
User-Based Policies?

Denver
Novitiate I

Hello,

I've been keeping an eye on JumpCloud's progress and have been wanting to switch our small company over to it from Active Directory for quite some time now. The problem is that our company has multiple users jumping on and off each of our PCs throughout the day. Some of these users should have Admin rights with no restrictions while other users should be prevented from accessing things like USB ports, CMD/PowerShell, Control Panel, etc. I can do that just fine with AD Group Policies and control things on a very granular, per-user/user group basis for each shared PC. I have not yet found a way to do that with JumpCloud and it is the only thing that has prevented us from making the switch.

It appears that JumpCloud only allows device-based Group Policies with an all-encompassing approach that forces all users of that PC to have the same level of access. We don't want to block out our IT personnel and we don't want to give our newly hired temps access to things they shouldn't have.

So my question is, has anyone found a way to get user-based GPOs working for JumpCloud after tossing out Active Directory?

2 REPLIES

BenGarrison
JumpCloud Alumni

At this time, this isn't something that we are currently focused on. Our policies manage the entire system, as you mentioned.

The only way around this is to create login events that could leverage our commands module, which could then run to apply "policies" (i.e., registry keys) at the user level. This would be OK if it was one or two devices. But if your entire organization is doing this, it wouldn't be feasible.

I still feel this is something that we could evaluate. If you wouldn't mind submitting a feature request, that would be super helpful!

 

Denver
Novitiate I

Actually I did submit a feature request for this some time ago and have not heard anything about it since. That's one of the reasons why I wanted to jump on here and see if anyone had come up with a creative way to handle it themselves.

I've already gone down the PowerShell path of changing GPO registry keys whenever a certain user logs in and it was extremely unreliable. I also gave several PowerShell GPO editing modules a try and they had the same result.

The only thing I've found so far that can reliably set policies at the user level without a domain or AD was using the built-in "Multiple Local Group Policy Objects" snap-in. The problem with that is that you have to go to each PC and manually configure the policies for each user. You also cannot set policies for specific user groups, which would save quite a bit of time. Like you said above, that's just not feasible.
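
The login-triggered registry approach discussed in this thread, sketched as an added example (not code from either poster or from JumpCloud). It assumes the script runs elevated (for example as SYSTEM) after the target user has signed in, that the user is a local account, and that a local group named `Restricted-Temps` exists; that group name and the parameter names are hypothetical. It covers the command prompt, Control Panel and removable storage settings only.

```powershell
# Added example: apply or clear per-user policy values based on local group membership.
# Must run elevated: standard users cannot write under their own ...\Policies keys,
# so a script running in the user's own logon context fails to set these values.
param(
    [Parameter(Mandatory)] [string] $UserName,
    [string] $RestrictedGroup = 'Restricted-Temps'   # hypothetical group name
)

# Registry locations used by the matching User Configuration policy settings.
$policies = @(
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                   Name = 'DisableCMD';     Value = 1 }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Name = 'NoControlPanel'; Value = 1 }
    @{ Key = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices';  Name = 'Deny_All';       Value = 1 }
)

# Resolve the account to its SID and address the hive directly instead of HKCU,
# because HKCU in an elevated or SYSTEM session is not the target user's hive.
$sid  = (Get-LocalUser -Name $UserName -ErrorAction Stop).SID.Value
$hive = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $hive)) {
    throw "Registry hive for $UserName ($sid) is not loaded; the user must be signed in."
}

# Is the user a direct member of the restricted group?
$restricted = [bool](Get-LocalGroupMember -Group $RestrictedGroup -ErrorAction Stop |
    Where-Object { $_.SID.Value -eq $sid })

foreach ($p in $policies) {
    $path = "$hive\$($p.Key)"
    if ($restricted) {
        # Create the key if needed, then set the DWORD policy value.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $p.Name -Value $p.Value `
            -PropertyType DWord -Force | Out-Null
    }
    elseif (Test-Path $path) {
        # Unrestricted user on a shared PC: clear values left by an earlier run.
        Remove-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
    }
}

# Emit the decision so the command's output can be reviewed centrally.
[pscustomobject]@{ User = $UserName; Sid = $sid; Restricted = $restricted }
```

Because the script depends on the user's hive already being loaded, a run that fires before sign-in completes stops with an error rather than silently applying nothing.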