I'm evaluating using VIDM with our current ADFS SSO environment for device management. I'm using cloud-only Office 365 service (Exchange Online).
I've seen this article:
I have a question:
Some mobile device users need to connect to the Exchange Online service via ActiveSync. I saw the ActiveSync authentication flow in the Microsoft documents. The O365 service delegates the user's authentication request to ADFS. I'm wondering whether VIDM can work in this authentication flow, since the mobile device won't communicate with the VIDM or ADFS server directly. Here is a reference:
Thanks in advance!
Yes. VMware Identity Manager supports both legacy authentication mode and modern authentication. We even added conditional access to the legacy flow, not only to modern. Here’s a good reference: https://www.vmware.com/pdf/vidm-office365-saml.pdf
Thanks for your reply.
I've checked the document you provided. It seems that the solution in the document shows VIDM replacing ADFS.
So far, we will use VIDM as a claim provider of the ADFS. So, could you please confirm whether the ActiveSync can work with VIDM in this kind of scenario?
Thanks in advance!
If ADFS owns the federation I would suspect legacy authN would have to be handled by ADFS. I don’t see how O365 would know about VMware Identity Manager. Modern authN would support a hybrid implementation where ADFS forwards only what you want to VMware Identity Manager.
Thanks very much for your reply.
So, the answer is:
In my environment (using ActiveSync to connect to O365 mailboxes), which uses legacy (basic) auth, the device management purpose cannot be achieved if using VIDM with ADFS.
Am I right?
No. Device management has nothing to do with it. You can still do device management. I think you must explain your use case in more detail. Then I’ll try to explain how or what is required.
Here is my requirement:
Only the devices registered in AirWatch can access the Office 365 mailboxes.
As in the authentication workflow in my original post, when the devices use ActiveSync to access Office 365 mailboxes, Office 365 delegates the authentication request to the on-premise authentication system (here, VIDM as the claim provider of the ADFS). In this kind of scenario, can my goal be achieved?
Sounds like you need the PowerShell method of protecting O365, only allowing managed devices to access using legacy authN. It is a pure AirWatch feature and AFAIK doesn’t care about federation or not. I’m no AirWatch expert but that is my understanding.
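The "PowerShell method" referred to in the last reply is, at the Exchange Online level, an ActiveSync device allow-list: the organisation default for unknown devices is set to quarantine and each mailbox gets the device IDs the MDM reports as enrolled. The script below is an added illustration of that mechanism and is not AirWatch's own integration script; it assumes the ExchangeOnlineManagement module and Exchange admin rights, and the mailbox names and device IDs are constructed placeholders standing in for what an MDM would export.

```powershell
# Added example (not AirWatch's code): restrict Exchange Online ActiveSync to enrolled device IDs.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account is an Exchange admin.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin account

# Tenant-wide default: a device not on any allow-list is quarantined instead of allowed to sync.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients admin@contoso.example

# Constructed mapping of mailbox -> enrolled device IDs. In practice this list comes from the MDM.
$enrolled = @{
    'alice@contoso.example' = @('ANDROIDC123456789', 'APPLA1B2C3D4E5F6')
    'bob@contoso.example'   = @('APPL9Z8Y7X6W5V4U')
}

foreach ($mailbox in $enrolled.Keys) {
    $allowed = $enrolled[$mailbox]

    # Per-mailbox allow-list. Any DeviceId not in it falls back to the tenant default (Quarantine).
    # This check happens after authentication, so it applies whether the user authenticated
    # through ADFS, VIDM, or cloud credentials, which is why federation does not matter here.
    Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs $allowed

    # Audit: list devices that have already tried to sync this mailbox but are not enrolled.
    Get-MobileDevice -Mailbox $mailbox |
        Where-Object { $_.DeviceId -notin $allowed } |
        Select-Object @{ n = 'Mailbox'; e = { $mailbox } }, DeviceId, DeviceType, DeviceAccessState
}

Disconnect-ExchangeOnline -Confirm:$false
```

Because the allow-list is evaluated by Exchange Online after the user has authenticated, it enforces the "only enrolled devices" requirement on the legacy ActiveSync path independently of who the identity provider is, which is the point made in the reply above. Devices that fall into quarantine show up in the audit output with a DeviceAccessState of Quarantined and can be reviewed before being added to the list.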