    Integrating Active Directory with Mobile Devices

    IT Discussion | Tags: active directory, mobile
    111 Posts, 8 Posters, 31.8k Views
    • scottalanmiller

      I have seen several people mention how they would like to see Active Directory integrated into a Windows phone or iOS. This sounds great when we first say it, but when I stop to think about it I wonder what people are envisioning for how this integration would work. I have a few ideas, but they are pretty light and I can't see enough value to make it all worth it outside of maybe a basic MDM solution (which Microsoft already offers via Intune).

      Phones are single use devices, not multiuser devices. Or are people thinking that multiuser is a way forward with phones? How will phone calls and texts play into a scenario like that? What is the purpose of AD in this case? How will AD be used?

      • Dashrender (last edited by Dashrender)

        Personally I'd like to see AD integration provide its own sandbox on the phone.

        Basically any application that you use for the office is inside the sandbox, and the office can push policies to the way that information is used, etc. This would include email and things like ODfB and SharePoint.

        Otherwise the device would be completely open for the end user to do whatever they want on it.

        • coliver

          If Microsoft continues to merge their platforms we could see a device with multiple "desktops", for lack of a better term. One would be a personal "desktop", the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device, disabling the AD account could remove that "desktop" from the phone.

          • A Former User

            I think AD on the phone is asking for all kinds of security issues, hacks and otherwise. Not to mention, what would it actually do and what would be the broker aside from an MDM? Unless you plan on making your DC directly accessible or putting phones on a VPN, which doesn't seem like a good idea in most cases. It's not like people should be accessing file shares outside of a cloud service like ownCloud or Work Folders etc. on a mobile device (plus you can still authenticate to SMB shares without it being domain joined).

            • Dashrender

              I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third-party cloud file sharing solution, using MS's (though I suppose as long as the authentication could be seamless I wouldn't really care whose cloud file sharing I was using as long as it was secure).

              The AD-integrated phones would use something like DirectAccess (though a lot easier on the setup side). This would be the VPN component for secure access to AD.

              • coliver @Dashrender

                @Dashrender I was thinking something very similar to DirectAccess would be the way to go for mobile devices. The new version isn't that hard to set up, but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

                • Dashrender @coliver

                  @coliver said:

                  @Dashrender I was thinking something very similar to DirectAccess would be the way to go for mobile devices. The new version isn't that hard to set up, but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

                  I'm guessing they would make a new license for the company to purchase specifically for phones/mobile devices.

                  • Bill Kindle @scottalanmiller

                    @scottalanmiller said:

                    I have seen several people mention how they would like to see Active Directory integrated into a Windows phone or iOS. This sounds great when we first say it, but when I stop to think about it I wonder what people are envisioning for how this integration would work. I have a few ideas, but they are pretty light and I can't see enough value to make it all worth it outside of maybe a basic MDM solution (which Microsoft already offers via Intune).

                    Phones are single use devices, not multiuser devices. Or are people thinking that multiuser is a way forward with phones? How will phone calls and texts play into a scenario like that? What is the purpose of AD in this case? How will AD be used?

                    I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

                    • scottalanmiller @Dashrender

                      @Dashrender said:

                      Personally I'd like to see AD integration provide its own sandbox on the phone.

                      AD is only an authentication and directory system, though. AD can't "do" anything on a device. It can't on Windows, it can't on a phone. The sandbox would be a separate application on the phone. How do you see AD authentication or directory providing services to that sandbox?

                      • scottalanmiller @coliver

                        @coliver said:

                        If Microsoft continues to merge their platforms we could see a device with multiple "desktops", for lack of a better term. One would be a personal "desktop", the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device, disabling the AD account could remove that "desktop" from the phone.

                        That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?

                        • scottalanmiller @A Former User

                          @thecreativeone91 said:

                          I think AD on the phone is asking for all kinds of security issues, hacks and otherwise. Not to mention, what would it actually do and what would be the broker aside from an MDM? Unless you plan on making your DC directly accessible or putting phones on a VPN, which doesn't seem like a good idea in most cases. It's not like people should be accessing file shares outside of a cloud service like ownCloud or Work Folders etc. on a mobile device (plus you can still authenticate to SMB shares without it being domain joined).

                          I agree, you would need the phone on a VPN all of the time for it to really be useful, or have it piped through an MDM channel (which is effectively a VPN). I have never been able to figure out a real value.

                          • scottalanmiller @Dashrender

                            @Dashrender said:

                            I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third-party cloud file sharing solution, using MS's (though I suppose as long as the authentication could be seamless I wouldn't really care whose cloud file sharing I was using as long as it was secure).

                            The AD-integrated phones would use something like DirectAccess (though a lot easier on the setup side). This would be the VPN component for secure access to AD.

                            You don't need AD to do that, though; I have that functionality today.

                            • scottalanmiller @coliver

                              @coliver said:

                              @Dashrender I was thinking something very similar to DirectAccess would be the way to go for mobile devices. The new version isn't that hard to set up, but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

                              We have that already on Android with Pertino. I get the VPN value to get access to things, but how would AD play in? You can already use AD for security, it just isn't integrated with the phone platform itself.

                              • scottalanmiller @Bill Kindle

                                @Bill-Kindle said:

                                I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

                                That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?

                                Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.

                                I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.

                                • Bill Kindle @scottalanmiller

                                  @scottalanmiller said:

                                  @Bill-Kindle said:

                                  I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

                                  That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?

                                  Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.

                                  I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.

                                  One word:

                                  Phablet.
                                  http://en.wikipedia.org/wiki/Phablet

                                  That's the only area I could see AD being used, and even then it's a stretch.

                                  • scottalanmiller @Bill Kindle

                                    @Bill-Kindle Sure, if they cross the line into multi-user devices. But long before AD integration you will need operating systems that support the concept of users to do that.

                                    • Kelly

                                      Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things. If we continue out the vision of AD into Azure, combine in ActiveSync policies, and allow for Microsoft's vision of one Windows we have something that could be used to exert control over every platform while providing a unified experience. Not exactly the same experience because of differences in UX and interface, but one that is familiar regardless of the device in front of a user. It is a long view though. Right now, there is little reason to integrate mobile devices into AD.

                                      • scottalanmiller @Kelly

                                        @Kelly said:

                                        Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things.

                                        Access control and policy distribution are handled by the OS, not from AD. AD literally only does directory services and authentication. That's it.

                                        • Kelly @scottalanmiller

                                          @scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

                                          • A Former User @Kelly

                                            @Kelly said:

                                            @scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

                                            Not really. You can do permissions and access control even without AD. Local SMB shares, etc.

                                            AD is just a centralized database for authentication, nothing more really.
