To Join or Not To Join Microsoft's Workplace Join
Suppliers of mobile device management and Active Directory management tools have various levels of support for the new Microsoft Workplace Join feature.
Microsoft introduced Workplace Join in Windows Server 2012 R2 to make it easier to connect employee-owned tablets and smartphones and other device types not designed to join an Active Directory domain -- notably iPads and Android-based tablets and phones. Of course, that also includes Windows RT tablets and phones based on the Microsoft Windows Phone OS.
Workplace Join allows administrators to join personal devices providing two-factor authentication and single sign-on to enterprise network resources and applications. When enrolling a device using Workplace Join, Active Directory can retrieve the attributes of that device providing "conditional access for the purpose off authorizing issuance of security tokens for applications," according to Microsoft.
But as the article, "Manage Mobile Devices and Policies in Active Directory", on how to implement Workplace Join warns, it has limitations. Workplace Join is only designed to simplify resource access and is not intended as a complete mobile device security feature. It also doesn't provide Group Policy settings that can be applied to mobile devices, has limited access control mechanisms and doesn't provide the types of device security controls available with ActiveSync polices.
For its part, Microsoft doesn't market Workplace Join as a mobile device management solution, though it's enabled in the company's own new Enterprise Mobility Suite, and specifically the Intune management service, so perhaps it might become a requirement in the future.
Various suppliers of mobile device management software and Active Directory administration tools say their offerings provide more comprehensive methods of authenticating mobile and user-owned devices. Those tools typically use various means of connectivity including Microsoft Exchange ActiveSync, Apple Push Notification Service (APNS) and Google Cloud Messaging (GCM). Whether Workplace Join becomes a preferred means of enrolling mobile devices in Active Directory domains remains to be seen.
So far, integration between Workplace Join and third-party tools is at a formative stage. A few offer it in some form, while others don't see a need for it at this point. Chris Ashley, a product manager at Dell Software, says customers have inquired about Workplace Join support. "Among customers I have actually talked to, they're actually excited about this feature, they're just holding off mostly because of the fact they're still running a lot Windows 7 desktops," Ashley says. "But it's something they want to introduce. A feature like this is really cool, but sometimes you do find those little shortcomings that make it a procedure."
Dell last month released a new module for its Active Administrator tool for Active Directory management. The new module aids in the management of a certificate, which is a key part of setting up Workplace Join, according to Ashley. It will install the certificate on the server so when it expires, an administrator can update it. The new module also makes it possible to assign access to resources via IP addresses. The benefit of using Active Administrator, Ashley notes, is that it supports management of Group Policy Objects.
"Certainly any policies that you use to provide access to the servers internally, we can cover," he says. "We're able to manage those policies, to recover them if they're messed up and give it confidence to change those policies because we can roll those polices back, if the change has a detrimental effect."
The new module, called Active Administrator for Certificate Management, provides DNS management capability in addition to certificate management. "The DNS management capability is important because there are two records that you have to create to make sure devices that are trying to register with Workplace Join can actually locate the machines that are required," Ashley says. "So being able to manage those records, and monitor that those records exist and that they can be reached will also be important to folks who are trying to leverage Workplace Join."
Down the road, Ashley says Dell is evaluating how its tools, which in addition to Active Administrator include GPO Manager, might add more security to devices registered using Workplace Join. An example would be more refined policy management, but factoring into that will be new capabilities delivered by Microsoft in the next release of Windows Server and Windows 10, as well as customer demand.
Mobile Device Management
Tomas Vetrovsky, director of product management at Mountain View, Calif.-based MobileIron, a supplier of mobile device management software, says customers have inquired about integrating its namesake software with Workplace Join. "Our customers would like to use Workplace Join, mainly for single sign-on," Vetrrovsky says. "But right now I don't see many customers adopting it."
With MobileIron software, while it connects to Active Directory, once the authentication is established, it handles management and policies, he says. In and of itself, Workplace Join wasn't designed to work with GPOs, Vetrovsky adding it doesn't need to when using mobile device management (MDM). "The GPO-based approach was designed for devices that are connected on the local area network," he says. "As soon as you start talking about tablets or laptops that are spending most of the time somewhere on the Internet, just connecting from the outside, MDM provides real-time management that's better than the GPO approach."
Another major MDM supplier that will integrate with Workplace Join is Good Technology, but Eugene Liderman, the company's director, public sector technology, says users of the Good Dynamics Secure Mobility Platform don't need it.
"Good can be complementary to Workplace Join or operate completely independent of it," Liderman says. "If you look at the majority of what Workplace Join provides, which is visibility to enrolled devices, some basic device-level control and single sign-on to certain back-end resources, all of this can be provided by the Good Dynamics Secure Mobility Platform. The major difference is that Good provides this without having to upgrade the Active Directory schema like Workplace Join requires."
Liderman adds that Good Dynamics respects the user-state in Active Directory when a user requests network access. For example, if a user is removed/suspended/deactivated in
Active Directory, its tools will prevent that user from gaining access to network resources/data/messages. In addition, he says while Workplace Join focuses on device-level control, Good Dynamics can support device-level control via MDM. "More important, it can also enable application-level controls and policy management, as well as single sign-on access to various back-end resources whether through Good's secure browser or through a native iOS or Android application secured with the Good SDK," he says.
Customizable Policy Management
Paul Moore, co-founder and chief technology officer at Centrify Corp., says Workplace Join is very similar to the mobile device enrollment in the Centrify Suite, but the latter offers more customizable policy management. "An admin can set up devices so that they have zero sign-on to corporate resources, but still have precise control over what users can do," Moore says. "For example, an admin can indicate that an app is only accessible from enrolled devices, at certain times of the day, from particular device types, from specified countries, etc."
Centrify also offers full device management capabilities, with features including remote wipe, lock and find for end users, and centralized policy management for administrators, he says. The centralize policy management permits the configuration of e-mail settings, the installation of applications, VPN setup, device restrictions and so on.
No Workplace Join Integration
Blake Branon, lead solutions engineer at AirWatch, acquired by VMware Inc. last year, says AirWatch provides more advanced security controls via the AirWatch Secure Email Gateway (SEG). The gateway enforces granular policies to allow or disallow access to corporate content, as well as such variables as device type, OS, encryption and whether a device is jail broken. It does make use of access control lists (ACLs), as well as Windows PowerShell support. "AirWatch and Workplace Join are mutually exclusive so a customer would either use Workplace Join and manage it with Active Directory or use AirWatch," Branon says.
Others who question the need to use or integrate with Workplace Join are Renee Bradshaw, senior solutions marketing manager at NetIQ Corp. Bradshaw argues its NetIQ Access Manager provides simpler single sign-on capabilities than Workplace Join. That's because Workplace Join requires Active Directory Federation Services, "which is a nightmare to use," Bradshaw says. "NetIQ Access Manage also doesn't need to bother with the management of Group Policies."
ManageEngine, which supplies an MDM tool called Desktop Central, also doesn't plan to integrate with Workplace Join, according to Ananth Vaidyanathan, a product marketing manager. "We don't actually integrate with Workplace Join and we don't recommend that," he says. "It is not a mandatory thing to have Workplace Join for managing mobile devices using the product Desktop Central," adding that customers haven't requested Workplace Join integration. But he says if it's necessary in the future the company would provide it.