This case study shows a potential solution for JumpCloud device management working in conjunction with Duo MFA for device login. Big thanks to my fellow coworker Rickie N. for all of the heavy lifting, script writing, and background knowledge of how to bring the pieces together to make this solution work.
The primary way of using Duo alongside JumpCloud is to enforce MFA when accessing the JumpCloud user portal and SSO. It is also possible to enforce Duo MFA at device login by synchronizing JumpCloud's user directory to Duo and then deploying the Duo agent (Duo calls this agent "Duo Authentication for Windows/Mac Logon") onto end-user computers.
This works by making JumpCloud the source of truth for users, binding those users to JumpCloud-managed devices, propagating them to Duo, and using JumpCloud to deploy the Duo agent onto your end-user devices.
Below is a broad outline of the steps needed for this solution. Much of the wording focuses on text-message and phone-call based authentication, but the solution should work the same way with the Duo Mobile app.
For user access to the JumpCloud user portal or SSO applications (when using conditional access policies), JumpCloud has Duo support built in; this article explains how to configure it within JumpCloud.
[JC Admin Portal] Under the MFA Configurations section, disable all other forms of MFA and enable/configure the Duo WebSDK Application.
Note: As of this writing, the "Duo Essentials" license level should support all the functionality mentioned in this article.
Individual users would configure their Duo MFA secondary authentication settings through the Duo user portal as opposed to the JumpCloud user portal.
If you have the JumpCloud → Azure AD/M365 directory integration configured, propagating users to Duo is quite elegant: Duo's Azure AD sync reads them straight from that tenant, with no additional infrastructure on your side;
Alternatively, you can pull these users through Duo's Active Directory or LDAP sync, though this requires the Duo Authentication Proxy to be installed on a self-managed server (hence the most desirable method is the Azure AD sync that Duo offers).
These are the Sync options within the Duo admin portal;
In the JumpCloud Admin Portal you will need to bind users to managed devices. Binding provisions the user as a new account on that device (or takes over an existing local account), manages the user's rights (Standard or Admin), controls the user's state (active/suspended), and provisions the user's JumpCloud password to the device.
Note that the Duo agent does NOT need to be installed through JumpCloud; for testing it is often easiest to install it manually on a device. But to take full advantage of JumpCloud device management, you can install the Duo Authentication agent onto end-user devices using JumpCloud's Commands functionality.
For initial testing we recommend setting these commands to Run manually; long term, it would be ideal to set them to Command After Agent Install, which runs the command automatically whenever a new device is added to your JumpCloud device list.
How to create a command to run automatically after a device is added
Duo has detailed documentation about how to enable device auth for Windows and Macs. These links include useful information about installing the Duo agents, and we encourage you to peruse them before continuing on.
The Duo Windows agent can be installed using simple command line parameters on the executable install file (See above link for more information).
The Duo macOS agent requires a script with some simple modifications. The above link provides a download of that script, in which you specify the information needed for a silent install (Duo's ikey, skey, API hostname, etc.).
This Duo KB article explains the specific parameters you will need to gather from the Duo admin portal, and provides a list of optional settings you may choose to deploy.
Here is an example of the Windows PowerShell command. Replace the placeholder values in the script below with your own. This JumpCloud command downloads the latest Duo Windows agent from Duo's download site and then silently installs it with the values you set for IKEY, SKEY, HOST, AUTOPUSH, FAILOPEN, SMARTCARD and RDPONLY. Two things to check before you deploy it: the SKEY is a secret (anyone who can read the command, or its results, in JumpCloud can read it), and FAILOPEN="#1" means that a device which cannot reach Duo at login lets the user in without a second factor. Fail-open avoids locking users out when a laptop is offline, but it also means that blocking the device's network path bypasses the second factor, so choose it deliberately ("#0" fails closed). The earlier form of this command relied on PowerShell's curl alias for Invoke-WebRequest, which PowerShell 7 no longer ships, so the download is written out explicitly here.
Example PowerShell command script used to install Duo for Windows Logon.
# Download the installer to a temp path, then run it silently and wait for it to finish. The install arguments are in a
# single-quoted string so PowerShell passes them verbatim; the \" escapes are what the InstallShield /V switch expects
# (the same form Duo's documentation shows). -UseBasicParsing avoids the IE first-run error when this runs as SYSTEM.
Invoke-WebRequest -UseBasicParsing -Uri 'https://dl.duosecurity.com/duo-win-login-latest.exe' -OutFile 'C:\Windows\Temp\duo-win-login-latest.exe'
Start-Process -FilePath 'C:\Windows\Temp\duo-win-login-latest.exe' -Wait -ArgumentList '/S /V" /qn IKEY=\"YOUROWNIKEYHERE\" SKEY=\"YourOwnSKeyHere\" HOST=\"api-xxxx1de.duosecurity.com\" AUTOPUSH=\"#0\" FAILOPEN=\"#1\" SMARTCARD=\"#1\" RDPONLY=\"#0\""'
Example of windows command within JumpCloud Admin portal.
The macOS command script used in the JumpCloud command is even simpler than the Windows script, but Duo requires you to follow a few steps to prepare the PKG file for installation of the Duo Mac agent. You cannot pass the parameters at install time the way you can on Windows. Instead, follow Duo's procedure as laid out in this article to create a PKG file with the parameters specific to your Duo org.
NOTE: Since you must download the installer zip file first and then run Duo's script to prepare the PKG file, you have to self-host the resulting installer. You can use Dropbox or another file-sharing solution that allows direct file access without a web prompt, though the most commonly used option is an Amazon AWS S3 bucket, as they are cost-effective and easy to set up (which is the example shown in the script below). Keep in mind that the customised PKG embeds your Duo integration key and secret key, so treat it as a secret: do not make the bucket publicly listable, and prefer a time-limited pre-signed URL over a world-readable object;
Example bash command script used to install Duo for macOS Logon.
#### Need to host the customised PKG file somewhere. Customisation walkthrough can be found @ https://duo.com/docs/macos#run-the-installer-package ########
# Set pkgName to the name of the PKG you built and downloadLink to where you host it (both were left undefined in the
# earlier version of this script; the bucket name below is a placeholder).
pkgName="MacLogon-2.0.2.pkg"
downloadLink="https://YOUR-BUCKET.s3.amazonaws.com/$pkgName"
# -f fails on an HTTP error instead of saving the error page as the "package"; -L follows redirects.
curl -fsSL -o "/tmp/$pkgName" "$downloadLink" && \
/usr/sbin/installer -pkg "/tmp/$pkgName" -target /
Example of macOS command within JumpCloud Admin portal.
Users log into their Mac or Windows devices with JumpCloud-provisioned users and JumpCloud passwords. The Duo authentication agent then prompts for secondary authentication (the auth types you support are configured in your Duo admin portal).
User Portal: Example of Duo as option on User Portal login screen
(all other JumpCloud MFA options can be disabled if desired).
User Portal: Duo prompting user to input text code
(specifically for text based user auth) after selecting Duo as MFA option.
Initial Logon Screen for Windows Computer.
Duo popup that would allow all forms of Duo secondary Authentication.