11-15-2023 09:23 AM - edited 11-30-2023 08:12 AM
Scott Reed, Senior Product Manager at JumpCloud, provides a detailed demonstration of Self-Service Account Provisioning (SSAP) and Federation. With a rich background in corporate IT, Scott introduces SSAP as a step towards simplifying device provisioning for organizations, aiming for a near Zero Touch Enrollment experience, especially on Windows devices, without requiring Azure premium licensing.
The live demonstration not only outlines the theoretical aspects but also showcases the real-world implications of SSAP, reflecting Scott's decade-long experience and the transformative potential of this feature in modern organizational IT landscapes.
You can find the full video recording here: The IT Hour | Self Service Account Provisioning 10.13.23
Scott Reed, Senior Product Manager, JumpCloud
Scott Reed:
So I want to start by talking about what we're doing and why we're doing it. Having done my intro before, I'll do a quick overview of my origin story for those new to the call. Before I worked at JumpCloud, I worked in Corporate IT. I have 10 years of IT experience, working from Tier 1 to IT supervisor at my last role before joining JumpCloud. And part of my world in those three IT orgs that I worked in was provisioning devices and getting them ready for users on their first day. This was before the magic of Apple Business Manager and Zero Touch Enrollment, and it also included time working with Windows Active Directory. I wasn't an Azure AD admin, but what I recognized from that experience is just how fundamental that is to every organization - provisioning computers for users on their first day. So this is a feature, and this is a story, that's all about making that process easier, and it's a stepping stone in the vision that we have of truly trying to work towards the closest we can get to a Zero Touch Enrollment flow for Windows that doesn't require Azure Premium licensing.
So Self-Service Account Provisioning is essentially our analog to what is commonly referred to as an Azure AD join. An Azure AD join is when a user signs in with a Microsoft account on a Windows 10 or 11 device, and it provisions a new account there. In the Windows world, they own the operating system, right? So an Azure AD join can happen out of the box during the OOBE flow, or on existing devices that are in the field it can occur inside of the Settings menu. With JumpCloud, we are not the creators of the operating system. We are citizens of it.
So we did some really fun things with this solution, and one of them was building a Windows credential provider to plug into Windows, and, more excitingly, on Mac OS, we built a new login window. I'm incredibly excited about what this new login window does because it does something simple, so simple but so powerful for a cloud directory, that is, it allows you to manage wireless connectivity from the login window without having an active account. So that's huge. You can connect to a hotspot. There's a refresh button, and we're going to dig into this now.
So let's talk about what we built with Self-Service Account Provisioning and the new login window, how you turn it on, and get into the nitty-gritty. So I'm going to go and share something.
Alright, so here we are. We're on the devices overview page, and this is where the settings to turn on Self-Service Account Provisioning live. So inside of the settings tab, you're going to find two new toggles, one for Mac, one for Windows. I really again focused with the tech writing and my product team on the right words to use, and we landed on Self-Service Account Provisioning, allowing users to provision their JumpCloud accounts to a managed device from the login window.
This is something you can turn on globally for Mac and for Windows and set different permission levels. This is essentially an add-on to what we currently offer for Self-Service Account Provisioning, where the feature for that for Apple Zero Touch Enrollment is a choice that occurs inside of the Automated Device Enrollment (ADE) configuration for Mac OS where there's the ability to enable user authentication. Where during this flow, this is the step for our Zero-Touch that does the same thing. It provisions an account out of the box.
Now you don't have to. There are many reasons that may prohibit organizations from being able to use Zero Touch Enrollment for Mac OS. Apple's made the process easier, but once upon a time organizations didn't have a DUNS number, or maybe it's just how you purchase Mac machines: you don't go through a vendor, you have other ways that you purchase them.
So this, for all intents and purposes, opens up the door for Light Touch Workstation Provisioning flows for your IT org where your org is preparing those for their users on their first day and then gives you as an admin a Zero-Touch experience for when you hand that device off to a user.
So Zero-Touch, right? What is Zero-Touch? And it's Zero-Touch for us, The IT team. All the touches are being done by the end users.
So the way that I like to explain Zero-Touch in my world is to imagine having a stack of laptops that you've provisioned. It's taken you two or three minutes to provision each one, and you've got a stack of 10 laptops. 10 new users come in, they're all going to have the same hardware. So any user can take any laptop out of that stack, and they're the ones that make it theirs.
So how would that look in the real world? Well, we're going to do some demoing in the real world. So what I have here is I'm going to walk through a couple of these scenarios, that I'm going to give you some examples of some of the “gotchas” that I want to highlight.
Self-Service Account Provisioning is about new accounts only, and the ability to do a Self-Service Account Provisioning is singular, just like with the Zero Touch Enrollment flow for Apple Business Manager, it's a one-time action that occurs, and that's how we've built it. Now we can talk about how we could expand this with an incremental feature to make this action occur regardless of the Trust On First Use or that one-time action.
So here's this device. One of the things that's very important to highlight is that this will only work if the account doesn't exist there. So I'm going to show you an example of something that's going to error, and I want to highlight that “gotcha”. So here on the Mac login screen, I'm clicking “Sign-in with JumpCloud”, and I'm going to try to sign in with a user whose account already exists on here.
Account already exists. Hank Declan. Contact your admin. Huh? This is only about creating new accounts, so I want to make that very clear while we're here.
Let's talk about this new login window. Check it out. Wireless. Manage wireless network connectivity, and this is pretty smart. It leverages what's already in the operating system, so it'll remember your saved networks and it'll automatically connect. We're doing a ton of piggybacking, bringing the Apple native wireless experience to the Mac. Think about the other things that we have here. We've got a Wi-Fi icon in the top right, you might not be able to see this, but it's green. If you turn the wireless off, this goes red. So you have a visual indication to tell you whether you're online. And then my favorite Easter egg, you've got this Info icon that you can click on to see the hostname, the serial, the MAC address, the IP, and the Mac OS version directly from the login window. From a JumpCloud perspective, the thing that excites me most is this new refresh button. So we just saw that issue that this user Hank was already here.
Let's add him. Let's add him back to the machine and watch what happens. I'm going to go, I'm going to add Hank to this machine, and I'm going to click this refresh button. Boom! What just happened? Hank was added to this device, and more so than that, we can see visually that Hank is a JumpCloud managed user. How can we see that? Well, there's a JumpCloud icon next to his avatar. Additionally, the sign-in with the JumpCloud button went away. This is the experience for all devices that have Managed Users for what will happen when you flip that toggle on. There will be no “Sign-In with JumpCloud” button. They'll get the new login window with this new avatar.
This login window will eventually become the default login window. But to respect change management and give you guys the control to roll this out as you want it, the toggle exists now. In the coming weeks, months, and quarters there will be a time when this becomes the new login window, hard stop. But, we want to respect change management, your users, and ultimately I feel very strongly that this is an incremental improvement for all, given the number of tickets that may be able to be resolved just with this refresh button in wireless network connectivity.
“Scott, does the Wi-Fi indicator go green on internet connectivity or JC connectivity?”. Internet connectivity. The other thing to call out, it's a Wi-Fi indicator. If you're on the LAN, it's still a Wi-Fi indicator. So I did some negotiation. I wanted it to be able to be a LAN indicator if you were plugged in with ethernet, but wireless is what we're showing there to show internet connectivity. “Can we see that without turning on self-enrollment”, you cannot, but if there are any JumpCloud Managed Users on the device, like this device shows, there will be no “sign-in with JumpCloud” button. So that button only shows on devices with zero Managed Users. They're coupled together.
So let's keep rolling, right? So here we are, we're on the login window. Let's go back and let's unbind Hank from this device so we can get it back into the state where there are zero Managed Users. Alright, so let's see what a Self-Service Account Provisioning looks like. We're going to go and add Holly Flax at Sabre to this device. There she is. Holly's been added. There's our experience. That is Self-Service Account Provisioning. Holly's account is added to this device. It's at the login window, and if I sign in with Holly now... she has MFA enabled, I don't have it set up, the demo gods got me this time, but you can see that Holly's account was provisioned to this device.
So this is the “sign-in with JumpCloud” Flow - being able to provision an account to a device. And again, it only occurs when there are zero Managed Accounts on the device. Visually we can see Managed and Unmanaged with the JumpCloud icon and this login window, let's be very clear, the login window is actually a rare thing that users see. With these new M1 Macs, we wake the screen from sleep. So the amazing magic, right? This is a Ventura device, the amazing magic from our overlords of Apple where you've got a screen saver that then turns into the desktop background, and it moves. You still get that because that's at the Screen Lock screen. Other things you see here, I have added to this device a policy. “Login troubleshooting tip: Connect to hotspot or Wi-Fi”. That is something that I have done on this device through a policy, and that policy is the login window text policy.
So that login window text, you're in control of this. This does not come with it, but I love adding that to help my pretend users myself. So get creative. That login window text is super valuable in being able to suit your users for their needs.
So Windows. So for the Windows demo, let's go ahead and talk about that. I'm going to show you something that I'm super proud of, which is our JumpCloud University and the tech team that puts this together. They do an amazing job, and for better or for worse, with this Intel Mac that I'm on and sharing my screen and demoing, I am not comfortable tempting the demo gods with hardware and letting them potentially take me down. So let's get to the step in this video where we do a demo on Windows with “sign-in with JumpCloud”, which is going to be right here.
So let me highlight how Windows is different. Windows does not allow any vendor to implement a new login window. Not possible. So our option, what the laws of physics allow us to do, is to create a credential provider. So this credential provider that we've created will show up, again only on devices with zero Managed Users, and it'll show up in the bottom left as a user. It looks like a user, but you click “Sign-in with JumpCloud”, and then as you'll see here, once clicked, you'll have the option to click here and “Sign-in with JumpCloud”, which will again launch a web view where users will authenticate with an email address and a password.
So let's talk about a choice that I made here. Here's the choice. This step right here at the credential provider is reconfirming the password that was put in during the web flow, of that existing user, and then we're asking users and giving them the opportunity to create a PIN.
Windows treats login options differently than Mac. You can have multiple primary login options where the PIN is one of them. The PIN is the gateway to the biometric, so you cannot set up Windows Hello after creating a PIN. So we made a cognizant choice to try to take that friction point out in getting to biometrics and when users set up their password, also set up their PIN. PINs are more secure than passwords. They just are. They're unique to the device that they're on. This is a six-digit requirement to set it up, and when a user sets up their account through the Self-Service Account Provisioning flow on Windows, they're also asked to set a PIN. The value of “sign-in with JumpCloud”, in my mind, from my perspective, this is the key value when we start to think about that road to Zero-Touch Apple; the best practice for Apple is to use Automated Device Enrollment.
The use case of adding new accounts from the sign-in window on Mac devices is really for organizations that are unable or unwilling or just don't want to go through the Automated Device Enrollment flow, Apple Business Manager and setting that up where you're ordering your devices through a purchasing partner that allows you to enroll them in a JumpCloud MDM in the box in the plastic. The best practice again is to do that. There's no option right now when we start to think about how JumpCloud can integrate into the Windows out-of-the-box experience. The OOBE flow. Because the OOBE flow dictates an Azure AD join with a sign with a Microsoft account. So the more creative ways that organizations that choose to use JumpCloud as an alternative to Microsoft can get to an OOBE flow experience. “Sign-in with JumpCloud” is now a key fundamental building block that will get you closer to a true Zero-Touch experience.
With this, thinking creatively, there's ways with your purchasing partner with your imaging flows to get devices with the agent installed, and that's all you have to do. You no longer have to take that secondary step where an account is bound to a device, and you put a sticky note and say “This computer's going to be for Becky. This one's going to be for Luke.” Those devices can be in a user list state when they're handed to users on their first day, and this would be the Zero-Touch user flow “Sign-in with JumpCloud” to add their device.
The next feature that we have in the hopper to get us even closer to that Zero-Touch flow is a Provisioning Package flow that will allow you to download a Provisioning Package file from JumpCloud, so that your workstation provisioning flow as an org will be: a device comes from Dell in the box. You take it out of the box, connect it to the Wi-Fi, plug a USB stick in, and the next thing you know, that device is in your JumpCloud device list, with the agent installed and with “Sign-In with JumpCloud” ready for those users on the first day. This is going to turn workstation provisioning from hours into minutes for many organizations. Provisioning Packages will be delivered, mark my word, before the end of the year. I'm super excited to have that out. So “Sign-in with JumpCloud” plays with the provisioning package to get us to the lightest touch possible onboarding flow for IT orgs to get Windows devices ready for their end users. Provisioning packages are kind of a secret in the Microsoft ecosystem because they don't require Azure Premium licensing, because they are not inside of that closed ecosystem of “we're only using Microsoft”.
So let's talk about again how we enable this and what's going on, and let's tempt the demo gods. So globally, this login window is enforced on all devices in an org. You see, I just turned it off. The old login window will now come into play. This is a global setting.
During testing, we've been running this inside our JumpCloud “dog food” organizations, as we call them, for over a month, and what we found is there were some scenarios where some of our developers had done some really funky things to their devices, and that led to the login window preventing them from getting in. During that process we fixed those bugs. We feel very strongly that this login window is ready for prime time, but if there's ever a scenario where there's a belief that the new login window is preventing users from logging in, as just demonstrated here, you can toggle this on and off at your whim without any real impact to your organization. Recognize that toggling this on and off is impacting the login window, and you only touch that login window, truthfully, after a reboot or after an intentional sign-out from a machine.
When we were doing this in production and turning this on and off for our 700 users, there was not once a report of a user saying, “Hey, I see the old login window”, that never happened. The troubleshooting step again, you can turn this on and off, and it's a global setting for all of your Macs. Other thing to call out, this has nothing to do with JumpCloud MDM, this only has to do with the JumpCloud agent. So if there's anyone that's using JumpCloud in joint management with another MDM vendor, you can absolutely do the same toggle on and off independent of using JumpCloud as your chosen Apple MDM vendor.
So that wraps up my demo. We're going to share some of the resources that I've been flashing off here. These resources again are if you want to see this, the tutorial for Self-Service Account Provisioning is amazing. There's also a great Help Center article that talks about how to turn this on, and the final piece is a community post that kind of wraps it all together. So I'll look to my colleagues here to share that.