
How To Setup Active Directory (AD) Sync Tool In SureMDM?

SureMDM's Active Directory (AD) sync tool lets IT admins wipe iOS and Android devices automatically when the user account the device was enrolled with is deleted from the Active Directory server.

To set this up, IT admins need to:

  • Enable the Recycle Bin on the AD server
  • Install the AD sync connector on the server

Steps to enable Recycle Bin on the AD Server

Note: These steps are for servers that do not already have the Recycle Bin enabled. Enabling it is a forest-wide change and cannot be undone; the connector depends on it because, without the Recycle Bin, deleted user objects are not retained in a form the connector can read.

1. Log in to the AD server.

2. Open Server Manager.

3. Under Server Manager, go to Tools and select Active Directory Administrative Center.

4. Select the domain node and choose the Enable Recycle Bin option from the Tasks pane.
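The same step from PowerShell, with the checks the connector relies on (forest mode, feature state, deleted-object lifetime, and whether the account you intend to give the connector can actually read deleted users). This is an added example, not part of the 42Gears article or its tooling; the forest name is taken from Get-ADForest, and the only assumption is that you run it as an Enterprise Admin on a domain controller or a host with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the 42Gears article): enable and verify the AD Recycle Bin
# with the ActiveDirectory module instead of clicking through ADAC.
# Assumption: run as an Enterprise Admin on a DC or a host with RSAT installed.
Import-Module ActiveDirectory

$forestInfo = Get-ADForest
$forest     = $forestInfo.RootDomain

# The Recycle Bin needs forest functional level Windows Server 2008 R2 or later.
Write-Host "Forest: $forest  Mode: $($forestInfo.ForestMode)"

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    # -Confirm:$false suppresses the "this change is irreversible" prompt; remove it to be asked.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
    Write-Host "Recycle Bin enabled for $forest"
}

# Deleted users stay queryable for msDS-DeletedObjectLifetime days (blank = default of 180).
# That window is how long the connector has to notice a deletion.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime'
Write-Host "Deleted object lifetime (days): $($dsObject.'msDS-DeletedObjectLifetime')"

# Prove that deleted user objects are readable. Run this part as the account you will put in
# DirectoryUsername: by default only administrators can read the Deleted Objects container,
# so an access-denied error here means that account needs read rights granted on it.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Properties sAMAccountName, whenChanged |
    Select-Object sAMAccountName, whenChanged, DistinguishedName |
    Format-Table -AutoSize
```

If the last query returns nothing on a freshly enabled forest, delete a test user and run it again; the deleted object should appear with its sAMAccountName intact, which is what the connector matches against enrolled devices.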

Steps to install AD sync connector on the server

1. Obtain the connector .msi file.

2. Double-click the .msi file to install it.

3. Go to the installation folder:

C:\Program Files (x86)\42Gears\ADSyncConnector

4. Open ActiveDirectorySyncService.exe.Config in Notepad.

5. Enter the appropriate details, as in the example below (the values shown are sample placeholders; the trailing comments give the units).

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <appSettings>
        <add key="CustomerID" value="032000098" />
        <add key="DirectoryPath" value="localhost" />
        <add key="DirectoryUsername" value="Administrator" />
        <add key="DirectoryPassword" value="*******" />
        <add key="UserSyncPeriodicity" value="1" /> <!-- in minutes -->
        <add key="PushSyncPeriodicity" value="3" />  <!-- in minutes -->
        <add key="SureMDMUrl" value="adsyncgetnadacom.test.suremdm.io" />
        <add key="SureMDMApiToken" value="FF0084EB-7E83-4EC6-8EEF-E70EF19C15EC" />
        <add key="SureMDMUserName" value="adsync@getnada.com" />
        <add key="SureMDMPassword" value="******" />
    </appSettings>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/>
    </startup>
</configuration>


Note:

  1. DirectoryPath is localhost only when the connector runs on the AD server itself. If the AD sync connector is installed on a different machine, specify the FQDN of the AD server instead of localhost.
  2. PushSyncPeriodicity should always be larger than UserSyncPeriodicity. UserSyncPeriodicity controls how often the connector pulls all users from AD into its local SQLite database, which it uses internally to track existing and newly added users. PushSyncPeriodicity controls how often the users that have since been deleted from AD are pushed to SureMDM.
  3. DirectoryUsername does not have to be Administrator. A dedicated service account with read access to user objects and to the Deleted Objects container is enough, and limits what the credentials stored in this file can do if the file is read.


6. Save the file and close Notepad.

7. Go to Task Manager > Services, select the AD sync connector service and restart it.

Once the service has restarted, the connector encrypts the DirectoryPassword and SureMDMPassword values in place, so the file looks like the example below (the passwords are masked here). Until that first restart the passwords sit in the file in clear text, so keep NTFS permissions on the installation folder restricted to administrators and the service account.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <appSettings>
        <add key="CustomerID" value="032000098" />
        <add key="DirectoryPath" value="localhost" />
        <add key="DirectoryUsername" value="Administrator" />
        <add key="DirectoryPassword" value="*******" />
        <add key="UserSyncPeriodicity" value="1" /> <!-- in minutes -->
        <add key="PushSyncPeriodicity" value="3" /> <!-- in minutes -->
        <add key="SureMDMUrl" value="adsyncgetnadacom.test.suremdm.io" />
        <add key="SureMDMApiToken" value="FF0084EB-7E83-4EC6-8EEF-E70EF19C15EC" />
        <add key="SureMDMUserName" value="adsync@getnada.com" />
        <add key="SureMDMPassword" value="*********" />
    </appSettings>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/>
    </startup>
</configuration>

8. Configure SAML/ADFS in the SureMDM Web Console.

From then on, once a user is deleted from the AD server, every device enrolled with that username is wiped automatically. After the wipe, the enrollment is removed on the device side, but the device record remains in the console.

Note: If the connector is installed on the AD machine itself, DirectoryPath must be localhost; if it is installed elsewhere, DirectoryPath must be the FQDN of the AD machine. For the connector to reach an AD machine in a different domain or network segment, the LDAP port (TCP 389) must be open from the connector host to that machine. Scope that firewall rule to the connector host's address rather than opening the port broadly, since LDAP on 389 carries the directory bind for the account in DirectoryUsername.
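The configuration and restart steps above, done from PowerShell so the file edit is validated, the periodicity rule in the note is enforced, LDAP reachability is checked before the service is bounced, and the post-restart encryption of the password fields is confirmed. This is an added example and not 42Gears' own tooling; the config path is the one given in the article, while the domain controller name, the service account, the SureMDM URL and user, and the `'*AD*Sync*'` pattern used to find the Windows service are placeholders you must replace (confirm the service name with Get-Service).

```powershell
# Added example (not 42Gears' tooling): fill in the connector config, check the LDAP path,
# restart the service and verify the password fields were encrypted.
# Assumptions / placeholders: DC name, service account, SureMDM URL and user below,
# and the service display-name pattern '*AD*Sync*'.
$configPath = 'C:\Program Files (x86)\42Gears\ADSyncConnector\ActiveDirectorySyncService.exe.Config'

# Use a dedicated least-privilege account, not Administrator; it needs read access to users
# and to the Deleted Objects container only. Secrets are prompted for, never hard-coded.
$settings = [ordered]@{
    CustomerID          = '032000098'
    DirectoryPath       = 'dc01.corp.example.com'   # 'localhost' when installed on the DC itself
    DirectoryUsername   = 'CORP\svc-suremdm-adsync'
    DirectoryPassword   = (Read-Host 'AD service account password')
    UserSyncPeriodicity = '1'                       # minutes
    PushSyncPeriodicity = '3'                       # minutes; must exceed UserSyncPeriodicity
    SureMDMUrl          = 'example.suremdm.io'
    SureMDMApiToken     = (Read-Host 'SureMDM API token')
    SureMDMUserName     = 'adsync@example.com'
    SureMDMPassword     = (Read-Host 'SureMDM password')
}

# Enforce the rule from the article's note before touching the file.
if ([int]$settings.PushSyncPeriodicity -le [int]$settings.UserSyncPeriodicity) {
    throw 'PushSyncPeriodicity must be greater than UserSyncPeriodicity'
}

# Back up, then rewrite only the existing <add key="..."> values; everything else is left as is.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
[xml]$xml = Get-Content -Path $configPath -Raw
foreach ($key in $settings.Keys) {
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if (-not $node) { throw "Key '$key' not found in $configPath" }
    $node.SetAttribute('value', [string]$settings[$key])
}
$xml.Save($configPath)
# The passwords are now in clear text on disk until the service restarts and encrypts them,
# so the installation folder's NTFS ACL should already be limited to admins and the service account.

# When the DC is remote, TCP 389 must be reachable from this host (per the article's note).
if ($settings.DirectoryPath -ne 'localhost') {
    $probe = Test-NetConnection -ComputerName $settings.DirectoryPath -Port 389
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP 389 to $($settings.DirectoryPath) is not reachable; fix the firewall rule first"
    }
}

# Restart the connector so it loads the new config. The display-name pattern is an assumption.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*AD*Sync*' } | Select-Object -First 1
if (-not $svc) { throw 'AD sync connector service not found; check its name with Get-Service' }
Restart-Service -Name $svc.Name -Force
Start-Sleep -Seconds 10

# Confirm the connector replaced the clear-text password values on start.
[xml]$after = Get-Content -Path $configPath -Raw
foreach ($key in 'DirectoryPassword', 'SureMDMPassword') {
    $stored = $after.SelectSingleNode("/configuration/appSettings/add[@key='$key']").value
    if ($stored -eq $settings[$key]) {
        Write-Warning "$key is still clear text in $configPath; check the service log"
    } else {
        Write-Host "$key encrypted by the connector"
    }
}
```

Keep the `.bak` copy only until the encrypted file has been confirmed, then delete it: the backup still holds the clear-text passwords.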


Updated on July 2022