Configure a Conditional Access Policy

You can configure conditional access policies that relax or tighten access to resources based on conditions such as the user's identity, the network they connect from, and the device they use. Read this article to learn how to create, disable, and delete a conditional access policy.

For general information on Conditional Access Policies, including a list of supported browsers, see Get Started: Conditional Access Policies.

If you’re not sure what to create for your first conditional access policy, use one or more of the following policy ideas to relax or restrict user access to resources. 

Policies to get you started:

  • Relax user access to resources with a policy that doesn’t require MFA when a user is on a JumpCloud managed device. 
  • Allow access to the User Portal without MFA, but require MFA to access specific applications. 
  • Increase security on user groups with a policy that requires MFA to access the User Portal.
  • Lock down access to resources with a policy that denies access when a user isn’t in the office or on a VPN.

Note:

Users need to meet the conditions of a policy for it to apply. For example, let's say you create a policy for all your users that requires them to use MFA when they log in to the User Portal from a selected network. When your users aren’t on the selected network and they log in to the User Portal, the global policy applies instead. Learn more about Global Policy Settings.

Configuring a New Access Policy

  1. Log in to the JumpCloud Admin Portal.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. From the list view, click ( + ), then select the Resource (User Portal, SSO Applications, or JumpCloud LDAP).
  4. The new policy panel is where you create and enable an access policy. There are four main sections to complete:

General Info: Give a policy a name and a description (optional) from this section. New policies are enabled by default, but if you want to create the policy now, and enable later, use the slider to the left of this section.

Assignments: The type of resource you’re configuring the policy for is listed under Resources. When you’re configuring an application policy, you can choose if the policy applies to specific applications or all of your applications. For all policies, you also choose if the policy applies to all of your users or specific user groups.

  • If there are user groups you want to exclude from the policy, search for and select them in the Excluded User Groups field.

Note:

If a user is in a group that's included and in another group that's excluded, they will be excluded from the policy.  

Conditions (optional): An access policy becomes a conditional access policy when you add a condition. Adding a Condition is a premium feature and is part of the Platform Prime plan. You can decide if any or all of the conditions need to be met for the policy to apply. 

Note:

At most, you can add one of each type of Condition in a policy. 

  • For details on the various conditions which can be set, see the Conditions section below.

Action: Use this section to decide how the policy affects user authentication to the selected resources.

  • If you don’t want to require MFA, select Allow authentication into selected resources and make sure the Require MFA check box is cleared. 
  • If you want to require MFA, select Allow authentication into selected resources, then select the Require MFA check box. 
  • If you want to deny access, select Deny access into selected resources. 

Note:

Enrollment periods aren’t honored by conditional access policies. When you configure and enable a conditional access policy that requires MFA, users who don't have MFA set up are required to enroll in MFA the first time they log in to the resource.

To disable or delete an Access Policy:

  • To disable a policy, select the policy from the list view and toggle the Policy Status to OFF.
  • To delete a policy, select the checkbox of the policy from the list view and click delete in the top right.

Tip:

Conditional Access Policies work in conjunction with Global Policies. If no conditional policy applies to a user's login, the Global Policies are enforced as the fallback.

Understanding Conditions

An access policy created for the User Portal or SSO Applications becomes a conditional access policy when you add a condition. Adding a Condition is a premium feature and is part of the Platform Prime plan.

IP Address Condition

  • Select IP Address as the Condition.
  • Select the Operator as Is On List if you want the policy to apply to users who are on a network that’s part of a selected IP list. 
  • Select the Operator as Is Not On List if you want the policy to apply to users who aren’t on a network that’s part of a selected IP list.
  • For Value, select the IP lists to apply to this policy.

Tip:

Here's a guided simulation: Conditional Access: Network Trust

Location Condition

  • Select Location as the Condition.
  • Select the Operator as Is In Country if you want the policy to apply to users who are in a selected country.
  • Select the Operator as Is Not In Country if you want the policy to apply to users who aren’t in a selected country. 
  • For Value, choose the Countries you want included as part of the policy.

Note:

The Unknown Location option represents IP addresses that aren’t mapped to a country.

Tip:

Here's a guided simulation: Conditional Access: Geolocation

Device Condition

  • Select Device as the Condition.
    • For this condition, Value is not editable and will remain JumpCloud managed.
  • Select the Operator as Is if you want the conditional access policy to apply to users who are on a device that’s managed by JumpCloud. A JumpCloud managed device has the JumpCloud agent and a certificate installed on it.
  • Select the Operator as Is Not if you want the conditional access policy to apply to users who are on a device that isn’t managed by JumpCloud. A device is unmanaged by JumpCloud when it doesn’t have the JumpCloud agent installed on it.

Note:

See Conditional Policy Device Certificates before you create a policy with a device condition. Also, a managed device condition does not currently apply to mobile devices managed by MDM.

Tip:

Here's a guided simulation: Conditional Access: Device Trust

Disk Encryption Condition

  • Select Disk Encryption as the Condition.
    • For this condition, Value is not editable and will remain Enabled on Device.
  • Select the Operator as Is if you want this policy to apply to devices with disk encryption enabled.
    • This combination isn’t allowed when the Device condition in the same policy is set to Is Not (unmanaged), because disk encryption status can’t be detected on an unmanaged device.
  • Select the Operator as Is Not if you want this policy to apply to devices which do not have disk encryption enabled.

Note:
  • A device qualifies as encrypted when FileVault is enabled (macOS), the system drive is encrypted with BitLocker (Windows), or the root disk is encrypted (Linux).
  • Encryption status is checked at regular intervals, with two hours as the maximum interval between checks, so a change on the device can take up to two hours to affect policy evaluation.
  • A disk encryption condition does not currently apply to mobile devices managed by MDM.

Disk Encryption Example: If you want users to be denied access when disk encryption isn’t enabled on their device, create a conditional access policy specifically for that case (Disk Encryption with the operator Is Not and the action Deny access). A policy that allows access for devices with disk encryption doesn’t deny access to devices without it; those logins simply fall through to whatever other policy applies, including the Global Policy.
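The policy semantics this article describes, worked through as an added example that is not JumpCloud's own code or API: included and excluded user groups (an excluded group wins), any/all matching of conditions, the IP Address, Location, Device and Disk Encryption conditions, the rule that a Disk Encryption Is condition can't be paired with Device Is Not, and fallback to the Global Policy when no conditional policy applies. The action names, the assumed Global Policy setting (MFA required), the Engineering and Contractors groups and the 198.51.100.0/24 office range are all constructed, and so is the rule that the most restrictive action wins when several policies match, which the article doesn't specify. The last function reproduces the Disk Encryption Example: an allow policy for encrypted devices leaves an unencrypted device falling through to the Global Policy, and only a separate deny policy blocks it.

```python
# Added illustration (not JumpCloud code or its API) modelling the policy semantics this article
# describes: included/excluded groups, any/all conditions, the four condition types, Global fallback.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALLOW, ALLOW_MFA, DENY = "allow", "allow_mfa", "deny"
GLOBAL_ACTION = ALLOW_MFA   # assumed Global Policy setting used as the fallback

@dataclass
class Context:                       # what is known about one login attempt
    groups: Set[str]
    ip: str
    country: str                     # "Unknown" when the IP maps to no country
    managed: bool                    # JumpCloud agent and certificate present
    disk_encrypted: Optional[bool]   # None: not observable (unmanaged device)

@dataclass
class Policy:
    name: str
    action: str
    include_groups: Optional[Set[str]] = None                 # None = all users
    exclude_groups: Set[str] = field(default_factory=set)
    conditions: List[Tuple[str, str, object]] = field(default_factory=list)
    match: str = "all"                                        # "all" or "any"
    enabled: bool = True

def validate(p: Policy) -> None:
    kinds = [c[0] for c in p.conditions]
    if len(kinds) != len(set(kinds)):
        raise ValueError("at most one condition of each type per policy")
    ops = {kind: op for kind, op, _ in p.conditions}
    if ops.get("device") == "is_not" and ops.get("disk_encryption") == "is":
        raise ValueError("disk encryption can't be detected on an unmanaged device")

def on_ip_list(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_holds(cond: Tuple[str, str, object], ctx: Context) -> bool:
    kind, op, value = cond
    if kind == "ip":
        hit = on_ip_list(ctx.ip, value)
        return hit if op == "is_on_list" else not hit
    if kind == "location":
        hit = ctx.country in value
        return hit if op == "is_in_country" else not hit
    if kind == "device":
        return ctx.managed if op == "is" else not ctx.managed
    if kind == "disk_encryption":
        if ctx.disk_encrypted is None:      # unknown status never satisfies the condition
            return False
        return ctx.disk_encrypted if op == "is" else not ctx.disk_encrypted
    raise ValueError(f"unknown condition type {kind}")

def applies(p: Policy, ctx: Context) -> bool:
    if not p.enabled:
        return False
    if p.exclude_groups & ctx.groups:       # an excluded group wins over an included one
        return False
    if p.include_groups is not None and not (p.include_groups & ctx.groups):
        return False
    if not p.conditions:                    # plain access policy: always applies
        return True
    hits = [condition_holds(c, ctx) for c in p.conditions]
    return all(hits) if p.match == "all" else any(hits)

def evaluate(policies: List[Policy], ctx: Context) -> Tuple[str, str]:
    for p in policies:
        validate(p)
    matched = [p for p in policies if applies(p, ctx)]
    if not matched:
        return GLOBAL_ACTION, "global"      # nothing applied: Global Policy is the fallback
    # Model assumption (the article states no precedence rule): when several policies
    # match, the most restrictive action wins.
    rank = {DENY: 2, ALLOW_MFA: 1, ALLOW: 0}
    winner = max(matched, key=lambda p: rank[p.action])
    return winner.action, winner.name

# Constructed sample data: an office egress range and a few login contexts.
OFFICE_IPS = ["198.51.100.0/24"]
NETWORK_TRUST = Policy("No MFA on office network or managed device", ALLOW, match="any",
                       exclude_groups={"Contractors"},
                       conditions=[("ip", "is_on_list", OFFICE_IPS), ("device", "is", None)])

def network_trust_demo() -> List[str]:
    office_laptop = Context({"Engineering"}, "198.51.100.23", "US", True, True)
    remote_byod = Context({"Engineering"}, "203.0.113.9", "US", False, None)
    contractor = Context({"Contractors"}, "198.51.100.40", "US", True, True)
    return [evaluate([NETWORK_TRUST], c)[0] for c in (office_laptop, remote_byod, contractor)]

def disk_encryption_demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    # Allow-if-encrypted alone never denies an unencrypted device; a separate deny policy is needed.
    allow_enc = Policy("Allow encrypted managed devices", ALLOW,
                       conditions=[("device", "is", None), ("disk_encryption", "is", None)])
    deny_unenc = Policy("Deny unencrypted managed devices", DENY,
                        conditions=[("device", "is", None), ("disk_encryption", "is_not", None)])
    unencrypted = Context({"Engineering"}, "203.0.113.9", "US", True, False)
    return evaluate([allow_enc], unencrypted), evaluate([allow_enc, deny_unenc], unencrypted)
```

Calling network_trust_demo() gives allow for the office laptop (the IP condition alone satisfies an any-match policy), and the assumed Global Policy result for both the remote unmanaged device and the excluded contractor, even though the contractor is on the office network. disk_encryption_demo() shows the unencrypted managed device falling through to the Global Policy until the deny policy is added; when you test your own policies, check the negative case (the device or network you meant to block) and not only the one you meant to allow.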
