Devices Management: Azure AD Join vs. Azure AD Device Registration vs. Domain Join

For a start, please read this article: https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/. It covers the details of these matters.

So why am I writing this? As IT professionals we can read those technical articles and understand terms like MDM, MAM, ConfigMgr/SCCM, AAD and GPO, but customers don't. When a customer wants a device management solution, they often ask "What kind of device management can you offer?" or "What kind of device management do you have?". Then we start telling them "use Intune MDM, or use ConfigMgr, or use both"... and the customer still has no idea what they want or what we can offer. And then we start talking about CYOD, BYOD...

OK, let's start all over again. Here are some options for customers (please correct me if I have understood these wrongly).

  1. Do you allow employees' personal devices to access company data? Example: email, SharePoint documents.

    Answers:

    1) Yes, users are allowed to access company data without conditions –> Do nothing. (Not recommended.)

    2) Yes, users are allowed to access company data, and the company also has the right to control the device –> CYOD (Choose your own device):

    Use Azure AD join together with automatic MDM enrollment into Intune (the join alone does not give you remote wipe; the MDM enrollment does), and make sure users understand that the company can wipe their personal device remotely when necessary.

    Use WIP (with enrollment) and AIP for data separation, leak protection and sharing protection.
    https://www.petri.com/azure-information-protection-versus-windows-information-protection-overview-part-1
    https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection

    Use conditional access.
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

    Use ConfigMgr to deploy applications to the devices and to manage them.

    3) Yes, access to company data is allowed with restrictions and conditions, but the company is not allowed to control the personal device (personal privacy law) –> BYOD (Bring your own device):

    Use Azure AD device registration.
    Use AIP, and use WIP without enrollment (MAM-WE).

    Here is an excellent article about WIP, written by Niall Brady:
    https://www.windows-noob.com/forums/topic/15654-using-intune-to-enable-wip-to-protect-enterprise-data-on-windows-10-devices-mam-we/

    Use conditional access:
    https://practical365.com/clients/mobile-devices/intune-mam-conditional-access-policies/

    4) No, block everything –> Tell your employees that it is not allowed. There are many ways to enforce that, but no details this time. 🙂

  2. Do you allow external users to access your company data from devices they own?

    Answers:
    Since the devices are not owned by your company, there is no other choice but BYOD.

  3. For company-owned devices, do you have a domain controller? (I do hope the customer knows what this means..)

    Yes –> Domain join. Use GPO and ConfigMgr to manage the devices (customers probably don't want to know about those, as long as they get all the applications they wanted and everything works). Additionally use AIP.

    No –> Azure AD join. Same as CYOD.

  4. For company-owned devices that are domain joined, do you want more control over how users access company information?
    Yes –> Domain joined + Azure AD device registration (automatic registration of domain-joined devices, today called hybrid Azure AD join). Additionally use WIP (without enrollment) and AIP.

    No –> Domain joined.


A simple understanding of CYOD, BYOD and domain joined

CYOD: The device can be personally owned or company owned, and it is under the control of the company. The IT department can use ConfigMgr to deploy applications to the devices. (Managing these internet-based clients requires a ConfigMgr cloud distribution point and a cloud management gateway.)
https://blogs.technet.microsoft.com/arnabm/2017/08/27/client-installation-over-internet/

BYOD: The device is personally owned and is not under the control of the company, but there are restrictions on how company-internal information can be accessed from it.

Domain joined: The device is company owned (unless the company lets users join personal devices to the domain). The IT department can use ConfigMgr, GPO and other tools to control the device.

Domain joined + Azure AD registration: Same as domain joined. Additionally you get single sign-on to Azure AD resources and can use WIP (without enrollment).
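When a customer cannot tell you which of these states a given Windows 10 machine is in, the quickest check is `dsregcmd /status`. Here is an added example (my own PowerShell, not code from the original post or from Microsoft) that parses that output and maps the AzureAdJoined / DomainJoined / WorkplaceJoined flags onto the four scenarios above. It assumes dsregcmd.exe is present (Windows 10 1607 and later) and that those fields are printed as "Name : YES|NO" lines; the sample output embedded in the script is constructed and abridged, not captured from a real machine.

```powershell
# Added example (not part of the original post): classify a Windows 10 device's
# join state from "dsregcmd /status" output and map it onto the scenarios above.
# Assumptions: dsregcmd.exe exists (Windows 10 1607 or later) and prints the
# fields AzureAdJoined, DomainJoined and WorkplaceJoined as "Name : YES|NO".

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Lines of "dsregcmd /status" output; when omitted the command runs locally.
        [string[]]$StatusText
    )

    if (-not $StatusText) {
        $StatusText = & dsregcmd.exe /status
    }

    # Collect every "Key : YES|NO" line into a hashtable of booleans.
    # The three keys we need occur once each (Device State / User State sections).
    $flags = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # A missing key indexes to $null, which [bool] turns into $false.
    $aad    = [bool]$flags['AzureAdJoined']    # device object exists in Azure AD
    $domain = [bool]$flags['DomainJoined']     # joined to an on-premises AD domain
    $wpj    = [bool]$flags['WorkplaceJoined']  # per-user "Add work or school account"

    # Map the raw flags onto the scenarios discussed in this post.
    $scenario = if ($aad -and $domain) {
        'Domain joined + Azure AD device registration (hybrid Azure AD joined)'
    } elseif ($aad) {
        'Azure AD joined (CYOD, or company-owned without a domain controller)'
    } elseif ($domain) {
        'Domain joined only (GPO / ConfigMgr managed)'
    } elseif ($wpj) {
        'Azure AD registered (BYOD: WIP without enrollment + conditional access)'
    } else {
        'Not joined or registered (no company control)'
    }

    [pscustomobject]@{
        AzureAdJoined   = $aad
        DomainJoined    = $domain
        WorkplaceJoined = $wpj
        Scenario        = $scenario
    }
}

# Constructed sample, abridged to the relevant lines: a personally owned laptop
# where the user added a work account (Azure AD registered, i.e. BYOD).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : YES
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample | Format-List

# Against the local machine (requires dsregcmd.exe on the box):
# Get-DeviceJoinState | Format-List
```

The same distinction is visible from the tenant side with the AzureAD PowerShell module: Get-AzureADDevice returns a DeviceTrustType of Workplace (Azure AD registered), AzureAd (Azure AD joined) or ServerAd (domain joined and registered), so when a device does not get the expected conditional access or WIP behaviour you can compare the client view from dsregcmd with what Azure AD believes the device to be.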
