At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a unified directory for managing your users, their IT resources, your fleet of devices, and the secure connections between them, with full control, security, and visibility.
About Version 2 Digital, professional distributor and leader in cybersecurity solutions: Version 2 Taiwan is one of the most dynamic IT companies in Asia. With many years of deep involvement in the information technology field, it is committed to providing up-to-date security solutions (such as EDR, NDR, and vulnerability management), tool products (such as remote control and web filtering), and security threat detection and response services (MDR). Through an extensive network of points of sale, resellers, and partners, it offers widely acclaimed products together with customized, localized professional services.
Version 2 Taiwan's sales coverage includes Taiwan, Hong Kong, mainland China, Singapore, and Macau. Its customers span every industry, including Global 1000 multinational enterprises, listed companies, public utilities, government departments, countless successful SMEs, and consumer-market customers from cities across Asia.
There is no doubt about it — remote work is here to stay.
Managing, securing, and updating Apple device fleets has never been more pivotal to thwart potential security breaches. Mobile device management (MDM) solutions simplify remote management while providing peace of mind that essential data is kept safe.
Right now, organizations in industries across the board are cutting costs in response to the current economic climate. Are you a budget-conscious admin looking for “free Apple MDM” guidance? If so, keep reading to learn more about what to look for when evaluating platforms.
The Apple MDM Landscape
Choosing the right MDM vendor has become a crucial task since 2020. That’s when Apple released macOS Big Sur, which introduced several changes for end users and IT admins overseeing enterprise environments.
Preceding this change, it wasn’t uncommon for small-to-medium-sized enterprises (SMEs) to leave Apple device maintenance in the hands of end users. Though several industries have embraced the vendor in recent years, Apple products still make up a small (but growing) percentage of the average organization’s device portfolio.
Of course, this left organizations vulnerable as most enterprise end users are not IT experts! Furthermore, they’re unlikely to prioritize organizational security over their daily tasks.
Today, Apple continues to add security patches that require coordination with official Apple MDM vendors. Of course, Apple’s commitment to privacy doesn’t stop there — Apple wants enterprise end users to know what their employers do and don’t have access to from their devices too!
Translation: Organizations must practice transparency, even with corporate-controlled devices. Admins can no longer rely on manual management of their Macs or third-party vendors that don’t use Apple’s native MDM protocols or APIs.
Free Apple MDMs: Are They Really Free?
Free MDM and open source MDM platforms do exist.
Review site Capterra lists 42 mobile device management software entries, in fact. But will these options cover the functionality you need? In most cases, the answer is no.
Open source MDMs and free MDM plans can often get the job done for extremely small businesses. But most SMEs require varying paid plans to meet more sophisticated security compliance requirements.
Most of the “free” Apple MDM plans you will find have device limits and/or time limits. In addition, they often require admins to manually install updates, troubleshoot connectivity issues, and/or manage on-prem infrastructure. Furthermore, each provider puts its unique spin on MDM APIs.
For these reasons, it’s crucial to clarify your requirements before investing time and energy into setting up a free Apple MDM solution. Let’s take a look at some key elements worth considering when weighing your options.
5 Essential Apple MDM Assessment Factors
It’s unlikely that most free or open source MDM solutions will check all of your boxes. You’ll need to decide which features are absolutely essential for your organization and which ones you can live without. Below are five core factors to consider before choosing a free Apple MDM:
1. Cross-Platform Support
Select a free vendor that only works with Apple products, and you’ll need to configure a different solution for Windows and Linux devices. Multiple solutions will require engaging in duplicate work, implementing multiple deployment processes, and staying up to date on different technologies. Translation: it can be a real pain in the tuchus!
If you manage a heterogeneous environment, prioritize device management technology that is cross-platform, multi-protocol, provider-agnostic, and location-independent. Ultimately, your MDM tool shouldn’t limit your choice of compatible vendor technology down the road either.
2. Security Compliance Functionality
Do you have remote workers using your servers? Following MDM best practices will require using platform features such as remote wipe, lock, restart, shutdown, mandatory password strength, multi-factor authentication (MFA), and more.
Consider whether the free Apple MDM or open source solution will streamline the most common types of IT compliance regulations and standards: PCI, CCPA, HIPAA, SOX, SOC 2, and ISO 27001. While smaller businesses may not have many requirements, companies dealing with credit card transactions must cooperate with ISO 27001 standards. Furthermore, though SOC 2 isn’t a requirement, it’s quickly becoming an industry standard for proving robust security practices.
Quick deployment and activation is essential for any admin expecting to meet evolving compliance instructions. In addition, look for streamlined reporting capabilities that make it easy to procure requested audit information at a moment’s notice.
3. Remote Configuration and Enrollment
Another factor to consider is how you currently deploy devices for new employees working from home. The best Apple MDM solutions allow admins to ship Apple devices straight to employees — ready to go out of the box. With zero-touch enrollment, the new employee simply follows the prompts on the screen for automatic enrollment and policy configuration. That means you can predetermine exactly what apps, resources, and data the employee will have access to ahead of time. If you’re looking for ways to take back your time, prioritize these features in your MDM search.
4. Software Deployment and Patching
Software deployment on macOS comes in two flavors: App Store apps and non-App Store apps. Apps sold through the Mac App Store can be purchased through Apple Business Manager and then installed remotely via an MDM solution with no action required by the end user.
Alternatively, non-App Store apps must be packaged up and installed manually. Many paid MDMs will offer an “App catalog” with popular enterprise apps prepackaged and ready to install. If a free solution doesn’t offer this service, consider the time it will take to package up your apps manually.
And, as any experienced admin will tell you, never sleep on patch management! Failing to install security and performance updates is like turning away free food. So, when evaluating free Apple MDM solutions, take a close look at the patch management UX.
5. User Management
As previously mentioned, user management for Apple devices has become more complicated with the evolution of macOS. For example, the recent shift to SecureTokens as a way of ensuring trust caused plenty of challenges for IT admins.
Thus, it’s crucial to understand how your new MDM will work with your directory services. Here are some questions worth asking yourself. How easy is it to:
Connect the MDM and directory service together to automate user management or will I need two separate solutions?
Control who can access which devices, networks, and applications?
Manage FileVault, which is intimately tied to the user and their profile?
Manage access to employee Macs remotely?
The integration of system and user management is extremely valuable for organizations planning to scale. In summary, choose the right solution from the start as it can be costly to switch after employee devices are already onboarded.
JumpCloud: The Best Free Apple MDM Solution
If you’re looking for greater integration between MDM and identity management, look no further than JumpCloud — the all-in-one MDM solution. Are we incredibly biased? Absolutely.
But the reality is there simply isn’t anything like it on the market. With JumpCloud you can manage Apple, Windows, and Linux devices from one frictionless location. The user portal allows admins to configure devices around user identities, wipe and lock devices, automate patch updates, and configure zero-touch enrollment quickly and easily.
In addition, users have the option of combining JumpCloud MDM with valuable security elements like SSO, MFA, full-disk encryption, cloud LDAP, and RADIUS.
MDM capabilities for 10 users and 10 devices forever.
10 days of premium 24×7 in-app chat support.
Full platform functionality (including software management, Zero Trust, etc.).
When you’re ready to scale, JumpCloud’s a la carte MDM plan starts at $5 per user/per device monthly. Below are some of the benefits of using JumpCloud:
Benefits of Using JumpCloud MDM
Seamless Cross-System Management
An IT admin’s credo is to secure their employee devices and, in doing so, protect company data and resources. Those devices could be Windows laptops, Linux servers, or Apple devices. JumpCloud, as an Apple-certified MDM vendor, offers seamless macOS MDM capabilities at no extra charge for companies on JumpCloud’s Free and Pro plans.
Convenient Security Controls
Security is something that can’t be sacrificed, even when it’s business as usual. Today, when teams are working from any corner of the globe, it’s even more critical that IT admins feel empowered to protect end users and enterprise devices regardless of location.
Once a JumpCloud-managed system is enrolled in Apple’s MDM, these commands equip admins with the ability to secure a user’s Mac in the event it’s lost or stolen. In addition, admins can remotely execute tasks like installing software, updating patches, and ensuring backups via JumpCloud’s command execution capabilities.
Easy Enrollment
Enroll macOS machines in bulk with a few clicks via JumpCloud’s macOS MDM enrollment policy. When applying the enrollment policy, admins have the option of checking a box that removes existing non-JumpCloud MDM enrollment profiles and automatically unenrolls devices from their previous MDM.
You can also use the policy to enroll new machines quickly. For DEP-enrolled machines, go through your Apple Business/School Manager platform and switch the association of their serial numbers to the new MDM server.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About JumpCloud At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.
Passwords are the bane of user and admin existence.
Keeping track of hundreds of passwords is tough, and employees inevitably forget them. When that happens, they’re frustrated that they can’t access the tools they need to do their job, and IT teams waste their precious time on lock-out tickets.
To circumvent this aggravating process, many employees create simple passwords or reuse them, which threatens their employer’s security and puts customer data at risk.
Many IT teams try to mitigate these issues by implementing single sign-on (SSO) or a password manager. But using just one or the other can still put a burden on IT and leave the company vulnerable to breaches.
What organizations really need is a unified approach to access that will enforce password health while allowing IT to control all target systems and support multiple authentication types. But is that even possible?
Below we’ll review why unmanaged passwords are so risky, describe the pitfalls of standalone SSO, and explain what a new world could look like when SSO and a password manager are implemented together.
The Dangers of Unmanaged Passwords
Unmanaged passwords are often a key component of cyberattacks, which are only getting more prevalent as employees have to remember more and more passwords to complete their day-to-day work. For example, Verizon’s 2022 Data Breach Investigations Report found that stolen login credentials were associated with half of all data breaches — a 30% increase from 2017.
But password management is expensive even without a breach. The average password reset can cost companies $70. When extrapolated to an entire organization, that adds up quickly.
While IT can send regular reminders to update passwords and educate employees on what makes a strong password, that’s not enough to mitigate risks. And those practices don’t reduce strain on IT either.
A password manager can reduce the chances of a breach and decrease pressure on IT by:
Rotating passwords – to ensure people are updating their passwords frequently
Syncing across operating systems and devices – to prevent as many lockouts as possible
While password managers certainly help, they still force employees to log in to every application individually and, ideally, require additional layers of authentication to protect a user’s master password.
Resource Access With and Without SSO
Single sign-on, or SSO, is related to password management because it grants access to multiple applications after users provide one set of login credentials.
Without SSO, users still must remember and type in a username and password for every application they want to connect to. In that situation, you run the risk of employees sharing passwords, keeping sticky notes with their passwords on them, reusing passwords for several different applications, or creating passwords that are extremely easy to guess.
As discussed above, these habits can cause devastating financial and reputational damage. SSO and other Identity-as-a-Service platforms lessen the chances of a breach and decrease IT load by:
But SSO doesn’t solve everything — it doesn’t generate passwords, enforce password policies, or rotate passwords like a password manager can.
Benefits of a Password Manager + SSO
Combining the benefits of a password manager and SSO gives you the best of both worlds.
Users no longer have to create hundreds of complex passwords and worry about forgetting them. With a password manager and SSO, you can meet password-based access needs while imposing new authentication practices, including federation and multi-factor authentication (MFA). Adding more security best practices increases the protection of valuable IP and sensitive customer data.
The best joint password manager and SSO solutions store passwords locally on endpoints, making it tougher for hackers to get the data they want. In addition, some come with a relay infrastructure, allowing users to share passwords via end-to-end encrypted communication.
Ultimately, users get access to sites and services quickly, while IT admins can monitor and enforce password health on the back end without slogging through a slew of password reset tickets.
Secure Single Sign-On and Password Management With JumpCloud
The fact of the matter is that no one SSO or password management solution is going to safeguard your company from attacks and dramatically reduce IT’s workload. To truly accomplish those two objectives, you need to unify your tech stack and consolidate your IT tooling. Luckily, that’s what you get with the JumpCloud Directory Platform, which combines SSO and password management into a cloud-based directory.
With JumpCloud’s robust yet easy-to-use platform, IT can lay the foundation for unified access across all users, systems, and authentication types, including MFA. JumpCloud also has a newly released password manager, and its open directory infrastructure streamlines the login process for your employees. IT staff also benefit from having more time and budget to focus on strategic initiatives.
As businesses continue returning to the office, more and more MSPs are being pressed to ensure that employees are able to return with minimal pain. Wi-Fi connectivity is often the very first issue that users will run into in a new office setting, so MSPs are finding that they must revisit how they handle the security of the wireless networks that they manage.
Common Wi-Fi Security Vulnerabilities
It’s very likely that your customers have their Wi-Fi set up with a guest network for visitors to use and a pre-shared key that employees are given on the first day of their employment. However, this authentication method is only marginally better than having no password at all and is very dangerous if the Wi-Fi provides access to domain-associated resources.
Addressing Connection Concerns
Being that your customers’ Wi-Fi keys are likely older than COVID-19, there has never been a better time to switch to a tried and tested solution: RADIUS. With RADIUS configured, network authentication takes place against a directory that has been configured to allow a user’s existing login credentials (username and password) to grant and revoke access to network resources.
RADIUS adds a much needed layer of security between users and a Wi-Fi network, while also bringing added convenience to your customers’ wireless networks. While RADIUS comes with a plethora of benefits, implementation can feel intimidating — but, it doesn’t have to be!
Using JumpCloud’s Cloud RADIUS Feature
In order to set up RADIUS for a client, you will need a directory to use as the source of truth for user authentication, and JumpCloud has the perfect solution for you. Here at JumpCloud, we leverage our powerful open directory platform to offer a high-quality, easy-to-use Cloud RADIUS solution that our customers love, giving them cloud-directory-fueled authentication and MFA to keep their networks secure and efficient.
Utilizing the Full Functionality of JumpCloud Alone
In addition to its Cloud RADIUS feature, implementing JumpCloud’s open directory platform opens the door to a variety of other important features such as SSO, MDM, software deployment, and policies to help manage your users and endpoints.
In effect, with JumpCloud, you will not only be able to address your clients’ immediate network security and user experience needs, but you’ll also be able to position your services in a new way. You’ll be able to offer current and potential customers a more forward-facing and expansive service using all of JumpCloud’s capabilities — including helping clients consolidate their technology stack or adding much needed features into their IT infrastructure.
Now, I know what you’re thinking: “That’s great, but I am not in a position to migrate directory services. I simply want to deploy RADIUS to improve Wi-Fi and VPN authentication, and I already have customers using Azure Active Directory (AAD).”
Well, I have some good news for you: you can leverage your existing Azure AD environments in harmony with JumpCloud thanks to our new feature: RADIUS Authentication with Azure AD Credentials.
Using JumpCloud’s RADIUS Feature With Azure AD
Surprisingly (or maybe ironically?) enough, the implementation of RADIUS with Azure AD is reliant upon on-prem resources, with physical servers needing to be allocated to perform the required tasks. JumpCloud is a strong proponent of equipping MSPs and IT professionals with world-class tools to get their jobs done effectively, which means we focus on creating solutions for problems like this.
We’ve made it so you can leverage JumpCloud’s Cloud RADIUS feature while maintaining Azure AD as the source of truth for your directory needs, effectively giving you the best of both worlds with no on-prem setup necessary. Your customers get secure networks with easier access for their credentialed employees, and you get a cloud-based RADIUS solution that can be implemented for any of your customers without gutting their existing directories.
Getting Started With Cloud RADIUS
Here are some guides to help you begin launching Cloud RADIUS across your MSP business and your clients’ orgs.
Check out some of the benefits that JumpCloud’s RADIUS solution will give to your clients:
Improved user experience that only requires a single, unique password to connect to networks and resources to get work done both in the office and remotely via a VPN.
Streamlined user onboarding and offboarding due to the activation or deactivation of a single set of secure credentials compared to many different usernames and passwords.
Fewer help desk tickets related to the pain associated with changing a PSK (pre-shared key) for a Wi-Fi network.
Simplified compliance that’s easier to prove by getting rid of a shared network password that anyone can get ahold of.
Easier network access for your techs. They’ll no longer be scrambling to figure out Wi-Fi passwords when performing site visits (this will also drastically lower the chance of a tech needing to huddle to one corner of a closet to get the single bar of LTE signal available for their hotspot to connect to your documentation service to find the Wi-Fi password. Definitely not speaking from personal experience. Sidenote: Why did they stop putting a network port on laptops?).
Ultimately, the largest benefit of having Cloud RADIUS from JumpCloud implemented is that you now have a solution that can be easily replicated across your entire customer base. Whether you’re working with a company that has never touched a directory service before (which JumpCloud can easily help with), or a customer that has been holding onto that 12 year-old server for dear life, JumpCloud is here to help you modernize your customers’ infrastructure.
With Cloud RADIUS, your service offerings around network management can fully revolve around a single authentication standard, your hardware vendor of choice, and a unified support approach that will delight your customers.
JumpCloud for MSPs
At JumpCloud, we are serious about setting MSPs up for success when working with in-office, hybrid, and fully remote clients. To do this, we have developed a dedicated platform for MSPs, called JumpCloud for MSPs.
JumpCloud for MSPs is an open directory platform that enables our partners to centralize identity, authentication, access, and device management capabilities under one umbrella without having to tear and replace any existing infrastructure.
This morning, like many before it, I woke up and thought, “Today is the day I come up with some magical blog post idea that changes someone’s world!” I showered, threw on my Global Panini attire and a pair of Uggs slippers, cooked up an omelet, and made a pourover (my new obsession).
I plodded downstairs to the office and fired up the computer. I opened a new document, raised my hands to the keyboard and — nothing. Complete brain freeze.
It’s hard to be amazing week after week. I know you feel this too. You have IT projects that are stacked up. Your boss is on you week after week to make their world more secure without adding friction for the users. Or your MSP is feeling stagnant and you need to come up with some new services to offer — or figure out how to offer your current services in a different way.
The week over week of having to be “on” all the time…it diminishes your ability to be creative after a while. Problem-solving becomes what keeps you from getting out of bed each morning instead of driving you to be 1% better every day. I get that. I hear you loud and clear.
The Block is Real
This creativity block thing is real. Very real. And if you were just doing IT for the fun of it — creating a playspace for yourself — you wouldn’t have to worry. But, folks, this IT thing is what you get paid to do. You can’t just say, “too bad, so sad” and head off to the zoo, y’know?
Over here in the MacAdmins community, we have a great Slack instance where people are doing amazing things and being really creative. You go there, looking for something – a solution, some inspiration, a new job – but you’re still left uninspired. And you wonder why. Could be burnout. Could be general tiredness. Could be something else – let’s explore.
Brainstorming
At a recent standup (yes I now speak the language Agiletongue) I asked for a lift from my brilliant and creative teammates. Ideas, people, I needed ideas! It didn’t matter how outrageous they were. In fact, the more outrageous, the better. Anything is a springboard. As we’ve talked about previously, brainstorming requires a plethora of input and little to no judgment.
And as a response to my request I got….nuthin. No ideas. Not a one. I wonder if it’s just the heat of this unbelievably hot summer cooking our brains or if people are just plumb wore out from current events. No clue, but nobody had any ideas for me.
The next day, though, someone pinged me with an idea. “What about recipes?” they said. “It’ll be fun,” they said.
I work for a tech company. Our product does (amongst other incredible things) device and identity management. IT stack centralization. MDM and security management. Automation. With my IT background, when I hear the word “recipe” my brain goes to GitHub and shell scripts and munki and other IT management types of things. But, alas, that is not what they meant.
They meant real recipes. Food recipes. Don’t get me wrong, I like food. It’s an important part of my day to day life. But, hmmm…was this a weird ploy to turn this into a happy homemaker column? I was both confused and a little offended but I stuck with the discussion knowing that I’d find out if I just let them talk.
How Does That Fit Into Tech?
Little by little the discussion started to make sense.
Us admins are under a lot of pressure to be perfect all the time. For many (if not all) of us, one mistake can cost our companies their reputation (not to mention financial and productivity loss). In some cases, if a mistake is big enough, it could cost our jobs or our client. So if you weren’t feeling stressed before you started reading this, you probably are now. Sorry!
One way to get past the stress is to get up from your chair, step away from your desk, and get active doing something that is not related to tech (if stepping away won’t get you in trouble, that is).
Thinking about other things is a great way to open channels that allow you to come up with solutions. We’ve all experienced this — our best ideas come in the middle of the night, or in the middle of a shower.
Points to anyone who, by now, has accurately predicted where this is going.
A Story and a Treat
Mom baked every item on this table.
Growing up in my house meant that there was a plethora of home-baked goods. I don’t mean, a few store-bought cookies. I mean my mother baked. Daily. And there were always people over who didn’t live in this house.
The counter always had a few different kinds of cookies, a cake, maybe brownies, and on special occasions there were eclairs in the fridge. There were always bowls and beaters waiting to be licked clean and getting to the frosting bowl first meant you had to hide behind a locked door, lest someone steal it right out of your hands.
But one particular tradition we had was that on our birthday we got to choose our favorite dinner and our favorite cake. Mom wasn’t the best cook (I won’t say food was overcooked and dry and we’re probably lucky we didn’t all get food poisoning regularly, but…oh, I guess I will say it), but she could definitely bake.
So my choice was always spaghetti with meatballs (safe and really hard to mess up) and mom’s chocolate banana layer cake. I used to call it my migraine cake because every time I’d eat it I would end up with a migraine. Also, it was worth it every single time. I don’t do that anymore because now I know that my post-cake morbidity was due to celiac — but I can still taste it in my memory.
Here It Is
And, so, it is with a full heart and a now-hungry tummy that I gift you this recipe. Posting it here serves two purposes:
Getting up and doing something completely different from your work frees up your brain and refreshes your spirit.
Eating something delicious can reduce your stress level. Even if it’s not a healthy option, a treat is good for the soul.
The recipe card (mom retyped every one of her recipes onto an index card with our Selectric typewriter that only had an all-caps ball) is well-worn. It has food stains all over it. It may have even gotten a bit too close to the heat. But it’s still here and someday it will be passed down to someone in the family.
Chocolate Banana Cake
Serves: 16
Baking time: 30-35 minutes
Notes: This cake is best when frosted between layers and on the outside with a buttercream frosting.
Ingredients:
2 ¼ cups sifted flour
1 tsp baking powder
¾ tsp baking soda
1 tsp salt
1 tsp vanilla extract
½ cup sour milk
⅔ cup shortening (may substitute butter or margarine)
1 ½ cup sugar
2 eggs
2 ounce Bakers chocolate
1 cup mashed ripe bananas
Directions:
Preheat oven to 350° Fahrenheit.
Sift together flour, baking powder, baking soda, and salt.
Cream shortening together with the sugar until fluffy.
Add eggs, one at a time, beating after each addition to shortening mixture.
Mix chocolate in with egg and shortening. Stir in vanilla extract.
Add the dry ingredients, alternating with the banana and milk in small amounts.
Turn into two 9-inch greased pans.
Bake for 30–35 minutes or until a toothpick inserted into cakes comes out clean.
Let the cake cool completely before removing from pans and frosting.
Nutrition Information*: 1 slice (1/16th of the cake) contains 241 Calories, 11.1g Total Fat, 4g Saturated Fat, 21mg Cholesterol, 220mg Sodium, 355.5g Total Carbohydrates, 1.4g Dietary Fiber, 20.3g Total Sugars, 3.2g Protein
*Note that this does not include the nutrition facts of the buttercream frosting
Let us know if this helped reduce your stress by baking it or by eating it. Or both! Join us in the community and tell us your favorite recipe for freeing up your IT brain.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About JumpCloud At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.
October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.
When we think of cyberattacks, we tend to envision the biggest and most disastrous ones — ones that involve well-known companies, expose tons of important data, and cause some serious fallout and public mistrust. While these attacks are real and dangerous, they’re not the only ones out there.
The reality is that cyber attacks affect businesses of all sizes and in all industries. Sometimes, our focus on the big ones can eclipse the less flashy ones that are just as dangerous to small and medium-sized enterprises (SMEs). In fact, a 2021 survey found that over 42% of small business respondents had experienced a cyber attack within the last year.
Mounting a viable defense starts with understanding what you’re up against — and even understanding the basics of common threats and defense measures can go a long way. The following are six of the most common attack vectors that can hit SMEs.
1. Ransomware
Because the largest ransomware attacks tend to dominate news cycles, many people don’t realize that ransomware attacks on SMEs are common as well. In fact, 50-70% of ransomware attacks are aimed at small businesses.
What Ransomware Looks Like for SMEs
Ransomware generally follows the same basic principles in attacks of all sizes: adversaries seize and lock a company’s data or assets and promise to return them upon payment of a ransom. For large enterprises, these ransoms can reach into the millions. For SMEs, they are often smaller — ransoms as low as $10,000 are common. While this may sound like a silver lining for SMEs, there’s a darker motive at play: adversaries know SMEs will pay them.
For established enterprises with decades of built-up resources, six-figure ransoms and the downtime associated with an attack are painful, but not often a death sentence. For SMEs with tighter resources, this isn’t always the case — the downtime and loss of data access alone can be crippling for a tightly-run SME. To adversaries, this means SMEs will fight to get their data back — so they demand a “reasonable” ransom and can expect with near-certainty that the SME will pay it. According to research, more than half of them do.
The Ramifications
The ramifications of a data breach to your employees, customers, partners, and reputation are grave: a Ponemon study found that 65% of consumers whose data was breached lost trust in the company that experienced the breach.
What’s more, paying the ransom doesn’t guarantee that your data hasn’t been compromised or shared when under the adversary’s control. Of the 59% of SMEs who said they had paid a ransom in a survey, only 23% got all their data back.
In fact, paying up can endanger your organization further: it tells hackers that you are willing and able to pay ransoms to reclaim your data. And now that they’re familiar with your defenses and architecture, they’ll have an easier time attacking you again. Unfortunately, repeat attacks are highly likely — either from the same criminal organization, or from another organization that the attackers sold your information to.
2. Supply-Chain Attacks
Most of us are familiar with supply chain attacks, where an infection starts with a large corporation and spreads as it comes into contact with other businesses through the supply chain. And while we’re likely to hear about supply-chain attacks on large businesses, news sources don’t always report on their trickle-down effects on smaller businesses in the supply chain.
How Supply-Chain Attacks Affect SMEs
In supply-chain attacks, SMEs aren’t usually direct targets, but rather casualties of a larger breach. As a result, large supply-chain attacks have ramifications for many of the target organization’s partners, customers, or vendors. In REvil’s attack on Kaseya’s VSA software, for example, many of those impacted were SMEs that used the product. In another example, the famous SolarWinds breach was originally believed to have affected a few dozen organizations. It actually impacted over 250.
3. Phishing and Its Variants
Some of the most basic and low-effort tactics remain common — and effective — infiltration methods. Phishing remains one of the top three threats SMEs face, even despite increasing organizational awareness around it.
The reason phishing is still so common is two-fold:
It is effective for adversaries. From the cybercriminal’s point of view, phishing is relatively easy to deploy, and it often yields lucrative results. It takes few resources and minimal skill to launch phishing attacks, and yet they continue to dupe employees into sharing credentials, network access, and other sensitive (and, for cybercriminals, profitable) information and assets.
It preys on human error. Unlike many other attack vectors that leverage vulnerabilities in systems, phishing uses social engineering to take advantage of human nature (and human error) to gain initial entry. It only takes one mistake to allow an attack to take hold — and the average organization has a 37.9% phishing test fail rate.
Targeted Phishing in SMEs
Cybercriminals have refined tactics to mount more targeted and precise attacks with different types of phishing. Spear-phishing, for example, involves background research to convincingly target individuals rather than bulk-sending a list to a group of recipients. This personalization and specific targeting makes spear-phishing attempts harder to spot — like the popular scam that involves posing as the target’s boss in a text or email. These messages often use conversational language and use the names of the target and the boss, which can make them quite convincing.
Some adversaries take this type of attack a step further with whaling, which uses spear-phishing tactics to target company executives. Because executives have extensive access to systems and data, whaling is particularly popular — especially with SMEs, where scarce resources could hamper their ability to adequately train leaders on security and phishing awareness and best practices.
4. Software Vulnerability Exploits
Leveraging software vulnerabilities is a common way to gain access into an organization’s systems. Often, exploited vulnerabilities are known and even have patches available. In fact, many of the top exploited vulnerabilities were found years ago — for example, a Microsoft Office vulnerability found in 2017 continues to plague businesses that haven’t kept up with their patches. In a Ponemon survey, 60% of respondents who had experienced a breach said it could have occurred through a known vulnerability that had a patch available, but the organization hadn’t applied it.
Why SMEs Are Vulnerable
Routine patching is a critical basic cyber hygiene activity, and it is highly effective at blocking this type of attack. However, large-scale organizations are more likely to have formal patch management solutions in place than SMEs, which can make SMEs an easier target. In a 2022 JumpCloud survey, only about half of SME respondents said they were confident that their organization’s patch management strategy was sufficient to protect against known vulnerabilities.
5. Account Takeover
As businesses move to the cloud and dispersed infrastructure becomes the norm, identity has increasingly come to define the new perimeter. Because identity permeates every element of the infrastructure, it has become a common infiltration point. In fact, the number of password-stealing attacks on SMEs around the world increased by almost 25% from 2021 to 2022, and nearly 80% of attacks leverage identity to compromise credentials.
How ATO Attacks Work
In account takeover (ATO) attacks, adversaries gain access to the network by taking over a user’s account. Account access can be gained through various means, including password-stealing malware, social engineering, and using (often, by purchasing) the credentials of already-breached accounts. Once the adversary has taken over the account, they can access resources and move around the network under the guise of a legitimate user. This makes account takeovers difficult to detect.
6. Advanced Persistent Threats
SMEs that work with large enterprises may be more susceptible to advanced persistent threats (APTs), which are sophisticated attacks carried out stealthily over an extended period of time. APTs typically consist of infiltration, lateral movement toward targeted data or assets, and exfiltration. APTs can start from any ingress point, and can enter through methods as simple as a phishing attack or stolen password.
For example, an adversary could gain the credentials of an employee with base-level permissions through a phishing scam, then take over the account to analyze the network and gather permissions, access and store the target data, and finally exfiltrate it to sell for profit.
APTs are harder to detect in sprawled IT environments, which are common in SMEs that have grown quickly. IT sprawl limits the ability to fully carry telemetry data from one element to another, which makes infiltration and lateral movement hard to detect.
Shoring Up SME Security
Because cyberattacks on SMEs don’t always make headlines, SMEs often underestimate their vulnerability and underinvest in security. However, adversaries have something to gain from just about any business; SMEs face many of the same threats that enterprises do.
The attacks above are some of the most common, but SMEs face a multitude of threats via many different vectors. And while it’s impossible for anyone to achieve 100% immunity from threats, it’s possible for SMEs to develop a strong, reliable security program that deflects most attacks.
Organizations turn on multi-factor authentication (MFA) to secure access to corporate resources and increase their security posture.
IT admins like using push notification MFA for several reasons. Since most users have smartphones in their pockets at all times, push notifications offer minimal user friction. They are also ubiquitous (admins can enable them across different kinds of resources and endpoints, unlike other methods) and offer security against “man in the middle” attacks.
Recently, this trusted security measure has been facing a new kind of attack known as push bombing or MFA fatigue. Keep reading to learn more about how to reduce your risk.
What Is Push Bombing and MFA Fatigue?
When an organization uses push MFA, the user is required to approve the login or access request sent to their personal device in the form of a push notification. This is just one way (of many) to verify the user’s identity, but preferred given its UX benefits.
Push bombing is a method in which an attacker uses a script or a bot to trigger repeated login attempts with stolen or leaked credentials, flooding the user’s mobile device with push notifications.
Here’s how it works:
An attacker repeatedly sends the user an endless stream of push notifications, intending to wear them down until they accidentally approve a prompt.
Understandably, the user feels a sense of fatigue, and it’s easy to make mistakes out of frustration. They accept the prompt.
Unfortunately, the trick works extremely well for account takeover and breaches. The attacker now has access to the account in question.
Alternatively, an attacker may also contact the user impersonating an IT admin and convince them to approve the login attempt.
How JumpCloud Protect Helps Admins Combat Attacks
Stronger Password Policy
Push attempts are triggered after an attacker gains access to a user’s password. The weaker the password, the more likely an attacker is to obtain it through brute force and social engineering techniques.
IT admins can use JumpCloud’s password settings to adopt a stronger password policy that meets the following requirements:
Greater than or equal to 12 characters in length, including alphanumeric characters
Upper and lower case combinations
Changes password every 90 days
Admins should also use password aging to reduce risks due to re-use of older, leaked, or stolen credentials that a hacker may have obtained. Here’s what the Password Settings look like in the JumpCloud management portal:
Admins can also use JumpCloud’s password manager to manage their users’ passwords, which reduces the friction associated with using lengthier passwords and improves security posture. JumpCloud Password Manager eliminates the need to remember a master password, thereby reducing the risks due to password leaks or breaches.
Account Lock-Out
Admins can use JumpCloud’s account lock-out settings to set a limit for password and Push MFA retries. A user’s account will be locked if the user denies a login request sent in Push notification for a specified number of consecutive attempts as determined by the settings. Admins can auto unlock the account after a certain duration to reduce user friction.
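The lock-out rule described above (lock after a run of denied push prompts, auto-unlock after a set duration) and the push-bombing pattern described earlier can both be exercised on an authentication event stream. The following is an added example, not JumpCloud code: the thresholds, the log line format, the user names and the events are all constructed for illustration.

```python
"""Push-MFA lock-out plus push-bombing detection, replayed over constructed auth events."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Policy:
    # Constructed thresholds for illustration; not JumpCloud's setting names or defaults.
    max_consecutive_denials: int = 3   # lock the account after this many denied prompts in a row
    auto_unlock_seconds: int = 600     # lift the lock automatically after this long
    burst_window_seconds: int = 120    # sliding window used to spot a flood of prompts
    burst_threshold: int = 5           # prompts inside the window that count as push bombing


@dataclass
class UserState:
    consecutive_denials: int = 0
    locked_until: Optional[float] = None
    prompt_times: Deque[float] = field(default_factory=deque)


class PushGuard:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = defaultdict(UserState)
        self.alerts: List[str] = []

    def _in_burst(self, st: UserState, now: float) -> bool:
        """Drop prompts older than the window, then test the remaining count."""
        while st.prompt_times and now - st.prompt_times[0] > self.policy.burst_window_seconds:
            st.prompt_times.popleft()
        return len(st.prompt_times) >= self.policy.burst_threshold

    def handle(self, ts: float, user: str, action: str) -> str:
        st = self.users[user]
        if st.locked_until is not None and ts >= st.locked_until:   # auto-unlock after the duration
            st.locked_until, st.consecutive_denials = None, 0
        if action == "prompt":
            if st.locked_until is not None:
                return "suppressed"            # locked: nothing is pushed to the phone at all
            st.prompt_times.append(ts)
            if self._in_burst(st, ts) and len(st.prompt_times) == self.policy.burst_threshold:
                self.alerts.append(f"{user}: {len(st.prompt_times)} prompts within "
                                   f"{self.policy.burst_window_seconds}s (possible push bombing)")
            return "sent"
        if action == "deny":
            st.consecutive_denials += 1
            if st.consecutive_denials >= self.policy.max_consecutive_denials:
                st.locked_until = ts + self.policy.auto_unlock_seconds
                self.alerts.append(f"{user}: locked after {st.consecutive_denials} consecutive denials")
                return "locked"
            return "denied"
        if action == "approve":
            suspicious = self._in_burst(st, ts)   # an approval in the middle of a flood is the fatigue pattern
            st.consecutive_denials, st.prompt_times = 0, deque()
            if suspicious:
                self.alerts.append(f"{user}: approval during a prompt burst (possible MFA fatigue)")
                return "approved-suspicious"
            return "approved"
        raise ValueError(f"unknown action {action!r}")


def parse_line(line: str) -> Tuple[float, str, str]:
    """Parse a constructed line such as '2022-10-05T02:14:00Z user=alice action=prompt'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return ts, kv["user"], kv["action"]


def replay(lines: List[str], policy: Policy = Policy()) -> Tuple[List[str], List[str]]:
    """Return one decision per event plus the alerts raised along the way."""
    guard = PushGuard(policy)
    decisions = [guard.handle(*parse_line(line)) for line in lines if line.strip()]
    return decisions, guard.alerts


# Constructed sample log: alice denies a flood until lock-out; bob approves mid-flood.
SAMPLE_LOG = """\
2022-10-05T02:14:00Z user=alice action=prompt
2022-10-05T02:14:05Z user=alice action=deny
2022-10-05T02:14:10Z user=alice action=prompt
2022-10-05T02:14:12Z user=alice action=deny
2022-10-05T02:14:20Z user=alice action=prompt
2022-10-05T02:14:25Z user=alice action=prompt
2022-10-05T02:14:30Z user=alice action=prompt
2022-10-05T02:14:35Z user=alice action=deny
2022-10-05T02:14:40Z user=alice action=prompt
2022-10-05T02:20:00Z user=alice action=prompt
2022-10-05T02:25:00Z user=alice action=prompt
2022-10-05T02:25:05Z user=alice action=approve
2022-10-05T03:00:00Z user=bob action=prompt
2022-10-05T03:00:10Z user=bob action=prompt
2022-10-05T03:00:20Z user=bob action=prompt
2022-10-05T03:00:30Z user=bob action=prompt
2022-10-05T03:00:40Z user=bob action=prompt
2022-10-05T03:00:50Z user=bob action=approve
""".splitlines()
```

Replaying the sample log, alice's third denial locks her account so the next prompts are suppressed until the auto-unlock, while bob's approval inside a burst is flagged as a likely fatigue success that warrants a follow-up.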
Mobile Biometric
Admins can activate mobile biometrics on Push MFA, so that a user is required to use their fingerprint or face recognition as an additional factor to approve a login request. Here’s a look at what both the admin and user see during this process:
Conditional Access
Admins can leverage JumpCloud conditional access policies for user portal and SSO application login attempts to restrict access to trusted devices, or to allow access only from the locations where an employee lives or travels. Simply select the Conditional Access option from the platform’s left-side navigation to open the Conditional Access settings:
App and Location Information on Push Notifications
Admins can educate their users to check the application name for which the access request is made or the location from where the request was made before approving the request.
While application name or a granular location information may not always be available, when it is present it will help flag potentially fraudulent access requests.
Avoid Account Takeovers with JumpCloud
As reported by Microsoft, requiring MFA has been shown to reduce account takeover attacks by 99%. While MFA does offer resistance to attacks, hackers have, unfortunately, found a way to circumvent it with push bombing and MFA fatigue.
So, it’s important for organizations to employ additional precautions such as adding phishing-resistant email tools and filters, educating users on stronger password practices for their personal and work accounts, and implementing stronger security practices to avoid security breaches.
JumpCloud continuously adds new features that increase the security posture of the platform to give IT admins and organizations peace of mind. IT admins can also better protect their organizations by adopting JumpCloud recommendations, starting with enforcing stronger password policies.
Ready to experience the ease of JumpCloud for your IT needs?
In today’s world, security teams have to strike a delicate balance between intrusiveness and security. Employees are prone to password fatigue when they have to remember numerous passwords and change them frequently. And even with those protocols in place, the mental burden it carries can push employees to reuse passwords and reduce their complexity, putting your company at risk of a data breach.
The good news is there are easier ways to ensure security while streamlining the login process and minimizing employee disruption: SSO and MFA. But what’s the difference between the two, and do they work better together?
In this post, we’ll explain how SSO and MFA work, delineate their similarities and differences, and explain how you can use them together to prevent unauthorized access and bolster your company’s security posture.
How Does Single Sign-On (SSO) Work?
Single sign-on, or SSO, only requires a user to log in once to access multiple resources. In other words, users only have to learn and provide one global set of login credentials instead of remembering multiple passwords and typing them into every single application.
On the back end, a company’s identity vendor exchanges keys with all preconfigured apps or sites. Typically, this process is driven by Security Assertion Markup Language (SAML), which uses Extensible Markup Language (XML) certificates to verify the authentication. Once everything matches, the user is authenticated, and sites and apps are ready for their use.
Employees favor SSO because of its user-friendliness and convenience. IT admins also benefit from SSO because it’s usually implemented as part of a larger identity access management (IAM) solution, which allows them to monitor network, device, app, and server permissions simultaneously.
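To make the back-end exchange above concrete, here is an added example (not JumpCloud's or any SAML library's code) of the checks a service provider performs before trusting an assertion from the identity provider. It is a constructed simplification: the assertion is JSON signed with HMAC-SHA256 under a key the IdP and SP exchanged at configuration time, whereas real SAML uses XML assertions carrying an XML signature from the IdP's certificate; the claim names (Issuer, Audience, NotBefore/NotOnOrAfter, InResponseTo, one-time ID) and the checks are the ones the SP must verify in either case. All hostnames and users are constructed.

```python
"""Minimal IdP/SP exchange showing the checks an SP makes before trusting an SSO assertion."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple


def _sign(key: bytes, body: bytes) -> str:
    # Stand-in for the XML-DSig signature a real SAML IdP applies with its private key.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, issuer: str, key: bytes) -> None:
        self.issuer, self.key = issuer, key

    def issue_assertion(self, subject: str, audience: str, in_response_to: str,
                        now: int, ttl: int = 300) -> str:
        claims = {
            "ID": secrets.token_hex(16),     # unique per assertion, so the SP can refuse replays
            "Issuer": self.issuer,
            "Subject": subject,
            "Audience": audience,            # the SP this assertion is meant for
            "InResponseTo": in_response_to,  # ties it to the SP's own login request
            "NotBefore": now,
            "NotOnOrAfter": now + ttl,
        }
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        return body.decode() + "." + _sign(self.key, body)


class ServiceProvider:
    def __init__(self, entity_id: str, trusted_issuer: str, key: bytes) -> None:
        self.entity_id, self.trusted_issuer, self.key = entity_id, trusted_issuer, key
        self.pending_requests: Set[str] = set()  # logins we started and have not yet completed
        self.consumed_ids: Set[str] = set()      # assertion IDs already accepted (replay protection)

    def start_login(self) -> str:
        request_id = secrets.token_hex(8)
        self.pending_requests.add(request_id)
        return request_id

    def consume(self, assertion: str, now: int) -> Tuple[bool, str]:
        """Return (accepted, subject or rejection reason). The signature is checked before any claim is used."""
        body_text, _, sig = assertion.rpartition(".")
        body = body_text.encode()
        if not hmac.compare_digest(sig, _sign(self.key, body)):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("Issuer") != self.trusted_issuer:
            return False, "untrusted issuer"
        if claims.get("Audience") != self.entity_id:
            return False, "wrong audience"
        if not claims["NotBefore"] <= now < claims["NotOnOrAfter"]:
            return False, "outside validity window"
        if claims["ID"] in self.consumed_ids:
            return False, "replayed assertion"
        if claims.get("InResponseTo") not in self.pending_requests:
            return False, "unsolicited assertion"
        self.consumed_ids.add(claims["ID"])
        self.pending_requests.discard(claims["InResponseTo"])
        return True, claims["Subject"]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Happy path plus the failure modes the SP must reject. Every name here is constructed."""
    key = secrets.token_bytes(32)   # exchanged between IdP and SP when the app was configured
    idp = IdentityProvider("https://idp.example.test", key)
    crm = ServiceProvider("https://crm.example.test", "https://idp.example.test", key)
    wiki = ServiceProvider("https://wiki.example.test", "https://idp.example.test", key)
    now, results = 1_665_000_000, {}
    req = crm.start_login()
    token = idp.issue_assertion("alice@example.test", crm.entity_id, req, now)
    results["valid"] = crm.consume(token, now + 5)
    results["replay"] = crm.consume(token, now + 10)         # same assertion presented twice
    req2 = wiki.start_login()                                 # assertion meant for crm, sent to wiki
    results["wrong_audience"] = wiki.consume(
        idp.issue_assertion("alice@example.test", crm.entity_id, req2, now), now + 5)
    req3 = crm.start_login()
    token3 = idp.issue_assertion("alice@example.test", crm.entity_id, req3, now)
    results["expired"] = crm.consume(token3, now + 600)       # past NotOnOrAfter
    body_text, _, sig = token3.rpartition(".")                # edit Subject, keep the old signature
    claims = json.loads(base64.urlsafe_b64decode(body_text))
    claims["Subject"] = "mallory@example.test"
    forged = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    results["tampered"] = crm.consume(forged + "." + sig, now + 5)
    results["unsolicited"] = crm.consume(
        idp.issue_assertion("alice@example.test", crm.entity_id, "not-a-request", now), now + 5)
    return results
```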
How Does Multi-Factor Authentication (MFA) Work?
You might be familiar with 2FA, but MFA takes 2FA to the next level. Whereas 2FA only requires two verification factors to log in, MFA requires two or more.
After someone enters their username and password, they are prompted to share multiple things they have — such as a token — or things they are, like a biometric factor. Some examples of these authentication factors are codes received via SMS, security questions, time-based one-time passwords, fingerprints, or retina scans.
MFA is becoming more widely adopted because it makes hacking someone’s username and password increasingly difficult. Even if an attacker can guess or intercept one verification method, they probably won’t be able to crack several others.
SSO vs. MFA
SSO and MFA have distinct similarities and differences that security teams should keep in mind as they build their authentication plan.
Similarities
Access: Both approaches control access to various applications and websites
Passwords: Both rely on a username and password
Decreased costs: Both have the potential to cut down on time IT spends on password resets
Differences
Management: MFA is a bit more difficult to manage than SSO
Security: MFA is considered more secure than SSO
Convenience: SSO is viewed as more straightforward and quicker
How Are SSO and MFA Used?
Single sign-on is used when it makes sense to authenticate users into multiple applications at once. Google is one of the best examples of a large-scale SSO implementation. Once you’ve logged into your Google account, you’ll also be logged into Drive, Gmail, YouTube, and any other Google-managed applications.
Multi-factor authentication is used when more stringent security measures are required. For instance, say you’re logging into your health insurance portal to view your claims. After logging in, you may need to scan your face, enter a one-time password sent to you via email, and/or accept a push notification on your authenticator app.
Can SSO and MFA Be Used Together?
It’s important to note that SSO and MFA are not mutually exclusive. In fact, many companies consider a joint SSO and MFA approach the best of both worlds — you can appease employees and keep your applications safe and secure.
With a joint SSO and MFA solution, an employee will enter their password and then use their phone, email, authenticator app, finger, or face to complete the sign-in process. If one of those methods fails, cyberattackers will still have a tough time breaking into their account, let alone specific applications.
SSO and MFA With JumpCloud
Modern Identity-as-a-Service (IDaaS) solutions were built with the dual SSO-MFA concept in mind. With the added flexibility of the cloud, the best IDaaS platforms let you control access and increase your security all in one place, with password complexity management, MFA, and SSH keys.
JumpCloud’s IDaaS infrastructure does just that, unifying your company’s architecture, improving the user experience, and safeguarding your data, all while reducing total cost of ownership.
Not sure if JumpCloud is right for you? Sign up for JumpCloud Free today and test it out yourself, for up to 10 users and 10 devices.
When the world went remote, people were surprised to learn that many aspects of their jobs looked pretty much the same as they did in the office. It turns out that accessing resources from the kitchen (or the beach, or a coffee shop, or a train) isn’t that different from doing it in the office. In fact, we make it our mission to make sure remote work can happen from anywhere, on your terms.
Remote tech support, however, isn’t quite the same experience when you can’t see or drive the user’s screen directly. It’s frustrating and inefficient at best, and at worst, it creates more issues than it solves. Between trying to understand the user’s issue and prescribing solutions via verbal or written instructions, every ticket seems to take twice as long as it should.
But as remote work becomes a permanent part of today’s workplace (the average SME is now 57% remote or hybrid-remote), IT teams and MSPs must be able to effectively assist users remotely. To help teams streamline remote tech support, JumpCloud has introduced Remote Assist, which enables IT teams and MSPs to remotely view and control users’ devices. And we’ve got more good news: Remote Assist is free for all organizations and MSPs that use JumpCloud.
How Does Remote Assist Work?
JumpCloud Remote Assist facilitates remote tech support by allowing admins to remotely see and control a user’s device, regardless of their location. It includes the following capabilities:
Multi-OS support: Provide remote assistance to Windows and macOS devices, with Linux coming soon.
Remote support straight from your browser: Offer remote assistance through your browser, from anywhere, with any device, and at any time, with no need to install additional tools.
Multiple monitor support: View, control, and switch between any number of monitors connected to your remote Mac or Windows devices.
Audit Logging: Get centralized logging of all remote support sessions.
Clipboard synchronization: Copy and paste text and images between remote and local devices (coming soon).
Role-based access control: Determine which technicians can access end user devices via the JumpCloud account role-based access controls.
Secure Peer-to-Peer Connection: Assist employees securely with fully secured, private sessions protected by unique session keys, end-to-end encryption, and direct peer-to-peer communications.
Note that the first release of JumpCloud Remote Assist focuses on attended access for macOS and Windows, with Linux and unattended access coming soon.
Key Benefits of JumpCloud Remote Assist
Remote Assist is free to all organizations and MSPs without any restrictions on time, number of devices, sessions or technicians. It allows organizations to support an unlimited number of devices, regardless of the number of IT technicians using JumpCloud Remote Assist, for as long as they want. This ability to remotely assist users effectively (without incurring additional costs) is a critical component in making a smooth transition to the long-term remote-first paradigm.
Benefits to Direct Customers:
Increased Productivity and Lower User Friction: End users resolve their technical problems more quickly, allowing them to focus on productivity and minimize time lost while waiting on issue fixes.
Windows, macOS, and Linux Support: Remote assistance becomes available to everyone — not just Windows users. This boosts team productivity as well as the end-user experience.
Faster Resolution for Help-Desk Tickets: IT teams can close helpdesk tickets faster, reducing time-to-resolution for your users and optimizing IT’s productivity time.
Benefits to MSPs:
Increased Reselling Margins: Centralize all your core capabilities such as identity, access, device management, and live remote assistance in the JumpCloud directory platform.
Reduced Operating Costs: Provide an easy and cost-effective way to manage multi-OS devices remotely.
Optimize Technician Time: Empower your IT admins to work efficiently and provide faster time-to-resolution for helpdesk issues.
Part of a Holistic Solution
With the latest Remote Assist solution offering, JumpCloud adds and consolidates multiple tools into a single platform. Organizations and MSPs that use JumpCloud can now administer and troubleshoot end-user devices remotely, without relying on or paying for third-party solutions.
In addition, the combination of Remote Assist, mobile device management (MDM), and patch management provides critical device management capabilities that deliver more comprehensive value than ad hoc approaches to device management. That includes optimized resources, time, and tools for IT teams and better savings for the organization.
Because the JumpCloud Directory Platform works well with other IT solutions in the market, organizations and MSPs can choose to use their existing MDM and identity access management (IAM) solutions while utilizing JumpCloud Remote Assist for free. All it takes to register is installing the JumpCloud Agent.
Get JumpCloud Remote Assist for Free!
JumpCloud is the only platform in the industry that consolidates live remote support with centralized identity, asset management and Secure, Frictionless Access™ to all company resources.
JumpCloud Remote Assist is free for any organization to use, at any scale, for any number of devices, without any limits on time. Sign up for a free account to start working efficient remote assistance into your remote or hybrid strategy.
Identity is the new perimeter. Cyberattacks are becoming more advanced and cloud-focused. Identity providers (IdPs) have responded by offering security controls that make it possible for small and medium-sized enterprises (SMEs) to be proactive and mitigate these threats. Many SMEs use Microsoft’s Azure Active Directory (AAD), which has prescribed best practices to secure identities. Microsoft reserves several features for its most premium subscription levels. IT administrators must determine which subscription tiers, or mixture of supplemental services from an open directory, are most appropriate for their unique security requirements.
This article outlines the fundamentals of securing identities in AAD, with emphasis on understanding what options are available and tailoring security controls to your organization. Provisioning and identity and access management (IAM) are the starting point, followed by centralizing the identity management lifecycle, adding appropriate controls, and auditing.
Identity and Access Control
There are three main paths for provisioning in AAD:
HR-driven onboarding.
Federating identity from AAD to cloud apps.
Inter-directory provisioning, such as from the Active Directory Domain Services (AD DS) server role, to access resources from your on-prem Active Directory domains.
Image credit: Microsoft
Provision, Manage, and Deprovision Access
Most Microsoft shops have Active Directory (AD). A sync tool called Azure AD Connect syncs users with AAD. Microsoft also accepts non-Microsoft identities for access control, but additional costs may be assessed. Some organizations may have deployed Active Directory Federation Services (AD FS) prior to the advent of AAD.
There’s a significant potential for disruptions to system availability when identities are migrated from AD FS to AAD without deliberate planning. Avoid impulsive decision-making when you’re migrating users. Organizations that opt for a hybrid approach should harden Active Directory. This detailed guide offers recommendations about how AD should be managed and maintained for optimal security. Always limit administrative privileges in AD and avoid running day-to-day as a domain administrator.
Familiarize yourself with “join, move, and leave” planning processes and Microsoft’s concepts for identity governance. Automation is possible, but it’s designed for mid-size to large organizations. There’s no default auditing to avoid over-provisioning users or for when individuals leave. Due diligence is necessary to avoid security and compliance issues.
Critically Important AAD Best Practices
Verify that you’ve completed these steps before moving on.
Role-Based Access Control
AAD has built-in and custom user roles, and role-based access control (RBAC) is standard across all subscription tiers. This permits IT to follow the concept of least privilege and helps to establish a Zero Trust security approach, but it relies heavily on manual input and maintenance.
Ensure that you:
Minimize the number of privileged accounts.
Plan to manage, control, and monitor access.
Limit global administrator accounts and make use of other roles such as billing administrator, global reader, helpdesk administrator, and license administrator.
Limit global administrators and never sync high privilege accounts from AD.
Pay careful attention to external collaboration settings and consider restricting external users from inviting guests to shared files and third-party storage; also review and adjust the global sharing settings for SharePoint Online and OneDrive. These changes impact end users, but they make it easier to recognize the “official” channels.
Using security groups for users assists with application security and lowers administrative overhead. Microsoft limits this capability to AAD Premium 1 (P1) and Premium 2 (P2) accounts. However, always try to avoid assigning resources directly to users, and use identity protection. Please note that Microsoft has documented multiple limitations to syncing AD groups with AAD groups. For example, AD primary group memberships will not sync over to AAD.
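To put the RBAC checks above into practice, here is an added example (not JumpCloud’s or Microsoft’s code) that audits a snapshot of privileged role memberships. It assumes the snapshot was exported from Microsoft Graph with GET /directoryRoles?$expand=members; the data below is constructed, the threshold of four Global Administrators is an assumed value to agree on with your organization, and only the userPrincipalName and onPremisesSyncEnabled properties of each member are used.

```python
"""Audit privileged Azure AD (Entra ID) roles from a Graph-style snapshot.

Added example, not JumpCloud or Microsoft code. The input is shaped like the
objects returned by GET /directoryRoles?$expand=members, but the data below
is constructed. Checks implemented:
  * more Global Administrators than the agreed maximum
  * privileged role members synchronized from on-prem AD
    (onPremisesSyncEnabled is True on the user object)
"""

# Roles treated as privileged for this audit (constructed subset; extend per tenant).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}
MAX_GLOBAL_ADMINS = 4  # assumed threshold; agree on a number with your organization

# Constructed snapshot: a subset of real Graph user properties per member.
SAMPLE_ROLES = [
    {
        "displayName": "Global Administrator",
        "members": [
            {"userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": False},
            {"userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True},
            {"userPrincipalName": "carol@contoso.example", "onPremisesSyncEnabled": False},
            {"userPrincipalName": "dave@contoso.example", "onPremisesSyncEnabled": False},
            {"userPrincipalName": "breakglass@contoso.example", "onPremisesSyncEnabled": None},
        ],
    },
    {
        "displayName": "Security Administrator",
        "members": [
            {"userPrincipalName": "erin@contoso.example", "onPremisesSyncEnabled": True},
        ],
    },
    {
        "displayName": "Billing Administrator",
        "members": [
            {"userPrincipalName": "frank@contoso.example", "onPremisesSyncEnabled": True},
        ],
    },
]


def audit_privileged_roles(roles, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return (check, role, detail) findings in snapshot order."""
    findings = []
    for role in roles:
        name = role.get("displayName", "")
        if name not in PRIVILEGED_ROLES:
            continue  # Billing Administrator and similar are not audited here
        members = role.get("members", [])
        if name == "Global Administrator" and len(members) > max_global_admins:
            findings.append(("too_many_global_admins", name, len(members)))
        for member in members:
            # Cloud-only accounts carry False (or None for some object types).
            if member.get("onPremisesSyncEnabled") is True:
                findings.append(("synced_from_ad", name, member.get("userPrincipalName")))
    return findings


def privileged_account_count(roles):
    """Distinct accounts holding any privileged role: the number to minimize."""
    accounts = set()
    for role in roles:
        if role.get("displayName") in PRIVILEGED_ROLES:
            accounts.update(m.get("userPrincipalName") for m in role.get("members", []))
    return len(accounts)


if __name__ == "__main__":
    for finding in audit_privileged_roles(SAMPLE_ROLES):
        print(finding)
    print("privileged accounts:", privileged_account_count(SAMPLE_ROLES))
```

Run against a real export, the synced_from_ad findings are the accounts that violate the “never sync high privilege accounts from AD” rule above, and privileged_account_count is the figure you are trying to drive down.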
Multi-Factor Authentication
Multi-factor authentication (MFA) is vital for identity protection. AAD’s free tier only permits the use of the Microsoft Authenticator application. Admins have the option of only protecting the Azure AD Global Administrator versus all accounts, but it’s highly advisable to set up MFA for all users. Protect against MFA self-enrollment attacks by using a Temporary Access Pass (TAP) to secure the initial registration. Avoid mixing per-user MFA with Security Defaults and other settings.
Your budget may impact what’s possible. Microsoft assesses fees for all MFA verifications that happen with non-Microsoft identities and capabilities vary depending upon licensing levels.
Consider using additional context and “number matching” in Authenticator notifications to include the application name and geographic location in Push MFA prompts. This practice safeguards against “MFA bombing,” where attackers send repeated requests to exploit MFA fatigue. Attackers successfully hijacked Microsoft users’ sign-in sessions to bypass MFA at 10,000 organizations by using advanced phishing toolkits. Microsoft’s mitigation is to use certificate-based authentication and Fast ID Online (FIDO) v2.0 MFA implementations.
MFA through FIDO2 devices and Windows Hello requires AAD P1 or P2. Additional hardware costs may apply. Some additional security controls include conditional access (CA).
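An added example, not code from the original article, of the detection side of MFA fatigue: it scans sign-in events for bursts of failed strong-authentication prompts per user. The events are constructed but use Microsoft Graph signIn field names (userPrincipalName, createdDateTime, ipAddress, status.errorCode); the example assumes error code 500121 marks a denied or timed-out MFA prompt, and a threshold of five failures within ten minutes, both of which you should confirm and tune against your own tenant’s logs.

```python
"""Detect MFA push fatigue ("MFA bombing") bursts in sign-in events.

Added example, not JumpCloud or Microsoft code. Events are constructed but
use the field names of Microsoft Graph signIn objects. The example assumes
error code 500121 ("authentication failed during strong authentication
request") marks a denied or timed-out MFA prompt; confirm against your logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED_CODE = 500121          # assumed code for a failed MFA prompt
THRESHOLD = 5                     # failed prompts ...
WINDOW = timedelta(minutes=10)    # ... within this window raise an alert


def _event(upn, ts, code, ip):
    """Build a minimal signIn-shaped record (constructed sample data)."""
    return {"userPrincipalName": upn, "createdDateTime": ts,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: alice receives a burst of prompts; bob declines twice in
# ninety minutes (normal friction); carol signs in successfully.
SAMPLE_SIGNINS = [
    _event("alice@contoso.example", "2023-03-01T09:00:00Z", MFA_FAILED_CODE, "203.0.113.7"),
    _event("alice@contoso.example", "2023-03-01T09:00:40Z", MFA_FAILED_CODE, "203.0.113.7"),
    _event("alice@contoso.example", "2023-03-01T09:01:20Z", MFA_FAILED_CODE, "203.0.113.7"),
    _event("alice@contoso.example", "2023-03-01T09:02:05Z", MFA_FAILED_CODE, "203.0.113.7"),
    _event("alice@contoso.example", "2023-03-01T09:02:50Z", MFA_FAILED_CODE, "203.0.113.7"),
    _event("alice@contoso.example", "2023-03-01T09:03:30Z", MFA_FAILED_CODE, "203.0.113.7"),
    _event("bob@contoso.example", "2023-03-01T08:00:00Z", MFA_FAILED_CODE, "198.51.100.9"),
    _event("bob@contoso.example", "2023-03-01T09:30:00Z", MFA_FAILED_CODE, "198.51.100.9"),
    _event("carol@contoso.example", "2023-03-01T09:05:00Z", 0, "198.51.100.20"),
]


def parse_ts(value):
    """Parse the UTC timestamp format used in Graph sign-in records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (max failed prompts in any window, source IPs in that window)}."""
    failures = defaultdict(list)
    for event in events:
        if event.get("status", {}).get("errorCode") == MFA_FAILED_CODE:
            failures[event["userPrincipalName"]].append(
                (parse_ts(event["createdDateTime"]), event.get("ipAddress")))

    alerts = {}
    for user, items in failures.items():
        items.sort()  # sliding window over chronologically ordered failures
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                ips = {ip for _, ip in items[start:end + 1]}
                previous = alerts.get(user)
                if previous is None or count > previous[0]:
                    alerts[user] = (count, ips)
    return alerts


if __name__ == "__main__":
    for user, (count, ips) in detect_mfa_fatigue(SAMPLE_SIGNINS).items():
        print(f"{user}: {count} failed prompts from {sorted(ips)}")
```

Number matching is what stops the attack from succeeding; a check like this is how you learn that it was attempted, and the set of source addresses on each alert tells you whether the prompts originated from the user’s usual location.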
Conditional Access
Microsoft recommends that all accounts deploy CA, but it’s also an extra cost and only available through P1, P2, or the E3 and E5 tiers for Microsoft 365 (M365) users. The standard M365 tier doesn’t include it. The overall licensing scheme is changing and can be bewildering.
There’s more than one CA implementation:
P1 enforces MFA in certain scenarios
P2 is risk based, learning user behavior to minimize MFA prompts
There are additional steps to consider for password management before we move on.
Configure Password Management
Microsoft has revised its password policy guidance to no longer expire passwords. It’s important to understand that SMEs that are regulated, or that don’t have MFA and CA configured, shouldn’t adopt that change. You may also consider changing passwords if you suspect an ID has been hijacked. CrowdStrike found that 71% of attacks are now malware-less and target cloud IDs. 75% of cloud breaches are due to compromised identities. A Zero Trust posture isn’t optional. Consider deploying Extended Detection and Response (XDR) from a vendor of your choosing, or paying extra for Microsoft Identity Protection if you prefer the Microsoft stack.
Other best practices are:
Set up self-service password reset (SSPR) with two authentication methods. Note that using security questions might be risky, because attackers gather intelligence on employees that’s “open source” from the web or obtain information from third-party breaches elsewhere. Microsoft charges extra for on-premises write-back.
Use the same password policies everywhere (on-prem and cloud-based). Microsoft maintains extensive documentation on an agent-based approach to enforce AAD password protection on AD DS without exposing your domain controller to the web or forcing networking changes. Note that you have to be proficient in modifying AD settings.
Prepare for the Worst
Create an emergency access Global Admin account for when it’s necessary to “break the glass” during network outages and periods of system downtime. This account is excluded from CA and MFA. Always store these credentials appropriately and use a highly complex password.
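The CA tiers described above and the break-glass rule can both be checked mechanically. This added example (not JumpCloud’s or Microsoft’s code) lints a set of policies shaped like Microsoft Graph conditionalAccessPolicy objects: every non-disabled policy must exclude the emergency access account, and at least one enforced (not report-only) policy must require MFA for the privileged roles. The policies, role template ids and the break-glass object id below are constructed placeholders.

```python
"""Lint Conditional Access policies for the break-glass and admin-MFA rules.

Added example, not JumpCloud or Microsoft code. Policies are constructed but
follow the Microsoft Graph conditionalAccessPolicy shape (displayName, state,
conditions.users.includeRoles / excludeUsers, grantControls.builtInControls).
Role template ids and the break-glass object id are placeholders.
"""

BREAK_GLASS_ID = "<break-glass-account-object-id>"                      # placeholder
ROLE_GLOBAL_ADMIN = "<global-administrator-role-template-id>"           # placeholder
ROLE_PRIV_ROLE_ADMIN = "<privileged-role-administrator-role-template-id>"  # placeholder
ADMIN_ROLE_IDS = {ROLE_GLOBAL_ADMIN, ROLE_PRIV_ROLE_ADMIN}

# Constructed sample policies: one correct, one missing the exclusion,
# one still in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for privileged roles",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [ROLE_GLOBAL_ADMIN, ROLE_PRIV_ROLE_ADMIN],
                      "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require compliant device",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]


def lint_ca_policies(policies, break_glass_id=BREAK_GLASS_ID, admin_role_ids=ADMIN_ROLE_IDS):
    """Return (check, policy name) findings; a missing admin-MFA policy has name None."""
    findings = []
    admins_covered = False
    for policy in policies:
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        if state == "disabled":
            continue  # a disabled policy can neither lock out nor protect anyone
        users = policy.get("conditions", {}).get("users", {})
        # Rule 1: the emergency access account is excluded from every live policy.
        if break_glass_id not in users.get("excludeUsers", []):
            findings.append(("break_glass_not_excluded", name))
        # Report-only policies are visible in logs but enforce nothing.
        if state == "enabledForReportingButNotEnforced":
            findings.append(("report_only", name))
            continue
        # Rule 2: some enforced policy requires MFA for all privileged roles.
        controls = (policy.get("grantControls") or {}).get("builtInControls", [])
        if "mfa" in controls and set(admin_role_ids) <= set(users.get("includeRoles", [])):
            admins_covered = True
    if not admins_covered:
        findings.append(("no_enforced_admin_mfa_policy", None))
    return findings


if __name__ == "__main__":
    for finding in lint_ca_policies(SAMPLE_POLICIES):
        print(finding)
```

The break_glass_not_excluded finding is the one to treat as urgent: a single policy that forgets the exclusion is enough to lock the emergency account out during exactly the outage it exists for.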
Following the steps outlined above provides a strong foundation with the appropriate entitlements, attributes, and processes to prepare AAD for application provisioning.
Manage Connected Applications
Application provisioning is on a per-user basis by default, with group assignment to applications reserved for P1, P2, or equivalent AAD subscribers. Ensure that applications don’t grant highly privileged access through RBAC. There are multiple options, and automation is available for application provisioning. The initial provisioning cycle populates users, followed by programmatic incremental updates that handle changes made through Microsoft Graph or AD.
Microsoft provides several options for attribute mapping from identities that originate from the “three paths” mentioned above via SCIM endpoints to cloud resources or the Azure AD Provisioning agent. The latter must run on the same server as your SCIM application. Microsoft also has options for one-way connections from AAD to LDAP or SQL database user stores, but those have several on-premise prerequisites. Provisioning users into AD DS isn’t supported.
Siloed identities complicate existing identity practices and infrastructure as well as increase technical overhead and the attack surface area. Enable single sign-on (SSO) to centralize identity management either through AAD or a system or service that integrates with it.
Enable Single Sign-On
SSO will improve security through modern authentication protocols, make life easier for your users, and reduce management overhead. Microsoft has imposed restrictions on the number of SSO applications per user on its free tier, but that policy may be changing. AAD provides pre-built integrations through the Azure AD application gallery, in addition to the SAML and OAuth 2.0 SSO protocols for manual configuration. Microsoft doesn’t support the AAA protocol RADIUS, which many network appliances use for access control, so its SSO doesn’t cover all of your resources. Consider using cloud RADIUS, or install and configure the Microsoft NPS server role.
It’s possible for all AAD tiers to access native Windows apps via Kerberos, NTLM, LDAP, RDP, and SSH authentication in a hybrid deployment. However, identity protection features such as CA are limited to P1 and P2 products, including Azure AD Application Proxy or secure hybrid partner integrations. These services extend modern security to legacy apps.
Phishing Considerations
Microsoft’s default settings permit all users to access the AAD admin portal and register custom SSO applets. Attackers are wise to this workflow and abuse OAuth consent in phishing campaigns, which may bypass MFA. The principle of least privilege mandates that users who don’t need access shouldn’t receive it. Strongly consider restricting user-driven application consent and setting permission classifications to “low impact.” This also applies to group owners. Compliance boundaries are murkier and should be carefully assessed outside of the Microsoft ecosystem.
AAD can be complex and Microsoft has amassed Azure partners for advanced specialization. Blocks of time with consultants should be a budgeting consideration for any AAD project. This writer, a former IT director, needed consultants even when projects appeared straightforward.
AAD is capable of alerting you to suspicious OAuth authorization requests, but that requires an additional subscription to Microsoft Cloud App Security, either standalone or through M365 E5. Other solutions such as CrowdStrike Falcon Identity Protection have this capability. JumpCloud is a CrowdStrike partner and integrates with its solutions through the CrowdStrike Store.
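An added example, not code from the article, that turns the consent guidance above into a review you can run yourself over an export of oauth2PermissionGrant and servicePrincipal objects from Microsoft Graph: it lists every grant carrying scopes outside the low-impact set, and separately the subset that was consented by an individual user rather than an admin. The objects below are constructed; LOW_IMPACT_SCOPES is an assumed classification that you would align with the permission classifications configured in your tenant.

```python
"""Review OAuth2 permission grants for high-impact and user-consented scopes.

Added example, not JumpCloud or Microsoft code. Objects are constructed but
use Microsoft Graph field names: oauth2PermissionGrant (clientId, consentType,
principalId, scope) and servicePrincipal (displayName, verifiedPublisher).
LOW_IMPACT_SCOPES is an assumed classification; match it to your tenant.
"""

# Assumed "low impact" classification; everything else is reviewed.
LOW_IMPACT_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed service principals keyed by object id (the grant's clientId).
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-001": {"displayName": "Contoso Expense Portal",
               "verifiedPublisher": {"verifiedPublisherId": "pub-001"}},
    "sp-002": {"displayName": "Mail Sync Helper",
               "verifiedPublisher": {}},
    "sp-003": {"displayName": "Directory Reporting",
               "verifiedPublisher": {"verifiedPublisherId": "pub-002"}},
}

# Constructed grants: consentType "Principal" is a single user's consent,
# "AllPrincipals" is tenant-wide admin consent.
SAMPLE_GRANTS = [
    {"clientId": "sp-001", "consentType": "Principal", "principalId": "user-alice",
     "scope": "openid profile User.Read"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-bob",
     "scope": "Mail.Read Mail.Send offline_access"},
    {"clientId": "sp-003", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Directory.Read.All"},
]


def audit_consent_grants(grants, service_principals, low_impact=LOW_IMPACT_SCOPES):
    """Return one finding per grant that carries scopes outside the low-impact set."""
    findings = []
    for grant in grants:
        scopes = set(grant.get("scope", "").split())  # scope is space-separated
        high_impact = sorted(scopes - set(low_impact))
        if not high_impact:
            continue
        sp = service_principals.get(grant["clientId"], {})
        findings.append({
            "app": sp.get("displayName", grant["clientId"]),
            "userConsented": grant.get("consentType") == "Principal",
            "principalId": grant.get("principalId"),
            "verifiedPublisher": bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")),
            "highImpactScopes": high_impact,
        })
    return findings


def user_consented_high_impact(grants, service_principals, low_impact=LOW_IMPACT_SCOPES):
    """Grants that restricting user consent to low-impact permissions would have blocked."""
    return [f for f in audit_consent_grants(grants, service_principals, low_impact)
            if f["userConsented"]]


if __name__ == "__main__":
    for finding in audit_consent_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(finding)
```

A user-consented grant from an unverified publisher with mailbox scopes, like the second sample, is the pattern the article’s consent restrictions are meant to prevent; running this over a real export shows how much of that exposure already exists before the setting is changed.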
Now that you’re familiar with configuring users, groups, and applications, let’s review reporting.
Audit Your Security Regularly
You should always look for ways to improve in-house security and processes. If you can’t stop it, you should at least monitor it. Regularly audit your entitlements, users, and review activity reports. Taking this extra step helps make security a process as opposed to relying solely on products and services.
Ideally, you’ll be monitoring all privilege changes, suspicious activity, and signs of known attacks. AAD will provide you with several reports:
Basic security and usage reports are included among all subscription tiers
Advanced reporting is restricted to P1 and P2
SIEM reporting and Identity Protection require P2 (or equivalent) subscriptions
Some security capabilities may be more accessible and easier to deploy via JumpCloud, which integrates with AD, AAD/M365, Google Workspace, and Okta, or can function as a standalone directory. JumpCloud is focused on managing identities, in all places, as your security perimeter.
How JumpCloud Improves Upon Azure AD Best Practices
JumpCloud is an open directory platform that manages identities, access control, and devices. Devices are a method of granting access to an identity or application, so device management is included by default. That makes it possible to assemble high visibility telemetry data for reporting.
As previously noted, Microsoft requires its users to purchase additional subscriptions (Entra, M365 E3/5, AAD P1/2, and Intune for device management) to meet its recommendations for best practices. Standard AAD deployments fall short of Microsoft’s guidance, but some of its premium offerings may sell SMEs more features than they require or even want to purchase.
JumpCloud can help to fill in some of those gaps, and is easy to deploy, with deepening integrations for exporting AAD user groups. It’s designed for SMEs, so IT teams may benefit from having more control over what they’re buying (as opposed to not using what they pay for). The next section explores the specifics of how JumpCloud can improve AAD and help your organization to build the stack of its choosing out of best-of-breed apps and services.
IAM and SSO
Identities flow into JumpCloud from other directories, HRIS systems, or JumpCloud’s Cloud LDAP. Attributes, such as where users are located, who their supervisor is, or what team they belong to, simplify provisioning user access to IT resources such as applications and networks.
Group management is provided at no additional cost and leverages attribute-based access control (ABAC), enabling the system to continuously audit entitlements for Zero Trust access control. JumpCloud is introducing the ability to automate and apply membership suggestions to groups. RBAC is more of a manual process, which can lead to mistakes that over- or under-provision users. Group members can access resources through SSO protocols and more:
SAML
OAuth 2.0
OIDC
RADIUS
LDAP
JumpCloud provides delegated authentication that leverages AAD credentials and password policies for RADIUS. This capability extends Azure SSO to network resources such as Wi-Fi networks and VPNs while also reducing technical overhead and eliminating siloed identities. SSO applets launch from within the JumpCloud user console as a security control for phishing.
Environment-Wide MFA
JumpCloud Protect™, an integrated authenticator app for MFA, is designed to be frictionless. It provides application-based Push MFA and TOTP in addition to WebAuthn and U2F keys. More options for biometric authentication and passwordless log-in experiences are being added to the platform.
MFA can be configured for most SSO, LDAP, and RADIUS logins. It’s also integrated with CA.
Conditional Access
AAD identities can be protected by conditional access through JumpCloud as an add-on, without purchasing P1 or P2 from Microsoft. Pre-built rules are available to enforce MFA for privileged user groups, restrict logins to specific locations, and require device trust, meaning that any identity and device that isn’t managed by JumpCloud can’t access cloud apps. More granular conditions such as OS version and device encryption status are coming soon.
Password Management
A decentralized password manager and vault is available as an add-on through browser plug-ins and mobile apps to help SMEs implement complex passphrases for users. This feature assists with provisioning and revoking user access to reduce the risk of data breaches. Centralized password management also increases visibility for compliance peace of mind.
Device Management
JumpCloud is cross-OS, supporting:
Android: Support for policies and application distribution is coming in late 2022 and beyond.
Apple products: Mobile Device Management (MDM) is available for macOS and iOS devices, providing for application distribution, policies, and commands with the option for Zero Trust deployment. Policies are timely and in-touch with the needs of Mac admins, including addressing “Day 0” OS upgrade controls.
Linux: JumpCloud supports multiple Linux distros with multiple deployment options. It provides pre-built policies, including full disk encryption (FDE), and Sudo access for commands (with pre-built security commands through the Admin Console). IAM capabilities aren’t restricted to certain browsers; Microsoft mandates Edge for Intune device enrollment. Intune is an additional subscription beyond standalone AAD.
Windows: Anything an admin wishes to do is possible through security commands and a PowerShell module. Commands function through a queue. JumpCloud provides pre-built GPO-like policies, including fine-grained control over BitLocker, as well as a GUI for custom policies. There’s also software distribution, and more, with Windows Out of Box Experience (OOBE) coming soon to streamline onboarding remote workers.
Patch Management
JumpCloud offers cross-OS patching as an add-on. Patching keeps devices in a healthy state and is an important activity to mitigate the risk of security breaches that leverage 0-day attacks. Centralizing patch management helps to reduce costs versus purchasing a third-party patch management solution for Windows and all other operating systems. Browser patch management is arriving in Q4 2022, and it will extend to reporting for management status.
Remote Assist
IT teams can extend opt-in remote support to users with Remote Assist. It’s free and works cross-OS. The only configuration that’s required is to have JumpCloud agents running on a device that’s bound to an identity from the open directory. It’s possible to:
Copy and paste between devices
Work in multi-monitor systems
Turn on audit logging
Reporting
JumpCloud’s emphasis on making identity the new perimeter is reflected in the telemetry that’s available from built-in reporting tools including Device Insights and Directory Insights. There’s a growing selection of pre-made reports, stored for analysis. SIEM integration is also possible.
Some of those include:
User to Devices
User to RADIUS Server
User to LDAP
User to Directories
User to SSO Applications
OS Patch Management Policy
Cloud Insights is an add-on to monitor Amazon Web Services (AWS) events and user actions. This makes compliance and data forensics easier for SMEs and helps to enforce least privilege in cloud infrastructure. Support for Google Cloud (GCP) will be introduced next for a multi-cloud strategy.
Avoid Vendor Lock-In and Do More with JumpCloud
JumpCloud is available to try with full functionality for 10 users and devices, and with 10 days of complimentary chat support before charges are assessed. AAD users benefit from more freedom of choice, simpler deployment workflows, access to more sources, and lower costs.
Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.
Similarly, managed service providers (MSPs) receive 10 free user accounts within the first organization that they create in the multi-tenant portal, JumpCloud’s dedicated MSP solution.