By Zach DeMeyer Posted August 6, 2019
JumpCloud® Policies are one of the many useful features that are available with Directory-as-a-Service®. Policies are analogous to the popular group policy object (GPO) feature from Microsoft® Active Directory®, except they can be used for Windows®, Linux®, and Mac® systems. As such, using JumpCloud Policies is a great way to streamline and automate your system management. If you are curious about Policies, and unsure where to start, here are this writer’s top three system policies you need on your Macs.
Top Three Mac System Policies
1. FileVault 2
FileVault is the Mac full disk encryption (FDE) application. With FDE, IT admins can ensure that their users’ systems and the critical data stored on them are safe at rest. That means that if a company laptop is stolen, the thief makes off with only the hardware and cannot access the data stored on the hard drive. FileVault 2 offers a recovery key, which admins can use to access encrypted data if and when a user forgets their password or is otherwise locked out of their system.
JumpCloud’s FileVault 2 Policy enables admins to employ and enforce FDE at scale across their entire Mac fleets with just a couple of clicks. JumpCloud also features recovery key escrow at no additional cost, meaning that admins can securely store their users’ recovery keys in association with the systems that use them. JumpCloud also offers a Windows® BitLocker Policy to enforce FDE across Windows® fleets.
2. Disable External Disk (USB)
An attack vector that often goes unnoticed is the USB drive. Hackers can fill a USB drive with malware, such as trojans or worms, and then leave it anywhere to be picked up, potentially by your users. While it’s easy to think that such a thing won’t happen, a study by the University of Illinois found that 50% of people who find a lost USB drive will insert it into their computer, and 70% of those people don’t even take any security precautions beforehand.
That’s why JumpCloud features a Disable External Disk (USB) Policy. With this Policy, IT admins can instruct their organization’s Mac (as well as Windows and Linux®) fleets to reject external storage devices inserted into a system’s USB ports. Like all JumpCloud Policies, the Disable External Disk Policy can be applied based on role/permission, meaning that employees who need to be able to use USB storage devices can do so as authorized.
3. Password Modification
Since JumpCloud is the identity source of truth for organizations, it is imperative that JumpCloud passwords are changed carefully. On Macs especially, changing the password solely at the system level through System Preferences can sometimes disconnect the system password from the overall JumpCloud password, which can be used across a wide range of IT resources including applications, WiFi, and file servers. This can cause issues down the line when a user’s JumpCloud password expires. We’ve introduced a number of safeguards to improve this experience for admins and end users, including the Password Modification Policy.
By applying the Password Modification Policy, JumpCloud admins can limit their users’ ability to change their passwords on their systems. That way, end users can simply use the JumpCloud Mac app or their JumpCloud User Portal to change their password, which propagates to all of their JumpCloud connected resources.
More “Policies” to Consider
When it comes to securing and managing Mac systems, these three Policies should certainly be near the top of the list. You can find a full list of JumpCloud’s Policies here in our Support Center, but JumpCloud’s security capabilities don’t end there. That list doesn’t include other JumpCloud features that could be considered policies, such as password policies.
JumpCloud admins can leverage JumpCloud’s password complexity settings to align their JumpCloud instance with company password policies. Admins can adjust password length, what characters can and must be used, as well as reuse and aging settings. As such, JumpCloud’s password complexity settings can be used to meet NIST 800-63 compliance guidelines.
JumpCloud admins can also employ multi-factor authentication (MFA) on their Mac (and Linux) systems, as well as at the User Portal for all of their users in an instant. This functionality also includes the ability to control the enrollment period for MFA, giving end users a configurable window in which they can enroll in MFA before they’re required to do so.
System Policies, MFA, and password complexity requirements are great steps to take in protecting your digital kingdom, but you shouldn’t stop there. If you’re interested in learning about other ways to lock down your IT environment, consider reading The Security Playbook for SaaS Startups. This resource offers five actionable steps you can take to fortify your IT organization, inside and out. If reading isn’t really your thing, you can also watch the associated webinar where Greg Keller, JumpCloud’s Chief Strategy Officer, walks you through the same material.
Not a JumpCloud Customer?
If you aren’t currently using JumpCloud, let us be the first to introduce you to Directory-as-a-Service, the world’s first cloud directory service. You can try JumpCloud absolutely free just by signing up, which includes ten complimentary users in the platform for you to use forever. If you would like to learn more about JumpCloud and Policies, please contact us.