JumpCloud gives organizations the power to layer Multi-Factor Authentication (MFA) on top of nearly any resource you need to secure: Windows, Mac, Linux, applications, networks, infrastructure and more.
If you'd like to use the JumpCloud Protect Push MFA mobile app for your MFA needs, see JumpCloud Protect for End Users.
Prerequisites:
- Configure TOTP MFA for user accounts first. Learn how to do this inConfigure TOTP MFA for User Accounts.
Considerations:
- When TOTP MFA is enabled on a device, only users who have completed setupareprompted for TOTP MFA when they log in to the device.
- See individual considerations for each OS, listed below.
Note:
Internet connectivity is not required to use TOTP MFA on devices.
Before you can require yourusers to use TOTP MFA to log into their JumpCloud device, you must complete two procedures:
- Enable TOTP MFA at the org level.
- Enable TOTP MFA on the devices.
Enabling TOTP MFA at the Org Level
To enable TOTP MFA at the org level:
- Log in to the Admin Portal:https://console.jumpcloud.com/login.
- Navigate toSECURITY MANAGEMENT > MFA Configurations.
- Under the Time-based One Time Password window, clickEnable.
Any device in your org for which MFA has been enabled will now require TOTP MFA. Enable MFA on the devices manually by following the steps below.
Enabling TOTP MFA for Your Devices
To enable TOTP MFA on your devices:
- Log in to the Admin Portal:https://console.jumpcloud.com/login.
- Go toDEVICE MANAGEMENT > Devices.
- Select the checkbox next to the devices you want to enable TOTP MFA on.
- Clickmore actions.
- SelectEnable MFA.
- Confirm by selectingenable.
Once devices are enabled, users need to be enabled and they need to enroll in TOTP MFA. See Configure TOTP MFA for User Accounts for more information.
Learn more about enabling TOTP MFA for individual devices below:
- EnableTOTP MFA Linux SSH
- EnableTOTP MFA for Mac
- EnableTOTP MFA for Windows
Tip:
To see your users' experience when logging in with TOTP, see JumpCloud Protect for End Users.
Enable TOTP MFA for Linux
Considerations:
- If it’s not already installed by default, an admin willneed to install an OpenSSH serverfor the specific case where they intend to require MFA to log in via SSH. If you want to require MFA forSSH logins, ensure openssh-server is installed before installing the JumpCloud agent.
To enable MFA for SSH on a Linux system:
- Log in to the JumpCloud Admin Portal:https://console.jumpcloud.com/login.
- Go toDEVICE MANAGEMENT > Devices.
- Select a Linuxdevice.
- If MFA Login is disabled, deselect Allow SSH Password Login or Enable Public Key Authentication. If both options are selected, MFA can’t be enabled.
- Click MFA Login Disabled and choose Enable MFA Login.
- Click Save Device.
Tip:
You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.
Enable MFA for Mac
Considerations
- Don’t enable TOTP MFA for OS X if the device is already using or has configured another multi-factor authentication service or authentication plug-in. Doing so could cause adverse results, like not being able to access the device.
- TOTP MFA only affects the OS login screen. FileVault decryption, screen saver, lock screen, etc. aren’t affected by this setting.
- Devices that run macOS 12 Monterey on devices with small display areas might experience issues. MacOS Monterey has reduced the size of the login window for all MFA logins, including TOTP and Push. If your macOS Monterey device has a display that is less than 900 px in height, you might experience a display overlap between the login area and the policy text that is displayed on the screen. There is no workaround, and JumpCloud suggests that you use a macOS device with a vertical display that is more than 900 px high.
To enable MFA for a Mac Device:
- Log in to the Administrator Portal:https://console.jumpcloud.com/login.
- GotoDEVICE MANAGEMENT>Devices.
- Check the box next to the Mac device that you want to viewDetailsfor.
- Click on themore actionsdropdown menu in the right-hand corner.
- ClickEnable MFAorDisable MFA.
- You receive a pop-up with information about enabling MFA on your selected device, clickenable, and you will receive a notification that the device was saved successfully.
- TheMFA Statuscolumn is updated with a green lock icon.
- You can disable MFA from the selected device’sDetailspage on the Highlights tab > Device Configuration, toggleMFA Login Enabled toMFA Login Disabled.
- Save Device.
- After you enable MFA for adevice, users will see a modified login window that prompts for a TOTP token.
Tip:
You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.
Enable MFA for Windows
Considerations:
- MFA is only supported and functional for Windows 10 and above.
- JumpCloud MFA employs the use of a credential provider. When MFA is enabled on a Windows system, and a user that is required to use MFA is bound to the system, all other Windows credential providers are disabled.
- To ensure systems can be recovered when users have issues logging in, MFA can be bypassed by booting a Windows system in safe mode. You can prevent non-admin users from logging in to Windows systems in safe mode by setting theHKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SafeModeBlockNonAdminsregistry to 1.
- A TOTP token is only required when a user initially logs in to their JumpCloud-managed Windows system. When a user locks their screen, they aren’t required to enter a TOTP token to unlock their system.
Note:
If the 'Display User Info When the Session is Locked' policy AND the 'Do Not Display Last Username on Logon Screen' policy are enabled, users will have to enter MFA to unlock their system. These policies are included in each of the templated JumpCloud Enhanced Security groups.
- Newer versions of Windows have the configurable option to keep users logged in through a reboot. The default setting for this option is to keep users logged in. As a result, users of computers with this option enabled aren’t required to provide a TOTP token after a reboot.
- Users must have a TOTP app to generate TOTP tokens. JumpCloud recommends using JumpCloud Protect.
- TOTP MFA is supported for Remote Desktop.
- You may need to disable Windows Automatic Restart Sign-on (ARSO) to force the TOTP authentication prompt on the Windows login screen after a machine reboot. This can be done one of two ways – via a policy or via a PowerShell command. See To disable Windows ARSO below.
To enable MFA for a Windows system:
- GotoDEVICE MANAGEMENT>Devices.
- Check the box next to the Windows device that you want to viewDetailsfor.
- Click on themore actionsdropdown menu in the right-hand corner.
- ClickEnable MFAorDisable MFA.
- You receive a pop-up with information about enabling MFA on your selected device, clickenable, and you will receive a notification that the device was saved successfully.
- TheMFA Statuscolumn is updated with a green lock icon.
- You can disable MFA from the selected device’sDetailspage on the Highlights tab > Device Configuration, toggleMFA Login Enabled toMFA Login Disabled.
- Save Device.
- After you enable MFA for adevice, users will see a modified login window that prompts for a TOTP token.
Tip:
You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.
After you save, TOTP MFA is enabled on the system and users that have been required TOTP MFA and are connected to the system will see a modified login screen that prompts them for a TOTP token.
Disabling Windows ARSO
You may need to disable Windows Automatic Restart Sign-on (ARSO) to force the TOTP authentication prompt in the Windows login screen after a machine reboot. This can be done one of two ways - via a policy or via a PowerShell command.
To disable Windows ARSO with a policy:
Create a policy with the following values to disable Windows ARSO:
- Registry Key Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Value Name: DisableAutomaticRestartSignOn
- Type: DWORD
- Data: 1
Important:
This registry key (and interface change) will not appear until the device has run through a group policy update cycle. The default group policy update cycle time is every 90 minutes with a randomized offset of up to 30 minutes.
To disable Windows ARSO with a command:
Run the following PowerShell command using the JumpCloud Commands module to disable Windows ARSO:
#Get Execution Policy currently
$exec_pol = Get-ExecutionPolicy
#Set Execution Policy to run script
Set-ExecutionPolicy Unrestricted
# Import JC PoSh module
Import-Module "C:\Program Files\JumpCloud\policies\JumpcloudPolicies\JumpcloudPolicies"
$automaticRestartSignOn = @{
policypath = 'C:\Windows\system32\GroupPolicy\Machine\Registry.pol';
policykey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
policyValuename = 'DisableAutomaticRestartSignOn';
policyType = 'DWord';
policyData = '1'
}
install-jcpolicy @automaticRestartSignOn
gpupdate /force
Set-ExecutionPolicy $exec_pol
To reverse the PowerShell command and remove the local group policy, run the following PowerShell command on the device in JumpCloud Commands:
# Import JC PoSh module
Import-Module "C:\Program Files\JumpCloud\policies\JumpcloudPolicies\JumpcloudPolicies"$automaticRestartSignOn = @{
policypath = 'C:\Windows\system32\GroupPolicy\Machine\Registry.pol';
policykey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
policyValuename = 'DisableAutomaticRestartSignOn';
}
uninstall-jcpolicy @automaticRestartSignOn
gpupdate /force
Viewing Users’ MFA Status on the Device
To determine the TOTP MFA status ofusers connected to this device:
- Go totheDEVICE MANAGEMENT>Devices.
- Select adevice and click theUserstab..
- The user MFA Status is shown in theMFA:TOTPcolumn.
Back to Top
