Configure SaaS Management

JumpCloud® SaaS Management gives you visibility and control over shadow IT and SaaS app use within your org. Using the JumpCloud Go™ browser extension, discover SaaS app use previously outside of your IT team’s visibility. Improve your org's security and compliance by choosing what apps users can access and how to restrict them. Warn or block users from accessing unapproved SaaS apps and customize the messaging they see. Collect valuable usage insights that help streamline, simplify, and minimize unnecessary costs of your application portfolio.

Prerequisites:

• JumpCloud Go is enabled in your org and the browser extension is installed on supported devices (macOS, Windows, Linux). See Get Started: JumpCloud Go™ to learn more. 

Considerations:

• JumpCloud SaaS Management is a premium feature and requires the Platform Prime package. See JumpCloud Pricing to learn more.
• When you enable SaaS Management, the JumpCloud Go browser extension collects specific data to discover and track SaaS apps. See the SaaS Management FAQ to learn more.
  • To begin tracking, users must authenticate to the User Portal in their browser to establish a session. See Use JumpCloud Go™ to learn more.
• SSO apps you’ve configured in JumpCloud automatically appear in SaaS Management as approved apps. See Get Started: SAML Single Sign-on (SSO) to learn more.
• SaaS Management doesn’t track locally installed apps, or those installed using JumpCloud Software Management. 
• SaaS app licensing information isn’t tracked automatically. You’ll need to enter licensing details manually for it to appear in SaaS Management. 
• When you delete a JumpCloud user that has SaaS Management enabled, the user’s accounts remain listed in SaaS Management without an owner. Enhancements are planned to improve this, giving admins a list of deleted users with the ability to act on their app and account details.

Enabling SaaS Management 

To start using JumpCloud SaaS Management, enable it in the Admin Portal:

1. Log in to the JumpCloud Admin Portal.
2. Go to SECURITY MANAGEMENT > SaaS Management.
3. Toggle on SaaS Management Enabled.

After enabling SaaS Management, existing JumpCloud SSO apps are added automatically. For SaaS app discovery on user devices, the browser extension begins tracking activity within five minutes. Users must authenticate to the User Portal first to establish a session for SaaS Management to begin tracking.

Next, configure the following management settings to customize SaaS Management behavior.

Configuring SaaS Management Settings

Use these settings to fine tune browser extension tracking, exclude certain user groups, and customize action and response to unapproved apps.

SaaS Management on User Portal

Choose to display a SaaS Management info card for users in their User Portal > Security page. This informs users that SaaS Management is enabled, and which email domains are being tracked by your org.
Security.">

Browser Extension Domain Tracking

When users register, log in, or return to a SaaS app, they use an email address or username to authenticate. Control what activity is captured depending on the email address domain used for authentication:

• All Domains: Track SaaS app activity from all usernames and email domains.
• Specific Domains: Track activity only from specified email domains. Use this setting to limit tracking to your company’s email domain, excluding SaaS app activity from non-work email addresses. 

Browser Extension User Tracking 

Leverage user groups to control which users in your org are tracked by the browser extension.

• All Users: Track SaaS app activity for all users in your org.
• Exclude Specific User Groups: Select user groups to exclude from SaaS app tracking. For example, users with a specific role may need to be excluded from tracking. 

Default Action for Unapproved Apps 

When you classify discovered apps as unapproved, select the default action SaaS Management takes to warn or block your users in their browser with the extension installed:

• Take No Action: Allow users to access unapproved apps as normal.
• Show a Warning: Prompt users with a warning banner in their browser when accessing an unapproved app. You can customize the message users receive in the next section. You can also choose to redirect users to an approved alternative app.
  
• Block the Application: Deny users access to unapproved SaaS apps. Users receive a blocked message in their browser and can’t access the app. You can customize the block message in the next section.
  

Default Messaging for Unapproved Apps

Customize the default warning and blocking messages users see when accessing unapproved apps. 

• Warning message for unapproved applications: If you selected Show a Warning as the default behavior for unapproved apps, enter the message users see when they are warned when accessing an unapproved app.
  • (Optional) Select Allow users to dismiss warning messages by default to let users dismiss the warning banner.
• Blocking message for unapproved applications: If you selected Block the Application as the default behavior for unapproved apps, enter the message users see when they are blocked from accessing an unapproved app.

Managing Applications 

Now that you’ve enabled and configured SaaS Management, you can review and manage all of your apps and connected users. 

Overview Tab

When you enable SaaS Management, the JumpCloud Go extension begins tracking user activity in their browser. Once data starts populating, the Overview tab serves as a dashboard for SaaS app activity within your org. 

• Newly Discovered Apps: Apps that have been recently discovered by SaaS Management.
• Approved Apps: The number of approved apps in your org. These include existing JumpCloud SSO apps.
• Unapproved Apps: The number of unapproved apps you’ve specified in your org.
• Ignored Apps: The number of apps you’ve set SaaS Management to ignore. 
• Users Monitored: The total number of users being monitored by the browser extension. 
• Low Usage Tools: Apps used rarely (once or never in the last 30 days).
• Upcoming Renewals in the next 30 days: When you enter licensing information, apps that are due for renewal appear here.

Applications Tab

See a list of all SaaS apps discovered in your org. Apps are broken out into the following categories:

• Newly Discovered: Apps discovered by SaaS Management that you haven’t categorized yet.
• Approved: Apps that you’ve approved for use within your org. 
• Unapproved: Apps you’ve selected are not approved for use. You can either warn users when accessing them, or block access in their browser.
• Ignored: Apps that have been discovered but you’ve ignored. Use this category for apps you don’t want to restrict access to, but don’t want to appear in SaaS Management reporting.

App Usage

Usage is calculated using a combination of how often individual accounts access an app and the percentage of total accounts accessing the app. For example, app usage is categorized as High if 50% of assigned accounts use the app 5 or more days in a 30 day period.

Reviewing an App

Apps that SaaS Management discover appear in the Newly Discovered tab until you review and classify them as approved, unapproved, or ignored. 

To review an app:

1. In the Applications > Newly Discovered tab, locate the app to review. 
2. In the Actions column, click Review. The Review App modal appears. 
3. Under Owner, select a user within your org that manages the app. For example, if the app is owned and used by the Accounting team, this may be the Director of Accounting.
4. Under Status, select from the following options:
   1. Approved: Select this if the app is approved for use by your IT team or another team within your org. Users can access this app as normal with no restrictions. 
   2. Unapproved: Select this if the app is not approved for use in your org. Depending on the default action for unapproved apps configured in SaaS Management settings, users will either be warned or blocked from accessing the app in their browser.
   3. Ignored: Select this option for apps you don't want to restrict access to but also not appear in reporting.

To set Access Restrictions:

If you set the app status as Unapproved in the previous section, use Access Restrictions to configure how to warn or block users from accessing the app:

1. Select Take No Action to all users to access the app without restrictions.
2. Select Show a Warning to present a warning banner in the user’s browser. 
3. Select Block This Application to block access in the user’s browser: 
4. (Optional) If you set Show a Warning or Block This Application in the previous step, the following options are available:
   1. Select Overwrite default warning message to enter a custom warning message to the user. This overwrites the default messaging. Jump to Default Messaging for Unapproved Apps.
   2. Select Recommend an alternate app or resource to direct the user to an alternative app. Enter the Link label and URL.
   3. Select Allow users to dismiss this warning to let users collapse the warning banner.

Viewing App Details

You can select any app in the SaaS Management list to see an overview and additional information about it.

To access app details:

1. In the app list, go to the App column and click the name of the app to open its details.
2. The Overview tab opens by default. The following information displays:
   • Overview: A description of the SaaS app and its primary use case.
   • Users: The number of users discovered interacting with this app. 
   • Owner: The JumpCloud user that manages the app. You can customize this by clicking Actions > Edit App Details.
   • SSO Connection: Indicates if this is an existing SSO application within your JumpCloud org.
   • Home Page: The website URL of the app. 
   • App Usage: A graphical view of the number of accounts that access this app per day. 
   • License Information: License information about the app you’ve entered appears here. 

To modify an app from the details page:

1. In the top right of the app details, click Actions and select Edit App Details. 
2. The Review App modal appears. Jump to Reviewing an App to learn about the Owner, Status, and Access Restriction fields. 

Editing Licensing Information

Keep track of app costs and usage all within SaaS Management. You can manually enter licensing information for each SaaS app. 

To edit license information:

1. In the bottom right of the app details, click the pencil icon to Edit License Information.
2. The Edit App License Information modal appears. Select Track license information for this app. 
3. Select from the appropriate License Term:
   1. Free Subscription
   2. Paid Monthly
   3. Paid Yearly
4. If you selected Paid Monthly or Paid Yearly, enter the following details:
   1. Renewal Date
   2. Cost
   3. Total Licenses
5. (Optional) In the Notes field, enter any other relevant information you wish to track.

Deleting an App

You can't delete connected SSO apps directly from SaaS Management. Instead, delete them from JumpCloud SSO in the Admin Portal (USER AUTHENTICATION > SSO Applications). See Get Started: SAML Single Sign-on (SSO) to learn more. 

Managing Users

The Users tab gives you an overview of all SaaS app users in your org, which apps they have access to, and how frequently they use them. 

• Name: The user’s JumpCloud display name and email address used to access their apps.
• Apps Used: Total number of SaaS apps the user has accessed. 
• Accounts: Total number of accounts the user has across all SaaS apps. 
• Last Usage: The last time the user has interacted with a SaaS app. 
  

Viewing User Details

You can select any user in SaaS Management to see additional information, including app activity and login methods.

To access user details:

1. In SaaS Management, go to the Users tab.
2. In the list of users, find the user you want to review and click on their name.
3. The User Details displays with the following information:
   • User Overview: JumpCloud user information, including Job Title, Department, and Manager.
     • Click Go to JumpCloud User Detail to open the user details.
   • Account Usage: A graphical view of how many SaaS accounts the user accesses per day. 
   • SaaS Access Information: A list of apps the user has interacted with, the account they used to authenticate ti tge app, and the last time they used it.
     • The Login Method icons tell you how the user authenticated to the app:
       • JumpCloud: User authenticated with JumpCloud SSO.
       • Key icon: User authenticated with a password.
       • Google: User selected the option to authenticate with Google.

Disabling SaaS Management

To disable SaaS Management:

1. Log in to the JumpCloud Admin Portal.
2. Go to SECURITY MANAGEMENT > SaaS Management > Settings.
3. Toggle SaaS Management to Off.

Additional Resources

• Enroll: SaaS Management Course