By Greg Keller Posted July 24, 2018
Overview and Background
Welcome, customers, to our latest release in the area of system management: the macOS® App! With this release, we have begun to execute on the strategy we’ve laid out over the last few months to make the employee’s personal workstation or laptop the center of their ‘identity world.’ It’s where they spend the majority of their ‘compute time,’ where they are most engaged with work, and their workstation is the ‘thing’ which enables them to reach the resources they need. In other words, the system is the gateway to your users’ resources, and JumpCloud is moving fast to make it the single most secure and efficient way for them to get there.
As we’ve developed JumpCloud® Directory-as-a-Service® over the last four years, global usage of the platform’s system management features has scaled exponentially in popularity, maturity, and overall use. When we stepped back and contemplated what identity is really all about—e.g., your end users’ security + convenience + access to resources—we saw an opportunity to make that calculus more equitable. For example, security has always trumped convenience in the world of identity management and introduced tons of friction into end users’ lives. The vendors in this identity space have consistently followed the same patterns: end-user web portals, email reminders to change passwords, etc. Lots of things that pull users out of their workflow. We too have portals and emails—and in various circumstances we must support them, so that employees can manage their identities from anywhere. But the system endpoint—their personal devices and workstations—was uncharted territory in a modern sense as it relates to identity management. In particular, we hypothesized about what could be leveraged on a user’s system to make all of this easier: a place that is familiar, convenient and secure for an employee to manage their identity. This is what we set out to solve.
Let me give you some background so you may better understand the app and why we are pursuing it.
What is JumpCloud’s end-user system app?
JumpCloud’s system-based app provides an easy-to-access, user-friendly experience on Mac® systems which simplifies the common chores associated with managing identity. These chores range from changing a corporate account password, to managing multi-factor authentication tokens, to other security-focused tasks such as initiating SAML-based sessions for apps assigned to the employee. The app is installed directly into the operating system through the JumpCloud agent; the JumpCloud administrator is not required to install it manually, as it is silently delivered and installed via the agent itself. The app initially provides the user with the most critical identity-management functionality (e.g. password changes), but its roadmap is aggressive and will unveil a continual series of productivity features to benefit your employees. In turn, they can more simply access resources without ‘signing in,’ alongside general identity-management features that obviate the need to visit portals and more.
How does the app work?
As mentioned above, the app is silently installed onto a JumpCloud-managed macOS system through the JumpCloud system agent itself; no admin intervention is required. Employee-driven password changes are initiated through the app and contact JumpCloud’s credential management services on our cloud-based platform over the secure mutual-TLS connection between the system endpoint and the customer’s JumpCloud tenant. A password change through the app requires the user to enter their prior (old) password, followed by their desired new password twice for confirmation. If the employee is MFA-enabled, they are also asked to present their TOTP token when submitting the password change (see screenshot below). On macOS, this local process lets us instantly propagate the password change to the host’s FileVault® and Keychain® password stores as well, with no logout/login required in this use case (User Portal-driven password changes require the user to log out of their system and re-enter the credentials).
Why did we invest in the Mac app strategy?
There are a number of reasons, discussed in more detail below, which underpinned our decision to move forward with system-based app development. Some of the core tenets of our investment in the system app are…
- To improve security – We feel that a hardened system—one that is encrypted, one that has an appropriate baseline of security policies established through JumpCloud’s policies and ad-hoc commands, one that is multi-factor-protected, one whose user accounts use strong passwords, one that is scanning internally for malware threats, etc.—is a well-fortified environment for an employee to manage their identity. And from that hardened system, let that identity, via the machine’s secure connections, provide access to the resources an employee needs. In particular, we feel that password changes are best suited to take place within an environment like the employee’s machine. Why? Internet-based portals and email are both attack surfaces widely abused by bad actors. Do your employees have the discipline to discern a spear-phishing email asking them to change their password? Identity portals are a bit harder to penetrate, but they can still be proxied to intercept your employees’ credentials. While JumpCloud must maintain these traditional methods for managing credentials (emails and portals), our system-hosted apps provide a more secure method to change credentials. JumpCloud’s on-board agent protects this information throughout the transaction, and our mutual-TLS connection from the system to JumpCloud’s cloud-based services secures the transmission of the credential data to be hashed.
- To improve end-user efficiency – Friction is the death of productivity in the workplace. Identity management solutions and simple chores like password changes (or worse, not changing your password and locking out your account) are widely known to add friction to a user’s daily workflow. JumpCloud’s system app introduces a number of features to improve employee productivity as it relates to their corporate identities and managing them efficiently. First, it becomes part of the natural workflow within their operating system, not an external artifact (e.g., “yet another password tool”). As an example, the password change flow is simplified in that the employee never has to ‘leave’ the machine: no browsers to launch, no portals to enter, no emails to read or respond to. The app gracefully indicates, visually and through native OS notifications, that the employee’s credentials will soon expire. It lets the user change the password easily and immediately—no more nagging or forgetting to re-read the email sent by the IT administrator. This minimizes the chance of forgetting to change the password, the consequence of which is typically account lock-out and the need for an IT administrator to get involved. Finally, and most importantly, the JumpCloud system app is the one place an employee needs to change their password to ensure ALL resources are updated. In an instant, the password change emitted by the system app updates all resources connected to that user: their G Suite™ or Office 365™ passwords, their network/RADIUS password, their on-prem or cloud-based application passwords, and finally their locally managed files on Samba servers and NAS appliances (see graphic above).
- To make identity more understood – Identity is, simply put, poorly understood by employees. It is a hassle. In the SME space, it is largely non-existent as a practice. There may be some password managers or SSO tools for web-based applications, or perhaps G Suite accounts which provide login to other online services, but in large part it is a patchwork of tools with nothing truly ‘authoritative’ the employee can easily rely upon. At the true enterprise level, security is understood and deeply ingrained but is fraught with friction: VPN requirements, employee documentation and education, and a phalanx of tools and policies which must be used and followed. JumpCloud’s system app is designed to radically simplify that. Employees are issued a machine, and JumpCloud’s app presents itself in a very straightforward manner. We indicate to the employee when their password must be changed, the employee changes their password, and JumpCloud makes the change instantly. As a result, the employee’s credentials, for every service they have access to, are updated.
Thanks for reading, and we hope your employees enjoy the improved efficiency and security of our system-based apps. As always, feel free to send your account management team questions on availability and a more detailed review of the App’s roadmap. For further reading: