This article outlines the requirements for creating mobile device objects in Active Directory Users and Computers (ADUC) using the Centrify Identity Service.
Applies To: Centrify Identity Service
Our company has recently started using Centrify Identity Service and we're now starting to enroll our mobile devices, including Android, iOS and Mac OS X systems. After enrollment completes, we are able to view the device details in the Cloud Manager and User portal, but the object never appears in Active Directory Users and Computers (ADUC) as a computer object in the container specified in the Cloud Manager policy.
Is this expected behavior after installing the Centrify Cloud Connector or do we need to configure additional options?
Two requirements must be met before the cloud connector can create an Active Directory computer object for a mobile device enrolled with the Centrify Identity Service:
1. Centrify must be enabled for Mobile Device Management. Administrators choose whether Centrify provides MDM+SSO functionality or SSO-only services to users via settings in the Cloud Manager (Settings > Mobile Device Management > enable the "Use the cloud service for mobile device management" option).
2. The user account used for device enrollment must be an Active Directory user. If a Centrify Directory User (cloud) account is used for enrollment, the device is displayed in the Cloud Manager and User portals, but no matching object is created in ADUC. This is by design: the cloud user is not a member of Active Directory, so the object cannot be associated with the user account.
Note: If a Centrify Directory Service account is created that matches the username of an Active Directory user, the cloud service authenticates the user during enrollment as a cloud user and not as an Active Directory user. When this occurs, no computer object is created in ADUC; this is expected behavior.
Centrify Support recommends unique account usernames. Cloud user account names that match Active Directory user account names should not be used; this is not a supportable configuration.
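
One way to audit for the username collision described in the note above, as an added example (not Centrify's code). It assumes the cloud users have been exported to CSV with a hypothetical `LoginName` column holding `user@suffix` names; the function name and all sample accounts are constructed.

```powershell
# Constructed sample data. In production, replace $adUsers with:
#   Get-ADUser -Filter * -Properties UserPrincipalName |
#       Select-Object SamAccountName, UserPrincipalName
$adUsers = @'
SamAccountName,UserPrincipalName
jsmith,jsmith@corp.example.com
mlee,mlee@corp.example.com
svc-backup,svc-backup@corp.example.com
'@ | ConvertFrom-Csv

# Constructed export of Centrify Directory (cloud) users.
# The LoginName column name is an assumption; adjust it to your export.
$cloudUsers = @'
LoginName
JSmith@corp.example.com
mlee@cloud.example.net
contractor1@cloud.example.net
'@ | ConvertFrom-Csv

function Find-UsernameCollision {
    param(
        [Parameter(Mandatory)] [object[]] $AdUsers,
        [Parameter(Mandatory)] [object[]] $CloudUsers
    )
    # @{} hashtables compare string keys case-insensitively, so
    # "JSmith" and "jsmith" land on the same entry.
    $byUpn = @{}
    $bySam = @{}
    foreach ($u in $AdUsers) {
        if ($u.UserPrincipalName) { $byUpn[$u.UserPrincipalName.Trim()] = $u }
        if ($u.SamAccountName)    { $bySam[$u.SamAccountName.Trim()]    = $u }
    }
    foreach ($c in $CloudUsers) {
        $login = "$($c.LoginName)".Trim()
        if (-not $login) { continue }
        $short = ($login -split '@', 2)[0]   # part before the suffix
        if ($byUpn.ContainsKey($login)) {
            # Full login name equals an AD userPrincipalName.
            [pscustomobject]@{ CloudLogin = $login; AdAccount = $byUpn[$login].SamAccountName; Match = 'FullName' }
        } elseif ($bySam.ContainsKey($short)) {
            # Only the short name matches; review before renaming.
            [pscustomobject]@{ CloudLogin = $login; AdAccount = $bySam[$short].SamAccountName; Match = 'ShortNameOnly' }
        }
    }
}

Find-UsernameCollision -AdUsers $adUsers -CloudUsers $cloudUsers | Format-Table -AutoSize
```

With the sample data, `JSmith@corp.example.com` is reported as a `FullName` match and `mlee@cloud.example.net` as `ShortNameOnly`; `contractor1` is not reported.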