Four Ways JumpCloud’s Cloud Directory Has Grown with You

In the past, I typically didn’t risk touching my domain controller (and its aging, cluttered configuration) when it worked well — outside of the required updates and user management tasks of course. It was never worth the risk of destabilizing the system, no matter how much I thought I should make a change. Instead, I’d investigate other services to add additional capabilities with the directory handling access rights, which naturally created silos and got expensive, fast. It reminds me of a phenomenon that we’re all guilty of: not venturing beyond our comfort foods at our favorite restaurant, even when the menu has attractive new dishes we’d love to try. The same holds true in IT: when a system has worked “well” and performed its core function, especially for directories which have traditionally been confined to a more limited role, we don’t want to move away from it even if there is a better option. 

However, JumpCloud gives you much more.

A directory is a boon to IT departments, primarily because it’s more efficient to have a unified platform to manage user lifecycles, set device policies, and group memberships. Early adopters selected JumpCloud for these same reasons, but in order to have them in a domainless enterprise. We’ve since delivered continuous improvements to address today’s work-from-anywhere environment with built-in MFA/Push MFA, conditional access, and other SSO improvements that protect access to cloud applications and resources. Collectively, these are significant changes that position JumpCloud to meet your needs as you grow without adding additional vendors.

It’s rare when a service broadens the workflows that it manages and delivers it under a single pane of glass. The introduction of strong authentication and complementary solutions redefines the directory and makes it possible for users to consolidate around the platform and adopt new services without paying additional vendors for the very same capabilities. There’s a lot to see if you haven’t explored the platform recently; so, allow me to whet your appetite. We’ve delivered more than just new features: there’s more depth and refinement throughout JumpCloud that has resulted in reduced IT workloads and a better UX. Some changes are visible (like UI optimizations) while others deliver improved experience, such as more robust single sign-on (SSO). However, there are four distinct areas of the platform that have evolved over the past year that stand out, and have quietly become part of the bedrock of a cloud directory; they are:

1. Conditional Access
2. OS Patch Management
3. Smarter Groups
4. MFA, Everywhere

A Robust Cloud Directory, Ready to Serve

If you learn anything from this article, it’s that there’s no longer a need to look elsewhere for solutions such as identity and access management (IAM), SSO, Zero Trust security, and any other IT resource management needs, because the platform provides a growth path for adoption from basic configurations, onward to more advanced setups that will easily meet more stringent compliance requirements. It’s also lightweight enough that small and medium-sized enterprises (SMEs) don’t overspend on disparate solutions. There are multiple examples of sprawling, complex identity and access management (IAM) solutions that were expressly built for large enterprises. JumpCloud fulfills those core conditions through an intelligent combination of conditional access rules, MDM, and patch management alongside attribute-based access control (e.g., objects that determine access based upon who a team member’s manager is) and strong MFA to protect logins.

You can think of these platform components as the menu items to select from, and conditional access can be viewed as an entire full course meal. Conditional access is a foundational element of JumpCloud’s platform and can span from introducing simple but widespread Zero Trust access principles or deliver very focused, more restrictive access control policies. We’ll begin by examining each of these capabilities and why they matter to customers who are using the platform but haven’t gotten around to investigating all that it can do for them.

Conditional Access: A Full Course Meal

Conditional access is one the favorite features of several people within the technical evangelist group (and for good reason). It ensures that devices and networks meet a minimum security threshold, which is vital in the “Work from Anywhere” era of IT management. This capability hardens SSO implementations and directory groups with Zero Trust access control and provides added flexibility to integrate with complementary security services. Those improvements create new possibilities. Here are some common customer examples:

• Implementing conditional access to ensure that only trusted devices within your organization can access the User Portal.
• Enforcing MFA based on specified conditions, allowing users that are coming from a known device/location to skip MFA to balance usability and security. You can also specify certain VIP groups and have a different set of MFA options for them.
• Establishing broad access to the User Portal to make business applications more accessible and elevating security policies that are required for specialized applications. This allows streamlined access to apps such as Google Workspace, and more tailored access to other line of business apps that require step-up MFA.

You essentially “pick the ingredients” and JumpCloud does the cooking. These scenarios are user-centric rather than exclusively device-centric. This approach benefits IT administrators by simplifying onboarding and user lifecycle management. Your organization should do its part to have proper IT hygiene across all devices, which is a shared responsibility with whichever platform you ultimately select. JumpCloud’s group policies and our “menu” of IAM platform components, such as patching and device management, will help to ensure that some important controls are in place to optimize what using CA can do for your organization.

OS Patch Management and Mobile Device Management (MDM) Combined

Patching is a fundamental security tactic to prevent zero-day exploits and other persistent threats from exploiting vulnerable operating systems. There are many instances where old vulnerabilities resurface in the headlines when organizations failed to patch and cybercriminals seized on the opportunity to disrupt, hijack, and extort system owners. We’ve recently upgraded our Windows patching capabilities, which deepens what CA can do for you by requiring mitigation steps prior to allowing users to access a particular resource. This includes:

• Preventing users from upgrading to Windows 11 without permission
• Ensuring a good security posture by installing updates within a timely manner
• Giving IT admins the ability to prevent users from delaying or pausing updates

… And there’s much more to come on our product roadmap.

Onboarding, configurations, and policies that govern patching are foundational to CA and are delivered via JumpCloud MDM for Apple device users. Registering JumpCloud as your MDM provider ensures that users (and their devices) adhere to your organization’s security specifications. Devices may also ship pre-configured through zero-touch enrollment. Even more new capabilities will roll out over the coming months such as enhanced MFA, user management enhancements, same-day support for major OS releases and patch management, and additional insights delivered via data-driven UI and reporting optimizations.

Device trust incorporates the policies you’ve set for either specific user groups (or all) or access to specified (or all) applications, as outlined in the CA scenarios above. The ability to target CA access rules for designated groups is significant because groups are where attribute-based settings exist. It’s another layer of security that on-premises directories such as Microsoft’s Active Directory haven’t delivered in the past and not all IAM providers make available.

IT admins are accustomed to organizing users into groups, but JumpCloud keeps them up-to-date as a basis for using other platform capabilities that are built off of them.

Smarter Group Management

Groups are typically a regurgitation of an organizational structure, which isn’t at all appetizing, because business logic that can better secure assets isn’t considered. Think of JumpCloud’s approach, using attribute-based access control (ABAC), as a rules engine that adds conditions to different groups where those rules are “baked in.” It delivers another layer of intelligence that simplifies user lifecycle maintenance (users are even recommended by the platform), while proactively generating alerts for any rules violations. It saves time and bolsters cybersecurity.

CA’s integration with groups produces real-world benefits. For example, an SSO access rule will automatically inherit a membership that’s been vetted, and it’s Zero Trust by default. It works by scrutinizing attributes that ‘decorate’ users to continually cross check group membership. This empowers smart scenarios such as determining whether a member belongs to any subgroups that have special access rights that are different from the overall group without the risk of overprovisioning everyone else. For instance, JumpCloud will ensure that nobody will access a CRM app without appropriate attributes, even when they belong to the sales group.

Recall the ‘manager attribute’, which pertains to this scenario. Changes, such as a team member being transferred to another department and having a different manager, will be immediately recognized with a new manager attribute. It sounds small, but it generates a ripple effect that allows administrators to apply business logic immediately when granting access rights for downstream employees. Group membership, or roles depending on how a system is configured, are no longer the only factor that determines who can access what. Group membership has traditionally been static, and once established, the IT admin has held sole responsibility to audit it and dynamically respond to organizational changes; this is no longer the case. 

Other scenarios are made possible through SSO access control rules. IT admins may know when someone’s on vacation but won’t have any knowledge that the user is attempting to log into a company resource through public Wi-Fi 5,000 miles away. It would be unreasonable to assume that IT has foreknowledge of every conceivable situation. JumpCloud can proactively manage that situation with geofencing rules for their groups. In another instance, a home user may be required to authenticate using MFA outside of the controlled environment of the workplace, but rules can also specify exemptions should that user return to the office. These determinations are made live in production, without adding more administrative overhead.

The access control rules don’t require user intervention, until MFA is a condition. It’s important to account for user acceptance, because many MFA implementations are stymied by complexity. Users can’t ‘see’ how smart groups are quietly safeguarding assets, but they’ll know when something is expected of them. It’s important for that action to be user-friendly.

JumpCloud Protect™ MFA

A good user experience is also central to JumpCloud Protect. MFA push notifications via JumpCloud Protect are the most user-friendly method to authentication and have provided for greater user acceptance and more successful adoption of a second factor of authentication. 

This is a foundational element for robust, secure SSO implementations (as well as strongly secured OS logins) without having to pay for another service and establish another vendor relationship that requires more time and approval. JumpCloud is fully cross-platform to support your entire device fleet and the ability to turn MFA ‘on’ or ‘off’ is tightly woven into CA rules.

Targeted Improvements: The Right Ingredients

Other changes are less obvious, but support the four product areas we’ve been discussing. Every feature is designed to enhance and extend what the platform can do for you.

These refinements empower users to do more:

• Add an alternate email to expedite onboarding and password resets
• Toggle between admin and user roles with concurrent console sessions
• Establish sudo permission on user groups for a more efficient, secure way to elevate privileges on your devices
• Receive a SAML certificate expiration email that will inform admins when the IdP certificate needs to be refreshed
• Utilize enhanced patching options for Windows machines that give more granular control over when and how updates are applied
• Implement Push MFA to secure logins across all major operating systems
• Implement cross-domain identity management (SCIM) to import users and attributes from any SCIM outbound integration to assist with automating user provisioning
• Alerts for misconfigured service accounts on MacOS
• JumpCloud support for on-premises AD joined Windows devices

Onboarding is simpler with the introduction of alternate emails

SCIM support automated user provisioning

You’ll notice a theme behind these changes: collectively, they make it easier to onboard users with more granular access conditions and extend options for device trust. As Julia Child once said, “You don’t have to cook fancy or complicated masterpieces, just good food from fresh ingredients.” There are some “menu” items that you may have missed since you started using the platform, and as these new “ingredients” demonstrate, there’s a lot of goodness infused within. All the “courses” that compromise JumpCloud platform are discussed through the lens of what’s possible by utilizing the full platform.

With your “dining” experience coming to an end, you now have a better understanding of all the items that are available to you on the JumpCloud menu and the benefits of venturing beyond your initial cloud directory setup. We’ve provided an overview of JumpCloud features (patching and MDM, smart groups, and MFA) and how conditional access, in conjunction with those, provides robust IAM in a single place without selling you more than what your SME requires for Zero Trust authentication. The next step is to pull up a chair and test it all out for yourself.

Try the JumpCloud Cloud Directory

JumpCloud has transparent packages for features that you might need and integrates seamlessly with your directory. This getting started guide will help you to implement SSO within your existing account. You may also benefit from the steps outlined in this article that overview how to test SSO configurations. Readers who don’t have a JumpCloud account can sign up for free and use the full platform for free for up to 10 devices or 10 users and no time limit. Premium support is available 24x7x365 within the first 10 days.