Integrating Active Directory with Mobile Devices
-
@scottalanmiller said:
@Dashrender said:
OK - after a live chat with Scott I finally understand why INTEGRATED AD on the phones isn't really helpful. It's because phones don't talk directly to any of our AD authenticated equipment. Instead they use other solutions like ODfB or O365. These other solutions while perhaps being synced back to our internal AD's have their own authentication for which we have to put in our usernames/passwords.
You can think of this as "service level AD integration" instead of "OS level AD integration." Every service on my phone that could use AD already uses AD. The only thing that doesn't is the phone itself, which I don't want to.
Great way to put it Scott.
-
@Dashrender said:
OK - after a live chat with Scott I finally understand why INTEGRATED AD on the phones isn't really helpful. It's because phones don't talk directly to any of our AD authenticated equipment. Instead they use other solutions like ODfB or O365.
That's good for you. We don't use ODfB or O365 so our phones do talk directly to our internal servers. Users have to manually enter their credentials to each and every server. A single sign-on, using a fingerprint, that then authenticates to all our servers would be helpful.
Also, an Apple phone has to authenticate to an Apple ID (a pain to administer), a Windows phone has to (or did when I had one) authenticate to a Microsoft ID (also a pain to administer). I don't know how Android works. Instead of authenticating to a unique Microsoft or Apple user ID, why can't I use a local domain account instead?
-
@Carnival-Boy said:
That's good for you. We don't use ODfB or O365 so our phones do talk directly to our internal servers. Users have to manually enter their credentials to each and every server. A single sign-on, using a fingerprint, that then authenticates to all our servers would be helpful.
How are your phones connecting to your internal servers - you mean like a web page?
Also, an Apple phone has to authenticate to an Apple ID (a pain to administer), a Windows phone has to (or did when I had one) authenticate to a Microsoft ID (also a pain to administer). I don't know how Android works. Instead of authenticating to a unique Microsoft or Apple user ID, why can't I use a local domain account instead?
What are you trying to administer with regards to these IDs?
FYI - Android by default wants to log into a google account, but you don't have to.
-
- At the moment, all are web servers. Though the ability to browse network file shares would also be good - ie the net use S: you referred to earlier.
- If I give a new user an iPhone, I have to create an Apple ID for him. As a result I have loads of Apple IDs. I could do without this. Especially the stupid "what was your favourite teacher at school?" type security questions.
-
@Carnival-Boy said:
- At the moment, all are web servers. Though the ability to browse network file shares would also be good - ie the net use S: you referred to earlier.
The built-in password manager for the web browser should be able to hold onto the passwords for the sites you visit. As for mapping a network drive, mobile platforms don't support the SMB protocol without an add-on app. That app can probably hold the credentials for the drives you want to map.
- If I give a new user an iPhone, I have to create an Apple ID for him. As a result I have loads of Apple IDs. I could do without this. Especially the stupid "what was your favourite teacher at school?" type security questions.
Having never set up an iPhone from scratch I didn't know an Apple ID was required. Do you need to make separate accounts for each device? A quick google search led me to a recommendation that the company have one Apple ID on all devices for things like the Apple Store (assuming you want to prevent people from installing apps) and allow the users to create a second Apple ID based on say their work email address that they can use for iMessage, Facetime, etc.
-
@Dashrender said:
Having never set up an iPhone from scratch I didn't know an Apple ID was required. Do you need to make separate accounts for each device? A quick google search led me to a recommendation that the company have one Apple ID on all devices for things like the Apple Store (assuming you want to prevent people from installing apps) and allow the users to create a second Apple ID based on say their work email address that they can use for iMessage, Facetime, etc.
This is what I have always done. All devices are on one ID. I always blocked iMessage, Facetime and buying from the store from the MDM.
-
- No option to store web server credentials when I've tested it on my iPhone. I'd like my mobile platform to support the SMB protocol. Why not?
- I set up a separate Apple ID for each user and use the user's e-mail address as the ID. I also use my e-mail address as the secondary e-mail, so I can use that to authenticate the new ID (which you need to do in order to configure the phone). I don't want to prevent people from installing apps - in fact I encourage it.
From a security point of view, I've no idea if this is a terrible idea. @scottalanmiller will admonish me for keeping a record of the Apple ID passwords. I guess it does get a bit dodgy if they store their personal credit card details against the Apple ID, and I'd recommend they change the password or use their own Apple ID if that is something they intend to do. If it integrated with AD, I'd just reset the password - wouldn't that be cool?
-
@Carnival-Boy said:
- No option to store web server credentials when I've tested it on my iPhone. I'd like my mobile platform to support the SMB protocol. Why not?
Why do you want that? A phone/tablet isn't a computer. That's what cloud service apps/work folders/own cloud is for.
By doing that you are giving a device you don't have a ton of control over the same trust as you would a computer you can control. It also means ANY app, wanted or not, can now access that share and potentially steal data.
-
It is a computer and I would have a ton of control over it because it would join AD.
-
@Carnival-Boy Again, AD doesn't give you control of the device.....
-
@Carnival-Boy said:
That's good for you. We don't use ODfB or O365 so our phones do talk directly to our internal servers. Users have to manually enter their credentials to each and every server. A single sign-on, using a fingerprint, that then authenticates to all our servers would be helpful.
What services do they use? SMB is the big one that people want and that isn't available last I know.
Single sign on would be awesome. That's a potential feature for every application to leverage. Several, like those from Microsoft, already handle this for MS apps. Any app could do this today.
-
@Carnival-Boy said:
Also, an Apple phone has to authenticate to an Apple ID (a pain to administer), a Windows phone has to (or did when I had one) authenticate to a Microsoft ID (also a pain to administer). I don't know how Android works. Instead of authenticating to a unique Microsoft or Apple user ID, why can't I use a local domain account instead?
I assume because central services are needed. Just like how Windows 8 and later require a LiveID to do some tasks.
-
@Carnival-Boy said:
- At the moment, all are web servers. Though the ability to browse network file shares would also be good - ie the net use S: you referred to earlier.
Web would just be a limitation of the browser. That could be fixed easily, if the vendors cared. That would totally make sense to fix.
File shares (SMB) would be awesome. But I don't see them doing that. If they were willing to do that they would have done it by now.
-
@Dashrender said:
Having never set up an iPhone from scratch I didn't know an Apple ID was required. Do you need to make separate accounts for each device?
No, we have many on a single ID.
-
@thecreativeone91 said:
@Carnival-Boy said:
- No option to store web server credentials when I've tested it on my iPhone. I'd like my mobile platform to support the SMB protocol. Why not?
Why do you want that? A phone/tablet isn't a computer. That's what cloud service apps/work folders/own cloud is for.
By doing that you are giving a device you don't have a ton of control over the same trust as you would a computer you can control. It also means ANY app, wanted or not, can now access that share and potentially steal data.
I don't agree, I absolutely want my phone to do that. Why would you care about those new services and not SMB too? What makes one good and not the other.
No one supports SMB, but I think that it is crazy that they do not.
-
@Carnival-Boy said:
It is a computer and I would have a ton of control over it because it would join AD.
This is where I don't agree. AD gives no form of control. MDM would be needed for that. You could join MDM to AD, but is that beneficial? AD only provides the lookup, not the control. That's always MDM no matter how you slice it.
-
@thecreativeone91 said:
@Carnival-Boy Again, AD doesn't give you control of the device.....
I mean AD gives me control of the security of the SMB server. I use AD to determine which clients can and can't connect to the server. Let me put it another way, how do you secure your SMB server and what is it about certain clients that would scare you? You secure a server at the server level, not at the client level, don't you?
OK, you're right in as much as a client doesn't have to join AD to access an AD authenticated server. He can just pass AD credentials manually when connecting. I'm talking about convenience rather than necessity when I want a client to join AD.
So if we're looking at the question as strictly joining a phone to AD, without any other functionality, then yes, I agree with you all that there is little benefit. Joining an iOS phone to AD doesn't do much by itself. I'm talking about a phone running a fully featured, domain joined, Windows OS. If we're arguing about two different things, then let's leave it there.
-
@Carnival-Boy said:
So if we're looking at the question as strictly joining a phone to AD, without any other functionality, then yes, I agree with you all that there is little benefit. Joining an iOS phone to AD doesn't do much by itself. I'm talking about a phone running a fully featured, domain joined, Windows OS. If we're arguing about two different things, then let's leave it there.
If the goal is to run Windows on a phone, then I'm with you 100%. That would have huge benefits and I totally understand that goal. It's a mobile OS with AD integration that I can't figure out as AD would do so little.
Using Windows proper as a phone OS will have issues, but overall I think that they can be handled somewhat. But it will confuse users as it breaks the expectations of those types of devices.
-
Let me put it another way. Why do you join Windows PCs to AD? It isn't necessary. You don't need it to connect to an SMB server. You can have your web browser cache your credentials to intranet web servers. You don't need it for group policy. You can have all your apps cache credentials. You don't need it for anything. Why do it?
After you've told me the answer, tell me why you wouldn't want to connect a Phone to AD. What is it about a PC that you want on AD that isn't also desirable on a phone. Because there is nothing I do on my PC that I wouldn't like to do on my phone.
-
@Carnival-Boy said:
OK, you're right in as much as a client doesn't have to join AD to access an AD authenticated server. He can just pass AD credentials manually when connecting. I'm talking about convenience rather than necessity when I want a client to join AD.
How would that be any more convenient than storing the credentials for the user in a file browser?