Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network. We will be using AD's Lightweight Directory Access Protocol (LDAP) version 3 to authenticate students via the iOS Mobile Guardian application.
The rest of this guide assumes that your AD server is set up and configured to allow LDAP authentication.
- If devices will be allowed off-campus, the AD server must be accessible outside of the school network.
- It is recommended that a secure LDAP protocol is used.
- It is recommended that the AD DS SSL certificate be issued by a Trusted CA authority rather than using a self-signed certificate. If the self-signed option is chosen, the certificate and entire chain will need to be installed on the device before authentication will be allowed.
Uploading your certificate (optional)
Step 1 - Navigate to Certificates
Navigate to Settings > Certificates as shown below and upload your certificate. If self-signed, the certificate must include the entire certificate chain.
Adding your AD DS details
Step 1 - Navigate to Directory Settings
Navigate to Settings > Directory Settings as shown below and upload you
Step 2 - Select Mobile Authentication
Click the Mobile Authentication tab as shown below.
Step 3 - Add server details
Specify the Account Suffix, Base DN and Domain Controller details specific to your server. The domain controller name must match the name on your SSL certificate, since the client validates the certificate against the name you enter here.
Change the standard LDAP and LDAPS ports if yours differ, and select your certificate if required. Select the Sign-Out Behaviour (this is mandatory).
Step 4 - Save the details
Click on the Save button to save the details.
Your configurations will now be added.
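Before entering the details from Step 3, it is worth confirming that the domain controller actually presents a certificate the device will accept: the chain must validate (against a trusted CA, or against the full self-signed chain you uploaded) and the Domain Controller name must be covered by the certificate. The following Python script is an added example written for this guide; it is not Mobile Guardian code and does not call any Mobile Guardian API. It uses only the standard library, assumes the LDAPS port is 636 unless you changed it, and the certificate dictionary and PEM bundle at the bottom are constructed sample data in the shape `ssl` returns.

```python
"""Pre-flight checks for an AD DS LDAPS endpoint (added example, not Mobile Guardian code)."""
import socket
import ssl
import sys
from typing import List, Optional


def build_upn(username: str, account_suffix: str) -> str:
    """Form the user principal name the client binds with from the Account Suffix.
    The suffix may be typed with or without a leading '@'; both yield user@suffix."""
    suffix = account_suffix if account_suffix.startswith("@") else "@" + account_suffix
    return username + suffix


def count_pem_certificates(pem_text: str) -> int:
    """Count certificates in a PEM bundle. A self-signed deployment must upload the
    entire chain, so a bundle holding a single certificate is a warning sign unless
    that certificate is itself the root."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def cert_dns_names(cert: dict) -> List[str]:
    """Extract the DNS names a certificate is valid for, in getpeercert() layout.
    When a Subject Alternative Name extension is present, only its DNS entries
    count; the Common Name is consulted only for legacy certificates without SAN."""
    san = cert.get("subjectAltName")
    if san:
        return [value for (kind, value) in san if kind == "DNS"]
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn
            if key == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the configured Domain Controller name.
    Matching is case-insensitive; a leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def hostname_matches(cert: dict, dc_name: str) -> bool:
    """True if the Domain Controller name you will enter in the dashboard is
    covered by the certificate the server presents."""
    return any(name_matches(name, dc_name) for name in cert_dns_names(cert))


def check_ldaps_endpoint(dc_name: str, port: int = 636,
                         cafile: Optional[str] = None) -> dict:
    """Open a TLS connection to the DC the way a well-behaved client does: verify
    the chain against cafile (or the system trust store when None) and the
    hostname against the certificate. Returns the peer certificate on success and
    raises ssl.SSLCertVerificationError when the chain or the name is rejected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((dc_name, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_name) as tls:
            return tls.getpeercert()


# Constructed sample data: a certificate dict in the shape ssl.getpeercert() returns,
# and a two-certificate PEM bundle (bodies omitted; only the markers are inspected).
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.ad.example.edu"),),),
    "subjectAltName": (("DNS", "dc1.ad.example.edu"), ("DNS", "ad.example.edu")),
}
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n...leaf...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n...root...\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python ldaps_check.py dc1.ad.example.edu [636] [chain.pem]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    if ca:
        print(f"{count_pem_certificates(open(ca).read())} certificate(s) in {ca}")
    peer = check_ldaps_endpoint(host, port, ca)
    print("chain and hostname verified; names on cert:", cert_dns_names(peer))
```

Run it against the Domain Controller name exactly as you intend to type it into the dashboard, with the same chain file you uploaded under Settings > Certificates. A hostname failure here means the name in Step 3 does not match the certificate; a chain failure with a self-signed certificate usually means an intermediate is missing from the uploaded bundle.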
Preparing devices for authentication
Now that your AD DS details have been saved, performing a sync from the Mobile Guardian application will pull in these details and display the AD login screen.
Signing in as an AD DS user will create the student record on the Mobile Guardian dashboard if it doesn't already exist and link the student to the device.
By default, to support a multi-user environment, every tag a student requires should be assigned to the student, because the student's tags are applied to the device on login. This lets you configure different profiles for different students.
Ideally, application tags should be shared between all students who will use a device, since applications configured through tags are installed and removed as the signed-in student's tags change.
This behaviour can be changed under Settings > Global Preferences > General if required. Toggling the setting off means the device tags are left untouched regardless of who is signed in on the device, which is useful for a one-to-one device scenario.