Create, Manage, & Enforce Laptop Policies for IT

Written by Cassa Niedringhaus on October 28, 2020


IT administrators must create and enforce policies to manage and secure end users’ laptops, especially as more employees work outside the confines of traditional office settings.

This work should start with written, agreed-upon policies that spell out how devices will be configured, particularly for organizations that must meet compliance regulations, where the written policy is the reference an auditor checks enforcement against. Written policies also standardize onboarding as new users and new devices join the organization, whether they work from home or at an office site. Once the policies exist, you can identify a solution to implement them across your laptops, regardless of operating system.

In this article, you’ll get an overview of relevant security policies and tools to implement them at scale across the Windows®, Mac®, and Linux® devices you manage.

Standard Laptop Security Policies

Although policies will differ based on your IT environment, you can start with industry-standard policies to lock down and configure laptops. Use a gap analysis if you want to meet a specific compliance standard and identify areas you need to address with additional policies. Here are some policies you can use as a baseline for internal security as well as compliance:

  • Create a local user account on each laptop tied to the user’s core identity (the same identity they use for other resources)
  • Create a consistent administrator account on each laptop, with a unique password per device so that one compromised laptop does not expose the rest of the fleet
  • Have the ability to lock and shut down laptops remotely
  • Enforce full-disk encryption (FDE)
  • Set a screen lock timer (e.g., 120 seconds of inactivity)
  • Disable access to unnecessary features, such as the App Store, Control Panel, or System Preferences
  • Manage and monitor patching and updates
  • Establish password complexity requirements
  • Require multi-factor authentication (MFA) at login
  • Have users change their core passwords on their laptops (rather than via web forms or emails)

Once you create laptop policies, you then need to manage and enforce them at scale. If you have a heterogeneous environment, you’ll have to decide whether you want to use point solutions or an all-in-one solution to manage your laptops. 

Implement A Cross-OS Cloud Directory Platform

Unlike legacy directory services, the JumpCloud® Directory Platform is purpose-built to manage Mac, Windows, and Linux devices from a web-based admin console. Once you install JumpCloud’s system agent on each device and enroll macOS devices in JumpCloud MDM, you can configure and secure them, no matter where they’re located. (Because macOS Big Sur removed the ability to install configuration profiles from the command line, Macs running Big Sur and later must be enrolled in MDM before profile-based policies can be delivered to them.)

Using JumpCloud, you can extend core user identities to their laptops and virtually all other resources, like on-premises servers and cloud infrastructure, legacy and SaaS applications, and networks. Here’s a tour of some of the device management capabilities available in the Admin Portal:

Enforce Pre-Built Configurations (Policies)

Deploy a suite of pre-built Configurations (Policies) to your laptops to enforce full-disk encryption, disable features like the control panel, and control patching and other OS updates — including preventing users from upgrading to macOS Big Sur.

Apply Configurations to groups of laptops — such as a group of all Mac devices — to manage them at scale. 

Create Custom Policies

For Mac laptops, you can build custom configuration profiles and deliver them to those laptops via the Admin Portal’s MDM. This unlocks further control over Macs, such as pushing down Wi-Fi settings and certificates, allow-listing kernel extensions, and specifying Privacy Preferences Policy Control (PPPC) settings.

For Windows laptops, you can create custom registry key policies that replicate the settings an Active Directory® Group Policy Object (GPO) would apply, and deliver them to those laptops via the Admin Portal as well.

Create Custom Commands 

Take additional custom actions on laptops, desktops, or servers via the in-console command runner: Bash for Mac and Linux, and PowerShell or cmd for Windows. Commands can be scheduled or triggered via webhook. Because commands run with elevated privileges on the endpoint, treat the right to author them as equivalent to administrator access on every device they can reach, and write scripts that exit non-zero on failure so the command results show which laptops did not comply.
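The baseline policies listed earlier and the command runner described above come together in a script like the following. It is an added example, not JumpCloud’s code: a Bash audit meant to be pushed to Macs, which checks a laptop against several of the baseline policies (full-disk encryption, screen lock timer, a single consistent administrator account, pending updates) and exits with the number of failed checks. The policy values (a 120-second timer, an admin account named itadmin) and the output formats it parses from fdesetup, defaults, dscl and softwareupdate are assumptions; the check functions take command output as arguments so they can be exercised with the constructed samples below, and only the final block invokes the real macOS commands.

```bash
#!/usr/bin/env bash
# Baseline laptop-policy audit for macOS, intended to be run from a command
# runner. Added example; not JumpCloud's code. Each check_* function parses
# the output of one macOS command and prints PASS/FAIL, so the logic can be
# tested off-box with constructed output; only audit_macos runs real commands.
set -u

# Policy parameters (assumed values; align them with your written policy).
MAX_IDLE_SECONDS="${MAX_IDLE_SECONDS:-120}"   # screen lock timer
EXPECTED_ADMIN="${EXPECTED_ADMIN:-itadmin}"    # consistent local admin account

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_fde() {
  case "$1" in
    *"FileVault is On."*) echo "PASS fde: FileVault enabled"; return 0 ;;
    *)                    echo "FAIL fde: FileVault not enabled"; return 1 ;;
  esac
}

# `defaults -currentHost read com.apple.screensaver idleTime` prints the
# screen saver idle timeout in seconds; 0 or a missing key means "never".
check_screen_lock() {
  local idle="$1"
  case "$idle" in
    ''|*[!0-9]*) echo "FAIL screenlock: idle time not set"; return 1 ;;
  esac
  if [ "$idle" -eq 0 ] || [ "$idle" -gt "$MAX_IDLE_SECONDS" ]; then
    echo "FAIL screenlock: idle time ${idle}s exceeds ${MAX_IDLE_SECONDS}s"
    return 1
  fi
  echo "PASS screenlock: idle time ${idle}s"; return 0
}

# `dscl . -read /Groups/admin GroupMembership` prints a line such as
# "GroupMembership: root itadmin alice". The expected admin must be present;
# any member other than root and the expected admin is privilege creep.
check_admins() {
  local members="${1#GroupMembership: }" found=0 extra="" m
  for m in $members; do
    if [ "$m" = "$EXPECTED_ADMIN" ]; then found=1
    elif [ "$m" != "root" ]; then extra="$extra $m"
    fi
  done
  if [ "$found" -eq 0 ]; then echo "FAIL admins: $EXPECTED_ADMIN missing"; return 1; fi
  if [ -n "$extra" ]; then echo "FAIL admins: unexpected admin(s):$extra"; return 1; fi
  echo "PASS admins: only root and $EXPECTED_ADMIN"; return 0
}

# `softwareupdate -l` prints "No new software available." when patched;
# otherwise each pending item starts with "* " (e.g. "* Label: ...").
check_updates() {
  case "$1" in
    *"No new software available"*) echo "PASS updates: none pending"; return 0 ;;
  esac
  local n
  n=$(printf '%s\n' "$1" | grep -c '^[[:space:]]*\* ') || true
  echo "FAIL updates: $n pending"; return 1
}

# Run every check on a live Mac. The exit status is the number of failed
# checks, so a non-compliant laptop shows up as a failed command.
audit_macos() {
  local failures=0
  check_fde "$(fdesetup status 2>/dev/null)" || failures=$((failures + 1))
  check_screen_lock "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" \
    || failures=$((failures + 1))
  check_admins "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)" \
    || failures=$((failures + 1))
  check_updates "$(softwareupdate -l 2>&1)" || failures=$((failures + 1))
  return "$failures"
}

# Only audit when the macOS tooling is present; elsewhere the functions are
# simply defined so the parsing can be tested with constructed samples.
if command -v fdesetup >/dev/null 2>&1; then
  audit_macos
  exit $?
fi
```

Scheduling this as a recurring command gives a per-device compliance record without a separate agent; remediation (enabling FileVault, pushing the screen lock profile) belongs in policies, with this script confirming they took effect.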

Deploy MDM Commands

Using JumpCloud MDM, you can remotely wipe, lock, shut down, and restart Mac laptops directly from the Admin Portal in the event that a laptop is lost, stolen, or otherwise compromised. 

Institute End User Training

Beyond taking steps to create, manage, and enforce laptop policies, you can also train end users to help further secure your fleet. This training should include guidance on setting passwords (e.g., not reusing personal passwords), recognizing phishing attempts, and avoiding untrusted public networks, or using a VPN when employees must work from them on the road.

JumpCloud also gives you the ability to use device-native applications on Windows and Mac laptops, where users can manage and change their passwords. This avoids training users to enter credentials into web forms or email links, the channels that phishing typically imitates. Make sure end users know to change their passwords only on their laptops.

Learn More

If you’d like to learn more about JumpCloud and managing Mac, Windows, and Linux laptops from the cloud, set up a JumpCloud Free account. The account gives you full access to the platform for up to 10 users and 10 devices, with 10 days of premium in-app chat support with our team of support engineers to make sure you get the most out of your account. Try JumpCloud Free today.

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.
