Symantec Management Platform (Notification Server)


Assigning MMS Mobile Policies via AD User Groups 

Apr 04, 2012 12:06 PM

Many organisations prefer to use AD users and groups for targeting of systems management policies such as software deployment or patching. However, whilst it is possible to add a computer account to an AD group (due to the fact that a computer account is created in AD when joining a domain), adding a mobile device is slightly more challenging if not impossible, as no device account exists in AD.

An alternative is to add the mobile user to an AD group, then perform a user->device association so that the policy is applied to one or more devices. This can be achieved through a few simple steps outlined in this article. In summary these are:

  1. Enable ‘Authentication Check’ within the Mobile Management Solution (MMS).
  2. Create an AD group you wish to use to apply a specific policy. Add the relevant user accounts into this group.
  3. Define an AD import rule within the Symantec Management Platform (SMP) to pull in details of the group and associated users.
  4. Create a filter within the SMP to associate a user account with a device.
  5. Create one or more MMS policies that reference the filter created above.

How to Implement

  1. Enable ‘Authentication Check’

Enabling the authentication check within MMS serves two purposes. Firstly, it provides security by limiting device enrolments to approved users; secondly (and more importantly in the context of this article), it ensures that the enrolling username is captured against the device, which the filter created later in this article depends on.

More information on how to setup the authentication for Mobile Management Solution can be found in this article: http://www.symantec.com/connect/blogs/how-enable-authentication-check-symantec-mobile-management-solution

  2. Create the AD group

In my example I have created a group called ‘Base Company Restrictions’ then added the user ‘Joe Bloggs’ as a member of this group.

  3. Define an AD import rule

The next step is to import the group members into the SMP. I have used a single rule to do this and limited it to the specific group(s) that I’m dealing with. Click on the following thumbnails to see how I’ve configured this.

  4. Create a filter within the SMP

Next, it is necessary to translate the user’s group membership into device membership. This is done by matching the username in AD with the enrollment username that was captured when the device was enrolled.

I’ve taken the SQL code behind our standard Primary User->Computer association and tweaked this to accommodate Mobile resources. Here is the code that you can add into a new filter to perform this translation/association.


    -- Outer query: return the GUIDs of the mobile device resources found by tb
    SELECT r.Guid
    FROM ItemResource r
    JOIN (
        -- tb: one row per mobile device whose enrollment UserID matches a group member's UserId
        SELECT ttt._ResGuid AS [ResourceGuid]
        FROM ItemResource r
        JOIN (
            -- UserId: user resources that are members of the chosen AD group
            SELECT Users._ResGuid, ud.UserId
            FROM ItemResource r
            JOIN dbo.[Inv_Global_Windows_Users] ud ON ud._ResourceGuid = r.[Guid]
            JOIN (
                -- Users: resources whose imported group membership includes the target group DN
                SELECT _ResourceGuid AS [_ResGuid]
                FROM dbo.[Inv_Security_Groups] ug
                WHERE ug.[Group Name] = N'CN=BASE COMPANY RESTRICTIONS,OU=CONNECT,OU=EMM,DC=APJDEMOSITE,DC=COM'
            ) Users ON Users._ResGuid = r.[Guid]
            -- restrict to the user resource type
            WHERE r.ResourceTypeGuid = N'FD864F19-4437-4A4F-8709-58EB5E3AE0A4'
        ) UserId ON r.[Guid] = UserId._ResGuid
        JOIN (
            -- ttt: iOS device resources with the enrollment username captured by the authentication check
            SELECT r.[Guid] AS [_ResGuid], Mobile.[UserID]
            FROM ItemResource AS r
            JOIN dbo.[Inv_Symantec_Mobile_Device_iOS] AS Mobile ON Mobile._ResourceGuid = r.[Guid]
        ) ttt ON UserId.UserId = ttt.[UserID]
    ) tb ON r.[Guid] = tb.[ResourceGuid]


It is important that the SQL is adjusted to reflect the AD group name. In the above code example, the group name is CN=BASE COMPANY RESTRICTIONS,OU=CONNECT,OU=EMM,DC=APJDEMOSITE,DC=COM.

This information can be found in the Resource Manager for one of the group members.

When this filter is updated, devices with an enrollment username that corresponds to the username of a group member will appear in the filter membership. This filter can then be used for targeting of mobile policies. Note that the filter will not update automatically unless it is currently being used by a policy. This is by design. Filters can be updated immediately by clicking the ‘Update Membership’ button within the filter details.
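To show what the filter actually resolves, here is an added Python example (not code from the original article or from Symantec) that rebuilds the user-to-device association in an in-memory SQLite database. The table and column names are taken from the query above, but every row is constructed for the example, the MOBILE_RESOURCE_TYPE value is a placeholder rather than a real SMP GUID, and the T-SQL specifics (`dbo.` schema, `N'...'` literals) are dropped so it runs under SQLite. It goes one step beyond the article by also listing group members who have no enrolled device, which is the first thing to check when a user’s device fails to appear in the filter membership.

```python
import sqlite3

# Constructed sample data for this example; not taken from any real SMP database.
GROUP_DN = "CN=BASE COMPANY RESTRICTIONS,OU=CONNECT,OU=EMM,DC=APJDEMOSITE,DC=COM"
USER_RESOURCE_TYPE = "FD864F19-4437-4A4F-8709-58EB5E3AE0A4"  # user resource type GUID from the article
MOBILE_RESOURCE_TYPE = "MOBILE-TYPE-PLACEHOLDER"              # placeholder, not a real SMP GUID

ITEM_RESOURCE = [  # (Guid, ResourceTypeGuid)
    ("user-joe", USER_RESOURCE_TYPE), ("user-jane", USER_RESOURCE_TYPE), ("user-bob", USER_RESOURCE_TYPE),
    ("ipad-1", MOBILE_RESOURCE_TYPE), ("iphone-1", MOBILE_RESOURCE_TYPE),
    ("iphone-2", MOBILE_RESOURCE_TYPE), ("iphone-3", MOBILE_RESOURCE_TYPE),
]
SECURITY_GROUPS = [  # (_ResourceGuid, Group Name): group membership rows from the AD import
    ("user-joe", GROUP_DN),
    ("user-jane", GROUP_DN),
    ("user-bob", "CN=OTHER GROUP,OU=CONNECT,OU=EMM,DC=APJDEMOSITE,DC=COM"),
]
WINDOWS_USERS = [  # (_ResourceGuid, UserId): AD account name per user resource
    ("user-joe", "jbloggs"), ("user-jane", "jdoe"), ("user-bob", "bsmith"),
]
MOBILE_DEVICES = [  # (_ResourceGuid, UserID): enrollment username captured by the authentication check
    ("ipad-1", "jbloggs"),    # Joe has two devices: both should land in the filter
    ("iphone-1", "jbloggs"),
    ("iphone-2", "bsmith"),   # Bob is not in the group: excluded
    ("iphone-3", "unknown"),  # enrolled under a name with no matching AD user: excluded
]

# The article's filter, adapted to SQLite (bracket identifiers are accepted by SQLite).
FILTER_SQL = """
SELECT r.Guid
FROM ItemResource r
JOIN (
    SELECT ttt._ResGuid AS ResourceGuid
    FROM ItemResource r
    JOIN (
        SELECT Users._ResGuid, ud.UserId
        FROM ItemResource r
        JOIN Inv_Global_Windows_Users ud ON ud._ResourceGuid = r.Guid
        JOIN (
            SELECT _ResourceGuid AS _ResGuid
            FROM Inv_Security_Groups ug
            WHERE ug.[Group Name] = :group_dn
        ) Users ON Users._ResGuid = r.Guid
        WHERE r.ResourceTypeGuid = :user_type
    ) UserId ON r.Guid = UserId._ResGuid
    JOIN (
        SELECT r.Guid AS _ResGuid, Mobile.UserID
        FROM ItemResource r
        JOIN Inv_Symantec_Mobile_Device_iOS Mobile ON Mobile._ResourceGuid = r.Guid
    ) ttt ON UserId.UserId = ttt.UserID
) tb ON r.Guid = tb.ResourceGuid
ORDER BY r.Guid
"""

# Group members for whom no device carries a matching enrollment username.
UNMATCHED_SQL = """
SELECT ud.UserId
FROM Inv_Security_Groups ug
JOIN Inv_Global_Windows_Users ud ON ud._ResourceGuid = ug._ResourceGuid
WHERE ug.[Group Name] = :group_dn
  AND NOT EXISTS (SELECT 1 FROM Inv_Symantec_Mobile_Device_iOS m WHERE m.UserID = ud.UserId)
ORDER BY ud.UserId
"""


def build_db() -> sqlite3.Connection:
    """Create the four tables the filter reads and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ItemResource (Guid TEXT PRIMARY KEY, ResourceTypeGuid TEXT);
        CREATE TABLE Inv_Security_Groups (_ResourceGuid TEXT, [Group Name] TEXT);
        CREATE TABLE Inv_Global_Windows_Users (_ResourceGuid TEXT, UserId TEXT);
        CREATE TABLE Inv_Symantec_Mobile_Device_iOS (_ResourceGuid TEXT, UserID TEXT);
    """)
    con.executemany("INSERT INTO ItemResource VALUES (?, ?)", ITEM_RESOURCE)
    con.executemany("INSERT INTO Inv_Security_Groups VALUES (?, ?)", SECURITY_GROUPS)
    con.executemany("INSERT INTO Inv_Global_Windows_Users VALUES (?, ?)", WINDOWS_USERS)
    con.executemany("INSERT INTO Inv_Symantec_Mobile_Device_iOS VALUES (?, ?)", MOBILE_DEVICES)
    return con


def filter_members(con: sqlite3.Connection, group_dn: str = GROUP_DN) -> list:
    """Device GUIDs the filter would contain for the given AD group DN."""
    params = {"group_dn": group_dn, "user_type": USER_RESOURCE_TYPE}
    return [guid for (guid,) in con.execute(FILTER_SQL, params)]


def unmatched_group_members(con: sqlite3.Connection, group_dn: str = GROUP_DN) -> list:
    """Group members with no enrolled device; a non-empty list usually means the
    enrollment username was not captured or differs from the AD UserId."""
    return [uid for (uid,) in con.execute(UNMATCHED_SQL, {"group_dn": group_dn})]


if __name__ == "__main__":
    db = build_db()
    print("filter membership:", filter_members(db))          # ['ipad-1', 'iphone-1']
    print("members without a device:", unmatched_group_members(db))  # ['jdoe']
```

Two things differ from a live SMP database and are worth keeping in mind when comparing results: SQLite compares strings case-sensitively, whereas a SQL Server instance with a case-insensitive collation would also match `JBloggs` to `jbloggs`; and the real Inv_Global_Windows_Users and Inv_Symantec_Mobile_Device_iOS tables may store the username in different forms (with or without a domain prefix), which is exactly the mismatch the second query surfaces.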

  5. Create one or more MMS Policies

Create an MMS policy and assign this to the newly created filter. Ensure that you avoid any overlap between policies. Leverage the include and exclude capability of the policy targeting engine to remove any chance of policy overlap.
