Your users can download the JumpCloud Protect® mobile app to secure their accounts using Multi-Factor Authentication (MFA). The app can be downloaded from the iOS App Store or the Google Play Store. Once your users have downloaded the app and successfully enrolled their devices, they can authenticate using Push MFA or Verification (TOTP) Code.
By default, JumpCloud limits fraudulent push attempts by blocking more than one push notification per resource within a sixty-second window. Users can try again after the window expires or after they have approved or denied the initial request.
JumpCloud Protect can be used to log in to the Admin Portal, User Portal, or devices (Windows, Mac, Linux). Before your users can use the JumpCloud Protect mobile app, you, as an administrator, must enable it.
JumpCloud Protect supports iOS 13 and above and Android 8.0 and above. It may run on older versions, but those are not supported by JumpCloud.
- The Google Play Store is blocked in China, so users there cannot download JumpCloud Protect. Have them authenticate with TOTP using an authenticator app that is available in China.
- Additionally, push notifications on Android devices may not work in countries such as China because Google's push messaging service (Google Cloud Messaging, since replaced by Firebase Cloud Messaging) may be blocked. TOTP does not depend on this service.
- If users have an Apple Watch paired with the iPhone running JumpCloud Protect, they can see and respond to their push notifications on the watch.
- The JumpCloud Protect mobile app may run on a tablet, but is not optimized for tablets at this time.
- If admins require mobile biometric verification as additional user verification, the device must support biometric, PIN, or passcode unlock.
- User verification is a security measure that confirms the person approving an authentication request is the enrolled user and not just someone holding the unlocked phone.
- A user can only be enrolled in JumpCloud Protect on one device.
- JumpCloud Protect supports both Push MFA and TOTP MFA. However, your users must enroll in each form separately.
- Users can authenticate to their local device account without internet access, and TOTP MFA is still enforced in this situation.
- JumpCloud Protect collects certain diagnostic and usage data for troubleshooting and app improvement. No user information is collected. These options default to on, but users can turn off data collection in the app:
- Tap More > Settings > Privacy to display the options for turning off Share Diagnostic Data and Share Usage Data.
Security Practices to Reduce Push Bombing and MFA Fatigue Risks
Push bombing is an attack in which an adversary who already holds a user's password triggers repeated push MFA requests until the user accepts one by mistake. MFA fatigue is the related outcome where the user, worn down by the stream of prompts, approves a fraudulent request just to make them stop.
There are several ways to protect your organization against such an attack:
- An attacker can initiate a Push MFA request after obtaining a user’s password. Setting a strong password policy and using account lockout policies will reduce password brute force attacks.
- Enable Mobile Biometric Verification for JumpCloud Protect so that approving a push also requires the user to unlock with biometrics, PIN, or passcode.
- Leverage Conditional Access Policies for additional safeguards.
- Educate users to check application and location information before approving a push request, and to deny any request they suspect as fraudulent. Keep in mind that location information does not have 100% accuracy, especially at the city level.
JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty-second period, except for RADIUS and LDAP attempts. Admins can turn this off, or increase the limit for maximum concurrent attempts, within MFA Configurations.
Users can try again after the timeout or after they have approved or denied the request. Each blocked attempt appears in Directory Insights as an event named push_mfa_attempt_failed with the error message ‘too many concurrent push requests’, so a burst of these events for one user is a direct indicator of a push bombing attempt.
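Because every throttled push is logged, the event stream above can feed a simple push bombing detector. The following is an added example (not JumpCloud's code) that reads newline-delimited JSON events and flags any user who accumulates a threshold of ‘too many concurrent push requests’ failures inside a sliding window. The event name and error message come from this page; the field names (event_type, timestamp, username, resource, error_message), the sample lines and the thresholds are constructed for the example and are assumptions about an export format, not a documented schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BLOCKED_ERROR = "too many concurrent push requests"
BLOCKED_EVENT = "push_mfa_attempt_failed"

# Constructed sample export: alice is being push-bombed, bob double-tapped once,
# dave's line is an unrelated enrollment event. Field names are assumed.
SAMPLE_EVENTS = """\
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:00:05Z", "username": "alice", "resource": "user_portal", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:00:40Z", "username": "alice", "resource": "user_portal", "error_message": "too many concurrent push requests"}
{"event_type": "jumpcloud_protect_device_enrollment", "timestamp": "2024-05-01T09:01:00Z", "username": "dave"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:01:20Z", "username": "alice", "resource": "user_portal", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:02:10Z", "username": "alice", "resource": "user_portal", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:03:00Z", "username": "alice", "resource": "user_portal", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T09:05:00Z", "username": "bob", "resource": "admin_portal", "error_message": "too many concurrent push requests"}
{"event_type": "push_mfa_attempt_failed", "timestamp": "2024-05-01T10:30:00Z", "username": "alice", "resource": "user_portal", "error_message": "too many concurrent push requests"}
"""


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def blocked_push_events(lines):
    """Yield only the throttled-push events, sorted by time so out-of-order exports still work."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == BLOCKED_EVENT and ev.get("error_message") == BLOCKED_ERROR:
            events.append((parse_timestamp(ev["timestamp"]), ev["username"], ev.get("resource", "")))
    return sorted(events)


def find_push_bombing(lines, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Return {username: peak count} for users with >= threshold blocked pushes inside any `window`.

    A deque per user holds the timestamps still inside the window; the peak
    size reached is reported so an analyst can see how aggressive the burst was.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, _resource in blocked_push_events(lines):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    for user, peak in find_push_bombing(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible push bombing: {user} ({peak} throttled pushes in 10 minutes)")
```

A single throttled push is expected noise (a user tapping "sign in" twice), which is why the detector looks for a burst rather than any occurrence. When a user is flagged, the password that let the attacker reach the push step should be treated as compromised and rotated, since the throttle only slows the prompts; it does not stop an attacker who already knows the password.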
Before Enabling JumpCloud Protect
Before you enable JumpCloud Protect, you must first require your users to use MFA to log in to their JumpCloud account. You can do this by creating a Conditional Access Policy and assigning it to your users or user groups.
Alternatively, you can enable a setting in the Admin Portal to require individual users to use MFA when they log into their JumpCloud account. To do so:
- Go to USER MANAGEMENT > Users.
- Select a user to view their Details.
- In the User Security Settings and Permissions section, select Require Multi-factor Authentication for User Portal.
Enabling JumpCloud Protect
To enable JumpCloud Protect for your users:
- Log in to the JumpCloud Admin Portal.
- Go to SECURITY MANAGEMENT > MFA Configurations.
- In the JumpCloud Protect Mobile Push area, click the Enable button. Note: JumpCloud Protect is the default enabled MFA factor for new organizations.
- In the Mobile Biometric Verification dropdown, select one of the following:
- Never Required – default option; user will not be prompted for biometric
- Required If Enabled on Device – user will be prompted for biometric if the user’s device has biometric verification enabled; if it is not enabled on the device, authentication will not fail
- Always Required – user will be prompted for biometric; authentication will fail if device does not have it enabled or if user fails to provide biometric or passcode/PIN
- Click Save.
If Required If Enabled on Device or Always Required is selected, the user will not be able to accept or deny a request from the lock screen of their device or from their Apple Watch, because the app must first verify the user.
Viewing User Device Details and Enrollment Status
After you have enabled JumpCloud Protect for your users, you can view details of the individual user’s enrollment. To view these details:
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the user you want to view the enrollment status of.
- In the User Details tab, expand User Security Settings and Permissions and scroll to JumpCloud Protect Mobile Push Status.
In that pane, you can view the following information:
- Display Label: Nickname of the device
- Device Type: Type of device. For example, iPhone 8
- Device OS: OS version currently running on the device
- App Version: Version of JumpCloud Protect currently running on the device
- Authentication: Shows what type of User Verification is supported by the device
- Actions: Click the trashcan to remove the device
- If the user has not finished enrollment, a “This user has not enrolled a device in JumpCloud Protect Mobile Push” message will display.
- When a user completes enrollment, the following events appear in Directory Insights (DI):
- jumpcloud_protect_device_enrollment
- jumpcloud_protect_device_activation
You can also view MFA status from the Users list. From the columns dropdown, select MFA: JumpCloud Protect. When you hover over the status on the users list, you can see Protect MFA details for the user.
Deleting a User’s Device
You can delete a user’s device from the User Security Settings and Permissions screen. To do so:
- Under Actions, click the trashcan icon.
- In the confirmation window, click confirm.
Disabling JumpCloud Protect
If you no longer wish to use the JumpCloud Protect mobile app, you can turn it off.
If you have resources configured to require MFA and JumpCloud Protect is your users' only enrolled MFA factor, those users will lose access to those resources when JumpCloud Protect is disabled. Enroll them in another factor, such as TOTP, before disabling it.
To disable JumpCloud Protect Mobile Push:
- Log in to the JumpCloud Admin Portal.
- Go to SECURITY MANAGEMENT > MFA Configurations.
- Click the toggle next to JumpCloud Protect Mobile Push.
- On the Disable JumpCloud Protect Mobile Push modal, click Confirm.