Group policy objects (GPOs) are key tools in an IT admin’s toolkit, allowing them to efficiently configure their system fleets for security and performance. Traditionally, GPOs are leveraged using the on-premises directory service Active Directory® (AD), administering to systems that are also on-prem. With a global shift to a remote work model, however, many IT departments find it more difficult to set GPOs on remote laptops using AD. A cloud directory service can be used to set GPO-like Policies on all remote Windows, macOS, and Linux systems.
The Power of Policies
In a world where many resources and users exist outside of the traditional IT domain, admins need to be proactive about protecting their users’ devices to ensure that they remain secure — regardless of where they are or what resources they leverage. By focusing on user systems first, admins essentially create a gateway that provides user access to other resources, as well as a first line of defense for those resources. Using system policies like GPOs, admins can pre-configure their system fleets for success and security.
System policies are used to set system settings without having to physically access the machine. With them, admins can enable settings like logon window enforcement, screen lock, full disk encryption (FDE), etc. on their systems. As a practice, system policies are highly effective for promoting security, allowing admins to take precautionary measures that limit a user to the least possible amount of system access and control they need to do their work.
With much of the world switching to a fully remote work model, however, IT organizations need their GPOs to be extensible and provide similar capabilities across all operating systems. Unfortunately, traditional methods for implementing GPOs, like using AD, have their limitations.
Using AD to Set GPOs on Remote Laptops
Admins running Windows Server 2012 or newer can use Group Policy Management Console to set GPOs on remote Windows laptops. The method doesn’t work with versions of Windows Server older than 2012, but it applies to many popular Windows OS versions, including 7 and 10.
Admins running older versions of Windows Server will need to script GPOs through PowerShell in order to set them on remote laptops. This method applies to nearly all Windows Server and OS versions but requires the admin to have a working understanding of PowerShell commands.
Regardless of the method, IT departments will need their remote end users to leverage a VPN to securely access the on-prem network in order for the GPOs to be applied. Although a mainstay in remote resource access, VPNs can be technically challenging to set up from an admin’s perspective and difficult to operate as an end user. If either are done improperly, bad actors can leverage the VPN to penetrate an organization’s infrastructure.
IT organizations opting to use the methods above need to ensure that their VPNs are properly set up and secured. Check out this infographic for our top tips on how to do so.
In addition to potential problems that can arise from VPN usage, neither method natively applies to OSs outside of the Windows domain — namely macOS® and Linux®. Although Windows is still the most popular OS in the world, Mac and Linux are rapidly growing in popularity. As organizations prioritize positive employee experience while they’re working from home, IT departments need to be able to manage GPOs on all systems — regardless of operating system or location.
Using a Cloud Directory Service to Set GPOs on Remote Laptops
JumpCloud® Policies are GPO analogues that can be applied to virtually any remote laptop, controlling key security configurations on Mac, Windows, and Linux systems. By leveraging Policies, IT admins can remotely configure all of their system fleets using the cloud — no VPN required.
You can try Policies and the rest of the JumpCloud product out for yourself absolutely free. Just sign up for Directory-as-a-Service® and get started with ten free users today.