JumpCloud Protect is designed to operate on Android 8 and iOS 13 and higher. It may operate on older versions, but they are not supported by JumpCloud.
If your JumpCloud administrator enables it, you can download the JumpCloud Protect® mobile app to secure your accounts using Multi-Factor Authentication (MFA) or 2-step verification. The app can be downloaded from the iOS App Store or the Google Play Store. Once you have downloaded the app and successfully enrolled your device, you can authenticate using Push MFA or Verification (TOTP) Code MFA.
JumpCloud Protect sends a push notification to your enrolled mobile device after you’ve attempted to access a resource with your username and password.
- You will receive the login request on the lock screen of your device, and can approve/deny with a long press (iOS) or by expanding the notification (Android).
- If your admin has required biometric authentication, the login request will not complete without it (Face ID, fingerprint, or passcode).
- When you approve the login request, you gain access to your resource. If you tap deny, the login request will be declined, which prevents bad actors from accessing your account.
A Push notification is valid for 60 seconds. After that, the User Portal times out and you will need to initiate the Push notification process again. If you respond to an expired Push notification on the device, an error will appear.
You can use JumpCloud to log into the Admin Portal, User Portal, or into your Windows, Mac, or Linux devices.
This KB article provides information for JumpCloud users. For admins looking to set up the JumpCloud Protect app for their users, see JumpCloud Protect Admin Guide.
Considerations
- The JumpCloud Protect app supports iOS version 13 and above, and Android 8.0 and above.
- The JumpCloud Protect app may run on a tablet but is not optimized for tablets at this time.
- A user can only be enrolled in JumpCloud Protect on one device.
- Mobile Push is supported for authentication into the User Portal, SAML SSO applications, device logins, and for Password Reset.
- Protect will collect certain diagnostic data for troubleshooting issues and continuous app improvements. There is no user information collected. Although these options default to on, users can turn off data collection on the app:
- Tap More > Settings to display options for turning off Share Diagnostic Data.
Protecting Against Push Bombing and MFA Fatigue Attacks
Push Bombing is a hacking method in which multiple 2FA attempts are triggered using push notifications until the user accepts a request accidentally. MFA Fatigue is the term for when, due to the multiple 2FA requests, a user accepts the fraudulent request out of frustration. Here are ways to protect yourself against such an attack:
- Make sure you are following a strong password policy.
- Enable biometric authentication on your device and ask your administrator to enable it for JumpCloud Protect.
- Verify application and location information before approving a push request.
In addition, JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second timeout period (the number of maximum concurrent attempts can be changed by an admin). You can try again after the timeout or after you have approved or denied the initial request.
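The throttling rule described above, modeled as an added Python example. This is not JumpCloud's code: the class, function and account names are hypothetical, and keying the limit on a (user, resource) pair is an assumption made for illustration.

```python
from dataclasses import dataclass, field

PUSH_TTL = 60  # seconds a push stays valid, as stated in this article


@dataclass
class PushThrottle:
    """Allow at most `max_pending` unanswered pushes per (user, resource)
    inside the validity window. Hypothetical model, not JumpCloud's code."""
    max_pending: int = 1   # the article says an admin can change this number
    ttl: int = PUSH_TTL
    _pending: dict = field(default_factory=dict)  # key -> {push_id: sent_at}
    _next_id: int = 0

    def _live(self, key, now):
        # Pushes older than the validity window no longer hold a slot.
        live = {pid: sent for pid, sent in self._pending.get(key, {}).items()
                if now - sent < self.ttl}
        self._pending[key] = live
        return live

    def request(self, user, resource, now):
        """Return a push id if a notification may be sent, else None (blocked)."""
        live = self._live((user, resource), now)
        if len(live) >= self.max_pending:
            return None
        self._next_id += 1
        live[self._next_id] = now
        return self._next_id

    def respond(self, user, resource, push_id, approve, now):
        """Record the user's answer: 'approved', 'denied' or 'expired'."""
        live = self._live((user, resource), now)
        if push_id not in live:
            return "expired"   # answering a stale push produces an error
        del live[push_id]      # approving or denying frees the slot at once
        return "approved" if approve else "denied"


def simulate_burst():
    """Constructed scenario: five login attempts in 20 s against one resource."""
    throttle = PushThrottle()
    sent = [throttle.request("alice", "user-portal", now)
            for now in (0, 5, 10, 15, 20)]
    verdict = throttle.respond("alice", "user-portal", sent[0],
                               approve=False, now=25)
    after_deny = throttle.request("alice", "user-portal", now=26)
    return sent, verdict, after_deny
```

In the constructed burst only the first attempt produces a notification; the other four are blocked until the pending request is denied, after which a new push can be sent.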
Setting Up JumpCloud Protect
If your organization is using JumpCloud Protect for their MFA, follow the steps below to complete initial setup.
To set up the JumpCloud Protect app:
- Log into your JumpCloud User Portal: https://console.jumpcloud.com/login.
- Navigate to Security > Multi-factor Authentication > JumpCloud Protect Mobile Push > Enroll Device.
When you log into your User Portal, you may be prompted to activate MFA without navigating to the Security screen.
- Download the JumpCloud Protect App from the iOS App Store or the Google Play Store. You can do so in one of three ways:
- Search for “JumpCloud Protect” in the Google Play Store on Android devices or the App Store on iOS devices.
- Use the links provided in the notification screen to remotely download the app to your device.
- Click View QR Code to Launch Google Play Store or App Store to display a QR code that your phone’s camera can use to link directly to the app download.
- Once the JumpCloud Protect app is downloaded, open it on your device.
- If introductory information displays, tap Next and then tap Get Started (or skip the messages).
- Allow the app to send notifications.
- Tap + Add Account.
JumpCloud Protect supports both Push MFA and TOTP MFA. However, you must enroll in each form separately.
- You will be prompted to give the app permission to use your phone’s camera. Allow it.
- You will be directed to scan a QR code in your JumpCloud User Portal. Back in the User Portal, click I Have the App.
- Alternatively, you can click Enter Code Instead to view the account details and manually enter them in the JumpCloud Protect app.
- Scan the QR code in the JumpCloud Protect app.
- A green checkmark displays, indicating that the device has been verified. Click Done in both the JumpCloud Protect app and the User Portal.
If JumpCloud Protect is not in the foreground when you complete this process, you will receive a push notification that you must tap for the process to complete.
Transitioning to JumpCloud Protect from a Previous Authenticator
If you are already using a different authenticator to verify your identity through Verification Code (TOTP) MFA and want to transition to JumpCloud Protect, follow these steps:
- Log in to your user portal: http://console.jumpcloud.com.
- Navigate to Security.
- Click Reset TOTP.
- In the screen that appears, enter the verification code from your current authenticator and click Clear TOTP Settings.
- A QR code will display. In the JumpCloud Protect app, tap the + button.
- Scan the QR Code.
- Enter the code and click Submit.
Authenticating with JumpCloud Protect
If your organization has enabled JumpCloud Protect for your account, and if you have enrolled your device, you will receive a push notification on your device when you attempt to log into a resource secured by your JumpCloud admin. If Biometric User Verification is set to required, the login request will not complete without it (Face ID, fingerprint, or passcode). Select Approve on your device to log into the resource. Select Deny on your device if you are not the one who requested the notification.
It is a good security practice to check the application and location information before approving a push request, in case the request is fraudulent. Location information does not have 100% accuracy, especially at the city level. If you suspect a request is fraudulent, deny the request and notify your IT admin.
Apple Watch
You can also see and respond to JumpCloud Protect notifications on your Apple Watch.
- The watch must be paired with an iPhone running the JumpCloud Protect app, and notifications must be enabled for the app.
If your admin has required biometric authentication, the notification on the watch will prompt you to open the app on your phone.
Resetting Your Password with JumpCloud Protect Push
To reset your password from the User Portal Login screen:
- Go to the JumpCloud User Portal: https://console.jumpcloud.com.
- Click Reset User Password.
- Enter your company email address and click Send Reset Request.
- Click the secure link that has been sent to the email address you entered.
- Enter your new password in both password fields and click Reset Password.
- (Optional) If you only have one form of MFA enabled for your account, you will proceed to the next step. If you have multiple, select JumpCloud Protect Mobile Push.
- Click Send Password Reset Request to Mobile Device.
- On your device, approve the request.
Once you complete the authentication, your password will be reset and you’ll be able to log in.
Step-Up Authentication with JumpCloud Protect
You can use JumpCloud Protect as your Step-Up Authenticator as well. Step-Up Authentication is required when you’ve logged into your User Portal and you need to access an application that requires an additional layer of security through a second authentication factor.
To log into an application that requires Step-Up Authentication:
- Log into your User Portal: http://console.jumpcloud.com.
- Click the application you wish to access.
- Select JumpCloud Protect from the list of available MFA options.
- When the request comes into your mobile device, approve the request.
Denying the request logs you out of your JumpCloud User Portal. This is to keep bad actors from accessing your applications and data.
Once you approve your request, you will have access to the application.
Using JumpCloud Protect’s TOTP for Other Applications
JumpCloud Protect supports both Push MFA and TOTP MFA. However, you must enroll in each form separately.
When you open the JumpCloud Protect app, you see a list of the accounts you have set up for MFA. This list either shows the Verification Code for the account with a timer indicating when the code will expire, or the fact that the account is registered for Push MFA.
Tapping on the code itself will copy the code to the device’s clipboard. Tapping anywhere else opens the Account Details screen.
More Screen
At the bottom of the JumpCloud Protect screen, there is a More button.
- Tap Settings to access Display and Privacy options.
- The links to How it Works, Troubleshooting Guide, Terms of Service, and the Privacy Policy will open external links.
- Tapping on the App Version or the Protect ID will copy those values to your clipboard.
Deleting an Account from JumpCloud Protect
If you no longer need one of the accounts you have set up with your JumpCloud Protect mobile app, you can delete it. To do so:
- Open the JumpCloud Protect mobile app on your device.
- Tap the name of the account you want to delete. This brings you to the Account Details screen.
- Tap Delete Account.
- Tap Delete in the window that appears.