How Centrify for Mobile Works

We are now on “Beta 2” of Centrify for Mobile, our new cloud-based service the lets enterprises centrally secure and manage smart phones and tablets, including iPads and Android devices, using existing Active Directory infrastructure, skill sets and processes. We have gotten hundreds of people registering to be beta testers and we appreciate all the feedback and usage. In prior blog posts I talked about why we decided to branch out into mobile and showed my own iPhone being secured by Active Directory, and in this post I want to provide more details on our cloud-based architecture for letting you leverage Active Directory to secure your iPad, iPhones and Android devices.

But before I drill down a bit on Centrify for Mobile’s architecture, let me first describe the design goals of our mobile support and describe at a high level some of the functionality that it delivers so you can put the architecture in context.

Centrify’s mobile solution helps customers gain total visibility and control over employee-owned or company-owned mobile devices. The solution helps organizations get the most out of their existing investments in Active Directory infrastructure, skills and processes while offering an extremely easy-to-deploy and highly scalable solution for mobile device security. Besides its Active Directory-centric approach and its cloud service, additional key capabilities include:

  • Robust Group Policy management — IT staff can easily set policies such as passcode policies, as well as device and application restrictions, thereby ensuring security and compliance for popular smart phone and tablet devices.
  • Integration with existing helpdesk processes — if an organization de-provisions a user within Active Directory, the device that is associated with the user inside Active Directory can be automatically wiped. Similarly, helpdesk staff can unlock a phone using the same management interface they use to help a user when it comes to other issues (e.g. reset a password).
  • Self-service enrollment — Centrify offers an automated enrollment process via the web or a mobile app, making it easy to have mobile devices join the Active Directory domain.
  • Detect rooted/jail-broken devices — Centrify delivers a mobile application that gives organizations the ability to reject rooted/jail-broken devices.
  • Visibility to inventory devices and applications — easily report on enrolled devices, installed applications and device update status across the entire organization.

So let’s now talk about how it all works. Let me first describe the architectural components. Centrify for Mobile includes the following components:

  • Centrify Cloud Service — a multi-tenanted cloud service that provides secure communication from your on-premise Active Directory to your organization’s mobile devices. The Centrify Cloud Service facilitates over-the-air policy integration with Active Directory — even if devices are not connected to an organization’s network.
  • Centrify Cloud Proxy Server — an on-premise software package that runs as a Windows service that facilitates secure communication via https from an organization’s Active Directory to the Centrify Cloud Service.
  • Centrify Cloud Management Suite — a collection of Windows management tools that are downloaded and installed and include the Centrify Cloud Proxy Server, as well as Active Directory Users & Computers (“ADUC”) and Group Policy Objects Editor (“GPOE”) extensions to support mobile devices.
  • Centrify Mobile Manager — an optional mobile application that runs on a mobile device that detects rooted/jail-broken devices and facilitates the enrollment process of a mobile device joining a customer’s Active Directory domain. Customers can also join their devices to their Active Directory domain via a web enrollment page.

Below is an architectural diagram that shows all the components.

So in terms of how you deploy this, the deployment of Centrify for Mobile is actually extremely fast and simple, and with your Active Directory infrastructure already in place, the only on-premise requirement is to download, install and configure the Centrify Cloud Proxy, which takes well less than an hour regardless of the number of devices to be managed.

From there, you can use the Centrify Group Policy Extensions for our mobile support to set up default policies that will apply to mobile devices when they enroll with our cloud service and join the domain. The policies are fairly common across devices. Policies can configure settings for Exchange as well as Passcode policy (length, number of complex characters, failed attempts before locking, etc.) and device restrictions, such as which applications can be installed, use of camera, or enabling screen capture. In addition, Centrify for Mobile automatically sets up profiles that enforce the customer’s policies for WiFi and VPN access, authentication, proxy and protocol settings. A complete list of supported policies can be found at:

The final step in getting this to work is to have the devices join the Active Directory domain and have the policies kick in. The actual way mobile devices join the Active Directory domain and have Group Policies automatically apply to them is via a self-service process. The owner of the device enrolls their device by simply entering their Centrify Customer ID and their Active Directory username and password via a web-based form or via a Centrify mobile application that they install on their device. Using either method, a trusted over-the-air connection is made from the device to the Centrify Cloud Service, which in turns communicates to the on-premise Cloud Proxy Server. The end result is that a computer object within Active Directory is created, and the device is associated in the directory with the user that enrolled the device. Because the device is in the directory, Group Policies can then be automatically applied to the device via the Cloud Proxy Server back to the Cloud Service and then to the device. This process joins the device to Active Directory and applies the pre-defined policies, which takes just a minute or so to complete.

Finally, besides being able to view and manage the joined devices via Active Directory Users and Computers (ADUC), Centrify for Mobile provides a web-based Cloud Manager that also lets you manage your mobile devices. A component of the Centrify Cloud Service, it lets you view the devices that are under management (e.g. device and app inventory) and also lets you perform administrative tasks such as unlock or wipe a device (which are also actions available via ADUC).

So that’s a high-level view of what Centrify for Mobile’s architecture is all about. In future blog posts I will talk more about it.