Microsoft Azure App Enables Workplace Join Connections for Android Devices

Microsoft has advanced its Workplace Join support for devices running the Android operating system.

The latest announcement is the release this week of an updated authentication application for Android devices that facilitates the trusted access of those devices to an organization's premises-based apps. End users with Android devices can now establish such relationships via an Azure Authenticator app that was released at the Google Play store on January 13.

The Azure Authenticator app is part of Microsoft's Workplace Join scenario, which is designed to enable secure access to resources by non-domain-joined devices, such as Android and iOS devices. This bring-your-own-device (BYOD) scenario works by putting a certificate on those devices as part of the protection scheme. IT pros can assign the Azure Authenticator app for Android devices to end users so that they can establish the trusted connection themselves.

This release of the Azure Authenticator app for Android devices currently just supports conditional access to premises-based resources -- that is, those apps that are maintained on an organization's servers. It doesn't currently support conditional access to cloud-based apps associated with the Azure Active Directory service. However, Microsoft is working to add cloud apps support in a future release, according to the company's announcement today.

End users of the Azure Authenticator app for Android devices get either single sign-on access to apps, meaning that they don't have to log in every time to access different resources within an organization, or they get optional multifactor authentication access. Multifactor authentication, which Microsoft recommends using, requires a second form of verification, such as responding to an alert automatically sent to a mobile device, to establish the trust relationship. Microsoft describes the Azure Authenticator setup process for end users in this MSDN library article.

Workplace Join is a feature of Windows Server 2012 R2 that establishes so-called "conditional access" to resources by non-domain-joined devices. Organizations wanting to use Workplace Join need to have multiple components in their computing environments. In addition to requiring Windows Server 2012 R2, organizations need to have Active Directory on premises and a subscription to Azure Active Directory Premium. IT pros need to turn on Windows Server 2012 R2 Federation Services, which is a role in the server, and point it via Azure Active Directory. They also need to run the Web Application Proxy role of the server. Using Workplace Join requires updating the schema for Windows Server 2012 R2. Those details are outlined in this MSDN library conditional access article.

It might have been thought that support for Android devices was already fully baked into the Workplace Join feature, but it seems to be evolving somewhat. Workplace Join was rolled out early on for Windows 8.1 clients and then later extended to Windows 7 clients. The MSDN article on setting up conditional access states that Android 4.0 and later devices are supported for Workplace Join, as well as certain Android-based Samsung devices (Samsung GS3 or greater and Samsung Note2 or greater devices). Apple iOS 6 and greater devices also are supported using Workplace Join.

Samsung pioneered support for Workplace Join on Android devices via its Knox mobile security platform. Samsung had declared Knox support for Microsoft's Workplace Join feature as early as late February 2014. However, the arrival of Microsoft's Azure Authenticator app for Android devices, a key part of the authentication scheme, seems to have lagged that announcement by nearly a year.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

