Here at 4sysops we've covered how to manage Active Directory from your Apple iOS-based devices such as iPhones, iPads, and iPod touches. However, this blog post turns that paradigm around 180 degrees: How can we manage a fleet of iDevices from within Active Directory?
Microsoft provides a framework for managing its own mobile hardware, specifically Windows Phone-based smartphones and Windows RT-based tablets. On the other hand, Microsoft gives administrators little to no help when we have to apply security policies to Apple mobile hardware.
In this blog post I will present your primary options for solving this problem. We'll spend most of our time discussing Apple's own solution, as it is cost-effective and gives Active Directory administrators as much control as possible over the iDevice deployment. We'll finish up with some third-party competitors in this space.
Apple, Microsoft, and the "magic triangle"
For $999 Apple will sell you a Mac mini computer with OS X 10.8 "Mountain Lion" Server pre-installed. As an alternative, you can install Mountain Lion Server on any Intel-based Apple computer from the Apple App Store for $20. I show you the latest Mac mini model in the screenshot below.
Unfortunately, Apple no longer manufactures rack-mounted servers.
Now that you have an OS X Server machine up and running in your network, what next? Well, the metaphor of the "magic triangle" was developed as a way to describe the relationship between Microsoft's Active Directory and Apple's Open Directory directory service.
Think of the Apple iDevice as one point of the triangle, Active Directory as the second point, and Open Directory as the third. In this mixed environment, the iOS device hardware is managed from Open Directory, and the logged-on user is an Active Directory user who is trusted by the Open Directory realm.
The inner details of the magic triangle configuration are beyond the scope of this article. However, let me give you the abbreviated summary:
- Set up the OS X Server computer as an Open Directory master
- Bind the OS X Server computer to the Active Directory domain; this creates a computer account for the Mac in AD (although the Mac has no Group Policy client, so binding alone does not let you manage it with Group Policy)
- Use the Workgroup Manager tool on your Open Directory server to retrieve a list of Active Directory user and group accounts
Profile Manager
Are you with me so far? Mountain Lion Server includes a Web application called Profile Manager that enables you to centrally manage all of your network's iDevice hardware. You can control practically every aspect of the iDevices: which actions are allowed, which are disallowed, and so forth. You can even perform a remote wipe if a company-owned iDevice is stolen. I show you the Profile Manager interface in the screenshot below.
You can control all aspects of your company's iDevices by using Apple Profile Manager.
Again, walking you through the full Profile Manager setup would take an entire article unto itself. Here is the "CliffsNotes version" of the process:
- Install an SSL digital certificate on the OS X Server computer
- Create and populate Open Directory groups for your managed iOS devices
- Create and deploy management profiles to your iDevice groups
- Enroll managed iDevices with the OS X Server
The iDevice enrollment process takes place on the iDevice itself and can be completed by either the administrator or the end user. Once the iDevice has been added to the server group, you can view the managed iDevice through the Profile Manager Web portal.
Administrators can manage iDevices through a mobile-friendly Web console.
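The management profiles that Profile Manager pushes to enrolled iDevices are XML property lists made up of payloads. As an added example (not code from the original post or from Apple), the script below parses a constructed sample profile with Python's plistlib and audits its passcode-policy payload against a local baseline before deployment; the payload keys follow Apple's Configuration Profile Reference, while the identifiers, values and baseline thresholds are assumptions for this example.

```python
import plistlib

# Constructed sample of the XML plist format behind an iOS configuration
# profile (assumption: payload keys follow Apple's Configuration Profile
# Reference; identifiers and values are made up for this example).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.ios.baseline</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>com.example.ios.baseline.passcode</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Local baseline this example checks against (assumption, not an Apple value).
MIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 10
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

def audit_profile(raw: bytes) -> list:
    """Parse a profile and return findings for its passcode policy payload."""
    profile = plistlib.loads(raw)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not policies:
        return ["no passcode policy payload in profile"]
    policy, findings = policies[0], []
    if not policy.get("forcePIN", False):      # iOS default: passcode optional
        findings.append("forcePIN not set: passcode is optional")
    if policy.get("allowSimple", True):        # iOS default: simple codes allowed
        findings.append("allowSimple: repeating or sequential passcodes allowed")
    if policy.get("minLength", 0) < MIN_LENGTH:
        findings.append(f"minLength {policy.get('minLength', 0)} below {MIN_LENGTH}")
    if "maxFailedAttempts" not in policy or policy["maxFailedAttempts"] > MAX_FAILED_ATTEMPTS:
        findings.append("maxFailedAttempts unset or too high: no wipe after failures")
    return findings
```

Run against the sample, the audit flags the simple-passcode setting and the four-digit minimum; a profile with no passcode payload at all is reported as a single finding.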
Third-party alternatives
As nifty as the Apple Profile Manager system is, some Windows systems administrators won't or can't be bothered to introduce more Apple technology in their environment than is absolutely necessary.
To that point, several third-party vendors sell iOS device management solutions that operate within a more traditional Active Directory context.
Perhaps the best known of these solution providers is Centrify, which offers a tool called Centrify for Mobile.
What's so appealing about Centrify is that you can manage your iOS devices completely from within Active Directory, using (a) in-box Active Directory management tools such as the Group Policy Object Editor and Active Directory Users and Computers, and (b) no additional Apple hardware at all.
Centrify means you can manage Apple hardware with Group Policy.
Here are some additional companies who offer AD-centric or cloud-centric iOS device management tools: