When the world went remote, people were surprised to learn that many aspects of their jobs looked pretty much the same as they did in the office. It turns out that accessing resources from the kitchen (or the beach, or a coffee shop, or a train) isn’t that different from doing it in the office. In fact, we make it our mission to make sure remote work can happen from anywhere, on your terms.

Remote tech support, however, isn’t quite the same experience when you can’t see or drive the user’s screen directly. It’s frustrating and inefficient at best, and at worst, it creates more issues than it solves. Between trying to understand the user’s issue and prescribing solutions via verbal or written instructions, every ticket seems to take twice as long as they should. 

But as remote work becomes a permanent part of today’s workplace (the average SME is now 57% remote or hybrid-remote), IT teams and MSPs must be able to effectively assist users remotely. To help teams streamline remote tech support, JumpCloud has introduced Remote Assist, which enables IT teams and MSPs to remotely view and control users’ devices. And we’ve got more good news: Remote Assist is free for all organizations and MSPs that use JumpCloud. 

How Does Remote Assist Work? 

JumpCloud Remote Assist facilitates remote tech support by allowing admins to remotely see and control a user’s device, regardless of their location. It includes the following capabilities:

• Multi-OS support: Provide remote assistance to Windows and macOS devices, with Linux coming soon. 
• Remote support straight from your browser: Offer remote assistance through your browser, from anywhere, with any device, and at any time, with no need to install additional tools. 
• Multiple monitor support: View, control, and switch between any number of monitors connected to your remote Mac or Windows devices.
• Audit Logging: Get centralized logging of all remote support sessions. 
• Clipboard synchronization: Copy and paste text and images between remote and local devices (coming soon).
• Role-based access control: Determine which technicians can access end user devices via the JumpCloud account role-based access controls.
• Secure Peer-to-Peer Connection: Assist employees securely with fully secured, private sessions protected by unique session keys, end-to-end encryption, and direct peer-to-peer communications.

Note that the first release of JumpCloud Remote Assist focuses on attended access for macOS and Windows, with Linux and unattended access coming soon. 

Key Benefits of JumpCloud Remote Assist

Remote Assist is free to all organizations and MSPs without any restrictions on time, number of devices, sessions or technicians. It allows organizations to support an unlimited number of devices, regardless of the number of IT technicians using JumpCloud Remote Assist, for as long as they want. This ability to remotely assist users effectively (without incurring additional costs) is a critical component in making a smooth transition to the long-term remote-first paradigm.  

Benefits to Direct Customers:

• Increased Productivity and Lower User Friction: End-users resolve their technical problems more quickly, allowing them to focus on productivity and minimize time lost while waiting on issue fixes.
• Windows, macOS, and Linux Support: Remote assistance becomes available to everyone — not just Windows users. This boosts team productivity as well as the end-user experience. 
• Faster Resolution for Help-Desk Tickets: IT teams can close helpdesk tickets faster, reducing time-to-resolution for your users and optimizing IT’s productivity time.

Benefits to MSPs:

• Increased Reselling Margins: Centralize all your core capabilities such as identity, access, device management, and live remote assistance in the JumpCloud directory platform.
• Reduced Operating Costs: Provide an easy and cost-effective way to manage multi-OS devices remotely.
• Optimize Technician Time: Empower your IT admins to work efficiently and provide faster time-to-resolution for helpdesk issues. 

Part of a Holistic Solution

With the latest Remote Assist solution offering, JumpCloud adds and consolidates multiple tools into a single platform. Organizations and MSPs that use JumpCloud can now administer and troubleshoot end-user devices remotely, without relying on or paying for third-party solutions.

In addition, the combination of Remote Assist, mobile device management (MDM), and patch management provides critical device management capabilities that deliver more comprehensive value than ad hoc approaches to device management. That includes optimized resources, time, and tools for IT teams and better savings for the organization.

Because the JumpCloud Directory Platform works well with other IT solutions in the market, organizations and MSPs can choose to use their existing MDM and identity access management (IAM) solutions while utilizing JumpCloud Remote Assist for free. All it takes to register is installing the JumpCloud Agent. 

Get JumpCloud Remote Assist for Free!

JumpCloud is the only platform in the industry that consolidates live remote support with centralized identity, asset management and Secure, Frictionless Access^TM to all company resources.

JumpCloud Remote Assist is free for any organization to use, at any scale, for any number of devices, without any limits on time. Sign up for a free account to start working efficient remote assistance into your remote or hybrid strategy.

Jump to Tutorial

Security-minded system administrators prioritize taking all the necessary measures to safeguard confidential and protected data. The compromise of a device can prove costly if it contains sensitive company information, especially when organizations have compliance requirements. Disk encryption is one of the best ways to mitigate this risk.

Encryption is the process of encoding data. Data is converted from plain text to ciphertext using a special mathematical algorithm that renders the data unreadable unless the encryption key is provided. This key should always remain a secret to the person authorized to access the data.

There are two major types of encryption in a computer: Full Disk Encryption (FDE) and File Level Encryption (FLE).

Full Disk Encryption

In full disk encryption, also known as hard drive encryption, the entire hard drive or volume — including all the files — is protected. During booting, a passphrase or secret key is required to unlock the drive before logging in with your user account credentials.

Implementing FDE guarantees data privacy and security for all the files from unauthorized users or anyone with malicious intent. Learn more about the benefits of FDE, and five reasons you should consider requiring it in your organization.

File Level Encryption 

As the name infers, file level encryption happens at the file system level. This type of encryption targets individual files and directories, but not the entire hard disk.

Both full disk encryption and file level encryption can be used simultaneously to achieve a higher level of data protection.

In this tutorial, we will focus on how to enable full disk encryption on Ubuntu 22.04 using LUKS. 

What Is Linux Unified Key Setup (LUKS)?

LUKS is a standard hard drive encryption technology for major Linux systems including Ubuntu. It is a platform-independent disk encryption specification and the de facto disk encryption standard for Linux systems.

LUKS was originally developed for Linux systems and is used in nearly all Linux distributions. It is also a popular encryption format for network-attached storage (NAS) devices. It encrypts entire block devices, making it an ideal choice for encrypting SSD, hard disk drives, and even removable drives.

In addition to offering FDE, LUKS allows users to create and run encrypted containers with the same level of protection as LUKS full disk encryption.

With LUKS, disk encryption can be enabled during the installation of an operating system. In fact, full disk encryption is only achieved during the installation of the Ubuntu Desktop operating system. It encrypts all the partitions including swap space, system partitions, and every bit of data stored on the block volume with the exception of the Master Boot Record (MBR).

How to Fully Encrypt Data on Ubuntu 22.04

If you already have a running instance of Ubuntu 22.04 and you want to enable full disk encryption, you’re required to reinstall it. You cannot fully encrypt it once it is installed. You can only encrypt directories or partitions post-installation.

If you forget your encryption passphrase, all your data will be inaccessible. As such, it is recommended to pick one that you can easily remember or store on a password vault or manager. Better yet, if you have used a complex password, you can note it down somewhere and keep it under lock and key.

Additionally, before starting this process, be sure to backup any critical data that could potentially be lost during the reinstallation process.

Getting Started

We will skip the few installation steps on Ubuntu 22.04 and head straight to the “Installation Type” step that requires you to select your preferred disk partition mode.

Two options will be presented. The first one (the default option) is “Erase disk and install Ubuntu” which wipes out all the existing data and automatically partitions the drive. The second option is “Something else” which is used to manually configure the disk partitions yourself. Please note that you will not be able to enable full disk encryption by selecting the second option.

Select the first option: “Erase disk and install Ubuntu” and click the “Advanced features” button as indicated.

Once you click the “Advanced features” button, a pop-up appears. Be sure to select “Use LVM with new Ubuntu installation” and the “Encrypt the new Ubuntu installation for security” options.

Then click “OK.”

Next, assuming you have already backed up any important data, click “Install Now.”

Disk encryption requires a security key in order to access your files each time your device boots. In this step, provide a strong security key or passphrase.

You can also enable a recovery key which enables a user to access the encrypted disk if they forget their password, or if the disk needs to be installed on a new device.

Then click “Install Now.”

On the pop-up dialogue that appears, click “Continue” to write changes to the disk.

From here, continue with the installation process until the end, and finally, reboot the system. Provide the security key that you generated and hit ENTER prior to logging in.

The secret key unlocks your drive thereby granting you access to your system.

From here, you can log in to your new Ubuntu installation by providing your user account’s password and pressing ENTER.

Conclusion

In this guide, we walked you through the implementation of full disk encryption using LUKS on Ubuntu 22.04. FDE provides a robust way to safeguard your data in case of theft or accidental loss of your device. 

Encryption is just one approach to ensuring the privacy and safety of your data. Therefore, you should not relax enforcing other data protection measures such as firewalls, identity and access management (IAM), and Zero Trust controls such as multi-factor authentication (MFA).

JumpCloud’s open directory platform is available to easily implement full disk encryption throughout your entire fleet. Pre-built policies make it possible to achieve full disk encryption for Windows and macOS devices, with granular control and visibility for BitLocker.

Linux devices can also be managed and monitored for encryption status. To see how this works, along with a number of other device security and management features, sign up today to get started. JumpCloud is free to use for up to 10 users and 10 devices; we also provide 24×7 in-app support for the first 10 days of use.

Would you prefer tailored, white-glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you and your fleet.

October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.

Many organizations spend quite a bit of time onboarding new employees and making sure they have access to everything they need; however, the same care is often lacking when it comes to offboarding. Whether a long-time employee suddenly leaves on bad terms, a contractor is no longer being utilized for some period of time, or an employee goes on leave, improper offboarding or suspension of that user’s permissions and access poses significant risk for your organization.

Offboarding and deactivating a user’s identity can be a manual and time-consuming process, yet it is also very time-sensitive and sometimes requires IT admins to be available at a moment’s notice. Not every employee gives notice prior to leaving, and unforeseeable events can happen that force admins to scramble at the last minute to deprovision that user’s access to company resources.

This process becomes even more difficult if your organization needs to provide access to IT resources for temporary workers like contractors and interns, or has full-time employees that may need to be temporarily offboarded or have their IT resource access suspended rather than be permanently offboarded due to personal events like marriages, births, family care, overcoming an illness or injury, and more.

Most Companies Struggle With Offboarding

Improperly offboarding employees is a dangerous game to play, yet, according to TechRepublic, 48% of organizations said they are aware that former employees still have access to corporate networks. Further, 20% of organizations say they’ve experienced a data breach that’s linked to former employees.

These stats tell us that improperly offboarded employees are a predominant threat to organizations; however, the tools and resources needed to fix this issue aren’t there. The missing link here could be a lack of time, no simple way to quickly offboard or suspend user access to all IT resources, and/or lack of insight into the security risks posed by inadequate processes. It puts a spotlight on the notion that offboarding is as much a security issue as it is an operational one for IT.

Another important finding from TechRepublic is: 

Half of IT leaders said that ex-employees’ accounts remain active for longer than a day after their departure, 32% said it takes a week to deactivate an account, and 20% said it takes a month or more. Another 25% said they don’t know how long accounts remain active once the employee has left the company.

These percentages pose a significant problem for the organizations that fit into these stats. It only takes one angry ex-employee, one ex-employee that’s simply being careless with the handling of their credentials, or one employee on leave that still has active access to make damaging changes in some shared resource, even though they weren’t there for the last best practices discussion.

Case Study: Improper Offboarding and Compliance Violations

Here’s a real world example of how improper offboarding of employees and contractors can lead to considerable compliance violations, substantial fines, and the subsequent loss of public trust.

Pagosa Springs Medical Center (PSMC)

In 2018, Pagosa Springs Medical Center found itself at the epicenter of a major HIPAA violation which ended up costing them $111,400 — all because they did not properly offboard a terminated employee.

After their termination, the former PSMC employee retained remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI). The investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to this former employee.

HIPAA calls out the need for a formal offboarding process under the security rule section – § 164.308(a)(3)(ii)(C): “Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.“

Source: HHS

HIPAA is just one standard that can easily be violated due to improper offboarding — there are many others out there with similarly severe consequences for non-compliance.

A Quick Offboarding Checklist

Even at organizations where offboarding is seen as a fairly quick process, i.e. less than a couple of hours, the risk of that ex-employee or another bad actor taking advantage of existing access is still prevalent. 

TechRepublic also found that 70% of IT decision makers surveyed said it can take up to an hour to deprovision all of a single former employee’s corporate application accounts. Keep in mind, this does not include revoking an employee’s access to their devices and networks.

To combat this and improve your organization’s security posture, it’s helpful to put steps in place that improve offboarding efficiency. One of these steps should include an offboarding checklist to ensure that no loose ends are left after an employee’s departure.

Your offboarding checklist should include deactivation of access to:

• All applications
• Productivity tools:
  • Ex. Google Workspace and Slack
• CRM tools:
  • Ex. Salesforce and Zoho

• Cloud Infrastructure
• File shares
• Devices
• Corporate Networks
  • VPN
  • RADIUS
  • Or, if WiFi access is not centrally managed, periodically refresh the Corporate WPA2 passphrase
• And ensure return of equipment

Questions to Consider When Improving Offboarding Workflows:

• Does HR inform you in a timely manner when an employee leaves your organization?
• If an employee is terminated or leaves abruptly, are you able to deactivate their identity immediately?
• Are you able to suspend the identity for contractors who leave the company and may return?
  • What about employees on medical leave who may return?

Improving Employee Offboarding

Sticking to an offboarding checklist to ensure all access is revoked is extremely important, but what’s just as important is the process in which everything is deactivated. Not only are manual offboarding processes time-consuming, but they also leave a lot of room for human error. 

While working to improve and standardize your entire offboarding workflow, we also recommend that you establish routine communication with HR around onboarding and offboarding, as well as find an identity provider (IdP) to streamline the process.

Establish Routine Communication With HR

If you’re not already in continuous communication with HR regarding employees coming and going, you need to establish a better process between departments. HR should let you know when an employee is scheduled to leave or immediately notify IT when someone leaves abruptly. HR should also inform you in advance when an employee is scheduled to return from leave or their contract is renewed.

Though many project management tools exist to help alert internal stakeholders about new tasks, and some HRIS systems can even directly integrate into your core directory service to fully automate this process, this communication can be quickly achieved by creating an email alias or group with select individuals from HR and IT. Whenever someone across the organization alerts HR of a change in employment, they can CC this email alias to give IT the necessary “heads up” they need to act quickly.

Find the Right Identity Provider

When choosing an identity provider, find one that has the following capabilities:

• Allows you to automate deactivation of a user’s identity
  • Once you set the date/time of deactivation, your IdP should take care of the rest
• Lets you easily and quickly revoke access to ALL resources
  • Deactivating a user’s identity should revoke access to applications, devices, networks, and any other resources that user had access to
• Simplifies user activation and reactivation
  • If an employee returns from leave or a contractor’s contract is renewed, you should be able to quickly and easily reactivate their identity in a just few steps
• Includes integration capabilities with common HRIS software

Fixing the communication disconnect between HR and IT and implementing the right identity provider will allow you to securely and efficiently revoke access and re-provision access as needed, through just a few clicks.

JumpCloud’s Offboarding and User Suspension Features

Using JumpCloud^® as your primary IdP allows you to quickly deprovision user access to virtually all of their IT resources. Our scheduled suspension features allows you to schedule a date and time for user deactivation which revokes access to applications, devices, networks, and any other IT resource their account has permissions for. 

If the user in question will be returning, you can use this capability as a temporary suspension, and the user can later be reactivated; what’s more, they’ll receive updated permissions and access to new or changed resources as determined by their associated user, device, and policy groups automatically once reactivated. If the user in question will not be returning, use this feature to schedule their deactivation and then fully remove their account when appropriate (as dictated by compliance regulations or internal policy).

The JumpCloud scheduled user suspension feature simplifies and automates the deactivation workflow for scheduled permanent offboarding, as well as temporary suspension of contractors, freelancers, and employees on leave. This feature lets you revoke access to all resources, not just corporate applications. All of this works together to improve your overall security posture and ensure that your organization remains compliant with relevant standards.

All of this coupled with the fact that JumpCloud integrates with HR software like Workday and Bamboo, as well as provides API-based integration with other tools, provides a seamless onboarding and offboarding experience for IT admins.

Protect your organization from data breaches and compliance violations

Learn How to Manage User States

Try Scheduled User Suspension Free

This feature can be found within the JumpCloud Admin Console — find it under User Management > Users. Try it for free for up to 10 users and 10 devices by creating a JumpCloud Free account. Enjoy all of the functionality of the JumpCloud Directory Platform, including scheduled user suspension, and see if JumpCloud is the right IdP for your organization!

Can JumpCloud integrate with my organization’s identity source of truth? What about our HRIS solution?  

We hear this type of question more and more from small and medium enterprise (SME) IT admins. The question is not surprising, given that the SME segment is the fastest growing segment in the global HR market: SMEs accounted for over 60% of that market share in 2020, according to Verified Market Research. 

Being able to answer “yes” when someone asks us whether JumpCloud can integrate with their identity source and HRIS platform is vital — particularly because user identity management now affects both IT and HR. As a shared concern, it is increasingly important to ensure there are efficient, consistent, and, whenever possible, automated identity lifecycle management processes between these two departments, regardless of the HR and IT solutions in place.

With the latest updates to the JumpCloud identity management custom API connector, the answer to “Can JumpCloud integrate with my identity source or HRIS solution?” is increasingly “yes.”

What is the JumpCloud Identity Management Custom API connector?

The JumpCloud custom API connector provides an open and flexible way to integrate JumpCloud with a broad number of identity sources. This includes HRIS, human capital management (HCM), compensation, and benefits platforms, as well as other cloud directories. JumpCloud can integrate with many leading HR solutions, like ADP, BambooHR, and Workday, as well as many other HRIS and non-HRIS solutions.

How Does It Work?

From the JumpCloud Admin Portal, an IT admin completes a configuration template that defines the authentication method, API endpoints, and the attribute mappings needed to create the integration between JumpCloud and the application serving as the identity source. Once that configuration is verified, the integration is activated and available to use to import user identities directly into JumpCloud from the identity source, connecting the HR and IT worlds.

User Identity Lifecycle (Co-)Management 

HR and IT have always shared the objective of high employee satisfaction and productivity from onboarding to offboarding. How each department achieved this objective used to be distinct, with minimal overlap of responsibilities and concern. 

Now, however, identity management is a collaborative effort between HR and IT. HR assumes the responsibility of creating and keeping the person’s identity current, as well as triggering onboarding and offboarding flows. IT is more focused on assigning and maintaining the appropriate access and permissions throughout the user’s lifecycle. This includes access to all the resources a person needs to be productive during their entire tenure with the organization, as well as deprovisioning the user’s identity and access when they leave. 

This shift in responsibilities has created the need for information to flow from an organization’s identity source to JumpCloud. In the past, JumpCloud has offered integrations and automations from JumpCloud to applications. Now,  JumpCloud is using the same types of integrations and automations to transmit information from identity sources to JumpCloud. This allows JumpCloud to act as a pass-through of the user identity information. 

However, many of these identity sources do not have integrations to JumpCloud. Without an integration, both IT and HR must perform multiple manual, insecure, error-prone processes. These processes have the potential to negatively impact employees’ ability to do their jobs and create security vulnerabilities. 

To fill this gap, JumpCloud offers several options for integrating with these identity sources in the JumpCloud Admin Portal. The solutions range from specific integrations built by JumpCloud (such as Personio, Workday, Google Workspace, and M365) to open solutions: the custom SCIM connector and the custom API connector. All of these options support employee onboarding (joiners). 

In addition, we have added support for keeping a user’s profile in-sync as changes are made in the identity source (movers) and for deprovisioning identities when a user’s status is set to inactive in the identity source (leavers). 

With each addition to our open and flexible integration options, our answer to the question of whether JumpCloud integrates with an organization’s chosen identity source gets closer and closer to a universal “yes.” 

Explore the Integration Options

To explore JumpCloud’s available integration options, go to the JumpCloud Admin Portal and navigate to Directory Integrations  > HR Directories > +. If you don’t have a JumpCloud account, you can try it for free for up to 10 users and 10 devices by creating a JumpCloud Free account. Sign up to explore how JumpCloud enables you to make work happen — from anywhere, on any device, and with the platforms you choose. Make Work Happen™ on your terms.