JumpCloud Admin Implementation Guide
Welcome to JumpCloud! Thank you for entrusting us to manage your users and devices. This document gives you a proven, structured approach to implementing our directory services in your organization.
Whether you’re migrating to JumpCloud from another directory service, or beginning to organize and secure your environment, this guide will help you successfully design, test, and implement JumpCloud.
Looking for a more tailored project plan for your specific migration needs? Check out the Implementation Project Plans below based on your selected package.
Terminology
Get to know our product terminology:
- Administrator: JumpCloud administrators configure and manage JumpCloud for their organization.
- User: JumpCloud users access their company resources through JumpCloud.
- Device: Computers or servers running macOS, Windows, or Linux can be managed through JumpCloud. Admins can provision users to devices, deploy policies to devices, and execute commands on devices through JumpCloud.
- Groups: JumpCloud grants access by connecting groups of users to resources. For example, connect a user group to Single Sign-On (SSO) applications, RADIUS servers, and directories like Google Workspace and Microsoft 365. You can also connect groups of users to groups of devices.
- Directory: A directory service organizes information about a network’s users and resources. JumpCloud integrates with a variety of popular directory services like Google Workspace and Microsoft 365 to sync user accounts. These integrations let JumpCloud act as an authoritative directory with a single set of credentials that can be used across all directory services.
- Applications: SSO SAML 2.0 applications that you can connect with JumpCloud. Applications like Slack, Salesforce, AWS, CakeHR, and so many more.
Implementation Project Plans
These Project Plans are downloadable XLS spreadsheets that give you a templated approach to integrating your environment with the JumpCloud Directory Platform with proven and tested workflows. You may download, customize, and edit these documents to meet your unique business needs or resources within your environment.
Platform Plus
Platform
Core
SSO + Device Management
SSO Only
Best Practices Before You Start
JumpCloud University Admin Training and Certification
JumpCloud University is a reflection of how much we value education as part of our solution. This learning platform is designed to give you the flexibility to take applicable courses and skip courses that you don’t need. We believe in freeform learning so you can take any course, watch any video, and practice any task without being locked into a certain series.
We believe learning is most effective when the learner gets to choose what they need, when they need it, and how they need it — and then move on with their day. Structure is there if you want it, but you can easily have freedom to get in, get the information you need, and get out.
Before starting your initial implementation of JumpCloud, we recommend taking the initial courses within our catalogue. JumpCloud is a large platform and is capable of managing a myriad of technical resources. JumpCloud University’s courses train IT admins on best practices for utilizing JumpCloud to the fullest extent.
It’s best practice for newer customers to have an IT team member become JumpCloud Core Certified before rolling out the platform in the technical environment. The JumpCloud Core Certificate verifies the holder’s core knowledge of the platform, its best practices, and its implementation steps.
To get started with your training and certification today, check out JumpCloud University.
Guided Simulations
Learn by doing! Explore JumpCloud’s features from multiple perspectives without impacting your live environment or jumping through hoops for test accounts. JumpCloud’s Guided Simulations page contains examples for both admins and users alike. These simulations cover some of our most popular modules such as agent installation, password reset, Conditional Access Policies, and configuring MDM.
These simulations are a great way to help train end users within the organization on how to leverage JumpCloud to do important tasks like managing their passwords, activating their account, and installing the agent.
Support and Troubleshooting
- Bookmark our Support page: https://support.jumpcloud.com
- Familiarize yourself with our Support Policies
- Read our Help Center Articles
- Subscribe to the JumpCloud Status Page for status updates, incident alerts, and maintenance windows
- If you do get stuck, reach out to JumpCloud Support. Include the following information in your request:
  - A detailed description of your issue
  - Any troubleshooting steps or actions that you’ve taken
  - Relevant JumpCloud Agent logs (for device-related issues)
- Familiarize yourself with our Support Request Guidelines
Tips for Set Up and Management
- Avoid surprises – Avoid unexpected and unintended consequences; sign up for a free testing account.
- Test and explore – Have a plan. Set up a staging environment, install the JumpCloud Agent, and test any changes in a staging environment that mirrors your production devices as closely as possible. This will be helpful for initial implementation, ongoing maintenance, and updates.
- Be consistent – The foundation for efficient, fast scaling is consistency. Successful scaling starts with a good understanding of JumpCloud Groups.
- Add Administrator Team Members – We always suggest adding your IT team members as JumpCloud Administrators to your organization. You can set each admin with their own role with scoped permissions based on their job duties or needs. Learn more about how to Add Administrators to JumpCloud and grant their Admin Account Role.
- Notify employees – To ensure a consistent line of communication between you and your employees and end-users, email them in preparation with upcoming steps, needs, and actions. JumpCloud has supplied some generic email templates to assist with notifying your organization on the different steps throughout your implementation. Check out these JumpCloud End-User Email Templates to use when notifying your employees.
Set up your Admin Portal
Settings
Before you start building out your JumpCloud directory, we recommend creating and reviewing the global settings such as password aging, complexity, lockouts, and more. These settings apply to all resources within the JumpCloud platform.
End User Impact: None/Low
- Settings in the JumpCloud Admin Portal
- Adding Admins to your JumpCloud Organization
- Customizing Welcome Emails sent to Users from JumpCloud
- Conditional Access: Global Policy for MFA (if applicable)
- Enabling System Insights (if applicable)
- Enabling Directory Insights (if applicable)
Building Users in JumpCloud
This step involves building the user directory. You'll connect users with devices in the Going Live steps.
End User Impact: None/Low
User Import Types and Privileges required:
- CSV Import: JumpCloud Admin Portal privileges
- Google Workspace Directory Import: Super Administrator credentials are required
- Microsoft 365 Directory Import: Global Administrator credentials are required
- Okta Real-Time User and Password Import: Administrator credentials are required
- Active Directory Integration: Domain Administrator credentials are required
- API Import: JumpCloud Admin Portal privileges and an API key
Considerations:
- CSV-imported users without an initial password will not receive a welcome email. To send an activation email to these users later, select them in bulk on the Users page, click “more actions”, and then “Resend Email”.
- Adding/Importing users into JumpCloud will have no effect on existing accounts until the user is associated with a resource (Device, Google Workspace/Microsoft 365 Directory).
- If you would like JumpCloud to take over existing user accounts, the JumpCloud username must EXACTLY MATCH the local device username. If there is not an exact match, JumpCloud will treat the username as new and create a new user profile when the user is bound to the device. See JumpCloud User Naming Convention.
- Usernames for users imported from Google Workspace or Microsoft 365 will be their email address prefix (everything before the @). Consider whether this matches your local device usernames, or whether you intend to create new local user accounts. Be aware that you can only rename the username of a user account that isn’t yet bound to a resource.
- Example: an imported user whose email address starts with testuser123@ will have the username testuser123.
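The username-match rule above (the same check is repeated under Deploying Agents to Devices and User and Device Takeover) is easiest to verify before anything is imported. The following Python script is an added example, not JumpCloud’s own tooling: it derives the JumpCloud username from each email address the way the Google Workspace / Microsoft 365 import does, compares it with the local account names collected from each device, and reports which accounts would be taken over, which would get a fresh profile, and which local accounts no JumpCloud user claims (those are the ones to reconcile by renaming the still-unbound JumpCloud user). It also builds the request bodies for the API import path. The CSV column names, the device/account listings and the JUMPCLOUD_API_KEY environment variable are assumptions; the systemusers endpoint and x-api-key header follow JumpCloud’s public API v1 reference, which you should check for the current field list.

```python
"""Pre-import username check and API import skeleton.

Added example, not JumpCloud's own tooling. It applies the rule from the guide:
a JumpCloud user takes over an existing local account only when the JumpCloud
username EXACTLY matches the local device username; otherwise a new local
profile is created when the user is bound to the device.
"""
import csv
import io
import json
import os
import urllib.request

# Constructed sample of a user export you would feed to the CSV import.
# Column names are an assumption; align them with JumpCloud's CSV template.
USERS_CSV = """email,firstname,lastname
testuser123@example.com,Test,User
jane.doe@example.com,Jane,Doe
bob.smith@example.com,Bob,Smith
carol@example.com,Carol,Lee
"""

# Constructed sample of local account names gathered per device, e.g. from
# `dscl . list /Users` (macOS), `Get-LocalUser` (Windows) or /etc/passwd (Linux),
# with system and admin accounts already filtered out.
LOCAL_ACCOUNTS = {
    "mac-001": ["testuser123"],
    "win-002": ["jane.doe", "bsmith"],
    "lnx-003": ["carol"],
}


def username_from_email(email):
    """Same rule the Google Workspace / Microsoft 365 import uses: the part before '@'."""
    return email.split("@", 1)[0]


def check_usernames(csv_text, local_accounts):
    """Classify each CSV user as takeover (exact local match) or new_profile,
    and list local accounts that no JumpCloud user would claim (unclaimed_local)."""
    local_index = {}
    for device, names in local_accounts.items():
        for name in names:
            local_index.setdefault(name, []).append(device)
    report = {"takeover": {}, "new_profile": [], "unclaimed_local": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uname = username_from_email(row["email"])
        if uname in local_index:  # exact, case-sensitive comparison on purpose
            report["takeover"][uname] = local_index[uname]
        else:
            report["new_profile"].append(uname)
    for name, devices in local_index.items():
        if name not in report["takeover"]:
            report["unclaimed_local"][name] = devices
    return report


def build_create_payloads(csv_text):
    """One request body per user for the JumpCloud API v1 systemusers endpoint.
    Field names follow JumpCloud's API reference; check it for the current schema."""
    return [
        {
            "username": username_from_email(row["email"]),
            "email": row["email"],
            "firstname": row["firstname"],
            "lastname": row["lastname"],
        }
        for row in csv.DictReader(io.StringIO(csv_text))
    ]


def create_users(payloads, api_key, dry_run=True):
    """POST each payload to https://console.jumpcloud.com/api/systemusers.
    With dry_run=True nothing leaves the machine; each entry is reported as DRY-RUN."""
    url = "https://console.jumpcloud.com/api/systemusers"
    headers = {
        "x-api-key": api_key,  # read from the environment; never commit it
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    results = []
    for body in payloads:
        if dry_run:
            results.append(("DRY-RUN", body["username"]))
            continue
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), headers=headers, method="POST"
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            results.append((resp.status, body["username"]))
    return results


if __name__ == "__main__":
    report = check_usernames(USERS_CSV, LOCAL_ACCOUNTS)
    print(json.dumps(report, indent=2))
    # Only import once the report shows what you expect; drop dry_run to send.
    api_key = os.environ.get("JUMPCLOUD_API_KEY", "")
    print(create_users(build_create_payloads(USERS_CSV), api_key, dry_run=True))
```

Run it with the dry run first; the report tells you, before any device is touched, whether binding a user will take over an existing account or create a new one. A user listed under new_profile whose intended local account shows up under unclaimed_local has a username mismatch to fix before binding.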
Step-by-step Implementation links:
CSV Import
Google Workspace Directory Import
Don't connect users to the Google Workspace Directory until you're ready to Go Live.
Microsoft 365 Directory Import
Don't connect users to the Microsoft 365 Directory until you're ready to Go Live.
Okta Real Time User Import
- Configure Okta Real-time User and Password Import: This integration with Okta allows Okta to be the authority over JumpCloud Users, their passwords, and User Attributes. In this configuration it is always recommended to have users change their passwords in Okta. Okta will then immediately send the new password to their JumpCloud account and associated resources. Please note that if Users are on macOS devices, there are certain workflows that need to be followed. These macOS workflows are addressed within the KB above.
Active Directory Integration
- Integrating AD with JumpCloud: Use this when you want a bidirectional sync between your Active Directory domain and your JumpCloud tenant, so that password changes in either directory are synced to the other. Not generally recommended if you’re migrating away from or decommissioning Active Directory; in that case we recommend another method, such as the Microsoft 365 or Google Workspace directory import, to bring in your users.
- Migrating Users from Active Directory to JumpCloud: This is used when you’re wanting to export the Active Directory users into JumpCloud. The methods mentioned in this KB are via CSV, but you may also alternatively use the M365 or GWS import feature instead. If your users are using domain-bound devices, you will need to migrate these devices from AD-bound to a local workgroup and local user profile using the JumpCloud Active Directory Migration Utility. This helps convert the devices and profiles to a local workgroup and profile while also installing the JumpCloud Agent on your behalf.
Deploying Agents to Devices
You should deploy the JumpCloud agent on any devices that you want JumpCloud to manage. You can install the JumpCloud agent on devices that are connected to a domain, however the agent is limited to just Commands and System Insights.
End User Impact: Low
Required Privileges:
- Manual and remote installs require root / administrator access to the device. For remote installs, you may need an RMM, MDM, or other remote tooling to push the JumpCloud Agent. Otherwise, install manually while physically at the device or over a remote screen-share session with the user.
- End-User Installs require the User to have local root / administrator privileges to the device.
JumpCloud Agent Requirements:
- JumpCloud Agent Compatibility, Device Requirements, and Impacts
- Internet connectivity and time synchronization – JumpCloud Agent Networking Requirements
Considerations:
- Command line vs. manual install depending on current environment size and expected future growth and desired deployment practices.
- Establish a consistent naming convention for usernames. Verify that your JumpCloud usernames exactly match the usernames on existing devices to ensure proper account takeover.
- Consider establishing a consistent naming convention for device names. See Clarification on Device Names.
- Ensure that the network is configured to allow communication with JumpCloud’s servers (see JumpCloud Agent Networking Requirements above).
Installation Methods:
Windows
- Manual install via JumpCloud Admin Portal, Remote Install via RMM/MDM, or manual distribution of JumpCloudInstaller.exe.
- End User Installs from User Portal
- Command line: Agent Deployment via Command Line
Linux
- Manual Installation via JumpCloud Admin Portal or manual distribution of command-line install.
- End User Installs from User Portal
- Command line: curl --silent --show-error --header 'x-connect-key: YOUR_CONNECT_KEY' https://kickstart.jumpcloud.com/Kickstart | sudo bash
  The connect key enrolls devices into your organization, so treat it as a secret: don’t leave it in shell history or in scripts shared outside the IT team. If your change-control process doesn’t allow piping a downloaded script straight into a root shell, download the Kickstart script first, review it, and then run it with sudo.
- Automation via Configuration Management Tools
macOS
Before deploying agents to your macOS devices, JumpCloud recommends configuring JumpCloud MDM with your Apple Business Manager (ABM) account. Check out how you can get started with JumpCloud MDM.
If you’re using a third-party MDM (like Jamf, Kandji, Mosyle, etc.), you can skip the MDM recommendation above and continue installing the JumpCloud Agent.
Note: On macOS 12 (Monterey) and later, users must grant Full Disk Access to the JumpCloud Agent during install. See how to grant Full Disk Access to the JumpCloud Agent.
- Manual install via JumpCloud Admin Portal or manual distribution of jumpcloud-agent.pkg.
- End User Installs from User Portal
Configuring JumpCloud Groups
At JumpCloud’s core, it's all about managing Users, their access, passwords, and identities across your environment. We recommend creating User Groups and Device Groups first as this will help you organize your user and device objects when you begin to import and add resources. As JumpCloud is GBAC-based (group-based access control), before Users can be given access to resources such as SSO Apps, they must be bound to a User Group that’s been granted App access.
Creating User Groups
Groups are the best way to control users' access to resources. If the groups will be used to control access to a resource, connect the group to the resource.
End User Impact: Low
Considerations:
- Create groups as needed for a given resource, and add user groups to the resources.
- Establish a naming convention for user groups that aligns across your organization.
- Determine a consistent, scalable structure for groups.
- User groups should be used to control access to devices, SSO applications, RADIUS networks, and directories like Google Workspace, Microsoft 365, and LDAP.
- Learn More: Getting Started: User Groups
Implementation Steps:
- Log in to the JumpCloud Administrator Portal: https://console.jumpcloud.com.
- Go to USER MANAGEMENT > User Groups.
- Click the ‘+‘ button to create a new user group.
- Create a name for the group and add any additional attributes.
- Go to USER MANAGEMENT > Users to bind users to the new user group.
- Click Save.
Creating Device Groups
Device groups can be used to control user or user group access to devices.
End User Impact: Low
Considerations:
- Policies and Policy Groups should be applied to Device Groups.
- Device Groups can contain a mix of operating systems.
- Create Device Groups as needed for your devices.
- Connect devices to Device Groups.
- Determine a scalable Device Group structure.
See Getting Started: Device Groups to learn how to create Device Groups.
Going Live
Educate Your Employees
When installing any new software or environment-wide application, it’s always best practice to educate and notify your end users before implementing. Send the following links to your organization employees so they can be aware of any changes, steps, and items during the implementation project.
Note: See Email Templates and Recommendations for Educating Users for example user communications before implementing certain features throughout your project plan.
End User Impact: High
Ensure end users understand JumpCloud will be managing their identity — their access to devices, applications, and other resources is managed by JumpCloud.
- You can connect the user to any of the resources connected to JumpCloud from a device to applications, networks, etc. However, if the user is created in a Staged user state, they will not gain access to their assigned resources until they are activated. See Managing User States for specific information about when a user is provisioned.
- Users update their passwords from the User Portal or from their JumpCloud Tray App on their device. See Changing My JumpCloud User Account Password?
- If Mac users update their passwords in the JumpCloud User Portal instead of changing it in the JumpCloud Mac Tray App, they’ll have to log out and log back in to update their Keychain and FileVault password.
- Google Workspace and Microsoft 365 users change their passwords in the JumpCloud User Portal. If users change their passwords within either of these directories instead of JumpCloud, there may be a password discrepancy between the two.
Considerations:
- User Activation – setting a temporary password vs. sending the user activation email.
- Notify applicable users that they will be receiving a Welcome email from JumpCloud.
- Educate All Users — including Google Workspace and Microsoft 365 users — that they change their password in their JumpCloud User Portal or in their JumpCloud managed device’s JumpCloud Tray App.
Implementation Steps:
- Customize organization information in the JumpCloud Admin Portal under Settings.
- Communicate workflow changes to users.
Google Workspace Directory Sync
To use JumpCloud's Google Workspace Directory integration, one of the following Google licenses is required:
- Google Workspace for Business
- Google Workspace for Education
- Google Workspace Basic (requires valid payment input for user additions)
You also need:
- An active Google Workspace domain
- A Google Workspace domain admin (Super Administrator) account to authorize the integration
End User Impact: Medium - User workflow impacted
Prerequisites:
- Google Workspace User Import, Provisioning, and Sync
- Users exist and have been imported into JumpCloud from Google Workspace.
- Users have been notified of the upcoming change.
Considerations:
- Users should be notified that JumpCloud will be managing their Google Workspace credentials, and informed on how they should update their passwords going forward.
- Users that are removed from the Google Workspace Directory Sync will have their accounts suspended in Google Workspace.
- FAQ – Google Workspace User Provisioning and Sync
Implementation Steps:
- Learn how, see Creating & Importing Users in JumpCloud
- We recommend that User Groups be used to connect users to the Google Workspace Directory. See Google Workspace User Import, Provisioning, and Sync.
- Users will receive an email to set or reset their JumpCloud password to complete synchronization.
- If a user’s current Google Workspace password meets JumpCloud password complexity requirements, and they opt to use it for JumpCloud registration, from their perspective there is no password reset, although they may be logged out of their active Google sessions.
- Monitor adoption with the user status in the JumpCloud Admin Portal. Resend emails as necessary.
Microsoft 365 Directory Sync
Prerequisites:
- Microsoft 365 Directory Sync Authorized in JumpCloud
- Users exist in the JumpCloud Directory
- Users have been notified of the upcoming change
End User Impact: Medium - User workflow impacted
Considerations:
- Users should be notified that JumpCloud will be managing their Microsoft 365 credentials, and informed on how they should update their passwords going forward.
- Users that are removed from the Microsoft 365 Directory Sync will have their accounts suspended in Microsoft 365.
- The Microsoft 365 Directory Sync has to be reauthorized every 90 Days.
- FAQ – Microsoft 365 User Provisioning and Sync
Implementation Steps:
- Learn how, see Creating & Importing Users in JumpCloud.
- It is recommended that User Groups be used to bind users to the Microsoft 365 Directory. See Microsoft 365 User Import, Provisioning, and Sync.
- Users will receive an email to set or reset their JumpCloud password to complete synchronization.
- If the user’s current Microsoft 365 password meets JumpCloud password complexity requirements and they opt to use that for JumpCloud registration, from their perspective there is no password reset, although they may be logged out of their active sessions.
- Monitor adoption with the user status in the JumpCloud Console. Resend emails as necessary.
User and Device Takeover
Prerequisites:
- JumpCloud agent is installed on devices and the device status is active/green in Admin Portal.
- Users are active in JumpCloud.
- JumpCloud usernames and device usernames match.
- Users have been notified of the change and understand where to update their passwords.
- Admins understand the expected behavior when users and devices are connected.
- You’ve successfully tested devices in your environment.
Considerations:
- Whether to use a phased roll-out approach or an all-at-once approach of going live with all users and devices at one time.
- Phased roll-out: Useful when most users can migrate to JumpCloud on schedule but some group is constrained by timing, and for organizations with distributed teams. We recommend this approach for going live.
- All-at-once: All users and devices are migrated at the same time.
- Ensure that the timing of implementing these tasks won’t disrupt business operations, and that support staff are ready to assist if needed.
- Windows Live accounts aren’t supported and will need to be converted to local accounts. Learn how, see Unlinking a Windows Live Account.
- Active Directory bound devices with AD managed profiles are not supported for account takeover by JumpCloud. Please see the JumpCloud Active Directory Migration Utility for more details.
End User Impact: High - Users will be using their JumpCloud identities / accounts to authenticate to devices.
Existing Account Takeover (All OSes)
Implementation Steps:
- Ensure JumpCloud usernames and local device usernames match. If there are discrepancies, learn how in Changing Existing Usernames in Devices.
- Connect the user to a device by going to USER MANAGEMENT > Users. Then click on a user and go to the Devices tab.
- Allow up to a few minutes for the synchronization to occur.
- Advise users to log out and log back in with their JumpCloud account credentials.
Note: Be aware that changing usernames on Mac and Linux isn't generally recommended unless you have full understanding of the impacts of doing so. Changing the username on these platforms can have adverse effects on application and file access.
New Local Accounts (All OSes)
Implementation Steps:
- Connect the user to a device on the Devices tab of the user’s Details panel.
- Allow up to a few minutes for the synchronization to occur.
- Advise users to log in with their JumpCloud account credentials.
Policies and Policy Groups
JumpCloud Policies let admins control the behavior of devices for various purposes, most commonly to enforce security standards. Policies are set through the JumpCloud Admin Portal and require no coding skills. After they are configured, admins can deploy policies to groups of devices and monitor the status of each device to ensure the policy is enabled.
Considerations:
- When configuring an individual policy, they should be applied to device groups.
- We recommend using Policy Groups. Policy Groups can contain multiple policies you configure and you may then apply the Policy Group to Device Groups. For example, if you have a security baseline you need to meet, a singular Policy Group could contain X number of policies, which you can then bind to a Device Group(s).
- Some policies can be applied to all users, or only JumpCloud managed users on the device.
- Some policies require additional action, such as user log out / log in or device restart to take effect. Refer to the Policy Activation Details on the JumpCloud Policy’s Details pane for more information.
- Some policies are only compatible with certain OS versions and license levels.
End User Impact: Low to High - depending on the policy
Implementation Steps:
- Create a new policy, configuring any required settings.
- Create a new policy group. Add previously configured policies to this policy group.
- Connect the policy group to a device group.
Configuring Applications (SSO / SAML)
Considerations:
- Enabling SSO for a Service Provider (SP) will typically disable username/password authentication for all users of that application. Test during a maintenance window, or in a sandbox environment if available, and confirm beforehand how an administrator can still sign in to the SP if JumpCloud is unreachable.
- Service Provider requirements (supported SAML bindings, required attributes, NameID format).
- Administrators should be able to generate an X.509 certificate / private key pair for SAML signing. See Generating a Public Certificate / Private Key Pair Using OpenSSL.
- Users should be educated on how they will authenticate into applications after SSO is enabled.
- SP-initiated vs. IdP-initiated SSO.
End User Impact: Medium - User authentication workflow changes. Once configured, Users must authenticate through JumpCloud before access is granted to the application.
Implementation Steps:
- Review SSO documentation for both JumpCloud and the Service Provider.
- Create a User Group to manage which users access the application.
- Grant user access by assigning users to the appropriate user groups.
- Configure the SSO application within JumpCloud.
- Configure SSO in the Service Provider’s settings.
- Test to ensure authentication workflow routes through JumpCloud.
- Enable either SCIM or JIT on the JumpCloud SSO Connector, if the SP supports either protocol. If SCIM is supported by the SP, we recommend configuring SCIM and not configuring JIT as SCIM handles the full-lifecycle of users, where JIT only supports creation and updates.
SSO Scenarios: SP initiated & IdP initiated
- The SP initiated workflow is the scenario where SSO is enabled for an application, and a user attempts to login via the SP. The expected behavior is that the user will be redirected to the JumpCloud login page. After they log in, the user is authenticated and logged in to the SP.
- The IdP initiated workflow is the scenario where a user logs in to their JumpCloud User Portal and logs in to an application via one of the application icons in their Portal dashboard.
Configuring LDAP
Prerequisites:
- Service Provider LDAP configuration documentation and/or support.
- A working LDAP Binding User (the service account that LDAP clients use to bind to JumpCloud LDAP). Use a dedicated account for this rather than a person’s account, and give it no access beyond the LDAP directory.
- JumpCloud Users have been bound to the LDAP Directory.
Considerations:
- LDAP Binding Service account naming convention.
- LDAP configurations vary depending on the Service Provider.
- Naming conventions for LDAP Groups.
- Familiarity with ldapsearch for testing and troubleshooting. See Using ldapsearch with JumpCloud.
End User Impact: Medium - User authentication workflow impacted
Implementation Steps:
- Prepare an LDAP Binding User account. See Using JumpCloud’s LDAP-as-a-Service.
- Create a User Group to manage which users are given access to LDAP Authentication.
- Grant user access by assigning users to the appropriate user groups.
- Bind User Groups to LDAP.
- Complete LDAP configuration within the Service Provider.
- Test connectivity. This may not be available for all vendors.
- Go live by enabling LDAP authentication in the Service Provider configuration.
Configuring RADIUS-as-a-Service
Prerequisites:
- JumpCloud Users connected to a user group.
- Users have activated their JumpCloud accounts.
- Wireless Access Points (WAP’s) which support RADIUS Authentication.
Considerations:
- Authentication protocol: EAP-TTLS vs. PEAP. See Configuring a Wireless Access Point (WAP), VPN, or Router for JumpCloud’s RADIUS.
End User Impact: Medium - User workflow impacted
Implementation Steps:
- Configurations vary by vendor. See JumpCloud’s RADIUS documentation for RADIUS basics and the vendor-specific setup guides that are available.
- Create a User Group to manage which users are given access to the RADIUS network.
- Grant user access by assigning users to the appropriate user groups.
- Bind User Groups to the JumpCloud RADIUS endpoint.
- Complete RADIUS configuration within the networking device. Check with your vendor’s documentation on how to configure RADIUS.
- Test connectivity. This may not be available for all vendors.
- Go live by enabling RADIUS authentication in the network configuration.
Configuring Conditional Access Policies (if applicable)
Use Conditional Access Policies to implement Zero Trust security in your organization. You can create conditional access policies that secure access to resources based on conditions like a user's identity and the network and device they’re on. For example, lock down your environment with policies that deny access when users are on unmanaged devices or unapproved networks. Alternatively, relax access and let users log in to the User Portal without Multi-factor Authentication (MFA) when they’re on a VPN or managed device.
Prerequisites:
- JumpCloud Users are activated
- You’ve created JumpCloud User Groups
- Devices are managed by JumpCloud
- SSO Applications have been configured in JumpCloud
Considerations:
- Conditional Access Policies are included within the JumpCloud Platform Plus package
- Conditional Access Policies focusing on Device Trust require the JumpCloud Agent to be running on your managed devices.
End User Impact: Medium - User workflow impacted
Implementation Steps:
- Navigate to Conditional Policies in the left hand menu.
- Click the ‘+‘ button to create a policy.
- Configure the policy for either device trust, network trust, geolocation, or MFA by group as you require for your security compliance.
- Click Save.
To learn more about Conditional Access Policies and how to properly configure these types of policies, see, Getting Started: Conditional Access Policies.
Directory Insights
Directory Insights is JumpCloud's event logging and compliance feature. Directory Insights shines a light on audit trails leading up to critical events so you know the what, where, when, how, and who of your directory activities. You can use our RESTful API, PowerShell Module, and Administrator Portal to access event logs, see activity happening in your directory, and monitor user authentications to the User Portal, SAML SSO applications, RADIUS, and LDAP.
Prerequisites:
- JumpCloud Pricing Package that includes Directory Insights
- If you’d like to enable this, email [email protected].
Considerations:
- Directory Insights data catalogues various information and updates in real time, see JumpCloud Directory Insights.
End User Impact: None
Implementation Steps:
- Go to INSIGHTS > Directory.
- Create views, filters, and select time ranges which you want to audit.
- Export the data to JSON or CSV via the export drop down in the right hand side.
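As an added example (not JumpCloud code), the Python below shows the kind of check you can run over a Directory Insights export or API pull once the feature is enabled: it counts failed User Portal logins per user inside a sliding time window and flags a single source IP whose failures touch many different usernames (password spraying). The events are constructed to approximate the Directory Insights JSON fields (service, event_type, success, username, client_ip, timestamp); confirm the field names and the events endpoint against JumpCloud’s Directory Insights documentation before pointing it at real data. The fetch_events helper is included for completeness and is not called in the offline demo.

```python
"""Triage of Directory Insights events: failed User Portal logins and spraying.

Added example, not JumpCloud code. SAMPLE_EVENTS is constructed to approximate
the Directory Insights JSON schema; verify field names against JumpCloud's docs.
"""
import json
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export, one JSON object per line (a JSON array also works).
SAMPLE_EVENTS = """
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"bsmith","client_ip":"203.0.113.7","timestamp":"2024-05-01T12:00:10Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"bsmith","client_ip":"203.0.113.7","timestamp":"2024-05-01T12:01:05Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"bsmith","client_ip":"203.0.113.7","timestamp":"2024-05-01T12:02:30Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"bsmith","client_ip":"203.0.113.7","timestamp":"2024-05-01T12:03:00Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"bsmith","client_ip":"203.0.113.7","timestamp":"2024-05-01T12:04:45Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"bsmith","client_ip":"203.0.113.7","timestamp":"2024-05-01T12:05:20Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"alice","client_ip":"198.51.100.20","timestamp":"2024-05-01T12:10:00Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"carol","client_ip":"198.51.100.20","timestamp":"2024-05-01T12:10:05Z"}
{"service":"directory","event_type":"user_login_attempt","success":false,"username":"dave","client_ip":"198.51.100.20","timestamp":"2024-05-01T12:10:11Z"}
{"service":"directory","event_type":"user_login_attempt","success":true,"username":"alice","client_ip":"192.0.2.44","timestamp":"2024-05-01T12:12:00Z"}
{"service":"sso","event_type":"sso_auth","success":true,"username":"alice","client_ip":"192.0.2.44","timestamp":"2024-05-01T12:13:00Z"}
"""


def parse_events(text):
    """Accept either newline-delimited JSON or a single JSON array."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _failed_portal_logins(events):
    """Only failed User Portal (service=directory) login attempts."""
    for e in events:
        if (e.get("service") == "directory"
                and e.get("event_type") == "user_login_attempt"
                and e.get("success") is False):
            yield e


def failed_logins(events, window=timedelta(minutes=10), threshold=5):
    """Users with >= threshold failed User Portal logins inside any `window`.
    Returns {username: max failures seen in one window}."""
    times = defaultdict(list)
    for e in _failed_portal_logins(events):
        times[e["username"]].append(_ts(e["timestamp"]))
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def password_spray(events, min_distinct_users=3):
    """Source IPs whose failed logins touch many different accounts.
    Returns {client_ip: sorted usernames}."""
    by_ip = defaultdict(set)
    for e in _failed_portal_logins(events):
        if e.get("client_ip"):
            by_ip[e["client_ip"]].add(e["username"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_distinct_users}


def fetch_events(api_key, start, end, services=("directory",), limit=1000):
    """Pull events from the Directory Insights API (not called in the offline demo).
    Endpoint and body fields follow JumpCloud's API reference; check it for changes."""
    def iso(t):
        return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = {"service": list(services), "start_time": iso(start),
            "end_time": iso(end), "limit": limit}
    req = urllib.request.Request(
        "https://api.jumpcloud.com/insights/directory/v1/events",
        data=json.dumps(body).encode(),
        headers={"x-api-key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("repeated failures:", failed_logins(events))
    print("possible spraying:", password_spray(events))
```

Against the constructed sample, the first check reports bsmith (six failures in five minutes) and the second reports 198.51.100.20, which failed once each against three different accounts and so never trips a per-user threshold. The two checks are deliberately separate: a lockout policy in Settings catches the first pattern, while the second is only visible when you pivot on the source address.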
Complete
After following the steps above alongside your Project Plan, you should have completed your implementation of JumpCloud’s platform. If you run into any break-fix issues along the way or after your implementation, contact support by creating a support ticket within the Admin Portal.