Benefits of JumpCloud Password Manager for MSPs

JumpCloud Password Manager has officially been released to our customers and MSP partners! MSPs have long requested a tool that allows their users to share passwords and MFA tokens, and now, we have a solution of our own built right into the core of our platform. 

Say goodbye to the days of juggling 14-day trials and countless promotional emails just to get a few days of password management. As a JumpCloud MSP partner, your account executives can have you up and running with Password Manager before your next password reset ticket.

If you’re not a current JumpCloud MSP partner and you’re still weighing your various password management options, it can be difficult to determine which solution is best. Here, I would like to discuss some of the benefits of implementing JumpCloud Password Manager for your clients.

Simplify the Vendor Management Process 

An MSP’s vendor management responsibilities can be as complex as another full-time client. And the more vendors you have to rely on to provide a comprehensive tech stack, the less time you have to win that new account. That’s why we built our Password Manager directly into the JumpCloud platform. 

Whether you’re a new partner or JumpCloud’s already part of your tech stack, you’ll enjoy both SSO and password management directly within one portal – without increasing your stack’s complexity. 

Meet a Popular Client Request on Your Terms 

Password management can be a bit of a touchy subject for MSPs. Since it’s often an a la carte or add-on feature, many clients try to do their own research on the cheapest solution, and bring it to their MSP to implement. 

Unfortunately, this scenario rarely works out for either party. MSPs are forced to complicate their tech stack, often with a product they don’t trust or recommend. And the cheapest-possible solutions rarely prioritize intuitive user experiences, leading to frustration for the technicians and admins who must manage the product. 

With JumpCloud Password Manager, MSPs have a tool they can readily recommend to any of their clients currently using JumpCloud, with assignment and deployment only a few clicks away. In addition to a seamless rollout experience, you can avoid the long process of convincing your client that they can trust this new vendor you are introducing into their environments.

Grow Your Revenue Without Increasing Costs

With JumpCloud Password Manager, you are no longer forced to choose between affordability and security. If you’re enrolled in JumpCloud for MSPs, Password Manager is included in your plan, making implementing it for your clients a no-brainer. If you’re considering switching to JumpCloud, combining SSO and password manager into one platform may save you money.

Adding password management to your tech stack can also increase your team’s efficiency, decreasing your need for additional staff. Password resets make up anywhere from 20% to 50% of an organization’s support ticket load, meaning your technicians are wasting valuable time handling one of the most easily solved problems in the technology industry. This can translate into a situation where even offering password management as a service to your clients for free can have a real impact on your bottom line.

Choose JumpCloud for Password Management

Here at JumpCloud, we are working hard to meet the needs of our MSP Partners, their clients, and the users that rely upon our platform every day. With the arrival of JumpCloud Password Manager, we have taken yet another step in the direction of making the Open Directory Platform more powerful than ever. 

If you have any questions about Password Manager, reach out to your account executive today. If you’re new here, visit our JumpCloud for MSPs page to try our platform for free.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Use JumpCloud RADIUS for FortiGate Group Authentication

JumpCloud delivers single sign-on (SSO) to everything, including RADIUS authentication and authorization for network devices. Multi-factor authentication (MFA) is environment-wide, delivering Push MFA for RADIUS. RADIUS is a core network protocol that’s widely used for Wi-Fi authentication, and it provides authentication, authorization, and accounting (AAA). 

JumpCloud Cloud RADIUS simplifies and secures privileged administrative access for network admins. It’s also an option to configure access to LANs for all of your SSL VPN users. JumpCloud eliminates the need to use Fortinet’s FortiTokens for MFA.

This two-part blog series explores two use cases with the FortiGate next-generation firewall:

  • Option 1: Use existing local FortiGate groups that contain FortiGate remote users. This approach is ideal for existing appliances that already have settings and users.
  • Option 2: Use remote groups (JumpCloud) and attribute mapping to set up access control on a new Fortinet device. This approach spares admins the work of having to establish local groups using ACLs on the Fortinet appliance.

This article focuses on Option 1.

We’ll demonstrate how to bind the local user to the JumpCloud RADIUS server that is configured inside your FortiGate so that JumpCloud becomes the authentication authority without changing anything in the way the appliance is configured for network posture. 

Note: It’s also possible to accomplish this using a different brand of network appliance.

Configuring JumpCloud RADIUS and Groups

Follow this guide to get started with JumpCloud groups. You may also refer back to this previous tutorial on how to configure SAML access for Fortinet devices if it better suits your requirements. However, RADIUS has the advantage of also mapping groups and authorizations/permissions.

Establishing Groups and MFA

You may have MFA required for individual users or leverage groups with conditional access. Skip this step if you’ve already configured your access control policies.

To require MFA factors for the User Portal on an individual user account:

  1. Edit a user or create a new user in the Admin Portal. See Getting Started: Users.
  2. In the User Security Settings and Permissions section, select the Require Multi-Factor Authentication for User Portal option. Note: The enrollment period only affects TOTP MFA. See Considerations.
  3. Click save user.

To require MFA factors for the User Portal on existing users from the more actions menu:

  1. Select any users you want to require MFA for.
  2. Click more actions, then select Require MFA on User Portal.
  3. Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.
  4. Click require to add this requirement to the selected users.

To require MFA factors with a Conditional Access Policy: 

  1. Log in to the Admin Portal: https://console.jumpcloud.com/
  2. Go to SECURITY MANAGEMENT > Conditional Policies. 
  3. Click (+). 
  4. Enter a unique Policy Name.
  5. Optionally, enter a description for the policy.
  6. If you don’t want the policy to take effect right away, toggle the Policy Status to OFF and finish the rest of the configuration. When you’re ready to apply the policy, you can toggle the Policy Status to ON. 
  7. For users, choose one of the following options:
    • Select All Users if you want the policy to apply to all users. 
    • Select Selected User Groups if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Getting Started: Groups.
    • If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups.
  8. Optionally, set the conditions a user needs to meet. Note: Conditions is a premium feature available in the Platform Plus plan. Learn more about conditions in Getting Started: Conditional Access Policies.
  9. In Action, select Allow authentication into selected resources, then select the Require MFA option. 
  10. Click create policy. 

Two JumpCloud groups were created for the purpose of this tutorial:

  • RADIUS-FortiGate_VPN_Users
  • RADIUS-FortiGate_Admins

Setting Up RADIUS

Create a RADIUS server in JumpCloud:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to RADIUS.
  3. Click (+). The new RADIUS server panel appears.
  4. Configure the RADIUS server:
    • Enter a name for the server. This value is arbitrary.
    • Enter a public IP address from which your organization’s traffic will originate.
    • Provide a shared secret. This value is shared with the device or service endpoint you’re pairing with the RADIUS server.
  5. Select an identity provider.

Now select an authentication method:

  • To use certificate authentication, select Passwordless.
    • Once Passwordless has been selected, the Save button will be disabled until a certificate has been successfully uploaded (or the authentication method has been changed back to Password).
  • If desired, select Allow password authentication as an alternative method.
    • If this checkbox is selected, admins can enable certificates for some users while allowing others to continue validating by username and password. Users will continue to have the option to validate by username and password, but once they choose to validate with certificates and a valid certificate is found, the password option will no longer be presented.
    • The MFA Configuration section will be available if using JumpCloud as the identity provider, and Passwordless is selected as the Authentication Method, and the Allow password authentication as an alternative method checkbox is selected.
  • Configuring multi-factor authentication (MFA).
    • Toggle the MFA Requirement option to “enabled” for this server. This option is disabled by default.
    • Select Require MFA on all users or Only require MFA on users enrolled in MFA.
      • If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect™ (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
      • If JumpCloud Protect is not yet enabled, users can select the Enable Now link.
  • Uploading a Certificate Authority (CA).
    • To upload your certificate, click on the Choose a File button, navigate to the file location, and select it for uploading.
    • Once the file has uploaded successfully the file name will display on the screen and options will change to replacing or deleting the file. There is also an option to view the full CA chain.
    • Clicking Save will return the user to the main RADIUS screen, where the Certificate badge will display in the Primary Authentication column.
      Note: For more information about where and how to find trusted certificates outside of JumpCloud, see RADIUS-CBA Tools for BYO Certificates.

Select Users for Access to the RADIUS Server (User Groups tab):

  • To grant access to the RADIUS server, click the User Groups tab then select the appropriate groups of users you want to connect to the server.
    • Every user who is active in that group will be granted access.
  • Click save.

Note: Users who are being granted access to a RADIUS server and leveraging delegated authentication (with Azure AD as their identity provider) must be imported into JumpCloud and assigned to a User Group.

FortiGate Settings

Follow these instructions to configure the RADIUS server(s) in your FortiGate appliance. Next, we’ll make it possible for your existing users to use JumpCloud’s identity and access management (IAM).

Local Groups with Remote Users

You may enter more than one JumpCloud RADIUS server IP for redundancy. The next section uses the FortiGate command line interface (CLI) to convert your existing local users into RADIUS users. Then, you’ll match the usernames with the respective JumpCloud usernames. Significantly, there will be no changes made from an access control list (ACL) perspective. Yet, you’ll increase your network security and easily meet compliance requirements. The steps are simple, and will spare a small and medium-sized enterprise (SME) the time and expense of allocating/billing blocks of hours with a network technician or MSP partner.

Converting Local Users Into RADIUS Users

The first step is to launch your CLI to convert users that already exist in FortiGate. 

Screenshot: an existing user and user group

This may be scripted to streamline the process for a group of users. The steps include:

# config user local
(local) # edit "USER NAME"
(USER NAME) # show
(USER NAME) # set type radius
(USER NAME) # set radius-server "YOUR SERVER"
(USER NAME) # end

Here USER NAME is the existing local account and YOUR SERVER is the name of the RADIUS server object you defined on the FortiGate (config user radius). Use next instead of end if you are converting several users in the same session; end commits the entry and leaves the config user local context.

Checking Your Work

You may verify these settings by entering:

# config user local
(local) # edit "USER NAME"
(USER NAME) # show
(USER NAME) # end

Screenshot: the local user now points at the remote RADIUS user for authentication

Ensure that the user is a member of the corresponding RADIUS group in JumpCloud with the exact same user name as on your appliance. JumpCloud now controls authentication, including enabling MFA without having to engage with FortiTokens or a third-party MFA solution.
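The post notes that the conversion above can be scripted and that each FortiGate username must match its JumpCloud username exactly. The following Python script, added here as an example and not part of the original post or of any JumpCloud or Fortinet tooling, does both: it checks a list of existing FortiGate local users against the members of the two JumpCloud RADIUS groups named in the post, then emits the FortiOS CLI batch from the Converting Local Users and Checking Your Work steps for the users that match. The usernames, the JumpCloud group membership and the RADIUS server object name (JumpCloud-RADIUS) are constructed sample values; replace them with your own appliance's accounts and the server object you created under config user radius.

```python
# Added example (not from the JumpCloud/Version 2 post): builds the FortiOS CLI
# batch that converts existing local users to RADIUS users, after checking that
# every FortiGate username exists, spelled identically, in a JumpCloud RADIUS group.
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: local accounts already present on the appliance ...
FORTIGATE_LOCAL_USERS = ["jdoe", "asmith", "Bob.Jones", "svc_backup"]

# ... and the members of the JumpCloud groups bound to the RADIUS server
# (group names as in the post; members are constructed).
JUMPCLOUD_GROUP_MEMBERS: Dict[str, List[str]] = {
    "RADIUS-FortiGate_VPN_Users": ["jdoe", "asmith", "bob.jones"],
    "RADIUS-FortiGate_Admins": ["jdoe"],
}

# Name of the RADIUS server object defined on the FortiGate (assumed value;
# use the name you gave it under "config user radius").
RADIUS_SERVER_OBJECT = "JumpCloud-RADIUS"


def fortios_quote(value: str) -> str:
    """Double-quote a string for the FortiOS CLI, escaping backslash and quote
    (assumed escaping convention; plain usernames need no escaping at all)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def check_membership(
    local_users: Iterable[str], group_members: Dict[str, List[str]]
) -> Tuple[List[str], List[Tuple[str, str]], List[str]]:
    """Classify each FortiGate user as matched, case-mismatched, or missing.

    JumpCloud must receive exactly the username the appliance sends, so a
    case-only difference is reported separately rather than silently accepted.
    """
    exact = set()
    for names in group_members.values():
        exact.update(names)
    by_lower = {name.lower(): name for name in exact}

    matched, case_mismatch, missing = [], [], []
    for user in local_users:
        if user in exact:
            matched.append(user)
        elif user.lower() in by_lower:
            case_mismatch.append((user, by_lower[user.lower()]))
        else:
            missing.append(user)
    return matched, case_mismatch, missing


def conversion_script(users: Iterable[str], radius_server: str) -> str:
    """Emit the 'config user local' batch that re-points each user at RADIUS."""
    lines = ["config user local"]
    for user in users:
        lines += [
            f"    edit {fortios_quote(user)}",
            "        set type radius",
            f"        set radius-server {fortios_quote(radius_server)}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def verification_script(users: Iterable[str]) -> str:
    """Emit the read-only batch from 'Checking Your Work' for the same users."""
    lines = ["config user local"]
    for user in users:
        lines += [f"    edit {fortios_quote(user)}", "        show", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ok, case_only, missing = check_membership(FORTIGATE_LOCAL_USERS, JUMPCLOUD_GROUP_MEMBERS)
    for local, remote in case_only:
        print(f"# WARNING: {local!r} differs only in case from JumpCloud user {remote!r}; align one side first")
    for user in missing:
        print(f"# WARNING: {user!r} is in no JumpCloud RADIUS group; left as a local user")
    # Only users that exactly match a JumpCloud group member are converted.
    print(conversion_script(ok, RADIUS_SERVER_OBJECT))
    print(verification_script(ok))
```

Run it and paste the printed batch into the FortiGate CLI; the warnings at the top list the accounts that would otherwise be locked out after conversion because JumpCloud would never see a matching username. The script deliberately converts only exact matches, since a user whose appliance name differs only in case from the JumpCloud name still fails authentication.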

This is an example of an existing FortiGate user:

Screenshot: this RADIUS user belongs to the appropriate JumpCloud group

Reporting

JumpCloud’s Directory Insights captures and logs RADIUS authentications. It makes it possible to determine which user is attempting to access your resources and whether it was successful. Directory Insights is useful for debugging and testing your RADIUS configuration deployments.

Screenshot: JumpCloud Directory Insights

Try JumpCloud RADIUS

JumpCloud’s full platform is free for 10 users and devices with premium chat support for the first 10 days to get you started. The open directory platform provides SSO to everything:

  • SAML
  • OIDC/OAUTH
  • LDAP
  • RADIUS

Attribute-based group access control, mobile device management (MDM), commands, and GPO-like policies are included in the platform for advanced identity lifecycle management. JumpCloud also features integrated remote assistance, reporting, and an optional password manager and cross-OS patch management. The directory platform works across Android (soon), Apple, Linux, and Windows devices, managing identities wherever the user is.

Need a Helping Hand? Reach out to professionalservices@jumpcloud.com for assistance to determine which Professional Service option might be right for you.

10 IT-Related Employee Experience Questions

When evaluating your organization’s technology choices, there are a few different angles to look at it from:
  1. Usefulness – Do the pieces of tech that make up your stack accomplish what you need them to in the most efficient way possible?
  2. Total cost of ownership – Is your TCO where you want it to be, or can it be improved with different tools?
  3. User experience – Is your chosen tech easy to use? Does it save or suck IT’s time?
  4. Employee experience – How does your technology affect the employee experience at your company? Is it promoting productivity and happiness or frustrating and holding up end users?
This article focuses on the employee experience aspect of your tech evaluation process. Consider this: 69% of employees are more likely to remain at your company for 3 years if they have a positive onboarding experience. Though onboarding is just one small piece of the employee experience puzzle, it’s an important one, and your technology is the foundation of your onboarding processes. This is important because if your tech isn’t up to par, then your workflows become disconnected and inefficient, and HR and IT will either have to work harder to make up for that, or your onboarding and identity lifecycle management tasks will be substandard. This leads to IT and HR frustration and burnout, decreased productivity on the end user’s part, and unsatisfied employees, which all negatively affects your bottom line. A good starting point when evaluating your IT tech stack from the angle of how your tech impacts the employee experience is to survey employees with tech- and IT-specific questions. Here are a handful to get you started:

10 Tech Stack and Employee Experience Questions

Onboarding

1. Rate your onboarding experience in the following areas:
  a. Device setup (1-5 scale)
  b. Access setup (1-5 scale)
  c. Technical orientation (1-5 scale)
2. Did you have access to everything technology-wise that you needed on day 1 of your employment? (Yes/No)

Role and/or Access Changes

3. Have you changed roles or responsibilities since joining the organization? (Yes/No)
  a. If yes, rate your role change experience (1-5 scale)
  b. If yes, did you have to reach out to IT or HR to fix anything after your role change, or was it all handled correctly behind the scenes? (Had to reach out./Everything was handled appropriately.)
    • If they answer that they had to reach out, you can provide a box for them to further explain the issue.
4. Have your access needs changed over time for any other reason? (Yes/No)
  a. If yes, rate how efficiently this was handled (i.e., Did your privileges change in a timely manner to allow you to be productive?) (1-5 scale)
  b. If yes, rate how effectively this was handled (i.e., When your privileges were changed, did you have everything you needed to be productive?) (1-5 scale)

Remote/In-Office Work

5. At any point with our organization, did you switch between in-office and remote work? (Yes/No)
  a. If yes, when switching from in-office to remote work, did IT and HR ensure that you were set up to be productive from the moment you changed your work style? (Yes/No)
6. When working from a new location, was your technical experience impacted in a negative way? (i.e., Were you able to access everything you needed with the appropriate security measures in place?) (Yes/No/NA)

Specific Tools

7. How satisfied are you with the apps, software, and other tools you use on a daily basis? (1-5 scale)

Credentials

8. How satisfied are you with the efficiency and ease of daily login processes? (1-5 scale)
9. How satisfied are you with our password management tool? (1-5 scale)

General Pulse Check

10. How satisfied are you with the preparedness of the IT department based on past interactions you’ve had? (1-5 scale)

Creating Your Survey

All of the questions listed here are general suggestions to get you started with evaluating your tech stack versus your employees’ experiences. Modify or remove them as you see fit – feel free to make them more specific or allow employees to write in open-ended answers, to give you a better picture of how your tech truly impacts each person’s day-to-day responsibilities. If you’re looking to improve the employee experience at your organization, it’s important to find and employ technology that connects seamlessly and reduces any current tech disruptions that your end users face. A good place to start is by ensuring that IT’s directory service and HR’s tool of choice connect well. Employee experience and security issues often begin when these two tools don’t work well together, leading to even bigger issues down the line.

Azure AD & Macs: A Better Way to Tango

Until recently, Windows was the de facto platform of choice in the working world as businesses set up their networks on the Microsoft operating system.

They used Word for word processing, Excel for spreadsheet work, PowerPoint for presentations, and Active Directory for domain management. However, the old paradigm has been shifting for some time now.

While Windows-based PCs and laptops are still the market leaders for large and small-to-medium-sized enterprises (SMEs), many organizations have begun to adopt Mac, Linux, and Android devices. Improved usability, convenience, and affordability are commonly cited reasons for switching.

Translation: administrators must manage and control access to their Azure Active Directory from different types of devices and operating systems.

So, can you bind a Mac to Azure Active Directory?

Let’s find out.

Mac and Azure AD: Unwilling Bedfellows

The short answer is yes — you can bind Mac to Azure. But as you can imagine, it is far from straightforward.

Competitors hardly find incentives to make life easy for each other. Think of Pepsi and Coke’s cola wars or Nike and Adidas’ sportswear battles; they’ve been at it for decades. Apple and Microsoft are no different.

With Microsoft’s Azure being a leading access management solution, many IT managers have found themselves being the grass that suffers the pinch between the giant boots of these two tech giants.

Since its release in 2000, Active Directory (AD) has been a staple for Windows networks. It provides users and IT admins with identity management, access control, and policy enforcement for Windows servers, desktops, and laptops.

Azure Active Directory (AAD) is Microsoft’s cloud-based version of its traditional on-premise Active Directory service. It allows businesses to securely access their applications and resources from anywhere on their Windows devices.

However, the problem arises when it comes to Apple’s Macs. While Microsoft has done an excellent job of making Windows computers compatible with AAD, the same cannot be said for Mac users.

The Challenge of Binding Macs to Azure AD

The challenge of binding Macs to Azure Active Directory is twofold:

  1. No thanks to the Apple-Microsoft rivalry, there is no native integration between Macs and AAD.
  2. Even when workaround solutions exist, ensuring a seamless user experience can also take time and effort.

For example, some admins have taken a cobbled approach of creating a domain within Azure using the Azure AD Domain Services (AD DS) before setting up a VPN connection between their Macs and the Azure domain. The problem, however, is that this solution is complicated and even discouraged by Microsoft.

Others, which already utilize Active Directory, can choose to implement an on-prem directory extension. However, this presents a new set of challenges, from extra costs to more infrastructure to manage.

In addition, this doesn’t enable direct Mac integration into Azure AD. Instead, admins are left with a non-future-proof method of managing endpoints.

The Solution: Step Out of Platforms And Into Identity

A better approach for IT admins looking to resolve this problem is to think away from platforms and toward identity.

Rather than relying on a cobbled solution that requires managing multiple directories or on-prem extensions, cloud identity management solutions such as the JumpCloud Directory Platform provide a single user directory that can manage all users’ access to the network and other applications from one central platform.

This solution enables admins to bind not only Macs but also Windows, Linux, and other devices to Azure Active Directory in an intuitive and hassle-free manner. With JumpCloud, admins can securely manage users’ AAD access, regardless of their device or platform.

Also, IT teams that leverage other cloud-computing platforms, such as Amazon’s AWS, or Google Workspace, needn’t worry about managing different identities.

Users can access every network or resource with a single identity, such as Wi-Fi, VPN, web applications, legacy LDAP application, and on-prem or cloud-based file storage solutions. This configuration creates a true single sign-on (SSO) experience for users, making it more convenient and secure.

Manage Identity with the JumpCloud Directory Platform

JumpCloud provides an all-in-one solution for IT admins to bind Macs to Azure Active Directory without any of the earlier-mentioned problems. It’s an identity provider that delivers secure, cloud-based access services to users regardless of their devices.

The platform streamlines user experiences with SSO while unifying admin tools for mobile device management (MDM), multi-factor authentication (MFA), and compliance controls behind one pane of glass. Want to get a better handle on your heterogeneous environment? Watch our demo video and sign up for a free trial today.

Intune Linux Management: Capabilities & Alternatives

Microsoft Intune is a cloud-based enterprise mobility and security (EMS) management solution that enables organizations to manage mobile devices. It integrates with other components of Microsoft’s EMS platform, including Azure Active Directory (AAD) and Azure Information Protection (AIP), allowing IT teams to enforce security policies and manage how endpoints are used in the organization. 

Intune allows organizations to achieve a productive mobile workforce without worrying about corporate data security. For example, IT teams can set rules and configure security policies for various devices, whether those devices are corporate-owned or personal. This helps organizations implement bring your own device (BYOD) policies while mitigating security concerns. 

However, despite these benefits, Intune traditionally supported only devices running Windows, macOS, iOS, and Android operating systems (OSs). This left the Linux-based devices that many companies use to run workloads out of the picture for a long time. Toward the end of 2022, however, Microsoft finally added Linux workstation support to Intune — starting with Ubuntu. 

Does Intune Support Linux?

The short answer is yes. In October 2022, Microsoft announced that Microsoft Endpoint Manager (MEM) added Linux-based devices to its unified endpoint management solution, with general availability for Ubuntu LTS.

However, Microsoft has yet to release support for other distros, which means IT teams are either leaving other types of Linux workstations unmanaged or using other third-party mobile application management (MAM) and mobile device management (MDM) tools.

What’s Been Discussed?

Companies need to ensure that all endpoints are secure and compliant. In this regard, IT teams need to ensure that they mitigate compliance issues by deploying software and patches to all device types, including Linux endpoints. Effective Linux MDM is particularly challenging due to the many flavors of Linux distributions.

With Linux support added to Intune, IT teams can theoretically use a unified console to manage devices and apply the same protection policies and configurations for Linux workstations. Whether Microsoft is able to accomplish that for more distros after Ubuntu remains to be seen.

Having cross-platform support in an MDM is essential because the integration of multiple operating systems into one tool streamlines:

Cloud-Based Management

If IT teams are able to combine all the applications and device controls in one cloud-based endpoint management system, they can then apply policies and endpoint configurations in the same way across a heterogeneous IT environment for added security and compliance. 

In addition, a unified MDM allows organizations to move their employees closer to Zero Trust security architecture and cover their entire IT infrastructure. For example, IT teams can apply management controls such as password policies, Wi-Fi profiles, and certificates in a standard way across all cloud-managed endpoints. 

Compliance

Adding Linux support to an existing MDM enables companies to more easily enforce compliance policies and standards. For example, IT teams can create rules and configuration settings such as the minimum RHEL version that devices need to meet to be considered compliant. 

IT teams can also create application policies that provide an extra layer of protection, allowing employees to access them on personal devices securely. Most importantly, IT teams can also take actions for non-compliance, like sending notifications to the user. 

Conditional Access Policies

Determining if the device is compliant is one of the outcomes of cloud management. In a Microsoft-specific ecosystem, MEM allows organizations to assess the device’s posture while sending signals to AAD. If MEM finds that the device is compliant, it applies conditional access configurations. These configurations combine device compliance signals with other signals such as user identity risks to secure access to enterprise resources through adaptive policies. 

With Intune, Microsoft’s goal is to allow IT teams to set AAD Conditional Access policies for Linux devices, as it does for Windows, macOS, iOS, and Android endpoints. This would ensure that only compliant Linux devices can access enterprise resources such as Microsoft 365 applications. 

However, note that the current release only provides conditional access policies protecting web applications via Microsoft Edge. This is an example of Microsoft attempting to lock admins and users further into the Microsoft ecosystem, without allowing for the flexibility of choice in IT tools. 

The Good News? A Linux Device Management Alternative Already Exists

Even if Microsoft succeeds with its Intune Linux management framework, the approach will still face some challenges. This is because of the differences between Microsoft’s approach to identity and access management (IAM) and other open source solutions. 

For example, while Microsoft’s approach is to create segmented solutions that seamlessly integrate with Azure, the same cannot be said about non-Windows platforms like Linux-based OSs. Additionally, it is those very same segmented solutions that force users into Microsoft products and add additional complexity and cost for IT admins.

If you’d prefer to have a cloud-based MDM that provides the openness you need to choose the best tools and IT resources for your stack, while still resolving compliance and security issues in a heterogeneous environment, then you should consider JumpCloud® as an alternative cloud directory service.

As an open directory platform and unified MDM, JumpCloud centralizes identity and system management, irrespective of OS. It can overcome the common “admin black hole” associated with managing Linux devices, and help you reduce the number of IT tools your organization has to pay for and manage to fully secure its IT environment.

Whether you need patch management, encryption and lock-screen policies, MFA, or other capabilities applied to the Linux devices in your fleet, JumpCloud supports the following distros:

  • Amazon Linux 2 on x86_64 and ARM64 processors
  • Amazon Linux 2022 (AL2022) on x86_64 and ARM64 processors
  • CentOS 7, 8
  • Debian 10, 11 on x86_64 and ARM64 processors
  • Fedora 35, and 36
  • Mint 19, 20, 21 Cinnamon on x86_64 and ARM64 processors
  • RHEL 8, 9 on x86_64 and ARM64 processors
  • Rocky Linux 8, 9 on x86_64 and ARM64 processors
  • Ubuntu 18.04 (64 bit), 20.04, 21.04, and 22.04 on x86_64 and ARM64 processors

Give JumpCloud’s unified device management a try for free, no credit card required, to simplify IT security and compliance. You can register for a JumpCloud Free account and enjoy free 24/7 in-app support for the first 10 days to help you get set up.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Total Cost of Ownership of Azure AD

Editor’s Note: Given the fast-paced nature of technology, it is possible that some of the information presented in this article is out-of-date, or incomplete, in some fashion. The author periodically reviews and revises this article to ensure information contained within is as accurate as possible.

Microsoft® Azure® is an umbrella for a variety of cloud services, including Azure Active Directory (AAD). On its face, Azure AD might seem like a replacement for on-prem Active Directory (AD) or a cloud-based solution for organizations in need of a directory service, but more factors come into play for IT admins making purchasing decisions, including complicated SKUs and licensing. This article examines the total cost of ownership (TCO) of AAD for the type of configuration that a small and medium-sized enterprise (SME) would require for its identity management lifecycle.

AAD was created to extend on-prem AD identities to Azure in order to provide user management for Microsoft Office applications, and now single sign-on (SSO) for service providers (SP). It’s available as a standalone product, but is also bundled with Microsoft 365 (M365) subscriptions. Microsoft has positioned AAD as the connective tissue within a broader identity and access management (IAM) ecosystem. That extends from users and devices to its security portfolio. Add-ons and integrations are almost inescapable, because AAD is very interwoven with those products. It’s not even possible to implement Microsoft’s best practices for AAD without paying more.

A Codependent Approach

Significantly, Microsoft manages endpoints separately from identities even though experts recommend making identity the new perimeter in cybersecurity. Device management (outside of AD) is only bundled with some of its premium M365 SKUs, but not AAD. Organizations that aren’t using M365 will have to purchase a separate subscription to manage their devices.

Microsoft’s reference architecture suggests an array of Microsoft-based tools to fully leverage AAD, so even Microsoft-heavy IT shops will encounter more IT infrastructure and maintenance costs. You’ll have limited administrative capabilities if you use AAD without on-prem AD, or aren’t subscribed to premium tiers and add-on services. For example, you won’t be able to employ the suite of group policy objects (GPOs) to on-prem Windows devices, and you’ll struggle with authenticating local IT resources such as applications and file servers. 

AAD is also not an open directory, so working with external identities from other identity providers (IP) and connecting users to IT resources (RADIUS, LDAP) requires even more solutions. Some are cloud-based, but others expand its footprint on-premise, and are reliant on AD.

Costs of Azure Active Directory

To fully assess the TCO of Azure AD, it’s necessary to account for tangential, but necessary, costs. Fortunately, we’ve developed an equation to help you understand the TCO of AAD:

Costs of Azure Active Directory = Azure AD Premium Package + Add-Ons for device management + External Identities + Azure AD DS + Active Directory + LDAP Server + RADIUS Server + Integration/Management Time for your implements

Let’s begin by assessing AAD’s pricing and then branch outward to the other components.

Standalone Azure AD and M365

Standalone AAD has three SKUs:

  • AAD Free – AAD Free provides SSO to Microsoft apps and federation to other SAML/OIDC services. This version is feature-limited with no group management, limited MFA configurations, limits on directory objects per user, and various other restrictions.
  • Premium 1 (P1) – P1 introduces SSO sign-in page customizations, conditional access rules, role-based group assignments to applications, end-user self-service for passwords and MFA, additional cloud security, and options for authenticating users into local Windows apps. 
  • Premium 2 (P2) – P2 adds risk-based identity protection, more self-service capabilities, as well as identity governance and compliance such as privileged access and entitlements management. Logging and reporting is also more comprehensive.
Azure AD pricing, capabilities, and use cases for Microsoft. Image credit: learn.microsoft.com

M365 subscriptions also bundle AAD. It’s not even possible to use M365 without AAD, which serves as its substrate for managing your users. Some admins encounter AAD through Office.

Its directory features are gated off into multiple tiers:

  • M365 Business Premium – This includes device management and security services to protect identities.
  • M365 E1 – Device management isn’t included and AAD is limited.
  • M365 E3 – This edition includes device management and AAD P1.
  • M365 E5 – This edition includes device management and AAD P2.
  • M365 F3 – This edition includes device management and AAD P1.
  • Enterprise Mobility + Security (EMS) E3 – This edition includes device management and AAD P1.
  • EMS E5 – This edition includes device management and AAD P2.

Microsoft 365 pricing
Image credit: Microsoft

Device Management

AAD sounds a lot like AD, but it doesn’t perform the same role; for example, it won’t manage your devices. Microsoft established its Intune product lineup to manage Android/Chrome, Apple, Linux, and Windows endpoints. Intune relies on AAD for identities and on Configuration Manager (formerly SCCM), in addition to Windows Defender for security and Autopilot for onboarding Windows devices. Intune may be bundled with M365, depending upon your subscription level. However, Intune is not included with AAD P1 or P2, and that omission will increase your monthly costs per user.

Compared pricing and availability of Basic Mobility and Security and Intune

Intune includes enterprise-grade features and can be a useful tool for compliance and managing non-Windows devices for organizations that have many remote workers. However, it also has documented downsides. SMEs that are accustomed to AD may be unfamiliar with its quirks:

  • Unpredictable time spent importing the provisioning of devices, assigning profiles, and deploying apps.
  • Simple mistakes can cause actions to fail, such as a Registry key requirement rule filtering out devices.
  • Problems with assigning available licenses to new users.
  • Configuration changes taking a long time to go into effect.
  • Debugging events and sync logs requiring additional third-party tooling.
  • Loss of internet connectivity causing Windows Autopilot to fail.

The cost of learning, implementing, and supporting Intune is another TCO consideration.

Azure Active Directory Domain Services

Intune is not the only option for Microsoft shops. Azure Active Directory Domain Services (Azure AD DS) is billed as a domain controller-as-a-service for virtual machines and legacy applications. It’s charged for the hour, and the price is based on the number of directory objects.

Per Microsoft, “Azure AD DS provides a managed domain for your users, applications, and services to consume. This approach changes some of the available management tasks you can do, and what privileges you have within the managed domain.”

Azure AD DS differs from on-prem AD in a number of ways, including its lack of domain or enterprise administrator privileges. You also cannot add on-prem domain controllers to the managed domain.

If you use AAD and Azure AD DS in conjunction with on-prem AD — which is necessary if you want full AD capabilities — you’ll have to factor in the associated costs for that as well.

Managing External Identities

Microsoft Entra is necessary to manage external (non-Microsoft) identities and devices. There’s a charge for every single MFA authentication for non-Microsoft identities such as Google Workspace. In addition, AAD P1 or P2 licenses are necessary to work with external identities.

compared pricing for identities

Complex Licensing

If you think that AAD is the right solution for your organization, you’ll have to dig through the pricing and SKUs outlined above. It goes without saying that the pricing model is complicated, and non-system access needs may also obligate you to purchase more CALs. You should begin by understanding your current situation. If you have a Microsoft Enterprise Agreement, Open Volume agreement, or are part of the Cloud Solutions Program, you will have a right to certain functionality (Basic and Premium depending upon your specific agreement).

If your IT organization isn’t a part of any of those programs, yet you’ve purchased Azure or M365, you can purchase the right Premium Azure AD services. It’s possible for SMEs to overspend on AAD or be upsold by a Microsoft partner due to the complexity of its licensing, so it’s important to take the time to understand your requirements versus what you’re paying for.

reddit feed
Image credit: Reddit

Complicated Setup and Migrations

The breadth of potential configurations, critical need to understand security best practices, and overall complexity can make adopting AAD a major initiative. Most SMEs aren’t experts in Microsoft licensing and seek assistance for their implementations. For instance, AAD’s default settings can place your users at risk of phishing attacks that can even bypass MFA. IT teams that are migrating from products such as AD FS or have multiple domains in a forest will face some technical considerations that may be unclear and unfamiliar. Microsoft’s guidance states:

“If you have multiple on-premises domains in a forest, we recommend storing and synchronizing information for the entire forest to a single Azure AD tenant. Filter information for identities that occur in more than one domain, so that each identity appears only once in Azure AD, rather than being duplicated. Duplication can lead to inconsistencies when data is synchronized. For more information, see the Topology section below.” 

That can be significant work for an SME.

The realization that adopting AAD can be very cumbersome has given rise to a cottage industry of consultants, and many organizations purchase blocks of hours to support their deployments. In-house resources may not be enough. Factor implementation costs into your TCO calculations.

Cost of Active Directory

Active Directory represents a number of costs for organizations, including servers, software, and licensing. SMEs will also have to maintain a server room, which can add significant costs.

Servers: Domain Controllers

If you use Azure AD with on-prem AD, servers are an obvious cost. You either need to maintain a server room or spin up AD in a virtual environment, both of which must factor into the TCO of Azure AD. You need to budget for the costs of redundant servers, too, in case your primary domain controller (DC) fails. High availability (HA) is automatic whenever there’s more than one DC. That makes it possible to shut down a server for maintenance without impacting your end users.

A task from an IT department’s project to set up high availability

Objects are automatically replicated throughout the server cluster and administration is more complex: e.g., add-on apps must be installed and updated on each DC. Adding additional servers to achieve HA may increase licensing, management, and other infrastructure costs.

Software: Windows Server

Beyond the cost of the servers themselves, you’ll need to purchase the software to be installed on them. Since 2016, Windows Server licensing has been on a per CPU core pricing structure, rather than the previous per socketed CPU structure. Admins can purchase those licenses in 2- or 16-packs. You may need to stand up multiple servers for all of the required server roles.

Licensing: Client Access Licenses

Another important cost to consider is client access licenses (CALs), which you purchase based either on user count or device count. Core licensing has become even more expensive.

An example of new CALs being required without Software Assurance volume licensing

Hardening AD for Security

It can take more than a work week to secure AD to recommended best practices. Maintaining AD alongside AAD could dramatically increase IT overhead and administrative costs.

A statement of work to harden a domain controller — the total cost was $6,485.95

Advanced Identity Lifecycle Management

AD isn’t Zero Trust, and identity lifecycle management is a manual process unless SMEs develop automations or use third-party solutions. That increases the risk that users may be over- or under-provisioned, or that inactive accounts remain in use. Managing users in AD can be a disjointed, error-prone process. The risk of data exfiltration is higher with manual processes, which creates a financial risk as laws and regulations treat violations more seriously. AAD’s advanced identity management policies can extend AD and improve upon it, but only with P1 or P2 subscriptions. Azure AD Connect is required to sync identities between AD and AAD.

Server Rooms

An accumulation of hardware, servers, and network equipment means you’ll be spending more for your server room. Eventually, you’ll require a more powerful core switch or better firewall. “Better” translates to more expensive and potentially unplanned downtime on your network as well as new annual support costs, change management, and backups of your configurations.

Support renewal costs for upgraded firewalls at a manufacturing company

Then, you’ll have to establish physical security controls and ideally, fire suppression. An inert gas system requires sealing a room and having dedicated HVAC. Other solutions for special hazards, including in-rack fire suppression, are also costly. See here for an example:

Part of a quote for a server room’s fire suppression upgrade

Microsoft promises consolidation, but its solutions can be a wellspring of added administration.

This next section explores non-systems requirements and challenges AAD creates for SSO.

LDAP Server

AAD and AD lack SSO to everything, especially the core protocols that network devices or Wi-Fi networks use. This can lead to identity silos and duplicate authentication flows.

If you aren’t hosting all your server infrastructure in Azure, you’ll also need to manage the associated identity management costs to manage user access to other cloud infrastructure providers such as AWS® and GCP. Some of these platforms offer their own managed Active Directory services, so you can potentially leverage those managed AD services, but you’ll need to make sure that they can connect back to your other AD infrastructure and/or with Azure. None of this work is easy, and it can add a great deal of fragility to your IAM environment.

Azure AD doesn’t come with cloud LDAP functionality, so you’ll need to maintain an LDAP server, as well as service on-prem LDAP applications and an MFA solution, if required. Azure AD DS is also required to sync passwords and group memberships from Active Directory. Azure AD DS allows organizations to migrate legacy applications to Azure entirely, but that service represents an additional cost, as does the work of migrating applications, which is rarely easy.

RADIUS Server

Azure AD does not come with cloud RADIUS functionality either. Instead, you’ll need to spin up a RADIUS server, use the NPS server role, or use another cloud service to manage Wi-Fi and VPN access. You’ll also require a secondary authentication method. JumpCloud makes it possible to leverage AAD credentials for delegated authentication. Many network devices use RADIUS for authentication, and the lack of support makes compliance initiatives more difficult. Auditors often want devices, down to switches, protected by MFA.

Vendor Lock-In

This level of platform integration may be beneficial for “all Microsoft and Azure” organizations. However, the lack of interoperability through an open directory and continued reliance on AD adds costs, complexity, and administrative overhead. That level of monoculture and high dependence on a single vendor makes it more difficult to adopt “best-of-breed” solutions.

With the changing IT landscape, the good news is that IT organizations are leveraging a wider range of platforms. This requires a different set of IT management tools, and specifically, it involves the core identity provider. Using Azure AD encourages the use of Azure throughout your entire environment. AAD, like AD, obligates the use of Microsoft infrastructure and services/applications. This strategy has been successful for Microsoft in the past, and the company is employing it again to lock customers into Microsoft platforms.

Microsoft’s promotion of IT consolidation has been successful from a sales perspective, but it doubles down on vendor lock-in. In contrast, an open directory platform provides value lock-in.

Evaluating Azure Active Directory

Azure AD might be the solution for a Microsoft shop that already has AD established and needs to extend its IT resource management to the cloud. However, organizations should assess their existing stack and whether Azure AD will address all their needs before making the purchase. Beyond Azure AD, organizations will likely need to purchase Intune for device management. Azure AD DS is also necessary to maintain Azure AD Connect (along with their on-prem AD instance), as well as RADIUS and LDAP instances and other add-ons. These all represent cost centers. Azure AD is not an all-in-one solution, but it does meet certain use cases.

Resource to Calculate TCO

JumpCloud released a TCO Guide and TCO Calculator to help IT admins understand the complete costs of different solutions used in their environment. We also invite you to try JumpCloud, which is free and full-featured for 10 users and devices. It may help extend AD in the way that your organization needs to adapt to change or meet compliance requirements without hassle. JumpCloud is 

JumpCloud’s open directory platform delivers select features found in AAD, Entra, and Intune with an emphasis on what’s best for SMEs. Those capabilities are available without gated licensing, tethering your team to legacy systems, or complicated workarounds. It’s priced to enable workflows, versus charging more for advanced identity lifecycle management. JumpCloud enables IT unification, as opposed to consolidating with a single vendor.

Its benefits include:

JumpCloud also offers a variety of Professional Services to help ease the load your employees face. Learn more or schedule a free 30-minute technical consultation.

Software renewals come out of the capital expenditures (CAPEX) budget, which is a major long-term expenditure versus operating expenses (OPEX), the day-to-day operational budget. Accounting makes a distinction between software and services. Using services helps your organization to lower its income taxes and free up cash. Services may make it easier to budget when you already know what the ongoing costs will be.

How to Install and Secure MariaDB in RHEL 9

Jump to Tutorial

MariaDB is an open source and community-developed fork of MySQL. It is a widely used relational database management system (RDBMS) used to store data both in production and for personal and experimental projects. It was designed by the original developers of the MySQL database server, with the objective of remaining open source under the GNU GPL license.

Some of the advantages of using MariaDB over MySQL include:

  1. Strong security thanks to additional security features such as user roles, PAM and LDAP authentication, data encryption, and role-based access control (RBAC).
  2. High performance thanks to more and better storage engines such as Aria and XtraDB. The former replaces MyISAM in MySQL and offers better caching. XtraDB replaces InnoDB and improves performance.
  3. Galera clustering which ensures scalability, high availability, and zero loss of data through replication.
  4. Integrated monitoring using microsecond precision and extended user statistics.

In this guide, we will demonstrate how to install and secure MariaDB on RHEL 9.

Step 1: Upgrade Software Packages

To get started, log into your server as a sudo user via SSH. Next, upgrade all the packages and refresh the repositories as follows:

$ sudo dnf update

The MariaDB Server package is provided by the official AppStream repositories. You can confirm this by searching for the package on the repositories as shown:

$ sudo dnf search mariadb-server

The following output confirms that MariaDB is hosted on the default repositories.

Step 2: Install MariaDB Server on RHEL 9

The next step is to install the MariaDB Server. To do so, run the following command:

$ sudo dnf install mariadb-server -y

The command installs the MariaDB server alongside other dependencies and additional packages required by the database server.

Once the installation is complete, confirm that MariaDB is installed using the following command:

$ rpm -qi mariadb-server

Running this command displays comprehensive details about the MariaDB Server package including the name, version, architecture, installation date, and installed size to name a few.

Step 3: Start and Enable MariaDB Server

Up to this point, we have successfully installed the MariaDB Server. By default, the MariaDB service does not start automatically. As such, you need to start it by running the following command:

$ sudo systemctl start mariadb

In addition, set it to start automatically on system startup.

$ sudo systemctl enable mariadb

To verify that MariaDB is up and running, run the command:

$ sudo systemctl status mariadb

MariaDB listens on TCP port 3306. You can confirm this using the command:

$ sudo ss -pnltu | grep mariadb

Step 4: Secure MariaDB Server

The default settings for the MariaDB database server are considered weak and not robust in the face of a breach or intrusion. As such, you need to go an extra step and secure the database server. To do this, run the mysql_secure_installation script as shown:

$ sudo mysql_secure_installation

Running the script will present you with a series of prompts.

First, you will be required to provide the current root password. Next, you can switch to unix_socket authentication, which lets the root database account authenticate with the operating system credentials of the user connecting to the MariaDB server.

You can then decide to change the root user or let it remain exactly the way it is.

For the remaining prompts, press “Y” in order to secure MariaDB to the recommended standards. This does the following:

  1. Removes anonymous users from the database server. This prevents anyone from logging into MariaDB without having a user account.
  2. Disallows remote root login. This ensures that the root user can only connect from ‘localhost’, i.e., the server on which MariaDB is installed, which prevents network brute-force attacks against the root password.
  3. Removes the test database called test, which can be accessed by anyone and is only used for testing. Its removal is recommended before transitioning to a production environment.
  4. Reloads the privilege tables so that all the changes made take effect immediately.

MariaDB is now secured using the recommended security standards after installation.
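The following audit queries are an added example, not part of the original tutorial. They verify from the MariaDB shell that the four changes listed above actually landed: no anonymous accounts remain, root is restricted to local hosts, root uses the expected authentication plugin, and the test database and its wildcard grants are gone. The clean-up statements at the end are idempotent (IF EXISTS) and assume the usual account names created by a default RHEL install; adjust the Host values to match whatever the first two queries return on your server.

```sql
-- Added audit queries (not from the original tutorial). Run as root:
--   sudo mysql

-- 1. Anonymous accounts: an empty result set means prompt 1 was applied.
SELECT User, Host FROM mysql.user WHERE User = '';

-- 2. Remote root: root should exist only for local hosts. Any row returned
--    here is a Host from which root can still log in over the network.
SELECT User, Host
FROM mysql.user
WHERE User = 'root'
  AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Root authentication plugin: 'unix_socket' means the OS account is used,
--    'mysql_native_password' means a password is required.
SELECT User, Host, plugin FROM mysql.user WHERE User = 'root';

-- 4. The test database and the wildcard grants on it should be gone.
SHOW DATABASES LIKE 'test%';
SELECT Db, User, Host FROM mysql.db WHERE Db = 'test' OR Db LIKE 'test\\_%';

-- Remediation if any check above returned rows. These are safe to re-run;
-- the host values are the defaults on RHEL and may need adjusting.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;
```

Re-running the first four queries after the remediation block should return no rows (and no database named test); keeping this script with your server build notes makes the hardening state checkable after upgrades or restores from backup.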

Step 5: Log Into MariaDB Server

To log in to the MariaDB database server, run the command:

$ sudo mysql -u root -p

Provide the root password for MariaDB and press ENTER. This takes you to the MariaDB shell.

To check the version of MariaDB installed, run the command:

SELECT VERSION();

From the output, you can see that we are running MariaDB 10.5.16.

To list all the databases, run the command:

SHOW DATABASES;

Step 6: Create Database and Database User (Optional)

This step illustrates how to create a database and a database user.

To create a database in the MariaDB Server, run the following command where test_db is the database name:

CREATE DATABASE test_db;

Next, create a database user on the system with a password. Here, test_user is the name of the database user and Password321@ is the user’s password. Be sure to provide a stronger password for your user.

CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'Password321@';

Next, grant privileges to the database user on the database. This determines the rights that the user has on the database, e.g., ALTER, CREATE, DELETE, DROP, SELECT, UPDATE, etc. The following command grants all privileges on test_db to the user; the WITH GRANT OPTION clause additionally lets that user pass its privileges on to other accounts.

GRANT ALL ON test_db.* TO 'test_user'@'localhost' WITH GRANT OPTION;

Lastly, reload the grant tables in order to save the changes made as follows:

FLUSH PRIVILEGES;

To confirm the creation of the database, again, run the following SQL query:

SHOW DATABASES;

This time around, an additional database named test_db appears on the list.

To view a list of all the users in the database server, run the following query:

SELECT User, Host FROM mysql.user;

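As an added example (not part of the original tutorial), here is the same test_db / test_user setup done with a least-privilege grant instead of GRANT ALL ... WITH GRANT OPTION. An application account usually needs only SELECT, INSERT, UPDATE, and DELETE; leaving out DROP and ALTER limits what a leaked application credential can destroy, and leaving out WITH GRANT OPTION stops the account from creating further privileged accounts. The password is a constructed placeholder, and the connection limit is an assumed value to tune for your workload.

```sql
-- Added least-privilege variant of Step 6 (not from the original tutorial).
CREATE DATABASE IF NOT EXISTS test_db;

-- Bind the account to localhost so it cannot be used over the network.
-- The password below is a constructed placeholder; replace it.
CREATE USER IF NOT EXISTS 'test_user'@'localhost'
  IDENTIFIED BY 'ChangeMe-Example-Pw-1!';

-- Only the DML an application needs: no DROP/ALTER, and no WITH GRANT OPTION,
-- so the account can neither alter the schema nor delegate its privileges.
GRANT SELECT, INSERT, UPDATE, DELETE ON test_db.* TO 'test_user'@'localhost';

-- Assumed limit: caps how many simultaneous sessions one credential can open,
-- which blunts abuse of a stolen password without affecting normal use.
ALTER USER 'test_user'@'localhost' WITH MAX_USER_CONNECTIONS 20;

FLUSH PRIVILEGES;

-- Verify the effective privileges: the output should show exactly the GRANT
-- above plus the implicit USAGE grant, and no GRANT OPTION.
SHOW GRANTS FOR 'test_user'@'localhost';

-- Confirm that no account besides root can delegate privileges or has SUPER.
SELECT User, Host, Super_priv, Grant_priv
FROM mysql.user
WHERE Grant_priv = 'Y' OR Super_priv = 'Y';
```

If an application later needs schema changes, grant CREATE or ALTER to a separate migration account rather than widening the runtime account; the final SELECT is worth re-running whenever a new account is added.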
Conclusion

In this guide, you learned how to install and secure the MariaDB database server on RHEL 9. For more information about MariaDB, check out the official documentation.

Looking for more ways to secure your Linux servers and devices? Learn how to improve Linux security posture with JumpCloud’s MDM policies. 

The Top 5 Data Security Breaches of 2022 (and How to Avoid Them)

Today’s leading organizations use personal data to create eerily accurate insights into user behaviors, preferences, and conversations. While the primary goal is often to improve customer experience, the stakes are higher when sensitive or confidential information is involved. 

Malicious actors are always on the hunt for fresh exploitation opportunities; one might even say data is the new oil in terms of espionage! User credentials, medical records, and financial information have all come under attack in recent years, leading to millions of dollars in costs.

This article will highlight the most prominent high-profile data security breaches of 2022. In it, we’ll also share how each organization responded with the intention of learning from their experiences. Let’s get started: 

5 Lessons Learned From 2022’s Biggest Security Breaches


Unfortunately, 2022 was no exception to breach activity. 

According to Statista, approximately 24 million data records were exposed worldwide during the year’s first three quarters. Has data taken over for oil as the most valuable commodity of the modern age?

1. Crypto.com Witnesses Widespread Theft

Crypto.com is a cryptocurrency trading exchange based in Singapore. On the 17th of January 2022, it became the latest (at the time) high-profile victim of hackers targeting crypto wallets and making away with customers’ crypto tokens.

What Happened?

According to an official report from the exchange company, its risk monitoring systems detected transactions from customer accounts that were approved without two-factor authentication (2FA) from the account holders. The attack targeted 500 customers’ accounts and saw the actors steal up to $33 million worth of bitcoin and Ethereum.

The Aftermath

Crypto.com put its withdrawal services on hold for 14 hours and upgraded to a new 2FA infrastructure. It revoked existing 2FA tokens and required users to create new ones compatible with the new infrastructure.

The exchange also maintained that it conducted a full-scale audit of its network infrastructure and improved its security posture.

It also contracted with external security firms to carry out security checks and provide threat intelligence services.

What about the poor customers whose crypto tokens got filched? Despite initially claiming that “No funds were lost,” Crypto.com acknowledged that money had been stolen and reimbursed its customers.


2. International Committee of the Red Cross Gets Attacked

The Red Cross is a reputable international organization that provides essential medical and humanitarian aid to vulnerable persons worldwide. 

However, in January 2022, they became victims of a data breach after cyberattackers gained entry to their network through a late patch of their security systems. The attack led to the breach of records of 515,000 vulnerable persons, containing their names, locations, and other personal data.

What Happened?

The attack on the Red Cross’s servers was deliberate and targeted, using sophisticated techniques and code designed to run on specific ICRC servers.

The cyberattackers gained access to the Red Cross’s network on the 9th of November 2021 through an unpatched vulnerability in an authentication module. Upon gaining entry, they deployed tools that let them pose as authorized users and administrators.

From there, the attackers could access the sensitive information they wanted despite the data encryption.

To date, there’s been no evidence that the information stolen in this attack has been traded or used for illicit purposes. And despite speculation that the responsible actors may be state-sponsored, the identity of the persons behind the attack and their motives are still anyone’s guess.

The Aftermath

After determining on the 18th of January that their systems had been compromised, the Red Cross worked with security experts to investigate and secure the vulnerability through which the attackers gained entry.

For a time, the affected systems were taken offline and were only taken back up after several penetration tests had been carried out to prevent reoccurrence.

The organization also took extensive measures to communicate the breach to those affected.


3. Whistleblower Reveals Suisse Secrets

Switzerland is world-famous for three things: the Alps, staying neutral during conflicts, and banking secrecy laws. The latter forms the background of this data breach incident.

At its forefront was Credit Suisse, one of the world’s biggest financial institutions, with its clients’ financial details totaling assets worth $108.5 billion being publicly revealed.

What Happened?

The leak was an intentional attempt by a person or group to expose the bank’s alleged lucrative business of helping clients hide their wealth. Financial details dating from the 1940s through 2010 were revealed to a network of 163 journalists from 48 media organizations worldwide.

It is believed that the attack came from an insider threat, as the source was most likely an employee of the bank who gained access through their legitimate credentials.

Although the bigger story is definitely about how some of the bank’s clients controversially acquired their wealth, there is no shying away from the fact that the data breach itself is a significant concern for the organization’s security integrity.

This is particularly so when one considers that, as the whistleblower themselves admitted, owning a Swiss bank account is not a crime, and many of the bank’s clients had gotten their wealth through honest means.

The Aftermath

Credit Suisse denied any wrongdoing and maintained that the information revealed was history taken out of context.

As for the data breach itself, well, all of the information itself had become publicly available, and, as such, remediation was not really possible.

What the bank could do, however, was to review and reinforce its internal processes and data security protocols. All of which they, of course, said they did.


4. The North Face Data Breach

The North Face is one of the world’s leading apparel companies and has been supplying outdoor adventurers with everything they need to get out into nature since 1968. However, in August 2022, they became one of the companies that fell victim to a data breach.

What Happened?

The attackers used credential-stuffing tactics to gain access to about 200,000 customers’ accounts, where they acquired names, emails, billing and shipping addresses, phone numbers, and more. Notably, no financial information was compromised in the attack.

The public was informed of the data breach through a notification the company sent to customers who may have been affected. In it, the company stated that the attack was launched on the 26th of July and was detected and blocked on August 11 and 19, respectively.

The Aftermath

Upon detection, The North Face moved quickly to contain the attack, resetting passwords of all affected accounts and erasing payment card tokens. The company maintained that compromising the payment card tokens did not put the customers at risk, as the information in them is only useful on the North Face’s website. Customers were also encouraged to use new passwords which they hadn’t used in other accounts.

5. Toyota Exposed by Contractor Mistake

Think all data breaches boil down to malicious intent? Think again.

Toyota is arguably the biggest name in the automotive industry so we can skip the introductions. In October 2022, Toyota experienced a significant data breach due to an error made by a third-party contractor.

What Happened?

Sometime in 2017, Toyota hired a website development subcontractor for its T-Connect service. The subcontractor then mistakenly posted some of the source code to a publicly accessible GitHub repository. This granted third-party access to almost 300,000 persons’ email addresses and customer control numbers.

This remained in place for five years and was discovered in 2022.

The Aftermath

As soon as Toyota made the discovery, it immediately changed the access key and made the source code private. It assured customers that there was no possibility of data such as names, telephone numbers, or credit cards being compromised as the affected servers held no such information.

It also urged customers to remain vigilant and watch out for phishing or spoofing attacks, and set up a help center where customers can confirm whether their email address was among those that were breached.

How to Reduce Your Risk of Data Breaches

If there’s any lesson the aforementioned events provide, it’s that you can never be too careful, as the data security space can be unpredictable. Data breaches can happen anytime, from insider threats to malicious external actors and even human error.

Here are a few measures you can take to minimize the risk:

  • Implement multi-factor authentication (MFA) systems for all sensitive accounts and services.
  • Ensure that all software is up to date and patched with the latest security updates.
  • Restrict employee access to sensitive data and use encryption software whenever possible.
  • Perform regular security audits and risk assessments to identify any possible weak points in your data security.
  • Use a reputable cloud provider for all of your data storage needs.
  • Make sure all passwords are strong, unique, and changed regularly.

Following these measures will help you stay one step ahead of the bad guys and keep your data safe. And as hackers become more sophisticated, we must become even more vigilant and update our security strategies accordingly.

Beef Up Security With JumpCloud

The JumpCloud Directory Platform boosts IT admin and MSP peace of mind by unifying their most integral security tools in one place. From MFA to single sign-on (SSO) to mobile device management (MDM), JumpCloud provides a comprehensive solution to keep organizational data safe and secure from nefarious hackers. 

It provides time-saving capabilities like automated patch management, wipe and lock, and one-touch deployment. The best part? Most users saved money after switching to JumpCloud and reduced their IT stacks. Stay steps ahead of making the news for the wrong reasons. Sign up for a free trial today.


JumpCloud Linux Capabilities Roundup in 2022

At JumpCloud, we are constantly investing in and developing our Linux infrastructure and capabilities for our customers. We want to give admins the flexibility to manage and control Linux devices on the same platform as any other OS (i.e., Mac, Windows, iOS, and Android) so they can continue to utilize the speed, stability, and security of Linux-based systems wherever they need them.

At the beginning of 2022, we planned to increase the velocity and focus of our Linux capabilities. Some of the key areas of focus for Linux included:

  • Enable Remote Security Management
  • Improve and Strengthen Security Posture 
  • Provide Simple & Scalable Patch Policies
  • Introduce New Popular Linux Distros

Just take a look at what our customers have been leveraging this year. 

Security Commands

JumpCloud Commands let you quickly and easily automate tasks across multiple servers, launch those tasks based on a number of different types of events, and get full auditing of all command results. To that end, we added more security commands that allow Linux devices to remotely execute management commands, such as:

  • Lock
  • Restart
  • Shutdown
  • Erase
  • Screensaver/Inactivity Lock based on timeout period

New Linux Policies

We added new Linux policies to help organizations manage and secure their deployed Linux endpoints more efficiently while improving their overall security posture. They include:

  • Partition Options
  • File Ownership and Permissions
  • Network Parameters
  • Disable Unused Filesystems
  • Additional Process Hardening
  • Configure RSyslog
  • Forbidden Services
  • Secure Boot Settings
  • Service Clients
  • SSH Root Access
  • SSH Server Security

Patch Management

JumpCloud Patch Management was launched in Q1 2022 with initial support for Windows and iOS. Our Linux (Ubuntu) support was a fast-follow in April. The Ubuntu default policies are preconfigured with conservative defaults for the following settings:

  • Defer Rollup/Patch Updates: The number of days to defer the availability of future minor OS updates. For Deferral Days, specify how many days to defer a minor OS update after it’s released.
  • Defer Major Updates to Ubuntu LTS versions only: Specify how many days to defer the availability of future major LTS OS updates. For Deferral Days, specify how many days to defer a major OS update after it’s released.

Expanded Linux Agent Support

JumpCloud continues to build out our support across Linux-based systems to give IT administrators the flexibility to manage all of their deployed devices. Expanding to a variety of new distributions, the JumpCloud agent can be deployed to secure, manage, and view these systems in the admin portal. Our supported Linux distros include:

  • Amazon Linux and Amazon Linux 2
  • CentOS 
  • Debian 
  • Fedora 
  • Mint 
  • Rocky Linux 
  • Ubuntu 
  • RHEL and more

What’s Next?

Exciting new capabilities are already in the pipeline for Linux. Perhaps a sneak peek is allowed as we bring good cheer to the new year. Linux support is coming to JumpCloud Remote Assist! Admins will be able to remotely access (view and control) a Linux laptop or desktop to help troubleshoot and resolve issues.

If you have not tried any of our Linux capabilities, sign up for a free account for up to 10 users and 10 devices. Support is available 24×7 within the first 10 days of your account’s creation!


5 Simple Security Measures for SME Compliance on a Budget

Did you know that nearly half of small businesses experienced cybersecurity breaches in 2021? 

The information comes from a 2021 AdvisorSmith survey of 1,122 small business owners and managers. Yet, a whopping 61% of them aren’t concerned about falling victim to cyberattacks. They think they’re “too small to be a target.” 

Bad actors target small businesses and small-to-medium-sized enterprises (SMEs) just as frequently (if not more so) than established organizations. Websites get hacked, email accounts get compromised, and sometimes, employees even steal sensitive information. 

While it’s understandable for budget-conscious SMEs to put cybersecurity measures on the back burner, it just isn’t worth the risk. Especially when there are simple actions organizations of all sizes can take to improve their security tenfold. 

Before we dive into our top five cybersecurity tips for SMEs, let’s take a moment to better understand what factors might make your organization an easy target. 

Why SMEs Are Easy Targets for Cybercrime 


As previously mentioned, many folks assume adversaries solely target enterprise companies because they provide larger opportunities for blackmail profits.

What they don’t realize is that SMEs are often targeted by chance, not by choice. Cybercriminals may impersonally wade through lists including hundreds of business names without doing much research into organizational holdings. 

With that said, SMEs and enterprise-level companies alike are often chosen for the following reasons: 

1. Money

Most cybercriminals carry out attacks for financial benefits. Naturally, receiving direct payments from victims is the most efficient way to profit from an attack. They usually lock down assets, before demanding a ransom to unlock them. 

Intellectual property (IP) is a highly motivating asset to steal. Criminals know that an SME will pay big to get it back, as leaked IP can bring a small business to its knees. Some hackers also sell breached assets, data, and information on the black market for profit.

2. Company Damage

Alternatively, some attacks are politically, competitively, or ideologically motivated. Though it may sound like the plot of a thriller movie, disgruntled former partners, business rivals, and unhappy employees have all been known to hijack organizational systems. 

A successful cyberattack can cause major damage. It can wipe data, cause downtime, or even drive a total business shutdown. In addition to depleting bottom lines, it can ruin consumer trust. Breached SMEs also risk facing compliance ramifications, especially if the breach affected consumers and other third parties.

3. Access to Resources

Cyberattacks can also be aimed at leveraging the company’s resources and relationships. For example, cybercriminals may target your business as part of a larger DDoS attack, to steal customers’ personally identifiable information (PII) for financial fraud, or just to hijack your computer resources for crypto mining.

4. Testing Tactics

Software engineers aren’t the only ones who run tests! Cybercriminals sometimes experiment with new tactics and attack vectors on smaller businesses before targeting the big fish in the pond. 

SMEs are an easy target in such cases because the criminals expect their defenses to be weak. Don’t allow your organization to be someone’s stepping stone to a more high-impact target.

5. Becoming a Casualty in a Supply Chain Attack

Finally, SMEs are sometimes victims of circumstances. An attack may target a large vendor’s asset and infect the entire supply chain, spreading out to customers, other third parties, and even SMEs that interact with the compromised assets or parties. 

These unintentional attacks may still end up crippling businesses. There are many other reasons why SMEs make easy targets for criminals. But the bottom line is that SMEs’ resource limitations can make them attractive and impactful targets to cybercriminals. 

Read Combining Business Priorities and Security: Choose Your Own Adventure.

5 Simple Security Measures for SMEs


Whether you’re the target of an intentional attack or a victim of an unintentional attack, the implications of a security breach can be dire. 

It’s better to take a proactive approach to cybersecurity than deal with potential financial, legal, and reputational challenges down the line. Below are five simple measures that can help you to improve your business’s cybersecurity even on a budget: 

1. Implement Multi-Factor Authentication

Compromised credentials such as passwords cause 61% of data breaches. Implementing multi-factor authentication can help reduce these breaches.

Multi-factor authentication (MFA) is a security method for protecting access to online resources by using multiple (often two) factors to verify a user’s identity. MFA requires an additional proof of identity besides a password. This can be a security key, biometric data, a one-time passcode (OTP) via email or SMS, or a push notification from a supported smartphone or tablet app.

Implementing MFA has many benefits, including securing your resources even if your passwords have been compromised. 

Read How Effective Is Multi-Factor Authentication.

2. Stay on Top of Patch Management

Antivirus software is great at stopping known malware threats. But admins must keep systems up to date in order for them to work properly. This is why it’s important to stay on top of patch management. Your computers, servers, and operating systems should always be patched. 

System patch management is critical because patches often fix bugs and address security vulnerabilities in operating systems. For the modern business with distributed workforces and a variety of work devices and operating systems, manual patching can be a headache. Consider cloud patch management solutions within unified toolkits like the JumpCloud Directory Platform. 

Here’s how JumpCloud cloud patch management works for Mac and Windows systems. 

3. Use Firewalls

A firewall is a security system that filters network traffic and prevents unauthorized access to your network. Besides blocking unwanted traffic, firewalls also protect your systems from malicious software infections and prevent unauthorized access to sensitive company data. They are an invaluable tool in web traffic management.

With a dependable firewall in place, only trusted sources and IP addresses can access your systems. Firewalls often differ based on their structure, functionality, and traffic filtering methods. Some of the most common firewalls include:

Firewalls are crucial components of any perimeter-based cybersecurity. For your network and devices to be protected, you need to properly set up and maintain your firewall. Always ensure your firewalls are up to date.

4. Enforce Strong Password Policies 

All your cybersecurity efforts can go to waste if you have ineffective password policies. Besides emphasizing strong passwords that are difficult to crack, you should also encourage your employees to change their passwords regularly and not share them with other people. Implement multi-factor authentication as discussed above.

Read Best Practices for IT Security Passwords. 

5. Implement the Principle of Least Privilege

People within your organization can pose significant security risks too. Insider threats happen when people with access and privileges abuse them. This is why it’s crucial to carefully consider who needs access to what.

Implementing the principle of least privilege will protect your resources from insider threats. Additionally, it makes it easier to monitor compliance and makes it easier for your employees to access the resources they need instead of having to sift through everything.

Read Your Guide to Privileged Access Management. 

Simplify Security With JumpCloud

For SMEs with lean budgets, cybersecurity can feel unattainable. But you can’t afford to skip security entirely.

The five simple, cost-effective actions outlined above can significantly improve cybersecurity without breaking the bank. There are also affordable tools such as JumpCloud, with a la carte options, that can help SMEs streamline security efforts in a centralized platform. 

Simplify your security with JumpCloud.
