Get Zero Trust Ready with JumpCloud Conditional Access

Written by Dave Madrid on December 16, 2020


As the world moves to remote work, the perimeter of security has drastically changed. More and more employees are relying on home networks or personal devices to connect to corporate resources. People are now accessing resources from any device and from anywhere outside of their corporate domain. This activity has given rise to the domainless enterprise—a central cloud directory service, which serves as the hub for securely connecting users and their devices to the IT resources they need to accomplish their jobs. 

As we evolve how we work, we also need to change how we secure the IT environment. Zero Trust is the concept of "trust nothing, verify everything," and it fundamentally shifts how security is implemented in an organization. With a Zero Trust model, access is granted only when:

  1. The user is verified based on their identity.
  2. The device they're using is known to and managed by the organization, so its security configuration can be verified rather than assumed.
  3. The network they're accessing resources from is known and has been verified as acceptable for that access.

The process of continuous verification can be complex and time-consuming. 

Using Conditional Access to Enable Zero Trust

With the release of Conditional Access, JumpCloud customers now have an easier path to implement the core foundations of a Zero Trust model. By managing identities, networks, and devices from a single cloud directory platform, JumpCloud lets admins verify three key access points: a user's identity, the network they're on, and the device they're using. Once trust is established for these elements, IT admins can build flexible verification rules with JumpCloud's new Conditional Access Policies:

  • Identity Trust: Verify users based on their identity, role, and group. Enforce or relax multi-factor authentication (MFA) requirements based on users' group membership.
  • Network Trust: Verify that authentication requests originate from a known network. Create IP allow/deny lists that dictate which networks users may access resources from.
  • Device Trust: Verify that users are accessing resources from managed devices. Combine JumpCloud's device management with new certificate-based trust to restrict access to resources at the device level.

Conditional Access Policies let IT admins tailor their approach to access and security by combining these three trust checks into policies of differing strictness.

How do I use Conditional Access Policies in my organization?

Conditional Access lets admins combine individual policies into an organization-wide access verification scheme, or apply them at the group level. Here are some of the use cases we've heard from our customers.

  • Allow remote work, but require MFA when employees aren’t in the office.
  • Require MFA for specific groups (e.g., contractors) accessing the organization's applications.
  • Prevent access coming from personal devices.
  • Allow personal devices for specific user groups, but require each user to enter MFA.
  • Disable prompts for MFA for my warehouse workers when they’re accessing applications from the internal network.
  • Require all admins to enter MFA because they have higher privileges and can do the most harm.
  • Allow CEO or other C-level executives to enter without MFA when coming from a trusted device.

How exactly is a device determined to be trusted?

At JumpCloud, a device is considered a user’s gateway to all access. To provide secure access through devices, admins install the JumpCloud agent on any devices that are required to be managed and controlled by the organization. Through the agent, admins can distribute security configurations (policies), manage user accounts and their credentials, and apply core security settings such as enabling full disk encryption and MFA. 

With these procedures performed by the agent, JumpCloud can establish trust through the automatic installation of a JumpCloud-issued certificate. The certificate identifies the machines that the organization knows and manages, and its presence is what the device-trust condition checks when a user authenticates to resources.

To distribute certificates to your devices, go to Conditional Policies > Settings > Conditional Policies Settings > Device Certificates and toggle Global Certificate Distribution to ON. With certificates in place, the admin can scope Conditional Access Policies to specific user groups if desired. When a policy applies to a user, JumpCloud checks that the user logging into the User Portal is the user named in the device's certificate; only then is the device considered "trusted."

How are Conditional Access Policies enforced?

JumpCloud’s Conditional Access allows an admin to combine a set of trust elements (identities, devices, and networks) into an “Access Policy.” For example, if a user is accessing their User Portal from a known IP address and a device with a JumpCloud-issued certificate, they’re allowed access without MFA. However, in the case where there’s more than one policy that applies to a user, JumpCloud will enforce the strictest policy. Here’s the order from the most strict to the least:

  1. Deny access to the User Portal.
  2. Allow access to the User Portal with MFA.
  3. Allow access to the User Portal and all SAML/SSO applications without MFA.

What if no policies apply to a user?

In the case where no policy applies to a user, JumpCloud offers a Global Policy to provide broad coverage as a default. This is a policy that takes effect when no other policy applies. By default, it’s configured to respect the configuration in the “Multi-Factor Authentication Settings” section of the User – Details page for each user.

As this setting is user specific, you may want to configure the Global Policy to override it by choosing one of the three other options. To do this, go to "Conditional Policies," select the Settings button, and open the "Conditional Policies Settings" page.

From here, choose one of the following:

  • Allow authentication into resources – Users will be allowed into the User Portal without being prompted for MFA.
  • Require MFA – Users will be allowed in, with MFA required.
  • Deny access – Users will be denied access.
  • (Legacy) Allow authentication and require MFA based on the individual user setting – JumpCloud will honor the configuration in the "Multi-Factor Authentication Settings" section of the User – Details page for each user.

What happens when a policy requires MFA, but the user hasn’t configured MFA yet?

If you’re an existing customer, you may have experienced a situation where a user was locked out unless they were in an enrollment period. This often resulted in admin intervention. Now, when a Conditional Access Policy requires MFA and the user has not set up an MFA factor, the user will be denied access, but allowed to self-enroll in any of the enabled MFA factors.
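To make the evaluation rules above concrete, here is an added worked example that is not JumpCloud's code and does not describe its internals. It models the customer use cases listed earlier, the "strictest policy wins" precedence (deny > require MFA > allow without MFA), the Global Policy fallback when no policy matches, and the case where MFA is required but the user has not enrolled. The Request/Policy shapes, the CIDR ranges, and the user and group names are assumptions; the office range uses a documentation prefix.

```python
# Added illustration of the Conditional Access evaluation rules described above.
# This is NOT JumpCloud's implementation; the data shapes, ranges and names are assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Outcomes ordered from least to most strict, matching the post's precedence.
ALLOW, REQUIRE_MFA, DENY = "allow", "require_mfa", "deny"
STRICTNESS = {ALLOW: 0, REQUIRE_MFA: 1, DENY: 2}
PER_USER = "per_user"                       # the "(Legacy)" global option: honour each user's own setting
DENY_UNTIL_ENROLLED = "deny_until_mfa_enrolled"

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    source_ip: str
    device_cert_user: Optional[str]         # user named in the device certificate; None if no cert
    mfa_enrolled: bool
    per_user_mfa: bool = False              # the per-user "Multi-Factor Authentication Settings" value

    @property
    def trusted_device(self) -> bool:
        # A device counts as trusted only if a certificate is present AND it names the user logging in.
        return self.device_cert_user is not None and self.device_cert_user == self.user

@dataclass(frozen=True)
class Policy:
    name: str
    outcome: str
    groups: frozenset = frozenset()         # empty: applies to every user
    networks: tuple = ()                    # CIDR strings; empty: any network
    match_inside: bool = True               # True: apply when the IP is in networks; False: when outside
    trusted_device: Optional[bool] = None   # None: ignore the device; True/False: require that state

    def applies(self, req: Request) -> bool:
        if self.groups and not (self.groups & req.groups):
            return False
        if self.networks:
            ip = ipaddress.ip_address(req.source_ip)
            inside = any(ip in ipaddress.ip_network(n) for n in self.networks)
            if inside != self.match_inside:
                return False
        if self.trusted_device is not None and req.trusted_device != self.trusted_device:
            return False
        return True

@dataclass(frozen=True)
class Decision:
    outcome: str
    matched: tuple                          # names of the policies that applied; empty if the global policy decided

def evaluate(req: Request, policies, global_policy=PER_USER) -> Decision:
    matched = tuple(p for p in policies if p.applies(req))
    if matched:
        # Several policies may apply to one login; the strictest outcome wins.
        outcome = max((p.outcome for p in matched), key=STRICTNESS.__getitem__)
    elif global_policy == PER_USER:
        outcome = REQUIRE_MFA if req.per_user_mfa else ALLOW
    else:
        outcome = global_policy
    # MFA required but no factor enrolled: refuse the login but leave the user able to
    # self-enroll, instead of locking them out until an admin intervenes.
    if outcome == REQUIRE_MFA and not req.mfa_enrolled:
        outcome = DENY_UNTIL_ENROLLED
    return Decision(outcome, tuple(p.name for p in matched))

OFFICE = ("203.0.113.0/24",)                # assumed corporate egress range

# Policies modelled on the customer use cases listed in the post.
POLICIES = [
    Policy("office-trusted-no-mfa", ALLOW, networks=OFFICE, trusted_device=True),
    Policy("remote-requires-mfa", REQUIRE_MFA, networks=OFFICE, match_inside=False),
    Policy("contractors-require-mfa", REQUIRE_MFA, groups=frozenset({"contractors"})),
    Policy("admins-always-mfa", REQUIRE_MFA, groups=frozenset({"admins"})),
    Policy("block-personal-devices", DENY, trusted_device=False),
    Policy("execs-trusted-no-mfa", ALLOW, groups=frozenset({"executives"}), trusted_device=True),
]

def demo():
    # Constructed sample logins (not real telemetry); returns {name: Decision}.
    cases = {
        "alice_in_office":        Request("alice", frozenset({"staff"}), "203.0.113.10", "alice", True),
        "bob_at_home":            Request("bob", frozenset({"staff"}), "198.51.100.7", "bob", True),
        "carol_exec_at_home":     Request("carol", frozenset({"executives"}), "198.51.100.9", "carol", True),
        "dan_contractor_byod":    Request("dan", frozenset({"contractors"}), "198.51.100.20", None, False),
        "erin_wrong_cert":        Request("erin", frozenset({"staff"}), "203.0.113.11", "alice", True),
        "frank_admin_unenrolled": Request("frank", frozenset({"admins"}), "203.0.113.12", "frank", False),
    }
    return {name: evaluate(req, POLICIES) for name, req in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision.outcome:26s} via {decision.matched or ('global policy',)}")
```

Two results are worth noting. Carol, an executive on a trusted device at home, is still prompted for MFA: "execs-trusted-no-mfa" applies, but so does "remote-requires-mfa," and the stricter outcome wins. Carving executives out of the remote rule would need the group exclusion feature described below or a remote policy scoped to the groups it should cover. Erin, logging in on a device whose certificate names a different user, is denied even from the office, because the certificate must match the user for the device to count as trusted.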

What’s next with Conditional Access?

Conditional Access has been a top request from customers, making the launch of JumpCloud Conditional Access an important milestone. You can also look forward to more features coming soon such as:

  • Group exclusion – The ability to exclude user groups from a policy (e.g., all users except admins can access the User Portal without MFA).
  • Policy enforcement by application – Create a policy requiring MFA for specific applications and relax MFA for others.
  • Geofencing – Restrict access from specific countries.

Test Drive JumpCloud 

If you don’t already have a JumpCloud account, you can create one for free, manage up to 10 users and 10 devices, and test drive the full platform, including Conditional Access. You can follow the guided simulation to get started with Conditional Access. Use 10 days of premium, in-app 24×7 chat support with our support engineers to get the most out of your new account. 

Dave Madrid

Dave is a Senior Product Manager at JumpCloud with over 25 years experience building great products. When not in the office, you'll find him in the mountains, hiking, fly fishing, and camping.
