Windows 2000 started Microsoft’s Golden Age. With Active Directory and Group Policy you could control the settings on every PC and server on your network from a single screen. If you needed to tell every computer where to download Windows Updates, you checked a box. If you needed to turn off a Windows feature, you checked a box. As long as every PC in your domain was a Windows PC, management was a breeze.
BYOD forced diversity into the network
Fast forward to 2007. Two things changed IT forever:
- Microsoft introduced Windows Vista
- Apple introduced the iPhone
Within a few years, IT departments lost control of device selection and PC sales started declining for the first time ever.
When a CEO walks into the IT department with an iOS or Android device and says “Make it work,” you make it work. The vast majority of tablets sold today run iOS or Android which fall outside the control of Active Directory. It is reasonable to assume device diversity will continue to expand when you consider that Chromebooks now account for 20% of “PCs” sold to educational institutions and Android Laptops have been announced.
You still have to control mobile devices
If you connect a mobile device to your corporate network, regardless of what it is, you should have some control over it. For example, most phones can send and receive corporate email. Email is protected by a password on PCs but not necessarily on a phone. Companies should enforce a password policy on any device that can send or receive company email.
This requires Mobile Device Management (MDM) software. Even if the MDM solution integrates into Active Directory, this is another layer of complexity for the IT department to manage. It is one more thing to fix and configure, and one more thing that requires policies, oversight, auditing, disaster recovery, etc.
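As an added example (not from the original post) of the password policy described above, the following Exchange Management Shell script applies a device password policy to every mailbox that can sync corporate email over Exchange ActiveSync and then lists devices that have not applied it. It assumes an Exchange 2013+ or Exchange Online management session is already open; the policy name and threshold values are constructed for illustration.

```powershell
# Added example: enforce a device password policy on every mailbox that can
# receive corporate email over Exchange ActiveSync, then audit compliance.
# Assumes an open Exchange management session; policy name and values are constructed.

$PolicyName = "Corporate-Mobile-Baseline"   # assumed policy name

# 1. Create the policy once. Every key is a standard MobileDeviceMailboxPolicy parameter.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    $policyParams = @{
        Name                         = $PolicyName
        PasswordEnabled              = $true
        AlphanumericPasswordRequired = $true
        MinPasswordLength            = 8
        MaxPasswordFailedAttempts    = 10          # device wipes itself after 10 bad unlocks
        MaxInactivityTimeLock        = "00:05:00"  # auto-lock after five idle minutes
        DeviceEncryptionEnabled      = $true
        AllowNonProvisionableDevices = $false      # refuse devices that cannot enforce the policy
    }
    New-MobileDeviceMailboxPolicy @policyParams
}

# 2. Make it the default so newly created mailboxes inherit it automatically.
Set-MobileDeviceMailboxPolicy -Identity $PolicyName -IsDefault $true

# 3. Assign it to every existing mailbox that has ActiveSync enabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Set-CASMailbox -ActiveSyncMailboxPolicy $PolicyName

# 4. Audit: devices that have synced but not fully applied the policy.
#    A non-empty list means email is reaching devices without the password rules.
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object DeviceFriendlyName, DeviceType, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize
```

Run step 4 on a schedule; devices that keep syncing without the policy applied are the ones a fuller MDM product would need to quarantine.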
Can MDM replace Active Directory?
Some MDM systems work on Windows laptops as well as phones and tablets. If it can be installed on a laptop, it can be installed on a desktop. What if we pushed policies to computers using MDM instead of Active Directory (AD)?
To be honest, I don’t think MDM technology is able to replace AD ... yet ... but it may not be long before it can. This has made me very cautious about selecting products that require AD.
It is hard to imagine a world without some form of centralized user account database like AD but with cloud services the use of AD may become problematic.
The effect of the cloud on AD
Assuming you can handle the complexity of migration, you can integrate your existing AD infrastructure into Office 365. You can also sync AD with Google Apps via Directory Sync. Most other cloud applications have their own user account database which does not sync with AD.
This creates another problem. As we choose cloud applications we have to decide whether we want Single Sign On (SSO) via AD integration or to force end users to have multiple user accounts and passwords. Users will have a hard time remembering all their accounts, and IT will have to go to multiple sites to manage accounts. Neither solution is ideal.
Microsoft is building an MDM solution
Microsoft is building an MDM solution that is integrated into Active Directory and will manage iOS and Android devices. In many ways that sounds like the perfect solution, and it may be. Microsoft frustrated me in the early days of the cloud by creating products that only worked on Windows or Internet Explorer. I understand they were trying to protect Windows and Office, but it put them years behind in cloud and mobile development.
Microsoft’s early lack of vision in the cloud and mobile market makes me cautious about using their products on non-Microsoft devices. I can envision a world where their MDM solution is great on Windows Phone but lacks features for Android and iOS. I am worried about being tied to a vendor that could easily use one product to try to force me to use another. Conversely, management of the network would be much less cumbersome if I could use one console for MDM and user management.
One system to manage them all
At this time, I don’t see any alternative to using MDM to manage mobile devices and AD to manage users.
If Microsoft makes it easy and cost effective to manage mobile devices and users with AD they may be the best user management platform moving forward.
On the other hand, if their management tools and interfaces continue to be Windows-centric, their relevance is going to continue to decline to the point where third party management solutions will be a better choice.
It is hard for me to imagine a world without Active Directory, but if Microsoft doesn’t adapt all of its products to work well with other products, I can see a time in the next 5-10 years where Active Directory will be considered legacy technology.