Devices Management: Azure AD Join vs. Azure AD Device Registration vs. Domain Join

September 6, 2017

To start, please read this article: https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/. It covers the details of these matters.

So why am I writing this? As IT professionals, we can read those technical articles and understand terms like MDM, MAM, ConfigMgr/SCCM, AAD and GPO, but customers don't. When a customer wants a device management solution, they often ask "What kind of device management can you offer?" or "What kind of device management do you have?". Then we start telling them "use Intune MDM, or use ConfigMgr, or use both", and the customer has no idea what they want or what we can offer. And then we start talking about CYOD, BYOD...

Updated (Dec. 6, 2017): we can also have hybrid joined devices, meaning domain joined + Azure AD joined, and use the new co-management feature of ConfigMgr/Intune to manage them. Please read the setup details here: http://www.scconfigmgr.com/2017/11/23/how-to-setup-co-management-part-1/

OK, let's start all over again. Here are some options for customers (please correct me if I have understood these wrongly).

  1. Do you allow employee personal devices to access company data? Example: emails, SharePoint documents?

    Answers:

    1) Yes, users are allowed to access company data without conditions –> Do nothing. (Not recommended)

    2) Yes, users are allowed to access company data, and the company also has the right to control the device –> CYOD (Choose your own device):

    Use Azure AD join, and make sure users understand that the company can wipe their personal device remotely when necessary.

    Use Windows Information Protection (WIP) (with enrollment) and Azure Information Protection (AIP) to control data separation, leak protection and sharing protection.
    https://www.petri.com/azure-information-protection-versus-windows-information-protection-overview-part-1
    https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-information-protection

    Use conditional access.
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

    3) Yes, access to company data is allowed with restrictions and conditions, but the company is not allowed to control the personal device (personal privacy law) –> BYOD (Bring your own device):

    Use Azure AD device registration.
    Use Windows Information Protection (WIP) (without enrollment)
    and Azure Information Protection (AIP)

    Here is an excellent article about WIP, written by Niall Brady:
    https://www.windows-noob.com/forums/topic/15654-using-intune-to-enable-wip-to-protect-enterprise-data-on-windows-10-devices-mam-we/

    Use conditional access
    https://practical365.com/clients/mobile-devices/intune-mam-conditional-access-policies/

    4) No, block everything –> Tell your employees that it is not allowed. There are many ways to do that, but no details this time. 🙂

  2. Do you allow external users to access your company data from their own devices?

    Answers:
    Since the devices are not owned by your company, there is no other choice but BYOD.

  3. For company owned devices, do you have a domain controller? (I do hope the customer knows what this means..)

    1) Yes –> Domain join. Use GPO and ConfigMgr to manage devices (customers probably don't want to know about those, as long as they get all the applications they want and everything works). Additionally use Azure Information Protection (AIP).

    2) No –> Azure AD join. Same as CYOD.

  4. For company owned devices that are domain joined: do you want more control over how users access company information?

    1) Yes –> Domain joined + Azure AD device registration. Additionally use Windows Information Protection (WIP) (without enrollment) and Azure Information Protection (AIP).

    2) No –> Domain joined.


Simple understanding of CYOD, BYOD, Domain joined

CYOD: The device can be personally owned or company owned; it is under the company's control. The IT department can use ConfigMgr to deploy applications to devices. (This requires installing a ConfigMgr cloud distribution point and cloud management gateway.)
https://blogs.technet.microsoft.com/arnabm/2017/08/27/client-installation-over-internet/

BYOD: The device is personally owned and is not under the company's control, but there are restrictions on how company internal information can be accessed.

Domain joined: The device is company owned (unless the company lets users join personal devices to the domain). The IT department can use ConfigMgr, GPO and other tools to control devices.

Domain joined + Azure AD registration: Same as domain joined. Additionally you can control single sign-on and WIP (without enrollment).
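To tell these four states apart on an actual Windows 10 machine, an administrator checks the output of the built-in `dsregcmd /status` tool rather than guessing from how the device was provisioned. The PowerShell script below is an added example and not part of the original post: it parses the YES/NO rows that `dsregcmd /status` prints (the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields) and maps them onto the categories described above, including the hybrid joined case from the December update. The sample output embedded in the script is constructed for illustration, and the function names are my own.

```powershell
# Added example (not part of the original post): classify a Windows 10 device's
# join state from the output of the built-in `dsregcmd /status` tool.
# The sample output below is constructed; on a real machine replace it with:
#   $status = dsregcmd /status

function Get-JoinStateFields {
    param([string[]]$StatusLines)
    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "Name : VALUE" rows; keep only the YES/NO ones and
        # skip headers, separators and free-text values such as DomainName.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $fields
}

function Get-DeviceJoinType {
    param([hashtable]$Fields)
    # A missing key evaluates to $null, which is treated as NO.
    $aad    = $Fields['AzureAdJoined']   -eq $true
    $domain = $Fields['DomainJoined']    -eq $true
    $wpj    = $Fields['WorkplaceJoined'] -eq $true

    if ($aad -and $domain) { return 'Hybrid Azure AD joined (domain joined + Azure AD joined)' }
    if ($aad)              { return 'Azure AD joined (CYOD, or company owned without a domain controller)' }
    if ($domain -and $wpj) { return 'Domain joined + Azure AD registered' }
    if ($domain)           { return 'Domain joined only' }
    if ($wpj)              { return 'Azure AD registered (BYOD)' }
    return 'Not joined or registered'
}

# Constructed sample: a domain-joined device whose signed-in user has also
# completed Azure AD device registration (question 4, answer 1 above).
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

$fields = Get-JoinStateFields -StatusLines $sampleStatus
Write-Output ("Join type: " + (Get-DeviceJoinType -Fields $fields))
```

For the constructed sample the script reports "Domain joined + Azure AD registered". One caveat worth knowing when reading real output: `WorkplaceJoined` sits under the "User State" section of `dsregcmd /status`, so Azure AD device registration is reported for the user who is signed in, not for the device as a whole; run the check in the context of the user whose access you are assessing.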

