HERE'S WHY
Having secure devices plays a major role in meeting compliance requirements. We want to support as many Mobile Device Management solutions (MDMs) as possible, in addition to providing our agent. We have heard from many of you that you use JumpCloud's MDM solution. This article goes over how to sync & bring all of your compliance-related information from JumpCloud to Drata.
HERE'S HOW
Before Diving In…
Make sure you have admin access to your company's JumpCloud account.
Your JumpCloud account has access to JumpCloud APIs.
Some of our checks use System Insights endpoints. Note that these are not granted on all JumpCloud plans and may need to be enabled; check https://console.jumpcloud.com/#/settings/features to see whether System Insights is enabled on your instance.
The computers you want to monitor have the JumpCloud Agent installed.
We currently support computers. Mobile and tablet devices are not supported.
To monitor policies through JumpCloud on macOS devices, the device must be enrolled in JumpCloud MDM.
At this time, Drata's device compliance checks using the JumpCloud MDM connection confirm the following:
Does the policy of the required name and/or type exist?
Is that policy mapped to the device?
Is that device compliant with that policy?
Current Limitations
Drata has limited ability to read browser extensions through JumpCloud; at this time only Chrome extensions are read. If a browser extension is being used as a password manager, that compliance check will currently fail. Your users will need to use the equivalent installed desktop application. As a JumpCloud admin, ensure that this app shows on the device's Application List. Alternatively, you or your users can upload manual evidence in Drata.
JumpCloud's APIs do not expose installed applications on Linux devices. Your Linux users will need to manually upload Antivirus and Password Manager app or browser extension evidence.
Step 1. Configure JumpCloud Device Policies and Commands
Drata makes use of the following Device Policies in our compliance checks. To learn more about JumpCloud Device Policies, please follow these instructions. During evaluation, Drata will check individual devices for a connected policy or that the device belongs to a Policy Group containing the policy:
Windows:
BitLocker Full Disk Encryption
Configure Windows Updates
Lock Screen
Mac:
FileVault 2
Lock Screen
Automatic macOS Updates (under Patch Management for Premium users) or Software Update Preferences (under Device Policies)
Note: JumpCloud’s Patch Management feature is not fully supported at this time and is only supported for Automatic macOS Updates.
Linux:
Check Disk Encryption
Lock Screen
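The three questions listed under "Here's How" (does the policy exist, is it mapped to the device, is the device compliant with it), together with the rule in Step 1 that a policy may reach a device directly or through a Policy Group, can be answered by a small evaluator. The following is an added example, not Drata's or JumpCloud's code; the inventory dicts and the sample device data are constructed for illustration and do not reflect the JumpCloud API's response format. The required policy names are the ones listed above, and the macOS update requirement accepts either of its two alternatives.

```python
"""Added example (not Drata's or JumpCloud's code): answer exists / mapped /
compliant for each required policy over constructed inventory data."""
from dataclasses import dataclass

# Required policies per platform, from Step 1. Each tuple lists acceptable alternatives.
REQUIRED_POLICIES = {
    "windows": [("BitLocker Full Disk Encryption",), ("Configure Windows Updates",),
                ("Lock Screen",)],
    "mac": [("FileVault 2",), ("Lock Screen",),
            ("Automatic macOS Updates", "Software Update Preferences")],
    "linux": [("Check Disk Encryption",), ("Lock Screen",)],
}


@dataclass
class Inventory:
    """Assumed data shape for illustration; NOT the JumpCloud API format."""
    policies: dict         # policy name -> policy id
    device_policies: dict  # device id -> set of policy ids bound directly
    groups: dict           # policy group id -> set of policy ids
    device_groups: dict    # device id -> set of policy group ids it belongs to
    results: dict          # (device id, policy id) -> True/False; absent = no result


def policies_bound_to(inv, device_id):
    """Policy ids that reach the device directly or through a Policy Group."""
    bound = set(inv.device_policies.get(device_id, ()))
    for gid in inv.device_groups.get(device_id, ()):
        bound |= inv.groups.get(gid, set())
    return bound


def evaluate_device(inv, device_id, platform):
    """Return {requirement: {exists, mapped, compliant}} for the platform's policies."""
    bound = policies_bound_to(inv, device_id)
    report = {}
    for alternatives in REQUIRED_POLICIES[platform]:
        existing = [inv.policies[n] for n in alternatives if n in inv.policies]
        mapped = [pid for pid in existing if pid in bound]
        report[" or ".join(alternatives)] = {
            "exists": bool(existing),
            "mapped": bool(mapped),
            # Compliant only when a mapped policy has a passing result for this device.
            "compliant": any(inv.results.get((device_id, pid)) is True for pid in mapped),
        }
    return report


def failing_policies(inv, device_id, platform):
    """Requirements that do not reach a compliant state, in Step 1 order."""
    return [name for name, r in evaluate_device(inv, device_id, platform).items()
            if not r["compliant"]]


# Constructed sample: one Mac policy group, one Mac bound directly, one Windows host.
SAMPLE = Inventory(
    policies={"FileVault 2": "p1", "Lock Screen": "p2",
              "Software Update Preferences": "p3",
              "BitLocker Full Disk Encryption": "p4"},
    device_policies={"mac-01": {"p3"}, "mac-02": {"p1"}},
    groups={"g-mac": {"p1", "p2"}},
    device_groups={"mac-01": {"g-mac"}},
    results={("mac-01", "p1"): True, ("mac-01", "p2"): True,
             ("mac-01", "p3"): False, ("mac-02", "p1"): True},
)

if __name__ == "__main__":
    for dev, plat in (("mac-01", "mac"), ("mac-02", "mac"), ("win-01", "windows")):
        print(dev, "failing:", failing_policies(SAMPLE, dev, plat))
```

In the sample, mac-01 fails only the update requirement (the policy exists and is mapped directly, but its result is non-compliant), while mac-02 fails Lock Screen because the policy exists but is neither bound to the device nor reached through a group. A device with no group membership and no direct bindings fails every check, which is the situation Step 1 warns about when Commands and Policies are not attached to every device.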
For other checks, we utilize the JumpCloud Commands functionality to run scripts on the system. The scripts are provided below and can be copied and pasted into your JumpCloud console. We recommend you configure JumpCloud to run these scripts at a set daily interval; Drata will gather evidence from the latest runs of these commands when we run our daily compliance checks.
Like Policies, these Commands should be attached either directly to devices or to device groups containing every device you want to run compliance checks on.
You can create new Commands starting from here: https://console.jumpcloud.com/#/commands/new
To enable us to query the results of these commands, you must use the following titles exactly as below:
DrataCollectorLinux
DrataCollectorLinux (Linux Shell Script)
#!/bin/sh
# Firewall check: ufw must be installed and report "Status: active".
# ufw status needs root; if it cannot run, the check falls through to false.
if command -v ufw > /dev/null 2>&1 && ufw status 2>/dev/null | grep -q "Status: active"; then
  firewall='true'
else
  firewall='false'
fi
# Graphics adapter: first VGA line from lspci, or an empty string when lspci is absent.
if command -v lspci > /dev/null 2>&1; then
  graphics=$(lspci | grep VGA | head -1)
else
  graphics=''
fi
# Automatic updates: APT unattended upgrades must be switched on.
if command -v apt-config > /dev/null 2>&1 && apt-config dump APT::Periodic::Unattended-Upgrade | grep -q 'APT::Periodic::Unattended-Upgrade "1";'; then
  autoUpdate='true'
else
  autoUpdate='false'
fi
# Emit the JSON document Drata reads from the command result.
# Keep the key names and the null fields exactly as they are; Drata expects this set.
echo "{"
echo " \"firewallEnabled\": $firewall,"
echo " \"macAddress\": null,"
echo " \"graphics\": \"$graphics\","
echo " \"autoUpdateEnabled\": $autoUpdate,"
echo " \"gateKeeperEnabled\": null,"
echo " \"fileVaultEnabled\": null,"
echo " \"winServicesList\": null"
echo "}"
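The command above emits a small JSON document, and the checks only pass when the boolean fields are literally true. The following is an added example, not Drata's code, showing how a consumer of that output would validate it and evaluate the two Linux checks. Both sample outputs are constructed rather than captured from a device; the second one illustrates what happens if one of the script's variables is ever left empty, since the booleans are written unquoted and an empty value makes the whole document invalid JSON rather than a silent "false".

```python
"""Added example (not Drata's code): validate and evaluate the JSON printed by
the DrataCollectorLinux command. Sample outputs below are constructed."""
import json

# Every key the collector prints; Drata expects exactly this set.
EXPECTED_KEYS = frozenset({
    "firewallEnabled", "macAddress", "graphics", "autoUpdateEnabled",
    "gateKeeperEnabled", "fileVaultEnabled", "winServicesList",
})
# The booleans the Linux script actually populates; the other keys are null on Linux.
LINUX_CHECKS = ("firewallEnabled", "autoUpdateEnabled")

# Constructed: output from a host with ufw active but unattended upgrades disabled.
SAMPLE_OUTPUT = """{
 "firewallEnabled": true,
 "macAddress": null,
 "graphics": "00:02.0 VGA compatible controller: Example Vendor Graphics Controller",
 "autoUpdateEnabled": false,
 "gateKeeperEnabled": null,
 "fileVaultEnabled": null,
 "winServicesList": null
}"""

# Constructed: what the script would print if $firewall were empty (unquoted boolean
# left blank), which is not valid JSON and must be rejected, not treated as false.
BROKEN_OUTPUT = """{
 "firewallEnabled": ,
 "macAddress": null,
 "graphics": "",
 "autoUpdateEnabled": true,
 "gateKeeperEnabled": null,
 "fileVaultEnabled": null,
 "winServicesList": null
}"""


def parse_collector_output(text):
    """Parse the command result and require the full key set; raise ValueError otherwise."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"collector output is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("collector output must be a JSON object")
    missing = EXPECTED_KEYS - data.keys()
    if missing:
        raise ValueError(f"collector output is missing keys: {sorted(missing)}")
    return data


def is_valid_output(text):
    """True when the output parses and carries every expected key."""
    try:
        parse_collector_output(text)
        return True
    except ValueError:
        return False


def evaluate_linux(data):
    """Map each Linux check to pass/fail/unknown; only JSON true counts as a pass."""
    status = {}
    for key in LINUX_CHECKS:
        value = data[key]
        status[key] = "pass" if value is True else "fail" if value is False else "unknown"
    return status


if __name__ == "__main__":
    print(evaluate_linux(parse_collector_output(SAMPLE_OUTPUT)))
    print("broken output accepted:", is_valid_output(BROKEN_OUTPUT))
```

Because the consumer insists on the full key set, renaming or dropping a key in the collector script (for example when adapting it) shows up as a parse error rather than as a check that silently never passes; that is the failure mode to look for if a device reports no evidence after the command has run.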
Step 2. Configure JumpCloud API
In this step, you will obtain the API token that Drata uses to query JumpCloud.
To locate your API Key:
Log into the JumpCloud Admin Console
Go to the username drop down located in the top-right of the Console.
Retrieve your API key from API Settings.
API Key Considerations
This API key is associated with the currently logged-in administrator. Other admins will have different API keys.
To revoke access granted with the current API key, simply reset your API key. All calls made with the previous API key will then be rejected.
Step 3. Connect JumpCloud MDM to Drata
1. Select "Connections" from the left side navigation menu.
2. Select the 'Available connections' tab, search for 'JumpCloud MDM', and select the Connect button for the JumpCloud MDM integration.
3. Enter the JumpCloud account details and click 'Save & Test Connection.'
Note: This is where you enter the API URL and API token created above in Step 2.
Step 4. Enable JumpCloud MDM and Verify Connection
In the Settings page, select 'Internal Security' to go to the Internal Security page.
Select 'Automated via JumpCloud MDM' and switch off 'Automated via Drata Agent' to disable the Drata agent.
Note: If both remain on and the Drata agent is installed on an employee computer, the Drata agent will take precedence, meaning that employee compliance checks will come from the agent.
Your JumpCloud MDM setup is complete! Drata will fetch data from JumpCloud on a daily basis once Autopilot completes running.