Integrating Active Directory with Mobile Devices
-
@thecreativeone91 said:
I think AD on the phone is asking for all kinds of security issues. Hacks and otherwise. Not to mention, what would it actually do and what would be the broker aside from an MDM? Unless you plan on putting your DC directly accessible or phones on a VPN, which doesn't seem like a good idea in most cases. It's not like people should be accessing file shares outside of a cloud service like ownCloud or Work Folders etc. on a mobile device (plus you can still authenticate to SMB shares without it being domain joined).
I agree, you would need the phone on a VPN all of the time for it to really be useful, or have it piped through an MDM channel (which is effectively a VPN). I have never been able to figure out a real value.
-
@Dashrender said:
I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third party cloud file sharing solution, using MS's (though I suppose as long as the authentication could be seamless I wouldn't really care whose cloud file sharing I was using as long as it was secure).
The AD integrated phones would use something like Direct Access (though a lot easier on the setup side). This would be the VPN component for secure access to AD.
You don't need AD to do that, though, I have that functionality today.
-
@coliver said:
@Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.
We have that already on Android with Pertino. I get the VPN value to get access to things, but how would AD play in? You can already use AD for security, it just isn't integrated with the phone platform itself.
-
@Bill-Kindle said:
I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.
That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?
Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.
I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.
-
@scottalanmiller said:
@Bill-Kindle said:
I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.
That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?
Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.
I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.
One word:
Phablet.
http://en.wikipedia.org/wiki/Phablet
That's the only area I could see AD being used, and even then it's a stretch.
-
@Bill-Kindle sure, if they cross the line into multiple user devices. But long before AD integration you will need operating systems that support the concept of users to do that.
-
Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things. If we continue out the vision of AD into Azure, combine in ActiveSync policies, and allow for Microsoft's vision of one Windows we have something that could be used to exert control over every platform while providing a unified experience. Not exactly the same experience because of differences in UX and interface, but one that is familiar regardless of the device in front of a user. It is a long view though. Right now, there is little reason to integrate mobile devices into AD.
-
@Kelly said:
Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things.
Access control and policy distribution are handled by the OS, not by AD. AD literally only does directory services and authentication. That's it.
-
@scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.
-
@Kelly said:
@scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.
Not really. You can do permissions and access control even without AD. Local SMB shares etc.
AD is just a centralized database of authentication, nothing more really.
-
@thecreativeone91 Ok, contextualize with me. We're discussing integrating Active Directory with Mobile Devices, not discussing the separation of powers between the OS and the directory. Or at least I thought we were...
-
@Kelly said:
@scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.
Maybe, but I think that it is a big deal. Sure, without AD the OS can't do those things. But how would AD aid in doing those things on mobile devices? The thing that people are asking for is AD and the piece that doesn't do anything useful is AD. You can, and would, do all or nearly all of the desired features without AD. So I am not sure that the hair splitting is actually very fine, it's rather fundamental.
-
@Kelly said:
@thecreativeone91 Ok, contextualize with me. We're discussing integrating Active Directory with Mobile Devices, not discussing the separation of powers between the OS and the directory. Or at least I thought we were...
Well the discussions are one and the same. Why are we discussing the first? That's the question. Defining exactly what it does do and what it can do are pretty important when talking about how we want it to integrate since most of the desired integration, I believe, is around doing things that are not things done by AD.
Basically if people want their mobile devices to act like non-mobile devices, great. But we should discuss that as OS features. Calling OS level features "AD integration" causes confusion and leads us down completely different paths as it means something completely different.
-
Here is an example that I see on Spiceworks all of the time. People ask for a NAS that has "AD integration." This is a common feature of NAS units. What this means is that the unit talks to AD and potentially allows for things like SMB share security to be handled via AD authentication. Great.
However, what people typically mean is something completely different. They don't want authentication or at least not only authentication but they actually want NTFS ACLs, an OS and/or filesystem feature. That's completely different.
You can think of it as splitting hairs but it literally means the difference between being able to identify which products meet your needs and which do not. Netgear ReadyNAS does AD integration really well, but has no NTFS ACLs. So people thinking that AD integration provides NTFS will be quite surprised when those are missing. Buffalo and Synology offer NTFS ACLs as well as AD integration.
So knowing what is AD and what is something people mistakenly associate with AD is pretty critical. There is a reason that, at least in the 1990s, Microsoft made a huge deal of making sure everyone knew this for the MCP and MCSE exams. It's not something you can use loosely without causing problems.
-
@scottalanmiller said:
@Kelly said:
@thecreativeone91 Ok, contextualize with me. We're discussing integrating Active Directory with Mobile Devices, not discussing the separation of powers between the OS and the directory. Or at least I thought we were...
Well the discussions are one and the same. Why are we discussing the first? That's the question. Defining exactly what it does do and what it can do are pretty important when talking about how we want it to integrate since most of the desired integration, I believe, is around doing things that are not things done by AD.
Basically if people want their mobile devices to act like non-mobile devices, great. But we should discuss that as OS features. Calling OS level features "AD integration" causes confusion and leads us down completely different paths as it means something completely different.
You are correct that we need to define what we are discussing. In my mind when I talk about Active Directory services it is inclusive of all the functions that are properly the purview of the OS, but are extended because of integration with an AD domain. That is the context of my comments above. I am guessing, but I think with some sureness, that this is what most people mean when they want Active Directory integration. They want their mobile devices to be authenticated against the directory with policies and access applied by that authentication.
-
@scottalanmiller said:
However, what people typically mean is something completely different. They don't want authentication or at least not only authentication but they actually want NTFS ACLs, an OS and/or filesystem feature. That's completely different.
Looks like I'm revealing a hole in my own education here. So even though the account that is used to evaluate access is an AD account you would not consider that something that is within the realm of AD?
-
@Kelly said:
...They want their mobile devices to be authenticated against the directory with policies and access applied by that authentication.
Well that's part of the question... is that true? Do people really want AD users to be able to log in using a username and password from AD? Do they really want the mobile devices talking to AD all of the time, even off network? Maybe they do, but I have not seen that.
What impression I have gotten is that people want the "other" things that are not AD related but don't actually want any of the AD features themselves (directory and authentication.)
I think that you are the first person to really state that authentication is desired. How do you picture that being useful? Do you want multiple users sharing mobile devices? Do you want people logging into phones like desktops?
-
@Kelly said:
Looks like I'm revealing a hole in my own education here. So even though the account that is used to evaluate access is an AD account you would not consider that something that is within the realm of AD?
Correct. NTFS ACLs existed a decade before AD existed and worked fine. AD is nothing more than a list of users (and a list of the OUs that they are in) and their hashed passwords so that devices (like desktops) can securely look up a user in the directory and query the directory to see if the password provided matches what AD has for that user. That is all that AD does.
Anything like share or file security is handled by the OS or filesystem and works easily without AD. You can have any without any of the others.
You can do things like AD using LDAP and Kerberos from non-AD sources, use eDirectory, use NT SAM, use local accounts, etc. AD is super popular, but far from the only way to do this.
-
@scottalanmiller said:
@Kelly said:
What impression I have gotten is that people want the "other" things that are not AD related but don't actually want any of the AD features themselves (directory and authentication.)
I think that you are the first person to really state that authentication is desired. How do you picture that being useful? Do you want multiple users sharing mobile devices? Do you want people logging into phones like desktops?
Not personally, no. That would not fly at my current company. I guess what I'm getting at (poorly, it seems) is being able to control phones similarly to how I am able to control laptops. Be able to specify programs and network access based upon AD credentials. A typical login is not feasible on a device that small, but having a real, functional fingerprint scanner could replace that potentially.
-
@Kelly said:
Not personally, no. That would not fly at my current company. I guess what I'm getting at (poorly, it seems) is being able to control phones similarly to how I am able to control laptops. Be able to specify programs and network access based upon AD credentials. A typical login is not feasible on a device that small, but having a real, functional fingerprint scanner could replace that potentially.
I agree that being able to control programs and such on mobile devices would be handy. But MDM does that today. The only thing that is different is that it doesn't use AD for authentication. The question around AD integration would be purely "do AD usernames and passwords make the mobile device better?"
Or to ask it another way, we have everything that you describe today but without AD. And since AD usernames and passwords aren't what you envision and fingerprint scanning is... what's wrong with the full feature set and fingerprint scanning that I am using right now? I think that I have everything that you want with my iPhone 5s with MDM without AD right now. What extra value would AD provide over that if we aren't leveraging AD authentication?