Integrating Active Directory with Mobile Devices

scottalanmiller

I have seen several people mention how they would like to see Active Directory integrated into a Windows phone or iOS. This sounds great when we first say it but when I stop to think about it I wonder what people are envisioning as how this integration would work. I have a few ideas but they are pretty light and I can't see enough value to make it all worth it outside of maybe a basic MDM solution (which Microsoft already offers via InTune.)

Phones are single use devices, not multiuser devices. Or are people thinking that multiuser is a way forward with phones? How will phone calls and texts play into a scenario like that? What is the purpose of AD in this case? How will AD be used?

Dashrender

Personally I'd like to see AD integration provide it's own sandbox on the phone.

Basically any application that you use for the office is inside the sandbox, and the office can push policies to the way that information is used, etc. This would include email and things like ODfB and Sharepoint.

Otherwise the device would be completely open for the end user to do whatever they want on it.

coliver

If Microsoft continues to merge their platforms we could see a device with multiple "desktops" for lack of a better term. One would be a personal "desktop" the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device a disabling the AD account could remove that "desktop" from the phone.

A Former User

I think AD on the phone is asking for all kinds of security issues. Hacks and otherwise. Not to mention, what would it actually do and what would be the broker aside from an MDM? unless you plan on putting your DC directly accessible or phones on a VPN which doesn't seem like a good idea in most cases. Its not like people should be accessing file shares outside of a cloud service like own cloud or workfolders etc on a mobile device (plus you can still authenticate to SMB shares without it being domain joined)

Dashrender

I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third party cloud file sharing solution, using MS's (though I suppose as long as the authenication could be seamless I wouldn't really care who's cloud file sharing I was using as long as it was secure.

The AD integrated phones would use something like Direct Access (though a lot easier on the setup side). This would be the VPN component for secure access to AD.

coliver

@Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

Dashrender

@coliver said:

@Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

I'm guessing they would make a new license for the company to purchase specifically for phones/mobile devices.

Bill Kindle

@scottalanmiller said:

I have seen several people mention how they would like to see Active Directory integrated into a Windows phone or iOS. This sounds great when we first say it but when I stop to think about it I wonder what people are envisioning as how this integration would work. I have a few ideas but they are pretty light and I can't see enough value to make it all worth it outside of maybe a basic MDM solution (which Microsoft already offers via InTune.)

Phones are single use devices, not multiuser devices. Or are people thinking that multiuser is a way forward with phones? How will phone calls and texts play into a scenario like that? What is the purpose of AD in this case? How will AD be used?

I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

scottalanmiller

@Dashrender said:

Personally I'd like to see AD integration provide it's own sandbox on the phone.

AD is only an authentication and directory system, though. AD can't "do" anything on a device. It can't on Windows, it can't on a phone. The sandbox would be a separate application on the phone. How do you see AD authentication or directory providing services to that sandbox?

scottalanmiller

@coliver said:

If Microsoft continues to merge their platforms we could see a device with multiple "desktops" for lack of a better term. One would be a personal "desktop" the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device a disabling the AD account could remove that "desktop" from the phone.

That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?

scottalanmiller

@thecreativeone91 said:

I think AD on the phone is asking for all kinds of security issues. Hacks and otherwise. Not to mention, what would it actually do and what would be the broker aside from an MDM? unless you plan on putting your DC directly accessible or phones on a VPN which doesn't seem like a good idea in most cases. Its not like people should be accessing file shares outside of a cloud service like own cloud or workfolders etc on a mobile device (plus you can still authenticate to SMB shares without it being domain joined)

I agree, you would need the phone on a VPN all of the time for it to really be useful or have it piped through an MDM channel (which is effectively a VPN.) I have never been able to figure out a real value.

scottalanmiller

@Dashrender said:

I imagine a time when my ODfB is controlled by my local AD (which might not be local any more). Instead of using a third party cloud file sharing solution, using MS's (though I suppose as long as the authenication could be seamless I wouldn't really care who's cloud file sharing I was using as long as it was secure.

The AD integrated phones would use something like Direct Access (though a lot easier on the setup side). This would be the VPN component for secure access to AD.

You don't need AD to do that, though, I have that functionality today.

scottalanmiller

@coliver said:

@Dashrender I was thinking something very similar to direct access would be the way to go for mobile devices. The new version isn't that hard to setup but the Windows 7/8/8.1 Enterprise license requirement seems a bit silly to me.

We have that already on Android with Pertino. I get the VPN value to get access to things, but how would AD play in? You can already use AD for security, it just isn't integrated with the phone platform itself.

scottalanmiller

@Bill-Kindle said:

I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?

Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.

I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.

Bill Kindle

@scottalanmiller said:

@Bill-Kindle said:

I thought that Work Folders were invented for BYOD folks? I'm not understanding why AD would be beneficial in this arena. Also, MDM solutions pretty much take care of any additional security that AD could bring to a phone anyways.

That's my thought too. MDM and AD work differently. MDM doesn't push down a username and password like AD does. If you use AD, you would need a username and password on the phone which would be really annoying and would you allow multiple users on one phone? If you do that, who is allowed to answer phone calls or receive texts? How do you deal with storage management?

Phones inherently are not like desktops or even laptops that are easily shared and meant to be shared. No one says "give me your phone and let me assume your identity using your phone number and whatnot while I am working at your desk." That would be weird.

I suppose that I could see an extremely odd case where you want shared phones and you sign in via AD and sign out when you are done and it allows email, phone number, texts and other phone features to migrate over at login time. But that would cause a world of issues with email constantly syncing up and stuff.

One word:

Phablet.
http://en.wikipedia.org/wiki/Phablet

That's the only area I could see AD being used, and even then it's a stretch.

scottalanmiller

@Bill-Kindle sure, if they cross the line into multiple user devices. But long before AD integration you will need operating systems that support the concept of users to do that.

Kelly

Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things. If we continue out the vision of AD into Azure, combine in ActiveSync policies, and allow for Microsoft's vision of one Windows we have something that could be used to exert control over every platform while providing a unified experience. Not exactly the same experience because of differences in UX and interface, but one that is familiar regardless of the device in front of a user. It is a long view though. Right now, there is little reason to integrate mobile devices into AD.

scottalanmiller

@Kelly said:

Well, what is the primary purpose of AD? I'd posit that access control and policy distribution are among the primary things.

Access control and policy distribution are handled by the OS, not from AD. AD literally only does directory services and authentication. That's it.

Kelly

@scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

A Former User

@Kelly said:

@scottalanmiller That is some pretty fine hair splitting. Technically accurate, but without AD the OS cannot properly perform its tasks. For the purpose of this specific discussion, I don't think that getting that fine grained is particularly useful.

Not really. You can do Permissions and access control even without AD. Local SMB shares etc.

AD is just a centralized database of authentication nothing more really.