Enable TOTP MFA for Devices

JumpCloud gives organizations the power to layer Multi-Factor Authentication (MFA) on top of nearly any resource you need to secure: Windows, Mac, Linux, applications, networks, infrastructure and more.

Tip:

If you'd like to use the JumpCloud Protect Push MFA mobile app for your MFA needs, see Configure Push MFA and Users: JumpCloud Protect to learn more.

Prerequisites:

Considerations

  • When TOTP MFA is enabled on a device, only users who have completed setup are prompted for TOTP MFA when they log in to the device.
  • See individual considerations for each OS, listed below.

Note:

Internet connectivity isn't required to use TOTP MFA on devices.

Before you can require your users to use TOTP MFA to log into their JumpCloud device, you have to complete two procedures: 

  1. Enable TOTP MFA at the org level
  2. Enable TOTP MFA on the devices

Enabling TOTP MFA at the Org Level

To enable TOTP MFA at the org level:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to SECURITY MANAGEMENT > MFA Configurations.
  3. Under the Time-based One Time Password window, click Enable.

Any device in your org for which MFA has been enabled will now require TOTP MFA. Enable MFA on the devices manually by following the steps below.

Enabling TOTP MFA for Your Devices

To enable TOTP MFA on your devices:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices
  3. Select the checkbox next to the devices you want to enable TOTP MFA on. 
  4. Click the Actions dropdown menu, and select Enable MFA
  5. Click Enable to confirm.
  6. To disable MFA, follow the steps above but select Disable MFA instead.

Once devices are enabled, users need to be enabled and they need to enroll in TOTP MFA. See Configure TOTP MFA for User Accounts to learn more. 

See these articles to learn more about enabling TOTP MFA for individual devices:

Tip:

To see your users' experience when logging in with TOTP, see JumpCloud Protect for End Users.

Enable TOTP MFA for Linux

Considerations:

  • If it’s not already installed by default, an Admin will need to install an OpenSSH server for the specific case where they intend to require MFA to log in via SSH. If you want to require MFA for SSH logins, ensure openssh-server is installed before installing the JumpCloud agent.
  • Gnome GDM is recommended. MFA may not work as intended using other Linux greeters.

To enable MFA for SSH on a Linux system:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Click on a Linux device to see it’s details.
  4. Under Device Configuration, if MFA Login is toggled off to disabled, toggle Allow SSH Password Login or Enable Public Key Authentication on. If both options are toggled on, MFA can’t be enabled.
  5. Click MFA Login Disabled to toggle it on.
  6. Click Save Device.

Tip:

You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.

Enable MFA for Mac

Considerations

  • Don’t enable TOTP MFA for OS X if the device is already using or has configured another MFA service or authentication plug-in. Doing so could cause adverse results, like not being able to access the device.
  • TOTP MFA only affects the OS login screen. FileVault decryption, screen saver, lock screen, etc. aren’t affected by this setting.
  • Devices that run macOS 12 Monterey on devices with small display areas might experience issues. MacOS Monterey has reduced the size of the login window for all MFA logins, including TOTP and Push. If your macOS Monterey device has a display that is less than 900 px in height, you might experience a display overlap between the login area and the policy text that is displayed on the screen. There is no workaround, and JumpCloud suggests that you use a macOS device with a vertical display that is more than 900 px high.

To enable MFA for a Mac Device:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices
  3. Check the box next to the Mac device that you want to view Details for. 
  4. Click on the Actions dropdown menu and select Enable MFA or Disable MFA.
  5. Click Enable to confirm you’re enabling MFA on your selected device.
  6. The MFA Status column is updated with a green lock icon.
  7. You can disable MFA from the selected device’s Details page on the Highlights tab > Device Configuration, toggle MFA Login Enabled to MFA Login Disabled.
  8. Save Device.
  9. After you enable MFA for a device, users will see a modified login window that prompts for a TOTP token.

Tip:

You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.

Enable MFA for Windows

Considerations:

  • MFA is only supported and functional for Windows 10 and above.
  • JumpCloud MFA employs the use of a credential provider. When MFA is enabled on a Windows system, and a user that is required to use MFA is bound to the system, all other Windows credential providers are disabled.
  • To ensure systems can be recovered when users have issues logging in, MFA can be bypassed by booting a Windows system in safe mode. You can prevent non-admin users from logging in to Windows systems in safe mode by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SafeModeBlockNonAdmins registry to 1
  • A TOTP token is only required when a user initially logs in to their JumpCloud-managed Windows system. When a user locks their screen, they aren’t required to enter a TOTP token to unlock their system.
  • Newer versions of Windows have the configurable option to keep users logged in through a reboot. The default setting for this option is to keep users logged in. As a result, users of computers with this option enabled aren’t required to provide a TOTP token after a reboot.
  • Users must have a TOTP app to generate TOTP tokens. JumpCloud recommends using JumpCloud Protect.
  • TOTP MFA is supported for Remote Desktop.
  • You may need to disable Windows Automatic Restart Sign-on (ARSO) to force the TOTP authentication prompt on the Windows login screen after a machine reboot. This can be done one of two ways – via a policy or via a PowerShell command. Jump to Disabling Windows ARSO.

To enable MFA for a Windows system:

  1. Go to DEVICE MANAGEMENT > Devices
  2. Check the box next to the Windows device that you want to view Details for. 
  3. Click on the Actions dropdown menu. 
  4. Click Enable MFA or Disable MFA.
  5. Click Enable to confirm you’re enabling MFA on your selected device.
  6. The MFA Status column is updated with a green lock icon.
  7. You can disable MFA from the selected device’s Details page on the Highlights tab > Device Configuration, toggle MFA Login Enabled to MFA Login Disabled.
  8. Save Device.
  9. After you enable MFA for a device, users will see a modified login window that prompts for a TOTP token.

Tip:

You can enable MFA for multiple devices from the Devices tab by clicking Actions and choosing Enable MFA.

After you save, TOTP MFA is enabled on the device and users that have been required TOTP MFA and are connected to the system will see a modified login screen that prompts them for a TOTP token.

Disabling Windows ARSO

You may need to disable Windows Automatic Restart Sign-on (ARSO) to force the TOTP authentication prompt in the Windows login screen after a machine reboot. This can be done one of two ways - via a policy or via a PowerShell command.

To disable Windows ARSO with a policy:

Create a policy with the following values to disable Windows ARSO:

  • Registry Key Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value Name: DisableAutomaticRestartSignOn
  • Type: DWORD
  • Data: 1

Important:

This registry key (and interface change) will not appear until the device has run through a group policy update cycle. The default group policy update cycle time is every 90 minutes with a randomized offset of up to 30 minutes.

To disable Windows ARSO with a command:

Run the following PowerShell command using the JumpCloud Commands module to disable Windows ARSO:

#Get Execution Policy currently
$exec_pol = Get-ExecutionPolicy
#Set Execution Policy to run script
Set-ExecutionPolicy Unrestricted
# Import JC PoSh module
Import-Module "C:\Program Files\JumpCloud\policies\JumpcloudPolicies\JumpcloudPolicies"
$automaticRestartSignOn = @{
  policypath = 'C:\Windows\system32\GroupPolicy\Machine\Registry.pol';
  policykey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
  policyValuename = 'DisableAutomaticRestartSignOn';
  policyType = 'DWord';
  policyData = '1'
}
install-jcpolicy @automaticRestartSignOn
gpupdate /force
Set-ExecutionPolicy $exec_pol

To reverse the PowerShell command and remove the local group policy, run the following PowerShell command on the device in JumpCloud Commands:  

# Import JC PoSh module
Import-Module "C:\Program Files\JumpCloud\policies\JumpcloudPolicies\JumpcloudPolicies"$automaticRestartSignOn = @{  
policypath = 'C:\Windows\system32\GroupPolicy\Machine\Registry.pol';  
policykey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';  
policyValuename = 'DisableAutomaticRestartSignOn';
}
uninstall-jcpolicy @automaticRestartSignOn
gpupdate /force

Viewing Users’ MFA Status on the Device

To determine the TOTP MFA status of users connected to this device:

  1. Go to the DEVICE MANAGEMENT > Devices.
  2. Select a device and click the Users tab..
  3. The user MFA Status is shown in the MFA:TOTP column. 
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case