As an MSP, onboarding new employees for your clients is likely a core part of your offering. Giving client users access to all the resources they’ll need from day one can be a tedious process, especially when done manually. Let’s talk about potential problems that can arise when manually onboarding client users as an MSP, as well as a solution that streamlines the process through automation.
Problems with Manual Client User Onboarding
MSPs face three core areas of concern regarding manual client user onboarding: efficiency, accuracy, and security.
Manually onboarding a client’s new employees is, plain and simple, inefficient. In general, an MSP will prep the new employees’ computers from its own offices, and then hand-deliver or drop-ship them to the clients’ offices with day-one login instructions. Depending on its process, an MSP might even send a technician onsite to client offices to boot up the new systems and install its remote monitoring and management (RMM) agent on each one. Once the workstation is settled, the tech also has to create the client user’s accounts for each individual application and Infrastructure-as-a-Service (IaaS) solution they use, adding more time to the process.
After all the hardware and software are set up, the MSP needs to train employees on how to use their systems, apps, and other IT resources, oftentimes through typed memos but sometimes through onsite training. Beyond that, the technician will also need to be available to field questions and address other help requests as needed.
Given the inefficiency of manual onboarding, it’s easy to imagine that there may be issues not just with how new user accounts are created, but with what they consist of as well. After all, to err is human, so when a human is solely responsible for entering new employees’ details, there’s bound to be at least one detail that slips through the cracks.
Picture for a second an MSP technician tasked with provisioning 20 or so new users across 5 different clients into each of their IT resources: systems, applications, infrastructure, etc. Each user needs access to the specific resources that their organization dictates and, depending on their role, will have needs that differ vastly from those of other users at the same client organization. Although seemingly insignificant, one small snafu in this process could result in a new employee being unable to start their duties for days, even weeks, until the issue is detected and resolved.
Besides being an obvious time sink, manual client onboarding can also create security vulnerabilities that can spell disaster for both client organizations and the MSPs that manage them.
For instance, an MSP may manually send a new client employee their resource (system, app, network, etc.) credentials over email. Doing so opens up these credentials to potential compromise if the email were to be intercepted in any way. Beyond that, a bad actor can mirror credential delivery emails for phishing purposes, exposing new employees as potential targets.
Outside of credential delivery, manual onboarding also presents security issues by way of improper provisioning. Having to create each individual user account to access applications and other resources opens up two security problems in particular.
The first security issue with manual user onboarding is that an MSP needs to keep track of newly created identities by hand — either via a spreadsheet (which is highly insecure) or in a user directory. Otherwise, the account will go unmanaged, which leads to more issues down the road if the client user needs to reset their password. Additionally, when the user needs to be offboarded, the MSP will need to subsequently delete the account by hand or suffer the consequences of lingering resource access.
The second security problem created by manual resource provisioning is the fact that a technician may overlook or miss creating a user’s account access to a specific service or app. In that case, the user may take matters into their own hands, creating their own unmanaged accounts in a practice known as shadow IT. Shadow IT presents similar issues to those detailed above, except unlike those manually created accounts, shadow IT accounts are created unbeknownst to MSPs and can be even more compromising later on.
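Both problems can be surfaced by reconciling each application's account list against the directory of record. The script below is an added example, not part of the original article or any vendor tooling; the CSV column names, status values, and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
DIRECTORY_CSV = """email,status
ana@client-a.example,active
ben@client-a.example,offboarded
"""
APP_CSV = """app,email
crm,ana@client-a.example
crm,ben@client-a.example
filesharing,ana.personal@mail.example
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(directory_rows, app_rows):
    """Classify every app account against the directory of record."""
    status = {r["email"].strip().lower(): r["status"].strip().lower()
              for r in directory_rows}
    findings = {"lingering": [], "unmanaged": []}
    for row in app_rows:
        email = row["email"].strip().lower()
        account = (row["app"], email)
        if email not in status:
            # No directory identity at all: hand-made or shadow IT account.
            findings["unmanaged"].append(account)
        elif status[email] != "active":
            # User was offboarded but the app account was never deleted.
            findings["lingering"].append(account)
    return findings


if __name__ == "__main__":
    result = reconcile(load(DIRECTORY_CSV), load(APP_CSV))
    for kind, accounts in result.items():
        for app, email in accounts:
            print(f"{kind}: {email} in {app}")
```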
Thankfully, there are solutions that can be used to automate these processes and head off problems before they become full-fledged issues.
Automating Client User Onboarding
MSPs using a cloud directory service can automate their client user onboarding to promote efficiency, accuracy, and security while staying within their budget. Here are just a few of the onboarding benefits a cloud directory service can offer MSPs:
Centralized Identity Management
A cloud directory service provides MSPs the ability to grant users a single identity for all resources, alleviating many issues faced through manual onboarding. For example, through centralized identity management in a cloud IdP, an MSP can use group-based controls to instantly grant system, application, and network access just by adding a new employee to their department’s group.
Additionally, a cloud directory service allows MSP techs to import entire lists of users, including their system serial numbers, attributes for applications, and much more, all via CSV file. Doing so ensures that the user account provisioning process is both streamlined and accurate, as techs can systematically enter all the required information before the account goes live, and can even have a client’s HR department provide much of that information beforehand.
A zero-touch deployment process streamlines new user system unboxing by forgoing many initial setup steps with the help of a cloud directory service in tandem with mobile device management (MDM) solutions. With zero-touch, an MSP uses a system’s serial number to automatically deploy required system agents and bypass the usual initial boot-up process. That way, an MSP tech can preconfigure a system (usually a Mac®) without ever having to open up the machine and do so manually, and the new employee can take the system out of its box and get to work without having to deal with setting it up.
A cloud directory service platform with Just-in-Time (JIT) provisioning alleviates many of the issues involved with creating and managing client user application accounts. JIT leverages user attributes that are prescribed by MSP technicians to automatically create user accounts in applications as needed. Using SAML single sign-on (SSO), JIT federates user authentication info and attributes from an identity provider into an application or IaaS solution, meaning less data entry for MSP techs.
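A pre-import check catches missing fields, duplicate serial numbers, and departments with no matching access group before any account goes live. This is an added example, not the article's or any directory product's import format; the column names, the `GROUPS` mapping, and the sample rows are hypothetical.

```python
import csv
import io

REQUIRED = ("email", "department", "serial")
# Hypothetical department-to-group mapping maintained by the MSP.
GROUPS = {"finance": "grp-finance", "sales": "grp-sales"}

# Constructed HR export containing three deliberate defects.
ONBOARDING_CSV = """email,department,serial
dee@client-b.example,Finance,C02AAA111
eli@client-b.example,Sales,C02AAA111
fay@client-b.example,Marketing,C02AAA333
,Sales,C02AAA444
"""


def validate(text):
    """Return (ready, errors): rows safe to import and per-line problems."""
    ready, errors = [], []
    seen = {"email": {}, "serial": {}}  # value -> first line it appeared on
    rows = csv.DictReader(io.StringIO(text))
    for line, row in enumerate(rows, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items()}
        problems = [f"missing {f}" for f in REQUIRED if not row.get(f)]
        for field in ("email", "serial"):
            key = row.get(field, "").lower()
            if key and key in seen[field]:
                first = seen[field][key]
                problems.append(f"duplicate {field} (first on line {first})")
            elif key:
                seen[field][key] = line
        department = row.get("department", "")
        group = GROUPS.get(department.lower())
        if department and group is None:
            # Unknown department would leave the user with no group access.
            problems.append(f"no group for department {department!r}")
        if problems:
            errors.append((line, problems))
        else:
            ready.append({"email": row["email"].lower(),
                          "group": group, "serial": row["serial"]})
    return ready, errors
```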
A Cloud Directory Service for MSPs
If the prospect of automating new client user onboarding appeals to you, check out JumpCloud®’s Directory-as-a-Service® platform. The first cloud directory service, JumpCloud is platform-agnostic, providing comprehensive user management across virtually all IT resources, including system management for Windows®, Mac, and Linux®. Specifically, MSPs can benefit from Directory-as-a-Service’s zero-touch deployment for Mac systems when used in tandem with one of several popular MDM tools.
JumpCloud is also protocol-independent, managing identity access to applications, infrastructure, and networks through LDAP, RADIUS, and SAML. JumpCloud’s SAML SSO includes JIT provisioning for a wide range of applications to streamline app onboarding.
Directory-as-a-Service features a Multi-Tenant Portal (MTP), created with MSPs in mind to provide a single pane of administrative glass to manage all client organizations. For client user onboarding, MSP technicians can carry out much of their usual processes without ever leaving their seat, cutting down significantly on truck rolls between client offices.
Get Started for Free
JumpCloud Directory-as-a-Service is available completely free for the first 10 users and systems in any organization. Just sign up for a free account to start using the product.
The JumpCloud Partner Program guides MSPs and other IT service providers through their JumpCloud experience with competitive margins, MSP-specific support channels, and co-marketing opportunities. Contact the Partner team if you’d like to learn more.