Integrating Active Directory with Mobile Devices

scottalanmiller

@Dashrender said:

If I'm controlling a device for my office - why should I have to pay for something else (MDM) to control it?

Because AD offers NO control. If you are seeking control, AD should not be in the discussion. That's where this is getting confusing. If you want control of a mobile device, whether AD is there or not, you need MDM.

So if we fully integrate AD, 100%, you get nothing that you actually want and just make logins harder. MDM is still another step that you will still need.

scottalanmiller

Here is the easy way to think about AD integration. Replace saying AD with "I was username and passwords on phones that require a VPN back to the office to work rather than people being assigned to a phone and signing in with whatever security is standard for that device."

If that's what you want, I'd say "why", but maybe there is a good reason. But don't say AD, everyone is confused about what AD means. So replace the term with what it would mean in this context and ask if that is what you want - usernames and passwords on mobile devices that fail if the device can't get on a stable data network and connect to AD via a VPN. If that isn't what you want, don't say that AD brings a benefit.

I'm pretty sure everyone agrees that AD is bad for mobile devices but isn't clear what AD is and keeps thinking that there must be some upside somewhere.

Dashrender

@scottalanmiller said:

@Dashrender said:

I'm not sure there is a name for the entire ecosystem that MS has created around access control/user authentication, etc - but I want that for the phones.

There is no ecosystem, it is just AD. Phones don't have users, so they can't tie to AD. You want people to have to enter a username and password to get into their phones? Why? What about this is better rather than worse than what you have today?

because it's not centrally managed.

scottalanmiller

@Dashrender said:

because it's not centrally managed.

Because "what" is not centrally managed? What exactly is the end result that you desire?

Remember AD does not provide central management. So if that is what you seek, why are we talking AD? Central management for a mobile platform is called MDM.

Carnival Boy

I want to use Microsoft Group Policy (rather than, say, Meraki Group Policy) to control my phones. I also want single sign-on to AD so I can use the users AD account to authenticate phone apps to our server apps without them having to keep entering their account details.

I may be using Group Policy and AD interchangeability, but that's probably because you can't have Group Policy without AD, right?

scottalanmiller

@Carnival-Boy said:

I want to use Microsoft Group Policy (rather than, say, Meraki Group Policy) to control my phones.

That's a decent idea, but isn't AD that you want. GP is a different thing that leverages AD in some cases. So what we want is phone platforms to have a management API? That makes total sense to me. But, all of them already do. To leverage a phone management API, MDM is what that is called.

scottalanmiller

@Carnival-Boy said:

I may be using Group Policy and AD interchangeability, but that's probably because you can't have Group Policy without AD, right?

Yes, everyone is mixing those. And yes, they are independent. Every Windows machine has GP with or without AD. They can work together, but they are completely separate.

A Former User

@Carnival-Boy said:

@scottalanmiller said:

I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."

The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.

The Top Cell carriers in the US use CDMA not GSM.

A Former User

@scottalanmiller said:

@Carnival-Boy said:

I may be using Group Policy and AD interchangeability, but that's probably because you can't have Group Policy without AD, right?

Yes, everyone is mixing those. And yes, they are independent. Every Windows machine has GP with or without AD. They can work together, but they are completely separate.

You can join windows to a SAMBA domain without any Domain Group policy but, it will still do Authentication.

Carnival Boy

@thecreativeone91 said:

The Top Cell carriers in the US use CDMA not GSM.

Oh right. I've never heard of that.

JaredBusch

@thecreativeone91 said:

The Top Cell carriers in the US use CDMA not GSM.

That is completely off base.

#1 Verizon uses CDMA.
#2 & #3 AT&T and T-Mobile use GSM.

Then below that are US Cellular & Sprint using CDMA. US Cellular uses CDMA in order to claim good coverage because they have a no charge (to the consumer) roaming agreement with Verizon.

Dashrender

@thecreativeone91 said:

@Carnival-Boy said:

@scottalanmiller said:

I think most people are not happy with that. Phones are "assigned by hardware" but the AD is "assigned by user." So you'd get a weird mix of user and device authentication on the device. Instead of calling a person, the phone number would be "call the anonymous user of this device."

The phone number is connected to the SIM card not the phone. So I could use any phone, and the phone could be multi-user, and I'd just have to plug my SIM into whichever phone I happened to be using at the time.

The Top Cell carriers in the US use CDMA not GSM.

CDMA is moving toward CIM card usage.
http://s4gru.com/index.php?/topic/4635-will-sprint-now-be-moving-to-sim-based-authentication-for-cdma/

Verizon already has it - my boss' CIM died last week and they had to send her another one.

Dashrender

OK - after a live chat with Scott I finally understand why INTEGRATED AD on the phones isn't really helpful. It's because phones don't talk directly to any of our AD authenticated equipment. Instead they use other solutions like ODfB or O365. These other solutions while perhaps being synced back to our internal AD's have their own authentication for which we have to put in our usernames/passwords.

For example - on our PCs we type 'net use s: \server\sharename' to map a drive through SMB - but this is something we never do on a phone. So the 'simplicity' of having our phone know our Username/Password already isn't really that helpful. (though because the phone could 'assume' the use of this information for setting up things like Sharepoint and O365 - it's not entirely non-useful either).

OK fine - Now I do want MDM control added to Windows just like Group Policy for Desktop/Laptops is part of Windows.

scottalanmiller

@Carnival-Boy said:

@thecreativeone91 said:

The Top Cell carriers in the US use CDMA not GSM.

Oh right. I've never heard of that.

Oh yeah, forgot that you would not be aware that SIM cards aren't exactly uncommon, but aren't the most common option here. And when you do have SIM cards, typically they are locked to the carrier and device, so only kinda of portable.

scottalanmiller

@Dashrender said:

OK - after a live chat with Scott I finally understand why INTEGRATED AD on the phones isn't really helpful. It's because phones don't talk directly to any of our AD authenticated equipment. Instead they use other solutions like ODfB or O365. These other solutions while perhaps being synced back to our internal AD's have their own authentication for which we have to put in our usernames/passwords.

You can think of this as "service level AD integration" instead of "OS level AD integration." Every service on my phone that could use AD already uses AD. The only thing that doesn't is the phone itself, which I don't want to.

Dashrender

@scottalanmiller said:

@Dashrender said:

OK - after a live chat with Scott I finally understand why INTEGRATED AD on the phones isn't really helpful. It's because phones don't talk directly to any of our AD authenticated equipment. Instead they use other solutions like ODfB or O365. These other solutions while perhaps being synced back to our internal AD's have their own authentication for which we have to put in our usernames/passwords.

You can think of this as "service level AD integration" instead of "OS level AD integration." Every service on my phone that could use AD already uses AD. The only thing that doesn't is the phone itself, which I don't want to.

Great way to put it Scott.

Carnival Boy

@Dashrender said:

OK - after a live chat with Scott I finally understand why INTEGRATED AD on the phones isn't really helpful. It's because phones don't talk directly to any of our AD authenticated equipment. Instead they use other solutions like ODfB or O365.

That's good for you. We don't use ODfB or O365 so our phones do talk directly to our internal servers. Users have to manually enter their credentials to each and every server. A single sign-on, using a fingerprint, that then authenticates to all our servers would be helpful.

Also, an Apple phone has to authenticate to an Apple ID (a pain to administer), a Windows phone has to (or did when I had one) authenticate to a Microsoft ID (also a pain to administer). I don't know how Android works. Instead of authenticating to a unique Microsoft or Apple user ID, why can't I use a local domain account instead?

Dashrender

@Carnival-Boy said:

That's good for you. We don't use ODfB or O365 so our phones do talk directly to our internal servers. Users have to manually enter their credentials to each and every server. A single sign-on, using a fingerprint, that then authenticates to all our servers would be helpful.

How are your phones connecting to your internal severs - you mean like a web page?

Also, an Apple phone has to authenticate to an Apple ID (a pain to administer), a Windows phone has to (or did when I had one) authenticate to a Microsoft ID (also a pain to administer). I don't know how Android works. Instead of authenticating to a unique Microsoft or Apple user ID, why can't I use a local domain account instead?

What are you trying to administer with regards to these IDs?

FYI - Android by default wants to log into a google account, but you don't have to.

Carnival Boy

1. At the moment, all are web servers. Though the ability to browse network file shares would also be good - ie the net use S: you referred to earlier.

2. If I give a new user an iPhone, I have to create an Apple ID for him. As a result I have loads of Apple IDs. I could do without this. Especially the stupid "what was your favourite teacher at school?" type security questions.

Dashrender

@Carnival-Boy said:

1. At the moment, all are web servers. Though the ability to browse network file shares would also be good - ie the net use S: you referred to earlier.

The built-in password manager for the web browser should be able to hold onto the passwords for the sites you visit. As for mapping a network drive, mobile platforms don't support the SMB protocol without an add-on app. That app can probably hold the credentials for the drives you want to map.

2. If I give a new user an iPhone, I have to create an Apple ID for him. As a result I have loads of Apple IDs. I could do without this. Especially the stupid "what was your favourite teacher at school?" type security questions.

Having never setup an iPhone from scratch I didn't know an Apple ID was required. Do you need to make separate accounts for each device? A quick google search lead me to a recommendation that the company have one Apple ID on all devices for things like the Apple Store (assuming you want to prevent people from installing apps) and allow the users to create a second Apple ID based on say their work email address that they can use for iMessage, Facetime, etc.