Configuring the maximum amount of devices colleagues can Workplace Join

We’ve discussed the WorkPlace Join functionality in Active Directory Federation Services in Windows Server 2012 R2 (and up) and the accompanying Registered Device objects in Active Directory Domain Services, and we’ve looked into granularly granting and revoking access to WorkPlace Join by specifying Issuance Authorization Rules for the Device Registration Services (DRS) and configuring the time-out before the Device Registration Services (DRS) deletes these Registered Device objects.

Today, let’s look at restricting the amount of devices a user can Workplace Join.

Note:
The default WorkPlace Join quota does not apply to administrators.
Members of the group Domain Admins (RID 512) can WorkPlace Join up to 2147483647 (2 31-1) devices as this is specifically defined in an Issuance Authorization Rule for the Device Registration Service (DRS) in Active Directory Federation Services (AD FS).

By default, domain users can WorkPlace Join up to 10 devices.

The quota of 10 devices a colleague can WorkPlace Join is strikingly identical to the quota of 10 devices a colleague can Domain Join, by default.

 

Changing the quota

The Device Registration Service (DSR) is exposed for authentication and authorization in Active Directory Federation Services (AD FS), but has its own distinct endpoint and service. Much of that is controlled to DRS-specific PowerShell Cmdlets.

You can change the inactivity time-out with the following steps:

  • Log in with an account that is a member of the Domain Admins group to a device capable of offering the Active Directory Federation Services 3.0 PowerShell module.
  • Start PowerShell
  • Perform this PowerShell one-liner:

Set-AdfsDeviceRegistration –DevicesPerUser n

You can specify a value between 0 and 1000 for n. When you specify 0, no quote will be applied to non-admin colleagues WorkPlace-joining devices.

  • Exit PowerShell and log off, or type logoff directly in PowerShell.

Tip!
You can check the current quote using the Get-AdfsDeviceRegistration PowerShell Cmdlet. You can also use this Cmdlet to check your change.

 

Concluding

You can change the inactivity clean-up time-out for the Device Registration Service (DRS) within Active Directory Federation Services (AD FS) with the Set-AdfsDeviceRegistration PowerShell Cmdlet.

Related blogposts

Granularly permitting or denying the right to WorkPlace Join
WorkPlace Join vs. Domain Join
New features in AD DS in Windows Server 2012 R2, Part 5: WorkPlace Join and Registered Device objects

Further reading

Set-AdfsDeviceRegistration
Get-AdfsDeviceRegistration
ADFS 3.0: Enabling Device Registration Service (DRS)
AD FS W2012 R2 – Workplace Join via WAP
Conditional Access with Azure Device Registration Service (aka Workplace Join)

Posted on January 6, 2015 by Sander Berkouwer in Active Directory Federation Services, Bring-Your-Own

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.