UniFi Identity - Admin Guide for Managing Identity Services and Users
Highlights
The Identity Endpoint services allow users to easily access powerful features through their Identity Endpoints for both desktop and mobile.
- Smart Door Access: Unlock doors effortlessly using their mobile phones.
- One-Click WiFi: Connect to the organization's WiFi without entering credentials.
- One-Click VPN: Connect to the organization's VPN without entering credentials.
- Camera Sharing: Access assigned Protect cameras and watch live feeds, and collaborate seamlessly for security. This feature is currently in Early Access.
- Talk Softphone: Make calls, check voicemail, and stay connected anytime.
- EV Charging: Power up electric vehicles with ease.
- File Access: Access UniFi Drive folders using Identity Endpoint for iOS and Android, and mount Drive folders on Windows and macOS desktops for easy access and synchronization.
- AD/LDAP Integration: Admins can import users from LDAP, Active Directory (AD), or Microsoft Entra ID to Identity, allowing users to sign in to their UniFi Console and Identity using their existing directory credentials. This feature is currently in Early Access.
Requirements
- Only the UniFi Console Owner, Super Admins, and Admins with Full Management permission for OS Settings can add users and assign features to them.
- If your console has UniFi Identity Enterprise installed, you must downgrade to UniFi Identity first.
- Ensure One-Click WiFi and One-Click VPN are enabled if you want to use and assign them to users. If you have downgraded from UniFi Identity Enterprise to UniFi Identity:
- One-Click WiFi and One-Click VPN will be automatically enabled in UniFi Identity if they were already enabled in UniFi Identity Enterprise before the downgrade.
- One-Click WiFi and One-Click VPN will be disabled in UniFi Identity if they were not enabled in UniFi Identity Enterprise before the downgrade. You need to enable them manually.
- The Smart Door Access and EV Charging services are automatically enabled when the UniFi Access and UniFi Connect applications are installed, respectively.
- To use and assign EV Stations, ensure you have selected UniFi Identity in the Connect application > EV Stations > select a device > Settings > Station Security > Allow Charging.
- To use and assign Talk Softphones to users, ensure you have upgraded to the UniFi Talk Pro Plan first.
- If Remote Access on the console is disabled in Settings > Control Plane > Console > Advanced, the Identity Endpoint needs to be on the same local network as the console to view live feeds.
- To use and assign UniFi Drive folders to users, ensure you are using a UNAS and note the following:
- Installing an HDD with 1.00 TB or above is recommended for basic storage protection.
- To mount and access Drive folders on Windows and macOS desktops:
- Ensure you have enabled Learn to Mount SMB on Your Desktop in Drive > Settings > Services > File Services > SMB.
- Ensure your desktop and UNAS are connected to the same local network.
- UNAS only supports UniFi Drive. Other Identity services such as Smart Door Access, One-Click WiFi, and One-Click VPN are not supported.
Manage Identity Services Globally
- Go to your UniFi OS > select an application > Settings > Admins & Users > Identity Endpoint.
- Perform the following actions as needed:
- Change Site Logo: Go to Site Logo, hover your mouse over the logo and click Change, and upload an image from your computer. Only JPG and PNG are allowed, with a file size limit of 10 MB and recommended dimensions of 1024 x 1024 pixels.
- Manage Services: Go to Services to enable Smart Door Access, One-Click WiFi, One-Click VPN, Camera Sharing, Talk Softphone, EV Charging, File Access, and more. When disabled, users can no longer access the services assigned to them.
- Manage WiFi/VPN settings: Click Service Settings and click Manage In Network for advanced network settings. For One-Click VPN, you can:
- Set the Default VPN Proxy to Global or Intranet.
- Enter the Default DNS Suffix, which will enable Windows clients to automatically append this suffix to all the domain names when making a DNS lookup.
- Configure Custom Routing to determine which IPs or subnets route traffic through the VPN. Supports input in both IP and CIDR formats.
- Identity Credentials:
- Tick the Auto-Send Invitations When a User Has an Email checkbox to automatically send an invitation email when service permissions are assigned to a user account with an email address configured.
- Tick the Requires a Verification Code When Loading a Credential checkbox to automatically send a unique verification code to the invited user's email. Users must enter this code for verification when loading credentials in their UniFi Identity Endpoints.
- Directory Integration: Click Set Up to connect and import users from LDAP, Active Directory (AD), or Microsoft Entra ID. This integration allows users to sign in to their UniFi Console using their existing directory credentials.
- Manage: Clicking Deactivate UniFi Identity will remove all Identity services and revoke all user permissions. Please note that your site's Wi-Fi network will experience a temporary disruption due to the removal of One-Click WiFi.
- Click Apply Changes.
Manage Users
Create New User and Assign Resources
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users > Create New User and click Create New User.
- Enter the user's name and email.
- Configure the following:
- Groups: Assign the user to specific groups to give them the permissions granted to those groups.
- Assignments: Assign resources to the user.
- Network: Assign One-Click WiFi and VPN for network access.
- Access:
- Access Policies: Assign to grant access to specific locations during designated times. See this article to learn more.
- Credentials: Assign to allow location unlocks using the assigned credentials. See this article to learn more.
- Protect: Tick the checkbox and click Add Shared Cameras to assign Protect cameras and let the user work as a surveillance collaborator.
- Talk Softphone: Assign Talk softphones to receive phone calls from UniFi Talk phones.
- EV Charging: Assign EV Stations to power up electric vehicles with ease.
- File Access: Assign Drive folders for easy access. Only available when using a UNAS.
- Personal Drive is created by default for every user. Only the user can access it.
- Click Shared Drive, select the drives to assign, and designate the user as the drive Owner, Editor, or Viewer. Click Add. By default, admins are assigned all shared drives.
- Click Create.
- Send a UniFi Identity invitation to the user through email or a URL.
Import Users from a CSV File
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users > Create New User and click Import Users from CSV File.
- Upload a CSV file according to the specified format. The file cannot exceed 10 MB, must be UTF-8 encoded, and is limited to 1,000 users.
- Select whether to Import Users to a Specific Group.
- Click Import.
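A pre-flight check for the import file limits stated above (10 MB, UTF-8, 1,000 users), run before uploading. This is an added example, not UniFi code: the page does not give the CSV column layout, so the `email` column name, the header row, and treating 10 MB as 10 x 1024 x 1024 bytes are assumptions.

```python
import csv
import io

MAX_BYTES = 10 * 1024 * 1024  # assumption: "10 MB" read as 10 MiB
MAX_USERS = 1000              # page: limited to 1,000 users


def preflight_user_csv(raw: bytes, email_column: str = "email") -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if len(raw) > MAX_BYTES:
        problems.append(f"file is {len(raw)} bytes, over the 10 MB limit")
    try:
        # utf-8-sig also accepts the byte order mark some spreadsheet tools write
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        problems.append(f"not valid UTF-8 at byte offset {exc.start}")
        return problems  # rows cannot be checked without decoding

    # Ignore fully blank records so trailing newlines do not count as users
    rows = [r for r in csv.reader(io.StringIO(text, newline=""))
            if any(c.strip() for c in r)]
    if not rows:
        return problems + ["no header row found"]
    header = [c.strip().lower() for c in rows[0]]  # assumption: first record is a header
    users = rows[1:]
    if len(users) > MAX_USERS:
        problems.append(f"{len(users)} user rows, over the 1,000 user limit")

    idx = header.index(email_column) if email_column in header else None
    seen = {}
    for n, row in enumerate(users, start=2):  # record 1 is the header
        if len(row) != len(header):
            problems.append(f"record {n}: {len(row)} fields, header has {len(header)}")
            continue
        if idx is None:
            continue
        email = row[idx].strip().lower()
        if email and email in seen:
            problems.append(f"record {n}: duplicate email, first seen on record {seen[email]}")
        seen.setdefault(email, n)
    return problems


# Constructed sample inputs (not real users)
SAMPLE_OK = "name,email\nAlice Example,alice@example.com\nBob Example,bob@example.com\n".encode("utf-8")
SAMPLE_LATIN1 = b"name,email\nJos\xe9,jose@example.com\n"  # Latin-1 byte, invalid as UTF-8
SAMPLE_DUP = b"name,email\nA,a@example.com\nB,A@example.com\n"
```
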
Set Up AD/LDAP Directory
UniFi Identity lets you connect and import users from LDAP, Active Directory (AD), or Microsoft Entra ID. This integration allows users to sign in to their UniFi Console using their existing directory credentials. This feature is currently in Early Access.
- Go to your Access application > Settings > Admins & Users > Users > Create New User and click Set Up AD/LDAP Directory.
- Follow the instructions in this article.
Send Identity Invitation to User
This helps the user download and set up UniFi Identity Endpoint for mobile and desktop, and access all the powerful features at their fingertips.
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users.
- Select a user, go to Overview, and do either of the following:
- If an Identity invitation was not sent before, click Send.
- If an Identity invitation was sent but has expired, click Invite Again.
Upgrade to Admin Role
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users.
- Select a user, go to Settings, and click Upgrade to Admin.
- Assign admin permissions and click Upgrade.
Deactivate and Remove User
- Deactivated users will still be displayed in the user list but cannot access the assigned resources unless activated.
- Only users with Active status can access the assigned resources.
- Only deactivated users can be removed.
- Your admin role must have higher-level permissions than the user's to activate, deactivate, or remove a user.
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users.
- Select a user, go to Settings, click Deactivate, and confirm you want to proceed.
- Once deactivated, you can do either of the following:
- Activate the user.
- Remove the user from the Access application.
Deactivate and Remove Admin
- Deactivated admins will still be displayed in the admin list but will lose access to UniFi applications, Site Settings, and all assigned resources unless activated.
- Only admins with Active status can access the UniFi applications, Site Settings, and all assigned resources.
- Only deactivated admins can be removed.
- Your admin role must have higher-level permissions than the admin's to activate, deactivate, or remove an admin.
- Go to your UniFi OS > select an application > Settings > Admins & Users > Admins.
- Select an admin, go to Settings, click Deactivate, and confirm you want to proceed.
- Once deactivated, you can do either of the following:
- Activate the admin.
- Remove the admin from the Access application.
Manage Groups
Create New Group
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users > Manage Groups and click Create New.
- Enter the group name.
- Configure the following:
- Users: Select the users to assign to this group.
- Assignments: Assign resources to the group.
- Network: Assign One-Click WiFi and VPN for network access.
- Access:
- Access Policies: Assign to grant access to specific locations during designated times. See this article to learn more.
- Credentials: Assign to allow location unlocks using the assigned credentials. See this article to learn more.
- Protect: Tick the checkbox and click Add Shared Cameras to assign Protect cameras and let the users work as surveillance collaborators.
- Talk Softphone: Assign Talk softphones to receive phone calls from UniFi Talk phones.
- EV Charging: Assign EV Stations to power up electric vehicles with ease.
- File Access: Assign Drive folders for easy access. Only available when using a UNAS.
- Personal Drive is created by default for every user. Only the user can access it.
- Click Shared Drive, select the drives to assign, and designate the user as the drive Owner, Editor, or Viewer. Click Add. By default, admins are assigned all shared drives.
- Click Create.
Remove Users from Group
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users > Manage Groups.
- Select a group, go to Users, and click X beside a user to remove them from the group.
Send Identity Invitation to Users
This helps the group users download and set up UniFi Identity Endpoint for mobile and desktop, and access all the powerful features at their fingertips.
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users > Manage Groups.
- Select a group and click Send Identity Invitation to Users.
- Select the users to send the invitation and click Send.
Remove Group
- Go to your UniFi OS > select an application > Settings > Admins & Users > Users > Manage Groups.
- Select a group and click Remove.
Change Identity Site Name
Changing the console name will also change the Identity site name.
- Go to your UniFi OS > select an application > Settings > Control Plane > Console.
- Go to the Name field and edit the name.
- Click Apply Changes.
Change One-Click VPN Name
- Go to your Network application > Settings > VPN > VPN Server and click your One-Click VPN.
- Go to the Name field and edit the name.
- Click Apply Changes. The new VPN name takes effect in the Identity Endpoints after 10 minutes.
Change One-Click WiFi SSID
- Go to your Network application > Settings > WiFi and click your One-Click WiFi.
- Go to the Name field and edit the name.
- Click Apply Changes. The new WiFi SSID takes effect in the Identity Endpoints after 10 minutes.