Active Directory (AD) Integration Guide for iOS Mobile Guardian Application
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorises all users and computers in a Windows domain-type network. We will be using AD's Lightweight Directory Access Protocol (LDAP) version 3 to authenticate students via the iOS Mobile Guardian application.
The rest of this guide assumes that your AD server is set up and configured to allow LDAP authentication.
Notes:
- If devices will be allowed off-campus, the AD server must be accessible outside of the school network.
- Secure LDAP (LDAPS) is recommended.
- It is recommended that the AD DS SSL certificate be issued by a trusted certificate authority (CA) rather than being self-signed. If the self-signed option is chosen, the certificate and its entire chain will need to be installed on the device before authentication will be allowed.
Adding your AD DS details (optional):
Navigate to Certificates
- Navigate to Settings > Certificates and upload your certificate. If self-signed, the certificate must include the entire certificate chain.
Navigate to Directory Settings
- Navigate to Settings > Directory Settings and enter your details.
- Click the Mobile Authentication tab.
Add Server Details
- Specify the Account Suffix, Base DN, and Domain Controller details specific to your server. The domain controller name should match the details of your SSL certificate.
- Adjust the standard LDAP and LDAPS ports if necessary and select your certificate if required.
- Select the Sign-Out Behaviour. Note: this is mandatory.
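A preflight check for the server details above, added here as an example and not code from the Mobile Guardian product: it encodes an LDAPv3 simple bind (the guide does not state the app's exact bind method) for user@<Account Suffix>, sends it over LDAPS, and has the TLS layer enforce both the uploaded certificate chain and the Domain Controller name. ACCOUNT_SUFFIX, DOMAIN_CONTROLLER and the ad-chain.pem path are constructed placeholders.

```python
"""LDAPS preflight: BER-encode an LDAPv3 simple bind (RFC 4511), verify chain + hostname."""
import socket
import ssl
ACCOUNT_SUFFIX = "@school.example"         # constructed placeholder
DOMAIN_CONTROLLER = "dc01.school.example"  # constructed; must match the certificate
LDAPS_PORT = 636
CA_CHAIN_PEM = "ad-chain.pem"              # the chain uploaded under Settings > Certificates

def ber(tag, payload):
    """One BER TLV with definite length (short form below 128 bytes, long form above)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def ber_int(value):
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + n], pos + n

def simple_bind_request(msg_id, user, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    name = (user + ACCOUNT_SUFFIX).encode()        # AD accepts the UPN form as the bind name
    bind = ber_int(3) + ber(0x04, name) + ber(0x80, password.encode())  # password in clear
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))

def parse_bind_response(msg):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]; 0 is success."""
    _, seq, _ = read_tlv(msg)
    _, _, pos = read_tlv(seq)                      # messageID
    tag, resp, _ = read_tlv(seq, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp)                  # resultCode (ENUMERATED)
    _, _, pos = read_tlv(resp, pos)                # matchedDN
    _, diag, _ = read_tlv(resp, pos)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def ldaps_bind_check(user, password):
    """create_default_context enforces CERT_REQUIRED and check_hostname; then bind."""
    ctx = ssl.create_default_context(cafile=CA_CHAIN_PEM)
    with socket.create_connection((DOMAIN_CONTROLLER, LDAPS_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOMAIN_CONTROLLER) as tls:
            tls.sendall(simple_bind_request(1, user, password))
            return parse_bind_response(tls.recv(4096))   # bind responses are small
```

A TLS error from `ldaps_bind_check` points at the certificate chain or the Domain Controller name; a non-zero result code means the directory rejected the credentials. The password bytes sit unencoded inside the request, which is the reason plain LDAP on port 389 is discouraged for this setup.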
Save the Details
- Click on the Save button to save the details.
- Your configurations will now be added.
Preparing Devices for Authentication
- Once your AD DS details have been saved, performing a sync from the Mobile Guardian application will pull in these details and display the AD login screen.
- Signing in as an AD DS user will create the student record on the Mobile Guardian dashboard if it doesn't already exist and link the student to the device.
- The default setting, intended for a multi-user environment, assigns the student's tags to the device upon login, so all required tags should be assigned to the student. This allows you to configure different profiles for different students.
- Ideally, application tags should be shared among all students using a device, since applications will be installed and removed based on the tags configured.
- This behaviour can be modified under Settings > Global Preferences > General. Toggling the setting off will ensure that device tags remain unchanged regardless of the user signed in on the device. This is useful for a one-to-one device scenario.