If you operate Active Directory on-premise, CloudM Automate can integrate with your directory using the CloudM AD Sync connector application.
You can quickly see if the On-Premise Integration is enabled or disabled. Selecting Enable or Disable will change the status of the feature.
In the Security section, you can view the Shared Secret and Key Pair currently being used and Regenerate, if required.
The On-Premise integration will trigger a sync when specific actions are taken on a user profile. The full range of events currently available (under Integration Settings) are:
- User Creation - When a new user is created
- User Deletion - When a user is deleted from CloudM Automate
- User Rename - When a user's name or email address is changed
- User Move - When a user is moved from one Organizational Unit to another (only available for Google domains).
- User Password Change - When a user changes their password
- User Update - When a user edits their profile, or their profile is edited (including user suspend / resume).
When one of the above events occurs, CloudM Automate makes a secure request to an on-premise connector application that performs matching operations in your directory.
When a notification is sent, CloudM Automate makes an HTTP request to the endpoint specified in the integration settings. The endpoint is a self hosted Windows serviceapplication that runs on your own network, and accepts and verifies requests from CloudM Manage before making any changes to your directory. Requests are encrypted and use public private key pairs to ensure authenticity and to ensure the connector application only processes requests from CloudM.
To further secure communications between CloudM Automate and your on-premise Active Directory connector, the application can be configured to use HTTPS or any reverse firewall (such as NGINX or HAPROXY) can be configured to relay connections to the connector.
Group Sync (Microsoft domains only)
From Active Directory On-Prem to CloudM Automate
The following events can be synced from AD On-Prem to CloudM Automate, using the Synchronize from AD Now button in Settings -> Domain Settings (which is only visible if the connector is enabled and a valid endpoint is set). This is a manual step and the changes will not sync automatically:
- A property of a group is updated (name, email and description).
- A member is added / removed from a group.
- A property of a member has changed.
- The owner of the group has changed.
- A new group has been added.
- A group has been deleted.
From CloudM Automate to Active Directory On-Prem
The following events will trigger an automatic sync when they are made to Groups within CloudM Manage.
- Updating the properties of an existing group - If a change is made to the properties of a Group within CloudM Automate, these changes will automatically sync to AD On-Prem if the Group exists there as well.
- Adding or removing members from a Group - If a change is made to the members list of a Group within CloudM Automate, these changes will automatically sync to AD On-Prem if the Group exists there as well.
- Only members with the "Member" role will be added to the Group.
Please note that Groups that are created or deleted in CloudM Automate will not sync to Active Directory On-Prem.
Clearing the cache
The cache of the connector holds information about the changes made to AD on-prem after the last sync. Clearing it will enable you to make a full sync, instead of only updating the changes made after the last sync (also known as a Delta sync).
The Clear connector cache button can be found on the Settings > Domain Settings screen (if the connector is enabled and a valid endpoint is set).