Offices in prior decades were built primarily with an on-premises state of mind. In order to do work, you had to drive to the office, work on a desktop or stationary computer, and authenticate locally to your on-prem Active Directory® or LDAP server.

Beyond the fact that it doesn’t easily accommodate remote work, the on-prem model has other downsides: admins end up managing separate passwords for each application, and users join WiFi with a single shared pre-shared key (WPA2-PSK) rather than individual credentials, so one leaked passphrase exposes the whole network. As technology evolved, cloud applications, varying operating systems, and disparate resources became more common in the workplace, and they challenged the on-prem model as well.

Desktops evolved into laptops, installed applications became browser-based, and WiFi protocols became more secure. Offices, too, have started evolving to allow for work-from-home or multiple remote branch offices.

When working in any IT environment, especially one with remote workers, there are several things you should consider configuring and enforcing. This guidance applies whether you are using JumpCloud or not, so we’ll go through it before the JumpCloud-specific guidance.
Strong Password Policies:

Different security compliance regulations require different levels of password complexity. For example, section 8.x of the PCI DSS 3.2.1 requirements specifies the following for passwords used in a secure environment:

It should be noted that you can always make these requirements stricter based on the compliance regime and policies you want to enforce in your environment. Our advice has always been, and continues to be, to create long, strong passwords. Ideally, end users create a sentence or combine multiple words into a long passphrase (longer than 16 characters is preferable; note that Office 365/Azure AD historically capped passwords at 16 characters, so check the current limit of any directory you sync passwords to before raising your minimum).
Anti-Phishing Security Policies:

In recent years, there has been an increasing number of attempted and successful phishing and spear-phishing attacks. In 2017 alone, according to a PhishLabs report, there was a 237% increase in phishing attacks that impersonate SaaS applications. Beyond that, Verizon found in one security study that phishing and pretexting were responsible for 93% of breaches among social-engineering incidents. There are many ways bad actors can use social engineering, spam email, or URL redirection to get information out of your employees and into their own hands.

Beyond educating your employees about good anti-phishing practices and requiring strong passwords, you can enforce multi-factor authentication, keep anti-virus software updated, and use only HTTPS.
System Security Policies:

If you want to achieve a higher security standard across your systems, reference the CIS Benchmarks for your operating system and adopt those settings as policies too.
Multi-Factor Authentication:

Secure Network Authentication:

Individualizing secure access to networks can be handled several ways, two of which are common standards: secure LDAP and RADIUS.

Full Disk Encryption:

No Shared Accounts:

Secure Application Authentication:
JumpCloud’s cloud directory platform allows you to manage your company’s identities, resources, and systems through the browser-based Admin Portal. The above diagram outlines the different resources you can connect to JumpCloud’s core directory.

This guide covers the following topics to ensure your JumpCloud organization follows basic best practices for enforcing security while working remotely:
Users are the core of any directory. With JumpCloud, you can ensure users have access only to the specific resources they need, are blocked from the ones they shouldn’t reach, and follow strict password complexity policies. You can also create user groups that control which users have access to specific applications, systems, file servers, and networks.

It’s a best practice to configure your JumpCloud organization’s password complexity settings before creating or importing users. By defining strong password policies up front, new JumpCloud users must abide by them from day one: each user sets a compliant password once, and it becomes their password for all interconnected JumpCloud resources, systems, and applications.

JumpCloud lets you configure password policies as you see fit under the Org Settings tab on the left side of the Admin Portal.

Password settings and policies are under the User Accounts section within the Custom Password Settings dropdown. Here you can set the minimum length, the character classes required, the maximum number of failed login attempts before lockout, the length of password history, and more.
User Groups in JumpCloud give you, as an administrator, control over which users have access to which resources in your JumpCloud organization. Creating User Groups is simple and quick within the JumpCloud Admin Portal. To begin, navigate to the Groups tab in the left menu.

Whether the group is based on department, location, or application need, you can create user groups with a few clicks. If you’re just starting out with JumpCloud, there are no pre-created groups, which gives you the flexibility to create custom groups specific to your organization.

Generally, you’ll want to create an “Everyone” or “All Employees” group. This group makes it easier to control access to resources the entire company requires, such as the corporate HR application, chat solution, and conferencing application.

Tip: You don’t need a VPN to use JumpCloud. However, if you have a large user base that travels abroad and may need to use café or other public WiFi networks, a VPN is recommended as an extra layer of security.

Use Office 365 or G Suite? Using the Directories tab, you can sync your JumpCloud user groups with your O365/G Suite directory to consolidate users’ passwords, control user IAM, and provision new users to their target directories.
System Groups in JumpCloud are primarily used for two purposes: granting User Group access to multiple systems at once, and applying security Policies to every system bound to the System Group.

To create a System Group, navigate back to the Groups tab on the left side of the JumpCloud Admin Portal.

Generally, it’s a best practice to organize your systems into System Groups based on operating system, location, or department. You can then manage User Group access to multiple systems easily, such as DevOps team members accessing multiple Linux servers.

Depending on the operating systems your organization uses, create a System Group for each OS. If you label System Groups with their OS, you can then apply the matching security Policies to each group. Managing Policies and systems through groups is much easier than configuring each system individually.
JumpCloud has three primary directory integrations: Office 365 / Azure Active Directory, G Suite, and Active Directory. With these directory syncs in place, you can import pre-existing users into JumpCloud. You can also provision new users directly in the JumpCloud Admin Portal, and they are then provisioned in the connected directories via bi-directional syncing.

If you’re working remotely or from home, you can use JumpCloud’s single dashboard to import, create, revoke, or suspend user accounts. The user’s workflow is unaffected when logging into Office 365/Azure Active Directory, G Suite, and/or Active Directory. JumpCloud manages user accounts and password sync with these directories and their connected resources at the API level.

Connecting and configuring your current directories in JumpCloud makes it easier for you and your team to manage user accounts for staff who are remote or abroad.
If you’re moving to a more remote or fully remote work environment, it’s highly recommended to require multi-factor authentication for all users who access your company resources. MFA increases the security of your company’s users and resources because authentication then requires not only a password but also a second factor.

JumpCloud has TOTP MFA built into the platform natively. JumpCloud’s TOTP MFA can be enabled on a wide variety of resources connected with JumpCloud, and it works with many TOTP applications, such as Google Authenticator, Duo Mobile, Authy, FreeOTP, and more.

You can also enable this second factor on user or admin authentication into their JumpCloud portals.
One of the greatest benefits of using JumpCloud is deep system management and control over user access, system policies, and remote commands on your remote fleet without the need for RDP, VPNs, or SSH. This is all done through JumpCloud’s lightweight system agent. Users can change their password natively within Windows using Ctrl-Alt-Del, and macOS users can use the JumpCloud Mac App in their menu bar. When users change passwords through the operating system’s own workflow, they learn that legitimate password changes do not arrive as links in email, which blunts a common phishing lure.

The JumpCloud system agent communicates with JumpCloud over HTTPS on port 443, which ensures all updates, changes, removals, and additions to systems are carried out over an encrypted channel. The agent checks in with JumpCloud every 60 seconds, so any changes you make to a system, its bound users, or its Policies are applied within about a minute.

Many current JumpCloud customers use the system agent to ensure remote offices, work-from-home employees, and company-owned systems are secure, managed, and following security best practices. All system management can be done entirely from the Admin Portal in your web browser.

Need to do something more advanced, like custom scripting? Not a problem. JumpCloud also lets admins write, execute, and schedule custom Bash, PowerShell, and command-line commands from the Admin Portal. These commands can do anything from mapping printers to mounting file shares or pulling information off a system.

Pairing JumpCloud’s system agent with the premium System Insights™ feature gives you a much deeper look into the health and status of your systems. You can see installed applications, hardware information, disk space, and more, directly from the Admin Portal. This way, you can inventory your systems and resources and troubleshoot as needed.

Because JumpCloud manages systems through the lightweight agent, users can change their password from their logged-in session within the operating system. By enforcing password changes and reminders inside the operating system, users adapt to an already familiar workflow and learn that passwords are changed locally. Whether your users are on macOS or Windows, they can change passwords locally.

Local password changes also help users resist phishing. Users who know their password is changed in-system are less likely to follow a password-change link in a suspicious email. Changing a password locally is convenient for users, and it is easier for admins too, since reminders and changes are all self-service for end users.
Built to be vendor-agnostic, JumpCloud allows you to configure system policies for Mac, Windows, and Linux systems remotely. There are many system Policies you can configure within JumpCloud’s Policy menu. When creating new Policies, we recommend applying them to System Groups so that all associated systems are covered. This is done within the Policy’s System Group tab.

To get started enforcing good security practices and locking down systems, we recommend configuring and implementing the beginning policies below, which were noted in the first section of this Admin Guide.

You can enforce more policies as needed, which is a great way to ensure your work-from-home users’ systems are as secure and locked down as possible. It’s also recommended that users are bound to systems as “standard user”. Grant sudo/administrator-level permissions only to users who require them, such as developers and administrators, and review that list periodically: a standard user who is quietly made a local admin can install software and disable the very controls you are applying.
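As an added example (this is not JumpCloud’s own code or a command from its gallery), the following PowerShell script is the kind of JumpCloud Windows command you can schedule against a Windows System Group to catch privilege drift on remote laptops: it compares the local Administrators group against an allowlist and exits non-zero when anyone unexpected is present, which surfaces as a failed command in the Admin Portal. The account names in $allowed are placeholders to replace with your own; Get-LocalGroupMember and Remove-LocalGroupMember are the built-in LocalAccounts cmdlets available on Windows 10 / Server 2016 and later.

```powershell
# Added example (not JumpCloud's own code): a JumpCloud Windows command that
# audits the local Administrators group against an allowlist. Schedule it
# against your Windows System Group; a non-zero exit shows as a failed command
# in the Admin Portal, which is the signal you want for privilege drift.

$ErrorActionPreference = 'Stop'
$Remediate = $false   # set $true to remove unexpected members instead of only reporting

# Allowlist of bare account names (no COMPUTERNAME\ or DOMAIN\ prefix).
# These names are placeholders; put your real break-glass and admin accounts here.
$allowed = @(
    'Administrator',   # built-in local Administrator (RID 500)
    'jc-admin'         # hypothetical JumpCloud-managed admin account
)

try {
    # Get-LocalGroupMember throws if the group contains an orphaned SID
    # (e.g. a deleted domain account); exit 2 so a failed audit is
    # distinguishable from a failed check.
    $members = @(Get-LocalGroupMember -Group 'Administrators')
} catch {
    Write-Output "ERROR: could not enumerate Administrators: $($_.Exception.Message)"
    exit 2
}

$unexpected = @()
foreach ($m in $members) {
    # Names come back as COMPUTERNAME\user or DOMAIN\user; compare the bare name.
    # -notcontains is case-insensitive, matching how Windows treats account names.
    $bare = ($m.Name -split '\\')[-1]
    if ($allowed -notcontains $bare) { $unexpected += $m }
}

if ($unexpected.Count -eq 0) {
    Write-Output 'OK: Administrators contains only allowlisted members'
    exit 0
}

foreach ($m in $unexpected) {
    # ObjectClass tells you user vs. group; PrincipalSource tells you Local,
    # ActiveDirectory, AzureAD or MicrosoftAccount, which is useful when triaging.
    Write-Output ('UNEXPECTED ADMIN: {0} ({1}, source: {2})' -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    if ($Remediate) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        Write-Output ('  removed {0} from Administrators' -f $m.Name)
    }
}
exit 1
```

Run it in report-only mode first and look at the results across the fleet before flipping $Remediate to $true; nested domain groups such as a “Domain Admins” entry will show up as unexpected unless you add them to the allowlist deliberately.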
If you’re running Mac and/or Windows systems in your JumpCloud organization, you can enable full disk encryption via JumpCloud Policies: create the BitLocker (Windows) or FileVault 2 (macOS) policy within the Policies menu in JumpCloud and apply it to your “Windows Systems” and “Mac Systems” groups to encrypt the disks.

Once the Policy is applied, the recovery key is securely escrowed in JumpCloud and associated with the system’s record. The recovery key can be viewed through the “Show Recovery Key” link within the system’s Details tab. If FileVault 2 or BitLocker was already enabled before JumpCloud, JumpCloud rotates the key and escrows the new key.

This way, you don’t have to manage spreadsheets, sticky notes, or other legacy means of tracking recovery keys, and the whole process can be done entirely and securely through JumpCloud’s Admin Portal.

Full disk encryption uses the strong methods built natively into Windows 8.1/10 and macOS 10.13.6 or higher. If a system is lost or stolen, you have the assurance the data on the disk is protected because of the JumpCloud FDE policies applied to the systems. Only someone holding the user’s credentials or the escrowed recovery key can unlock the volume, and the recovery key is visible only to JumpCloud admins through the Admin Portal. Because that key unlocks the disk, treat access to it as privileged: require MFA on admin accounts and review which admins can view keys.

Generally, if a system travels outside the office, including in remote work scenarios, it’s highly recommended to enforce full disk encryption. This way you are implementing security at the disk level and the laptop is secure at rest. Check out JumpCloud’s guides on full disk encryption for BitLocker and FileVault 2 for more details.
If you’re looking for more granular control or the ability to run scheduled tasks, JumpCloud lets you configure commands for Mac and Linux® (Bash) and Windows (PowerShell or command-line). These commands are executed remotely on one or many systems by the JumpCloud agent. To get started, navigate to the Commands tab in the left menu of the JumpCloud Admin Portal.

In a work-from-home or remote work environment, you can pull system or user information from a system using these remote commands. If you use JumpCloud’s System Insights, you can do this natively within the Admin Portal.

JumpCloud has a commands gallery on GitHub, so you can copy and paste example commands. These are basic commands to get you started, but if you’d like to write your own custom commands or tasks in Bash or PowerShell, you can do so, all from the Admin Portal in your browser.
Although JumpCloud does not function as an application manager, it can pair with third-party, open-source package managers such as Chocolatey for Windows systems and AutoPkg for macOS systems in your JumpCloud environment. This is done with JumpCloud’s Commands in the Admin Portal.

For Windows systems, using Chocolatey is straightforward. You can install Chocolatey remotely and then provision applications to your users’ systems remotely through JumpCloud. For example, to install Chrome and Notepad++, use the following two lines in a JumpCloud command once Chocolatey has been installed:

choco install googlechrome -y
choco install notepadplusplus -y
With JumpCloud Commands, you can also call Chocolatey to update Chocolatey-managed applications on a schedule, such as every day at 05:00 UTC, as shown in the following example.
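The following PowerShell is an added example of such a scheduled command; it is not JumpCloud’s or Chocolatey’s own code. It bootstraps Chocolatey from the vendor’s published install script only if choco.exe is missing, runs choco upgrade all, and maps Chocolatey’s reboot-required exit codes to success so the Admin Portal does not flag a healthy run as failed. It assumes the command runs in the default SYSTEM context and that the host can reach community.chocolatey.org over HTTPS.

```powershell
# Added example (not JumpCloud's or Chocolatey's own code): a scheduled JumpCloud
# Windows command that keeps Chocolatey-managed applications current.
# Assumes the default command context (SYSTEM) and outbound HTTPS to
# community.chocolatey.org.

$ErrorActionPreference = 'Stop'
$choco = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'

# Bootstrap Chocolatey only when it is missing, using the vendor's documented
# install script. This executes a script fetched over the network: review it
# once (or host a vetted copy internally) before trusting it on a schedule.
if (-not (Test-Path $choco)) {
    Set-ExecutionPolicy Bypass -Scope Process -Force
    # Force TLS 1.2 on older .NET defaults (3072 = SecurityProtocolType.Tls12).
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
}
if (-not (Test-Path $choco)) {
    Write-Output 'ERROR: Chocolatey bootstrap failed'
    exit 1
}

# Upgrade everything Chocolatey manages, non-interactively. -y accepts prompts;
# --no-progress keeps the command log in the Admin Portal readable.
& $choco upgrade all -y --no-progress
$rc = $LASTEXITCODE

# Chocolatey returns 1641 (reboot initiated) or 3010 (reboot required) when the
# install itself succeeded; treat those as success so the run is not reported failed.
if (@(0, 1641, 3010) -contains $rc) {
    Write-Output "choco upgrade all finished (exit code $rc)"
    exit 0
}
Write-Output "ERROR: choco upgrade all failed (exit code $rc)"
exit $rc
```

Save it as a Windows (PowerShell) command, set the launch event to a schedule, and bind it to your Windows System Group. Because the agent runs it with system privileges, end users stay standard users while still receiving updates.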
This allows you and your IT admins to ensure the appropriate applications are installed and available for your remote workers, even though your users are standard users within Windows. Chocolatey’s public repository lists more than 7,000 packages, and it is continually updated.

Although JumpCloud doesn’t natively manage the installed applications on Windows, it acts as the vehicle for Chocolatey’s package manager, consolidating your administrative tasks in JumpCloud’s Admin Portal.

For macOS systems, JumpCloud Commands can be paired with AutoPkg to manage and install applications remotely on the macOS systems in your company’s fleet.

Once AutoPkg has been installed, you can create JumpCloud Commands that use AutoPkg to deploy applications across your macOS fleet. To get the most out of AutoPkg, make sure your environment meets its requirements, including adding a recipe repository (for example, the core recipes via autopkg repo-add recipes). With the core recipes present, you can install the current Firefox across your systems using the Firefox.install recipe:

autopkg install Firefox.install

By combining JumpCloud and AutoPkg, you can create application installs and updates for your macOS environment without giving macOS users sudo privileges, because JumpCloud commands run with root privileges on the system by default. Although JumpCloud isn’t a full application manager, as with Chocolatey it acts as the vehicle for AutoPkg to perform the installation.
Most companies use a catalog of web applications, such as Slack, Zoom, Salesforce, AWS, GitHub, and more. In most scenarios, you can access these applications from anywhere in the world, as long as you have internet access. JumpCloud was built the same way, as a 100% cloud-based service.

JumpCloud allows you to configure SAML 2.0 application connectors for SSO to the resources your company uses. There are hundreds of pre-configured connectors for applications in JumpCloud’s catalog, with Just-in-Time provisioning for select apps, as well as a generic connector for applications not already pre-configured.

By leveraging JumpCloud user groups, you can associate specific application access only with the groups that need those applications. In the example below, Group 1 has access to Box, AWS, and Zendesk, but not to Slack, Salesforce, or Atlassian Cloud. Keep in mind that a JumpCloud user can be placed in both Group 1 and Group 2 to gain access to both sets of resources, depending on requirements and use cases.

With this workflow, JumpCloud becomes the identity provider for the SAML application (the service provider). JumpCloud users can then access the applications they need through the JumpCloud User Portal, reaching all of their cloud-based applications with their individual JumpCloud credentials.

You can control all your company’s applications, enforce MFA on SSO apps, and manage user access from a single pane of glass with JumpCloud’s Admin Portal. With JumpCloud, you gain assurance that application access is secure for all employees, including those working from home or remotely.
If you currently use WiFi, a firewall, or a VPN, you can point those network resources to JumpCloud for authentication. There are two main methods for connecting networking hardware to JumpCloud: RADIUS and secure LDAP.

You can work with the networking gear your company already uses by pointing your VPN or wireless access points to JumpCloud’s RADIUS servers. JumpCloud then handles all network authentication for the specified network via the RADIUS protocol.

In a work-from-home environment, you can point your VPN to JumpCloud’s RADIUS server for authentication. JumpCloud’s RADIUS works with any VPN vendor, as long as the VPN server can be configured to authenticate via RADIUS. For example, if you’re using OpenVPN, you can direct authentication to JumpCloud.

Along with individualizing network access, JumpCloud can enforce MFA for RADIUS authentication. Harden your VPN by requiring both a user’s strong password and their MFA token during authentication through the VPN client.

Another route is JumpCloud’s Secure LDAP-as-a-Service. In this method, you point your networking hardware or software to JumpCloud’s secure LDAP servers to handle authentication. This method is supported by most VPN and firewall vendors.

You’ll have to configure JumpCloud’s LDAP-as-a-Service before pointing your network at it. This method is also secure and easy: JumpCloud runs OpenLDAP with the RFC 2307 schema, and clients should connect over LDAPS on TCP 636 (or STARTTLS on 389), never plain LDAP, so that binds and queries between the VPN or firewall and JumpCloud are encrypted. Bind with a dedicated service account that has only the rights it needs rather than an administrator’s credentials. OpenVPN is another example of a vendor that can integrate with JumpCloud’s secure LDAP-as-a-Service.
Moving to a domainless enterprise or fully work-from-home model is secure and efficient with JumpCloud’s cloud directory platform. Protect your IT resources and employee identities with an entirely cloud-based solution, backed by standard secure protocols. Enforce security policies and let users change passwords on the system to help blunt web-based phishing attempts. Whether a company has five or 5,000 users, JumpCloud lets IT admins manage their resources from anywhere on the planet from a single pane of glass via the Admin Portal.

JumpCloud was built to be the first cloud-based directory, and we can also assist a company looking to move into a flexible, work-from-home environment. You can sign up with JumpCloud and begin testing on your own. If you’re implementing JumpCloud for an organization with more than 10 users, check out JumpCloud’s pricing plans and pay only for what you need.

If you’re looking for additional reading beyond what’s included here, we’ve compiled other resources to help you get the most out of JumpCloud and make the transition to remote work as seamless as possible:
JumpCloud’s cloud directory platform allows you to manage your company’s identities, resources, and systems from anywhere.