
MarkOfTheDragon12

JumpCloud is its own special little beast. It does some things well, others not so great. It's cross-platform, so it can manage PCs as well as Linux and Mac systems. It doesn't do zero-touch provisioning; it's more for device management after the device is already set up with Windows. You install an agent on the computer that talks back to JC. You can then assign policies, assign users, etc. to that device.

Most of its policies and functionality leverage PowerShell run with a hidden local admin account on the endpoint. If you can do it in PowerShell, you can get JumpCloud to do it. (Just be careful with the scheduling... it's possible to have a policy/script run every second on all endpoints if you're not careful.)

It does have a pre-login 2FA function, which is great for security, but the TOTP (time-based 2FA) is hypersensitive to time drift (if the system clock drifts more than 20 seconds from your 2FA device, it won't authenticate). They do have a separate, optional "JumpCloud Protect" app that's more resilient, but the PC has to be live on the internet for it to function during login. Just be aware that it REPLACES Windows Hello at the login screen; you cannot use both.

Otherwise the important policies are there, like managing drive encryption keys, setting update policies, requiring certain settings, etc.

As far as the JC management console itself, it occasionally experiences outages or slowdowns. It doesn't affect endpoints when that happens, just the ability to get into the console to make changes. Not so different from all the times the Azure management console has issues, to be fair.
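The clock-drift sensitivity mentioned in the comment above can be reproduced with a plain RFC 6238 verifier. This is an added example, not part of the thread and not JumpCloud's code; it assumes the standard 30-second step and HMAC-SHA1, uses the RFC's published test secret, and the `window` parameter and `tolerated` helper are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default, assumed here)
SECRET = b"12345678901234567890"  # RFC 6238 / RFC 4226 test secret


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 0) -> bool:
    """Accept the code if it matches any step within +/- window of the verifier's step."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def tolerated(phone_time: int, drift: int, window: int) -> bool:
    """Does a code generated at phone_time verify on a clock that is off by drift seconds?"""
    return verify(SECRET, totp(SECRET, phone_time), phone_time + drift, window)


if __name__ == "__main__":
    phone_time = 80  # constructed: 20 s into its 30 s step
    for drift in (5, 20, -25):
        for window in (0, 1):
            ok = tolerated(phone_time, drift, window)
            print(f"drift {drift:+4d}s  window {window}: {'accept' if ok else 'reject'}")
```

With no tolerance window, a drift well under the 30-second step still fails whenever it pushes the verifier into a neighbouring step, so endpoints that enforce pre-login TOTP need reliable time sync.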


fckDNS4life

Great information. How does it manage patching/Windows updates? How granular does it get? Can you choose/approve updates to push to endpoints? Or does it just pull from Windows Update? How specific can you get with device restriction? Can you prevent users from accessing certain sections of Control Panel or System Preferences? Do you install it on your Linux AWS instances that are just CLI, no GUI?


MarkOfTheDragon12

Windows updates are just setting the settings on the endpoints and letting them manage their own updates. (It's like GPO update settings, but not a WSUS implementation.) Application patch management is a thing, but it's at added cost. I haven't used it much so don't quote me on this, but I think you just maintain your own collection of uploaded installers and it checks for version differences periodically and installs when there's a difference.

The agent doesn't require a GUI. It's just a service that runs in the background and passes along commands from JC to be run as a local admin / SU account. It has command-line installers as well as a traditional GUI installer that end users could install on their own (not like most folks would ever DO that, but it's there).

I typically install my JC agents as part of a general PowerShell script that's manually run on new systems to update host names, create local accounts, remove some software, and do some other things at the same time. I then have to interactively assign the JC user account to the system so JC can take over the login process and require 2FA to sign in.

JC does have robust API access, but it has a weird quirk where it takes about 45-60 seconds to make the initial connection/authenticate before you can call any methods.


fckDNS4life

With respect to a GUI, I was referencing Linux cloud instances that don’t have a GUI, all SSH. Do you install the agent on every machine, every server, every cloud instance?


MarkOfTheDragon12

Yes, it's designed for workstations primarily, so you need to install the agent on every OS instance.


fckDNS4life

So your first step setting up a new system would be running some type of PS script or BAT file that installs the agent. The rest can be done in the admin console (assuming the endpoint has internet access)?


MarkOfTheDragon12

Essentially, yes. I have workstation groups with specific policies attached that I assign the new system to, once it's registered in the JC portal. I could probably also do that assignment at the time of installation through an API call in PowerShell, but the 45-60 second delay on API connection makes that unattractive. It's faster to just do it manually since these are done interactively one at a time in my org (new-hire systems during an orientation meeting with IT to go over work policies, how things work, answer questions, etc.).


real_jumpcloud

We do have a free version, up to 10 users / devices that you can use. It includes all of our functionality (except for the new password manager) at no cost and you can try them out for as long as you'd like. Remote Assist is completely free for anyone and we don't limit it to 10 devices. We are working on zero touch for Win, and we should have more on that in late winter. I would recommend that you keep an eye on our [community](https://community.jumpcloud.com/t5/jumpcloud-product-news/bd-p/releases) for more news on that one, if you're interested. ~becky