Configure Device Registration Service Discovery

The following sections describe how to configure Device Registration so that it can be discovered by Workplace Join client devices.

You must be logged on with enterprise administrator permissions in order to set Device Registration settings. Any domain user can view the Device Registration configuration.

Discover Device Registration using a well-known DNS CNAME (alias)

Workplace Join client devices will attempt to discover the Device Registration Server by combining the user account name with a well-known Device Registration server name. You must create a DNS CNAME record that points to the A record associated with your AD FS farm. The CNAME record must use the well-known prefix enterpriseregistration followed by the UPN suffix used by the user accounts at your organization.

If your organization uses multiple UPN suffixes, multiple CNAME records must be created in DNS.

For example, if the name of your AD FS farm is <your AD FS farm name> and you use two UPN suffixes at your organization, you will create one A record for the farm name and one CNAME record per suffix, named enterpriseregistration.<UPN suffix>, each aliasing the farm name.

Configure Device Registration Discovery Server SSL certificate

For the Workplace Join client to discover the Device Registration server using a well-known DNS CNAME record, AD FS must be configured with a server SSL certificate that includes the well-known Device Registration server names.

You must include one server name for every userPrincipalName (UPN) suffix in use at your company, in the format enterpriseregistration.<UPN suffix>.

For example, if your company uses a single UPN suffix, then your AD FS server SSL certificate must contain the single name enterpriseregistration.<UPN suffix>.

If your company uses multiple UPN suffixes, then your AD FS server SSL certificate must contain an entry for each UPN suffix. You can satisfy this requirement in two ways. You can use a wildcard certificate that covers all of the possible names used at your company, or you can add the additional names as subject alternative names:

Subject = <your AD FS farm name>
Subject Alternative Name (DNS) = enterpriseregistration.<UPN suffix>

You have to obtain a new server SSL certificate that meets the requirements outlined in the previous section.

To configure Device Registration Service to allow DRS discovery

1. Obtain a server SSL certificate that meets the requirements outlined in the previous section.

2. On your federation server, import the certificate to the local machine Personal store.

3. On your federation server, issue the following Windows PowerShell command: Set-AdfsSslCertificate -Thumbprint <thumbprint>. Where <thumbprint> is the thumbprint of the certificate that was installed in the previous step.

4. Next, update the UPN suffix list supported by the Device Registration Service (DRS) using the following command: Set-AdfsDeviceRegistrationUpnSuffix. This command will detect the UPNs associated with Active Directory forests and domains and configure AD FS to listen on the corresponding enterpriseregistration.<UPN suffix> names. You can view the UPNs that were detected using the following command: Get-AdfsDeviceRegistrationUpnSuffix

5. You must repeat steps 1 and 2 on each federation server in your AD FS farm.

6. If you are using the Web Application Proxy, you must update the configuration. On your Web Application Proxy server, open a Windows PowerShell command window and type: Update-WebApplicationProxyDeviceRegistration. When prompted for credentials, enter the credentials of an account that has administrative rights to your federation servers.

Unused devices will be automatically removed from Active Directory. By default, devices that are not used for 90 days are removed. You can configure the number of days using the following Windows PowerShell command: Set-AdfsDeviceRegistration -MaximumInactiveDays <days>. Where <days> is the number of days that a device can be inactive before it is removed from Active Directory. The valid range for the number of days is 0-1000. Setting the number of days to zero disables the unused device clean-up task; that is, unused devices will not be automatically removed from Active Directory.

Configure device quota

Administrators can limit the number of devices that a given user is allowed to workplace join. Once a user reaches their device quota, they will not be allowed to join new devices until one or more of their existing devices is removed. The default policy is 10 devices per user. This policy can be managed using Windows PowerShell: Set-AdfsDeviceRegistration -DevicesPerUser <numberOfDevices>. Where <numberOfDevices> is the number of devices allowed per user.

By default, Domain Admins are exempt from this policy. This includes Domain Admins from any domain or trusted domain.

Adding an additional AD FS/DRS farm to an existing Active Directory forest

Device Registration and device object storage is maintained at the Active Directory forest level. All AD FS/DRS farms in a given Active Directory forest will use the same Device Registration configuration and device object container.
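The discovery configuration above fails silently when a CNAME, a certificate name or a DRS suffix entry is missing: Workplace Join simply cannot find the server. The following Windows PowerShell script turns the page's requirements into a read-only check that can be run on each federation server. It is an added example, not part of the Microsoft documentation reproduced here. It assumes the AD FS PowerShell module and Resolve-DnsName are available on the federation server, that the objects returned by Get-AdfsDeviceRegistrationUpnSuffix expose a UpnSuffix property, and that Get-AdfsDeviceRegistration exposes DevicesPerUser and MaximumInactiveDays (the same names as the Set-AdfsDeviceRegistration parameters on this page); the parameter names $FarmName, $UpnSuffixes, $ExpectedDevicesPerUser and $ExpectedMaximumInactiveDays are the script's own.

```powershell
<#
  Added example, not part of the Microsoft documentation reproduced on this page.
  Read-only check of the DRS discovery prerequisites described above. Run on a
  federation server (ADFS module present) in an elevated Windows PowerShell session:
    1. enterpriseregistration.<UPN suffix> is a CNAME to the farm name, for every suffix
    2. the SSL certificate bound to AD FS names each such host (SAN entry or wildcard)
    3. DRS has every suffix in its UPN suffix list
    4. device quota and inactive-device clean-up match the intended policy
  Assumed property names: UpnSuffix on Get-AdfsDeviceRegistrationUpnSuffix output,
  DevicesPerUser and MaximumInactiveDays on Get-AdfsDeviceRegistration output.
#>
param(
    [Parameter(Mandatory)] [string]   $FarmName,      # DNS name of the AD FS farm (its A record)
    [Parameter(Mandatory)] [string[]] $UpnSuffixes,   # every UPN suffix in use at the organization
    [int] $ExpectedDevicesPerUser      = 10,          # default quota stated on this page
    [int] $ExpectedMaximumInactiveDays = 90           # default clean-up window stated on this page
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. DNS discovery records: one CNAME per suffix, aliasing the farm's A record.
foreach ($suffix in $UpnSuffixes) {
    $name = "enterpriseregistration.$suffix"
    try {
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) {
            $findings.Add("DNS: no CNAME record for $name")
        } elseif ($cname.NameHost.TrimEnd('.') -ne $FarmName) {
            $findings.Add("DNS: $name aliases $($cname.NameHost), expected $FarmName")
        }
    } catch {
        $findings.Add("DNS: lookup of $name failed: $($_.Exception.Message)")
    }
}

# 2. SSL certificate: the certificate bound to AD FS must name every well-known host.
$binding = Get-AdfsSslCertificate | Select-Object -First 1
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
if (-not $cert) {
    $findings.Add("Cert: bound certificate $($binding.CertificateHash) not found in LocalMachine\My")
} else {
    # DnsNameList merges the subject CN with the SAN DNS entries.
    $certNames = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() }
    foreach ($suffix in $UpnSuffixes) {
        $name     = "enterpriseregistration.$suffix".ToLowerInvariant()
        $wildcard = "*.$suffix".ToLowerInvariant()
        if (($certNames -notcontains $name) -and ($certNames -notcontains $wildcard)) {
            $findings.Add("Cert: $($cert.Thumbprint) lacks SAN $name (or wildcard $wildcard)")
        }
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings.Add("Cert: $($cert.Thumbprint) expires $($cert.NotAfter); renew and rebind soon")
    }
}

# 3. DRS UPN suffix list, as populated by Set-AdfsDeviceRegistrationUpnSuffix.
$drsSuffixes = @(Get-AdfsDeviceRegistrationUpnSuffix |
                 ForEach-Object { $_.UpnSuffix.ToLowerInvariant() })
foreach ($suffix in $UpnSuffixes) {
    if ($drsSuffixes -notcontains $suffix.ToLowerInvariant()) {
        $findings.Add("DRS: suffix $suffix not listed; run Set-AdfsDeviceRegistrationUpnSuffix and re-check")
    }
}

# 4. Device quota and stale-device clean-up policy.
$drs = Get-AdfsDeviceRegistration
if ($drs.DevicesPerUser -ne $ExpectedDevicesPerUser) {
    $findings.Add("Policy: DevicesPerUser is $($drs.DevicesPerUser), expected $ExpectedDevicesPerUser")
}
if ($drs.MaximumInactiveDays -eq 0) {
    # 0 disables the clean-up task, so stale device objects accumulate in the forest container.
    $findings.Add("Policy: MaximumInactiveDays is 0, inactive devices are never removed")
} elseif ($drs.MaximumInactiveDays -ne $ExpectedMaximumInactiveDays) {
    $findings.Add("Policy: MaximumInactiveDays is $($drs.MaximumInactiveDays), expected $ExpectedMaximumInactiveDays")
}

if ($findings.Count -eq 0) {
    Write-Output "DRS discovery configuration OK for: $($UpnSuffixes -join ', ')"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Save the script as a .ps1 file and run it as `.\Test-DrsDiscovery.ps1 -FarmName <your AD FS farm name> -UpnSuffixes <suffix1>,<suffix2>` on every federation server; the certificate check reads the local machine store, so, like steps 1 and 2 above, it has to be repeated per node. Because Device Registration configuration is forest-wide, the DRS suffix list and policy checks return the same result from any farm in the forest, while the DNS and certificate checks are the ones that differ between nodes and between farms.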