By Jon Griffin Posted June 5, 2018
Group Policy Objects (GPOs) have been a mainstay in IT for about two decades now. These policies grant intricate control over Windows machines, and are a critical tool that many admins rely on for compliance and security. As the world moves into cross-platform and cloud environments, however, GPOs are starting to lose effectiveness. They simply weren’t created to function outside of an on-prem Microsoft® environment. That is why JumpCloud introduced our Policies feature.
In the JumpCloud world, Policies give admins a point-and-click method to configure the behavior of machines, no matter the platform or where they live. This means that remote workers and Mac, Linux, and Windows® systems can all be controlled with ease. The concept gives admins access to a cross-platform GPO-like tool set that they can use to step up security and achieve compliance. But how exactly does it work? In this post, we will give an overview of how policies with JumpCloud work to help admins control systems.
For support documentation, visit Getting Started: Policies.
How JumpCloud’s Policies Work
JumpCloud Policies are designed to work as simply and as straightforward as possible – with no coding required.
It all starts with the JumpCloud Agent, which is located on each JumpCloud managed machine. This agent is lightweight client code that you install or mass distribute to the endpoints you want to govern, and it allows for user account access management, logging of successful and failed login events, MFA, command execution, Policies, and more.
The agent communicates with JumpCloud on a 60-second interval, constantly checking back to see if there are any updates that need to be pushed out to the system it’s installed on. If a change does come through, the agent is able to make the change on the system and report back to the platform once complete. Once you have the agent installed on your machines, you can begin managing systems either individually or en masse using the JumpCloud Groups feature.
The Groups feature is the key to implementing across a large number of systems. Groups can be used to communicate Policies and access management to all systems within the group. Essentially, you add users and systems to a group, and from there you can add Policies, Applications, Commands, and more to the group. Then, each User and System in the group is given access to those apps and is controlled by those Policies and Commands.
Now that the framework is understood, we can discuss how it functions in JumpCloud Directory-as-a-Service® (DaaS).
For example, let’s say that we create a group for all of the sales team, and then bundle a bunch of Windows and Mac systems inside of the group. This group can now have policies targeted at it by admins. In the Policies tab, you can find a number of premade options that are all available “out of the box.” For example, if you want to create your own instance of a screen saver lock, you can select that policy out of the library. Then, you can customize the screen saver lockout time to whatever amount you want, and bind the policy to the sales team system group. Just like that, you have a group-based policy enforced over systems in your organization. Each system within that sales group will have the policy pushed out to it.
But what if an end user tries to make a modification to their settings that violates one of those policies? JumpCloud controls the user interface and can block users from modifying any settings on Mac or Windows, so it is possible to prevent any attempts. However, if they were somehow able to find a workaround and then change one of their settings, it wouldn’t last for long. The intelligence of our system will overwrite any changes by the user within 90-seconds. This ensures that your policies are resilient.
The final question to look at is how the policies get communicated to the end user’s system. One interesting aspect about JumpCloud (DaaS) is that there is no VPN required to communicate with the remote systems. Our agent calls back to the DaaS platform using mutual TLS through a hyper secure channel. The agent exclusively makes outbound calls from the endpoint, eliminating any risk of attackers trying to impersonate an inbound signal. This way, policies are received and communicated easily without needing to connect through VPN or sign in to the domain. The agent is able to be a resilient tool that manufactures changes on the endpoint every 60 seconds.
Try out JumpCloud’s Policies Feature for Yourself
So that’s how JumpCloud is able to deliver our cloud GPO-like function, Policies. To recap, all admins need to do to enforce this feature on their machines is to:
- Find a desired template
- Create an instance with the specific settings that you wish to enforce
- Apply the policy to a system group or multiple system groups
- That’s it, you’re set!
You can set as many policies as you wish on a group, and the agent will govern it with resilience. No VPN required. If you want to try out this feature for yourself, check it out by signing up for a free account. We offer 10 users free forever, and don’t require a credit card to get started. We want to give everyone the chance to see the directory in action, so make sure you take advantage of the offer to test it for yourself! If you have any questions, you can always reach out to the JumpCloud team and we would be happy to answer. Sign up today!