
Set Up Multi-factor Authentication for your Org - JumpCloud Admins

Summary

This guide shows you how to set up Multi-factor Authentication (MFA) for JumpCloud users. After MFA is set up for a user, it is used to authenticate that user when they sign in to the JumpCloud User Portal or to other resources protected by JumpCloud MFA.
 


About JumpCloud MFA

JumpCloud MFA uses authenticator codes called Time-based One-Time Password (TOTP) tokens. After MFA is set up for a user, the user must enter these tokens when they sign in to a JumpCloud resource that a JumpCloud Admin has enabled for MFA protection. Each user is set up independently and has their own TOTP secret, so tokens cannot be shared between users. Generating tokens requires a TOTP application, generally on a mobile device. Any application that generates standard six-digit, SHA-1 based TOTP tokens (RFC 6238) can be used with JumpCloud MFA. Several apps are qualified to work with JumpCloud; Google Authenticator is the one the enrollment prompt links to.
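As an added illustration of the token format described above (example code written for this article, not JumpCloud's implementation), the following Python implements RFC 6238 TOTP with the parameters JumpCloud requires, six digits and HMAC-SHA1 over the standard 30-second step, together with the server-side check a verifier needs: a small clock-skew window, a constant-time comparison, and rejection of any code at or below the last accepted counter so a captured token cannot be replayed inside its validity window. The secret is the RFC 6238 reference test key in base32, a constructed value and not a real JumpCloud secret; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890") in base32, the form
# in which an authenticator app or a "TOTP key string" presents a key.
# Constructed test data, not a real JumpCloud secret.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a TOTP key string as a user would type it.

    Apps accept the key in lower case, with spaces, and without '='
    padding, so normalise before decoding.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Defaults match JumpCloud's requirement: six digits, SHA-1, 30-second step."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Accept codes from `window` steps either side of the
    current step to absorb clock skew, compare in constant time, and refuse any
    counter at or below the last accepted one so an observed code cannot be
    replayed while it is still within the window.

    Returns the matched counter on success, or None."""
    if len(code) != digits or not code.isdigit():
        return None
    key = decode_secret(secret_b32)
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already consumed (or older): replay
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    print("current code:", code, "-> matched counter",
          verify_totp(RFC6238_SECRET_B32, code, now))
```

The window of one step on each side is the usual trade-off between tolerating phone clock drift and limiting how long a shoulder-surfed code stays usable; the `last_counter` check is what stops the same code being accepted twice within that window.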


Preparing Your Users

We advise administrators to educate their users before enabling MFA to prevent potential confusion over the change in their user workflow.

  • After an admin enables JumpCloud MFA for a user, the user receives an email notifying them that MFA is now required for their account and telling them how long they have to enroll before a TOTP token is required to log in to the User Portal.
  • Following the link in the email, or logging in to the User Portal, gives the user access to their TOTP key and QR code to scan into a qualified MFA app, until their enrollment period expires.
  • After the user completes MFA setup, the JumpCloud User Portal requires email address, password, and TOTP token to sign in. Additionally, users are prompted for MFA when logging in to any MFA-enabled system once they have completed setup.


Requiring Multifactor Authentication on an Individual User Account

Instructions

  1. Edit a user or create a new user in the Admin Portal. See Getting Started: Users.
  2. In the User Security Settings and Permissions section, select the Require Multifactor Authentication for User Portal option.
  3. Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.
  4. Click Save User.
  5. During enrollment, the user's details indicate how much time is remaining in their enrollment period.
  6. After the enrollment period expires, the user is locked out of the User Portal until an admin extends the enrollment period or resets MFA (see below).


Requiring Multifactor Authentication on Existing Users in Bulk Actions

Instructions

  1. Select any users you would like to require MFA for.
  2. Click more actions, then select Require MFA on User Portal.
  3. Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.
  4. Click require to add this requirement to the selected users.


Extending Time for a User to Enroll in MFA

If a user has been locked out because their allotted time for MFA enrollment has expired, or is about to expire, you can extend the enrollment period for the user.

Instructions

  1. Edit the user that needs an extension in the Admin Portal.
  2. Click the user's MFA status indicator to show the MFA options menu.
  3. Select the Reset MFA option from the menu to display the Reset MFA modal.
  4. Specify the time period the user has to enroll, starting from today, and then click Reset.
  5. The user is notified of the enrollment period change, and subsequently follows the standard MFA enrollment process.


In Case of Device Loss or Failures - Reset MFA

Because the device holding the TOTP key can be a single point of failure, it's recommended that users record the TOTP key string shown at enrollment and store it somewhere safe as a backup. Treat that string as a credential: anyone who has it can generate valid tokens for the account, so keep it in a password manager or other encrypted store, never in plain text alongside the password. Most TOTP apps allow the key to be entered manually, so it can be typed in rather than scanned from the QR code to restore token generation on a new device or app.

Alternatively, if a user loses the ability to generate tokens, a JumpCloud administrator can reset MFA for the user through either the Users list bulk actions or the Details tab for a single user. The reset clears the previous TOTP key and starts a new enrollment period. Because the account is password-only until the user re-enrolls, verify the requester's identity through a channel other than the one asking for the reset before performing it.

Instructions

  1. Edit the user that needs the MFA reset.
  2. Select the user's MFA status indicator to display the MFA options menu.
  3. Select Reset MFA from the menu.
  4. The Reset MFA on Users window appears.
  5. Specify the number of days they have to complete their setup.
  6. Click reset.
  7. The user can now log in without MFA and is prompted to reconfigure their MFA before the enrollment period expires.


MFA Resource Availability

MFA resource protection is available on the following JumpCloud-managed resources:

  • User Portal login
  • Mac desktop login
  • Linux SSH login
  • SSO/SAML application login
  • Admin Portal login*

After a user completes MFA setup, MFA is enforced for that user on every MFA-protected resource. For example, if MFA is enabled for a given Linux server and User A has completed MFA setup, User A is prompted for a token when signing in to that server. If User B has not completed MFA setup, User B is not prompted when signing in to the same server. In other words, until a user finishes enrolling, MFA-protected resources are effectively password-only for that user, which is a reason to keep enrollment periods short and to follow up on users whose period has expired.

* Admin Portal MFA protection follows a separate MFA enrollment process.
See Enable MFA for Systems for information about enabling MFA on your systems.


User Eligibility

User Workflow - Initial Set Up

  1. The user receives an email stating they are required to set up MFA for JumpCloud.
  2. They click the link in the email OR log in to the JumpCloud User Portal.
  3. They are prompted for username and password.
  4. They click the User Login button.
  5. Username and password are authenticated.
  6. They are prompted to set up multi-factor authentication, with links to Google Authenticator on the iOS App Store and the Google Play Store. They may dismiss this prompt until the enrollment period ends; if they dismiss it, they are reminded of the number of days remaining in enrollment.
  7. If they click Continue, they are shown a QR code and the TOTP key string that can be used to configure a qualified MFA token generator app, and are prompted for the first TOTP token the app produces.
  8. For backup purposes, this is the time to copy the TOTP key string shown below the QR code and store it in a secure location such as a password manager. The QR code and the key string carry the same secret in two forms, so either one is enough to restore token generation in a new app.
  9. After submission, they are notified that MFA setup is complete.
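To show what the QR code and the key string in steps 7 and 8 actually carry, here is an added example (written for this article, not JumpCloud's code) that parses the otpauth:// Key URI that authenticator apps such as Google Authenticator read from a TOTP QR code, applies the format's defaults for anything the URI omits, checks that the parameters are the six-digit, SHA-1 based TOTP JumpCloud requires (a 30-second period is the standard default assumed here), and extracts the key string for manual entry or backup. The URI, issuer, account name and secret are constructed sample data, and whether JumpCloud's QR code states every parameter explicitly is an assumption, which is why the parser falls back to the standard defaults.

```python
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what an authenticator QR code typically encodes
# (the Google Authenticator "Key URI" format). The issuer, account and
# secret are made up; this is not a real JumpCloud enrollment QR.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/JumpCloud:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=JumpCloud"
)


@dataclass
class TotpParams:
    account: str
    issuer: str
    secret_b32: str
    algorithm: str
    digits: int
    period: int

    def is_jumpcloud_compatible(self) -> bool:
        """JumpCloud MFA needs six-digit, SHA-1 based TOTP on the standard 30 s step."""
        return self.algorithm == "SHA1" and self.digits == 6 and self.period == 30


def parse_otpauth(uri: str) -> TotpParams:
    """Parse an otpauth://totp/... URI, applying the Key URI defaults
    (SHA1, 6 digits, 30 s) for any parameter the QR code omits, and
    reject secrets that are not valid base32."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = q.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("otpauth URI has no secret")
    # Validate rather than trust: a typo in a hand-entered key should fail
    # here, not silently produce tokens that never match.
    base64.b32decode(secret + "=" * (-len(secret) % 8))
    return TotpParams(
        account=account or label,
        issuer=q.get("issuer", label_issuer),
        secret_b32=secret,
        algorithm=q.get("algorithm", "SHA1").upper(),
        digits=int(q.get("digits", "6")),
        period=int(q.get("period", "30")),
    )


def backup_key_string(uri: str) -> str:
    """The value to store as the manual-entry backup: the key string,
    grouped in fours so it can be read back into an app by hand."""
    s = parse_otpauth(uri).secret_b32
    return " ".join(s[i:i + 4] for i in range(0, len(s), 4))


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_QR_PAYLOAD)
    print(p, "compatible:", p.is_jumpcloud_compatible())
    print("backup key:", backup_key_string(SAMPLE_QR_PAYLOAD))
```

The base32 check matters in the restore case: an app that accepts a mistyped key will happily generate codes, and the user only discovers the problem when every login fails.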


User Workflow - Expiring Enrollment

When a user's enrollment period is about to expire, they are sent a reminder 24 hours in advance notifying them that MFA enrollment is about to expire. After their enrollment has expired, they are locked out of the User Portal until an administrator removes their MFA requirement or extends their enrollment time using the Extending Time for a User to Enroll in MFA process.


User Workflow - User Portal Login After MFA Setup Completed

After a user has completed MFA setup, the admin has required MFA on the User Portal for the user, and an authenticator app such as Google Authenticator is installed and linked to the user account, the User Portal login experience is as follows:

  1. The user goes to https://console.jumpcloud.com.
  2. They are prompted for username and password.
  3. They click the user login button.
  4. Username and password are authenticated.
  5. They are prompted for the Multi-Factor Authentication verification code, which they populate with the current TOTP token from the MFA app they chose (for example, Google Authenticator). The user has a short window to enter the digits into the JumpCloud OTP field: Google Authenticator rotates codes every 30 seconds and indicates when the current code is about to expire, and if it is, the user should wait for a fresh code rather than submit one that may be rejected.
  6. They click the user login button.
  7. Their TOTP token is authenticated.
  8. They are logged into the User Portal.

View User MFA Status

The MFA Status indicator tells you a user's MFA status. A user's MFA status is shown in the Users list's MFA Status column. When you hover over the padlock icon, the status details are shown:
  • User with MFA 
  • User in MFA enrollment period
  • User with expired enrollment period
  • User with MFA set up but who is not required to use MFA for User Portal
  • User required to set up MFA for User Portal who does not have an enrollment period


You can also view a user's MFA status in their user details.


You can filter the Users list by MFA status and requirement. See View User Details.

To see users in an enrollment period, apply both the Required and Inactive MFA status filters. Users with an expired enrollment period match the same pair of filters (they are also required but not yet active), so use the status indicator to tell the two groups apart.
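The following added example (written for this article, not part of JumpCloud's product or API) turns the statuses above and the filter advice into a small report an admin could run over a user export: it derives each user's MFA status from three facts the Users list exposes (required, configured, enrollment period end), lists who falls in the 24-hour expiry reminder window, shows what the Required + Inactive filter pair returns, and flags users for whom MFA-protected resources are still password-only because enrollment is incomplete. The field names, the reference time and the sample users are constructed for the example and do not match JumpCloud's API schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


# Minimal model of the per-user MFA state the Users list exposes. The field
# names are this example's own, not JumpCloud's API schema.
@dataclass
class UserMfa:
    email: str
    required: bool                       # "Require MFA on User Portal" set by an admin
    configured: bool                     # user has completed TOTP enrollment
    enrollment_ends: Optional[datetime]  # end of the enrollment period, if one is set


def mfa_status(u: UserMfa, now: datetime) -> str:
    """Derive the status the MFA Status column shows from the three fields.
    'not_required' covers users with neither a requirement nor a configured
    token, who show no MFA status at all."""
    if u.configured:
        return "mfa_active" if u.required else "configured_not_required"
    if not u.required:
        return "not_required"
    if u.enrollment_ends is None:
        return "required_no_enrollment_period"
    return "in_enrollment" if now < u.enrollment_ends else "enrollment_expired"


def needs_expiry_reminder(u: UserMfa, now: datetime) -> bool:
    """Enrollment still open but ending within the next 24 hours."""
    return (mfa_status(u, now) == "in_enrollment"
            and u.enrollment_ends - now <= timedelta(hours=24))


def required_and_inactive(users: List[UserMfa], now: datetime) -> List[str]:
    """What the Required + Inactive filter pair returns: users who must use
    MFA but have not finished enrolling, whether the period is open or expired."""
    return [u.email for u in users
            if mfa_status(u, now) in ("in_enrollment", "enrollment_expired")]


def password_only_users(users: List[UserMfa], now: datetime) -> List[str]:
    """Users an MFA-enabled resource will not prompt, because enforcement
    only starts once enrollment is complete."""
    return [u.email for u in users if not u.configured]


def mfa_report(users: List[UserMfa], now: datetime) -> Dict[str, List[str]]:
    by_status: Dict[str, List[str]] = {}
    for u in users:
        by_status.setdefault(mfa_status(u, now), []).append(u.email)
    by_status["remind_24h"] = [u.email for u in users if needs_expiry_reminder(u, now)]
    by_status["required_and_inactive"] = required_and_inactive(users, now)
    by_status["password_only"] = password_only_users(users, now)
    return by_status


# Constructed reference time and sample users (not real accounts).
NOW = datetime(2019, 5, 22, 16, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    UserMfa("alice@example.com", True, True, None),
    UserMfa("bob@example.com", True, False, NOW + timedelta(days=5)),
    UserMfa("carol@example.com", True, False, NOW + timedelta(hours=6)),
    UserMfa("dave@example.com", True, False, NOW - timedelta(days=1)),
    UserMfa("erin@example.com", False, True, None),
    UserMfa("frank@example.com", True, False, None),
]

if __name__ == "__main__":
    for group, emails in mfa_report(SAMPLE_USERS, NOW).items():
        print(f"{group:32s} {', '.join(emails) or '-'}")
```

The `password_only` group is the one to watch after a bulk "Require MFA" action or an MFA reset: those users are exactly the ones the text says are not prompted on MFA-enabled systems yet.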

Enable MFA for Systems
 
You can enable and disable MFA for multiple systems at once from the Systems list's More Actions menu.



Read the following articles to learn about enabling MFA for individual systems:
 

Related Articles

 

 

Last Updated: May 22, 2019 10:00AM MDT
