Integrating Active Directory with Mobile Devices
-
@thecreativeone91 said:
@Dashrender said:
I guess I want MDM in windows like i have GPs in Windows - I don't want an add-on product for managing corporate resources.
But MDMs already have Policy Profiles, which would be the equivalent of GPs. You wouldn't see the GP features by integrating to AD, just the authentication services. There is just too much difference in the types of devices and their OS to see that much integration.
If they can add 1000+ items to GP for Windows 8, why can't they do the same for mobile devices?
-
Currently I manage around 100 PCs and laptops which are assigned to users who use them for e-mail, ERP, CRM, web browsing, the intranet, accessing shared files, messaging and phoning (via the local PBX). They are managed through AD and domain accounts.
I manage around 25 iPhones which are assigned to users who use them for e-mail, ERP, CRM, web browsing, the intranet, accessing shared files, messaging and phoning (via the phone carrier). They are managed through Meraki MDM and Apple accounts.
I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC. I'm not that technical. For me they are all just computers that users do work on. All I know is that managing computers with AD is tons better than managing computers with Meraki and Apple, added to the fact that having two systems to master and manage is worse than having one.
-
If we define AD fairly narrowly in terms of PCs and servers then you could say that in a post-PC/Cloud world AD is becoming redundant. Maybe in a few years' time we won't be running AD at all.
But could AD adapt and become more than what it currently is? Could it develop MDM features that would make third-party MDMs obsolete? Microsoft isn't going down that route, and is developing InTune, but InTune isn't free sadly.
-
Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.
I'd cope with a 5 inch wifi only "tablet" running Windows Pro, which I'd pair with a $100 mini Android phone. That way, I could leave the "tablet" at home if I know I'm going to be in the mosh pit at an Iggy Pop gig or dancing like a madman in a club at 2am.
-
@Dashrender said:
As for logging into the phone with an AD account, part of the onboarding of the device could set up another logon type that more closely resembles what we use today.
I don't ever see a phone being a multi-user device, just like most PCs aren't really a multi-user device in a business, even though they could be. So I suppose that would be a skipped option.
So, if I am reading this correctly, basically you want AD to not be AD and do something completely different and THEN integrate with the phones? Like "AD integration" actually means "replace AD?"
I'm still confused. What role would AD play here?
-
@Dashrender said:
If they can add 1000+ items to GP for Windows 8, why can't they do the same for mobile devices?
That's GP, not AD. You can already do this with MDM. Phones are not computers; integrating with AD won't move you in the direction that you desire. If phones had GP, okay, maybe. But then you'd create all kinds of other issues (required VPN connections, for example).
Basically you want MDM but you want it called AD, is what I am seeing. Why does calling it AD matter?
-
@Carnival-Boy said:
I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.
It's not me, the OS vendors define that when they create the OS. A mobile platform (like people call a phone) operates a certain way that is very different than how any traditional OS in use today works. They work more like a Commodore 64 than a modern desktop.
-
@Carnival-Boy said:
If we define AD fairly narrowly in terms of PCs and servers then you could say that in a post-PC/Cloud world AD is becoming redundant.
AD is a thing, it's not a concept. It is purely Microsoft's own LDAP server with a Kerberos authentication system layered on top. Nothing more. LDAP provides directory and authentication services, Kerberos helps to secure that. Anything more than that isn't AD.
-
@Carnival-Boy said:
But could AD adapt and become more than what it currently is? Could it develop MDM features that would make third-party MDMs obsolete? Microsoft isn't going down that route, and is developing InTune, but InTune isn't free sadly.
It could only if you allow AD to become something wholly different. Like can a car become a train? Sure, if the company that makes it stops making cars, starts making trains but names the train "car".
AD is a very specific thing, doing anything else would make it something else.
-
@Carnival-Boy said:
Maybe in a few years' time we won't be running AD at all.
Possible but I doubt it. Companies like control. They don't like the complexity that MDM brings. For corporate shared assets, AD and other LDAP products make sense.
-
@scottalanmiller said:
@Carnival-Boy said:
I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.
It's not me, the OS vendors define that when they create the OS.
I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.
-
@Carnival-Boy said:
Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.
So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?
-
@Carnival-Boy said:
I'd cope with a 5 inch wifi only "tablet" running Windows Pro, which I'd pair with a $100 mini Android phone. That way, I could leave the "tablet" at home if I know I'm going to be in the mosh pit at an Iggy Pop gig or dancing like a madman in a club at 2am.
That's almost available today, just not down to 5".
-
@scottalanmiller said:
So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?
Anyone using that computer is fine. The number is connected to the hardware, I'd be ok with that. Anything else would be pretty complicated.
-
@Carnival-Boy said:
I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.
It would be... but the C64 fundamentally doesn't have a concept of "users." So it's not like convincing a Mac or Linux box to join AD. They have users, just need to match them up and support the protocol. C64 and pretty much any home use OS prior to Windows 2000 lacked multi-user capability and could never use AD no matter what was added to it.
That's where the phone OSes are today. No users. Until they have users, the best that they could do, since they do have authentication, is tie to a single AD user account and support passwords via AD. But I doubt that that has value as it would only make them harder to support.
-
@Carnival-Boy said:
Anyone using that computer is fine. The number is connected to the hardware, I'd be ok with that. Anything else would be pretty complicated.
I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."
-
@scottalanmiller said:
@Carnival-Boy said:
Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.
So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?
You can get similar results just using a small Windows Tablet with mobile data service and a softphone installed on it. Seems like a very cumbersome solution for a phone.
-
@scottalanmiller said:
I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."
The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.
-
@Carnival-Boy said:
The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.
If you are on a SIM service (GSM). With Verizon or Sprint, it is hard coded to the device. But yes, in theory, you can have an AD account and a disconnected SIM card that you use. So you end up with two access mechanisms for logging in rather than one. Isn't that an improvement?
-
@scottalanmiller said:
@Carnival-Boy said:
I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.
It would be... but the C64 fundamentally doesn't have a concept of "users." So it's not like convincing a Mac or Linux box to join AD. They have users, just need to match them up and support the protocol. C64 and pretty much any home use OS prior to Windows 2000 lacked multi-user capability and could never use AD no matter what was added to it.
That's where the phone OSes are today. No users. Until they have users, the best that they could do, since they do have authentication, is tie to a single AD user account and support passwords via AD. But I doubt that that has value as it would only make them harder to support.
It took a long time to get there, but yes, this is what I want. A phone is NOT a multi-user device, so the multi-user facet of AD is not something I care about. If I'm controlling a device for my office, why should I have to pay for something else (MDM) to control it?
I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.
At least I think I do