JumpCloud is one of those services which has been on my radar for a while…
At its core, it’s the answer to the age-old question “Do I really need to use Microsoft AD to centrally manage the people and devices in my company?”
This isn’t written to blast Microsoft AD, which, for what it is, is about as solid a user and device management system as you can get; if you’re an all-Windows estate it’s a no-brainer. Problems start to arise when the real world kicks in and you get users with Macs and Linux desktops which you know you need to centrally manage, which have no need to be joined to a centralised login system, and you don’t want the fuss of figuring out how to do that in the small amount of time you’ll have to manage these things.
So why am I doing this?
- I want to have a place with centralised user accounts
- I’d like to use those accounts on the Linux servers I host in the cloud
- I’d like to use those accounts on my Linux Laptop
- I’d like to also have visibility of all the Servers on the Lan
- I’d like to do some centralised Linux patch management
- I’d like to use MFA when SSHing into a server or logging in to a desktop.
While this looks like a long list it’s not really, and boils down to user management, security and patching. I’d like to do this on Linux or OS X machines as I don’t use Windows, and eventually figure out a way to do this on a Chromebook, though I think that’s a little way off.
None of these on its own is a huge security boost, but together they give defence in depth.
What is it
Jumpcloud is Directory-as-a-Service and works with the newer model that, as a user in a business, you shouldn’t be restricted by something like Active Directory and should be able to use the tools that let you do your job, not the tools IT find easier to administer.
It’s possible to create a free tier Jumpcloud account to get going, and once done you’ll log in to a dashboard which looks like this:
From here the path forward is a fairly simple one, and as with most things this was my voyage of discovery; yours may differ as your needs differ.
LDAP is not what binds the rest of this together (the device agent and the console talk to Jumpcloud directly, so LDAP isn’t needed for what I’m about to do); it just seemed like a good thing to have set up, and it’s what you’d point LDAP-speaking applications at later.
Click on the circle with the + in it, give your LDAP a name, then follow the on-screen prompts and you’re done; this is a pattern throughout the journey and you’ll soon get the hang of the interface.
Once LDAP is created, move on; there’s nothing more to do directly in here.
Add Users and User Groups
Before you start with users, add some user groups
Under User Management -> User Groups
Click on the + symbol in the circle
Give the group a name and a description
If this group is going to contain users who need more privilege you can set, at group level, that any user in this group gets sudo access on every device the group is bound to.
Enabling this also exposes the passwordless sudo option. Think before ticking it: with NOPASSWD there is no password check between a hijacked SSH session and root, so keep it for automation accounts that genuinely need it rather than for people.
Under the Linux group settings you can specify a group name and GID for the group that will be created on the devices.
If you don’t know what these mean, the usual rule of thumb is don’t enable them.
Click on Save
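Once a group with sudo enabled is bound to a device, the thing that actually grants the privilege is a sudoers rule on that host, so the check worth running afterwards is "who ended up with NOPASSWD?". The following is an added example, not Jumpcloud’s agent code: a small sudoers parser that reports every user or %group able to run something without a password. The sample rules are constructed for the example; the real file names and layout the agent uses under /etc/sudoers.d/ may differ.

```python
"""Audit sudoers-style rules for passwordless sudo (added example)."""
import re

# Constructed sample: the kind of content /etc/sudoers.d/ might hold after two
# groups were bound to a device, one of them with passwordless sudo enabled.
SAMPLE_SUDOERS = """\
# managed rules (constructed example)
Defaults    env_reset
%admins     ALL=(ALL:ALL) ALL
%ops        ALL=(ALL) NOPASSWD: ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/apt-get
alice       ALL=(ALL) PASSWD: /usr/bin/systemctl, NOPASSWD: /usr/bin/journalctl
"""

# user-or-%group, host list, optional (runas), then the command specification
RULE_RE = re.compile(
    r"^(?P<who>%?[\w.+-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return a list of (who, runas, commands, nopasswd) tuples.

    Comments, blank lines and Defaults/alias lines are skipped. A rule is
    flagged nopasswd if any command in it is covered by a NOPASSWD: tag; the
    tag applies to the commands after it until a PASSWD: tag resets it.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        tag_active = False
        for chunk in m.group("cmds").split(","):
            chunk = chunk.strip()
            if chunk.startswith("NOPASSWD:"):
                tag_active = True
            elif chunk.startswith("PASSWD:"):
                tag_active = False
            if tag_active:
                nopasswd = True
        rules.append((m.group("who"), m.group("runas") or "", m.group("cmds").strip(), nopasswd))
    return rules


def passwordless_principals(text):
    """Sorted users/%groups that can run at least one command without a password."""
    return sorted({who for who, _, _, nopw in parse_sudoers(text) if nopw})


if __name__ == "__main__":
    for who, runas, cmds, nopw in parse_sudoers(SAMPLE_SUDOERS):
        print(f"{who:10} runas={runas or 'ALL':8} {'NOPASSWD' if nopw else 'password':9} {cmds}")
    print("passwordless:", passwordless_principals(SAMPLE_SUDOERS))
```

On a real host, feed it the output of `cat /etc/sudoers /etc/sudoers.d/*` (run as root) and compare the result with what you think you enabled in the console; `sudo -l` as the user is the cross-check from the other side.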
Now head over to User Management -> Users
This time clicking on the big + to add a user gives several options for where to add users from.
For the sake of this writeup I’m going to add a manual entry; however, it’s also possible to import from AD, from a CSV for bulk imports, and from some SaaS HR systems.
Click on Manual user entry
There seems a lot to fill out on this screen, but there’s not too much.
Under User Information
Complete the user information fields as needed; the ones marked as required are needed.
Under User Security Settings and Permissions, set the options as you need them. You can add user-level sudo access under Permission Settings if it’s not enabled at group level. Because I’ve enabled LDAP I’d tick Enable as LDAP Bind DN, but only for the account that applications will bind to the directory with; ordinary users don’t need it.
For a quick setup, the remaining 3 sections are not required.
At the top of the screen click on the User Groups tab and add the user to a user group
Click on Save User in the bottom right
You’ve added a user to your Jumpcloud who can log in to things.
Now that there are users enabled, adding some devices they can log in to would be a good thing. In this example I’m going to add some Ubuntu servers which are on a cloud service provider and some Ubuntu desktop devices which are at home.
As with users adding some device groups to start with helps
Head over to Device Management – Device Groups and click on the + symbol
This screen is much simpler than the User Groups screen, Add a Name and a Description
Click on Save in the Bottom Right
Repeat this for each device group you’d like to add.
Click on Device Management – Devices and you’ll be presented with a pretty dashboard showing the state of your devices.
Click on the Devices tab next to Overview
To add a device click on the + again
This then gets a little different: instead of a form to fill out, you’re shown the information needed to deploy an agent, either manually or using configuration management systems like Puppet or Chef.
The command to run is displayed (in this case for Linux, as I’m using Ubuntu) and the supported Linux versions are listed.
When the command is run the following happens:
- Check for compatibility.
- Check to ensure the system clock is accurate.
- Generate a private key and certificate signing request, used for secure communication with JumpCloud.
- Install dependencies.
- Download the JC agent.
- Create a “jcagent” service, which will be configured to run at boot.
- Start the agent.
The process for installation took about 3 minutes on my pretty low-spec servers.
If running the install is a bit out of your wheelhouse there is a link in the top right which will take you to some video content to show how to do it which is a nice touch.
Once the servers and workstations are able to talk to the internet they’ll start showing up on the Devices screen.
If you have issues and the devices don’t show up:
Sometimes the jcagent service starts but doesn’t. Restart it and check its status (the service name comes after the verb):
sudo systemctl restart jcagent
sudo systemctl status jcagent
If it still doesn’t show up, check the logs:
sudo tail -f /var/log/jcagent.log
Then see if the Jumpcloud support page can help.
If all else fails, reboot the device if you’re able to.
Add Devices to Groups
This can be done by either
Selecting a device and clicking on the Device Groups tab then selecting a group
Or clicking on Device Management -> Device Groups, choosing a Device group, then selecting the devices tab and ticking the devices to add to that group
What have we done so far?
By this point we have
- Added Users and User Groups
- Added Device Groups
- Added Device Agents
- Added Devices to Groups
Secure your users
So far we have done the basics and provided Jumpcloud with the data needed to understand the user and device estate. Next, we can start using some of the features of Jumpcloud to start securing users on those devices.
In this section, I’ll cover
- Adding SSH keys to a users account
- Enabling MFA for a User
- Enabling MFA for a device
- Enabling a patching policy for your devices.
Setup ssh keys
Using keys instead of passwords is the accepted norm for remote SSH access, and Jumpcloud can distribute them to every device it manages. Note that distributing keys doesn’t by itself turn off password logins; if you want keys to be the only way in, also set PasswordAuthentication no in sshd_config on the devices.
Each user needs their own key assigned to them, and this is done under User Management -> Users.
Select the user and the Details tab; at the bottom of the list there is now Public Keys.
Click on add new public key and paste in the public key (the contents of the .pub file, never the private key).
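The key you paste into the console should turn up, byte for byte, in the user’s ~/.ssh/authorized_keys on each device, but the agent may write a different comment or prefix options to the line, so comparing raw text is unreliable. Comparing fingerprints is not. The following is an added example, not Jumpcloud’s code: it computes the same SHA256 fingerprint that `ssh-keygen -lf` prints (SHA-256 over the decoded key blob, base64 without padding) and uses it to check whether a key is present in an authorized_keys file. The key material is a constructed 32-byte pattern, not a real key, and the authorized_keys content is constructed too.

```python
"""Fingerprint-based authorized_keys check (added example)."""
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


def _ssh_string(b):
    """Encode bytes as an SSH wire string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32, comment):
    """Build an authorized_keys line from constructed 32-byte key material."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (key_type, blob) for a line, skipping any leading options (no-pty, from=...).

    Options are skipped by scanning for the first token that is a known key
    type; a quoted option value containing exactly such a token would confuse it.
    """
    fields = line.strip().split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            return field, base64.b64decode(fields[i + 1])
    raise ValueError("no recognised public key in line")


def fingerprint(line):
    """SHA256 fingerprint in the form ssh-keygen -lf prints, e.g. SHA256:abc...  (no padding)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_present(authorized_keys_text, pubkey_line):
    """True if any non-comment line in the file carries the same key blob as pubkey_line."""
    want = fingerprint(pubkey_line)
    for entry in authorized_keys_text.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            if fingerprint(entry) == want:
                return True
        except ValueError:
            continue
    return False


# Constructed keys: deterministic byte patterns standing in for real Ed25519 keys.
ALICE_KEY = make_ed25519_pubkey_line(bytes(range(32)), "alice@laptop")
BOB_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "bob@desktop")

# Constructed authorized_keys as an agent might have written it: Alice's key
# with a different comment and an option prefix, plus a comment line.
AUTHORIZED_KEYS = (
    "# managed keys (constructed example)\n"
    "no-agent-forwarding " + ALICE_KEY.rsplit(" ", 1)[0] + " alice (directory)\n"
)

if __name__ == "__main__":
    print("alice:", fingerprint(ALICE_KEY), "present:", key_present(AUTHORIZED_KEYS, ALICE_KEY))
    print("bob:  ", fingerprint(BOB_KEY), "present:", key_present(AUTHORIZED_KEYS, BOB_KEY))
```

On a device, `ssh-keygen -lf ~/.ssh/authorized_keys` lists the same fingerprints, so the two can be compared by eye against what the console shows for the user.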
Enable User 2FA
Head back to User Management -> Users and select a user (or group of users)
Select the Details tab
Scroll down to Multi Factor Authentication and enable Require Multi-Factor Authentication on the User Portal.
The user needs to log in to the User Portal URL and will be prompted to set up 2FA using a TOTP app like Authy, Google Authenticator, LastPass Authenticator etc.
Once this has been done the user’s account is marked as TOTP MFA Active.
A suggestion I’ve read is to create a user group called services and not enable 2FA on any of those accounts, because when MFA is enabled on a device (see below) and a user SSHs onto it, for example, they will be prompted for a 2FA code. This doesn’t work too well for service accounts.
Enable Device-level MFA
To enforce 2FA on a device managed by Jumpcloud head over to Device Management -> Devices and select a device.
In the pane which appears select Enable MFA Login.
A popup message will appear.
Confirm and click OK.
Now any user with TOTP enabled will be able to log in (SSH or login prompt) using their 2FA codes, all pushed from Jumpcloud to the remote agent.
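The device-level prompt above is a TOTP check: the authenticator app and the device share a secret enrolled in the user portal, and both derive the same six-digit code from it and the current 30-second time step. The following is an added example, not Jumpcloud’s agent or PAM code, showing both halves of that exchange in plain RFC 6238 over RFC 4226 (HMAC-SHA1, 6 digits, 30-second step, which is what the usual apps produce). The verifier side accepts one step either way to absorb clock drift and refuses to accept a step twice, which is also why an unattended service account can’t satisfy the prompt and the page’s "services" group suggestion makes sense. The secret used is the RFC 4226/6238 test secret, standing in for a constructed enrolment secret.

```python
"""TOTP generation and verification as used for device-level MFA (added example)."""
import base64
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC 4226/6238 test vector secret
DIGITS = 6
STEP = 30


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def secret_from_base32(b32):
    """Apps are enrolled with a base32 secret (the otpauth:// URI); decode it, tolerating spaces."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Verifier side: accept codes for steps current-window..current+window, never the same step twice."""

    def __init__(self, secret, window=1, step=STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_step = -1  # highest step already consumed; replays of it are rejected

    def verify(self, code, now=None):
        now = int(time.time() if now is None else now)
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue  # a code for this step was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # What the app shows at a known time, and the verifier accepting it once only.
    code = totp(TEST_SECRET, at=59)
    verifier = TotpVerifier(TEST_SECRET)
    print("code at t=59:", code)                          # 287082
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay accepted:", verifier.verify(code, now=59))
```

The replay guard is the part a home-grown verifier most often lacks: without `last_step`, a code captured from a user's screen stays valid for the rest of its window plus the drift allowance, which is enough for an attacker watching the session to reuse it.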
So this is a very high level overview, with some “things I’ve figured out how to do without reading a manual”, which bodes well for any software.
I’m hugely interested in the patch management, which will be another post.
This is well-thought-out software and will fit any business that doesn’t want the bother of hosting AD. I can already see there may be ways of pulling GCP/AWS/AD information into Jumpcloud as well.
Well worth a look. Watch out for further articles as I learn more about Jumpcloud.