    Integrating Active Directory with Mobile Devices

    IT Discussion · Tags: active directory, mobile
    111 Posts 8 Posters 31.8k Views
    • scottalanmiller @Kelly

      @Kelly said:

      On a completely unrelated note, have y'all considered having the text in a quote show the most recently quoted post instead of the first one?

      Not ML that gets to make that choice, sadly. It's just how the platform works. It's an issue for the NodeBB developers. We should start a thread about that over on their forums.

      • A Former User

        It seems some of the confusion may come from not understanding that Authentication and Authorization are two separate processes. AD does authentication; your OS uses the authentication to give you authorization.

        • scottalanmiller @A Former User

          @thecreativeone91 said:

          It seems some of the confusion may come from not understanding that Authentication and Authorization are two separate processes. AD does authentication; your OS uses the authentication to give you authorization.

          That is often the case. The OS enforces authorization while AD simply does authentication. AD will confirm who you are and the OS decides what you can do.

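As an added illustration of the split the two posts above describe (this is constructed example code, not from the thread or from any product), the directory's only job below is to verify who you are, and a separate local ACL, which the directory never sees, decides what you may do; the accounts, password hashes, salt and share name are all made up.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the directory (the AD role): it answers "who is
# this?" and returns identity plus group membership, nothing about access.
_SALT = b"constructed-salt"  # fixed only so the sample data is reproducible

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

DIRECTORY = {
    "alice": {"hash": _pbkdf2("correct horse", _SALT), "groups": {"Finance"}, "enabled": True},
    "bob":   {"hash": _pbkdf2("hunter2", _SALT),       "groups": {"Sales"},   "enabled": False},
}

@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset

def authenticate(user: str, password: str) -> Optional[Principal]:
    """Directory side: verify credentials and the account state; no access decision here."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"]:
        return None  # unknown or disabled account: no verified identity
    if not hmac.compare_digest(entry["hash"], _pbkdf2(password, _SALT)):
        return None
    return Principal(user, frozenset(entry["groups"]))

# Constructed stand-in for the OS side: resource -> group -> allowed actions.
# Disabling an account in the directory does not touch this table; it simply
# means authenticate() never hands the OS a principal to evaluate.
LOCAL_ACL = {
    "\\\\fileserver\\ledger": {"Finance": {"read", "write"}, "Sales": {"read"}},
}

def authorize(p: Optional[Principal], resource: str, action: str) -> bool:
    """OS side: decide what an already-authenticated principal may do."""
    if p is None:
        return False  # without a verified identity there is nothing to authorize
    acl = LOCAL_ACL.get(resource, {})
    return any(action in acl.get(g, set()) for g in p.groups)

def access(user: str, password: str, resource: str, action: str) -> bool:
    """The two steps chained, in the order the thread describes: identity first, then policy."""
    return authorize(authenticate(user, password), resource, action)
```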
          • Dashrender @scottalanmiller

            @scottalanmiller said:

            @coliver said:

            If Microsoft continues to merge their platforms we could see a device with multiple "desktops" for lack of a better term. One would be a personal "desktop" the other would be business. This could allow policies and enforcement to be placed on one side of the phone and not the other. If a person leaves and it is a personal device a disabling the AD account could remove that "desktop" from the phone.

            That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?

            I guess this is how I see AD's involvement.

            • scottalanmiller @Dashrender

              @Dashrender said:

              @scottalanmiller said:

              That would be an MDM application feature though, right? Other than putting an interface for that into AD, how would AD be involved?

              I guess this is how I see AD's involvement.

              You want an interface in AD that isn't tied to the rest of the directory structure? How are you picturing this? Would the devices be in an OU (like "Mobile iOS" and "Mobile Windows")?

              I understand why having things all in one place is nice. Since Mac and UNIX machines aren't managed in this way, though, and since the things that you need for MDM generally need interface features not available in AD's management.... is this actually valuable? If we had this today, would it actually do something positive? Maybe it would, I'm just trying to picture this. Beyond technical issues, just purely thinking at an interface level, would it be good?

              Having used our own MDM, I can't see wanting it in AD. Maybe most people want a lot less from their mobile management than I do?

              • Dashrender

                I guess I want MDM in Windows like I have GPs in Windows - I don't want an add-on product for managing corporate resources.

                I agree that I can't manage nix or Macs (though I suppose that would be nice), and the desire might be pie in the sky - but yes I want this.

                As for logging into the phone with an AD account, part of the on boarding of the device could setup another logon type that more closely resembles what we use today.

                I don't ever see a phone being a multi-user device, just like most PCs aren't really a multi-user device in a business, even though they could be. So I suppose that would be a skipped option.

                • A Former User @Dashrender

                  @Dashrender said:

                  I guess I want MDM in Windows like I have GPs in Windows - I don't want an add-on product for managing corporate resources.

                  But MDMs already have Policy Profiles, which would be the equivalent of GPs. You wouldn't see the GP features by integrating with AD, just the authentication services. There is just too much difference in the types of devices and their OS to see that much integration.

                  • Dashrender @A Former User

                    @thecreativeone91 said:

                    @Dashrender said:

                    I guess I want MDM in Windows like I have GPs in Windows - I don't want an add-on product for managing corporate resources.

                    But MDMs already have Policy Profiles, which would be the equivalent of GPs. You wouldn't see the GP features by integrating with AD, just the authentication services. There is just too much difference in the types of devices and their OS to see that much integration.

                    If they can add 1000+ items to GP for Windows 8, why can't they do the same for mobile devices?

                    • Carnival Boy

                      Currently I manage around 100 PCs and laptops which are assigned to users who use them for e-mail, ERP, CRM, web browsing, the intranet, accessing shared files, messaging and phoning (via the local PBX). They are managed through AD and domain accounts.

                      I manage around 25 iPhones which are assigned to users who use them for e-mail, ERP, CRM, web browsing, the intranet, accessing shared files, messaging and phoning (via the phone carrier). They are managed through Meraki MDM and Apple accounts.

                      I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC. I'm not that technical. For me they are all just computers that users do work on. All I know is that managing computers with AD is tons better than managing computers with Meraki and Apple, added to the fact that having two systems to master and manage is worse than having one.

                      • Carnival Boy

                        If we define AD fairly narrowly in terms of PCs and servers then you could say that in a post-PC/Cloud world AD is becoming redundant. Maybe in a few years time we won't be running AD at all.

                        But could AD adapt and become more than what it currently is? Could it develop MDM features that would make third-party MDMs obsolete? Microsoft isn't going down that route, and is developing InTune, but InTune isn't free, sadly.

                        • Carnival Boy

                          Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.

                          I'd cope with a 5 inch wifi only "tablet" running Windows Pro, which I'd pair with a $100 mini Android phone. That way, I could leave the "tablet" at home if I know I'm going to be in the mosh pit at an Iggy Pop gig or dancing like a madman in a club at 2am.

                          • scottalanmiller @Dashrender

                            @Dashrender said:

                            As for logging into the phone with an AD account, part of the on boarding of the device could setup another logon type that more closely resembles what we use today.

                            I don't ever see a phone being a multi-user device, just like most PCs aren't really a multi-user device in a business, even though they could be. So I suppose that would be a skipped option.

                            So, if I am reading this correctly, basically you want AD to not be AD and do something completely different and THEN integrate with the phones? Like "AD integration" actually means "replace AD?"

                            I'm still confused. What role would AD play here?

                            • scottalanmiller @Dashrender

                              @Dashrender said:

                              If they can add 1000+ items to GP for Windows 8, why can't they do the same for mobile devices?

                              That's GP, not AD. You can already do this with MDM. Phones are not computers, integrating with AD won't move you in the direction that you desire. If phones had GP, okay, maybe. But then you'd create all kinds of other issues (required VPN connections, for example.)

                              Basically you want MDM but you want it called AD, is what I am seeing. Why does calling it AD matter?

                              • scottalanmiller @Carnival Boy

                                @Carnival-Boy said:

                                I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.

                                It's not me, the OS vendors define that when they create the OS. A mobile platform (like people call a phone) operates a certain way that is very different than how any traditional OS in use today works. They work more like a Commodore 64 than a modern desktop.

                                • scottalanmiller @Carnival Boy

                                  @Carnival-Boy said:

                                  If we define AD fairly narrowly in terms of PCs and servers then you could say that in a post-PC/Cloud world AD is becoming redundant.

                                  AD is a thing, it's not a concept. It is purely Microsoft's own LDAP server with a Kerberos authentication system layered on top. Nothing more. LDAP provides directory and authentication services, Kerberos helps to secure that. Anything more than that isn't AD.

                                  • scottalanmiller @Carnival Boy

                                    @Carnival-Boy said:

                                    But could AD adapt and become more than what it currently is? Could it develop MDM features that would make third-party MDMs obsolete? Microsoft isn't going down that route, and is developing InTune, but InTune isn't free, sadly.

                                    It could only if you allow AD to become something wholly different. Like can a car become a train? Sure, if the company that makes it stops making cars, starts making trains but names the train "car".

                                    AD is a very specific thing, doing anything else would make it something else.

                                    • scottalanmiller @Carnival Boy

                                      @Carnival-Boy said:

                                      Maybe in a few years time we won't be running AD at all.

                                      Possible but I doubt it. Companies like control. They don't like the complexity that MDM brings. For corporate shared assets, AD and other LDAP products make sense.

                                      • Carnival Boy @scottalanmiller

                                        @scottalanmiller said:

                                        @Carnival-Boy said:

                                        I'll leave the likes of @scottalanmiller to define the difference between a phone and a PC.

                                        It's not me, the OS vendors define that when they create the OS.

                                        I mean define for the purposes of this thread. As in explain to non-technical people like me what the difference is. Though joining a Commodore 64 to a domain would be pretty cool.

                                        • scottalanmiller @Carnival Boy

                                          @Carnival-Boy said:

                                          Anyway, what I really want for myself is a 5 inch phone running full Windows Pro. Then AD just works.

                                          So you want a 5" Windows laptop / tablet that can make calls. I understand wanting that and it makes sense. How do you want calls to work? Do you want them to go to ANYONE using that computer or only to you? Do you want AD on that device so that anyone in the company can use your phone and sign in as themselves? If so, do they get your calls?

                                          • scottalanmiller @Carnival Boy

                                            @Carnival-Boy said:

                                            I'd cope with a 5 inch wifi only "tablet" running Windows Pro, which I'd pair with a $100 mini Android phone. That way, I could leave the "tablet" at home if I know I'm going to be in the mosh pit at an Iggy Pop gig or dancing like a madman in a club at 2am.

                                            That's almost available today, just not down to 5".
