August 17, 2015

Windows 10 Mobility - Part 2 - How it Works

Previously, I introduced the major themes for Mobility. Today, we're going to talk about how it works. If you missed the major themes article, may I suggest you check it out here.

First thing's first: getting started. In order to get Windows 10 Mobility running, you'll need an Azure AD (Premium) tenant up and running and configured to function properly. Some organizations will have used Azure Active Directory Connect to synchronize their directory to Azure AD. Those will typically want to make sure they select the proper options for bi-directional synchronization (don't be scared). Others, perhaps those wanting to separate their mobile warriors from on premise AD entirely, will choose to home these users and devices completely in Azure AD with no connection back to an on premise AD. This is perfectly normal!!! There is absolutely no rule that dictates how you configure on prem vs. cloud users, only best practices. Assuming all is set up, the next thing you need to do is permit your users to join a device:

From the old Azure Portal (don't get me started), go into your tenant and click configure, scroll down to devices and select one of the options below:
Enable User to Join Device to AAD
Note something really neat here:

  1. You can select WHICH users are permitted to Azure AD join a device, or all.
  2. You can force additional administrators onto the device when joining.
  3. You can require Multi-Factor authentication to Azure AD join - MFA is covered in depth in a future blog post on Identity!
  4. You can specify how many devices a user can join, and, if you are using Intune as well, you can specify additional requirements like what kind of device and what state the device is in.

It's important to note that Workplace Join and Azure AD join are not the same thing. Microsoft promises me they are getting the features and functionality matrix fixed soon. A comparison of these two functions will be covered in a future article.

Now that the plumbing is complete, you can join a device running Windows 10 to Azure AD! There are a variety of ways into this scenario. The first is what us techies call OOBE (Out Of Box Experience) - it's the screen you get when starting a brand new computer for the first time. With Windows 10, one of the questions it asks when you are setting up the computer is: Who Owns this PC?

Who Owns this PC. Image from
This image is taken from a non-RTM build of Windows 10 but is fairly representative of how the final product looks. If you answer "This device belongs to my organization..." it will then prompt you to log in with your company credentials. Boom - Azure AD joined.

Another way to Azure AD join is from a provisioning package after you set up your PC. Sorry, I couldn't scrounge up a pic that represented this scenario very well. Suffice to say, it is a special file that your admins can send you that lets you provision your device just by double clicking it. Finally, you can self join to Azure AD from the same screen you use to do a domain join:

Self Azure AD Join
From either of these scenarios, you then log in, agree to have your device managed and then you are all set. Now, your device is managed from Azure AD!

Okay, so now what? Well, it depends but just like joining a computer to a brand new domain, not much happens if you haven't configured other things. Here are some examples of things you can do!

  1. Auto provision the first party Windows 10 Apps (Mail/People/Calendar) with account information.
  2. Configure Office 365, OneDrive for Business and Skype for Business
  3. Hook into intranet based websites, servers and printers
  4. Deploy the Company Portal app which is the Business Application Catalog (currently supports only Universal apps but will be adding Win32 apps this fall).
  5. Control the device like selective wipe, password and pin policy, monitor app installations, monitor device location (MDM things).
  6. Install Win32 apps via Intune and all the other goodies that Intune brings like device health compliance, malware prevention, etc.
  7. Control/require MFA

The protocols for interacting with Azure AD are completely open and REST based, so there are lots of 3rd party opportunities here. It's a brand new market.

To wrap up this article, I'll pose a rhetorical question: Domain Join or Azure AD join? As with all things - it depends but it is one or the other. That's where consultants like me come in - helping you figure out what's best for your worker scenarios. Next up - Identity! I hope you'll stay tuned :)