When was the last time you went through and culled your address book? How about your photos? Or your iTunes library? Have you cleared out your closet recently? Or your bookshelves? Or your garage? Yeah, me too. And if you’re not moving in the near future, well, those repositories will probably keep growing and growing.
Things accumulate. We’re human – very busy humans. And we don’t always have time to clean up after ourselves. Today we’re going to talk about the value and importance of keeping your databases clean and organized.
As IT Admins, we like our tools to work seamlessly with each other. We want our HRIS to integrate with our Directory Service. We want our network access and our collaboration tools to come along for the ride too. We want a unified IT stack that will streamline our services and make our lives easier. We want more time to do the cool things.
But like all things, there is a price to pay for simplifying. Like most things, it’s not the initial cost, it’s the upkeep. And so, implementing a cloud directory service isn’t a huge lift for most of us. But keeping its data updated… well, that’s a different story. We don’t care for that story. Besides, if we offboard properly and suspend accounts, all is well anyhow, right?
Nothing in your business is more important than your data. And, so, you treat that data like the crown jewels – you require a lot of identification and authorization in order to access them. Your IAM tool of choice is the guard that you use to control access to your crown jewels.
Your job, as an IT professional, is to make sure that your company’s data and your employees’ PII is safe and secure from prying eyes and that it is protected from all forms of disaster. To perform this disaster avoidance, you put in place a number of different types of safety measures – firewalls, SSL, SSO (and the rest of the alphabet of security), multi-tiered backup strategies (think belts AND suspenders), and implementations that retain access rather than regain access to data. Additionally, you perform regular checkups of your tools.
In order to mitigate a disaster in advance, I highly recommend being psychic. But, seriously, performing regular checkups on your mitigations is the only way to truly prevent trouble when disaster strikes.
This includes making sure you’re following the methodology for adding/removing/updating IT administrators. We all want single-button management in IT. Wait, let me rephrase that. We want single-button-but-with-granular-control IT management. We want to work less and profit more. Sadly, we can’t have everything we want. While much of what we can offer you with JumpCloud is simple and streamlined, there is some assembly required.
When deciding on Admin roles within JumpCloud, you should fully understand the privileges associated with each role (see JumpCloud Admin Portal Roles for a helpful graphic):
There are a number of things to keep in mind when assigning a role to your Admins. Above all else, best practice is to assign more than one Administrator With Billing. I cannot emphasize this strongly enough. Do not skip this step – access to your JumpCloud instance depends on this. “Why?” you ask. Good question, I’d love to tell you.
The billing administrator holds the keys to the JumpCloud kingdom for your company. That admin has all the rights to do everything everywhere. Further, that admin is where your invoices get sent. If your billing admin leaves and you don’t have a second billing admin, a couple of key things happen (or, rather, don’t happen) because you will lose your super admin privileges to JumpCloud.
The first painful thing that happens is that you lose super admin privileges to JumpCloud.
The second pain point happens because when the billing admin is suspended, their email address is also suspended. Makes sense, right? If your company no longer has access to that old email address, invoices end up in /dev/null. That is bad for everyone – for you, for your users, for your business. Everyone becomes #sadpanda.
Lastly, if a billing admin leaves and you don’t properly offboard that person, you leave yourself a security hole. That admin could, potentially, still access assets.
All is not lost: if a billing admin leaves and nobody else is promoted into that role before they leave, it is fixable. But it is a remarkably unpleasant chore to regain access, and much time could pass before you realize the error, which could result in the JC instance being suspended. While not a show-stopper, of course, it is also no small task. There is a regaining-access-to-your-domain-name level of hoop-jumping you’ll need to go through to restore access.
Create some processes that will help you avoid this particular pain point. Checklists are a great tool to help ensure that you’re taking care of all the tasks that will keep you in business. Do your Directory Service checkup on some regular interval, like you do for your backups (you do check your backups, right?). Put it on your calendar and write it into your job description. On the date that it’s due, nothing else happens before this checklist is completed.
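One way to automate the admin-roster part of such a checkup, as an added example (not JumpCloud's code or API). It assumes you have exported the admin list and a current-staff list yourself; the field names `email`, `role` and `suspended` and the sample addresses are constructed for illustration.

```python
BILLING_ROLE = "Administrator With Billing"
MIN_BILLING_ADMINS = 2  # the article's rule: never rely on a single billing admin

# Constructed sample data; field names are assumptions, not a JumpCloud export format.
ADMINS = [
    {"email": "alice@example.com", "role": BILLING_ROLE, "suspended": False},
    {"email": "bob@example.com", "role": BILLING_ROLE, "suspended": True},
    {"email": "carol@example.com", "role": "Administrator", "suspended": False},
    {"email": "dave@example.com", "role": "Administrator", "suspended": False},
]
CURRENT_STAFF = ["alice@example.com", "dave@example.com"]  # e.g. from the HRIS


def audit_admins(admins, current_staff):
    """Return (severity, message) findings in roster order, coverage check last."""
    staff = {e.lower() for e in current_staff}
    findings = []
    active_billing = []
    for admin in admins:
        email = admin["email"].lower()
        is_billing = admin["role"] == BILLING_ROLE
        if admin["suspended"]:
            # A suspended billing admin still "owns" invoices nobody will read.
            if is_billing:
                findings.append(("high", f"{email}: suspended but still holds "
                                         f"{BILLING_ROLE}; reassign the role"))
            continue
        if email not in staff:
            # Active admin who has left: incomplete offboarding.
            findings.append(("high", f"{email}: active {admin['role']} not in "
                                     "current staff list; offboard this account"))
            continue  # a departed person must not count toward coverage
        if is_billing:
            active_billing.append(email)
    if len(active_billing) < MIN_BILLING_ADMINS:
        findings.append(("critical", f"only {len(active_billing)} active "
                                     f"{BILLING_ROLE}; need {MIN_BILLING_ADMINS}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_admins(ADMINS, CURRENT_STAFF):
        print(f"[{severity}] {message}")
```
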
This quarterly Directory Health Checklist should answer the following:
Do you do monthly/quarterly checkups? What’s on your schedule besides testing your backups and checking your Directory service’s admin access? Let’s talk about strategies for this!