Configure SaaS Management

JumpCloud® SaaS Management gives you visibility and control over shadow IT and SaaS app use within your org. Using the JumpCloud Go™ browser extension and connectors, discover SaaS app use previously outside of your IT team’s visibility. Improve your org's security and compliance by choosing what apps users can access and how to restrict them. Warn or block users from accessing unapproved SaaS apps and customize the messaging they see. Collect valuable usage insights that help streamline, simplify, and minimize unnecessary costs of your application portfolio.

Prerequisites

• To use browser extension tracking, the JumpCloud Go browser extension must be installed on end user devices. For the fullest and most seamless experience, it's recommended to enable the JumpCloud Go feature for your org. See Get Started: JumpCloud Go™ to learn more. 

Considerations

• JumpCloud SaaS Management is a premium feature and requires the Platform Prime package. See JumpCloud Pricing to learn more.
• When you enable SaaS Management, the JumpCloud Go browser extension collects specific data to discover and track SaaS apps. See FAQ: SaaS Management to learn more.
  • To begin tracking, users must authenticate to the User Portal in their browser to establish a session. See Use JumpCloud Go™ to learn more.
• SSO apps configured in JumpCloud automatically appear in SaaS Management as approved apps. See Get Started: SAML Single Sign-on (SSO) to learn more.
• SaaS Management doesn’t track locally installed apps or those installed using JumpCloud Software Management. 
• SaaS app licensing information isn’t tracked automatically. You’ll need to enter licensing details manually for them to appear in SaaS Management. 
• When you delete a JumpCloud user with SaaS Management enabled, their accounts remain listed in SaaS Management without an owner. Enhancements are planned to improve this, giving admins a list of deleted users with the ability to act on their app and account details.

Enabling SaaS Management 

To start using JumpCloud SaaS Management, enable it in the Admin Portal:

1. Log in to the JumpCloud Admin Portal.
2. Go to SECURITY MANAGEMENT > SaaS Management.
3. Toggle on SaaS Management Enabled.

After enabling SaaS Management, existing JumpCloud SSO apps are added automatically. For SaaS app discovery on user devices, the browser extension begins tracking activity within five minutes. Users must authenticate to the User Portal first to establish a session for SaaS Management to begin tracking.

Next, configure management settings to customize SaaS Management behavior.

Configuring General Settings

Use these settings to fine tune browser extension tracking, exclude certain user groups, and customize action and responses to unapproved apps.

SaaS Management on User Portal

Choose to display a SaaS Management info card for users in their User Portal > Security page. This informs users that SaaS Management is enabled and which email domains are being tracked.

Discovery Methods

Configure the methods SaaS Management uses to discover users and apps.

• JumpCloud Go Browser Extension: Use this to toggle browser extension tracking on or off.

Browser Extension Discoverability

Domain Tracking

When users register, log in, or return to a SaaS app, they use an email address or username to authenticate. Control what activity is captured based on the email address domain used:

• All Domains: Track SaaS app activity from all usernames and email domains.
• Specific Domains: Track activity only from specified email domains. Use this setting to limit tracking to your company’s email domain, excluding SaaS app activity from non-work email addresses. 

User Tracking 

Leverage user groups to control which users in your org are tracked by the browser extension.

• All Users: Track SaaS app activity for all users in your org.
• Exclude Specific User Groups: Select user groups to exclude from SaaS app tracking. For example, users with a specific role may need to be excluded from tracking. 

Browser Access Restrictions

Default Action for Unapproved Apps 

When you classify discovered apps as unapproved, select the default action SaaS Management takes to warn or block users in their browser with the extension installed:

• Take No Action: Allow users to access unapproved apps as normal.
• Show a Warning: Prompt users with a warning banner in their browser when accessing an unapproved app. You can customize the message users receive in the next section. You can also choose to redirect users to an approved alternative app.
• Block the Application: Deny users access to unapproved SaaS apps. Users receive a blocked message in their browser and can’t access the app. You can customize the block message in the next section.

Default Messaging for Unapproved Apps

Customize the default warning and blocking messages users see when accessing unapproved apps. 

• Warning message for unapproved applications: If you selected Show a Warning as the default behavior, enter the message users see when they are warned.
  • (Optional) Select Allow users to dismiss warning messages by default to let users dismiss the warning banner.
• Blocking message for unapproved applications: If you selected Block the Application as the default behavior, enter the message users see when they are blocked.

Exclude from Browser Access Restrictions

Define groups of users who won’t receive warning or blocking messages and bypass SaaS Management restrictions. You can also define excluded user groups for each app during the review process. Jump to Setting Browser Access Restrictions.

Auto-delete Former Employee Accounts

This setting automatically deletes app accounts associated with removed JumpCloud users. You can specify the number of days (15, 30, or 90) after a JumpCloud user is removed for their associated app accounts to be deleted. You can also set this to Never to prevent account auto-deletion.

Notifications

Customize how SaaS Management sends email notifications to admins.

• Newly Discovered Applications: Set the frequency of notifications sent to all admins when an application is discovered. (Don’t send, Daily, Weekly, Monthly)
• Newly Discovered Accounts on Unapproved Applications: Set the frequency of notifications sent to all admins when a new account is discovered on an unapproved app. (Don’t send, Daily, Weekly, Monthly)
• Upcoming Renewals: Set the frequency of notifications sent to all admins when license renewals occur. (Don't send, One day before, One week before, One month before).
  

Configuring Connectors

Connect SaaS Management directly to SaaS service providers to expand discovery and tracking capabilities. Connectors use APIs to collect information directly from service providers. See SaaS Management Connectors to learn more.

Managing Applications 

Now that you’ve enabled and configured SaaS Management, you can review and manage your apps and connected users. 

Overview Tab

When you enable SaaS Management, the JumpCloud Go extension begins tracking activity users' browsers. Once data populates, the Overview tab serves as a dashboard for SaaS app activity within your org. 

This tab includes key metrics and insights:

• SaaS Applications Overview: Displays counts for Newly Discovered Apps, Approved Apps (including existing JumpCloud SSO apps), Unapproved Apps, and Ignored Apps.
• Insights: Metrics related to potential security risks including Unapproved apps used in last 7 days, Shadow Accounts, Former Employee Accounts, Shared Accounts, and Apps with high risk OAuth permissions.
  • Jump to Security Insights to learn more.

Applications Tab

See a list of all SaaS apps discovered in your org. Apps are broken out into the following categories:

• Newly Discovered: Apps discovered that you haven’t categorized yet.
• Approved: Apps that you’ve approved for use within your org. 
• Unapproved: Apps not approved for use. You can warn or block users when accessing in their browser.
• Ignored: Apps discovered but you've ignored. Use this category for apps you don’t want to restrict or appear in reporting.
• All Apps: A list of all discovered apps, regardless of categorization status.

Click Edit Columns to select columns to display. Click Export to export a CSV file of your applications list which can be used for financial or compliance reporting.

Manually Add Apps

In addition to automatic discovery, you can easily add applications manually to start tracking, warning, and blocking access when necessary.

1. Click + Add App.
   
2. In the modal, search for the app.
   1. If the app is in our catalog, it appears in the dropdown list.
   2. If the search doesn’t show your app, you can click on Add Custom App.
      • Custom apps are private and not added to the JumpCloud catalog.
   3. Add the Domain and (Optional) App Description.
      

3. Set the Status and Owner.
4. Click Add.

Reviewing and Editing Apps

Apps discovered by SaaS Management appear in the Newly Discovered tab until you classify them as approved, unapproved, or ignored. You can also edit details for apps already classified.

To review or edit apps:

1. In the Applications tab, go to the appropriate category (for example, Newly Discovered or Approved).
2. Find the app in the list, or select multiple apps for bulk review.
3. Open the Review modal depending on the number of apps to review:
   • To review a single app: In the Actions column, click Review.
     • Alternatively, click the app's name in the App column, then in the top right, click Actions > Edit App Details from the details view.
   • To review multiple apps: Ensure you've selected multiple apps in the list, then in the top right click Actions > Review Apps.

4. For Status, select one of the following:
   • Approved: Approved for use. Users access normally without restrictions. 
   • Unapproved: Not approved for use. Users are warned or blocked based on the default action set in SaaS Management settings.
   • Ignored: Discovered but ignored. These apps don't appear in reporting.
5. Under Owner, select a user that manages the app (Optional for Ignored apps).
   • For example, if the Accounting team owns the app, this may be the Director of Accounting.

Setting Browser Access Restrictions

If you set the app status as Unapproved, use Browser Access Restrictions to configure specific warning or blocking actions:

1. For Browser Access Restrictions, select one of the following:
   • Take No Action: Users access without restrictions.
   • Show a Warning: A warning banner appears in the browser.
     
   • Block This Application: Access is blocked in the browser
     
2. (Optional) If you selected Show a Warning or Block This Application, choose from the following options:
   1. Overwrite default warning message: Enter a custom warning message for the user. This overwrites the default message set in Settings. Jump to Default Messaging for Unapproved Apps.
   2. Recommend an alternate app or resource: Direct the user to an alternative app. Enter the Link label and URL.
   3. Allow users to dismiss this warning: Users can collapse the warning banner.
   4. Exclude from Browser Access Restriction: Specified user groups won’t receive warning or block messages.
      

Viewing App Details

Select any app in the SaaS Management list for an overview and additional information. To access details, click the app's name in the App column.

The Overview tab displays the following information:

• App Insights:
  • Shadow Accounts: Accounts not linked to an existing JumpCloud user.
  • Shared Accounts: Accounts used by multiple JumpCloud users. 
  • Former Employee Accounts: Accounts associated with a disabled JumpCloud user object.
  • License Renewal Date: The date you’ve specified for the app’s license renewal.
  • Owner: The JumpCloud user who manages the app.
    • To customize, go to Actions > Edit App Details.
  • App Category: The app’s primary use case. Fore example, marketing or design.
  • SSO Connection: Indicates if this is an existing JumpCloud SSO application.
    • (Optional) Use Submit Request when an app doesn’t have a corresponding SSO connector in JumpCloud. 
  • Home Page: The app’s website URL. 
  • Tracking Domains: The URLs captured by SaaS Management. 
• OAuth Permissions: Permissions users assign to accounts when logging in with Google OAuth (Google Workspace Connector required).
• App to App Connections: Third party apps discovered by this app’s connector. Jump to Security Insights to learn more. 
• App Usage: A graphical view of the number of accounts that access this app per day. 
• License Information: License cost, renewal, and usage information you've entered.

Security Insights

When using SaaS Management Connectors, discover key security insights and possible risks related to app usage and accounts. These insights are displayed in the Overview tab, the All Accounts tab, and in individual app and account details.

Available Security Insights

• Account Insights (Requires Browser Extension Tracking):
  • Shadow Accounts: Accounts without an associated JumpCloud user which prevent admins from managing their access. 
  • Shared Accounts: Accounts used by multiple JumpCloud users. These pose a high risk as a common attack vector.
  • Former Employee Accounts: Accounts associated with deleted or terminated JumpCloud users.
• OAuth Permissions (Requires Google Workspace Connector): Analyzes permissions users grant to SaaS apps when signing in with Google OAuth (Requires Google Workspace Connector).
• App to App Connections (Requires Connectors): Identify third party apps linked to SaaS apps via the associated connectors. For example, employees might add third-party apps to Slack.
  • Supported connectors include Slack, Zendesk, and Opsgenie.

Editing Licensing Information

Keep track of app costs and usage within SaaS Management. You can manually enter licensing information for each SaaS app. 

To edit license information:

1. In the bottom right of the app details, click the pencil icon next to License Information.
   • You can also click Actions > Update License Information in the top right.
2. The Edit App License Information modal appears. Select Track license information for this app. 
3. Select from the appropriate License Term: Free Subscription, Paid Monthly, or Paid Yearly.
4. If you selected Paid Monthly or Paid Yearly, enter the Renewal Date, Cost, and Total Licenses.
5. (Optional) In the Notes field, enter any other relevant information.
6. Click Save.

Deleting an App

You can't delete connected SSO apps directly from SaaS Management. Instead, delete them from JumpCloud SSO in the Admin Portal (USER AUTHENTICATION > SSO Applications). See Get Started: SAML Single Sign-on (SSO) to learn more. 

Managing Accounts

Accounts Tab

Use the accounts tab to view and manage all discovered accounts in one location. To access it, go to SaaS Management > Accounts tab.

The following displays:

• Account: The account used to access a SaaS app.
• Owner: The associated JumpCloud user. If a user isn’t automatically assigned, click Assign a User.
• Application: The SaaS app associated with the account. 
• Risks: Potential security risks.
  • Jump to Security Insights to learn more.
• Login Methods: How the account was accessed (Password, JumpCloud SSO, Google, Microsoft).
• Sources: How the account was discovered (JumpCloud SSO, Browser Extension, Connector).
• Last Used: Date the account was last active.
• Discovery Date: Date the account was first discovered.
• Actions: Lets you delete the account or mark Former Employee and Shared Account risks as resolved.
  • When you mark a risk as resolved, a summary with the action date appears in the Account details.
    

Viewing Account Details

You can view details for individual accounts from the main Accounts tab, or from within an app's Accounts tab.

To view accounts details:

1. Go to SaaS Management > Accounts tab, or go to SaaS Management > Applications tab, click the app name, and go to the Accounts tab within the app details. 
2. In the list, click the account name in the Account column.

Account details include:

• Account Overview: Owner, Application, Discovery Method and Date, and Last Updated Date.
  • OAuth Permissions (Google Workspace Connector required) and Risks. 
    • Jump to Security Insights to learn more.
• Discovery History: How the account was discovered (Source, Method), the Tenant, Last Login, Discover Date, and Device.

Assigning Users

SaaS Management may discover accounts through connectors that can't be linked to an existing JumpCloud user.

To assign a discovered account to a JumpCloud user:

• You can assign users from multiple areas in SaaS Management:
  • From the main Accounts tab, find the account in the list. In the User column, click Assign a User.
    
  • From the SaaS Management > Applications > Overview tab, if an unassigned accounts warning is present, click Review.
    
• In the Assign a user modal, search for and select the JumpCloud user. Click Assign.

Managing Users

The Users tab gives you an overview of all SaaS app users in your org, which apps they have access to, and how frequently they use them. 

This tab displays the user's Name (JumpCloud display name and email), Apps Used (total apps accessed), Accounts (total accounts across all apps), and Last Usage (last interaction date).

Viewing User Details

Select any user in SaaS Management to see additional information, including app activity and login methods.

To view user details:

1. In SaaS Management, go to the Users tab.
2. In the user list, find the user and click their name.

User details include:

• User Overview: JumpCloud user information (Job Title, Department, Manager).
  • Click Go to JumpCloud User Detail to open the user in the Admin Portal.
• Account Usage: A graphical view of SaaS account activity over time.
• SaaS Access Information: A list of apps the user has interacted with, the associated accounts, and last usage date.
  • The Login Method icons indicate how the user authenticated:
    • JumpCloud: User authenticated with JumpCloud SSO.
    • Key icon: User authenticated with a password.
    • Google: User selected the option to authenticate with Google.

You can also access app details from a specific user account by clicking the app name in the SaaS Access Information list.

Disabling SaaS Management

To disable SaaS Management:

1. Log in to the JumpCloud Admin Portal.
2. Go to SECURITY MANAGEMENT > SaaS Management > Settings.
3. Toggle SaaS Management Enabled to Off.

Additional Resources

• Enroll: SaaS Management Course