    Integrating Active Directory with Mobile Devices

IT Discussion
Tags: active directory, mobile
111 Posts, 8 Posters, 31.8k Views
Dashrender

I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third party cloud file sharing solution, using MS's (though I suppose as long as the authentication could be seamless I wouldn't really care whose cloud file sharing I was using as long as it was secure).

      The AD integrated phones would use something like Direct Access (though a lot easier on the setup side). This would be the VPN component for secure access to AD.

coliver @Dashrender

        @Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

Dashrender @coliver

          @coliver said:

          @Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

          I'm guessing they would make a new license for the company to purchase specifically for phones/mobile devices.

Bill Kindle @scottalanmiller

            @scottalanmiller said:

I have seen several people mention how they would like to see Active Directory integrated into a Windows phone or iOS. This sounds great when we first say it but when I stop to think about it I wonder what people are envisioning as how this integration would work. I have a few ideas but they are pretty light and I can't see enough value to make it all worth it outside of maybe a basic MDM solution (which Microsoft already offers via Intune.)

            Phones are single use devices, not multiuser devices. Or are people thinking that multiuser is a way forward with phones? How will phone calls and texts play into a scenario like that? What is the purpose of AD in this case? How will AD be used?

            I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

scottalanmiller @Dashrender

              @Dashrender said:

Personally I'd like to see AD integration provide its own sandbox on the phone.

              AD is only an authentication and directory system, though. AD can't "do" anything on a device. It can't on Windows, it can't on a phone. The sandbox would be a separate application on the phone. How do you see AD authentication or directory providing services to that sandbox?

scottalanmiller @coliver

                @coliver said:

If Microsoft continues to merge their platforms we could see a device with multiple "desktops" for lack of a better term. One would be a personal "desktop", the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device, disabling the AD account could remove that "desktop" from the phone.

                That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?

scottalanmiller @A Former User

                  @thecreativeone91 said:

I think AD on the phone is asking for all kinds of security issues. Hacks and otherwise. Not to mention, what would it actually do and what would be the broker aside from an MDM? Unless you plan on putting your DC directly accessible or phones on a VPN, which doesn't seem like a good idea in most cases. It's not like people should be accessing file shares outside of a cloud service like ownCloud or Work Folders etc. on a mobile device (plus you can still authenticate to SMB shares without it being domain joined).

                  I agree, you would need the phone on a VPN all of the time for it to really be useful or have it piped through an MDM channel (which is effectively a VPN.) I have never been able to figure out a real value.

scottalanmiller @Dashrender

                    @Dashrender said:

I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third party cloud file sharing solution, using MS's (though I suppose as long as the authentication could be seamless I wouldn't really care whose cloud file sharing I was using as long as it was secure).

                    The AD integrated phones would use something like Direct Access (though a lot easier on the setup side). This would be the VPN component for secure access to AD.

                    You don't need AD to do that, though, I have that functionality today.

scottalanmiller @coliver

                      @coliver said:

                      @Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

                      We have that already on Android with Pertino. I get the VPN value to get access to things, but how would AD play in? You can already use AD for security, it just isn't integrated with the phone platform itself.

scottalanmiller @Bill Kindle

                        @Bill-Kindle said:

                        I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

                        That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?

                        Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.

                        I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.

Bill Kindle @scottalanmiller

                          @scottalanmiller said:

                          @Bill-Kindle said:

                          I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

                          That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?

                          Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.

                          I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.

                          One word:

                          Phablet.
                          http://en.wikipedia.org/wiki/Phablet

                          That's the only area I could see AD being used, and even then it's a stretch.

scottalanmiller @Bill Kindle

                            @Bill-Kindle sure, if they cross the line into multiple user devices. But long before AD integration you will need operating systems that support the concept of users to do that.

Kelly

                              Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things. If we continue out the vision of AD into Azure, combine in ActiveSync policies, and allow for Microsoft's vision of one Windows we have something that could be used to exert control over every platform while providing a unified experience. Not exactly the same experience because of differences in UX and interface, but one that is familiar regardless of the device in front of a user. It is a long view though. Right now, there is little reason to integrate mobile devices into AD.

scottalanmiller @Kelly

                                @Kelly said:

                                Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things.

                                Access control and policy distribution are handled by the OS, not from AD. AD literally only does directory services and authentication. That's it.

Kelly @scottalanmiller

                                  @scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

A Former User @Kelly

                                    @Kelly said:

                                    @scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

                                    Not really. You can do Permissions and access control even without AD. Local SMB shares etc.

                                    AD is just a centralized database of authentication nothing more really.

Kelly @A Former User

                                      @thecreativeone91 Ok, contextualize with me. We're discussing integrating Active Directory with Mobile Devices, not discussing the separation of powers between the OS and the directory. Or at least I thought we were...

scottalanmiller @Kelly

                                        @Kelly said:

                                        @scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

                                        Maybe, but I think that it is a big deal. Sure, without AD the OS can't do those things. But how would AD aid in doing those things on mobile devices? The thing that people are asking for is AD and the piece that doesn't do anything useful is AD. You can, and would, do all or nearly all of the desired features without AD. So I am not sure that the hair splitting is actually very fine, it's rather fundamental.

scottalanmiller @Kelly

                                          @Kelly said:

                                          @thecreativeone91 Ok, contextualize with me. We're discussing integrating Active Directory with Mobile Devices, not discussing the separation of powers between the OS and the directory. Or at least I thought we were...

                                          Well the discussions are one and the same. Why are we discussing the first? That's the question. Defining exactly what it does do and what it can do are pretty important when talking about how we want it to integrate since most of the desired integration, I believe, is around doing things that are not things done by AD.

                                          Basically if people want their mobile devices to act like non-mobile devices, great. But we should discuss that as OS features. Calling OS level features "AD integration" causes confusion and leads us down completely different paths as it means something completely different.

scottalanmiller

                                            Here is an example that I see on Spiceworks all of the time. People ask for a NAS that has "AD integration." This is a common feature of NAS units. What this means is that the unit talks to AD and potentially allows for things like SMB share security to be handled via AD authentication. Great.

                                            However, what people typically mean is something completely different. They don't want authentication or at least not only authentication but they actually want NTFS ACLs, an OS and/or filesystem feature. That's completely different.

You can think of it as splitting hairs but it literally means the difference between being able to identify which products meet your needs and which do not. Netgear ReadyNAS does AD integration really well, but has no NTFS ACLs. So people thinking that AD integration provides NTFS will be quite surprised when those are missing. Buffalo and Synology offer NTFS ACLs as well as AD integration.

So knowing what is AD and what is something people mistakenly associate with AD is pretty critical. There is a reason that, at least in the 1990s, Microsoft made a huge deal of making sure everyone knew this for the MCP and MCSE exams. It's not something you can use loosely without causing problems.

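Two points in this thread are easy to confirm from a keyboard: thecreativeone91's remark that a device can authenticate to an SMB share with domain credentials without being domain joined, and scottalanmiller's distinction between "AD integration" (the server validates a domain identity) and NTFS ACLs (a filesystem feature that decides what that identity may do). The following PowerShell is an added example written for this page; it is not code from the thread or from any of the NAS vendors named. The server, share and group names are placeholders, and it is meant to be run from a workgroup (non-joined) Windows machine that can reach the share.

```powershell
# Added example, not from the original thread. Names below are placeholders.
$Share      = '\\nas01.corp.example\projects'            # assumed UNC path to an AD-integrated share
$Credential = Get-Credential -Message 'Domain account, e.g. DOMAIN\user'

# 1. Authentication only. The SMB server validates the domain account against AD;
#    this machine is NOT a domain member and needs no AD membership to do this.
New-PSDrive -Name P -PSProvider FileSystem -Root $Share -Credential $Credential -Scope Global | Out-Null

# 2. Authorization lives in the filesystem, not in AD. Ask the server for the
#    security descriptor it exposes on the share root. A full NTFS (or Samba
#    NTFS-style ACL) implementation returns per-identity ACEs; a NAS that does
#    "AD integration" without NTFS ACLs typically returns only a descriptor
#    synthesized from POSIX owner/group/other permission bits.
$acl = Get-Acl -Path 'P:\'
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Granting access is an ACL edit on the filesystem. AD only supplied the
#    identity (SID) the new ACE refers to; it does not store or enforce the ACE.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'DOMAIN\Finance',                  # assumed AD group
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
# On a server without NTFS ACL support this write is refused or silently
# reduced to what POSIX mode bits can express, which is the surprise the post describes.
Set-Acl -Path 'P:\' -AclObject $acl

Remove-PSDrive -Name P
```

Read the output of step 2 before relying on step 3: if the only entries are the owner, a primary group and Everyone with no inheritance flags, the share is presenting POSIX permissions through SMB, and an "AD integrated" label on the product does not change that.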