Your users can change their password at any time from their device, or they can be forced to change it when their password expires.
Users on Windows devices can change their password in several ways. We recommend they use the following methods in the order they’re listed:
- From the JumpCloud Windows App running in the system tray. For more information, see Users: Change Your Password in the Windows App.
- Press Ctrl+Alt+Del and choose Change Password.
- Open the login page for the JumpCloud User Portal and select Reset User Password. For more information, see Change Your User Portal Password.
- Inside the JumpCloud User Portal, go to Security Settings.
- Use the link inside a password expiration email. If you enable the Password expires after N days option, users receive one email a day for 7 days leading up to their password’s expiration that asks them to reset their password.
Prerequisites
- The device must be managed by JumpCloud through the Windows agent. See Understand the Agent.
- The Windows device must be running a supported version. See Windows Agent Compatibility.
- JumpCloud managed Windows users need an active internet connection to change their password.
- Users can’t be locked out of their JumpCloud account. See Password Statuses.
- User accounts can’t have expired passwords.
- Learn about Viewing User Details.
Considerations
- If you have MFA enabled in your organization, your users will need to verify their identity using MFA before they can change their password. They can use Push MFA through the JumpCloud Protect app, TOTP MFA through either JumpCloud Protect or another authenticator, or use Duo. However, Duo is only available if it’s the only form of MFA available.
- Passwords changed locally using Ctrl+Alt+Del will update the Windows Credential Manager and the Data Protection API.
- User accounts managed by Active Directory using AD integration won’t be able to use the Windows App to reset their password.
- A known issue exists for Windows 8, 8.1, and Server 2012: if a user is on a slow internet connection, they can click Cancel before they see the password change confirmation screen. In this case, the password change operation isn’t stopped, but the user isn’t notified of success or failure. This is a limitation of the previously mentioned Windows versions and can’t be controlled by JumpCloud.
JumpCloud Windows App
The JumpCloud Windows App is the preferred method for user password changes on Windows devices. Below is an overview of the user process. For specific user instructions, see Users: Change Your Password in the Windows App. Note that when you change your password, any active sessions (User Portal, SSO applications, etc.) will be terminated.
The user flow:
- In the system tray, open the JumpCloud Windows App.
- To change the password, type in your previous password, followed by the new password twice for confirmation.
- If MFA is enabled for your JumpCloud account, you need to authenticate your account. Depending on the types of MFA enabled by your organization, you’ll see one of two options:
  - Push: Use the JumpCloud Protect app to verify your identity with a push notification. See JumpCloud Protect for End Users.
    A cancel button displays on the logon screen while you are verifying your identity using Push MFA. Clicking this button has no effect on the push notification.
  - TOTP: Enter a six-digit code from an authenticator app such as JumpCloud Protect or Google Authenticator.
  The Duo app is also supported, but is only used when no other form of MFA has been enabled. If you are using Duo as your only form of MFA verification, you will receive a notification on your device to verify your identity. See Use Duo Security with JumpCloud MFA.
- The new password is instantly synchronized with any other password stores.
- The Windows device agent then contacts JumpCloud’s credential management services through a secure Transport Layer Security (TLS) connection.
- The device agent synchronizes changes from the device to JumpCloud and all the resources JumpCloud manages. If you’re using AD Sync, the password changes sync to Active Directory® as well.
Before you begin
- User accounts managed by Active Directory using AD integration won’t be able to use the Windows App to reset their password.
- Leverage a toolkit of emails and help articles to communicate with your end users about the Windows Password Sync feature, how to use it, and other resources you may need to provide a user-friendly experience when going live with the Windows App.