To provide a layer of security regarding which devices are able to enroll in a Systems Manager (SM) network, authentication using either Active Directory (AD) or Meraki users/owners can be used. This article will cover how to implement each potential option.
There are multiple methods which can be used for performing device enrollment authentication:
NOTE: Azure AD, OpenID, and Google Oauth will not provide any Group metadata like local Active Directory integration will.
NOTE: If you are using a Google Account Bind for use in conjunction with Android For Work (configured on the Organization > MDM page), Google authentication is not available as it is already being used as part of the AFW Enrollment process, and any selection made here would be for use in conjunction with this mechanism.
For each option, begin by navigating to Systems manager > Configure > General > User authentication settings. Then, refer to the appropriate section below to complete the configuration.
This option utilizes the list of users/owners on the Configure > Owners page in a Systems Manager network. This is best for smaller deployments, or cases where a list of owners is already actively maintained.
In order to change/add/delete users, use the Configure > Owners page.
With this option, any enrollment authentication requests will be proxied through an MX security appliance that is configured for AD integration. This works well when an MX in this configuration is already deployed, or one is available where AD authentication can be enabled.
To configure Active Directory via MX appliance:
Users attempting to enroll devices will now be required to authenticate using their Active Directory username and password. The username should be specified as the user's Active Directory name, not including the domain name (e.g. "testuser," not "domain/testuser")
Note: All communication between an MX security appliance and an Active Directory server will be encrypted using TLS. If AD integration has not yet been configured on the MX, please refer to steps 1-4 of the knowledge base article on configuring Active Directory for Group Policy.
Also Note: Users *may* in some AD configurations be able to successfully authenticate using the domain/testuser or email@example.com formats, but doing so may result in some features not functioning as expected.
With this option, any enrollment authentication requests will be proxied to an Active Directory server through a Windows device with the Systems Manager agent installed. This Windows device can be a user desktop, or an AD server. However, it must be enrolled in the Systems Manager network, have the SM agent installed (MDM > Add Devices > Windows), and not have any firewall settings preventing it from communicating with the AD server.
To configure Active Directory via SM agent:
If issues are encountered, ensure that the AD server used has the Global Catalog role enabled. Particularly if multiple domains are configured.
Note: Communication between the Gateway machines and the AD server is not encrypted. Therefore, it is strongly recommended that only the AD server being queried be used as a Gateway machine, in order to keep communication local.
Oauth against Google is as easy as filling in the allowed Google domain in the specified field.
NOTE: If you have Android For Work bound under Organization > MDM to a Google Domain, Google Authentication will autopopulate to this domain, and this field will not editable as seen in the screenshot above
The OpenID Connect option allows you to point Dashboard/your users at your custom Oauth/OpenID endpoint. Fill the information from your endpoint into the appropriate fields, but take care to note the following: