BYOD Basics: Enabling the use of Consumer Devices using Active Directory in Windows Server 2012 R2

Microsoft recently released Windows Server 2012 R2 Preview, which includes several improvements to Active Directory. Some of the most noteworthy enhancements to Active Directory in Windows Server 2012 R2 Preview are in response to the proliferation of consumer devices in the workplace.

Join personal devices to the workplace

Windows Server 2012 R2 Preview allows users to join their personal devices, both Windows and iOS devices, to Active Directory through Workplace Join, which registers the device without requiring a full domain join. Once a personal device is Workplace-Joined, the device itself can serve as a second authentication factor (the device is authenticated in addition to the user) and provides single sign-on (SSO) to corporate resources and applications.

Workplace Join leverages a feature included in the Active Directory Federation Services (AD FS) role in Windows Server 2012 R2 Preview, called Device Registration Service (DRS). DRS provisions a device object in Active Directory when a device is Workplace Joined. Once the device object is in Active Directory, attributes of that object can be retrieved and used to provide conditional access to resources and applications. The device identity is represented by a certificate that DRS provisions to the personal device during Workplace Join. Because that certificate identifies the device and not the person holding it, device-based claims establish only that a known device is present; the user still authenticates separately, which is why the device works as an additional factor rather than a replacement for one.
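The DRS setup and the device objects it creates are easiest to see from the AD FS server itself. The following is an added example, not code from the original post: it enables DRS on a Windows Server 2012 R2 AD FS farm and then lists the msDS-Device objects that Workplace Join writes to the RegisteredDevices container. The domain contoso.com, the service account contoso\adfssvc, the farm name adfs.contoso.com and the specific msDS-* attribute names selected are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes domain contoso.com,
# AD FS service account contoso\adfssvc, and an AD FS farm at adfs.contoso.com.

# 1. Prepare the forest and the farm for device registration.
#    Initialize-ADDeviceRegistration creates the DRS configuration and the
#    RegisteredDevices container; Enable-AdfsDeviceRegistration switches the
#    service on in the farm. Both need enterprise admin rights.
Initialize-ADDeviceRegistration -ServiceAccountName 'contoso\adfssvc'
Enable-AdfsDeviceRegistration

# 2. Let AD FS authenticate the device certificate as an additional factor.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Clients locate DRS through the well-known name
#    enterpriseregistration.<UPN suffix>, which must resolve to the farm.
#    (Assumes the zone is hosted on AD-integrated DNS.)
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' `
    -Name 'enterpriseregistration' -HostNameAlias 'adfs.contoso.com'

# 4. After a user Workplace-Joins a device, DRS has created an msDS-Device
#    object. List them with the attributes that conditional access can use
#    (attribute names assumed from the 2012 R2 schema).
$domainDn = (Get-ADDomain).DistinguishedName
$props = 'displayName', 'msDS-DeviceID', 'msDS-DeviceOSType',
         'msDS-DeviceOSVersion', 'msDS-IsEnabled'
Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
    -SearchBase "CN=RegisteredDevices,$domainDn" -Properties $props |
  Select-Object $props

# 5. Lost or retired device: disabling the object makes AD FS stop trusting
#    that device's certificate without touching the user's account.
#    (Replace the DN with the one printed in step 4.)
# Set-ADObject -Identity 'CN=<device guid>,CN=RegisteredDevices,DC=contoso,DC=com' `
#     -Replace @{ 'msDS-IsEnabled' = $false }
```

Step 4 is the check worth running after the first Workplace Join in a lab: if no msDS-Device object appears, the client never reached DRS, and the DNS alias in step 3 is the usual cause.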

Provide users access to applications and services from anywhere

Windows Server 2012 R2 Preview includes a new Remote Access role service, called Web Application Proxy, which provides external access to applications and services from anywhere. Web Application Proxy is a reverse proxy that lets an organization give users outside the organization access to applications running on servers inside the organization.

Web Application Proxy publishing works for any device, including corporate laptops, home computers, tablets, and smartphones. Users are not required to install any additional software on their device to access published applications.

Web Application Proxy is more granular than a traditional VPN: users gain access only to the applications that have been published, not to the internal network as a whole. Web Application Proxy must be deployed with AD FS, which enables pre-authentication of external users and features such as single sign-on.
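Publishing is what makes the access granular, so the step to get right is the publishing command. The following is an added example, not code from the original post: it joins a Web Application Proxy server to an AD FS farm and publishes one claims-aware application with AD FS pre-authentication. The farm name adfs.contoso.com, the application name "Contoso Expenses", the host expenses.contoso.com, and a wildcard certificate thumbprint are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes a WAP server in the
# perimeter network, an AD FS farm at adfs.contoso.com, a relying party trust
# named "Contoso Expenses" already configured in AD FS, and a *.contoso.com
# certificate installed on the WAP server (thumbprint below is a placeholder).

$certThumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed value

# 1. Install the role service (Remote Access > Web Application Proxy).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Register the proxy with the farm. The credential must be an AD FS
#    administrator; the certificate fronts the federation service name.
$adfsCred = Get-Credential -Message 'AD FS administrator'
Install-WebApplicationProxy -FederationServiceName 'adfs.contoso.com' `
    -FederationServiceTrustCredential $adfsCred `
    -CertificateThumbprint $certThumb

# 3. Publish exactly one application. ExternalPreauthentication ADFS means an
#    outside user must authenticate to AD FS, and pass that relying party's
#    authorization rules, before any request reaches the backend. Hosts that
#    are not published are simply not reachable through the proxy.
#    External and backend URLs are kept identical so that redirects issued by
#    the application keep working.
Add-WebApplicationProxyApplication -Name 'Contoso Expenses' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Contoso Expenses' `
    -ExternalUrl 'https://expenses.contoso.com/' `
    -ExternalCertificateThumbprint $certThumb `
    -BackendServerUrl 'https://expenses.contoso.com/'

# 4. Review the external attack surface: this list is everything an outside
#    client can reach through the proxy.
Get-WebApplicationProxyApplication |
  Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

Compare this with a VPN, where a connected device reaches whatever the internal network routes; here step 4 is the complete inventory of what is exposed, and a `PassThrough` entry in that output is the thing to look for during a review because it bypasses AD FS pre-authentication.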

Managing risk with multi-factor access control and multi-factor authentication

Enabling users to join personal devices to the workplace and providing access to applications and services from anywhere comes with additional risks. Windows Server 2012 R2 Preview includes enhancements to AD FS that are intended to manage these risks.

The main function of AD FS is to issue a security token that contains a set of claims. Claim rules govern which claims AD FS accepts and which it then issues. In AD FS in Windows Server 2012 R2 Preview, access control is enhanced to take multiple factors into account, including user, device, location, and authentication data. AD FS exposes a greater variety of claim types for use in authorization claim rules; AD FS in Windows Server 2012 R2 Preview includes 62 claim types.

AD FS in Windows Server 2012 R2 Preview enables administrators to configure additional authentication methods beyond the primary authentication mechanism. Primary authentication methods are built in and are intended to validate the user's identity. You can configure additional authentication factors to request more evidence of the user's identity, either globally or per relying party, and consequently enforce stronger authentication where the risk warrants it.
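The two preceding paragraphs describe the same mechanism from two sides: authorization rules that consume user, device, location and authentication-method claims, and additional authentication rules that decide when a second factor is demanded. The following is an added example, not code from the original post, that configures both for one relying party on Windows Server 2012 R2 AD FS. The relying party name "Contoso Expenses" is an assumption; the claim type URIs are the ones AD FS 2012 R2 issues for network location (insidecorporatenetwork), device registration (isregistereduser) and completed authentication methods (authnmethodsreferences).

```powershell
# Added example (not from the original post). Assumes a relying party trust
# named "Contoso Expenses" already exists and that device authentication is
# enabled in the global authentication policy.

$rp = 'Contoso Expenses'

# Issuance authorization rules decide who receives a token at all.
# Rule 1: any request that arrives from inside the corporate network.
# Rule 2: a request from outside is permitted only when it comes from a
#         device the same user Workplace-Joined (isregistereduser is true only
#         for the registering user) AND the user completed MFA.
# A request matching neither rule receives no permit claim and is denied.
$authzRules = @'
@RuleName = "Permit from inside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit registered device with MFA from outside"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 && c3:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value == "http://schemas.microsoft.com/claims/multipleauthn"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Additional authentication rules decide when the second factor is demanded.
# This one triggers MFA for every request that does not originate inside the
# corporate network, which is what lets rule 2 above be satisfied. The MFA
# method itself (for example certificate authentication) is chosen separately
# with Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider.
$mfaRules = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName $rp `
    -IssuanceAuthorizationRules $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# Read the configuration back; a typo in a claim type URI does not raise an
# error, it just produces a rule that never matches and a silent deny.
Get-AdfsRelyingPartyTrust -TargetName $rp |
  Select-Object Name, IssuanceAuthorizationRules, AdditionalAuthenticationRules
```

Rule ordering matters less than the flow: AD FS evaluates the additional authentication rules during sign-in, so by the time the issuance authorization rules run, authnmethodsreferences already records whether MFA happened. An external request from an unregistered device is prompted for MFA, passes it, and is still denied by rule 2 because c2 fails; that is the intended outcome, since the device factor and the MFA factor are required together for outside access.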

Download Windows Server 2012 R2 Preview and test these BYOD scenarios in your own lab.