FAQ: JumpCloud Protect Admins

Your users can download the JumpCloud Protect® mobile app to secure their accounts using Multi-Factor Authentication (MFA). The app can be downloaded from the iOS App Store or the Google Play Store. Once your users have downloaded the app and successfully enrolled their devices, they can authenticate using Push MFA or Verification (TOTP) Code MFA.

This KB article will answer common questions and offer suggestions to troubleshoot any issues that may arise during your team’s use of JumpCloud Protect.

Frequent Questions and Answers

What software package is JumpCloud Protect included in?

JumpCloud Protect is available in all JumpCloud tiers.

Where can my users download JumpCloud Protect?

JumpCloud Protect can be downloaded from the iOS App Store or the Google Play Store.

What versions of Android and iOS does JumpCloud Protect support?

iOS 13 and above, and Android 8 and above. 

Are there any countries where JumpCloud Protect can’t be downloaded?

The JumpCloud Protect mobile app may not be available in restricted countries such as Iran, Cuba, Syria, Sudan, North Korea, Russia, Belarus, and the Crimean region. The Google Play Store is blocked in China, so users will not be able to download JumpCloud Protect on Android devices there. Even when the app was downloaded elsewhere, JumpCloud Protect push won't work when traveling to certain countries.

Can my users enroll multiple devices at once?

No. Currently, users can only enroll one device at a time with JumpCloud Protect. If they get a new device, they should enroll the new device before wiping the old one, or log in using another factor to enroll the new device. If those steps are missed, they will need to contact their admin for enrollment on the new device.

If my users enroll in Push MFA, are they automatically enrolled in Verification Code MFA?

No. Your users need to enroll in each type of MFA separately.

Can my users transfer Push MFA enrollment to another device?

No, enrollments cannot be transferred. Users must unenroll the old device before enrolling the new device through the JumpCloud User Portal. 

What data does JumpCloud Protect collect?

JumpCloud Protect will collect certain diagnostic and usage data for troubleshooting issues and continuous app improvements. There is no user information collected.

Users can opt out of diagnostic and usage data collection from the Settings > Privacy screen.

My users are already enrolled in Verification Code MFA through Google Authenticator/Authy/Duo. Can they continue to use that?

Yes. If you decide to use JumpCloud Protect for verification code MFA in the future, your users will need to enroll in it using the JumpCloud User Portal. Once they do so, their current enrollment will be reset and they will use JumpCloud Protect. 

What security practices are employed by the JumpCloud Protect app?

JumpCloud Protect is highly secure and uses asymmetric key cryptography. When a device is enrolled and activated, an asymmetric key pair (public and private key) is generated. The private key is stored securely on the device, while the public key is stored on JumpCloud’s servers. Push requests and responses are then signed with the key pair, making the transactions highly secure. The communication between the mobile app and JumpCloud’s servers is encrypted: all communication is sent over HTTPS connections using TLS.

How can I protect users against Push Bombing and MFA Fatigue Risks?

Push Bombing is a hacking method in which an attacker triggers multiple 2FA attempts using push notifications until the user accidentally accepts a request. MFA Fatigue is the term for when a user, worn down by the repeated 2FA requests, accepts the fraudulent request out of frustration.

Here are ways to protect your organization against such an attack: 

  • An attacker can initiate a Push MFA request after obtaining a user’s password. Setting a strong password policy and using account lockout policies will reduce password brute force attacks. 
  • Enable biometrics in JumpCloud Protect for an extra layer of identity protection.
  • Leverage Conditional Access Policies for additional safeguards.
  • Educate users to check application and location information before approving a push request, and to deny any request they suspect is fraudulent.
    • Keep in mind that location information does not have 100% accuracy, especially at the city level. 

Important:

JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty-second period, except for RADIUS and LDAP attempts. Users can try again after the timeout, or after they have approved or denied the pending request. The blocked event will appear in Directory Insights.
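
The throttling rule above can be modelled in a few lines to see which repeated prompts it stops and which it lets through. This is an added example, not JumpCloud's code; keying the window on (user, resource), measuring it from the last sent push, and the `sso` label and sample names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 60                    # the article's "sixty second period"
EXEMPT_PROTOCOLS = {"radius", "ldap"}  # attempts the article says are not throttled

@dataclass
class PushThrottle:
    """Hypothetical model: one outstanding push per (user, resource) per window."""
    pending: dict = field(default_factory=dict)  # (user, resource) -> time sent
    blocked: list = field(default_factory=list)  # stand-in for logged blocked events

    def request(self, user, resource, protocol, now):
        """Return 'sent' or 'blocked' for a push attempt at time `now` (seconds)."""
        if protocol.lower() in EXEMPT_PROTOCOLS:
            return "sent"  # exempt: every attempt reaches the phone
        key = (user, resource)
        sent_at = self.pending.get(key)
        if sent_at is not None and now - sent_at < WINDOW_SECONDS:
            self.blocked.append((now, user, resource))
            return "blocked"
        self.pending[key] = now  # nothing outstanding, or the timeout has passed
        return "sent"

    def respond(self, user, resource):
        """The user approved or denied the push, so a retry is allowed at once."""
        self.pending.pop((user, resource), None)

def replay(events):
    """Replay (time, action, user, resource, protocol) tuples; return outcomes, blocked."""
    throttle, outcomes = PushThrottle(), []
    for now, action, user, resource, protocol in events:
        if action == "respond":
            throttle.respond(user, resource)
            outcomes.append("cleared")
        else:
            outcomes.append(throttle.request(user, resource, protocol, now))
    return outcomes, throttle.blocked

# Constructed sample traffic, not real Directory Insights data.
SAMPLE = [
    (0, "request", "alice", "user-portal", "sso"),
    (5, "request", "alice", "user-portal", "sso"),   # inside the window: blocked
    (10, "request", "alice", "hr-app", "sso"),       # different resource: sent
    (12, "respond", "alice", "user-portal", "sso"),  # user denies the first push
    (13, "request", "alice", "user-portal", "sso"),  # allowed again after the response
    (80, "request", "alice", "user-portal", "sso"),  # 67 s later, timeout has passed
    (81, "request", "alice", "vpn", "radius"),
    (82, "request", "alice", "vpn", "radius"),       # exempt: sent again immediately
]
```

Calling `replay(SAMPLE)` shows that back-to-back RADIUS prompts are never throttled in this model, so the password, lockout and user-education measures listed above carry the load for RADIUS and LDAP resources.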

Troubleshooting Issues and Resolutions

See Troubleshoot: JumpCloud Protect.
