October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.

Many organizations spend quite a bit of time onboarding new employees and making sure they have access to everything they need; however, the same care is often lacking when it comes to offboarding. Whether a long-time employee suddenly leaves on bad terms, a contractor is no longer being utilized for some period of time, or an employee goes on leave, improper offboarding or suspension of that user’s permissions and access poses significant risk for your organization.

Offboarding and deactivating a user’s identity can be a manual and time-consuming process, yet it is also very time-sensitive and sometimes requires IT admins to be available at a moment’s notice. Not every employee gives notice prior to leaving, and unforeseeable events can happen that force admins to scramble at the last minute to deprovision that user’s access to company resources.

This process becomes even more difficult if your organization needs to provide access to IT resources for temporary workers like contractors and interns, or has full-time employees that may need to be temporarily offboarded or have their IT resource access suspended rather than be permanently offboarded due to personal events like marriages, births, family care, overcoming an illness or injury, and more.

Most Companies Struggle With Offboarding

Improperly offboarding employees is a dangerous game to play, yet, according to TechRepublic, 48% of organizations said they are aware that former employees still have access to corporate networks. Further, 20% of organizations say they’ve experienced a data breach that’s linked to former employees.

These stats tell us that improperly offboarded employees are a predominant threat to organizations; however, the tools and resources needed to fix this issue aren’t there. The missing link here could be a lack of time, no simple way to quickly offboard or suspend user access to all IT resources, and/or lack of insight into the security risks posed by inadequate processes. It puts a spotlight on the notion that offboarding is as much a security issue as it is an operational one for IT.

Another important finding from TechRepublic is: 

Half of IT leaders said that ex-employees’ accounts remain active for longer than a day after their departure, 32% said it takes a week to deactivate an account, and 20% said it takes a month or more. Another 25% said they don’t know how long accounts remain active once the employee has left the company.

These percentages pose a significant problem for the organizations that fit into these stats. It only takes one angry ex-employee, one ex-employee that’s simply being careless with the handling of their credentials, or one employee on leave that still has active access to make damaging changes in some shared resource, even though they weren’t there for the last best practices discussion.

Case Study: Improper Offboarding and Compliance Violations

Here’s a real world example of how improper offboarding of employees and contractors can lead to considerable compliance violations, substantial fines, and the subsequent loss of public trust.

Pagosa Springs Medical Center (PSMC)

In 2018, Pagosa Springs Medical Center found itself at the epicenter of a major HIPAA violation which ended up costing them $111,400 — all because they did not properly offboard a terminated employee.

After their termination, the former PSMC employee retained remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI). The investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to this former employee.

HIPAA calls out the need for a formal offboarding process under the security rule section – § 164.308(a)(3)(ii)(C): “Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.“

Source: HHS

HIPAA is just one standard that can easily be violated due to improper offboarding — there are many others out there with similarly severe consequences for non-compliance.

A Quick Offboarding Checklist

Even at organizations where offboarding is seen as a fairly quick process, i.e. less than a couple of hours, the risk of that ex-employee or another bad actor taking advantage of existing access is still prevalent. 

TechRepublic also found that 70% of IT decision makers surveyed said it can take up to an hour to deprovision all of a single former employee’s corporate application accounts. Keep in mind, this does not include revoking an employee’s access to their devices and networks.

To combat this and improve your organization’s security posture, it’s helpful to put steps in place that improve offboarding efficiency. One of these steps should include an offboarding checklist to ensure that no loose ends are left after an employee’s de
parture.

Your offboarding checklist should include deactivation of access to:

• All applications
• Productivity tools:
  • Ex. Google Workspace and Slack
• CRM tools:
  • Ex. Salesforce and Zoho

• Cloud Infrastructure
• File shares
• Devices
• Corporate Networks
  • VPN
  • RADIUS
  • Or, if WiFi access is not centrally managed, periodically refresh the Corporate WPA2 passphrase
• And ensure return of equipment

Questions to Consider When Improving Offboarding Workflows:

• Does HR inform you in a timely manner when an employee leaves your organization?
• If an employee is terminated or leaves abruptly, are you able to deactivate their identity immediately?
• Are you able to suspend the identity for contractors who leave the company and may return?
  • What about employees on medical leave who may return?

Improving Employee Offboarding

Sticking to an offboarding checklist to ensure all access is revoked is extremely important, but what’s just as important is the process in which everything is deactivated. Not only are manual offboarding processes time-consuming, but they also leave a lot of room for human error. 

While working to improve and standardize your entire offboarding workflow, we also recommend that you establish routine communication with HR around onboarding and offboarding, as well as find an identity provider (IdP) to streamline the process.

Establish Routine Communication With HR

If you’re not already in continuous communication with HR regarding employees coming and going, you need to establish a better process between departments. HR should let you know when an employee is scheduled to leave or immediately notify IT when someone leaves abruptly. HR should also inform you in advance when an employee is scheduled to return from leave or their contract is renewed.

Though many project management tools exist to help alert internal stakeholders about new tasks, and some HRIS systems can even directly integrate into your core directory service to fully automate this process, this communication can be quickly achieved by creating an email alias or group with select individuals from HR and IT. Whenever someone across the organization alerts HR of a change in employment, they can CC this email alias to give IT the necessary “heads up” they need to act quickly.

Find the Right Identity Provider

When choosing an identity provider, find one that has the following capabilities:

• Allows you to automate deactivation of a user’s identity
  • Once you set the date/time of deactivation, your IdP should take care of the rest
• Lets you easily and quickly revoke access to ALL resources
  • Deactivating a user’s identity should revoke access to applications, devices, networks, and any other resources that user had access to
• Simplifies user activation and reactivation
  • If an employee returns from leave or a contractor’s contract is renewed, you should be able to quickly and easily reactivate their identity in a just few steps
• Includes integration capabilities with common HRIS software

Fixing the communication disconnect between HR and IT and implementing the right identity provider will allow you to securely and efficiently revoke access and re-provision access as needed, through just a few clicks.

JumpCloud’s Offboarding and User Suspension Features

Using JumpCloud^® as your primary IdP allows you to quickly deprovision user access to virtually all of their IT resources. Our scheduled suspension features allows you to schedule a date and time for user deactivation which revokes access to applications, devices, networks, and any other IT resource their account has permissions for. 

If the user in question will be returning, you can use this capability as a temporary suspension, and the user can later be reactivated; what’s more, they’ll receive updated permissions and access to new or changed resources as determined by their associated user, device, and policy groups automatically once reactivated. If the user in question will not be returning, use this feature to schedule their deactivation and then fully remove their account when appropriate (as dictated by compliance regulations or internal policy).

The JumpCloud scheduled user suspension feature simplifies and automates the deactivation workflow for scheduled permanent offboarding, as well as temporary suspension of contractors, freelancers, and employees on leave. This feature lets you revoke access to all resources, not just corporate applications. All of this works together to improve your overall security posture and ensure that your organization remains compliant with relevant standards.

All of this coupled with the fact that JumpCloud integrates with HR software like Workday and Bamboo, as well as provides API-based integration with other tools, provides a seamless onboarding and offboarding experience for IT admins.

Protect your organization from data breaches and compliance violations

Learn How to Manage User States

Try Scheduled User Suspension Free

This feature can be found within the JumpCloud Admin Console — find it under User Management > Users. Try it for free for up to 10 users and 10 devices by creating a JumpCloud Free account. Enjoy all of the functionality of the JumpCloud Directory Platform, including scheduled user suspension, and see if JumpCloud is the right IdP for your organization!

• Best Practices

• Security

Jump to Tutorial

Security-minded system administrators prioritize taking all the necessary measures to safeguard confidential and protected data. The compromise of a device can prove costly if it contains sensitive company information, especially when organizations have compliance requirements. Disk encryption is one of the best ways to mitigate this risk.

Encryption is the process of encoding data. Data is converted from plain text to ciphertext using a special mathematical algorithm that renders the data unreadable unless the encryption key is provided. This key should always remain a secret to the person authorized to access the data.

There are two major types of encryption in a computer: Full Disk Encryption (FDE) and File Level Encryption (FLE).

Full Disk Encryption

In full disk encryption, also known as hard drive encryption, the entire hard drive or volume — including all the files — is protected. During booting, a passphrase or secret key is required to unlock the drive before logging in with your user account credentials.

Implementing FDE guarantees data privacy and security for all the files from unauthorized users or anyone with malicious intent. Learn more about the benefits of FDE, and five reasons you should consider requiring it in your organization.

File Level Encryption 

As the name infers, file level encryption happens at the file system level. This type of encryption targets individual files and directories, but not the entire hard disk.

Both full disk encryption and file level encryption can be used simultaneously to achieve a higher level of data protection.

In this tutorial, we will focus on how to enable full disk encryption on Ubuntu 22.04 using LUKS. 

What Is Linux Unified Key Setup (LUKS)?

LUKS is a standard hard drive encryption technology for major Linux systems including Ubuntu. It is a platform-independent disk encryption specification and the de facto disk encryption standard for Linux systems.

LUKS was originally developed for Linux systems and is used in nearly all Linux distributions. It is also a popular encryption format for network-attached storage (NAS) devices. It encrypts entire block devices, making it an ideal choice for encrypting SSD, hard disk drives, and even removable drives.

In addition to offering FDE, LUKS allows users to create and run encrypted containers with the same level of protection as LUKS full disk encryption.

With LUKS, disk encryption can be enabled during the installation of an operating system. In fact, full disk encryption is only achieved during the installation of the Ubuntu Desktop operating system. It encrypts all the partitions including swap space, system partitions, and every bit of data stored on the block volume with the exception of the Master Boot Record (MBR).

How to Fully Encrypt Data on Ubuntu 22.04

If you already have a running instance of Ubuntu 22.04 and you want to enable full disk encryption, you’re required to reinstall it. You cannot fully encrypt it once it is installed. You can only encrypt directories or partitions post-installation.

If you forget your encryption passphrase, all your data will be inaccessible. As such, it is recommended to pick one that you can easily remember or store on a password vault or manager. Better yet, if you have used a complex password, you can note it down somewhere and keep it under lock and key.

Additionally, before starting this process, be sure to backup any critical data that could potentially be lost during the reinstallation process.

Getting Started

We will skip the few installation steps on Ubuntu 22.04 and head straight to the “Installation Type” step that requires you to select your preferred disk partition mode.

Two options will be presented. The first one (the default option) is “Erase disk and install Ubuntu” which wipes out all the existing data and automatically partitions the drive. The second option is “Something else” which is used to manually configure the disk partitions yourself. Please note that you will not be able to enable full disk encryption by selecting the second option.

Select the first option: “Erase disk and install Ubuntu” and click the “Advanced features” button as indicated.

Once you click the “Advanced features” button, a pop-up appears. Be sure to select “Use LVM with new Ubuntu installation” and the “Encrypt the new Ubuntu installation for security” options.

Then click “OK.”

Next, assuming you have already backed up any important data, click “Install Now.”

Disk encryption requires a security key in order to access your files each time your device boots. In this step, provide a strong security key or passphrase.

You can also enable a recovery key which enables a user to access the encrypted disk if they forget their password, or if the disk needs to be installed on a new device.

Then click “Install Now.”

On the pop-up dialogue that appears, click “Continue” to write changes to the disk.

From here, continue with the installation process until the end, and finally, reboot the system. Provide the security key that you generated and hit ENTER prior to logging in.

The secret key unlocks your drive thereby granting you access to your system.

From here, you can log in to your new Ubuntu installation by providing your user account’s password and pressing ENTER.

Conclusion

In this guide, we walked you through the implementation of full disk encryption using LUKS on Ubuntu 22.04. FDE provides a robust way to safeguard your data in case of theft or accidental loss of your device. 

Encryption is just one approach to ensuring the privacy and safety of your data. Therefore, you should not relax enforcing other data protection measures such as firewalls, identity and access management (IAM), and Zero Trust controls such as multi-factor authentication (MFA).

JumpCloud’s open directory platform is available to easily implement full disk encryption throughout your entire fleet. Pre-built policies make it possible to achieve full disk encryption for Windows and macOS devices, with granular control and visibility for BitLocker.

Linux devices can also be managed and monitored for encryption status. To see how this works, along with a number of other device security and management features, sign up today to get started. JumpCloud is free to use for up to 10 users and 10 devices; we also provide 24×7 in-app support for the first 10 days of use.

Would you prefer tailored, white-glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you and your fleet.

• How-To

• Devices

Identity is the new perimeter. Cyberattacks are becoming more advanced and cloud-focused. Identity providers (IdP) have responded by offering security controls that make it possible for small and medium-sized enterprises (SMEs) to be proactive and mitigate these threats. Many SMEs use Microsoft’s Azure Active Directory (AAD), which has prescribed best practices to secure identities. Microsoft reserves several features for its most premium subscriptions levels. IT administrators must determine which subscription tiers, or mixture of supplemental services from an open directory, are most appropriate for their unique security requirements. 

This article outlines the fundamentals of securing identities in AAD with emphasis on understanding what options are available and tailoring security controls to your organization. Provisioning and identity and access management (IAM) is the starting point, followed by centralizing the identity management lifecycle, adding appropriate controls, and auditing.

Identity and Access Control

There are three main paths for provisioning in AAD: 

• HR-driven onboarding.
• Federating identity from AAD to cloud apps.
• Inter-directory such as between the Active Directory Domain Services (AD DS) server role to access resources from your on-prem Active Directory domains.

Provision, Manage, and Deprovision Access 

Most Microsoft shops have Active Directory (AD). A sync tool called Azure AD Connect syncs users with AAD. Microsoft also accepts non-Microsoft identities for access control, but additional costs may be assessed. Some organizations may have deployed Active Directory Federation Services (AD FS) prior to the advent of AAD. 

There’s a significant potential for disruptions to system availability when identities are migrated from AD FS to AAD without deliberate planning. Avoid impulsive decision-making when you’re migrating users. Organizations that opt for a hybrid approach should harden Active Directory. This detailed guide offers recommendations about how AD should be managed and maintained for optimal security. Always limit administrative privileges in AD and avoid running day-to-day as a domain administrator.

Familiarize yourself with “join, move, and leave” planning processes and Microsoft’s concepts for identity governance. Automation is possible, but it’s designed for mid-size to large organizations. There’s no default auditing to avoid over-provisioning users or for when individuals leave. Due diligence is necessary to avoid security and compliance issues.

Critically Important AAD Best Practices

Verify that you’ve completed these steps before moving on.

Role-Based Access Control

AAD has built-in and custom user roles, and role-based access control (RBAC) is standard across all subscription tiers. This permits IT to follow the concept of least privilege and helps to establish a Zero Trust security approach, but it relies heavily on manual input and maintenance.

Ensure that you:

• Minimize the number of privileged accounts.
  • Plan to manage, control, and monitor access.
  • Limit global administrator accounts and make use of other roles such as billing administrator, global reader, helpdesk administrator, and license administrator.
• Limit global administrators and never sync high privilege accounts from AD.
• Pay careful attention to external collaboration settings and consider restricting external users from being able to invite guests to shared files; third-party storage; as well as review and adjust global sharing settings for SharePoint Online and OneDrive. These changes impact end users, but make it easier to recognize the “official” channels.

Using security groups for users assists with application security and lowers administrative overhead. Microsoft limits this capability to AAD Premium 1 (P1) and Premium 2 (P2) accounts. However, always try to avoid assigning resources directly to users and use identity protection. Please note that Microsoft has documented multiple limitations to syncing AD groups with ADD groups.  For example, AD primary group memberships will not sync over to AAD.

Multi-Factor Authentication

Multi-factor authentication (MFA) is vital for identity protection. AAD’s free tier only permits the use of the Microsoft Authenticator application. Admins have the option of only protecting the Azure AD Global Administrator versus all accounts, but it’s highly advisable to set up MFA for all users. Protect against MFA self-enrollment attacks by using a Temporary Access Pass (TAP) to secure the initial registration. Avoid mixing per-user MFA with Security Defaults and other settings.

Your budget may impact what’s possible. Microsoft assesses fees for all MFA verifications that happen with non-Microsoft identities and capabilities vary depending upon licensing levels. 

Consider using additional context and “number matching” in Authenticator notifications to include the application name and geographic location in Push MFA prompts. This practice safeguards against “MFA bombing,” where attackers send repeated reques
ts to exploit MFA fatigue. Attackers successfully hijacked Microsoft users’ sign-in sessions to bypass MFA at 10,000 organizations by using advanced phishing toolkits. Microsoft’s mitigation is to use certificate-based authentication and Fast ID Online (FIDO) v2.0 MFA implementations. 

MFA through FIDO 2 devices and Windows Hello requires AAD P1 and P2. Additional hardware costs may apply. Some additional security controls include conditional access (CA).

Conditional Access

Microsoft recommends that all accounts deploy CA, but it’s also an extra cost and only available through P1, P2, or the E3 and E5 tiers for Microsoft 365 (M365) users. The standard M365 tier doesn’t include it. The overall licensing scheme is changing and can be bewildering. 

There’s more than one CA implementation:

• P1 enforces MFA in certain scenarios
• P2 is risk based, learning user behavior to minimize MFA prompts

There are additional steps to consider for password management before we move on.

Configure Password Management

Microsoft has revised its password policy guidance to no longer expire passwords. It’s important to understand that SMEs that are regulated or don’t have MFA and CA configured shouldn’t do that. You may also consider changing passwords if you suspect an ID has been hijacked. CrowdStrike found that 71% of attacks are now malware-less and targeting cloud IDs. 75% of cloud breaches are due to compromised identities. A Zero Trust posture isn’t optional. Consider deploying Extended Detection and Response (XDR) from a vendor of your choosing or paying extra for Microsoft Identity Protection if you prefer the Microsoft stack.

Other best practices are:

• Set up self-service password reset (SSPR) with two authentication methods. Note that using security questions might be risky, because attackers gather intelligence on employees that’s “open source” from the web or obtain information from third-party breaches elsewhere. Microsoft charges extra for on-premises write-back.
• Use the same password policies everywhere (on-prem and cloud-based). Microsoft maintains extensive documentation on an agent-based approach to enforce AAD password protection on AD DS without exposing your domain controller to the web or forcing networking changes. Note that you have to be proficient in modifying AD settings.

Prepare for the Worst

Create an emergency access Global Admin account for when it’s necessary to “break the glass” during network outages and periods of system downtime. This account is excluded from CA and MFA. Always store these credentials appropriately and use a highly complex password.

Following the steps outlined above provides a strong foundation with the appropriate entitlements, attributes, and processes to prepare AAD for application provisioning.

Manage Connected Applications

Application provisioning is on a per user basis by default with group assignment to applications being reserved for P1, P2, or equivalent AAD subscribers. Ensure that applications don’t provision high access through RBAC. There are multiple options, and automation is available for application provisioning. The initial provisioning cycle populates users, followed by programmatic incremental updates that handle updates made through Microsoft Graph or AD.

Microsoft provides several options for attribute mapping from identities that originate from the “three paths” mentioned above via SCIM endpoints to cloud resources or the Azure AD Provisioning agent. The latter must run on the same server as your SCIM application. Microsoft also has options for one-way connections from AAD to LDAP or SQL database user stores, but those have several on-premise prerequisites. Provisioning users into AD DS isn’t supported.

Siloed identities complicate existing identity practices and infrastructure as well as increase technical overhead and the attack surface area. Enable single sign-on (SSO) to centralize identity management either through AAD or a system or service that integrates with it. 

Enable Single Sign-On

SSO will improve security through modern authentication protocols, make life easier for your users, and reduce management overhead. Microsoft has imposed restrictions on the number of SSO applications per user on its free tier, but that policy may be changing. AAD provides pre-built integrations through the Azure AD application gallery in addition to SAML and OAuth 2.0 SSO protocols for manual settings. Microsoft doesn’t support the AAA protocol RADIUS, which many network appliances use for access control, so its SSO doesn’t access all of your resources. Consider using cloud RADIUS or install and configure the Microsoft NPS server role.

It’s possible for all AAD tiers to access native Windows apps via Kerberos, NTLM, LDAP, RDP, and SSH authentication in a hybrid deployment. However, identity protection features such as CA are limited to P1 and P2 products including Azure AD Application Proxy or secure hybrid partnerships integrations. These services will extend modern security to legacy apps.

Phishing Considerations

Microsoft’s default settings permit all users to access the AAD admin portal and register custom SSO applets. Attackers are wise to this workflow and exploit OAuth in phishing exploits, which may bypass MFA. The principle of least privilege mandates that users who don’t need access shouldn’t receive it. Strongly consider restricting user-driven application consent and setting permissions classifications to “low impact.” This also applies to group owners. Compliance boundaries are murkier and should be carefully assessed outside of the Microsoft ecosystem.

AAD can be complex and Microsoft has amassed Azure partners for advanced specialization. Blocks of time with consultants should be a budgeting consideration for any AAD project. This writer, a former IT director, needed consultants even when projects appeared straightforward.

AAD is capable of alerting you to suspicious OAuth authorization requests, but that requires an additional subscription to Microsoft Cloud App security, either standalone or through M365 E5. Other solutions such as CrowdStrike Falcon Identity Protection have this capability. JumpCloud is a CrowdStrike partner and integrates with its solutions through the CrowdStrike Store.

Now that you’re familiar with configuring users, groups, and applications, let’s review reporting. 

Audit Your Security Regularly

You should always look for ways to improve in-house security and processes. If you can’t stop it, you should at least monitor it. Regularly audit your entitlements, users, and review activity reports. Taking this extra step helps make security a process as opposed to relying solely on products and services. 

Ideally, you’ll be monitoring all privilege changes, suspicious activity, and signs of known attacks. AAD will provide you with several reports:

• Basic security and usage reports are included among all subscription tiers
• Advanced reporting is restricted to P1 and P2
• SIEM reporting and Identity Protection require P2 (or equivalent) subscriptions

Some security capabilities may be more accessible and easier to deploy via JumpCloud, which integrates with AD, AAD/M365, Google Workspace, and Okta, or can function as a standalone directory. JumpCloud is focused on managing identities, in all places, as your security perimeter.

How JumpCloud Improves Upon Azure AD Best Practices

JumpCloud is an open directory platform that manages identities, access control, and devices. Devices are a method of granting access to an identity or application, so device management is included by default. That makes it possible to assemble high visibility telemetry data for reporting.

As previously noted, Microsoft requires its users to purchase additional subscriptions (Entra, M365 E3/5, AAD P1/2, and Intune for device management) to meet its recommendations for best practices. Standard AAD deployments fall short of Microsoft’s guidance, but some of its premium offerings may sell SMEs more features than they require or even want to purchase.

JumpCloud can help to fill in some of those gaps, and is easy to deploy, with deepening integrations for exporting AAD user groups. It’s designed for SMEs, so IT teams may benefit from having more control over what they’re buying (as opposed to not using what they pay for). The next section explores the specifics of how JumpCloud can improve AAD and help your organization to build the stack of its choosing out of best-of-breed apps and services.

IAM and SSO

Identities flow into JumpCloud from other directories, HRIS systems, or JumpCloud’s Cloud LDAP. Attributes, such as where users are located, who their supervisor is, or what team they belong to, simplify provisioning user access to IT resources such as applications and networks. 

Group management is provided at no additional cost and leverages attribute-based access control (ABAC), enabling the system to continuously audit entitlements for Zero Trust access control. JumpCloud is introducing the ability to automate and apply membership suggestions to groups. RBAC is more of a manual process, which can lead to mistakes that over or under provision users. Group members can access resources through SSO protocols and more:

• SAML
• OAuth 2.0
• OIDC
• RADIUS
• LDAP

JumpCloud provides delegated authentication that leverages AAD credentials and password policies for RADIUS. This capability extends Azure SSO to network resources such as Wi-Fi networks and VPNs while also reducing technical overhead and eliminating siloed identities. SSO applets launch from within the JumpCloud user console as a security control for phishing.

Environment-Wide MFA

JumpCloud Protect™, an integrated authenticator app for MFA, is designed to be frictionless. It provides application-based Push MFA and TOTP in addition to WebAuthn and U2F keys. More options for biometric authentication and passwordless log-in experiences are being added to the platform. 

MFA can be config
ured for most SSO, LDAP, and RADIUS logins. It’s also integrated with CA.

Conditional Access

AAD identities can be protected by conditional access through JumpCloud as an add-on without purchasing P1 or P2 from Microsoft. Pre-built rules are available to enforce MFA for privileged user groups, restrict logins to specific locations, and to require device trust. Meaning, any identity + device that isn’t managed by JumpCloud won’t be able to access cloud apps. More granular conditions such as OS version and device encryption status are coming soon.

Password Management

A decentralized password manager and vault is available as an add-on through browser plug-ins and mobile apps to help SMEs implement complex passphrases for users. This feature assists with provisioning and revoking user access to reduce the risk of data breaches. Centralized password management also increases visibility for compliance peace of mind.

Device Management

JumpCloud is cross-OS, supporting:

• Android: Support for policies and application distribution is coming in late 2022 and beyond.
• Apple products: Mobile Device Management (MDM) is available for macOS and iOS devices, providing for application distribution, policies, and commands with the option for Zero Trust deployment. Policies are timely and in-touch with the needs of Mac admins, including addressing “Day 0” OS upgrade controls. 
• Linux: JumpCloud supports multiple Linux distros with multiple deployment options. It provides pre-built policies, including full disk encryption (FDE), and Sudo access for commands (with pre-built security commands through the Admin Console). IAM capabilities aren’t restricted to certain browsers; Microsoft mandates Edge for Intune device enrollment. Intune is an additional subscription beyond standalone AAD. 
• Windows: Anything an admin wishes to do is possible through security commands and a PowerShell module. Commands function through a queue. JumpCloud providespre-built GPO-like policies including fine-grained control over BitLocker, as well as a GUI for custom policies. There’s also software distribution, and more, with Windows Out of Box Experience (OOBE) coming soon to streamline onboarding remote workers.

Patch Management

JumpCloud offers cross-OS patching as an add-on. Patching is an important activity to mitigate the risk of security breaches that leverage 0-Day attacks with a healthy device state. Centralizing patch management helps to reduce costs versus purchasing a third-party patch management solution for Windows and all other operating systems. Browser patch management is arriving in Q4, 2022, and it will extend to reporting for management status.

Remote Assist

IT teams can extend opt-in remote support to users with Remote Assist. It’s free and works cross-OS. The only configuration that’s required is to have JumpCloud agents running on a device that’s bound to an identity from the open directory. It’s possible to:

• Copy and paste between devices
• Work in multi-monitor systems
• Turn on audit logging

Reporting

JumpCloud’s emphasis on making identity the new perimeter is reflected in the telemetry that’s available from built-in reporting tools including Device Insights and Directory Insights. There’s a growing selection of pre-made reports, stored for analysis. SIEM integration is also possible.

Some of those include:

• User to Devices
• User to RADIUS Server
• User to LDAP
• User to Directories
• User to SSO Applications
• OS Patch Management Policy

Cloud Insights is an add-on to monitor Amazon Web Services (AWS) events and user actions. This makes compliance and data forensics easier for SMEs and helps to enforce least privilege in cloud infrastructure. Support for Google Cloud (GCP) will be introduced next for a multi-cloud strategy.

Avoid Vendor Lock-In and Do More with JumpCloud

JumpCloud is available to try with full functionality for 10 users and devices, and with 10 days of complementary chat support before charges are accessed. AAD users benefit from more freedom of choice, simpler deployment workflows, access to more sources, and lower costs.

Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

Similarly, managed service providers (MSPs) receive 10 free user accounts within the first organization that they create in the multi-tenant portal, JumpCloud’s dedicated MSP solution.

• Best Practices

• Directory Services
• Security

Microsoft is making a steady push in identity and mobile device management with an expanding array of cloud services. Many organizations, especially managed service providers (MSPs), are considering Azure Active Directory (AAD) with Intune™ for access control and unified endpoint management. It’s primarily focused on supporting the Microsoft ecosystem with add-on options to support other platforms and increase security for enterprises. In order to integrate into existing on-premises Windows domains, however, complex connectors are required. 

JumpCloud takes a different approach through its open directory platform, which can consume identities from multiple providers, through several protocols, to enable frictionless access into different resources. The platform is engineered to follow Zero Trust security principles and automate the user identity lifecycle. The open directory makes it possible for small and medium-sized enterprises (SMEs) and Managed Service Providers (MSPs) alike to provision the best resources, from any vendor, to get work done. It also provides add-ons for deeper system management and security considerations. Microsoft and JumpCloud both provide cloud-based IT management tools for identity management and device management. This article examines how they compare and the best fit for each platform.

What Is Azure AD?

AAD was created for the express purpose of extending Microsoft’s presence into the cloud. It connects users with Microsoft 365 services, providing a simpler alternative to Active Directory Federation Services (ADFS) for single sign-on (SSO). There’s similar nomenclature, but it doesn’t replace all the features of Active Directory and lacks support for key authentication protocols including LDAP and RADIUS. It provides a common identity for Azure, Intune, M365, and other Microsoft cloud products, which permits SSO and multi-factor authentication (MFA) within the Microsoft ecosystem. Cross-domain SSO and MFA are gated behind paid tiers of AAD, once a defined number of integrations per user is surpassed.

Microsoft has a structured gated licensing model with trial subscriptions and a free tier of AAD with some restrictions. For example, there are limits on stored objects and the number of apps a single user can access with SSO and group management with role-based access control (RBAC) costs extra. Microsoft also charges for MFA for external identities, per authentication. AAD’s features, which include a few time-limited trial services when users sign up, are listed on its website.

It also serves as Microsoft’s approach to a multi-tiered portfolio of identity, compliance, device management, and security products. The permutations of accompanying cloud products from Microsoft and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants. This is due to the breadth of configurations, and resulting complexity, that many enterprise use cases require. However, some organizations may benefit from this approach. Integrations with other paid Microsoft services are possible such as Microsoft Intune Premium Suite, Microsoft 365, automations for management tasks, and reuse of ADMX templates from Windows 10/11.

What Is Intune?

Microsoft’s latest offering is Microsoft Intune Premium Suite. It functions as a mobile device management (MDM) solution to administer features and settings for iOS^®/iPadOS^®, Android^®, and Windows. While it extends to macOS and Linux, it’s historically been less focused on non-Windows platforms. Microsoft is updating its services and is increasing what’s possible on other platforms. For instance, Intune supports custom/templated profiles for macOS, compliance policies, shell scripts, Apple Business Manager (ABM), and user/device enrollment options. Linux support has rolled out slowly and is focusing on compliance policies. Microsoft Edge is obligatory to utilize some of its features, such as conditional access policies for privileged users.

However, Intune bolsters Microsoft products such as Edge and Configuration Manager as first-class citizens. Windows administrators will be familiar with aspects of how it works, such as ADMX templates. Intune is most robust when it is used to manage Windows systems that are hybrid AD-joined, in combination with other services and security solutions. Separate license requirements and costs may impact what services can integrate with Intune.

What is Configuration Manager?

The following provides a quick primer on Configuration Manager:

• Cloud-based MDM to control features and settings; isolation of corporate data
• The Intune admin center offers status updates and alerts as well as device configuration and other administrative settings
• Connectors for Active Directory and certificate-based authentication
• ADMX templates to deploy Windows policies and benchmark group policies and Graph API for scripting, with appropriate licensing in place.
• Integration with AAD, Windows (Win32) LoB apps, and other Microsoft-centric services
• Application deployment and user assignments
• Compliance settings creation and the ability to lock down services with granular conditional access rules based upon group Intuneberships, location, device state, and triggers for specific application access rules (Note: Additional Microsoft products are necessary to protect identities as well as to monitor and control cloud application sessions such as Enterprise Mobility + Security E5)
• Reporting on apps, device compliance, operations, security, and users
• Device-only subscriptions for single-use devices such as kiosks
• Remote support is available as a premium add-on; unlimited federated identity, which provides SSO and MFA environment-wide requires a higher tier of AAD; and Microsoft offers pre-built connectors and SCIM synchronization through its paid SSO SKU.

What’s possible with Intune is somewhat dependent upon what other Microsoft services are being licensed (standalone or bundled), knowledge of Microsoft’s administrative tools, and how invested an organization can become in the Microsoft ecosystem. Intune is a broad product family, and it’s possible to achieve advanced enterprise-level compliance and security by spending more for additional services.

What Is JumpCloud?

JumpCloud is an open directory platform for SMEs and their MSP partners that includes zero trust identity and access control (IAM), cross-OS device management, and more. It simplifies the orchestration of identity management and access control throughout the vendor and open source landscape. Supported platforms include Linux, macOS, iOS/iPad OS, and Windows. Android support is forthcoming. JumpCloud is cloud-based and can be deployed for a domainless enterprise, without the need for AD or AAD, or extend your existing domains wit
h a more straightforward deployment. 

JumpCloud is tailored to the needs of SMEs. Some of its core features include:

• An intuitive user interface and dashboard that makes IT admins more productive and highlights issues that require immediate attention. 
• The capacity to integrate with AAD and Google identities, with delegated authentication available for RADIUS using AAD credentials.
• Unlimited, True SSO that delivers SAML, OIDC, and password-based authentication for any web application, as well as SCIM and RESTful support to manage user onboarding/authorization to third party applications. JumpCloud provides ready-to-consume connectors for many popular services.
• Push and TOTP MFA everywhere, including RADIUS and LDAP connections.
• Built-in MDM, without extra costs; isolation of corporate data.
• Application install and management on remote systems.
• Integrated remote assistance with Remote Assist, free of charge.
• Integrations with popular HRIS systems for rapid user onboarding and provisioning.
• Zero-touch device enrollment and deployment for Apple devices.
• Automated group memberships that leverage attribute-based access control (ABAC) to modernize the user identity lifecycle and enhance security. This provides entitlement management maturity beyond what’s possible with legacy access control paradigms. In contrast, Microsoft’s RBAC is more labor intensive with higher management overhead.
• Cross-OS policies and root-level CLI interfaces for centralized IT management and commands.
• A streamlined dashboard for IT teams and technicians
• Reporting for Device Insights, Directory Insights, and Cloud Insights for AWS.
• A cloud-based LDAP directory with available Active Directory sync tools.

Even more IT management and security essentials are serviced by the following add-on products:

• Pre-built conditional access capabilities that restrict access by location, whether a device is being managed by JumpCloud, and to enforce MFA for specific groups of users
• JumpCloud Patch Management
• Decentralized password management that integrates with the directory platform

Comparing JumpCloud to Azure AD with Intune

AAD and Intune have some overlap with JumpCloud on a feature-by-feature basis, and it makes sense for organizations to evaluate all of their cloud-based identity and system management options. Put simply, the comparison between JumpCloud and Azure AD with Intune is really about adaptability versus maintaining the status quo and vendor lock-in.

The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.

The greatest difference lies in Microsoft engineering its products for the enterprise in service of the Windows ecosystem, tooling, and its accompanying cloud services. There’s deep integrations with Microsoft products and specialized services that mostly benefit larger organizations. If you have an all-Windows^® network, and are already implementing Azure with Active Directory^® on-premises, then Azure AD and Intune could be the right addition for your organization. Using tools created by Microsoft in a Windows environment simply makes sense. Mobile-heavy organizations may also benefit from using Intune’s mobile device management capabilities to manage other operating systems.

JumpCloud is intended for the specific needs of the SME market, as evidenced by how its features are packaged and implemented for ease of use. It was created to address the constraints that arise when a legacy on-prem directory is modified for a new era in computing (that crosses domains). The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.

It also securely connects users to more resources, without the need for additional servers or add-ons. If your organization has AWS, macOS^®, Linux^®, Okta^®, Google Workspaces™, and other non-Windows platforms as core parts of the infrastructure, then you will benefit by choosing JumpCloud’s open directory platform. Organizations can choose the vendors that are best suited for users both now and in the future.

Ease of Use

JumpCloud is simpler and more accessible, with a more intuitive UI and pricing breakdown. A common complaint is that Microsoft’s interface changes frequently and causes confusion. That’s a consequence of product bundling and frequent product family/branding changes. Other issues involve functions such as zero-touch deployments being limited to Windows devices.

Centralized Policy Management

A key component of Active Directory is a feature known as Group Policy Objects (GPOs). GPOs allow IT admins to control the behavior of Windows systems in their environment with great precision. The key here is that Microsoft’s GPOs only work for Windows systems and are not applicable in the cloud via Azure AD, and with the recent rise of Mac^® and Linux^® systems in the workplace, that’s a problem. Microsoft has extended policies to other devices through Intune, which extends Windows administrative methodologies, software, and tooling elsewhere.

JumpCloud offers GPO-like policies for all three
major platforms — Windows, Linux, and macOS^® — as well as cloud-based resources. IT admins are able to remotely disable virtual assistants, enforce full disk encryption (FDE), and configure system updates with just a few clicks. When a prescribed policy isn’t going to get the job done, JumpCloud enables IT admins to create and execute their own commands and scripts on all three platforms. JumpCloud also provides optional policies for cross-OS patching.

Open Directory Platform

The JumpCloud platform does not need to fully own an identity to manage it. Rather, it can consume identities from different sources and sits in the middle to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing the access control and security challenges stemming from having identities exist in silos. 

For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals must tackle authorizing and orchestrating those users between different products. An Azure AD user also won’t be able to use RADIUS to access Wi-Fi without a domain controller or third-party service. SMEs can dramatically improve security as well as save on licensing, headcount, time, and effort by consolidating orchestration into a single directory (that sits in the middle).

Mobile Device Management Capabilities

Intune and JumpCloud have MDM services for managing BYOD and BYOC devices, but the respective value propositions diverge when organizations are cost conscious, have limited resources, or must support heterogeneous environments. 

Microsoft delivers cross-platform support, but Windows is the favored tenant with the capacity for zero-touch onboarding that would benefit Microsoft shops. JumpCloud is easier to adopt, learn, and works better with Mac and Linux systems. The open directory platform also adds additional value for MDM users to import user identities from non-Microsoft platforms to centrally manage or utilize them all.

Android, Apple, and Linux Devices

Intune has Mac and iOS/iPadOS support for the supervision of Apple devices through user login, device enrollment/deployment, configuration management, patch policies, and software distribution. It’s also offering services to manage Android devices and Linux. Microsoft’s full offering requires AAD, Intune, and an understanding of its Windows templates and tooling. It also has extended requirements for other Microsoft products such as Edge to be able to manage Linux users, limiting customer choice.

JumpCloud’s Apple and Linux MDM capabilities are extensive, beginning with a pre-built collection of policies, configuration options, security functions, and culminating in zero-touch device enrollment. MDM is immediately available as a core feature of the platform, and cross-OS patching is available as an add-on service. JumpCloud supports the most popular Linux distros and doesn’t impose any mandates to use a specific browser. 

Affordability and Implementation

With consideration to Microsoft’s extensive stack requirements and gated licensing, JumpCloud’s bundled MDM is more affordable and user-friendly. It’s also easier for IT teams and MSP technicians to learn and manage. 

Configuring Intune is a long and complex process. Intune software deployment and polling works on Microsoft’s schedule, creating management “unknowns.”  The workflow is as follows: upload an MSI, create a package, apply it to a machine … and it will install at some point. This procedure, coupled with a confusing interface, creates a learning curve. Organizations save on costs as a business/MSP by choosing a tool that’s easier to use. Jumpcloud offers more immediate actions for commands and policies.

Platform

Microsoft has devised an extensive cloud services productive portfolio in service of its enterprise customers. It’s a stepwise architecture that enlists adjunct services to build out a broad stack. The Microsoft ecosystem is as broad and comprehensive as a Microsoft shop needs it to be.

JumpCloud is specifically designed for what SMEs need, and sheds the complexity of Microsoft’s ecosystem. It offers far more functionality through one solution that can be bolstered by a mobile-specific MDM, rather than purchasing the entire Microsoft IT stack and everything else required for modern offices to manage users. Organizations that adopt JumpCloud for MDM are more likely to value heterogeneous device management and benefit from its platform approach. Namely, MDM users will obtain greater value by using more of the open directory platform.

Microsoft 365 and Google Workspace Sync

With Microsoft 365™/Google Workspace sync, organizations can access either productivity platform at will with JumpCloud credentials. The open directory platform imports attributes that decorate users with entitlements, streamlining admin workflows, increasing the accuracy of user profiles, and delivering smooth onboarding. IT admins can also manage groups in Workspaces, and the ability to import groups from AAD is launching soon.

Non-System Needs

When evaluating which identity management provider is right for you, you also want to consider your non-system needs. For instance, if you are interested in LDAP, RADIUS, Samba, SSH, and other protocol support, you might consider JumpCloud’s protocol-level hosted services. JumpCloud also implemented MFA for its LDAP and RADIUS services, which is significant when highly regulated industries like cyber insurance companies require MFA to be enabled for network devices. Otherwise, additional servers and services may be needed to be compliant.

Vendor Lock-In

Another core issue for MSPs and IT organizations is vendor lock-in. Microsoft is financially motivated to keep you on the Windows and Azure platform track, which includes its ecosystem of administrative tools and templates. Often, you need a number of additional Microsoft tools on the Azure AD and Intune path. Most organizations with AAD also use AD on-prem, AAD Connect, AAD DS, and other third-party tools to create a holistic IAM and device management approach. That’s a deep investment in budget, training, and dependency on Microsoft.

Intune belongs to an evolving family of IAM products that have undergone multiple re-namings and repackaging. Growing with Intune means licensing Intune as well as other complementary services for security and system analytics. Note that the selections are in flux, making direct comparisons with alternatives more challenging. Buying Intune sinks organizations deeper into the Microsoft stack, which limits their ability to purchase solutions outside the Microsoft domain and customize their stack for their needs. It also introduces some unpredictability in budgeting.

JumpCloud’s open directory platform allows for greater flexibility and shopping around for services, such as adding best of breed XDR integration from Crowdstrike or Sentinel One to secure identities and endpoints, versus a monolithic supply chain from Microsoft.

Total Cost of Ownership

Microsoft’s legacy requirements frequently mandate a hybrid infrastructure configuration. A hybrid infrastructure adds complexity, and complexity correlates to bigger budgets. Managing and licensing your physical servers is expensive (people, hardware, facilities, maintenance,
and utilities), and the increase to your potential cyberattack surface area are all factors to consider. These factors combined raise the total cost of ownership for AAD.

A common refrain is that “Microsoft stuff works well together.” In practice, transitioning on-premises Microsoft solutions to the cloud isn’t always straightforward. For example, AD groups don’t all automatically sync over to AAD. This writer recently spoke with an Intune administrator who recounted how his organization, which is invested in Microsoft, was experiencing difficulty transitioning to AAD and Intune from ADFS and Active Directory.

In this example, consultants were brought in to set up Intune. The consultants attempted to turn on “full blown AAD” for the environment. That decision resulted in downstream problems with Virtual Desktop Infrastructure (VDI), because only persistent virtual machines (where every user’s personal desktop settings are set for each virtual desktop) are supported in on-premises ADFS. This scenario may seem arcane, but it illustrates that even migrating to Microsoft’s latest and greatest services isn’t always straightforward. Microsoft has a multitude of legacy components for SSO that tie back to AD, which introduces difficulties that are unique to its ecosystem.

The Intune administrator summed it up perfectly: “I need to focus all my time [elsewhere] but can’t because I get pulled in every direction [due to the complexity of Microsoft’s ecosystem].” Simply put, if your infrastructure’s a mess, everything’s a mess … and costs more than is necessary. The more an organization sinks into Microsoft, the less flexibility it has to go elsewhere.

Service Licensing

Cost of ownership is a key differentiator between AAD + Intune and JumpCloud. AAD is initially a great value — if you’re a heavy user of the Microsoft stack — but costs mount as use increases and third-party services and non-Windows devices are added to your infrastructure. Navigating Microsoft’s complex gated licensing scheme is another driver of rising subscription costs. 

For example, organizations that are considering M365, which can bundle Intune, must assess the differences of all 30 license variations. Some consultants even specialize in demystifying Microsoft’s licensing options. Basic tiers are only the price of admission. There are additional costs involved simply to obtain a few fundamental capabilities such as federated identity in AAD to securely access resources outside of Microsoft’s stack using SSO. That’s the real-world starting point for modern IT, even before Intune or other subscriptions factor in.

Consuming external identities also costs more. Microsoft introduced a separate product family called Entra, which is its solution for decentralized identity, identity verification, and entitlement management. Entra extends Microsoft’s strategy to monetize interoperability that is focused on the enterprise market and the sale of adjacent services. In contrast, JumpCloud’s foundation supports expanding capacity to accept and incorporate other identities into workflows.

IT Infrastructure Consolidation

IT tool sprawl is just one of the many unintended consequences of today’s remote-first workforce. Adopting a consolidated stack is beneficial to avoid overlapping feature sets from many different software products. A Microsoft shop may not need to look elsewhere to meet compliance, IAM, IT management, and highly advanced security requirements with its stack (assuming they have the budget). However, there are downsides.

Smaller organizations may find themselves overextended by the breadth and complexity of Microsoft’s components and services that form its hybrid architecture. Buying, operating, and supporting a datacenter is just the start. It’s very likely that IT teams will have to employ external resources to assist with AAD + Intune implementations. Those decisions involve a substantial and costly long-term commitment.

Azure works best if organizations are fully incorporated into a Microsoft tech stack environment, but not outside of Microsoft’s cloud infrastructure (i.e., it can’t be used to manage non-Windows servers hosted in Amazon or Google clouds).

JumpCloud’s open directory platform enables IT teams to assemble a stack of best-of-breed solutions that are secure, on managed devices, and available through the identity provider of their choosing. Optional products assist with security, IT hygiene, and password management without extensive management overhead or mandates to deploy them successfully.

What’s Best for Your Shop?

If you are locked in to Microsoft solutions, or if you have corporate-owned iOS and Android mobile devices, then Azure solutions may be an acceptable fit. However, its platforms are  intended for the enterprise and extend broadly through gated licensing. Alternatively, if you are an SME that’s invested in other non-Windows platforms and non-Microsoft services and identities, and wish to (or see a path to) consolidate IT resources, then you should consider JumpCloud’s open directory platform. A third option is to use both to obtain the greatest value for your organization.

JumpCloud centralizes user and system management, regardless of platform or where identities reside. This includes our Multi-Tenant Portal (MTP), designed specifically for MSPs to manage multiple client organizations from one pane of glass. JumpCloud offers cross-platform GPO-like capabilities to manage fleets of systems with policies, including local admin system controls, full disk encryption with FileVault 2 and Bitlocker, screen lock regulations, and more. Apple MDM capabilities are available for macOS machines, for machines to execute security functions and distribute configuration policies.

For MSPs, consolidation gives you the chance to proactively manage and monitor your clients’ tech with fewer providers. It decreases your monthly expenditures without sacrificing efficiency or usability, and frees you up to spend more time helping your clients reach their goals. IT consolidation has many benefits for MSPs and their clients, including cost savings, a streamlined user (and management) experience, and an increase in client trust.

The Choice Is Yours

However you choose, all options present benefits to an organization. To learn more about JumpCloud versus Azure AD with Intune, contact us or join our community to engage your peers in conversation.

As always, signing up for the JumpCloud platform is completely free, and includes 10 users and systems to get you started. The best way to learn is by doing. You also get 10 days of premium 24×7 in-app chat support. Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

• Devices
• Directory Services