
    Integrating Active Directory with Mobile Devices

    Category: IT Discussion. Tags: active directory, mobile.
    111 Posts, 8 Posters, 31.8k Views
      scottalanmiller @Carnival Boy

      @Carnival-Boy said:

      But could AD adapt and become more than what it currently is? Could it develop MDM features that would make third-party MDMs obsolete? Microsoft isn't going down that route, and is developing InTune, but InTune isn't free, sadly.

      It could only if you allow AD to become something wholly different. Like can a car become a train? Sure, if the company that makes it stops making cars, starts making trains but names the train "car".

      AD is a very specific thing, doing anything else would make it something else.

        scottalanmiller @Carnival Boy

        @Carnival-Boy said:

        Maybe in a few years' time we won't be running AD at all.

        Possible but I doubt it. Companies like control. They don't like the complexity that MDM brings. For corporate shared assets, AD and other LDAP products make sense.

          Carnival Boy @scottalanmiller

          @scottalanmiller said:

          @Carnival-Boy said:

          I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.

          It's not me, the OS vendors define that when they create the OS.

          I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.

            scottalanmiller @Carnival Boy

            @Carnival-Boy said:

            Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.

            So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?

              scottalanmiller @Carnival Boy

              @Carnival-Boy said:

              I'd cope with a 5 inch wifi only "tablet" running Windows Pro, which I'd pair with a $100 mini Android phone. That way, I could leave the "tablet" at home if I know I'm going to be in the mosh pit at an Iggy Pop gig or dancing like a madman in a club at 2am.

              That's almost available today, just not down to 5"

                Carnival Boy @scottalanmiller

                @scottalanmiller said:

                So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?

                Anyone using that computer is fine. The number is connected to the hardware, I'd be ok with that. Anything else would be pretty complicated.

                  scottalanmiller @Carnival Boy

                  @Carnival-Boy said:

                  I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.

                  It would be... but the C64 fundamentally doesn't have a concept of "users." So it's not like convincing a Mac or Linux box to join AD. They have users, you just need to match them up and support the protocol. The C64 and pretty much any home-use OS prior to Windows 2000 lacked multi-user capability and could never use AD no matter what was added to it.

                  That's where the phone OSes are today. No users. Until they have users, the best that they could do, since they do have authentication, is tie to a single AD user account and support passwords via AD. But I doubt that that has value as it would only make them harder to support.

                    scottalanmiller @Carnival Boy

                    @Carnival-Boy said:

                    Anyone using that computer is fine. The number is connected to the hardware, I'd be ok with that. Anything else would be pretty complicated.

                    I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."

                      A Former User @scottalanmiller

                      @scottalanmiller said:

                      @Carnival-Boy said:

                      Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.

                      So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?

                      You can get similar results just using a small Windows Tablet with mobile data service and a softphone installed on it. Seems like a very cumbersome solution for a phone.

                        Carnival Boy @scottalanmiller

                        @scottalanmiller said:

                        I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."

                        The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.

                          scottalanmiller @Carnival Boy

                          @Carnival-Boy said:

                          The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.

                          If you are on a SIM service (GSM). With Verizon or Sprint, it is hard coded to the device. But yes, in theory, you can have an AD account and a disconnected SIM card that you use. So you end up with two access mechanisms for logging in rather than one. Isn't that an improvement?

                            Dashrender @scottalanmiller

                            @scottalanmiller said:

                            @Carnival-Boy said:

                            I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.

                            It would be... but the C64 fundamentally doesn't have a concept of "users." So it's not like convincing a Mac or Linux box to join AD. They have users, you just need to match them up and support the protocol. The C64 and pretty much any home-use OS prior to Windows 2000 lacked multi-user capability and could never use AD no matter what was added to it.

                            That's where the phone OSes are today. No users. Until they have users, the best that they could do, since they do have authentication, is tie to a single AD user account and support passwords via AD. But I doubt that that has value as it would only make them harder to support.

                            It took a long time to get there, but yes, this is what I want. A phone is NOT a multi-user device - so the multi-user facet of AD is not something I care about. If I'm controlling a device for my office - why should I have to pay for something else (MDM) to control it?

                            I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.

                            At least I think I do 😉

                              scottalanmiller @Dashrender

                              @Dashrender said:

                              I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.

                              There is no ecosystem, it is just AD. Phones don't have users, so they can't tie to AD. You want people to have to enter a username and password to get into their phones? Why? What about this is better rather than worse than what you have today?

                                scottalanmiller @Dashrender

                                @Dashrender said:

                                It took a long time to get there, but yes, this is what I want. A phone is NOT a multi-user device - so the multi-user facet of AD is not something I care about.

                                But that is the ONLY facet of AD. What do you want AD to do then if not the one thing that it does?

                                  scottalanmiller @Dashrender

                                  @Dashrender said:

                                  If I'm controlling a device for my office - why should I have to pay for something else (MDM) to control it?

                                  Because AD offers NO control. If you are seeking control, AD should not be in the discussion. That's where this is getting confusing. If you want control of a mobile device, whether AD is there or not, you need MDM.

                                  So if we fully integrate AD, 100%, you get nothing that you actually want and just make logins harder. MDM is still another step that you will still need.

                                    scottalanmiller

                                    Here is the easy way to think about AD integration. Replace saying AD with "I want usernames and passwords on phones that require a VPN back to the office to work, rather than people being assigned to a phone and signing in with whatever security is standard for that device."

                                    If that's what you want, I'd say "why", but maybe there is a good reason. But don't say AD, everyone is confused about what AD means. So replace the term with what it would mean in this context and ask if that is what you want - usernames and passwords on mobile devices that fail if the device can't get on a stable data network and connect to AD via a VPN. If that isn't what you want, don't say that AD brings a benefit.

                                    I'm pretty sure everyone agrees that AD is bad for mobile devices but isn't clear what AD is and keeps thinking that there must be some upside somewhere.

                                      Dashrender @scottalanmiller

                                      @scottalanmiller said:

                                      @Dashrender said:

                                      I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.

                                      There is no ecosystem, it is just AD. Phones don't have users, so they can't tie to AD. You want people to have to enter a username and password to get into their phones? Why? What about this is better rather than worse than what you have today?

                                      Because it's not centrally managed.

                                        scottalanmiller @Dashrender

                                        @Dashrender said:

                                        because it's not centrally managed.

                                        Because "what" is not centrally managed? What exactly is the end result that you desire?

                                        Remember, AD does not provide central management. So if that is what you seek, why are we talking AD? Central management for a mobile platform is called MDM.

                                          Carnival Boy

                                          I want to use Microsoft Group Policy (rather than, say, Meraki Group Policy) to control my phones. I also want single sign-on to AD so I can use the user's AD account to authenticate phone apps to our server apps without them having to keep entering their account details.

                                          I may be using Group Policy and AD interchangeably, but that's probably because you can't have Group Policy without AD, right?

                                            scottalanmiller @Carnival Boy

                                            @Carnival-Boy said:

                                            I want to use Microsoft Group Policy (rather than, say, Meraki Group Policy) to control my phones.

                                            That's a decent idea, but it isn't AD that you want. GP is a different thing that leverages AD in some cases. So what we want is for phone platforms to have a management API? That makes total sense to me. But all of them already do. To leverage a phone management API, MDM is what that is called.

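To make the exchange above concrete ("you can't have Group Policy without AD" and "GP is a different thing that leverages AD"), here is an added PowerShell example. It is not code from any poster in this thread; it assumes a domain-joined Windows host with the RSAT ActiveDirectory and GroupPolicy modules and an account that can read the domain (any domain user can, by default). It lists every GPO as the AD object it really is, then walks the gPLink attribute on the domain and its OUs to show which AD containers each policy is attached to. Nothing in it refers to a device that is not an AD object, which is exactly why a phone that is not in the directory is untouched by any of it.

```powershell
# Added example (not from the thread): Group Policy is stored in, and linked through, AD.
# Assumes: domain-joined Windows, RSAT 'ActiveDirectory' + 'GroupPolicy' modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Every GPO is a groupPolicyContainer object under CN=Policies,CN=System,<domain DN>.
#    gPCFileSysPath is the SYSVOL folder holding the policy files themselves.
$gpoObjects = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -SearchBase "CN=Policies,CN=System,$domainDN" `
    -Properties displayName, gPCFileSysPath, whenChanged

$gpoObjects | Select-Object displayName, gPCFileSysPath, whenChanged | Format-Table -AutoSize

# Cross-check: the GroupPolicy module's view is built from those same directory objects.
$gpoCount = @(Get-GPO -All).Count
"Get-GPO -All sees $gpoCount GPO(s); the directory holds $(@($gpoObjects).Count)."

# 2. A GPO only applies when an AD container (domain, OU, or site) links it via gPLink.
#    gPLink is a string like:
#    [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0][LDAP://cn={GUID2},...;2]
#    The trailing number is a bit field: bit 0 = link disabled, bit 1 = enforced.
$containers = @(Get-ADObject -Identity $domainDN -Properties gPLink) +
              @(Get-ADOrganizationalUnit -Filter * -Properties gPLink)

$links = foreach ($c in $containers) {
    if (-not $c.gPLink) { continue }   # container with no linked policies
    foreach ($m in [regex]::Matches($c.gPLink, '\[LDAP://([^;]+);(\d+)\]')) {
        $gpoDN   = $m.Groups[1].Value
        $options = [int]$m.Groups[2].Value
        $gpo     = $gpoObjects | Where-Object { $_.DistinguishedName -ieq $gpoDN }
        [pscustomobject]@{
            Container = $c.DistinguishedName
            GPO       = if ($gpo) { $gpo.displayName } else { $gpoDN }  # orphaned link if no match
            Enabled   = -not ($options -band 1)
            Enforced  = [bool]($options -band 2)
        }
    }
}
$links | Sort-Object Container | Format-Table -AutoSize
```

Read the second table as the answer to the thread's question: a policy reaches a user or computer only by way of the AD container that object sits in. A device that has no computer object in the directory (which is the case for iOS and Android handsets) sits in no container, so no gPLink can ever point at it; managing it needs the platform's own management API, which is what an MDM drives.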
                                            Page 4 of 6