How to Block BYOD from Accessing Your Apps with a Device Trust Policy

Written by Amy Krishnamohan on February 17, 2021


With the dramatic shift to remote work in response to the global pandemic, IT admins are being asked whether their users can use their personal Mac, Windows, or Linux workstations. For end users, it may make little difference whether they get their work done on a personal or a corporate laptop, but it can expose your organization to significant security risk. Why? Because the number one IT security risk to an organization is compromised credentials. Personal devices with less-than-rigorous security configurations and policies put user credentials at risk. Specifically, personal devices may not have the right anti-malware software, the proper security configurations, or up-to-date patches and software. They may also have high-risk applications and browser extensions that an IT organization would not be comfortable with. All of these challenges are present for IT admins when personal devices are used to access corporate resources, which is why many want to block untrusted devices from accessing organizational IT resources. This is often known as the device trust part of conditional access within the Zero Trust Security framework.

As for implementation: with the recent release of JumpCloud Conditional Access, it is easy to set up Zero Trust security so that only trusted identities (users), devices, and networks can access corporate resources. Let’s explore the five simple steps to enable your employees to securely access critical company resources from authorized devices.

Step 1: Log In to JumpCloud

If you already have a JumpCloud account, log into the Admin Portal and go to SECURITY MANAGEMENT > Conditional Policies. If you don’t yet have an account, JumpCloud Free is our free account with 10 users and 10 systems. It also includes all of our functionality, including our premium Conditional Access features.

Step 2: Distribute Your Certificate

As a first step, you’ll want to establish trust for your fleet of Mac, Windows, and Linux machines. We do this by deploying a secure certificate on each machine.

In the right corner of the screen, find the settings button.

Once you click it, you will be sent to the Device Certificates page.

All you have to do is move “Off” to “On” to complete this step. Simple, right? But what does this do exactly?

The Global Certificate Distribution feature distributes certificates to every enrolled device through the JumpCloud agent, regardless of OS. Whether it is Mac, Windows, or Linux, JumpCloud can manage virtually all types of devices and implement Conditional Access policies around them. Since these certificates effectively validate your users’ device authenticity, the process to distribute them safely and securely was carefully considered. An X.509 certificate signed by JumpCloud is installed, one per user per device, into all supported browsers; it is sent along with every authentication attempt and validated together with all the other factors to determine whether access is allowed. This provides an additional layer of verification to make sure that the device is being used by the right user. The components in the diagram below show what happens behind the scenes:

  1. JumpCloud – Your JumpCloud cloud-based directory manages your user and device objects.
  2. Windows, Mac, Linux device – Windows 7-10, Windows Server 2008-2019, Mac OS X, macOS, and various Linux distros.
  3. JumpCloud agent – Installed on the host via PKG, EXE, or Linux package.
  4. JumpCloud private client key – Automatically installed and managed by JumpCloud during agent installation. Each key is unique to the system endpoint.
  5. Supported browsers – Chrome, Firefox, and Safari are used to access the JumpCloud User Portal for password and other user profile changes. Communication is done over HTTPS.
  6. Organization private CA – Automatically created for each organization to ensure secure, mutual TLS (mTLS) between the JumpCloud cloud-based tenant and the system endpoint.

In short, the JumpCloud agent installed on your device distributes X.509 certificates to each device, one certificate per user per device. This happens over secure protocols that protect the validity of the certificate, and your end users will not even notice it happening.

Step 3: Build a Conditional Access Policy

Once you distribute the certificate through the agent, JumpCloud will consider the device a managed device for the purposes of authentication. Now you can create a Device Trust policy that lays out different actions for trusted and untrusted devices.

  1. Select Unmanaged device to apply the device trust policy to users who are on devices that are not managed by JumpCloud (no agent installed, no certificate distributed).
  2. Select JumpCloud managed device if you want the device trust policy to apply to users who are on a device that is managed by JumpCloud. A JumpCloud managed device has the JumpCloud agent and certificate installed on it.

How does a Device Trust policy help your organization? With the rise of remote work, many employees will try to access company applications and information using their personal devices in addition to (or even instead of) their corporate-issued devices. Why is this so dangerous? Most company applications are now cloud-based, so with just a username and password employees can access extremely sensitive information from any browser. When an employee uses a personal laptop that may have no anti-malware, no firewall enabled, an unpatched operating system, browser, or applications, unknown configurations, and no secure device policies in place, those usernames and passwords could be compromised very easily. A Device Trust policy makes sure that employees use corporate devices when they access corporate data, rather than exposing it to the unknown security controls (or lack thereof) on their personal devices.

Step 4: Decide the Action

Once you have a Device Trust policy in place, you can enforce an action based on this policy. It can include:

  • Denying access to specific resources
  • Adding additional layers of authentication like MFA
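To make Steps 2 through 4 concrete, here is an added illustration (not JumpCloud’s code) of the decision a service can make when an authentication attempt arrives with or without the per-user, per-device certificate: the certificate must chain to the organization’s private CA, it must name the user who is authenticating, and anything else is treated as an unmanaged device and gets the action you chose in Step 4. The subject layout (CN=user, OU=device), the Ed25519 keys, and the action names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Decision is one of the Step 4 actions: deny access, add an MFA step, or allow.
type Decision string
const Deny, RequireMFA, Allow Decision = "deny", "require_mfa", "allow"

// issue makes a key pair and certificate: the self-signed org private CA when parent is nil,
// otherwise a client-auth leaf signed by parent with CN=user, OU=device (assumed subject layout).
func issue(user, device string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: user, OrganizationalUnit: []string{device}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // organization private CA (item 6 in the Step 2 list)
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // per-user, per-device client certificate the agent installs
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // inputs are constructed above
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// evaluate is the device-trust check: no certificate, or one that does not chain to the org CA, means
// an unmanaged device (unmanagedAction); a managed device presenting another user's certificate is denied.
func evaluate(orgCA, presented *x509.Certificate, user string, unmanagedAction Decision) Decision {
	if presented == nil {
		return unmanagedAction
	}
	roots := x509.NewCertPool()
	roots.AddCert(orgCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return unmanagedAction
	}
	if presented.Subject.CommonName != user {
		return Deny
	}
	return Allow
}
```

A personal device with no certificate, or with one from any other issuer, lands in the unmanaged branch whichever action you picked; only a certificate issued by your org CA to the authenticating user is allowed through.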

Step 5: Relax, Drink Some Coffee, and Watch Your Insights Dashboard

Now that you’ve set up a Device Trust policy, you can relax! You’ll be able to look at the Directory Insights dashboard to monitor Failed or Successful system login attempts or other behaviors to check if the policy is executing correctly.

Try JumpCloud Free Today

You can get started today using the JumpCloud Directory Platform as a turnkey identity, access, and device management solution for implementing conditional access. Conditional Access is part of the JumpCloud Platform Plus package and provides complete IAM and device management, as well as advanced security measures. This package also includes premium support with a guaranteed uptime SLA, with monetary credits for misses, which gives you 24/7 support and implementation services with global engineering teams. Your first 10 users and 10 devices in the platform are free to use to get your bearings, so sign up today — no credit card required.

Amy Krishnamohan

Amy is Senior Director of Product Marketing at JumpCloud, responsible for product and solution marketing. She has diverse experience across product marketing, marketing strategy, and product management from leading enterprise software companies such as Google, MariaDB, Teradata, SAP, Accenture, and Cisco. Amy received her Master’s in Software Management from Carnegie Mellon University.
