Boulder Heavy Industries Case Study: Extending AD & Going Remote

Boulder Heavy Industries (BHI) is a collective of marketing startups that work together to provide a variety of creative, strategic, and analytic services to their clients.

John Masson, the vice president of technology operations, and Mitch Anderson, the director of systems engineering, had long been considering ways to extend their Active Directory® instance to non-Windows® resources and remote users. They were forced to expedite their timeline when their organization shifted to remote work in response to the COVID-19 pandemic.

  • Organization: Boulder Heavy Industries
  • Location: Boulder, Colorado, with remote employees
  • Problem: Needed to extend Active Directory identities & secure remote users
  • Goal: Implement a comprehensive cloud AD identity bridge, including macOS® management 

Background

BHI’s IT team wanted a comprehensive solution to extend their AD instance, manage macOS machines, and enable remote users — and they hoped it would not only replace the collection of vendors they managed but also improve functionality.

John Masson & Mitch Anderson

BHI has a traditional AD implementation, including a primary domain controller and on-premises virtual machines with segmented roles. The organization is an Office 365™ and AWS® shop, and it ties a number of business applications to AD, including Jenkins, Tableau, and logging and monitoring applications.

The team’s Office 365 subscription comes with Azure® Active Directory capabilities, and they used Apple Profile Manager and Meraki to handle their macOS machines. None of those solutions was comprehensive, however, and they wanted a solution that would better accommodate the different needs and models of each organization under the BHI umbrella.

“We wanted user and system management from a central location, rather than relying on either individual businesses to manage it themselves or running around hair-on-fire all the time trying to service all these different units,” Masson said.

Challenges: Remote Users & COVID

Masson, Anderson, and the team briefly considered Azure AD because they technically already had a user directory in the cloud with it. However, it didn’t provide system management beyond Windows, and it wasn’t extensible enough to integrate with their other tools. They’d previously used Okta, but it similarly did not offer the system management capabilities they needed. With a fleet of Windows and macOS machines, they needed a vendor-agnostic tool that would let them configure and manage their machines.

BHI’s IT team also wanted to resolve the issue of AD user password changes, particularly for remote users. They had a small remote group before the whole organization moved to a work-from-home model, and they’d advised those users to log into the VPN for a period of time at least every two weeks in order to sync passwords with AD. However, the VPN was often slow, and password changes were particularly troublesome for macOS users.

“Every other password change on a Mac just completely nukes everything for the user,” Masson said.

COVID-19 deepened their challenges, and they knew they needed to implement a solution quickly.

“When COVID hit, we were — from a user and account management standpoint — not ready for it,” Anderson said. “That really moved us forward to accommodate this strange occurrence where everyone’s now remote. They’re not connecting to the VPN reliably, and any time there’s a password issue it’s a nightmare and a half to get them back online.”

The Solution: JumpCloud’s Active Directory Integration

BHI’s IT team had JumpCloud Directory Platform on their radar for at least a year, and they began testing amid their work-from-home transition. JumpCloud can either serve as a full-suite cloud directory service or a comprehensive AD identity bridge, and they began to roll it out as an identity bridge within about 10 days of testing.

JumpCloud’s Active Directory Integration feature allowed them to establish a comprehensive access control and system management platform in the cloud, implement a bi-directional sync between JumpCloud and AD, and institute self-service password resets for users — all while keeping AD in place.

“If it’s not broken, don’t fix it,” Anderson said of their AD instance. “JumpCloud is perfect for that because we get the best of both worlds.”

The team was able to use JumpCloud utilities to convert AD-managed Mac and Windows accounts into JumpCloud-managed accounts, which they could oversee from the cloud. Now, those users can change their passwords directly on their machines and those changes are written back to AD via JumpCloud without a VPN.

“I can only imagine troubleshooting some of the issues we face outside of the office, and thankfully we didn’t get to that point,” Masson said. “If we’d waited another 30 days, we would have started to have an innumerable amount of weird issues that would have taken up all of our help desk tech’s time.

“These issues come when systems don’t see a domain controller — and it’s typically the 60-day mark when trust relationships are lost and that sort of thing.”

The organization has since onboarded new users and JumpCloud was instrumental in getting them up and running remotely. Masson and Anderson envision JumpCloud further streamlining the onboarding process and reducing the number of add-on tools they need to manage.

“When we have to onboard a run-of-the-mill user, we have to touch five or six different tools, Anderson said. “For some of our more creative types, it’s like seven or eight tools. With JumpCloud, we’ll eventually be able to get that down to one.”

They’ve also been trying to reduce remote users’ dependence on the VPN and moving as many resources from behind the firewall as possible, and the Active Directory Integration implementation has been able to assist in that process.

“JumpCloud is really empowering us to let our people work from anywhere.”

Mitch Anderson

Implementation: Single Source of Truth

In rolling out JumpCloud, the BHI team has central management of their systems, including macOS and Windows machines. JumpCloud can take over local accounts on machines, and the team can then revert users from administrators to standard users. They’ve also been able to build new tools and workflows.

Anderson has built an API-based integration with Slack to create a “permission elevator.” Users can type a message in Slack, which triggers a Lambda command that temporarily elevates them to an admin and allows them to take actions like installing an application. They are automatically dropped back down to standard users after 15 minutes.

JumpCloud’s thorough API documentation, example code, and SDKs helped him familiarize himself with the API and build the tool much more quickly than he would’ve been able to otherwise.

“I can have this tool done in four hours — not 14 days,” he said, adding that he’s excited to have the chance to build other tools without sacrificing the up-front functionality in the meantime. “It’s really helpful for us because we can leverage what JumpCloud can already do, and we can build things that we need on top of what JumpCloud can do.”

They’ve also begun to manage full-disk encryption via JumpCloud’s Policies, and they plan to roll out more. JumpCloud allows admins to toggle on both FileVault 2 and BitLocker and escrow the recovery keys.

“Being able to manage FileVault remotely and having that key escrowed is a huge win,” Anderson said.

The IT team also plans to roll out multi-factor authentication (MFA) more broadly across their access points, enable web application single sign-on (SSO), and make JumpCloud their Office 365 identity provider. Their ultimate goal is to have JumpCloud as the authoritative source of truth across their environment.

“The goal is to continue to transfer as much functionality as we can to the JumpCloud side, away from Profile Manager and away from GPOs,” Masson said. “We’d like a single source of truth — fewer systems to manage, fewer things to break in between.”

The Result: ‘Don’t Wait’

By implementing JumpCloud, BHI’s IT team was able to quickly transition their operations to a work-from-home model and keep their users safe without sacrificing organizational security, as well as position themselves well for the future.

“We really want to continue fostering the work-from-home mentality and flexibility, but we also don’t want to compromise security and visibility — because that’s just as important in protecting the organization,” Masson said.

His advice for other organizations considering JumpCloud? “Don’t wait.”

Learn More

JumpCloud’s Active Directory Integration can help you eliminate other third-party identity and access management (IAM) services and federate core AD identities to virtually all resources, including systems, applications, files, and networks.

Click here to learn more about the AD Integration architecture and common use cases.

About JumpCloud

The JumpCloud Directory Platform provides secure, frictionless user access from any device to any resource, regardless of location. Get started, or contact us at 855.212.3122.