Integrating Active Directory with Mobile Devices
-
Here is an example that I see on Spiceworks all of the time. People ask for a NAS that has "AD integration." This is a common feature of NAS units. What this means is that the unit talks to AD and potentially allows for things like SMB share security to be handled via AD authentication. Great.
However, what people typically mean is something completely different. They don't want authentication or at least not only authentication but they actually want NTFS ACLs, an OS and/or filesystem feature. That's completely different.
You can think of it as splitting hairs but it literally means the difference between being able to identify which products meet your needs and which do not. Netgear ReadyNAS does AD integration really well, but has no NTFS ACLs. So people thinking that AD integration provides NTFS will be quite surprised when those are missing. Buffalo and Synology offer NTFS ACLs as well as AD integration.
So knowing what is AD and what is something people mistakenly associate with AD is pretty critical. There is a reason that, at least in the 1990s, Microsoft made a huge deal of making sure everyone knew this for the MCP and MCSE exams. It's not something you can use loosely without causing problems.
-
@scottalanmiller said:
@Kelly said:
@thecreativeone91 Ok, contextualize with me. We're discussing integrating Active Directory with Mobile Devices, not discussing the separation of powers between the OS and the directory. Or at least I thought we were...
Well the discussions are one and the same. Why are we discussing the first? That's the question. Defining exactly what it does do and what it can do are pretty important when talking about how we want it to integrate since most of the desired integration, I believe, is around doing things that are not things done by AD.
Basically if people want their mobile devices to act like non-mobile devices, great. But we should discuss that as OS features. Calling OS level features "AD integration" causes confusion and leads us down completely different paths as it means something completely different.
You are correct that we need to define what we are discussing. In my mind when I talk about Active Directory services it is inclusive of all the functions that are properly the purview of the OS, but are extended because of integration with an AD domain. That is the context of my comments above. I am guessing, but I think with some sureness, that this is what most people mean when they want Active Directory integration. They want their mobile devices to be authenticated against the directory with policies and access applied by that authentication.
-
@scottalanmiller said:
However, what people typically mean is something completely different. They don't want authentication or at least not only authentication but they actually want NTFS ACLs, an OS and/or filesystem feature. That's completely different.
Looks like I'm revealing a hole in my own education here. So even though the account that is used to evaluate access is an AD account you would not consider that something that is within the realm of AD?
-
@Kelly said:
...They want their mobile devices to be authenticated against the directory with policies and access applied by that authentication.
Well that's part of the question... is that true? Do people really want AD users to be able to log in using a username and password from AD? Do they really want the mobile devices talking to AD all of the time, even off network? Maybe they do, but I have not seen that.
What impression I have gotten is that people want the "other" things that are not AD related but don't actually want any of the AD features themselves (directory and authentication.)
I think that you are the first person to really state that authentication is desired. How do you picture that being useful? Do you want multiple users sharing mobile devices? Do you want people logging into phones like desktops?
-
@Kelly said:
Looks like I'm revealing a hole in my own education here. So even though the account that is used to evaluate access is an AD account you would not consider that something that is within the realm of AD?
Correct. NTFS ACLs existed a decade before AD existed and worked fine. AD is nothing more than a list of users (and a list of the OUs that they are in) and their hashed passwords so that devices (like desktops) can securely look up a user in the directory and query the directory to see if the password provided matches what AD has for that user. That is all that AD does.
Anything like share or file security is handled by the OS or filesystem and works easily without AD. You can have any without any of the others.
You can do things like AD using LDAP and Kerberos from non-AD sources, use eDirectory, use NT SAM, use local accounts, etc. AD is super popular, but far from the only way to do this.
-
@scottalanmiller said:
@Kelly said:
What impression I have gotten is that people want the "other" things that are not AD related but don't actually want any of the AD features themselves (directory and authentication.) I think that you are the first person to really state that authentication is desired. How do you picture that being useful? Do you want multiple users sharing mobile devices? Do you want people logging into phones like desktops?
Not personally no. That would not fly at my current company. I guess what I'm getting at (poorly it seems) is being able to control phones similarly to how I am able to control laptops. Be able to specify programs and network access based upon AD credentials. A typical login is not feasible on a device that small, but having a real, functional fingerprint scanner could replace that potentially.
-
@Kelly said:
Not personally no. That would not fly at my current company. I guess what I'm getting at (poorly it seems) is being able to control phones similarly to how I am able to control laptops. Be able to specify programs and network access based upon AD credentials. A typical login is not feasible on a device that small, but having a real, functional fingerprint scanner could replace that potentially.
I agree that being able to control programs and such on mobile devices would be handy. But MDM does that today. The only thing that is different is that it doesn't use AD for authentication. The question around AD integration would be purely "do AD usernames and passwords make the mobile device better."
Or to ask it another way, we have everything that you describe today but without AD. And since AD usernames and passwords aren't what you envision and fingerprint scanning is.... what's wrong with the full feature set and fingerprint scanning that I am using right now? I think that I have everything that you want with my iPhone 5s with MDM without AD right now. What extra value would AD provide over that if we aren't leveraging AD authentication?
-
The only place that I could see this working is if mobile devices became multi-user and you wanted AD to allow arbitrary users to log into any mobile device on the network like it is used for desktops and laptops. But I can't come up with a use case where that would be a positive, at least considering where mobile technology is today.
-
@scottalanmiller said:
What extra value would AD provide over that if we aren't leveraging AD authentication?
Potentially having only one set of credentials to manage.
-
@Kelly said:
Potentially having only one set of credentials to manage.
Do you want to manage the credentials of mobile devices? Right now I don't have to manage that. That would be an additional workload. Mobile devices are assigned to people, not authenticated against central stores today. I'm not saying that that is a bad idea, but is there really a perceived value to that when a device is assigned to a person individually?
-
The lack of credentials is actually what sets mobile devices apart from non-mobile (stationary) devices. On traditional desktops and laptops, we have the idea of a person "logging in" and needing to authenticate to prove that they are that person.
Mobile devices, on the other hand, are defined by having the device itself associated with a person and only needing to authenticate to the device. So if the device is logged into, it is that person as it is a single user platform.
Both work fine and can work with network resources, it is just two fundamentally different ways of looking at devices. One accepts multiple users, one is an extension of one user.
-
@scottalanmiller said:
@Kelly said:
Potentially having only one set of credentials to manage.
Do you want to manage the credentials of mobile devices? Right now I don't have to manage that. That would be an additional workload. Mobile devices are assigned to people, not authenticated against central stores today. I'm not saying that that is a bad idea, but is there really a perceived value to that when a device is assigned to a person individually?
Some of this is because MDM and, to an extent, BYOD are in their infancy. Directory and authentication systems are still reactive rather than innovated for the most part. We have so many segregations within typical data and task flow that it isn't realistic or feasible to use authentication against a central store. My original answer was a look to the future. There may be a way and a day where this is usable, and needful. Where we have an experience similar to Corning's glass video. At that point I think a central authentication system would be not just nice, but required.
-
On a completely unrelated note, have y'all considered having the text in a quote show the most recently quoted post instead of the first one?
-
@Kelly said:
On a completely unrelated note, have y'all considered having the text in a quote show the most recently quoted post instead of the first one?
Not ML that gets to make that choice, sadly. It's just how the platform works. It's an issue for the NodeBB developers. We should start a thread about that over on their forums...
-
It seems some of the confusion may come from not understanding that authentication and authorization are two separate processes. AD does authentication; your OS uses the authentication to give you authorization.
-
@thecreativeone91 said:
It seems some of the confusion may come from not understanding that authentication and authorization are two separate processes. AD does authentication; your OS uses the authentication to give you authorization.
That is often the case. The OS enforces authorization while AD simply does authentication. AD will confirm who you are and the OS decides what you can do.
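The split described in this post and in the earlier reply about NTFS ACLs predating AD (the directory answers "who are you?" from a list of users, OUs and hashed passwords; the OS's ACLs answer "what may you do?" and work the same no matter which account store authenticated you), as an added Python illustration that is not code from the thread. The account names, passwords, OUs and share ACL are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "directory" standing in for what AD holds,
# i.e. users, the OU each user is in, and a salted hash of their password.
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_directory(accounts):
    """accounts: {username: (ou, plaintext password)} -> records with hashes only."""
    directory = {}
    for user, (ou, password) in accounts.items():
        salt = os.urandom(16)
        directory[user] = {"ou": ou, "salt": salt, "hash": _hash_pw(password, salt)}
    return directory

def authenticate(directory, user, password):
    """Authentication only: confirms the identity, says nothing about access.
    Returns the authenticated principal (name + OU) or None."""
    rec = directory.get(user)
    if rec is None:
        return None
    if hmac.compare_digest(rec["hash"], _hash_pw(password, rec["salt"])):
        return {"user": user, "ou": rec["ou"]}
    return None

def authorize(acl, principal, wanted):
    """Authorization only, NTFS-style: acl is a list of (kind, subject, rights)
    ACEs; a matching deny wins, otherwise allows must cover every wanted right.
    It never sees a password and does not care which store authenticated the principal."""
    if principal is None:
        return False
    subjects = {principal["user"], "OU:" + principal["ou"]}
    allowed = set()
    for kind, subject, rights in acl:
        if subject not in subjects:
            continue
        if kind == "deny" and rights & wanted:
            return False
        if kind == "allow":
            allowed |= rights
    return wanted <= allowed

# Constructed accounts and a share ACL: Staff may read, IT may read and write,
# but bob (in IT) is explicitly denied write, so the deny ACE overrides the allow.
DIRECTORY = make_directory({"alice": ("Staff", "correct horse"), "bob": ("IT", "hunter2")})
SHARE_ACL = [("allow", "OU:Staff", {"read"}), ("allow", "OU:IT", {"read", "write"}),
             ("deny", "bob", {"write"})]
```

Swapping DIRECTORY for any other store that returns the same principal shape (a local account list, an LDAP lookup) leaves authorize untouched, which is the point the thread is making.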
-
@scottalanmiller said:
@coliver said:
If Microsoft continues to merge their platforms we could see a device with multiple "desktops" for lack of a better term. One would be a personal "desktop" the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device, disabling the AD account could remove that "desktop" from the phone.
That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?
I guess this is how I see AD's involvement.
-
@Dashrender said:
@scottalanmiller said:
That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?
I guess this is how I see AD's involvement.
You want an interface in AD that isn't tied to the rest of the directory structure? How are you picturing this? Would the devices be in an OU (like "Mobile iOS" and "Mobile Windows")?
I understand why having things all in one place is nice. Since Mac and UNIX machines aren't managed in this way, though, and since the things that you need for MDM generally need interface features not available in AD's management.... is this actually valuable? If we had this today, would it actually do something positive? Maybe it would, I'm just trying to picture this. Beyond technical issues, just purely thinking at an interface level, would it be good?
Having used our own MDM, I can't see wanting it in AD. Maybe most people want a lot less from their mobile management than I do?
-
I guess I want MDM in Windows like I have GPs in Windows - I don't want an add-on product for managing corporate resources.
I agree that I can't manage nix or Macs (though I suppose that would be nice), and the desire might be pie in the sky - but yes I want this.
As for logging into the phone with an AD account, part of the onboarding of the device could set up another logon type that more closely resembles what we use today.
I don't ever see a phone being a multi-user device, just like most PCs aren't really a multi-user device in a business, even though it could be. So I suppose that would be a skipped option.
-
@Dashrender said:
I guess I want MDM in Windows like I have GPs in Windows - I don't want an add-on product for managing corporate resources.
But MDMs already have Policy Profiles, which would be the equivalent of GPs. You wouldn't see the GP features by integrating to AD, just the authentication services. There is just too much difference in the types of devices and their OS to see that much integration.