Microsoft is making a steady push in identity and mobile device management with an expanding array of cloud services. Many organizations, especially managed service providers (MSPs), are considering Azure Active Directory (AAD) with Intune™ for access control and unified endpoint management. It’s primarily focused on supporting the Microsoft ecosystem with add-on options to support other platforms and increase security for enterprises. In order to integrate into existing on-premises Windows domains, however, complex connectors are required. 

JumpCloud takes a different approach through its open directory platform, which can consume identities from multiple providers, through several protocols, to enable frictionless access into different resources. The platform is engineered to follow Zero Trust security principles and automate the user identity lifecycle. The open directory makes it possible for small and medium-sized enterprises (SMEs) and Managed Service Providers (MSPs) alike to provision the best resources, from any vendor, to get work done. It also provides add-ons for deeper system management and security considerations. Microsoft and JumpCloud both provide cloud-based IT management tools for identity management and device management. This article examines how they compare and the best fit for each platform.

What Is Azure AD?

AAD was created for the express purpose of extending Microsoft’s presence into the cloud. It connects users with Microsoft 365 services, providing a simpler alternative to Active Directory Federation Services (ADFS) for single sign-on (SSO). There’s similar nomenclature, but it doesn’t replace all the features of Active Directory and lacks support for key authentication protocols including LDAP and RADIUS. It provides a common identity for Azure, Intune, M365, and other Microsoft cloud products, which permits SSO and multi-factor authentication (MFA) within the Microsoft ecosystem. Cross-domain SSO and MFA are gated behind paid tiers of AAD, once a defined number of integrations per user is surpassed.

Microsoft has a structured gated licensing model with trial subscriptions and a free tier of AAD with some restrictions. For example, there are limits on stored objects and the number of apps a single user can access with SSO and group management with role-based access control (RBAC) costs extra. Microsoft also charges for MFA for external identities, per authentication. AAD’s features, which include a few time-limited trial services when users sign up, are listed on its website.

It also serves as Microsoft’s approach to a multi-tiered portfolio of identity, compliance, device management, and security products. The permutations of accompanying cloud products from Microsoft and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants. This is due to the breadth of configurations, and resulting complexity, that many enterprise use cases require. However, some organizations may benefit from this approach. Integrations with other paid Microsoft services are possible such as Microsoft Intune Premium Suite, Microsoft 365, automations for management tasks, and reuse of ADMX templates from Windows 10/11.

What Is Intune?

Microsoft’s latest offering is Microsoft Intune Premium Suite. It functions as a mobile device management (MDM) solution to administer features and settings for iOS^®/iPadOS^®, Android^®, and Windows. While it extends to macOS and Linux, it’s historically been less focused on non-Windows platforms. Microsoft is updating its services and is increasing what’s possible on other platforms. For instance, Intune supports custom/templated profiles for macOS, compliance policies, shell scripts, Apple Business Manager (ABM), and user/device enrollment options. Linux support has rolled out slowly and is focusing on compliance policies. Microsoft Edge is obligatory to utilize some of its features, such as conditional access policies for privileged users.

However, Intune bolsters Microsoft products such as Edge and Configuration Manager as first-class citizens. Windows administrators will be familiar with aspects of how it works, such as ADMX templates. Intune is most robust when it is used to manage Windows systems that are hybrid AD-joined, in combination with other services and security solutions. Separate license requirements and costs may impact what services can integrate with Intune.

What is Configuration Manager?

The following provides a quick primer on Configuration Manager:

• Cloud-based MDM to control features and settings; isolation of corporate data
• The Intune admin center offers status updates and alerts as well as device configuration and other administrative settings
• Connectors for Active Directory and certificate-based authentication
• ADMX templates to deploy Windows policies and benchmark group policies and Graph API for scripting, with appropriate licensing in place.
• Integration with AAD, Windows (Win32) LoB apps, and other Microsoft-centric services
• Application deployment and user assignments
• Compliance settings creation and the ability to lock down services with granular conditional access rules based upon group Intuneberships, location, device state, and triggers for specific application access rules (Note: Additional Microsoft products are necessary to protect identities as well as to monitor and control cloud application sessions such as Enterprise Mobility + Security E5)
• Reporting on apps, device compliance, operations, security, and users
• Device-only subscriptions for single-use devices such as kiosks
• Remote support is available as a premium add-on; unlimited federated identity, which provides SSO and MFA environment-wide requires a higher tier of AAD; and Microsoft offers pre-built connectors and SCIM synchronization through its paid SSO SKU.

What’s possible with Intune is somewhat dependent upon what other Microsoft services are being licensed (standalone or bundled), knowledge of Microsoft’s administrative tools, and how invested an organization can become in the Microsoft ecosystem. Intune is a broad product family, and it’s possible to achieve advanced enterprise-level compliance and security by spending more for additional services.

What Is JumpCloud?

JumpCloud is an open directory platform for SMEs and their MSP partners that includes zero trust identity and access control (IAM), cross-OS device management, and more. It simplifies the orchestration of identity management and access control throughout the vendor and open source landscape. Supported platforms include Linux, macOS, iOS/iPad OS, and Windows. Android support is forthcoming. JumpCloud is cloud-based and can be deployed for a domainless enterprise, without the need for AD or AAD, or extend your existing domains with a more straightforward deployment. 

JumpCloud is tailored to the needs of SMEs. Some of its core features include:

• An intuitive user interface and dashboard that makes IT admins more productive and highlights issues that require immediate attention. 
• The capacity to integrate with AAD and Google identities, with delegated authentication available for RADIUS using AAD credentials.
• Unlimited, True SSO that delivers SAML, OIDC, and password-based authentication for any web application, as well as SCIM and RESTful support to manage user onboarding/authorization to third party applications. JumpCloud provides ready-to-consume connectors for many popular services.
• Push and TOTP MFA everywhere, including RADIUS and LDAP connections.
• Built-in MDM, without extra costs; isolation of corporate data.
• Application install and management on remote systems.
• Integrated remote assistance with Remote Assist, free of charge.
• Integrations with popular HRIS systems for rapid user onboarding and provisioning.
• Zero-touch device enrollment and deployment for Apple devices.
• Automated group memberships that leverage attribute-based access control (ABAC) to modernize the user identity lifecycle and enhance security. This provides entitlement management maturity beyond what’s possible with legacy access control paradigms. In contrast, Microsoft’s RBAC is more labor intensive with higher management overhead.
• Cross-OS policies and root-level CLI interfaces for centralized IT management and commands.
• A streamlined dashboard for IT teams and technicians
• Reporting for Device Insights, Directory Insights, and Cloud Insights for AWS.
• A cloud-based LDAP directory with available Active Directory sync tools.

Even more IT management and security essentials are serviced by the following add-on products:

• Pre-built conditional access capabilities that restrict access by location, whether a device is being managed by JumpCloud, and to enforce MFA for specific groups of users
• JumpCloud Patch Management
• Decentralized password management that integrates with the directory platform

Comparing JumpCloud to Azure AD with Intune

AAD and Intune have some overlap with JumpCloud on a feature-by-feature basis, and it makes sense for organizations to evaluate all of their cloud-based identity and system management options. Put simply, the comparison between JumpCloud and Azure AD with Intune is really about adaptability versus maintaining the status quo and vendor lock-in.

The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.

The greatest difference lies in Microsoft engineering its products for the enterprise in service of the Windows ecosystem, tooling, and its accompanying cloud services. There’s deep integrations with Microsoft products and specialized services that mostly benefit larger organizations. If you have an all-Windows^® network, and are already implementing Azure with Active Directory^® on-premises, then Azure AD and Intune could be the right addition for your organization. Using tools created by Microsoft in a Windows environment simply makes sense. Mobile-heavy organizations may also benefit from using Intune’s mobile device management capabilities to manage other operating systems.

JumpCloud is intended for the specific needs of the SME market, as evidenced by how its features are packaged and implemented for ease of use. It was created to address the constraints that arise when a legacy on-prem directory is modified for a new era in computing (that crosses domains). The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.

It also securely connects users to more resources, without the need for additional servers or add-ons. If your organization has AWS, macOS^®, Linux^®, Okta^®, Google Workspaces™, and other non-Windows platforms as core parts of the infrastructure, then you will benefit by choosing JumpCloud’s open directory platform. Organizations can choose the vendors that are best suited for users both now and in the future.

Ease of Use

JumpCloud is simpler and more accessible, with a more intuitive UI and pricing breakdown. A common complaint is that Microsoft’s interface changes frequently and causes confusion. That’s a consequence of product bundling and frequent product family/branding changes. Other issues involve functions such as zero-touch deployments being limited to Windows devices.

Centralized Policy Management

A key component of Active Directory is a feature known as Group Policy Objects (GPOs). GPOs allow IT admins to control the behavior of Windows systems in their environment with great precision. The key here is that Microsoft’s GPOs only work for Windows systems and are not applicable in the cloud via Azure AD, and with the recent rise of Mac^® and Linux^® systems in the workplace, that’s a problem. Microsoft has extended policies to other devices through Intune, which extends Windows administrative methodologies, software, and tooling elsewhere.

JumpCloud offers GPO-like policies for all three major platforms — Windows, Linux, and macOS^® — as well as cloud-based resources. IT admins are able to remotely disable virtual assistants, enforce full disk encryption (FDE), and configure system updates with just a few clicks. When a prescribed policy isn’t going to get the job done, JumpCloud enables IT admins to create and execute their own commands and scripts on all three platforms. JumpCloud also provides optional policies for cross-OS patching.

Open Directory Platform

The JumpCloud platform does not need to fully own an identity to manage it. Rather, it can consume identities from different sources and sits in the middle to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing the access control and security challenges stemming from having identities exist in silos. 

For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals must tackle authorizing and orchestrating those users between different products. An Azure AD user also won’t be able to use RADIUS to access Wi-Fi without a domain controller or third-party service. SMEs can dramatically improve security as well as save on licensing, headcount, time, and effort by consolidating orchestration into a single directory (that sits in the middle).

Mobile Device Management Capabilities

Intune and JumpCloud have MDM services for managing BYOD and BYOC devices, but the respective value propositions diverge when organizations are cost conscious, have limited resources, or must support heterogeneous environments. 

Microsoft delivers cross-platform support, but Windows is the favored tenant with the capacity for zero-touch onboarding that would benefit Microsoft shops. JumpCloud is easier to adopt, learn, and works better with Mac and Linux systems. The open directory platform also adds additional value for MDM users to import user identities from non-Microsoft platforms to centrally manage or utilize them all.

Android, Apple, and Linux Devices

Intune has Mac and iOS/iPadOS support for the supervision of Apple devices through user login, device enrollment/deployment, configuration management, patch policies, and software distribution. It’s also offering services to manage Android devices and Linux. Microsoft’s full offering requires AAD, Intune, and an understanding of its Windows templates and tooling. It also has extended requirements for other Microsoft products such as Edge to be able to manage Linux users, limiting customer choice.

JumpCloud’s Apple and Linux MDM capabilities are extensive, beginning with a pre-built collection of policies, configuration options, security functions, and culminating in zero-touch device enrollment. MDM is immediately available as a core feature of the platform, and cross-OS patching is available as an add-on service. JumpCloud supports the most popular Linux distros and doesn’t impose any mandates to use a specific browser. 

Affordability and Implementation

With consideration to Microsoft’s extensive stack requirements and gated licensing, JumpCloud’s bundled MDM is more affordable and user-friendly. It’s also easier for IT teams and MSP technicians to learn and manage. 

Configuring Intune is a long and complex process. Intune software deployment and polling works on Microsoft’s schedule, creating management “unknowns.”  The workflow is as follows: upload an MSI, create a package, apply it to a machine … and it will install at some point. This procedure, coupled with a confusing interface, creates a learning curve. Organizations save on costs as a business/MSP by choosing a tool that’s easier to use. Jumpcloud offers more immediate actions for commands and policies.

Platform

Microsoft has devised an extensive cloud services productive portfolio in service of its enterprise customers. It’s a stepwise architecture that enlists adjunct services to build out a broad stack. The Microsoft ecosystem is as broad and comprehensive as a Microsoft shop needs it to be.

JumpCloud is specifically designed for what SMEs need, and sheds the complexity of Microsoft’s ecosystem. It offers far more functionality through one solution that can be bolstered by a mobile-specific MDM, rather than purchasing the entire Microsoft IT stack and everything else required for modern offices to manage users. Organizations that adopt JumpCloud for MDM are more likely to value heterogeneous device management and benefit from its platform approach. Namely, MDM users will obtain greater value by using more of the open directory platform.

Microsoft 365 and Google Workspace Sync

With Microsoft 365™/Google Workspace sync, organizations can access either productivity platform at will with JumpCloud credentials. The open directory platform imports attributes that decorate users with entitlements, streamlining admin workflows, increasing the accuracy of user profiles, and delivering smooth onboarding. IT admins can also manage groups in Workspaces, and the ability to import groups from AAD is launching soon.

Non-System Needs

When evaluating which identity management provider is right for you, you also want to consider your non-system needs. For instance, if you are interested in LDAP, RADIUS, Samba, SSH, and other protocol support, you might consider JumpCloud’s protocol-level hosted services. JumpCloud also implemented MFA for its LDAP and RADIUS services, which is significant when highly regulated industries like cyber insurance companies require MFA to be enabled for network devices. Otherwise, additional servers and services may be needed to be compliant.

Vendor Lock-In

Another core issue for MSPs and IT organizations is vendor lock-in. Microsoft is financially motivated to keep you on the Windows and Azure platform track, which includes its ecosystem of administrative tools and templates. Often, you need a number of additional Microsoft tools on the Azure AD and Intune path. Most organizations with AAD also use AD on-prem, AAD Connect, AAD DS, and other third-party tools to create a holistic IAM and device management approach. That’s a deep investment in budget, training, and dependency on Microsoft.

Intune belongs to an evolving family of IAM products that have undergone multiple re-namings and repackaging. Growing with Intune means licensing Intune as well as other complementary services for security and system analytics. Note that the selections are in flux, making direct comparisons with alternatives more challenging. Buying Intune sinks organizations deeper into the Microsoft stack, which limits their ability to purchase solutions outside the Microsoft domain and customize their stack for their needs. It also introduces some unpredictability in budgeting.

JumpCloud’s open directory platform allows for greater flexibility and shopping around for services, such as adding best of breed XDR integration from Crowdstrike or Sentinel One to secure identities and endpoints, versus a monolithic supply chain from Microsoft.

Total Cost of Ownership

Microsoft’s legacy requirements frequently mandate a hybrid infrastructure configuration. A hybrid infrastructure adds complexity, and complexity correlates to bigger budgets. Managing and licensing your physical servers is expensive (people, hardware, facilities, maintenance, and utilities), and the increase to your potential cyberattack surface area are all factors to consider. These factors combined raise the total cost of ownership for AAD.

A common refrain is that “Microsoft stuff works well together.” In practice, transitioning on-premises Microsoft solutions to the cloud isn’t always straightforward. For example, AD groups don’t all automatically sync over to AAD. This writer recently spoke with an Intune administrator who recounted how his organization, which is invested in Microsoft, was experiencing difficulty transitioning to AAD and Intune from ADFS and Active Directory.

In this example, consultants were brought in to set up Intune. The consultants attempted to turn on “full blown AAD” for the environment. That decision resulted in downstream problems with Virtual Desktop Infrastructure (VDI), because only persistent virtual machines (where every user’s personal desktop settings are set for each virtual desktop) are supported in on-premises ADFS. This scenario may seem arcane, but it illustrates that even migrating to Microsoft’s latest and greatest services isn’t always straightforward. Microsoft has a multitude of legacy components for SSO that tie back to AD, which introduces difficulties that are unique to its ecosystem.

The Intune administrator summed it up perfectly: “I need to focus all my time [elsewhere] but can’t because I get pulled in every direction [due to the complexity of Microsoft’s ecosystem].” Simply put, if your infrastructure’s a mess, everything’s a mess … and costs more than is necessary. The more an organization sinks into Microsoft, the less flexibility it has to go elsewhere.

Service Licensing

Cost of ownership is a key differentiator between AAD + Intune and JumpCloud. AAD is initially a great value — if you’re a heavy user of the Microsoft stack — but costs mount as use increases and third-party services and non-Windows devices are added to your infrastructure. Navigating Microsoft’s complex gated licensing scheme is another driver of rising subscription costs. 

For example, organizations that are considering M365, which can bundle Intune, must assess the differences of all 30 license variations. Some consultants even specialize in demystifying Microsoft’s licensing options. Basic tiers are only the price of admission. There are additional costs involved simply to obtain a few fundamental capabilities such as federated identity in AAD to securely access resources outside of Microsoft’s stack using SSO. That’s the real-world starting point for modern IT, even before Intune or other subscriptions factor in.

Consuming external identities also costs more. Microsoft introduced a separate product family called Entra, which is its solution for decentralized identity, identity verification, and entitlement management. Entra extends Microsoft’s strategy to monetize interoperability that is focused on the enterprise market and the sale of adjacent services. In contrast, JumpCloud’s foundation supports expanding capacity to accept and incorporate other identities into workflows.

IT Infrastructure Consolidation

IT tool sprawl is just one of the many unintended consequences of today’s remote-first workforce. Adopting a consolidated stack is beneficial to avoid overlapping feature sets from many different software products. A Microsoft shop may not need to look elsewhere to meet compliance, IAM, IT management, and highly advanced security requirements with its stack (assuming they have the budget). However, there are downsides.

Smaller organizations may find themselves overextended by the breadth and complexity of Microsoft’s components and services that form its hybrid architecture. Buying, operating, and supporting a datacenter is just the start. It’s very likely that IT teams will have to employ external resources to assist with AAD + Intune implementations. Those decisions involve a substantial and costly long-term commitment.

Azure works best if organizations are fully incorporated into a Microsoft tech stack environment, but not outside of Microsoft’s cloud infrastructure (i.e., it can’t be used to manage non-Windows servers hosted in Amazon or Google clouds).

JumpCloud’s open directory platform enables IT teams to assemble a stack of best-of-breed solutions that are secure, on managed devices, and available through the identity provider of their choosing. Optional products assist with security, IT hygiene, and password management without extensive management overhead or mandates to deploy them successfully.

What’s Best for Your Shop?

If you are locked in to Microsoft solutions, or if you have corporate-owned iOS and Android mobile devices, then Azure solutions may be an acceptable fit. However, its platforms are  intended for the enterprise and extend broadly through gated licensing. Alternatively, if you are an SME that’s invested in other non-Windows platforms and non-Microsoft services and identities, and wish to (or see a path to) consolidate IT resources, then you should consider JumpCloud’s open directory platform. A third option is to use both to obtain the greatest value for your organization.

JumpCloud centralizes user and system management, regardless of platform or where identities reside. This includes our Multi-Tenant Portal (MTP), designed specifically for MSPs to manage multiple client organizations from one pane of glass. JumpCloud offers cross-platform GPO-like capabilities to manage fleets of systems with policies, including local admin system controls, full disk encryption with FileVault 2 and Bitlocker, screen lock regulations, and more. Apple MDM capabilities are available for macOS machines, for machines to execute security functions and distribute configuration policies.

For MSPs, consolidation gives you the chance to proactively manage and monitor your clients’ tech with fewer providers. It decreases your monthly expenditures without sacrificing efficiency or usability, and frees you up to spend more time helping your clients reach their goals. IT consolidation has many benefits for MSPs and their clients, including cost savings, a streamlined user (and management) experience, and an increase in client trust.

The Choice Is Yours

However you choose, all options present benefits to an organization. To learn more about JumpCloud versus Azure AD with Intune, contact us or join our community to engage your peers in conversation.

As always, signing up for the JumpCloud platform is completely free, and includes 10 users and systems to get you started. The best way to learn is by doing. You also get 10 days of premium 24×7 in-app chat support. Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

Active Directory (AD) and a domain controller are some of the IT components that are core to organizations using Windows operating systems (OSs). But what’s the difference between them? 

Active Directory is Microsoft’s proprietary directory service. It allows IT teams to manage identity and secure access to various resources on the enterprise network. 

A domain controller, on the other hand, is a server that responds to user authentication requests, allowing the host to access various resources on an enterprise network. 

In this post, we’ll explore the differences between a domain controller versus Active Directory, and how JumpCloud can help you enhance AD or ditch the domain controller altogether. 

Active Directory: Identities and Access

Active Directory is an identity management database that allows IT teams to define what users can do on a network. As a database, Active Directory captures data in the form of objects. An object can be a single resource element, like a user, group, application, or device. 

Each object has associated attributes that allow it to be distinguished from other entities. For example, a user object would have a username, password, and email attributes that distinguish it from other objects. 

Active Directory consists of four essential services that allow it to provide identity and access management:

• Active Directory Domain Services (AD DS). This is the main service within the Active Directory protocol. Besides storing the directory information, it also controls which users can access each enterprise resource and group policies. AD DS uses a tiered structure comprising the domains, trees, and forests to coordinate networked resources.
• Active Directory Lightweight Directory Services (AD LDS). It shares the same codebase and functionality as AD DS. However, unlike AD DS, AD LDS uses the Lightweight Directory Access Protocol (LDAP), allowing it to run on multiple instances on the same server. 
• Active Directory Federation Services (AD FS). As the name suggests, AD FS is a federated identity service that provides single sign-on (SSO) capabilities. It uses many popular protocols such as OAuth, OpenID, and Secure Assertion Markup Language (SAML) to pass credentials between different identity providers. 
• Active Directory Certificate Services (AD CS). This is a service that creates on-premises public key infrastructure (PKI), allowing organizations to create, validate, and revoke certificates for internal use.

Domain Controller: Validate and Authenticate

A domain controller is a server that processes user authentication requests on a particular domain on an enterprise network. While domain controllers are primarily used in AD domains, you can also use them with other non-Windows identity and access management (IAM) systems, such as Samba and FreeIPA.

A domain controller restricts access to enterprise resources within a given domain by authenticating and authorizing users based on their login credentials. For example, in Windows domains, the domain controller obtains authentication information for user accounts from Active Directory. 

While domain controllers can operate as single systems, they are often implemented in clusters to provide high availability (HA) and reliability services. For example, in Windows Active Directory, each cluster can consist of a primary domain controller (PDC) and a backup domain controller (BDC). In Unix and Linux ecosystems, replica domain controllers replicate authentication databases from the PDC. 

Active Directory vs. Domain Controller

It’s common to think that the terms Active Directory and domain controller are synonymous. This is because domain control is a function within Microsoft’s Active Directory, and domain controllers are servers that leverage AD to validate and respond to authentication requests. 

However, the terms are not interchangeable. Active Directory is a database that stores and organizes enterprise resources as objects. You can think of Active Directory as a database that stores users and device configurations in AD DS. A domain controller, in contrast, is simply a server running Active Directory that authenticates users and devices. In this regard, you can think of a domain controller as a custodian, facilitator, or host of Active Directory. 

Since domain controllers mediate all access to the network resources, it is essential to protect them with additional security mechanisms, such as firewalls, encryption protocols, and expedited configuration and patch management solutions.

Deciding What You Need for a Directory and Domain Controller

Many organizations are looking to implement SSO solutions that allow their employees to access all their on-prem and cloud-based applications easily. 

In the recent past, a vital requirement of these solutions was the domain controller, which made it possible to connect applications back to Active Directory as a single source of truth. Organizations have used AD FS as a solution for integrating Active Directory into cloud-based applications. However, while Microsoft markets AD FS as a “free” solution, there are many hidden costs, including hardware purchase, deployment, and ongoing maintenance, that you have to contend with. 

But suppose you were to decide what you need for a directory or what constitutes a complete IAM solution today. Such a solution should provide automated provisioning of resources, lifecycle management, mobile device management (MDM), and reporting from a single console. The IAM solution should also be vendor-agnostic, unlike Active Directory, which excels at managing access to on-prem Windows-based OSs. The IT environments of today simply don’t look like that anymore.

The JumpCloud Directory Platform^® is a low-cost, cloud-based directory management solution that simplifies AD integration, allowing IT teams to unify IAM and consolidate tooling while enhancing Active Directory’s functionality. Organizations can also leverage JumpCloud as an AD replacement tool, reducing the on-prem servers required to set up AD FS and moving to a domainless enterprise. 

Explore JumpCloud Pricing

Packages and A La Carte Pricing

Explore Options

83% of companies have some kind of bring your own device (BYOD) policy in place, which means that understanding and adhering to BYOD best practices needs to be top of mind for IT, security, and upper management. 

Some situations you might find yourself in will require you to either: 

1. Learn about best practices prior to implementing a BYOD policy, and ensure that the practices, rules, and expectations you put together follow those practices, or
2. Retroactively go back into your existing BYOD policy, ensure that it follows best practices, and make improvements wherever necessary.

No matter your situation, you’ll be better off if you’re aware of the challenges and vulnerabilities that accompany BYOD, follow BYOD best practices, and understand what device management tools exist to make managing BYOD easier. This article will dive into each of these topics to help you move forward with your BYOD initiative.

BYOD Vulnerabilities

While many employees expect a flexible BYOD policy at work, there are a handful of risks and vulnerabilities that come along with BYOD implementation. These are often exacerbated by poorly planned and/or poorly executed BYOD implementation, so don’t fret; many of them can be prepared for or avoided altogether by following best practices.

Some of the risks that accompany BYOD in the workplace include:

• Data theft.
• Malware.
• Legal problems.
• Lost or stolen devices.
• Improper mobile management.
• Insufficient employee training.
• Shadow IT.

While each of these poses risk to your organization, the level of risk associated with each can be mitigated through proper training, protocols, device setup, and other strategies. However, they’re still important to keep in mind when you’re establishing or updating your BYOD policy.

There are also challenges that many organizations run into when implementing a BYOD policy. Some of those challenges are:

• Establishing the policy’s scope.
• Figuring out how to separate personal and organizational data.
• Determining how to remain secure and compliant with BYOD devices in the mix.
• Creating sufficient employee security training materials.

Now, let’s get into some BYOD best practices that can help you overcome these challenges and reduce some of the risk that accompanies allowing BYOD in your org.

BYOD Best Practices

While there are many benefits of allowing BYOD in your organization, understanding the risks of BYOD will help you recognize the significance of BYOD best practices. A few of those best practices include:

• Assessing your needs.
• Developing a clear BYOD policy.
• Implementing organization-wide security measures.
• Auditing and blacklisting applications.
• Requiring robust employee training.

Assess Your Needs

In order to create a BYOD policy that will work for your organization and its employees, a best practice is to fully assess your needs. This means answering the following questions:

• What types of working situations (remote, in-office, or hybrid) do you manage? 
• Do you manage part-time, seasonal, or contractor devices?
• How much control do you need over employee devices to maintain your desired level of security/compliance?
• What size is your IT team, and how many BYOD devices will that team be able to manage effectively on top of their other priorities?
• What type of devices and operating systems (OS) do you currently use? What new devices and OSs are you willing to allow with BYOD?
• What policies mustbe on all devices used for work (corporate-owned and personal)?
• How will you ensure BYOD devices are updated in a timely manner and as secure as possible?
• What types of work can or cannot be done on personal devices?
• Are you willing to pay for any maintenance costs or bills associated with BYOD devices in your org?

While this is not an exhaustive list of questions to consider, it’s a great jumping off point for creating a solid understanding of where your organization is at and where it needs to go. This BYOD best practice allows you to take stock of your current device management strategy, understand which teams and parts of the business allowing BYOD will affect, and ensure you create a comprehensive policy moving forward.

Develop a Clear BYOD Policy

Once you’ve assessed the needs and goals of your organization, you can use them to create a clear BYOD policy. The essential parts of this policy include: 

• Which devices and operating systems are allowed or not allowed.
• How they will be managed.
• Expectations for employee use and behavior.
• Security and compliance initiatives, such as what security measures will be implemented across BYOD devices.
• How personal and work data will remain separate.
• How BYOD devices will be onboarded and offboarded.
• BYOD security training policies.

Depending on your organization’s needs, you can add other topics into your policy, or remove some as necessary. The point of creating a clear BYOD policy is not to strictly follow a template that came from someone else, but to mold it into something that perfectly suits your business.

Decide what to include in your remote work policy

Read More

Implement Organization-Wide Security Measures

The next BYOD best practice that we want to touch on is implementing security measures to keep devices, identities, and organizational resources as safe as possible. If not addressed upfront, BYOD can pose new security threats to your organization which can have devastating consequences. 

Some common security measures used in a BYOD policy are multi-factor authentication (MFA), conditional access policies, enforced patch management, and more. By ensuring that personal devices used for work remain secure and productive, you can better protect the identities that use them, as well as the resources that those identities access on them.

It’s important to plan for any potential security threat that can arise due to the use of personal devices for work. Being proactive and establishing clear security guidelines prior to a security event occurring will significantly reduce the amount of risk that BYOD brings to your organization.

Audit and Blacklist Applications

Another BYOD best practice related to security and compliance is constantly auditing and whitelisting or blacklisting applications. It’s essential to keep track of what applications employees need to get work done, how secure they are, and if you should continue using them after a period of time. 

On top of that, with BYOD in particular, it’s important to specifically blacklist certain applications that don’t meet your security standards — this often comes in the form of games, social networking apps, and third-party file sharing apps. Any app that severely compromises organizational resource security on a personal device used for work needs to be inspected and restricted properly.

Invest in Ongoing Employee Training

The last BYOD best practice we want to discuss is both upfront and ongoing employee training. 43% of employees are “very” or “pretty” certain they have made a mistake at work with security repercussions. Not only is this number scary, but it’s also concerning that so many workers are unsure of what type of actions have security repercussions at work. Considering so much business is done and stored digitally and 85% of data breaches are due to the “human element,” this isn’t something to take lightly.

The first step to mitigating these risks is through clear, engaging, and consistent employee training. While this is true across the board, this is a specific BYOD best practice because allowing personal devices to be used for work purposes creates new attack vectors that employees aren’t used to or even aware of. 

To deal with this, consider creating an employee training program specifically catered to BYOD security and best practices for users. This training program should be required, and users should have to re-examine the topics multiple times throughout their tenure to stay aware and up to date on BYOD security.

BYOD and Mobile Device Management With JumpCloud

The best way to monitor and manage BYOD in your organization is through a modern mobile device management (MDM) platform. JumpCloud offers an MDM solution on top of many other capabilities such as MFA, single sign-on (SSO), policy and patch management, and much more! This way, with a single platform, you can allow BYOD while simultaneously securing all devices within your organization.

Try JumpCloud Free MDM

MDM + Cloud Directory

Try Risk Free

Organizations turn on multi-factor authentication (MFA) to secure access to corporate resources and increase their security posture. 

IT admins like using push notifications MFA for several reasons. Since most users have smartphones in their pockets at all times, push notifications offer minimal user friction. They are also ubiquitous (admins can enable them across different kinds of resources and endpoints unlike other methods) and offer security against “man in the middle” attacks. 

Recently, this trusted security measure has been facing a new kind of attack known as push bombing or MFA fatigue. Keep reading to learn more about how to reduce your risk.

What Is Push Bombing and MFA Fatigue?

When an organization uses push MFA, the user is required to approve the login or access request sent to their personal device in the form of a push notification. This is just one way (of many) to verify the user’s identity, but preferred given its UX benefits.

Push bombing is a method where an attacker uses a script or a bot to trigger multiple login attempts with stolen or leaked credentials and trigger a SPAM of multiple push notifications to the user’s mobile device. 

Here’s how it works: 

1. An attacker repeatedly sends a user endless push notification streams with the intent to exacerbate them into accidentally approving the prompt. 
2. Understandably, the user feels a sense of fatigue, and it’s easy to make mistakes out of frustration. They accept the prompt.
3. Unfortunately, the trick works extremely well for account take over and breaches. The attacker now has access to the account in question. 

Alternatively, an attacker may also contact the user impersonating as an IT admin and convince them to approve the login attempt.

How JumpCloud Protect Helps Admins Combat Attacks 

Stronger Password Policy

Push attempts are triggered after an attacker gains access to a user’s password. The weaker the password the more likely an attacker is to obtain it through brute force and social engineering techniques. 

IT admins can use JumpCloud’s password settings to adopt a stronger password policy that meets the following requirements:

• Greater than or equal to12 characters in length, including alphanumeric
• Upper and lower case combinations
• Changes password every 90 days

Admins should also use password aging to reduce risks due to re-use of older, leaked, or stolen credentials that a hacker may have obtained. Here’s what the Password Settings look like in the JumpCloud management portal: 

Admins can also use JumpCloud’s password manager to manage their user’s passwords, which reduces the friction associated with using lengthier passwords with increased security posture. JumpCloud Password Manager eliminates the need to remember a master password thereby reducing the risks due to password leaks or breaches.

Account Lock-Out

Admins can use JumpCloud’s account lock-out settings to set a limit for password and Push MFA retries. A user’s account will be locked if the user denies a login request sent in Push notification for a specified number of consecutive  attempts as determined by the settings. Admins can auto unlock the account after a certain duration to reduce user friction. 

Mobile Biometric

Admins can activate mobile biometric on Push MFA, so that a user is required to use their fingerprint or face recognition as an additional factor to approve a login request. Here’s a look at what both the admin and user sees during this process:

Conditional Access

Admins can leverage JumpCloud conditional access policies for user portal and SSO application login attempts to restrict access from trusted devices or allow access only from the locations where an employee lives or places of travel. Simply select the Conditional Access option from the platform’s left-side navigation to open Conditional Access settings:

App and Location Information on Push Notifications

Admins can educate their users to check the application name for which the access request is made or the location from where the request was made before approving the request. 

While application name or a granular location information may not always be available, when it is present it will help flag potentially fraudulent access requests.

Avoid Account Takeovers with JumpCloud

As reported by Microsoft, requiring MFA has been shown to reduce  account takeover attacks by 99%. While MFA does offer resistance to attacks, hackers have, unfortunately, found a way to circumvent them with push bombing and MFA fatigue. 

So, it’s important for organizations to employ additional precautions such as adding phishing-resistant email tools and filters, educating users on stronger password practices for their personal and work accounts, and implementing stronger security practices to avoid security breaches.

JumpCloud continuously adds new features that increase the security posture of the platform to give IT admins and organizations peace of mind. IT admins can also better protect their organizations by adopting JumpCloud recommendations, starting with enforcing stronger password policies.

Ready to experience the ease of JumpCloud for your IT needs?

Click here to start your free account today.