For more than two decades, IT admins have relied on Active Directory (AD) or LDAP to broker network access for users, to control user access privileges for sensitive company assets, and to apply security policies across the organization. But with cloud-based business applications now an integral part of the enterprise IT application landscape, AD integration has become a stumbling block for many. Make no mistake, though: AD/LDAP is still widely regarded as the central source for enforcing security policies on users and entities within an organization. AD is not being displaced to accommodate cloud applications; rather, there is a need for tighter, more transparent integration between them. This is achieved by single sign-on (SSO) through an Identity and Access Management (IAM) solution such as Kaseya AuthAnvil. However, IT applications are just one piece of the IT security puzzle.
IT admins have also relied on AD to enforce security policies on user endpoints such as desktops and laptops. These endpoints used to be predominantly Windows-based machines, but the influx of mobile devices (smartphones, tablets, and phablets) has radically transformed the user endpoint landscape. This transformation is not just a matter of device form factor; the underlying architectures and operating systems limit and alter the way these devices can be managed. This introduces challenges for IT admins when it comes to managing mobile devices and has led to a surge of point solutions for mobile device management.
Why use AD Integration to import mobile users?
IT admins typically group users in AD under “Security Groups” and use these groups to apply security policies to users when they access desktops, laptops, servers and the network in general. Active Directory, by itself, does not extend security policies to mobile devices the way it does to desktops, servers and laptops.
The solution, therefore, is to augment AD by providing a one-to-one mapping between security groups in AD and sets of mobile device security settings. This enables IT admins to continue relying on AD as the sole source of security grouping for users while ensuring:
- Fast on-boarding of users – with a few clicks you can onboard hundreds of users in minutes
- AD based access privileges on mobile devices when company data/resources are being accessed
- Centralized mapping of security policies to users on desktops, laptops or mobile
If mobile users and devices are on-boarded manually without using AD, the security profiles set up in AD and those enforced on the mobile devices tend to drift out of sync over time. This in turn creates bigger problems for IT admins, such as:
- Rise of Shadow IT/Stealth IT where users are able to bypass IT approval to get to applications and services they need, leading to potential data loss/leakage
- Inconsistencies in mobile security and Enterprise IT security policies
- Multiple points of potential failure in enforcing IT security across the organization
How is AD augmentation possible without wrecking IT security?
The key design principle that enables this AD augmentation is for the Mobile Device Management (MDM) solution to associate mobile security profiles with users; the profile a user is associated with determines which device security settings are applied to that user's mobile devices. To leverage the existing AD setup, security groups within AD map directly to the security profiles in the MDM solution.
Obviously, opening up a connection to AD/LDAP raises security concerns. But this AD augmentation can reinforce security if the following technical considerations are observed:
- The MDM solution should require only an inbound read-only connection to the AD server from a single whitelisted IP address – the AD should never be open to the entire internet.
- Users are imported (on-boarded) into the MDM solution only from Active Directory, using security groups in AD.
- The AD should have separate security groups of users specifically for mobile management. It is often an inaccurate assumption that the non-mobile focused security groups in AD will work for mobile security and vice-versa.
- Devices should be mapped to the on-boarded users once they install and register the MDM Agent on their devices using the unique activation code emailed to them from the MDM admin screen.
- The user mobile devices should never access the AD directly for authentication – the AD authentication must happen via an AD authentication component (typically called directory integration service) within the MDM solution using a secure read-only connection.
- The AD authentication component within the MDM solution should never store any user credentials; it acts only as a relay for AD authentication.
With such an implementation, every on-boarded mobile user gets a specific set of device security settings based on the AD security group they belong to, which is mapped to one of the security profiles set up in the MDM solution. If a user needs a higher level of security on their devices, they must be made a member of the AD security group that is mapped to the higher security profile.
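The following Python is an added example, not code from Kaseya or from the original post, that models the design just described: a one-to-one map from mobile-specific AD security groups to MDM security profiles, on-boarding driven only by group membership, a source-address check for the read-only directory connection, and a credential relay that keeps no password. The group DNs, profile names, device settings and LDAP rows are all constructed for illustration; the `bind` callable stands in for the directory-integration service's real LDAP bind.

```python
"""Constructed example: AD security groups mapped to MDM security profiles.

The LDAP rows below are hand-made stand-ins for what a read-only directory
search (returning memberOf) would yield; no directory is contacted.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# Assumed one-to-one mapping: mobile-specific AD security group -> MDM profile.
# Groups not listed here (Domain Users, VPN-Users, ...) never on-board anyone.
GROUP_TO_PROFILE: Dict[str, str] = {
    "CN=Mobile-Standard,OU=Mobile,DC=example,DC=com": "standard",
    "CN=Mobile-Finance,OU=Mobile,DC=example,DC=com": "high",
}

# Assumed device settings per profile. "rank" resolves a user who sits in more
# than one mapped group: the higher-ranked (stricter) profile wins.
PROFILES: Dict[str, Dict[str, object]] = {
    "standard": {"rank": 1, "passcode_min_length": 6, "encryption_required": True, "camera_allowed": True},
    "high":     {"rank": 2, "passcode_min_length": 8, "encryption_required": True, "camera_allowed": False},
}

# Constructed sample rows, shaped like entries from a read-only LDAP search.
SAMPLE_AD_USERS: List[Dict[str, object]] = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "memberOf": ["CN=Mobile-Standard,OU=Mobile,DC=example,DC=com",
                  "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    {"sAMAccountName": "bob", "mail": "bob@example.com",
     "memberOf": ["CN=Mobile-Standard,OU=Mobile,DC=example,DC=com",
                  "CN=Mobile-Finance,OU=Mobile,DC=example,DC=com"]},
    {"sAMAccountName": "carol", "mail": "carol@example.com",
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com",
                  "CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
]


def profile_for(member_of: List[str]) -> Optional[str]:
    """MDM profile implied by a user's group list, or None when the user is in
    no mobile-specific group (and so is not on-boarded at all)."""
    matched = [GROUP_TO_PROFILE[g] for g in member_of if g in GROUP_TO_PROFILE]
    if not matched:
        return None
    return max(matched, key=lambda name: PROFILES[name]["rank"])


def onboard(ad_users: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Build the MDM user list from directory rows: only members of a mapped
    group are imported, each carrying the device settings of their profile."""
    imported: Dict[str, Dict[str, object]] = {}
    for row in ad_users:
        name = profile_for(row["memberOf"])
        if name is None:
            continue  # not in any mobile security group: nothing to on-board
        settings = {k: v for k, v in PROFILES[name].items() if k != "rank"}
        imported[row["sAMAccountName"]] = {"mail": row["mail"], "profile": name, "settings": settings}
    return imported


def directory_connection_allowed(source_ip: str, allowed_sources: List[str]) -> bool:
    """Firewall-style check on the AD side: accept the inbound read-only
    directory connection only from the listed source(s) (here a single /32),
    never from the whole internet."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(net, strict=False) for net in allowed_sources)


def relay_authenticate(username: str, password: str,
                       bind: Callable[[str, str], bool]) -> Dict[str, object]:
    """Relay a device login to the directory. `bind` stands in for the
    directory-integration service's read-only LDAP bind (assumed interface:
    returns True when AD accepts the credentials). The password is passed
    through and the local reference dropped; the returned record never holds it."""
    ok = bind(username, password)
    del password
    return {"username": username, "authenticated": ok}


def _constructed_bind(username: str, password: str) -> bool:
    # Constructed stand-in for an LDAP simple bind; real code would bind to AD.
    return (username, password) == ("alice", "correct horse")


if __name__ == "__main__":
    for user, record in onboard(SAMPLE_AD_USERS).items():
        print(user, record["profile"], record["settings"])
    print("MDM host allowed:", directory_connection_allowed("10.0.5.20", ["10.0.5.20/32"]))
    print("Internet host allowed:", directory_connection_allowed("203.0.113.9", ["10.0.5.20/32"]))
    print(relay_authenticate("alice", "correct horse", _constructed_bind))
```

Note that carol is never imported: she is in Domain Users and a VPN group, but neither is a mobile-specific group, which is exactly the separation the considerations above call for. Bob lands on the "high" profile because the stricter of his two mapped groups wins; moving a user to a higher profile is done in AD, by group membership, not in the MDM console.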
In summary, AD integration in an MDM solution simplifies mobile device management for IT admins and makes it feel like an extension of managing desktops and laptops. With the right architecture, it is possible to augment Active Directory to manage mobile devices without wrecking IT security. This design principle is the cornerstone of building a Unified Endpoint Management solution.
Author: Varun Taware