BHI’s IT team wanted a comprehensive solution to extend their AD instance, manage macOS machines, and enable remote users — and they hoped it would not only replace the collection of vendors they managed but also improve functionality.
BHI has a traditional AD implementation, including a primary domain controller and on-premises virtual machines with segmented roles. The organization is an Office 365™ and AWS® shop, and it ties a number of business applications to AD, including Jenkins, Tableau, and logging and monitoring applications.

The team’s Office 365 subscription comes with Azure® Active Directory capabilities, and they used Apple Profile Manager and Meraki to handle their macOS machines. None of those solutions was comprehensive, however, and they wanted a solution that would better accommodate the different needs and models of each organization under the BHI umbrella.

“We wanted user and system management from a central location, rather than relying on either individual businesses to manage it themselves or running around hair-on-fire all the time trying to service all these different units,” Masson said.

Masson, Anderson, and the team briefly considered Azure AD because they technically already had a user directory in the cloud with it. However, it didn’t provide system management beyond Windows, and it wasn’t extensible enough to integrate with their other tools. They’d previously used Okta, but it similarly did not offer the system management capabilities they needed. With a fleet of Windows and macOS machines, they needed a vendor-agnostic tool that would let them configure and manage their machines.

BHI’s IT team also wanted to resolve the issue of AD user password changes, particularly for remote users. They had a small remote group before the whole organization moved to a work-from-home model, and they’d advised those users to log into the VPN at least once every two weeks in order to sync passwords with AD. However, the VPN was often slow, and password changes were particularly troublesome for macOS users.

“Every other password change on a Mac just completely nukes everything for the user,” Masson said.

COVID-19 deepened their challenges, and they knew they needed to implement a solution quickly.

“When COVID hit, we were — from a user and account management standpoint — not ready for it,” Anderson said. “That really moved us forward to accommodate this strange occurrence where everyone’s now remote. They’re not connecting to the VPN reliably, and any time there’s a password issue it’s a nightmare and a half to get them back online.”
BHI’s IT team had JumpCloud Directory Platform on their radar for at least a year, and they began testing amid their work-from-home transition. JumpCloud can serve either as a full-suite cloud directory service or as a comprehensive AD identity bridge, and they began to roll it out as an identity bridge within about 10 days of testing.

JumpCloud’s Active Directory Integration feature allowed them to establish a comprehensive access control and system management platform in the cloud, implement a bi-directional sync between JumpCloud and AD, and institute self-service password resets for users — all while keeping AD in place.

“If it’s not broken, don’t fix it,” Anderson said of their AD instance. “JumpCloud is perfect for that because we get the best of both worlds.”

The team was able to use JumpCloud utilities to convert AD-managed Mac and Windows accounts into JumpCloud-managed accounts, which they could oversee from the cloud. Now, those users can change their passwords directly on their machines, and those changes are written back to AD via JumpCloud without a VPN.

“I can only imagine troubleshooting some of the issues we face outside of the office, and thankfully we didn’t get to that point,” Masson said. “If we’d waited another 30 days, we would have started to have an innumerable amount of weird issues that would have taken up all of our help desk tech’s time.

“These issues come when systems don’t see a domain controller — and it’s typically the 60-day mark when trust relationships are lost and that sort of thing.”

The organization has since onboarded new users, and JumpCloud was instrumental in getting them up and running remotely. Masson and Anderson envision JumpCloud further streamlining the onboarding process and reducing the number of add-on tools they need to manage.

“When we have to onboard a run-of-the-mill user, we have to touch five or six different tools,” Anderson said. “For some of our more creative types, it’s like seven or eight tools. With JumpCloud, we’ll eventually be able to get that down to one.”

They’ve also been working to reduce remote users’ dependence on the VPN by moving as many resources as possible out from behind the firewall, and the Active Directory Integration has helped with that process.

“JumpCloud is really empowering us to let our people work from anywhere.”
Mitch Anderson
Implementation: Single Source of Truth

With JumpCloud rolled out, the BHI team has central management of its systems, including macOS and Windows machines. JumpCloud can take over local accounts on machines, and the team can then revert users from administrators to standard users. They’ve also been able to build new tools and workflows.

Anderson has built an API-based integration with Slack to create a “permission elevator.” Users can type a message in Slack, which triggers a Lambda function that temporarily elevates them to an admin and allows them to take actions like installing an application. They are automatically dropped back to standard users after 15 minutes.
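The elevator flow described above, as an added example (this is not BHI’s or JumpCloud’s code, and it does not call the real JumpCloud API): a fake in-memory directory client stands in for the system/user binding call, which is an assumption; the `Elevator` keeps each grant’s expiry and a separate, idempotent `revoke_expired` pass so an elevation cannot outlive its 15-minute window if the invocation that created it dies; and the request is checked against Slack’s documented v0 request-signing scheme (HMAC-SHA256 over `v0:<timestamp>:<body>`, with a replay window) before anyone is elevated, which is what keeps an arbitrary HTTP client from using the elevator.

```python
"""Time-boxed admin elevation ("permission elevator") pattern.

Added example, not BHI's or JumpCloud's code. FakeDirectory is an
in-memory stand-in (assumption) for the real directory API call that
marks a user as an administrator on a system.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ELEVATION_TTL = 15 * 60        # seconds; the 15-minute window from the case study
SLACK_REPLAY_WINDOW = 5 * 60   # seconds; reject signed requests older than this


def sign_slack_request(signing_secret: str, timestamp: str, body: str) -> str:
    """Produce Slack's v0 signature: HMAC-SHA256 over 'v0:<ts>:<raw body>'."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_signature(signing_secret: str, timestamp: str, body: str,
                           signature: str, now: Optional[float] = None) -> bool:
    """Check the X-Slack-Signature header and reject stale or non-numeric timestamps."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > SLACK_REPLAY_WINDOW:
        return False
    expected = sign_slack_request(signing_secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


class FakeDirectory:
    """In-memory stand-in for the directory's system/user binding API (assumption)."""

    def __init__(self) -> None:
        self.admin: Dict[Tuple[str, str], bool] = {}   # (system_id, user_id) -> is_admin

    def set_admin(self, system_id: str, user_id: str, enabled: bool) -> None:
        self.admin[(system_id, user_id)] = enabled

    def is_admin(self, system_id: str, user_id: str) -> bool:
        return self.admin.get((system_id, user_id), False)


@dataclass
class Elevator:
    directory: FakeDirectory
    ttl: int = ELEVATION_TTL
    # (system_id, user_id) -> expiry, epoch seconds. In a real Lambda this
    # belongs in durable storage so the revert survives a cold start.
    grants: Dict[Tuple[str, str], float] = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)

    def grant(self, system_id: str, user_id: str, now: float) -> float:
        """Make user_id an admin on system_id until now + ttl.

        A repeat request inside an active window returns the existing expiry
        rather than extending it, so spamming the command cannot keep a user
        elevated indefinitely.
        """
        key = (system_id, user_id)
        if key in self.grants and self.grants[key] > now:
            return self.grants[key]
        expiry = now + self.ttl
        self.directory.set_admin(system_id, user_id, True)
        self.grants[key] = expiry
        self.audit.append(("grant", system_id, user_id, now, expiry))
        return expiry

    def revoke_expired(self, now: float) -> int:
        """Drop every grant whose window has passed; idempotent, run it on a timer."""
        expired = [k for k, exp in self.grants.items() if exp <= now]
        for system_id, user_id in expired:
            self.directory.set_admin(system_id, user_id, False)
            del self.grants[(system_id, user_id)]
            self.audit.append(("revoke", system_id, user_id, now))
        return len(expired)
```

Running `revoke_expired` from an independent scheduled trigger, rather than from a sleep inside the granting invocation, is the design choice that matters here: the revert does not depend on the original request’s process still being alive.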
JumpCloud’s thorough API documentation, example code, and SDKs helped him familiarize himself with the API and build the tool much more quickly than he would’ve been able to otherwise.

“I can have this tool done in four hours — not 14 days,” he said, adding that he’s excited to have the chance to build other tools without sacrificing the up-front functionality in the meantime. “It’s really helpful for us because we can leverage what JumpCloud can already do, and we can build things that we need on top of what JumpCloud can do.”

They’ve also begun to manage full-disk encryption via JumpCloud’s Policies, and they plan to roll out more. JumpCloud allows admins to toggle on both FileVault 2 and BitLocker and escrow the recovery keys.
The Result: ‘Don’t Wait’

By implementing JumpCloud, BHI’s IT team was able to quickly transition their operations to a work-from-home model and keep users productive without sacrificing organizational security, while positioning themselves well for the future.

“We really want to continue fostering the work-from-home mentality and flexibility, but we also don’t want to compromise security and visibility — because that’s just as important in protecting the organization,” Masson said.

His advice for other organizations considering JumpCloud? “Don’t wait.”

Learn More

JumpCloud’s Active Directory Integration can help you eliminate other third-party identity and access management (IAM) services and federate core AD identities to virtually all resources, including systems, applications, files, and networks.

Click here to learn more about the AD Integration architecture and common use cases.