Workplace Join Registers Unmanaged Devices

Windows Server 2012 R2 offers new functionality that registers unmanaged devices into Active Directory (AD). The feature, called Workplace Join, enables a user to verify ownership of a given device to AD. The user can then sign in from that device to corporate resources and services, such as Web applications or AD-federated Office 365, without requiring additional authentication. Workplace Join requires Windows Server 2012 R2 with its AD schema, as well as the most recent Windows clients, and may have licensing implications. Workplace Join also requires that the user have a domain account in AD.

Understanding Workplace Join

Traditionally, Windows PCs for most of an organization’s employees were purchased and managed by the organization, and the device was joined to AD through a process called a domain join, which simultaneously established the trust of the PC to the organization, and the organization to the PC, throughout the life of that device.

Today, organizations face conflicting requirements when looking to provision and secure resources such as their line-of-business Web applications or subscriptions to Office 365. They must secure access to the resources while minimizing the impact of that security on users, who are increasingly using devices that are neither owned nor managed by the organization. With this increase of employee-owned devices, organizations have been left with few options to identify or verify the ownership of a device. As a result, they have no way to ensure that organizational resources can only be accessed through devices the organization is aware of.