Integrating Active Directory with Mobile Devices
-
@Dashrender said:
As for logging into the phone with an AD account, part of the on boarding of the device could setup another logon type that more closely resembles what we use today.
I don't don't ever see a phone being a multi-user device, just list most PCs aren't really a multi user device in a business, even though it could be. So I suppose that would be a skipped option.
So, if I am reading this correctly, basically you want AD to not be AD and do something completely different and THEN integrate with the phones? Like "AD integration" actually means "replace AD?"
I'm still confused. What role would AD play here?
-
@Dashrender said:
If they can add 1000+ items to GP for Windows 8, why can't they do the same for mobile devices?
That's GP, not AD. You can already do this with MDM. Phones are not computers, integrating with AD won't move you in the direction that you desire. If phones had GP, okay, maybe. But then you'd create all kinds of other issues (required VPN connections, for example.)
Basically you want MDM but you want it called AD, is what I am seeing. Why does calling it AD matter?
-
@Carnival-Boy said:
I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.
It's not me, the OS vendors define that when they create the OS. A mobile platform (like people call a phone) operates a certain way that is very different than how any traditional OS in use today works. They work more like a Commodore 64 than a modern desktop.
-
@Carnival-Boy said:
If we define AD fairly narrowly in terms of PCs and servers then you could say that in a post-PC/Cloud world AD is becoming redundant.
AD is a thing, it's not a concept. It is purely Microsoft's own LDAP server with a Kerberos authentication system layered on top. Nothing more. LDAP provides directory and authentication services, Kerberos helps to secure that. Anything more than that isn't AD.
-
@Carnival-Boy said:
But could AD adapt and become more than what it currently is? Could it develop MDM features that would make third-party MDMs obsolete? Microsoft isn't going that down route, and is developing InTune, but InTune isn't free sadly.
It could only if you allow AD to become something wholly different. Like can a car become a train? Sure, if the company that makes it stops making cars, starts making trains but names the train "car".
AD is a very specific thing, doing anything else would make it something else.
-
@Carnival-Boy said:
. Maybe in a few years time we won't be running AD at all.
Possible but I doubt it. Companies like control. They don't like the complexity that MDM brings. For corporate shared assets, AD and other LDAP products make sense.
-
@scottalanmiller said:
@Carnival-Boy said:
I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.
It's not me, the OS vendors define that when they create the OS.
I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.
-
@Carnival-Boy said:
Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.
So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?
-
@Carnival-Boy said:
I'd cope with a 5 inch wifi only "tablet" running Windows Pro, which I'd pair with a $100 mini Android phone. That way, I could leave the "tablet" at home if I know I'm going to be in the mosh pit at an Iggy Pop gig or dancing like a madman in a club at 2am.
That's almost available today, just not down to 5"
-
@scottalanmiller said:
So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?
Anyone using that computer is fine. The number is connected to the hardware, I'd be ok with that. Anything else would be pretty complicated.
-
@Carnival-Boy said:
I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.
It would be... but the C64 fundamentally doesn't have a concept of "users." So it's not like convincing a Mac or Linux box to join AD. They have users, just need to match them up and support the protocol. C64 and pretty much any home use OS prior to Windows 2000 lacked multi-user capability and could never use AD no matter what was added to it.
That's where the phone OSes are today. No users. Until they have users, the best that they could do, since they do have authentication, is tie to a single AD user account and support passwords via AD. But I doubt that that has value as it would only make them harder to support.
-
@Carnival-Boy said:
Anyone using that computer is fine. The number is connected to the hardware, I'd be ok with that. Anything else would be pretty complicated.
I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."
-
@scottalanmiller said:
@Carnival-Boy said:
Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.
So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?
You can get similar results just using a small Windows Tablet with mobile data service and a softphone installed on it. Seems like a very cumbersome solution for a phone.
-
@scottalanmiller said:
I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."
The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.
-
@Carnival-Boy said:
The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.
If you are on a SIM service (GSM.) With Verizon or Spint, it is hard codes to the device. But yes, in theory, you can have an AD account and a disconnected SIM card that you use. So you end up with two access mechanisms for logging in rather than one. Isn't that an improvement?
-
@scottalanmiller said:
@Carnival-Boy said:
I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.
It would be... but the C64 fundamentally doesn't have a concept of "users." So it's not like convincing a Mac or Linux box to join AD. They have users, just need to match them up and support the protocol. C64 and pretty much any home use OS prior to Windows 2000 lacked multi-user capability and could never use AD no matter what was added to it.
That's where the phone OSes are today. No users. Until they have users, the best that they could do, since they do have authentication, is tie to a single AD user account and support passwords via AD. But I doubt that that has value as it would only make them harder to support.
It took a long time to get there, but yes, this is what I want. A phone is NOT a multi user device - so the multi user facet of AD is not something I care about. If I'm controlling a device for my office - why should I have to pay for something else (MDM) to control it?
I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.
At least I think I do
-
@Dashrender said:
I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.
There is no ecosystem, it is just AD. Phones don't have users, so they can't tie to AD. You want people to have to enter a username and password to get into their phones? Why? What about this is better rather than worse than what you have today?
-
@Dashrender said:
It took a long time to get there, but yes, this is what I want. A phone is NOT a multi user device - so the multi user facet of AD is not something I care about.
But that is the ONLY facet of AD. What do you want AD to do then if not the one thing that it does?
-
@Dashrender said:
If I'm controlling a device for my office - why should I have to pay for something else (MDM) to control it?
Because AD offers NO control. If you are seeking control, AD should not be in the discussion. That's where this is getting confusing. If you want control of a mobile device, whether AD is there or not, you need MDM.
So if we fully integrate AD, 100%, you get nothing that you actually want and just make logins harder. MDM is still another step that you will still need.
-
Here is the easy way to think about AD integration. Replace saying AD with "I was username and passwords on phones that require a VPN back to the office to work rather than people being assigned to a phone and signing in with whatever security is standard for that device."
If that's what you want, I'd say "why", but maybe there is a good reason. But don't say AD, everyone is confused about what AD means. So replace the term with what it would mean in this context and ask if that is what you want - usernames and passwords on mobile devices that fail if the device can't get on a stable data network and connect to AD via a VPN. If that isn't what you want, don't say that AD brings a benefit.
I'm pretty sure everyone agrees that AD is bad for mobile devices but isn't clear what AD is and keeps thinking that there must be some upside somewhere.