Modern IT environments are incredibly diverse, and while this is great for many reasons, it can also make the IT department’s job more difficult. Today’s environments are often comprised of a mixture of on-prem and cloud resources, corporate owned and BYOD devices, varying device and operating system (OS) types such as Mac, Windows, Linux, iOS, Android, and more.

All of these factors, plus the popularity of hybrid work, add complexity around managing identities and sometimes make it feel like centralized and simplified identity management is out of the question. Luckily, this is not the case at all, though some organizations might need to adjust their infrastructure and tool choices to be more future-proof to achieve a modern and unified identity management strategy. Let’s take a look at why that is and how it can be done.

Centralized Identity Management Barriers

As mentioned above, heterogenous IT environments can be a problem for IT, because resources live in many different places, employees work from all over the world, and there are a plethora of device and OS types out there.

Here’s how some of these factors affect identity management:

• Cloud and on-prem resources: It can be hard to get visibility into who has access to what resources, and SaaS apps might not connect to a traditional directory such as Microsoft AD.
• Hybrid and remote working models: Monitoring, managing, and helping employees that aren’t in the office can be problematic without the proper tools.
• BYOD: Personal devices typically don’t connect back to traditional directory services, and they are sometimes difficult or impossible to manage.
• Mac, Windows, and Linux device popularity: Most tools are meant to help you manage certain device types but not others, making it hard to keep track of and secure devices that employees use.

All of these factors and more contribute to an incomplete, decentralized identity management strategy in many organizations. 

Why Centralized Identity Management Is Key

This decentralized approach is often forced on IT, rather than chosen, simply because of the disparate resources that need to be managed on top of the fact that many organizations use outdated or disconnected IT management tools. This strategy (or lack thereof) can quickly turn into a security and compliance nightmare, an unnecessary weight on IT, a fractured employee experience, and a hit to the organization’s bottom line, among other things.

When users and their digital identities are not centrally managed, it’s virtually impossible to get visibility into their resource access privileges, what devices they’re accessing company resources on (whether company-managed or completely unsecured), what problems they might be experiencing, whether their systems are up-to-date or not, and much more. On top of all of this, Shadow IT is as prevalent as ever, which causes even more security hiccups when left unchecked due to poor identity management. 

Considering that 84% of organizations experienced at least one identity-related breach in the past year, you can see how far-reaching the effects of the decentralized identity management problem truly are.

To avoid all of this to the furthest extent possible, IT needs centralized control over all identities, access, and devices, while simultaneously allowing departments and employees the flexibility they need to get work done.

How to Centralize Identity Management

So, the end goal is to provide employees with flexibility in where and how they work, while maintaining the amount of control that you want over their digital identities, access, and devices. To do so, you’ll want to centralize the management of all of these things, as much as possible.

Centralized user management provides IT with the control and visibility over every device, application, and network across the organization, without dictating what resources are the right choice for each group. This strategy saves IT time with easier day-to-day workflows, helps ensure compliance, enhances security, and ameliorates the end user experience.

A modern way to centralize identity management is by adding JumpCloud’s open directory platform to the center of your IT infrastructure. The beauty of an open directory is that it can easily connect to all of your existing infrastructure, as well as any other tools (such as other directories, HR tools, and more) you decide to adopt in the future, allowing your business to evolve and scale with ease. This means that with the JumpCloud Directory Platform, you can centrally manage identities, access, and devices, all from a single, modern platform.

Get complete, centralized visibility into employee identities, what they do or do not have access to, and their devices. With JumpCloud’s identity lifecycle management capabilities, enjoy simplified onboarding and offboarding, add users to groups for easy control, keep devices patched and up-to-date, quickly change access levels, and much more. With this solution, your organization still maintains the flexibility it needs to leverage the best devices, applications, and tools on the market. Plus, you can hire the best talent, regardless of their location, without worrying about how it’ll impact security or how IT will manage them.

Use JumpCloud to ensure that your identity lifecycle management process is efficient, secure, and complete.

Learn More

• Best Practices
• Unification

• Devices
• User Access

Active Directory (AD) is a directory service introduced by Microsoft that runs on a Windows server to centrally manage user access to resources on the LAN. The server role in Active Directory is run by Active Directory Domain Services (AD DS), and the server running AD DS is called a domain controller. The domain controller performs two important functions:

• Authenticates and authorizes all users and systems in a Windows-based network
• Assigns and enforces all security policies for Windows systems

That is why Active Directory remains an important system of record for many small and medium-sized enterprises (SMEs), even though it can only reside on servers within a network. However, IT infrastructure and workplace trends have changed dramatically since its introduction over two decades ago. It’s common to have a heterogeneous mix of devices with employees working remotely at least some of the time (or even indefinitely). Microsoft has responded by extending AD to the WAN, but devices and users can now be managed without AD, or Microsoft. 

Identity has become the new perimeter and IT teams must look beyond standalone AD to manage identities and all corresponding devices, wherever they exist. Devices are the gateway to your IT assets and shouldn’t go unmanaged because they’re not Windows. Cloud directories are filling the gap by providing the access control, device management, portability, and security that AD cannot. This has brought forward the option for a new paradigm: the domainless enterprise.

This article examines AD’s benefits, and when it’s necessary to look beyond it. That’s accomplished by integrating with cloud directory services to extend it, or even a domainless enterprise.

What Does Active Directory Do?

AD DC manages local network elements, such as systems and users, by organizing them into a structured hierarchy. The domain controller is then responsible for authorizing user authentication requests within the network. The next section outlines its core capabilities.

Manages Devices, Services, and Users

Active Directory Users and Computers manages local contacts, devices, and users in your fleet: from PCs to printers. Admins create and organize groups within organizational units (OUs) to logically separate resources. OUs reside within a “forest,” which is the highest level of organization in AD. It may include service accounts for network services, apps that run on your servers, and integrations with SaaS apps. Service accounts can run locally on machines or across the domain. This tool also configures permissions for objects within your directory.

Global Catalog of Domains

Global catalog is an AD feature that stores replicas of the attributes of an object within a forest (or domain tree), even if the object (such as a user) resides within a separate domain. This enables organizations to centralize IT even if they have multiple locations and data centers, but users and devices must either exist within the confines of those facilities or utilize a VPN.

Querying and Indexing Directory Objects

There are two built-in options to query AD attributes. The Active Directory schema snap-in enables admins to index attributes. PowerShell is another option to specify a query string to retrieve AD objects. Many organizations purchase third-party reporting tools for compliance purposes and to gain visibility into their AD environment, but it’s vital to trust all software that’s installed on a DC. Attackers may gain entry into networks through the supply chain, and DCs hold the “keys to the kingdom.”

High Availability

Every domain controller is a server object in AD DS. High availability is automatic whenever there’s more than one DC. This makes it possible to shut down a server for maintenance without impacting your end users. Objects are automatically replicated throughout the server cluster. Administration is more complex: e.g., add-on apps must be installed and updated on each DC. Adding servers may increase licensing, management, server infrastructure costs.

Schemas and Templates

Admins have deep control over how AD operates. Schemas can be customized to control (through rules) objects that can be stored within the directory and their related attributes. Templates can be configured to automate the creation of objections and associated policies. Admins use the Group Policy Editor to create and edit ADMX and ADML template files. Templates may also be imported into Microsoft’s Endpoint Manager, a new subscription cloud service.

Now, let’s explore what AD isn’t capable of doing.

What Doesn’t Active Directory Do?

The domain controller serves an important role, but the modern workplace has shifted to the cloud. Legacy management solutions like the domain controller struggle to manage the disparate, non-Windows-based identities that have become commonplace in the IT landscape. Managing identities also entails managing devices and access to SaaS apps external to the Microsoft ecosystem. The next section examines those constraints in further detail.

Single Sign-On (SSO) and Multi-factor Authentication (MFA)

The widespread shift toward web applications means that end users can no longer leverage single sign-on (SSO) through AD for all resources. Twenty years ago, when the IT landscape consisted entirely of Windows applications and desktops, AD connected every user to just about every resource they required. AD no longer grants that level of authorization, forcing admins to adopt additional tooling to manage authentication and authorization for all of their IT assets.

Microsoft introduced an Identity-as-a-Service (IDaaS) solution with Azure Active Directory (AAD), but AAD can make identity management complex, time-consuming, and costly for IT admins by forcing them to keep on-prem AD in conjunction with it. There’s a free tier of AAD that makes it possible to access apps such as Microsoft 365 (M365), but a Premium 1 (P1) or greater subscription to AAD is necessary to have SSO for domain-bound apps and the cloud.

Additionally, if IT professionals wanted to leverage SSO for their users without AAD, they would have to add Active Directory Federation Services (AD FS) to their on-prem AD. That would need to be housed on-prem. AD FS has high management overhead and can be difficult to implement. Microsoft requires the NPS server role to be installed, configured, and managed to access network devices. There are multiple options for SSO within the Microsoft portfolio, but extending AD for roles it wasn’t designed for dramatically increases complexity and overhead.

Multi-factor authentication (MFA) isn’t built into AD. SMEs must purchase solutions that integrate with it. Microsoft offers MFA to access Windows apps, but only through its AAD P1, P2 SKUs. Additionally, conditional access (CA) policies aren’t available without those integrations.

Securing and Managing External Identities 

The domain controller struggles with providing access to IT resources outside of the on-prem Windows networks, so AWS and GCP infrastructures can be difficult to integrate, such as Google Workspace. 

Third-party solutions, such as JumpCloud’s open directory, manage identities from other identity providers (IdPs) such as Google or Okta. Microsoft has introduced the capacity to manage external identities through Entra, for an additional monthly fee per user. It also charges for every single instance of an MFA authentication for those external IDs.

Strong Security Defaults

Substantial work is required to harden Active Directory through specialized configurations. It’s not secure by default, and attackers have cultivated a strong understanding of AD’s default settings. Hardening AD is mandatory to secure your infrastructure. 

IT teams should always follow best practices to limit how they run as domain administrators. It’s advisable to use Microsoft’s ATA (Advanced Threat Analytics) or Defender for Identity to detect anomalous user behaviors. Security best practices for AD can take several full days of work to implement.

Automation of Identity Lifecycle and Entitlements

User identity lifecycle and entitlement management is a manual process in AD. Serious and costly breaches, including the Colonial Pipeline ransomware attack, have occurred when domain users were “forgotten.” Forgotten accounts are still able to access assets. It’s important to actively manage users and privileges to safeguard against insider and external threats.

Integrated Reporting

Third-party tools/services are necessary for reporting, especially when your users are accessing confidential and protected information or your industry is subject to compliance or regulatory requirements.

Cross-OS Device Management

Systems must be directly bound to the AD to deploy Group Policy Objects (GPOs) which are registry settings, configurations, or tasks that need to be executed. Mac and Linux systems’ commands and scripts (i.e., no GPOs) cannot be managed from the Windows domain controller, meaning that IT admins must manually configure each system if they choose not to implement add-ons. Even Windows systems must be connected to a VPN to receive policy updates from AD or PowerShell commands, complicating your capacity to effectively manage remote users.

Microsoft’s paid subscription Intune service fills this gap, but Microsoft services aren’t mandatory. An open directory platform, such as JumpCloud integrates with AD to perform this function, but could also manage devices without a domain controller being present.

Patching

There have been over 1,000 patches released from Microsoft to date this year alone. Patch Tuesday has now become “Zero Day Tuesday.” However, it’s possible to deploy software using AD Group Policy, but it doesn’t handle patching Windows systems throughout a domain (or even third-party applications) without a patching solution. 

Patching services may be cloud-based, such as JumpCloud, or on-premise servers. Patching OSs and apps (such as browsers) is vital to prevent Zero Day attacks from being exploited.

AD DS runs on Windows Server, which must be maintained and supported. Domain controllers contain data that determine access to an established network, making it a primary target for cyberattackers looking to corrupt or steal confidential information. It’s even possible for attackers to elevate domain standard users accounts to become domain admins without using malware on unpatched systems. Security tools such as BloodHound and Mimikatz are all that’s required for the AD attack path. 

Standard endpoint detection and response (EDR) won’t detect these intruders, and firewalls won’t stop them. Given these risks, cybersecurity should be a paramount priority for all SMEs. Industry experts routinely recommend a Zero Trust posture.

Active Directory isn’t Zero Trust.

Active Directory and Zero Trust Security

Microsoft has responded to these threats by updating AD’s capabilities for better security, but the requisite setups and changes can be resource intensive or require its premium cloud services. Active Directory works best with on-prem networks and Windows-based environments. AD natively operates by establishing a network of trusted assets, known as a domain, which are protected by an AD domain controller, VPN, firewalls, and other controls.

The objective is to create a strong perimeter to protect trusted resources from the open internet. As a result, external sources of network traffic (e.g., users) must first authenticate and ultimately be authorized to access internal domain resources such as systems and applications.

Zero Trust security, on the other hand, is a security model that effectively eliminates the separation between an internal domain that’s safe and the open internet that’s dangerous. Rather, all sources of network traffic are viewed as potential attack vectors that must generate trust before they are authorized for user access — and with good reason too. Bad actors are now attacking traditional networks from inside and out, often bypassing perimeter-based security by targeting trusted assets. Thus, Zero Trust security is effective because it basically eliminates the concept of trusted assets (i.e., the domain) altogether. Users must prove who they are.

The next-generation Active Directory alternative has been reimagined AD for the cloud era. Cloud directories connect users to their IT resources regardless of their platform, provider, protocol, and location. They’ll also manage all your devices. Additionally, as an identity and access management (IAM) platform, cloud directories forgo the concept of the traditional domain. This provides users with True Single Sign-On™ access to virtually all of their IT resources. SMEs can leverage JumpCloud’s open directory platform to manage identities wherever they reside with the assurance that it will help to deliver Zero Trust security.

Cloud Integration with IT Resources

The cloud directory integrates with the external identities and devices that AD doesn’t support in addition to AD itself. This is made possible through the combination of modern IAM and SSO protocols, automated entitlements management, using MFA to verify users, and CA for privileged user management. You can manage your entire device fleet through JumpCloud.

Centrally Control Identities and Systems

JumpCloud can extend AD and AAD identities and agent-based control (or MDM) to all systems in a fleet, whether they’re Apple, Android, Linux, or Windows devices. Unlike Microsoft, there’s no additional cost to manage your non-Windows devices or Windows without a DC. JumpCloud can also serve as a standalone cloud directory or import identities from Google and Okta. 

End users access their machines with their identity provider’s credentials, and admins can enforce pre-built GPO-like policies on those machines, such as full disk encryption or managing patches. No complex templates are required. SUDO-level permissions and a PowerShell module enable administrators to perform commands on any device, from CRUD operations to benchmark policies. A commands queue offers admins an easy-to-use dashboard for admins to see what commands they have awaiting execution on all their assigned devices and their status. 

Other key features include:

• Automatic high availability and redundancy. There’s no need to license multiple servers or to create a service account that has access to a privileged AD group.
• Telemetry aggregated from devices, events, users, and cloud services with pre-built reports and reporting tools. You’ll even know which users are accessing SSO apps.
• Opt-in Remote Assist, without the complexity of RDP or need to license a solution from a third party. This feature works across multiple operating systems.
• An optional decentralized password manager and vault for your users.
• Zero-touch Mac enrollment is available and Windows Out of the Box Experience (OOBE) is upcoming to onboard remote workers.
• PowerShell command templates to bind Windows PCs to your office printers without a print server.
• PKI as a service (coming soon), eliminating the need for a separate CA (certificate authority) Windows server role.
• The benefit of potentially lowering your TCO.

Manage Wi-Fi and VPN Access

You don’t need AD to access your network. Admins can achieve Cloud RADIUS functionality without additional on-prem infrastructure, and they can ensure users log into Wi-Fi networks (with VLAN tagging) and VPN clients using the same core credentials they use to access their other resources. Delegated authentication includes AAD credentials. Admins can enable Push or TOTP MFA, which is especially useful to secure VPN access to internal network and on-prem resources from switches to servers.

SSO to Everything

The open directory platform builds the stack that you want. A web-based portal is used to access all the apps employees need to do their jobs with best-of-breed solutions. The portal serves as a security control to help eliminate phishing. Pre-built connectors are freely available for common apps. Supported protocols include:

• LDAP
• OIDC
• SAML/SCIM
• RADIUS

Long-standing workflows don’t have to be scrapped in favor of cloud apps. Even Windows file sharing is possible without a domain controller.

Like AD, groups are used to manage access to your apps and resources. The difference is that they are automated with HRIS provisioning included. Attribute-based access control (ABAC) reduces the risk of human error and eliminates the heavy administrative overhead that’s necessary to keep AD privileges and users up to date. 

Boundaries matter less. 

This setup also eliminates the need for complex server management and AD’s global catalog. For instance, specifying an office location could be as simple as creating a directory group assignment.

Integrated MFA and Conditional Access

AD is reliant upon a single factor. MFA is environment wide in the open directory platform. Optional conditional access policies can further restrict access to trusted devices, by geolocation, and more for privileged users. JumpCloud doesn’t charge for MFA for external identities; Microsoft’s AAD does. Microsoft limits CA to AAD P1, P2, and requires integrations for AD. AD doesn’t have these capabilities and must be morphed into something it’s not in order to satisfy modern requirements.

In contrast, there’s far less complexity, labor, and cost when the domain controller is left out of the equation. In addition, there’s a greater opportunity to protect identities. JumpCloud secures identities (and aligned devices) even further with extended detection and response (XDR) integrations from the security vendors of your choosing. Microsoft only makes its security services first-class citizens.

Utilizing an Open Directory Platform

Organizations have already been moving their operations to managed services in the cloud to save the cost and time of maintaining an on-prem domain controller and server rooms. The journey begins by integrating JumpCloud with AD. An open directory platform frees up time and money for IT admins looking to manage a variety of systems and applications from one built-in service. Budget can be allocated toward higher priorities, such as Zero Trust, especially during leaner economic times. JumpCloud is free for your first 10 users or devices with 10 days of chat support up front. 

Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

Jump to Tutorial

MariaDB is an open source and community-developed fork of MySQL. It is a widely used relational database management system (RDMS) used to store data both in production and for personal and experimental projects. It was designed by the original developers of the MySQL database server, with the objective of remaining open source under the GNU GPL license.

Some of the advantages of using MariaDB over MySQL include:

1. Strong security thanks to additional security features such as user roles, PAM and LDAP authentication, data encryption, and role-based access control (RBAC).
2. High performance thanks to more and better storage engines such as Aria and XtraDB. The former replaces MyISAM in MySQL and offers better caching. XtraDB replaces InnoDB and improves performance.
3. Galera clustering which ensures scalability, high availability, and zero loss of data through replication.
4. Integrated monitoring using microsecond precision and extended user statistics.

In this guide, we will demonstrate how to install and secure MariaDB on RHEL 9.

Step 1: Upgrade Software Packages

To get started, log into your server as a sudo user via SSH. Next, upgrade all the packages and refresh the repositories as follows:

$ sudo dnf update

The MariaDB Server package is provided by the official AppStream repositories. You can confirm this by searching for the package on the repositories as shown:

$ sudo dnf search mariadb-server

The following output confirms that MariaDB is hosted on the default repositories.

Step 2: Install MariaDB Server on RHEL 9

The next step is to install the MariaDB Server. To do so, run the following command:

$ sudo dnf install mariadb-server -y

The command installs the MariaDB server alongside other dependencies and additional packages required by the database server.

Once the installation is complete, confirm that MariaDB is installed using the following command:

$ rpm -qi mariadb-server

Running this command displays comprehensive details about the MariaDB Server package including the name, version, architecture, installation date, and installed size to name a few.

Step 3: Start and Enable MariaDB Server

Up to this point, we have successfully installed the MariaDB Server. By default, the MariaDB service does not start automatically. As such you need to start it by running the following command:

$ sudo systemctl start mariadb

In addition, set it to start automatically on system startup.

$ sudo systemctl enable mariadb

To verify that MariaDB is up and running, run the command:

$ sudo systemctl status mariadb

MariaDB listens on TCP port 3306. You can confirm this using the command:

$ sudo ss -pnltu | grep mariadb

Step 4: Secure MariaDB Server

The default settings for the MariaDB database server are considered weak and not robust in the face of a breach or intrusion. As such, you need to go an extra step and secure the database server. To do this, run the mysql_secure_installation script as shown:

$ sudo mysql_secure_installation

Running the script will present you with a series of prompts.

First, you will be required to provide the root password. Next, switch to unix_socket authentication which allows the user to use operating system credentials when connecting to the MariaDB database server.

You can then decide to change the root user or let it remain exactly the way it is.

For the remaining prompts, press “Y” in order to secure MariaDB to the recommended standards. This does the following:

1. Removes anonymous users from the database server. This prevents the risk of having anyone log into MariaDB without having a user account.
2. Disallows remote root login. This ensures that only the root user is allowed to connect from ‘localhost’ or the server on which MariaDB is installed. This prevents brute-force attacks using the root user password.
3. Removes a test database called test which can be accessed by anyone and is only used for testing. Its removal is recommended before transitioning to a producing environment.
4. Reloads the privilege tables. Hence, saves all the changes made.

MariaDB is now secured using the recommended security standards after installation.

Step 5: Log Into MariaDB Server

To log in to the MariaDB database server, run the command:

$ sudo mysql -u root -p

Provide the root password for MariaDB and press ENTER. This ushers you to the MariaDB shell.

To check the version of MariaDB installed, run the command:

SELECT VERSION();

From the output, you can see that we are running MariaDB 10.5.16.

To list all the databases, run the command:

SHOW DATABASES;

Step 6: Create Database and Database User (Optional)

This step illustrates how to create a database and a database user.

To create a database in the MariaDB Server, run the following command where test_db is the database name:

CREATE DATABASE test_db;

Next, create a database user on the system with a password. Here, test_user is the name of the database user and P@ssword321@ is the user’s password. Be sure to provide a stronger password for your user.

CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'Password321@';

Next, grant privileges to the database user on the database. This determines the rights that the user has on the database, e.g., ALTER, CREATE, DELETE, DROP, SELECT, UPDATE, etc. This command will grant user rights to the database.

GRANT ALL ON test_db.* TO 'test_user'@'localhost' WITH GRANT OPTION;

Lastly, reload the grant tables in order to save the changes made as follows:

FLUSH PRIVILEGES

To confirm the creation of the database, again, run the following SQL query:

SHOW DATABASES;

This time around, an additional database named test_db appears on the list.

To view a list of all the users in the database server, run the following query:

SELECT User, Host FROM mysql.user;

Conclusion

In this guide, you learned how to install and secure the MariaDB database server on RHEL 9. For more information about MariaDB, check out the official documentation.

Looking for more ways to secure your Linux servers and devices? Learn how to improve Linux security posture with JumpCloud’s MDM policies. 

Microsoft Intune is a cloud-based enterprise mobility and security (EMS) management solution that enables organizations to manage mobile devices. It integrates with other components of Microsoft’s EMS platform, including Azure Active Directory (AAD) and Azure Information Protection (AIP), allowing IT teams to enforce security policies and manage how endpoints are used in the organization. Intune allows organizations to achieve a productive mobile workforce without worrying about corporate data security. For example, IT teams can set rules and configure security policies for various devices, whether those devices are corporate-owned or personal. This helps organizations implement bring your own device (BYOD) policies while mitigating security concerns. However, despite these benefits, Intune has only traditionally supported devices running Windows, macOS, iOS, and Android operating systems (OSs). This left out Linux-based devices that many companies use to maintain workloads out of the picture for a long time. Toward the end of 2022 however, Microsoft finally added Linux workstation support to Intune — starting with Ubuntu.

Does Intune Support Linux?

The short answer is yes. In October 2022, Microsoft announced that Microsoft Endpoint Manager (MEM) added Linux-based devices to its unified endpoint management solution, with general availability for Ubuntu LTS. However, Microsoft has yet to release support for other distros which means IT teams are either leaving other types of Linux workstations unmanaged or using other third-party mobile application management (MAM) and mobile device management (MDM) tools.

What’s Been Discussed?

Companies need to ensure that all endpoints are secure and compliant. In this regard, IT teams need to ensure that they mitigate compliance issues by deploying software and patches to all device types, including Linux endpoints. Effective Linux MDM is particularly challenging due to the many flavors of Linux distributions. With Linux support added to Intune, IT teams can theoretically use a unified console to manage devices and apply the same protection policies and configurations for Linux workstations. Whether Microsoft is able to accomplish that for more distros after Ubuntu remains to be seen. Having cross-platform support in an MDM is essential because the integration of multiple operating systems into one tool streamlines:

Cloud-Based Management

If IT teams are able to combine all the applications and device controls in one cloud-based endpoint management system, they can then apply policies and endpoint configurations in the same way across a heterogenous IT environment for added security and compliance. In addition, a unified MDM allows organizations to move their employees closer to Zero Trust security architecture and cover their entire IT infrastructure. For example, IT teams can apply management controls such as password policies, Wi-Fi profiles, and certificates in a standard way across all cloud-managed endpoints.

Compliance

Adding Linux support to an existing MDM enables companies to more easily enforce compliance policies and standards. For example, IT teams can create rules and configuration settings such as the minimum RHEL version that devices need to meet to be considered compliant. IT teams can also create application policies that provide an extra layer of protection, allowing employees to access them on personal devices securely. Most importantly, IT teams can also take actions for non-compliance, like sending notifications to the user.

Conditional Access Policies

Determining if the device is compliant is one of the outcomes of cloud management. In a Microsoft-specific ecosystem, MEM allows organizations to assess the device’s posture while sending signals to AAD. If MEM finds that the device is compliant, it applies conditional access configurations. These configurations combine device compliance signals with other signals such as user identity risks to secure access to enterprise resources through adaptive policies. With Intune, Microsoft’s goal is to allow IT teams to set AAD Conditional Access policies for Linux devices, as it does for Windows, macOS, iOS, and Android endpoints. This would ensure that only compliant Linux devices can access enterprise resources such as Microsoft 365 applications. However, note that the current release only provides conditional access policies protecting web applications via Microsoft Edge. This is an example of Microsoft attempting to lock admins and users further into the Microsoft ecosystem, without allowing for the flexibility of choice in IT tools.

The Good News? A Linux Device Management Alternative Already Exists

Even if Microsoft succeeds with its Intune Linux management framework, the approach will still face some challenges. This is because of the differences between Microsoft’s approach to identity and access management (IAM) and other open source solutions. For example, while Microsoft’s approach is to create segmented solutions that seamlessly integrate with Azure, the same cannot be said about non-Windows platforms like Linux-based OSs. Additionally, it is those very same segmented solutions that force users into Microsoft products and add additional complexity and cost for IT admins. If you’d prefer to have a cloud-based MDM that provides the openness you need to choose the best tools and IT resources for your stack, while still resolving compliance and security issues in a heterogeneous environment, then you should consider JumpCloud^® as an alternative cloud directory service. As an open directory platform and unified MDM, JumpCloud centralizes identity and system management, irrespective of OS. It can overcome the common “admin black hole” associated with managing Linux devices, and help you reduce the number of IT tools your organization has to pay for and manage to fully secure its IT environment. Whether you need patch management, encryption and lock-screen policies, MFA, or other capabilities applied to the Linux devices in your fleet, JumpCloud supports the following distros:

• Amazon Linux 2 on x86_64 and ARM64 processors
• Amazon Linux 2022 (AL2022) on x86_64 and ARM64 processors
• CentOS 7, 8
• Debian 10, 11 on x86_64 and ARM64 processors
• Fedora 35, and 36
• Mint 19, 20, 21 Cinnamon on x86_64 and ARM64 processors
• RHEL 8, 9 on x86_64 and ARM64 processors
• Rocky Linux 8, 9 on x86_86 and ARM64 processors
• Ubuntu 18.04 (64 bit), 20.04, and 21.04, and 22.04 on x86_64 and ARM64 processors

Give JumpCloud’s unified device management a try for free, no credit card required, to simplify IT security and compliance. You can register for a JumpCloud Free account and enjoy free 24/7 in-app support for the first 10 days to help you get set up.

Manage Linux Systems

macOS, Linux, and Windows Management for the modern organization

Try JumpCloud Free – 10 Users

• Devices

JumpCloud Password Manager has officially been released to our customers and MSP partners! MSPs have long requested a tool that allows their users to share passwords and MFA tokens, and now, we have a solution of our own built right into the core of our platform. 

Say goodbye to the days of juggling 14-day trials and countless promotional emails just to get a few days of password management. As a JumpCloud MSP partner, your account executives can have you up and running with Password Manager before your next password reset ticket.

If you’re not a current JumpCloud MSP partner and you’re still weighing your various password management options, it can be difficult to determine which solution is best. Here, I would like to discuss some of the benefits of implementing JumpCloud Password Manager for your clients.

Simplify the Vendor Management Process 

An MSP’s vendor management responsibilities can be as complex as another full-time client. And the more vendors you have to rely on to provide a comprehensive tech stack, the less time you have to win that new account. That’s why we built our Password Manager directly into the JumpCloud platform. 

Whether you’re a new partner or JumpCloud’s already part of your tech stack, you’ll enjoy both SSO and password management directly within one portal – without increasing your stack’s complexity. 

Meet a Popular Client Request on Your Terms 

Password management can be a bit of a touchy subject for MSPs. Since it’s often an a la carte or add-on feature, many clients try to do their own research on the cheapest solution, and bring it to their MSP to implement. 

Unfortunately, this scenario rarely works out for either party. MSPs are forced to complicate their tech stack, often with a product they don’t trust or recommend. And the cheapest-possible solutions rarely prioritize intuitive user experiences, leading to frustrations for the technicians and admins that must manage the product. 

With JumpCloud Password Manager, MSPs have a tool they can readily recommend to any of their clients currently using JumpCloud, with assignment and deployment being only a few clicks away. In addition to a seamless roll out experience, you can avoid the long process of convincing your client that they can trust this new vendor you are introducing into their environments.

Grow Your Revenue Without Increasing Costs

With JumpCloud Password Manager, you are no longer forced to choose between affordability and security. If you’re enrolled in JumpCloud for MSPs, Password Manager is included in your plan, making implementing it for your clients a no-brainer. If you’re considering switching to JumpCloud, combining SSO and password manager into one platform may save you money.

Adding Password Management to your tech stack can also increase your team’s efficiency, decreasing your need for additional staff. Password resets make up anywhere from 20% to 50% of an organization’s support ticket load, meaning your technicians are wasting valuable time handling one of the most easily solved problems in the technology industry. This can translate into a situation where even offering password management as service to your clients for free can have a real impact on your bottom line.

Choose JumpCloud for Password Management

Here at JumpCloud, we are working hard to meet the needs of our MSP Partners, their clients, and the users that rely upon our platform everyday. With the arrival of JumpCloud Password Manager, we have taken yet another step in the direction of making the Open Directory Platform more powerful than ever. 

If you have any questions about Password Manager, reach out to your account executive today. If you’re new here, visit our JumpCloud for MSPs page to try our platform for free.

• MSP

Microsoft and Google have been locked in a battle for the heart of the IT community for years now. This technological arms race has brought about a number of cloud innovations, including in identity and access management (IAM). Both contenders understand that by controlling user identities, they can lock you into their respective ecosystems and sell you additional services. 

In one corner, we have Microsoft Azure Active Directory (AAD), a cloud-based IAM solution for hybrid or cloud-only implementations. In the other corner, we have Google Cloud Identity, a cloud-based solution for managing user identities and access to Google resources. Both organizations seek to control your identities. The interesting problem is that if you are looking to replace your on-prem Active Directory instance or leverage directory services, then neither of these options can provide a solution.
In this article, we’ll compare Google Cloud Identity and Azure Active Directory, before explaining why neither is the best replacement for on-prem solutions.

What is Google Cloud Identity?

If you have ever used Google Workspace, you’re already familiar with Google cloud identities. Google identity management services enable users to connect to various applications and platforms delivered through Google. Google identity management allows for easy integrations to Google’s catalog of SaaS services and SSO applications but it does not offer support for legacy applications or on-prem resources. It also offers some authentication services via OAuth and SAML. An organization’s systems, on-prem applications, and network are outside of the scope of G Suite directory.

Unfortunately, this means that a lot of users will remain locked into their on-prem identity provider instance, namely Active Directory. While Google IDaaS is an excellent cloud user management system for Google Workspace, it is not a stand alone cloud-delivered directory service.

What is Azure Active Directory?

Microsoft’s version of the user management system is called Azure Active Directory (also called AAD, or Azure AD). The name confuses many people, because it makes it seem like Microsoft has moved their on-prem directory to the cloud. But that’s not the case. 

Rather, Azure AD works on top of Active Directory to provide single sign-on (SSO) access to a variety of SaaS applications like Office 365, Salesforce, DropBox, and many others. In essence, it is designed as a bridge between your existing legacy Active Directory instance and Microsoft’s catalog of compatible cloud-delivered services. While it is possible to sync your Active Directory instance with Azure AD, in of itself Azure AD is not a complete cloud-based directory service.

This is because Azure AD does not act as the authoritative source of truth of user identities (unless you are just using Office 365 or Azure resources). This role is still within the domain of Active Directory for many organizations, thus requiring traditional on-prem devices and dedicated IT staff to create and maintain. While Azure AD is meant to be a cloud identity platform, unfortunately, the true source of identity management is still firmly grounded with the legacy directory service, Active Directory.

The Problem with Google Cloud Identity and AAD 

As hinted above, the most glaring weakness of both of these platforms is that neither can truly function as the core identity provider for an organization. Instead, they’re user management systems designed only for their respective platforms.

Google Cloud Identity only organizes identities for Google Workspace and other Google cloud-hosted applications. It isn’t designed to be used for on-prem systems, AWS cloud servers, Azure, Office 365, and a wide range of other web and on-prem applications and networks. 

Azure Active Directory isn’t an Active Directory replacement, either. It’s a user management system for Azure, Office 365, and a web application SSO platform. If you want a core directory service, you won’t find it with either Google Cloud Identity or Azure Active Directory.

Instead, both of these platforms leave it to the IT department to figure out how to build a central, authoritative directory service for the organization. Having multiple user management platforms can create a significant amount of work and a great deal of security risk. 

Thankfully, there’s a better solution. An open directory platform can be your single authoritative source for user identities and authentication – across all platforms and operating systems. 

Open Directory Platform – the best Active Directory Replacement 

A new generation of cloud identity management is here. This independent solution, called an open directory platform, doesn’t rely on a single vendor, but works across platforms and operating systems to support authentication on Windows, Mac, Linux, Google Workspace, and more – all from the cloud, all at the same time. 

JumpCloud’s open directory platform provides the stability and authentication of Azure Active Directory and the flexibility and cloud nativity of Google workspace. You’ll also get many features, like SSO, multi-factor authentication (MFA), and password management you typically have to get from a third-party provider. 

Ready to learn more about why JumpCloud is the best replacement for active directory? Drop us a note to get a live demo, or sign up for your free account today.

• Best Practices

• Directory Services
• Integrations