Integrate Active Directory (AD)
Most organizations use Active Directory to simplify user management, identity management and user authentication. Mobile Device Manager Plus integrates with your organization's Active Directory to help leverage its benefits.
Advantages of Directory Integration
- Enroll with AD credentials
Mobile devices can be enrolled into MDM by using the users' AD credentials for authentication. This serves as an alternative to the one-time password (OTP), or as an additional layer of security with two-factor authentication.
- Self enrollment
Self enrollment allows users to enroll devices without the need for the admin to send out multiple invites. The enrollment is authenticated using the user's AD credentials. This feature can be used only after integrating the organization's AD with MDM. Upon integration, the admin can also restrict users of certain AD groups from enrolling devices using self enrollment.
- Login with AD credentials
The admin or technicians can log in to the MDM portal using their AD credentials for better security.
- Auto suggest users
After integrating MDM with AD, the users' email IDs and names are auto-suggested when an enrollment request is created. This helps the admin create enrollment requests more quickly.
- Automatic update of user accounts
If there is a change in a user's e-mail address, display name or other attributes in AD, it is automatically updated in the accounts configured with Mobile Device Manager Plus.
Integrating AD with MDM
To integrate your organization's AD with MDM, navigate to Enrollment -> Directory Services. Now, click on Integrate/Add Domain and choose the directory type.
- If On-Premises AD is chosen, enter the following details and click on Add Domain to complete the integration.
- Domain Name
- Domain User Name
- AD Domain Name
- Domain Controller Name
- If Azure AD is chosen, enter the Azure OAuth details to secure and complete the integration process.
- Obtain the Client ID and Client Secret from the Microsoft portal. These details are specific to your organization.
- Once the Client ID and Client Secret have been specified, click on Integrate.
- You can check the integration status under Directory Services > Domains.
- If G Suite is chosen, enter the following details and click on Save to complete the integration.
- Domain Admin Account
- If Okta is chosen, enter the Org URL and Token Value by following the steps given below.
- Sign in to your Okta organization as a user with administrator privileges.
- Provide the Org URL from the top-right corner of your dashboard (excluding "https://"). Your Org URL will look like this:
- id.example.com, if you have configured a custom URL domain.
- Now, create a Token.
- If you use the Developer Console, select Tokens from the API menu.
- If you use the Administrator Console (Classic UI), select API from the Security menu, and then select Tokens.
- Click on Create Token and provide a name for the Token.
- Now, make a note of the Token Value, which is displayed only once, and enter it in MDM. Note: If the Token Value is not noted down, you must create another Token and specify its Token Value.
NOTE: Self Enrollment and Groups Sync are currently not supported for G Suite.
Once the domain is added, it will be listed on this page. Admins can also integrate multiple ADs with MDM. If you have integrated G Suite with MDM during Chromebook Enrollment, you can view the details on this page as well.
Sync with AD
Mobile Device Manager Plus syncs with the AD once every day to fetch the details. In the case of On-Premises AD and the G Suite directory, the complete data is synced, whereas for other directories only the modifications are noted and posted back to MDM.
The admin can initiate a manual sync with the directory services by clicking either Sync all or Sync only modified. As the names suggest, clicking Sync all syncs the complete directory again with MDM, while Sync only modified syncs only the changes made after the previous sync.
Sync AD groups
After integrating AD with MDM, you can also choose to sync the AD groups directly to MDM. With this, the admin can manage devices by associating profiles and distributing apps and documents directly to the AD groups.
Enable group sync by clicking on Enable groups sync under the Actions column. This will sync all the groups from the selected domain and these groups will be available in Groups and Devices in the Device Mgmt tab.
Similarly, group sync can be disabled by clicking on Disable group sync. This disables all the synced groups in MDM; the profiles, apps and documents associated through those groups will have to be removed manually by the users or the admin.
To remove an AD from MDM, you need to ensure that no user from that directory has any enrolled devices or pending enrollment requests. Once this condition is met, click on Action and then Delete to disassociate the AD from MDM.
Note: The users and groups will be listed on the MDM server even after disassociating the AD and need to be removed manually by the admin.