Active Directory is a family of products. Besides the commonly known Active Directory Domain Services and Certificate Services siblings, the family consists of the Active Directory Lightweight Directory Services, Rights Management Services and Federation Services.
The latter received a major overhaul in Windows Server 2012 R2. One of the new features offered by Active Directory Federation Services is backed by Active Directory Domain Services: WorkPlace Join.
Active Directory Domain Services facilitate WorkPlace Join with a new object type, the msDS-Device object.
A primer on WorkPlace Join
WorkPlace Join, in my opinion, is a method to loosely couple devices (1) with a networking environment based on internet standards (2) to offer single sign-on (3) and rich authorization scenarios (4).
Let me explain in more depth:
- Although you can easily WorkPlace Join Windows 8.1-based devices through the new Control Panel, and WorkPlace Join Windows 7-based devices, too (through a separate download), you can also WorkPlace Join iOS and Android-based devices.
- You join these devices to Active Directory Domain Services (Ad DS) through the Device Registration Service (DRS) in Active Directory Federation Services (AD FS), based on federation-based protocols, encrypted using TLS and transported over HTTPS (TCP 443).
- When a device is WorkPlace Joined, a cookie on the device offers single sign-on (SSO) to web-based applications and services for the user profile (if any) that was used to WorkPlace Join the device.
- WorkPlace-Joined Devices, by default, offer more claimtypes than non-WorkPlace-Joined devices. These additional claimtypes may be used in rich authorization scenarios within the aforementioned applications and services.
Granted, iOS and Android-based devices don’t offer user profiles, today.
On Windows-based devices, though, WorkPlace Join is offered to the combination of the device object and the user account. When the device is used with another user account, the benefits of single sign-on and rich authorization scenarios are unavailable,
WorkPlace Join is not available for Windows 8 (8.0).
When you want to utilize WorkPlace Join, you need to meet these requirements:
- Your Active Directory Federation Services (AD FS) infrastructure needs to run Windows Server 2012 R2, or up.
- Your Active Directory Domain Services (AD DS) infrastructure needs to be prepared for Windows Server 2012 R2. This means you need to have run adprep.exe with the /forestprep and /domainprep switches and your Active Directory schema must read at least version 69.
- When you want to use the group Managed Service Account (gMSA) functionality for the Active Directory federation Services (AD FS) Service account(s), this requires the Windows Server 2012 Active Directory schema.
- Optionally, when you want to utilize the msDS-Primary-Computer attribute on user objects as a Group Policy scoping mechanism, this requires the Windows Server 2012 Active Directory schema and Windows 8.x clients.
Setting up WorkPlace Join
I’ve documented how to build an environment for WorkPlace Join (and other Windows Server 2012 R2-based Enterprise Mobility technologies like the Web Application Proxy and Work Folders) in Microsoft Azure for 4Sysops.com and you can find it through the links below:
- Building a BYOD lab in Microsoft Azure
- BYOD lab in Azure – Create virtual machines
- BYOD lab in Azure – Domain Controller, Certification Services
- BYOD lab in Azure – Active Directory Federation Services (AD FS)
- BYOD lab in Azure – Webserver
- BYOD lab in Azure – Trust relationships
Configuring WorkPlace Join on Windows 8.1 through the Control Panel
On devices running Windows 8.1 (and up), you can WorkPlace Join through the Control Panel of the New Interface.
To this purpose, perform these steps:
- Log on with the account that you wish to use to couple the device with the enterprise environment. This account does not need to have administrative privileges.
- While in the Start Screen, either:
- Press Ctrl + C to open the Charms menu. Click on Settings, then Change PC settings. In the Control Panel, in the left pane, click Network and then Workplace.
- Type (part of) Workplace settings and click on it in the Search results.
- In the text field under Enter your user ID to get workplace access or turn on device management enter the e-mail address or User Principal Name (UPN) for a valid account within Active Directory Domain Services. Click Join next.
- A pane will appear over the Control Panel section that allows you to authenticate to the Active Directory Federation Services (AD FS) infrastructure.
When you’ve enabled Multi-factor Authentication on WorkPlace Join, this pane will also feature the Multi-factor Authentication controls.
- When you successfully sign in, the combination of the device and user account will be WorkPlace-joined.
The Workplace settings screen can now be used to leave the workplace network, when you no longer want to combination of user and device to be trusted. The button labeled Leave serves this purpose.
- Now, after you’ve successfully authenticate to a claims-protected resource, the single sign-on (SSO) benefits for that resource will be enabled.
Configuring WorkPlace Join on Windows 8.1 through Group Policy
Windows 8.1 devices can also be automatically WorkPlace-Joined through Group Policy.
This behavior is governed by the Automatically workplace join client computers Group Policy setting under Policies, Administrative Templates, Windows Components, and finally Workplace Join.
When you configure this Group Policy setting to Enabled, any colleague that signs in with a domain user account on a domain-joined device in scope for the Group Policy object will be automatically and silently Workplace-Joined.
The Group Policy enables a Scheduled Task on the system that runs in the user’s context and is triggered on user sign-in. The task will silently Workplace Join the user and device with Active Directory after the User signs-in is complete, when the device is considered to be on the Intranet by the Federation Server.
Automatic WorkPlace Join has the following specific and additional requirements to the general requirements listed above:
- Devices must have connectivity to an Active Directory Domain Controller in order to Workplace Join. You cannot automatically WorkPlace Join through a reverse proxy solution, such as the Web Application Proxy.
- The AD FS Global Primary Authentication Policy must be configured to allow Windows Integrated Authentication for the Intranet. The Federation server used, needs to see the device to be joined as an inside device.
- Internet Explorer must use the following settings for the Local intranet security zone:
- Don’t prompt for client certificate selection when only one certificate exists: Enable
- Allow scripting: Enable
- Automatic logon only in Intranet zone: Checked
Luckily, the specific settings above are the default settings.
Configuring WorkPlace Join on Windows 7
For Windows 7 clients, both the Workplace Join functionality and the Control Panel of the New Interface are unavailable, by default. Although the New Control Panel will never make it to Windows 7 (and some people are very grateful for that), the WorkPlace Join functionality can be installed separately. The software package is available for download at the Microsoft Connect website.
You can distribute this package to Windows 7 devices through Group Policy and, for instance, System Center Configuration Manager. The use of the /quiet parameter is recommended in these scenarios.
Workplace Join for Windows 7 does not require or include a user interface. Once installed on the machine, any domain user that logs into the machine will be automatically and silently Workplace Joined with Active Directory; the installer creates a scheduled task on the system that runs in the user’s context and is triggered on user sign-in. The task silently Workplace-Joins the user and device with Active Directory after the user signs-in is complete. The Scheduled Task can be found in the Task Scheduler Library under Microsoft > Workplace Join.
The same additional requirements that apply to Automatic WorkPlace Join on Windows 8.1 apply to WorkPlace Join on Windows 7.
The msDS-Device Object
When you Workplace Join a device through this Active Directory Federation Services (AD FS) process, a Registered Device object is automatically created by the Device Registration Service (DRS) from within Active Directory Federation Services (AD FS). The Registered Device object, by default, is created in Active Directory Domain Services (AD DS) in a new container, labeled RegisteredDevices:
Registered Device objects (msDS-Device objects), by default, will be automatically created within this container for each of the devices you Workplace Join.
The first thing you’ll notice when examining these objects, is that, in contrast to domain-joined devices, the names for these objects are not very straightforward:
Additionally, in the left pane, many of the sections you’d normally see with user and device objects are missing. For instance, the ability to add Registered Devices to groups is not present.
However, in its attributes, a lot of useful information can be found on the device and the user account that was used to register it:
This attribute contains the hostname for the registered device.
- msDS-CloudIsManaged and msDS-IsManaged
These attributes contain true and false values to indicate whether the device is managed through Microsoft Intune and/or System Center Configuration Manager.
- msDS-DeviceOSType and msDS-DeviceOSVersion
These attributes contain strings to indicate the Operating System on the device, at the time when the device was registered. (If the device is upgraded, these attributes are not updated, unless a Mobile Device Management solution updates them for it.)
When looking for the user account object that registered the device, this attribute contains the Security identifier (SID) for it.
WorkPlace Join for Windows 7 and Windows 8.1-based devices offers a strategic expansion to Active Directory Domain Services into a dual identity stack. For iOS and Android-based devices, WorkPlace Join merely offers single sign-on (SSO) to enterprise applications and services. Something colleagues on these devices will appreciate strongly.
Walkthrough Guide: Workplace Join with a Windows Device
Walkthrough Guide: Workplace Join with an iOS Device
Automatic and Silent Workplace Join
IT Guide to Windows 8.1: Workplace Join
Workplace Join for Windows 7
WorkPlace Join overview
Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications