By Vince Lujan Posted October 7, 2017
JumpCloud has been making waves in the identity and access management (IAM) space since the introduction of Directory-as-a-Service® (DaaS) – the first fully-fledged directory service delivered from the cloud. DaaS is an incredibly powerful platform with the capability to manage the entirety of an organization’s complex, modern infrastructure with minimal effort.
The foundation of Directory-as-a-Service comes down to two core components: user management and system management. JumpCloud’s system management capabilities are some of the most widely used functionalities of DaaS, which is what we will discuss in this blog post, but keep in mind that JumpCloud does much more than system management. Authenticating access to on-prem or web applications, wired or WiFi networks, cloud or on-prem file servers (Samba file servers and NAS devices), and more are all within the purview of JumpCloud’s Directory-as-a-Service.
Managing Systems in the Past
Historically, most organizations leveraged Microsoft Active Directory® (AD) for their core directory services. Back when it was first released in 1999, AD offered the user management capabilities that IT admins wanted, but went further to provide the device management capabilities for Windows systems as well. Since the office was dominated by PCs at the time, the fact that AD wasn’t highly compatible with Mac or Linux systems wasn’t especially problematic.
The bulk of AD’s system management capabilities came in the form of Group Policy Objects (GPOs) – a Microsoft term for various commands and scripts that enforce policies on systems to govern behavior and configure settings. The concept of GPOs was revolutionary at the time, and has remained one of the primary reasons why so many organizations have maintained AD through the years. However, AD comes up short with GPOs for Mac and Linux.
There are a number of reasons why this is the case. The most prevalent is the simple fact that macOS and Linux are competing operating systems running against Windows. Microsoft has attempted to box their OS competitors out of the enterprise – but it’s not working. Mac and Linux systems have become more popular in the modern office. So finding the best approach to managing those systems has become a critical challenge and a major cause of dissatisfaction with Active Directory.
Modern System Management Requirements
IT admins the world over are looking for alternatives to AD for the new cloud-forward IT world. They know that for a modern directory service to be effective, it must be delivered from the cloud so that it is more agile. It must be able to manage access to resources both on-prem and in the cloud. Finally, it must be OS agnostic, offering system management capabilities for Windows, Mac, and Linux systems. Directory-as-a-Service checks all of these boxes and more.
Managing Systems with JumpCloud
Active Directory customers often ask us, how is robust system management through the cloud possible? How do these disparate systems join the domain? How are they managed by the domain controller? The answer to these questions is that Directory-as-a-Service doesn’t work that way. The end result has very similar capabilities as Active Directory, but under the covers Directory-as-a-Service is a completely different platform.
For example, AD and Windows endpoints are tightly intertwined with the AD domain controller via Kerberos. In lieu of Kerberos, Directory-as-a-Service leverages the proprietary JumpCloud agent that is deployed on system endpoints. This can be mass deployed or individually installed. The interconnectivity between the system and your “domain”, which is really your tenant in the JumpCloud directory, is all done with a deeply manufactured PKI relationship. The agent enables this relationship by creating a private, encrypted key on each endpoint used to “bind” the systems running the JumpCloud agent to your JumpCloud administrative console via mutual TLS. From a JumpCloud admin’s perspective, this relationship manifests itself in the form of a list of users and systems that can now be managed via the JumpCloud administrative console.
The JumpCloud agent enables IT admins to execute commands, scripts, and policies on those systems. IT admins are provided with full logging of the success or failure of the task.
So, again, the end result is unified system management from a single, browser-based dashboard – but the approach to getting their is dramatically different than the conventional AD architecture.
The following are a few examples how opting for Directory-as-a-Service can benefit your organization.
- User management – JumpCloud administrators can leverage DaaS to manage user identities from creation and setup, provisioning resources, to revoking access and removing the user at any time.
- System management – JumpCloud administrators can deploy commands and scripts via the Commands feature. For example, this can be used to deploy GPO-like capabilities that set policies and govern behavior across system endpoints regardless of platform (e.g. Windows, Mac, and Linux).
- Multi-Factor Authentication (MFA) – With MFA enabled, upon login the user will see their usual avatar and password field. Then, JumpCloud will introduce an MFA token field, leveraging a TOTP generator like Duo or Google Authenticator to gain access to the system(s).
- Event Logging – JumpCloud has an Events API, which enables access to stored data about authentication and other behaviors (i.e. the events on the machine). For example, the JumpCloud API can be utilized if you want to know what user was authenticated from what IP address and when.
Learn More about Managing Systems with JumpCloud
These are but a few examples of the benefits received from managing systems with JumpCloud. If you are interested in learning more about how Directory-as-a-Service can benefit your organization, drop us a note. You can also sign up for a free account and start managing your system endpoints today. Your first 10 users are free forever.