Group Policy Objects (GPOs) for MSPs

Written by Zach DeMeyer on May 28, 2020


As Mac® and Linux® systems proliferate in modern IT organizations, managed service providers (MSPs) need to find tools that can manage clients’ system settings regardless of OS. In an ideal world, MSPs could leverage a group policy object (GPO) analogue across all three major operating systems — Mac, Linux, and Windows®. Are there cross-OS GPOs for MSPs?

Before we dive into specifics, however, it’s best to first talk about the concept of GPOs in general.

What are GPOs?

Group policy objects allow IT admins to apply system security policies and other settings at scale from a single location. Common uses for GPOs include enforcing screen lock timeout policies, disabling external USB storage devices, configuring login window behaviors, and managing other security-related settings across entire system fleets.
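As an added example (not from the original article), the PowerShell below builds the two policies this paragraph mentions, a password-protected screen lock with a ten-minute timeout and a blanket deny on removable storage, as a single GPO, links it to an OU, and reads the settings back for verification. It assumes the RSAT GroupPolicy module on a domain-joined admin workstation with rights to create and link GPOs; the GPO name and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: create/update a baseline GPO with the GroupPolicy module.
# Assumes RSAT GroupPolicy is installed and the session has GPO creation rights.
Import-Module GroupPolicy

$GpoName     = 'MSP-Baseline-Workstation'              # hypothetical GPO name
$TargetOU    = 'OU=Workstations,DC=example,DC=com'     # hypothetical OU
$LockSeconds = 600                                     # 10-minute idle lock

# Create the GPO only if it does not already exist, so the script is re-runnable
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Screen lock and removable storage baseline'
}

# User Configuration > Administrative Templates > Control Panel > Personalization
# These three REG_SZ values are what the "Enable screen saver", "Password protect
# the screen saver" and "Screen saver timeout" policies write.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$LockSeconds" | Out-Null

# Computer Configuration > Administrative Templates > System > Removable Storage Access
# "All Removable Storage classes: Deny all access" is a single DWORD under this key.
$rsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
Set-GPRegistryValue -Name $GpoName -Key $rsKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU; New-GPLink fails if the link already exists, which is fine on re-runs
try {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Verbose "GPO link not created (probably already linked): $_"
}

# Verify what the GPO actually carries before waiting on replication and client refresh
Get-GPRegistryValue -Name $GpoName -Key $desktopKey | Select-Object ValueName, Value
Get-GPRegistryValue -Name $GpoName -Key $rsKey     | Select-Object ValueName, Value
```

On a client, `gpupdate /force` followed by `gpresult /r` shows whether the GPO was applied; reading `HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop` with `Get-ItemProperty` confirms the values landed. Two practitioner caveats: baselines usually also set `SCRNSAVE.EXE` ("Force specific screen saver") so the timeout takes effect even for users who never picked a screen saver, and none of this reaches a machine that is not domain-joined or cannot contact a domain controller, which is exactly the gap the rest of this article is about.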

As a concept, GPOs originated from Microsoft® Active Directory®, the dominant on-prem directory service. To this day, Active Directory (AD) is the primary way organizations manage Windows® resources on-prem, including systems, apps, and other IT infrastructure. As such, AD’s GPOs apply almost exclusively to domain-joined Windows systems that can reach a domain controller over the on-prem network (or a VPN into it).

GPOs and MSPs

For MSPs, traditional GPOs provide a way to streamline the management of their clients’ Windows systems, but they come at a cost. Applying GPOs requires administrative access to each client’s AD infrastructure, which has traditionally meant either a site visit or a VPN into every client network. These truck rolls and per-client connectivity arrangements increase an MSP’s overhead and reduce the time a technician can spend on other clients.

Beyond the general inefficiency of maintaining AD instances on-prem, the legacy directory service is not optimized for the modern resources that have revolutionized clients’ IT environments. Specifically, while Mac and Linux systems can be bound to AD for authentication (via Kerberos and LDAP), AD cannot natively enforce GPOs on them; the policy engine only exists on Windows. So, for MSPs with clients that leverage a heterogeneous blend of operating systems, AD’s Windows-focused GPOs don’t pass muster. A GPO-like alternative that MSPs can use across their clients’ Windows, Mac, and Linux systems would be a great boon.

GPO-like Options for MSPs

Many GPO-like options that MSPs can leverage consist of some form of Active Directory extension solution.

Traditional Identity Bridges

IT organizations, including MSPs, use identity bridging solutions to extend AD user identities to non-Windows systems. Depending on the identity bridge, AD GPOs (or a subset of them) can also be propagated to these non-Windows systems.

Therein, however, lies the rub. MSPs need to make sure they’re using the correct identity bridge solution for their needs, as only some identity bridges offer GPO-like capabilities, and even those typically cover a subset of the settings available on Windows. Additionally, MSPs still need to physically attend to their clients’ AD infrastructure while using identity bridges (or set up VPNs to manage the on-prem infrastructure, which is additional work), which eats into their efficiency and, ultimately, their bottom line.

Mobile Device Management (MDM)

MDM solutions are common additions to the average MSP’s tooling stack. Using MDM, MSPs can manage mobile devices running iOS® or Android® and, with many products, laptops and desktops as well. Like identity bridges, certain MDM tools can be used to push GPO-like policies (configuration profiles on Apple platforms, for example) across these devices, though these are not AD GPOs themselves.

Also like identity bridges, however, MDMs are limited by the devices they can enroll and manage. Some MDMs only operate with smartphones or tablets, while others include laptops, desktops, and other workstations but are restricted to certain operating systems, such as Apple® products. For MSPs with clients that use a broad range of devices, the GPO-esque capabilities of an MDM may not cover all of their needs either.

Cloud Directory Service

The cloud directory service, or Directory-as-a-Service®, completely reimagines the capabilities of legacy AD for modern IT needs. Directory-as-a-Service (DaaS) securely connects users to virtually all their IT resources regardless of their provider or location. Using DaaS, MSPs can apply GPO-like functions, or Policies, across Windows, Mac, and Linux systems from a single cloud admin console.

Extending beyond systems, DaaS also manages client identity access to cloud applications, infrastructure, networks, file servers, and more. In doing so, MSPs can help their clients migrate off of their on-prem infrastructure and save costs with the cloud. Specifically for MSPs, Directory-as-a-Service also offers a Multi-Tenant Portal that they can use to manage each client organization from a single pane of administrative glass.

For client organizations deeply rooted in their Active Directory infrastructure, Directory-as-a-Service features a full AD Integration (ADI) that propagates on-prem AD identities to all the non-domain resources that AD struggles to authenticate to. MSPs using ADI can completely manage their clients’ AD users remotely, and connect them to all of their resources, even if AD can’t do so natively.

Learn More

If you are in need of GPOs that work across all client organizations, contact our Partner team to learn how to get the most out of a cloud directory service as an MSP.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.
