
    Calling any JumpCloud users or employees...

      scottalanmiller @bigbear

      @bigbear said in Calling any JumpCloud users or employees...:

      When installing RDSH it only says you must be part of a domain, not AD particularly.

      Except that the term domain means AD domain, in that context. Otherwise, being on DNS would meet the criteria, and obviously it does not. Domain isn't a generic term and means AD there.

        bigbear

        I'm guessing JumpCloud doesn't provide NTLM but is more of an AWS-style directory service?

          dbeato @bigbear

          @bigbear JumpCloud uses local accounts on the systems and maintains the policies via the agent installed on the devices.

            scottalanmiller @dbeato

            @dbeato said in Calling any JumpCloud users or employees...:

            @bigbear JumpCloud uses local accounts on the systems and maintains the policies via the agent installed on the devices.

            How do password resets happen? Are they just done via the JumpCloud agent so when you reset them on the service it pushes them out to the local accounts?

              dbeato @scottalanmiller

              @scottalanmiller the password reset happens on the JumpCloud web interface, by either the user or the IT manager. They call it DaaS, with the agent then updating the local account with the respective password.

                bigbear

                Reminds me of Novell days, sorta.

                There IS a way to provision RDSH on a workgroup, so I suppose you could use JumpCloud from there, but it's much more of a hack than simply provisioning an AD on RDSH.

                DaaS may have been a poor choice for an acronym for these guys.

                  stacksofplates

                  So you can't change the password locally through the agent?

                  What happens if you don't have internet at the time your password expires?

                  Or when your password expires but your system is locked/not logged into?

                    gregorymkeller

                    Hey folks! Let me provide some feedback for you all on this thread. Absolutely feel free to ping us - our support engineers and my product team and I can dive deep with you to problem-shoot your implementation ideas and strategies.

                    @bigbear - You are correct in that we are not, in the exact sense, a Remote Desktop Session Host provider. Lots of customers do drop the JC agent on the virtualized Windows system, bind the users they want deployed on the box to access it, apply policy on the box via our commands execution facility and finally RDP into the system. But you are correct, that is not exactly what we've built. We're also not quite an AWS-style Directory Service - which really is designed and positioned to sync with on-premise ADs to authenticate servers and VDIs in AWS. It's truly more of a core AD alternative and specifically the base authentication for our customers' systems (Mac/Win/Lin), networks (via RADIUS) and apps (via LDAP and SAML). As for DaaS versus some other acronym - we're all certainly flooded with them... Directory as a Service is what it means and what the public started calling us early on. Probably before 'Desktop as a Service'. We liked it... stayed with it.
                    @dbeato Spot on.
                    @scottalanmiller You can't change a password locally on the host (yet)... all changes to all endpoints connected to the identity get updated instantly when the employee changes through their web portal. This said, the credentials on a system are locally cached and remain encrypted, not unlike a Windows host bound to a domain does when it's off the domain or off VPN. It will use the last good/known hash to authenticate.

                    Hope this helps you all and thanks for the great discussion!
                    Greg

                      scottalanmiller @gregorymkeller

                      @gregorymkeller by the Agent I meant that your API told your agent to do the change 🙂

                        gregorymkeller @scottalanmiller

                        @scottalanmiller Ah! Well, in fact, that is architecturally what's going on. In all of its nerdtastic glory...

                        (hit this link if image doesn't display: https://www.evernote.com/shard/s33/sh/4ef4d6a3-f38d-4217-a8ff-2a28fa63ef1b/92cb5a9f8d997ff4)

                          scottalanmiller

                          [Image: JumpCloud Architecture]

                            gregorymkeller @scottalanmiller

                            @scottalanmiller Grazie! Your markup skills are better than mine apparently!

                              scottalanmiller @gregorymkeller

                              @gregorymkeller said in Calling any JumpCloud users or employees...:

                              @scottalanmiller Grazie! Your markup skills are better than mine apparently!

                              I do this a lot 🙂

                                dafyre @scottalanmiller

                                @scottalanmiller said in Calling any JumpCloud users or employees...:

                                @gregorymkeller said in Calling any JumpCloud users or employees...:

                                @scottalanmiller Grazie! Your markup skills are better than mine apparently!

                                I do this a lot 🙂

                                He's a robot, but we can't get him to admit it.

                                  bigbear @gregorymkeller

                                  @gregorymkeller do you have any customers who have implemented your "DaaS" with an RDSH server?

                                    gregorymkeller @bigbear

                                    @bigbear - I pinged the crew to see if they have any direct customer experiences and the team indicates it should work fine. The agent gets dropped on the RDSH and when we provision or bind to local accounts on that box, we drop those users in the RDP user group too. That system cannot be domain joined obviously (the agent install will reject it, regardless). Give 'er a try!

                                      Dashrender

                                      I assume this means that RDSH license server doesn't require AD users?

                                        bigbear @gregorymkeller

                                        @gregorymkeller Problem is RDSH requires an AD server or some hacks to get it in workgroup mode, in which case the users' session security is very lax.

                                        Does JumpCloud actually contract/sync AD?

                                          dbeato @bigbear

                                          @bigbear No, they removed the Active Directory bridge as per below:
                                          https://support.jumpcloud.com/customer/portal/articles/2405730-installing-the-active-directory-bridge

                                            bigbear @Dashrender

                                            @Dashrender If you do it in workgroup mode, from what I have seen, it's a pretty ugly setup.

                                            Honestly I may endure the expense of Azure AD. It was a really nice setup, but $90 for the DC in the cloud was a surprise I didn't expect and the D11 instance is $220/month or so (on sale right now). So $300/month.

                                            I can do the whole thing on a single box with more power on Vultr for $96 (Windows 2016 license included). Another $52 and I can run an AD box but I found several Microsoft articles stating that in a small single server environment it is acceptable to run AD on the RDSH box.

                                            In our case we have no other AD servers.
