Registering BYOD devices

First published on CloudBlogs on Jun, 11 2014
There’s no doubt that an explosion of private, generally unmanaged devices is underway. Sometimes, organizations want to save money and so encouraged users to supply their own devices; sometimes, users would sneak devices in the back door without waiting for IT policy to catch up; and sometimes, users preferred their own device or wanted to carry one device that held work and personal data and connections. Whatever the impetus, Bring Your Own Device (BYOD) has come to be. Of course, with BYOD comes new security threats and new compliance concerns. When users are restricted or cannot use a mobile device, frustration may grow and productivity may plummet. The Windows Server 2012 R2 operating system introduces two new concepts for devices, device registration (known as Workplace Join which is a feature of Active Directory Federation Services).

Workplace Join

You implement device registration by using the Workplace Join feature of AD FS. Users can register their devices to allow single sign-on scenarios or to gain access to corporate data that may otherwise be blocked. Prior to Workplace Join, a device was either in the domain or it wasn’t. Of course, to be in the domain, it also had to be a PC. Various management tools (including Microsoft System Center Configuration Manager and Exchange ActiveSync [EAS]) helped to bridge the gap, but it was still essentially binary. Non-Microsoft mobile device management tools became popular, but even with all of this in place, you couldn’t control which resources a mobile device could access and which it couldn’t. Now, there are essentially three states for any given device:

• Unknown . Usually a BYOD device over which IT has no control and that isn’t domain joined (and possibly can’t be domain joined)
• Registered, or known. By registering the device, the user makes it “known” to the organization. This device can be recognized and even become part of seamless two-factor authentication.
• Domain-joined computers. Devices under the organization’s full control

The organization can now decide with much more flexibility and granularity which group of devices can access which information. For example, you may allow unknown devices to access applications with lower sensitivity such as an intranet but require devices to register (with Workplace Join) before they can access the internal HR and Finance site. When a user registers a device, it’s a “give and get” scenario. The user “gives” by registering the device and in turn “gets” access to resources. Although some users may not be willing to make their device known to the organization, the organization may in turn choose not to allow them to access confidential information. Technically speaking, during registration, a certificate is installed on the device and a new device record is created in the AD DS. This device record establishes a link between the user and their device. Because the device is now “in” AD DS, it can be used as part of a claims-based authentication process (Active Directory Federation Services [AD FS]) and referenced in conditional access policies.

Setting up the Workplace Join infrastructure

You need to complete a few steps to get Workplace Join up and running:

1. Configure a Globally Managed Service Account (gMSA) to be used with AD FS. (you can use a normal service account but a gMSA is recommended)
2. Obtain Secure Sockets Layer certificates (usually publicly trusted for BYOD).
3. Install and configure AD FS on Windows Server 2012 R2)
4. Initialize and enable device registration in AD FS.

Walkthrough of device registration

For BYOD registration to be effective, it has to work with the devices that users have. That includes devices that run Apple iOS, Google Android, and of course PCs running Windows 8.1 that for one reason or another are not joined to the domain. Configuring a Windows client is easy as long as it’s Windows 8.1:

1. Log on to Windows 8.1 (with a Microsoft account or local account).
2. Swipe in from the right edge of the screen, tap Settings , and then tap Change PC Settings .
3. Tap Network , tap Workplace , and then tap Join .
4. Enter your corporate user name in the user principal name format ( login_name @ domain.ext ), and then tap Join .
5. When prompted, enter your domain credentials.

From an iOS device, the process is equally straightforward:

1. Open Safari, and navigate to the endpoint for iOS devices. The URL will be something like https://adf1s.contoso.com/enrollmentserver/otaprofile .
2. Log on to the web page using a company domain account.
3. You will be prompted to install a profile. On the Install Profile screen, and then tap Install .
4. When prompted to confirm installation of the profile, tap Install Now .
5. If your device requires a PIN to unlock it, you will be prompted to enter your PIN.
6. The profile installation is complete when you see the Profile Installed screen. Tap Done .

You should now be back in Safari. You’ll see a message letting you know that you can close or leave Safari. With Samsung Android, the user can register their device using the “Add Account” process, choosing Active Directory.  This will step the user through the same process or requesting their credentials and completing the Workplace Join. That’s it. Your device is now registered by using Workplace Join. For details and instructions on how to set up a test lab, see Walkthrough Guide: Workplace Join with an iOS Device . In our next post, I’ll talk about synchronizing data to home or personal devices while maintaining information protection. NEXT BLOG POST IN THIS SERIES: Syncing and protecting corporate information (Coming June 12) Catch-up with the previous entries in this blog series: Part one: Setting up the environment here Part two: Making resources available to users Learn more about Access and Information Protection here .