iPads, Active Directory, and the Enterprise

MacDann
Dec 12, 2010, 08:45 AM
I have been charged with writing a proposal to adopt iPads into our enterprise environment, which is currently 100% Windows (primarily XP, but slowly migrating to Windows 7).

This is a K-12 education environment, and the proposed adoption is for student use.

We currently use Active Directory for authentication, control and management of our hardware and user accounts.

As I look over the documentation from Apple in their business white papers, I see mention of the use of certificates, but little or nothing relating to Active Directory.

If anyone here is currently using an iPad in an AD environment, I would like to hear about their experiences. I have people on staff who are familiar with the use of certificates, so I don't see that being a problem. What does concern me is the security aspect, especially authentication and the control of devices and updates that we currently perform through the use of group policies and AD.

Thanks in advance for the help,

MD



tunerX
Dec 12, 2010, 09:00 AM
The iPad is a standalone device. There isn't a way to tie it into a proprietary directory service like Active Directory.

Once the user has access to the UI, they have complete control of the device unless you have apps and such that allow the use of passwords. Again, those passwords will be single-user.

You can use some functions of LDAP and tie that in with MS LDAP for basic directory services but nothing as holistic as AD and group policy management. Your only safety would be using content filtering appliances, firewalls, and keeping the iPad infrastructure isolated from the enterprise core aside from certain ports and protocols.

MacDann
Dec 12, 2010, 09:16 AM
Based on what I have been able to determine at this point, you have confirmed my fears. With no multiple-user capabilities, nor the ability to authenticate through AD, these things are going to be a real handful to manage. Granted, they are being proposed to be deployed at one site only, which would make management a *little* easier, but the problems created by these issues are really going to make them a totally separate environment, or so it would seem.

Thanks a bunch - you have aggregated a lot of issues into one document.

MD



PhoneI
Dec 12, 2010, 10:40 PM
If you are using ActiveSync to sync your iPad devices to a corporate Exchange email system, you will need to enable the users in Active Directory to complete the sync.

In addition, you can require user account credentials if you are connecting to a corporate wireless infrastructure.

JS207
Mar 17, 2012, 02:24 PM
I just noticed that there is a new free offering out there called Centrify Express for Mobile that integrates iPads and iPhones into Active Directory (i.e. they join the domain like a Windows or Mac system) and you get AD authentication, group policies for iOS settings, use ADUC to wipe/lock devices, etc. You might want to check it out here: https://www.centrify.com/mobile/free-mobile-device-security-management.asp. I read about it on Cult of Mac here: http://www.cultofmac.com/146569/centrify-makes-ios-management-easy-for-windows-it-pros-and-does-it-for-free-feature/

Bankerts
Mar 17, 2012, 02:27 PM
Have no fear. Use an MDM provider like MobileIron or AirWatch which talks to your AD. Close down your Exchange and wireless so they need certificate-level authentication, and push the certificates via MDM.

Works great for the 8000+ iDevices my company has deployed.

mattpreston11
Mar 17, 2012, 02:37 PM
This is why BlackBerrys are still huge.

russmcintire
Jan 17, 2013, 09:47 AM
Have no fear. Use an MDM provider like MobileIron or AirWatch which talks to your AD. Close down your Exchange and wireless so they need certificate-level authentication, and push the certificates via MDM.

Works great for the 8000+ iDevices my company has deployed.

Do you or your company have any documentation for setting this up? We are exploring this and are not sure how to proceed.

Ratatapa
Jan 17, 2013, 09:49 AM
We use iPads in our environment (car sales).

They go into the back lot with the customer, then over Wi-Fi they RDP into the server to calculate the price in front of the client.