First published on CloudBlogs on Jun 11, 2014
There’s no doubt that an explosion of private, generally unmanaged devices is underway. Sometimes organizations want to save money and so encourage users to supply their own devices; sometimes users sneak devices in the back door without waiting for IT policy to catch up; and sometimes users simply prefer their own device, or want to carry a single device that holds both work and personal data and connections. Whatever the impetus, Bring Your Own Device (BYOD) has arrived. Of course, with BYOD come new security threats and new compliance concerns, yet when users are restricted or cannot use a mobile device at all, frustration grows and productivity plummets. The Windows Server 2012 R2 operating system introduces two new concepts for devices; the first is device registration (known as Workplace Join), a feature of Active Directory Federation Services (AD FS).
Workplace Join
You implement device registration by using the Workplace Join feature of AD FS. Users can register their devices to allow single sign-on scenarios or to gain access to corporate data that may otherwise be blocked. Prior to Workplace Join, a device was either in the domain or it wasn’t. Of course, to be in the domain, it also had to be a PC. Various management tools (including Microsoft System Center Configuration Manager and Exchange ActiveSync [EAS]) helped to bridge the gap, but it was still essentially binary. Non-Microsoft mobile device management tools became popular, but even with all of this in place, you couldn’t control which resources a mobile device could access and which it couldn’t. Now, there are essentially three states for any given device:
- Unknown. Usually a BYOD device over which IT has no control and that isn’t domain joined (and possibly can’t be domain joined).
- Registered, or known. By registering the device, the user makes it “known” to the organization. This device can be recognized and even become part of seamless two-factor authentication.
- Domain joined. Devices under the organization’s full control.
Setting up the Workplace Join infrastructure
You need to complete a few steps to get Workplace Join up and running:
- Configure a Group Managed Service Account (gMSA) to be used with AD FS. (You can use a normal service account, but a gMSA is recommended.)
- Obtain Secure Sockets Layer (SSL) certificates (usually publicly trusted for BYOD).
- Install and configure AD FS on Windows Server 2012 R2.
- Initialize and enable device registration in AD FS.
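The four steps above, scripted as an added example (not code from the original post), run in an elevated PowerShell session on the Windows Server 2012 R2 server that will host AD FS. The domain name, federation service name, gMSA name and the already-imported SSL certificate are assumed values.

```powershell
# Added example: scripted Workplace Join prerequisites on Windows Server 2012 R2.
# Assumptions: domain contoso.com, federation service adfs1.contoso.com, gMSA "adfs-gmsa",
# the ActiveDirectory module available, and the SSL cert already in the machine store.
Import-Module ActiveDirectory
$Domain      = "contoso.com"
$ServiceName = "adfs1.contoso.com"
$GmsaName    = "adfs-gmsa"
$NetBios     = (Get-ADDomain).NetBIOSName
$GmsaId      = "$NetBios\$GmsaName`$"          # DOMAIN\name$ form expected by AD FS cmdlets

# Step 1: Group Managed Service Account.
# A KDS root key must exist once per forest before any gMSA can be created
# (-EffectiveImmediately still takes ~10 hours to replicate in a multi-DC forest).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME`$"
Install-ADServiceAccount -Identity $GmsaName   # allow this host to retrieve the managed password

# Step 2: SSL certificate. Select the publicly trusted cert whose subject matches the
# federation service name; BYOD clients will not trust an internal-CA certificate by default.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServiceName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $Cert) { throw "No certificate with private key for $ServiceName in the machine store" }

# Step 3: Install and configure AD FS as a new farm using the gMSA.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $Cert.Thumbprint `
    -FederationServiceName $ServiceName `
    -GroupServiceAccountIdentifier $GmsaId

# Step 4: Initialize and enable device registration (creates the Device Registration
# Service objects in AD and enables the /EnrollmentServer endpoints clients use to join).
Initialize-ADDeviceRegistration -ServiceAccountName $GmsaId
Enable-AdfsDeviceRegistration

# Check: the device registration endpoints should now be listed as enabled.
Get-AdfsEndpoint | Where-Object { $_.AddressPath -like "*EnrollmentServer*" } |
    Format-Table AddressPath, Enabled -AutoSize
```

Clients locate the service through DNS, so a record for `enterpriseregistration.contoso.com` pointing at the federation service is also needed before the device-side steps below will succeed.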
Walkthrough of device registration
For BYOD registration to be effective, it has to work with the devices that users have. That includes devices that run Apple iOS, Google Android, and of course PCs running Windows 8.1 that for one reason or another are not joined to the domain. Configuring a Windows client is easy as long as it’s Windows 8.1:
- Log on to Windows 8.1 (with a Microsoft account or local account).
- Swipe in from the right edge of the screen, tap Settings, and then tap Change PC Settings.
- Tap Network, tap Workplace, and then tap Join.
- Enter your corporate user name in the user principal name format (login_name@domain.ext), and then tap Join.
- When prompted, enter your domain credentials.
For an iOS device:
- Open Safari, and navigate to the endpoint for iOS devices. The URL will be something like https://adf1s.contoso.com/enrollmentserver/otaprofile .
- Log on to the web page using a company domain account.
- You will be prompted to install a profile. On the Install Profile screen, tap Install.
- When prompted to confirm installation of the profile, tap Install Now.
- If your device requires a PIN to unlock it, you will be prompted to enter your PIN.
- The profile installation is complete when you see the Profile Installed screen. Tap Done.
Published Sep 08, 2018, Version 1.0, by the Microsoft Security and Compliance Team
Security, Compliance, and Identity Blog