Integrating Active Directory with Mobile Devices
-
@Carnival-Boy said:
Also, an Apple phone has to authenticate to an Apple ID (a pain to administer), a Windows phone has to (or did when I had one) authenticate to a Microsoft ID (also a pain to administer). I don't know how Android works. Instead of authenticating to a unique Microsoft or Apple user ID, why can't I use a local domain account instead?
I assume because central services are needed. Just like how Windows 8 and later require a LiveID to do some tasks.
-
@Carnival-Boy said:
- At the moment, all are web servers. Though the ability to browse network file shares would also be good - i.e. the net use S: you referred to earlier.
Web would just be a limitation of the browser. That could be fixed easily, if the vendors cared. That would totally make sense to fix.
File shares (SMB) would be awesome. But I don't see them doing that. If they were willing to do that they would have done it by now.
-
@Dashrender said:
Having never set up an iPhone from scratch I didn't know an Apple ID was required. Do you need to make separate accounts for each device?
No, we have many on a single ID.
-
@thecreativeone91 said:
@Carnival-Boy said:
- No option to store web server credentials when I've tested it on my iPhone. I'd like my mobile platform to support the SMB protocol. Why not?
Why do you want that? A phone/tablet isn't a computer. That's what cloud service apps/work folders/own cloud is for.
By doing that you are giving a device you don't have a ton of control over the same trust as you would a computer you can control. It also means ANY app, wanted or not, can now access that share and potentially steal data.
I don't agree, I absolutely want my phone to do that. Why would you care about those new services and not SMB too? What makes one good and not the other.
No one supports SMB, but I think that it is crazy that they do not.
-
@Carnival-Boy said:
It is a computer and I would have a ton of control over it because it would join AD.
This is where I don't agree. AD gives no form of control. MDM would be needed for that. You could join MDM to AD, but is that beneficial? AD only provides the lookup, not the control. That's always MDM no matter how you slice it.
-
@thecreativeone91 said:
@Carnival-Boy Again, AD doesn't give you control of the device.....
I mean AD gives me control of the security of the SMB server. I use AD to determine which clients can and can't connect to the server. Let me put it another way, how do you secure your SMB server and what is it about certain clients that would scare you? You secure a server at the server level, not at the client level, don't you?
OK, you're right in as much as a client doesn't have to join AD to access an AD authenticated server. He can just pass AD credentials manually when connecting. I'm talking about convenience rather than necessity when I want a client to join AD.
So if we're looking at the question as strictly joining a phone to AD, without any other functionality, then yes, I agree with you all that there is little benefit. Joining an iOS phone to AD doesn't do much by itself. I'm talking about a phone running a fully featured, domain joined, Windows OS. If we're arguing about two different things, then let's leave it there.
-
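An added example, not posted by anyone in the thread, of the point Carnival-Boy makes above: an AD-backed SMB server authenticates the user, not the device, so a non-joined client can reach the share by presenting AD credentials explicitly, and domain join only removes the prompting. All names are assumptions for illustration (file server FS01, share Data, domain CORP, user alice); the cmdlets and commands are standard Windows ones.

```powershell
# Added example, not from the thread. Hypothetical names: server FS01, share Data,
# domain CORP, user alice. Run in an elevated or normal PowerShell session on Windows.

# Scenario A: domain-joined client, logged on as CORP\alice.
# The logged-on user's Kerberos ticket is presented automatically; nothing is typed
# or stored on the client. This is the "convenience" side of domain join.
New-PSDrive -Name S -PSProvider FileSystem -Root '\\FS01\Data' -Persist -Scope Global

# Scenario B: non-joined client (workgroup PC, or any client that speaks SMB).
# The server is still AD-authenticated; the client just has to hand over AD
# credentials itself. Either form works:
$cred = Get-Credential -UserName 'CORP\alice' -Message 'AD credentials for FS01'
New-PSDrive -Name S -PSProvider FileSystem -Root '\\FS01\Data' -Credential $cred -Persist -Scope Global
# classic equivalent:
#   net use S: \\FS01\Data /user:CORP\alice /persistent:yes

# Scenario C: make B as convenient as A by caching the credential in Credential Manager.
# cmdkey /pass with no value prompts for the password and stores it under this user profile.
cmdkey /add:FS01 /user:CORP\alice /pass
net use S: \\FS01\Data /persistent:yes      # connects without prompting from now on

# Checks a practitioner would run afterwards:
# 1. Which account and SMB dialect the server actually saw for this session (client side).
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect

# 2. Which cached secrets exist for this user. Anything running in this user's context can
#    use them to open the share, which is the "any app can reach the share" concern raised
#    earlier in the thread; it applies to cached credentials on a PC exactly as it would on a phone.
cmdkey /list

# 3. To remove the cached entry and the mapping again:
#   cmdkey /delete:FS01
#   net use S: /delete
```

The server-side access decision (which AD users and groups may read or write the share) is unchanged across all three scenarios; what differs is only where the credential lives on the client and whether the user has to re-enter it.
-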
@Carnival-Boy said:
So if we're looking at the question as strictly joining a phone to AD, without any other functionality, then yes, I agree with you all that there is little benefit. Joining an iOS phone to AD doesn't do much by itself. I'm talking about a phone running a fully featured, domain joined, Windows OS. If we're arguing about two different things, then let's leave it there.
If the goal is to run Windows on a phone, then I'm with you 100%. That would have huge benefits and I totally understand that goal. It's a mobile OS with AD integration that I can't figure out as AD would do so little.
Using Windows proper as a phone OS will have issues, but overall I think that they can be handled somewhat. But it will confuse users as it breaks the expectations of those types of devices.
-
Let me put it another way. Why do you join Windows PCs to AD? It isn't necessary. You don't need it to connect to an SMB server. You can have your web browser cache your credentials to intranet web servers. You don't need it for group policy. You can have all your apps cache credentials. You don't need it for anything. Why do it?
After you've told me the answer, tell me why you wouldn't want to connect a Phone to AD. What is it about a PC that you want on AD that isn't also desirable on a phone. Because there is nothing I do on my PC that I wouldn't like to do on my phone.
-
@Carnival-Boy said:
OK, you're right in as much as a client doesn't have to join AD to access an AD authenticated server. He can just pass AD credentials manually when connecting. I'm talking about convenience rather than necessity when I want a client to join AD.
How would that be any more convenient than storing the credentials for the user in a file browser?
-
@thecreativeone91 said:
How would that be any more convenient than storing the credentials for the user in a file browser?
See my post above....
-
@Carnival-Boy said:
I'm talking about a phone running a fully featured, domain joined, Windows OS. If we're arguing about two different things, then let's leave it there.
That seems like it would be a very annoying device. Computers and phones are designed to be operated in two different manners; operating a phone like a computer would be odd, confusing and bad on battery life.
-
@Carnival-Boy said:
Let me put it another way. Why do you join Windows PCs to AD? It isn't necessary. You don't need it to connect to an SMB server. You can have your web browser cache your credentials to intranet web servers. You don't need it for group policy. You can have all your apps cache credentials. You don't need it for anything. Why do it?
Because the services used by the computer are AD integrated top to bottom and the desktops and laptops are multiuser so tracking users is important. They are not single user devices like phones. So AD is part of the authentication. We use AD to simplify multiuser management of the computer, that it is used for services is ancillary.
-
@Carnival-Boy said:
After you've told me the answer, tell me why you wouldn't want to connect a Phone to AD. What is it about a PC that you want on AD that isn't also desirable on a phone. Because there is nothing I do on my PC that I wouldn't like to do on my phone.
Because the phone is a single user device and has no value in talking to AD that I can see. PCs allow anyone to log in, I don't want that on my phone. I only want me to be able to log in. And I want any call to that device to go to me, not to whoever is holding it.
-
@thecreativeone91 said:
Computers and phones are designed to be operated in two different manners; operating a phone like a computer would be odd, confusing and bad on battery life.
Odd to you, not to me. Wherever possible, I avoid using the phone. I see my iPhone as a computer on which I very occasionally, when forced, make and receive phone calls.
-
@Carnival-Boy said:
Odd to you, not to me. Wherever possible, I avoid using the phone. I see my iPhone as a computer on which I very occasionally, when forced, make and receive phone calls.
I think that the issue here is that you just want a Windows tablet, not a phone. Nothing wrong with that. But you are looking to push phone users to act like computer users which isn't how people want their phones to work. There are two different types of devices, general purpose computers and phones / mobile devices. They are designed to operate in two different ways.
You just need to choose the one that fits your needs. You should get a small tablet rather than a phone. I think that instead of asking for existing phones to "integrate AD", what you really want is existing Windows tablets to shrink by a few inches to meet your size requirements.
Does that make sense? I think that your end goal is good, but I think that you are approaching it the wrong way. I'm pretty sure that a Windows tablet today does what you want exactly, just is too large?
-
A small Windows tablet, with WWAN and GPS, that I can occasionally send and receive phone calls on. Yeah, that would be fine for me.
-
@Carnival-Boy said:
A small Windows tablet, with WWAN and GPS, that I can occasionally send and receive phone calls on. Yeah, that would be fine for me.
They can make that today, just no one does. They've gotten pretty close. If you use VoIP you can basically do it on a smaller tablet.
-
@scottalanmiller said:
And I want any call to that device to go to me, not to whoever is holding it.
You don't really (at least easily) have this ability now.
So how would AD make this any different?
To @Carnival-Boy's point - it's not AD specifically but the entire ecosystem that is MS's support of the desktop that is wanted on the phone. I.e. when I log into my phone using my AD account (which I should only have to do once; from there after I should be able to use a PIN) the phone will authenticate with the AD, pull down the associated MDM profile, grant access to SMB, if the feature were added, be able to use my AD creds to log into websites, etc.
If you want to call it AD integrated MDM, and it's the MDM doing all these things to my phone - fine.. but to the average person this seems like AD integration.
-
@scottalanmiller said:
@Carnival-Boy said:
A small Windows tablet, with WWAN and GPS, that I can occasionally send and receive phone calls on. Yeah, that would be fine for me.
They can make that today, just no one does. They've gotten pretty close. If you use VoIP you can basically do it on a smaller tablet.
The Winbook that was previously mentioned here on ML is pretty nice - combine that with your phone/mobile hotspot and you're golden.
-
@Dashrender said:
@scottalanmiller said:
And I want any call to that device to go to me, not to whoever is holding it.
You don't really (at least easily) have this ability now.
So how would AD make this any different?
By turning the device into a multi-user device. That's AD's function, to make things easily multi-user.