Groups are a familiar concept to IT administrators. They’re a time-tested method for access control, policy management, and authorization to resources from directories. Active Directory popularized groups in the early 2000s and simplified permission inheritance in a system that was intended to operate in private networks, behind the firewall, and not the web. Requirements have changed dramatically in the ensuing years, with the establishment of Zero Trust architecture, geographically distributed teams, and the accelerating pace of IT automation. The domain-driven approach to group management has become time-consuming and inadequate.
JumpCloud’s approach to group management works differently, and was designed to broaden the benefits of directory management, without the need for domain controllers or expensive hardware to bridge your offices. This new architecture adds context and automations to identity and access management (IAM) in a way that’s accessible to small to mid-sized enterprises (SMEs) and easy for users. Attributes and key information about users’ devices combine to create insights that translate into actions, such as proactively recommending changing group memberships, mandating multi-factor authentication (MFA), or executing commands. “Smart” groups streamline identity management across network boundaries, and together with policies that govern the user lifecycle and device compliance, serve to constantly reinforce Zero Trust security principles.
Let’s take a closer look at groups and the use cases that they unlock for SMEs. These scenarios are beneficial beyond IAM and cybersecurity, and are helpful for any organization that’s consolidating its IT operations for compliance and cost savings across all types of devices.
How JumpCloud Groups Are Different
The capabilities outlined above sound very different from Active Directory groups. That’s because JumpCloud’s attribute-based access control (ABAC) works differently. That distinction helps groups to function as a centralized IAM suite. Attributes make it possible for instant cross-checks of users within a group to manage access to IT resources as opposed to inheriting permissions. The universe of possibilities of what groups can deliver is vastly more versatile and intelligent. The next section explores some of those scenarios and their practical benefits.
There’s another tangible benefit for security: this capability will instantly advance your maturity model for entitlements management. Continuously validating and identifying entitlement issues delivers an “intermediate” level of controls and measures for this aspect of access control. Full automation will make it “advanced”. Active Directory cannot deliver beyond “basic” maturity because user management is a manual process that adds to administrative overhead.
What’s Possible with Groups?
JumpCloud’s groups are collections of objects such as users, policies, and devices. These logical groupings make it possible to use a single platform for user and device lifecycle management. These are some of the core components of the platform that involve groups:
- Automated user onboarding
- Multiple methods of IAM connectivity
- MFA and conditional access
- Managing devices across platforms
- Managing your IT assets
- Implement GPO-like policies, cross-OS
These capabilities coalesce into “smart” groups that unify and automate the process of managing identities from the onset in a way that places less onus on administrators to keep up with organizational changes. It serves as an extra pair of eyes to verify that permissions are correct and that users aren’t over (or under) provisioned, based upon their job roles and supervisors. Permissions are no longer static and stagnate, which avoids security and user experience issues that could otherwise occur if access control was simply inherited by groups.
Rapid User Onboarding
User lifecycles start with onboarding, and JumpCloud makes it easy to import identities and attributes from identity providers (IdPs) including Active Directory, Microsoft 365, and Google Workspaces. JumpCloud also extends support to HRIS services, to automate and schedule new user provisioning. Imported attributes can be used to determine group memberships, which saves admins time and mitigates errors, compliance, and security risks.
Attribute-driven group suggestions work like this: after an admin imports someone from an HRIS with their department populated as “sales,” they receive a pop-up asking if they want to add a user to the sales group. The platform also has built-in SCIM provisioning and a REST interface for custom integrations to reduce the workload to bind users to integrated applications.
Connect to More Things, in More Ways
JumpCloud provides multiple options to connect to your apps, network and storage devices, services, servers, and more. Group memberships (and sometimes, the appropriate attributes) grant (or remove) access; groups are bound to the respective resources.
The following interfaces are included with the platform:
- Single sign-on (SSO): JumpCloud’s believes that you should “own” your identity. The platform supports SAML SSO and OpenID (OIDC) for SSO connectivity. Admins can select from hundreds of preconfigured connectors or use custom configuration settings.
- RADIUS servers: The platform provides RADIUS services that can be used to log in users into devices and networks, such as Wi-Fi, along with custom VLAN settings. This can be done with MFA enabled and using delegated authentication to bring your own credentials.
- LDAP: LDAP is the heart of JumpCloud’s directory and connects users to anything that supports the standard, without the overhead of maintaining your own servers.
Authentication factors are configured at the group level, or a group is bound to a service.
MFA and Conditional Access
LDAP, RADIUS, and SSO services all provide the option for push MFA via the JumpCloud Protect™ app. The platform can also be integrated with biometric factors, such as Apple’s FaceID. Admins can alternatively opt for TOTP (time-based one-time passwords) as an alternative. Push MFA is preferred, because it’s considered to be the most user-friendly method of authentication.
Some accounts require additional protection, so JumpCloud also offers conditional access policies that take into account the sign-in location of users, device trust, or dedicated IPs. Policies can be configured with specific application assignments and members can be easily bound to them from user groups. User groups centralize and simplify setting up Zero Trust functionality.
Managing Devices Across All Platforms
The device trust policy is possible because of JumpCloud’s ability to configure security policies for compliances and benchmarks. The platform includes targeted pre-made policies for every major desktop operating system, MDM (mobile device management), as well as the ability to implement custom policies. Compliance baselines (NIST and CIS Controls) will soon be available to set in policy groups.
Admins also have the capacity to execute commands against groups, en masse, with Sudo access. Commands are currently in the process of being revamped for more automation and orchestration with granular queuing and timeout options. Groups can also be used to associate devices by operating systems (or other criteria) for patch management, a JumpCloud feature.
JumpCloud provides a unified patch management console, with full OS parity, that leverages groups to organize devices for patch scheduling. The user experience is optimized for each OS to balance usability and security, providing more utility than a standalone directory.
Getting Started with Groups
JumpCloud Support provides detailed tutorials about how to get started with groups.
The JumpCloud platform connects you to more things and is free of cost for 10 devices and 10 users. You’ll also receive complimentary premium chat support and can ask questions with your peers in our community. Support is available 24×7/365 within the first 10 days of your account’s creation. There’s no additional charge for “smart” groups, which is a core platform feature.