Password tickets can swamp IT teams, especially when users increasingly work outside the office.
If you work as part of a lean IT operation (and especially if you’re the lone administrator) you need ways to ensure that users can securely access the resources they need to do their jobs without your intervention. And yet, at least one in five help desk calls is a password reset ticket, according to the Gartner Group, and that figure is likely much higher in schools. This means the large, proactive projects on your plate are constantly being overshadowed by day-to-day troubleshooting.
However, you can take steps to increase remote user efficiency and self-service and keep your team focused on other critical tasks. One of the most effective ways to accomplish this is by ensuring each user has only one set of secure credentials to access all their resources and giving them better avenues to manage their passwords. In doing so, you can reduce the overall number of remote user password tickets and maintain frictionless access across the board.
But how do you get to a place where employees can use just a single set of credentials to access every resource they may need? It starts with building a migration strategy, which we cover in the guide below.
1. Catalogue Every Point of Entry an Employee Needs
Take a step back: How many sets of credentials do your users need to access all their resources? Are any credentials shared, or do they have different sets of credentials to access each individual system or application?
The first step to improve remote user access (and decrease password tickets) is to get an aggregate view of the resources and access points in your environment. Then, you can decide how to improve remote user access to those resources. This likely includes:
- Devices: Mac, Windows, and/or Linux
- Applications: SaaS and legacy applications
- Infrastructure: Cloud and on-prem servers
- Networks: VPNs
Depending on the range and type of resources in your environment, several immediate options are available to help you grant remote user access in a secure way. These include a password manager and a single sign-on (SSO) solution. Although they can’t encompass every resource — like device identity and login — they give you a way to take concrete steps toward unifying identities for your users and reducing password tickets as you enact a longer-term strategy.
Password Managers as “Pseudo” Single Sign-On
A password manager eases the pain of creating and remembering secure passwords for myriad resources and creates a pseudo single-credential pair experience for users. Many password managers even offer multi-factor authentication (MFA) to further protect access without adding too much complexity for the user.
Although a password manager improves remote user access by (theoretically) minimizing the number of passwords a user could potentially forget, it doesn’t solve the challenge completely, nor does it address secondary challenges like offboarding and revoking access to the connected accounts. It also doesn’t extend to all IT resources, like devices and networks. And, finally, IT admins might struggle to completely control user accounts on all applications.
Single Sign-On Works, But in Limited Capacity
Another option is to integrate SSO, either via a solution integrated with your core directory or via your productivity suite. This option gives users a portal through which they access their core applications, guarded by one pair of credentials, or enables them to log into applications with their default email address. Similarly to a password manager, this option helps to reduce the number of credentials users have to remember, thereby reducing password tickets, and gives you a mechanism to control user access to applications. It also gives you a mechanism to revoke access to the connected accounts during offboarding.
However, most single sign-on providers focus on application access only and provide little to no support for extending the same set of credentials to other essential IT resources.
So in both cases you still need to reduce the number of credential pairs for users. If users need to remember only one secure password, and that password unlocks the devices and other resources they need to do their jobs, they’re more likely to remember it. It’s also easier for you to control and reset that password when needed.
2. Adopt A Cloud-First Strategy to Improve Remote User Access Workflows
The more you can enable users to access their resources where they’re already working — in their favorite browser — the less often you’ll have to resolve access issues. You can also take better advantage of your password manager or SSO solution that way. An increasing number of resources are web-based and in the cloud, such as SaaS applications and cloud infrastructure. This gives you additional options to adopt a cloud-first strategy and reduce the number of resources your users need to access via an internal corporate network.
For example, you can implement Dropbox instead of an internal file server so remote users access their files in a workflow that does not change, regardless of their location, or implement a Voice over IP (VoIP) phone system in place of traditional phone systems.
You can then decrease your organization’s reliance on solutions like VPN tunnels and RDP ports, which are more complicated for users to adopt and riskier for your organization if misconfigured. You can still provision user access to a VPN for when they work on insecure networks — like a coffee shop or a hotel — but they can work from home and change their passwords without needing a VPN. This improves remote access without compromising security and eliminates common scenarios that generate password tickets (like remote Active Directory password changes).
Beyond shifting individual resources to the cloud, it’s also worth examining your core infrastructure and whether or not you can move it to the cloud as well. Shifting resources and infrastructure to the cloud means less overhead, more predictable costs, and more reliable availability. In the same way that it eases remote user access issues, it also gives you a consistent way to administer your environment no matter where you’re located.
3. Implement User Self-Service Tools
There are a variety of ways you can help users help themselves without your intervention. This includes Slack-integrated tools where users can get automated answers to common queries or track their tickets without repeatedly contacting your team. You can also create a hub for user-related knowledge base articles or videos where they can track down information — like how to manage their passwords — on their own.
These strategies build trust in your team while empowering users to solve their own access issues and reserve your time for more critical tickets.
Beyond these strategies, you can give users tools for password self-service either through a browser or directly on their devices. Device-based password management in particular is the most convenient and secure way to do this because it preempts phishing attacks and it’s familiar to non-technical users (e.g., Ctrl+Alt+Del on Windows).
That way, users never have to track down a password-reset email, remember which webpage to visit, or submit a helpdesk request. Instead, you can train and empower them to manage their passwords where they’re already working. This is both easier for them and more secure for your organization.
A Long-Term Strategy to Implement a Single Directory
The three steps we’ve covered here will help reduce password tickets in the interim and free up valuable time for your team. When you step back and look at a longer-term vision for your organization, you can take this work even further.
Instead of layering a password manager and other point solutions on top of your identity provider, you can implement a comprehensive directory that can extend identities to all resources. Using the JumpCloud Directory Platform, you can centrally manage and synchronize user identities across your resources. The platform is purpose-built to integrate with Mac, Windows, and Linux devices, applications, networks, and servers — as well as services that require a user store like Active Directory, Microsoft 365, and Google Workspace.
Once you create or import users into the JumpCloud Directory Platform, you can federate their identities everywhere. That way, users have one set of credentials to access all their resources. This is helpful not only for users — and reducing remote access friction — but it also gives you a central point of command to suspend access across resources if an account is compromised or a user leaves the organization. Users don’t need to use a VPN to access their resources; instead, all they need is an internet connection and a secure device.
Plus, through JumpCloud, you can enable users to change their passwords in an intuitive workflow directly through their devices. Their password changes are written back to the JumpCloud directory — and that change is automatically propagated to all connected resources, including Active Directory, Microsoft 365, and Google Workspace.
In total, this infrastructure gives users frictionless but secure access to their resources without a heavy lift from IT. If you’d like to learn more about the JumpCloud Directory Platform, read this case study about how one school used JumpCloud to reduce password tickets and ease the pain of password resets.
Try JumpCloud Free
You can also try it out yourself with a JumpCloud Free account, which gives you access to the full platform for up to 10 users and 10 devices, plus 10 days of premium in-app chat to get you started.