Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications
Published: June 24, 2013
Updated: August 28, 2013
Applies To: Windows Server 2012 R2
The rapid increase in the number of consumer devices and ubiquitous information access is changing the way that people perceive their technology. The constant use of information technology throughout the day, along with easy access to information, is blurring traditional boundaries between work and home life. These shifting boundaries are accompanied by a belief that personal technology—selected and customized to fit users’ personalities, activities, and schedules—should extend into the workplace. To accommodate the growing requirement for personal consumer devices to connect to enterprise networks, Windows Server 2012 R2 introduces the following value propositions:
Administrators can control access to company resources based on application, user, device, and location.
Employees can access applications and data everywhere, on any device. Employees can use Single Sign-On in browser applications or enterprise applications.
By using Workplace Join, information workers can join their personal devices with their company's workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications. When a device is joined by Workplace Join, attributes of the device can be retrieved from the directory to drive conditional access for the purpose of authorizing issuance of security tokens for applications. With Windows Server 2012 R2, Windows 8.1 and iOS devices can be joined by using Workplace Join.
Workplace Join is made possible by Device Registration Service (DRS), which is included with the Active Directory Federation Services role in Windows Server 2012 R2. When a device is joined by Workplace Join, DRS provisions a device object in Active Directory and sets a certificate on the consumer device that is used to represent the device identity. DRS is intended to be accessible from both inside and outside the corporate network. Companies that deploy both DRS and the Web Application Proxy can join devices by using Workplace Join from any Internet-connected location.
For more information about deploying Device Registration Service, see Step 5: Configure a federation server with Device Registration Service.
Companies can manage the risk that is related to information access and drive governance and compliance while granting consumer devices access to corporate resources. Workplace Join on devices provides the following capabilities to administrators:
Identifies known devices with device authentication. Administrators can use this information to drive conditional access and control access to resources.
Provides a more seamless sign-in experience for users to access company resources from trusted devices.
Single Sign-On (SSO) in the context of this scenario is the functionality that reduces the number of password prompts that the end user has to answer to access company resources from known devices. This functionality implies that users are prompted only once during the SSO lifetime to access company applications and resources from this device. If a device uses Workplace Join, the user who is registered to use this device gets persistent SSO, by default for seven days. This user has a seamless sign-in experience in the same session or in new sessions.
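The conditional access and persistent SSO behavior described above can be inspected and enforced from the AD FS server with PowerShell. The following is an added example and is not part of the original guide; it assumes that DRS has already been configured per the deployment steps and that a relying party trust named "Claims App" (a hypothetical name) exists.

```powershell
# Added example (not from the original guide). Assumes the AD FS role with
# Device Registration Service is already configured, and that a relying party
# trust named "Claims App" (hypothetical) exists.
Import-Module ADFS

# Confirm that Device Registration Service is enabled before relying on
# device claims in any authorization decision.
Get-AdfsDeviceRegistration

# Issuance authorization rule: permit a token only when the presenting device
# is workplace-joined and the signed-in user is the one registered to that
# device. The isregistereduser claim is derived from the device certificate
# that DRS provisioned during Workplace Join; if no permit claim is issued,
# AD FS denies the token by default.
$requireRegisteredDevice = @'
@RuleName = "Permit only the registered user on a workplace-joined device"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName "Claims App" -IssuanceAuthorizationRules $requireRegisteredDevice

# Verify the resulting policy on the relying party trust.
(Get-AdfsRelyingPartyTrust -Name "Claims App").IssuanceAuthorizationRules

# Review the persistent SSO window granted to registered devices; the seven
# days described in the text corresponds to 10080 minutes.
Get-AdfsProperties | Select-Object EnablePersistentSso, PersistentSsoLifetimeMins
```

Shortening PersistentSsoLifetimeMins trades user convenience for a smaller window in which a lost or stolen registered device can sign in without a password prompt.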
As part of this solution, you learn how to use Workplace Join on a Windows device and on an iOS device, and how to experience Single Sign-On to a company resource.
This solution guide takes you through the following walkthrough steps: