
JumpCloud Admin Implementation Guide

Welcome to JumpCloud! Thank you for entrusting us to manage your users and systems. This document gives you a proven, structured approach to implementing our directory services in your organization. Whether you’re migrating to JumpCloud from another directory service, or are beginning to organize and secure your environment, this guide will help you to successfully design, test, and implement JumpCloud.

- The JumpCloud Team


Terminology

Get to know our product terminology:

  • Administrator: JumpCloud administrators configure and manage JumpCloud for their organization.
  • User: JumpCloud users access their company resources through JumpCloud.
  • System: A device running macOS, Windows, or Linux that is managed through JumpCloud. Admins can provision users to systems, deploy policies to systems, and execute commands on systems through JumpCloud.
  • Groups: JumpCloud connects groups of users to company resources. For example, connect a group of users to SSO applications, RADIUS servers, and directories like G Suite and Office 365. You can also connect groups of users to groups of systems.
  • Directory: A directory service organizes information about a network's users and resources. JumpCloud integrates with a variety of popular directory services like G Suite and Office 365 to sync user accounts. These integrations let JumpCloud act as an authoritative directory with a single set of credentials that can be used across all directory services.
  • Device: A computer or server.
  • Applications: Single Sign-On (SSO) SAML 2.0 applications that you can connect with JumpCloud, such as Slack, Salesforce, AWS, CakeHR, and many more.

Before You Start: Best Practices

Follow these best practices to ensure a successful implementation and adoption.

Set Up and Management

  • Avoid surprises. Sign up for a free testing account so that unexpected and unintended consequences show up there rather than in production.
  • Test and explore. Have a plan. Set up a staging environment, install the JumpCloud Agent, and test any changes in a staging environment that mirrors your production systems as closely as possible. This will be helpful for initial implementation, ongoing maintenance, and updates. If you’d like some helpful ideas and recommendations on items to test, contact us at support@jumpcloud.com.
  • Be consistent. The foundation for efficient, fast scaling is consistency. Successful scaling starts with a good understanding of JumpCloud Groups.
 

Support and Troubleshooting

Get help from our Support page: https://support.jumpcloud.com.

1 - Build Users in JumpCloud

This step involves building the user directory. You'll connect users with systems in the Going Live steps.

End User Impact: None/Low

Import Types and Privileges required:

  • CSV Import: None
  • G Suite Directory Import: Super Administrator credentials are required
  • Office 365 Directory Import: Global Administrator credentials are required

Considerations:

  • CSV imported users without an initial password receive a welcome email from JumpCloud. If you want to stage users in JumpCloud before sending a welcome email, set an initial password for them.
  • Adding or importing users into JumpCloud has no effect on existing accounts until the user is associated with a resource (System, G Suite/Office 365 Directory).
  • If you want JumpCloud to take over existing user accounts, the JumpCloud username must EXACTLY MATCH the local system username. If there is no exact match, JumpCloud treats the username as new and creates a new user profile when the user is bound to the system. See JumpCloud User Naming Convention.
  • Usernames for users imported from G Suite or Office 365 are the prefix of their email address. Consider whether this matches your local system usernames, or whether you intend to create new local user accounts. Note that you can only rename user accounts that aren't yet bound to a resource.
    • Example: testuser123@domain.com will have a username of: testuser123.
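The exact-match rule above is easy to get wrong at scale, so a pre-import check is worth running before any user is bound to a system. The script below is an added example, not JumpCloud's own tooling: it derives each user's JumpCloud username the way the import does (the "username" column if present, otherwise the email prefix) and compares it with the account names already present on a system. It assumes a comma-separated CSV with a header row and no quoted commas, and a local account list captured beforehand (for instance with `getent passwd | cut -d: -f1` on Linux or `dscl . list /Users` on macOS). Both sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not JumpCloud's own code: pre-import check for the exact-match rule.
# Assumptions: comma-separated CSV with a header row and no quoted commas; the local
# account list was captured beforehand, one name per line, e.g.
#   getent passwd | cut -d: -f1        (Linux)
#   dscl . list /Users                 (macOS)

# classify_usernames USERS_CSV LOCAL_USERS_FILE
# Prints one line per user:
#   TAKEOVER <name>       an identical local account exists (binding takes it over)
#   CASE-MISMATCH <name>  a local account differs only in case: NOT an exact match,
#                         so resolve it before binding
#   NEW <name>            no local account; binding creates a new one
classify_usernames() {
    awk -F, -v localfile="$2" '
        BEGIN {
            while ((getline l < localfile) > 0) {
                sub(/\r$/, "", l)
                exact[l] = 1
                bycase[tolower(l)] = l
            }
        }
        NR == 1 {
            # Locate the "username" and "email" columns whatever their order.
            for (i = 1; i <= NF; i++) {
                h = tolower($i); sub(/\r$/, "", h)
                if (h == "username") ucol = i
                if (h == "email")    ecol = i
            }
            if (!ucol && !ecol) { print "ERROR: no username or email column" > "/dev/stderr"; exit 2 }
            next
        }
        {
            sub(/\r$/, "")
            name = ""
            if (ucol) name = $ucol
            # No explicit username: the import uses the email prefix.
            if (name == "" && ecol) { name = $ecol; sub(/@.*/, "", name) }
            if (name == "") next
            if (name in exact)                 print "TAKEOVER " name
            else if (tolower(name) in bycase)  print "CASE-MISMATCH " name " (local: " bycase[tolower(name)] ")"
            else                               print "NEW " name
        }
    ' "$1"
}

# Constructed sample inputs, written into directory $1.
make_sample_inputs() {
    cat > "$1/users.csv" <<'EOF'
firstname,lastname,username,email
Jane,Smith,jsmith,jsmith@example.com
Test,User,,testuser123@example.com
Alex,Lee,alee,alee@example.com
EOF
    cat > "$1/local_users.txt" <<'EOF'
root
jsmith
ALee
EOF
}

# Stand-alone run against the constructed inputs.
tmp=$(mktemp -d)
make_sample_inputs "$tmp"
classify_usernames "$tmp/users.csv" "$tmp/local_users.txt"
rm -rf "$tmp"
```

Run it once per representative system (or per exported account list) before Going Live; anything reported as CASE-MISMATCH will not be taken over on Linux or macOS, where usernames are case-sensitive, and should be renamed in JumpCloud while the user is still unbound.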
       
Step-by-step Implementation links:

CSV Import

G Suite Directory Import

Don't connect users to the G Suite Directory until you're ready to Go Live.

Office 365 Directory Import

Don't connect users to the Office 365 Directory until you're ready to Go Live.

Active Directory Import API


 

2 - Deploy Agents to Systems

You should deploy the JumpCloud agent on any systems that you want JumpCloud to manage. You can install the JumpCloud agent on systems that are joined to a domain; however, the agent won't start until the system is removed from the domain.

End User Impact: None /  Low

Required Privileges:

  • Local or Remote root / administrator access to the system.

Supported Operating Systems:

Considerations:
  • Choose between command-line (scripted) and manual installation based on current environment size, expected future growth, and desired deployment practices.
  • Establish a consistent naming convention for your user accounts. Verify that your JumpCloud usernames exactly match the usernames on existing systems to ensure proper account takeover.
  • Consider establishing a consistent naming convention for system names. See Clarification on System Names.
  • Ensure that the network is configured to allow the agent to communicate with JumpCloud's servers.
Implementation Steps:

  • macOS
  • Windows
  • Linux
 

3 - Configure JumpCloud

 

Create User Groups

Groups are the best way to control users' access to resources. If the groups will be used to control access to a resource, connect the group to the resource.

End User Impact: Low

Considerations:
  • Create groups as needed for a given resource, and add user groups to the resources.
  • Establish a naming convention for user groups that aligns across your team.
  • Determine a consistent, scalable structure for groups.
  • User groups should be used to control access to systems, SSO applications, and directories like G Suite, Office 365, and LDAP.
Implementation Steps:

Getting Started: Groups


Create System Groups

System groups can be used to control user or user group access to systems.

End User Impact: Low

Considerations:
  • Policies are applied to system groups.
  • System groups can contain a mix of operating systems.
  • Create groups as needed for your systems.
  • Connect systems to groups.
  • Determine a scalable groups structure.

Implementation Steps:

Getting Started: Groups

 

4 - Going Live  

 

Educate Your Employees


JumpCloud is your Directory-as-a-Service. Send the following links to your organization's employees, who are your JumpCloud end users. See Email Templates and Recommendations for Educating Users for example user communications.

End User Impact: High

Ensure end users understand that JumpCloud now manages their identity, and that their access to systems, applications, and other resources is controlled through it.
  • Users update their passwords from the User Portal or from their JumpCloud Mac app. See How Do I Change My JumpCloud User Account Password?
  • Users can't update their passwords on their systems.
  • If Mac users update their passwords in the JumpCloud User Portal instead of in the JumpCloud Mac app, they'll have to log out and log back in to update their Keychain and FileVault password.
  • G Suite and Office 365 users change their passwords in the JumpCloud User Portal.
Considerations:
  • User activation: setting a temporary password vs. sending the user activation email.
  • Notifying applicable users that they will be receiving a Welcome email from JumpCloud.
  • Educate all users, including G Suite and Office 365 users, that they change their password in the JumpCloud User Portal or in the JumpCloud Mac app.
Implementation Steps:
  • Customize organization information in the JumpCloud Admin Portal in Settings.
  • Communicate workflow changes to users.
 

Going Live - Scenarios


End User Impact: High - Users will be using their JumpCloud identities / accounts to authenticate to resources.

Prerequisites
  • JumpCloud agent is installed.
  • System status is green in the Admin Portal.
  • Users are active in JumpCloud.
  • JumpCloud and system usernames match.
  • User and system groups are created and connected to resources.
  • Users have been notified of the change and understand where to update their passwords.
  • Admins understand the expected behavior when users and systems are connected.
  • You have successfully tested systems in your environment.
Considerations:
  • Whether to use a phased roll-out or a big-bang approach of going live with all users and systems at one time.
    • Phased roll-out: useful when most users can migrate to JumpCloud right away but some group is constrained by timing, and for organizations with distributed teams. We recommend this approach for going live.
    • Big-bang: all users and systems are migrated at the same time.
  • Ensure that the timing of the Go Live won't disrupt business operations, and that support staff are ready to assist if needed.
  • Windows Live (Microsoft) accounts aren't supported and will need to be converted to local accounts. See Unlink a Windows Live account.
  • If you're using G Suite or Office 365 directory sync, users receive a welcome email when their JumpCloud account is bound to the G Suite or Office 365 directory.
Existing Account Takeover (All OSes)

Implementation Steps
  1. Connect the user to a system on the Systems tab of the user's Details panel.
  2. Allow 60 seconds for the synchronization to occur.
  3. Advise users to log out and log back in with their JumpCloud account credentials.
  4. You can rename users on local systems following the steps included in Changing Existing Usernames in Systems.
Be aware that changing usernames on Mac and Linux isn't generally recommended unless you have full understanding of the impacts of doing so. Changing the username on these platforms can have adverse effects on application and file access.

New Local Accounts (All OSes)

Implementation Steps:
  1. Connect the user to a system on the Systems tab of the user's Details panel.
  2. Allow 60 seconds for the synchronization to occur.
  3. Advise user to log in with their JumpCloud account credentials.
 

Policies

JumpCloud Policies let admins control the behavior of systems for various purposes, most commonly to enforce security standards. Policies are set through the JumpCloud Admin Portal and require no coding skills. After they are configured, admins can deploy policies to groups of systems and monitor the status of each device to ensure the policy is enabled.

End User Impact: Low to High, depending on the policy

Considerations:
  • Policies are applied to system groups.
  • Policies can be applied to all users, or only JumpCloud managed users.
  • Some policies require additional action, such as user log out / log in, or system restart to take effect. Refer to the Policy Activation Details for more information.
  • Some policies are only compatible with certain OS versions.
Implementation Steps
  • Create a new policy, configuring any required settings.
  • Connect the policy to a system group.
 

G Suite Directory Sync

To use JumpCloud's G Suite Directory integration, one of the following Google licenses is required:

  • G Suite for Business
  • G Suite for Education
  • G Suite Basic (requires valid payment input for user additions)

Prerequisites:

  • An active G Suite domain.
  • A G Suite Domain Admin (Super Administrator) account to authorize the sync.

End User Impact: Medium (User workflow impacted)

Considerations:
  • Users should be notified that JumpCloud will be managing their G Suite credentials, and informed on how they should update their passwords going forward.
  • Users that are removed from the G Suite Directory Sync will have their accounts suspended in G Suite.
  • The G Suite Directory Sync has to be reauthorized every 90 Days.
  • FAQ - G Suite User Provisioning and Sync
Implementation Steps:
  • We recommend using User Groups to connect users to the G Suite Directory. See G Suite User Import, Provisioning, and Sync.
  • Users will receive an email to set or reset their JumpCloud password to complete synchronization.
  • If a user’s current Google Apps password meets JumpCloud password complexity requirements, and they opt to use that for JumpCloud registration, from their perspective there is no password reset, although they may be logged out of their active Google sessions.
  • Monitor adoption with the user status in the JumpCloud Admin Portal. Resend emails as necessary.
  • Watch how: G Suite Integration Video Tutorial

Office 365 Directory Sync
 

End User Impact: Medium (User workflow impacted)

Prerequisites:

  • Office 365 Directory Sync Authorized in JumpCloud.
  • Users exist in the JumpCloud Directory.
  • Users have been notified of the upcoming change.

Considerations:

  • Users should be notified that JumpCloud will be managing their Office 365 credentials, and informed on how they should update their passwords going forward.
  • Users that are removed from the Office 365 Directory Sync will have their accounts suspended in Office 365.
  • The Office 365 Directory Sync has to be reauthorized every 90 Days.
  • FAQ - Office 365 User Provisioning and Sync

Implementation Steps:

  • We recommend using User Groups to bind users to the Office 365 Directory. See Office 365 User Import, Provisioning, and Sync.
  • Users will receive an email to set or reset their JumpCloud password to complete synchronization.
  • If the user's current Office 365 password meets JumpCloud password complexity requirements and they opt to use that for JumpCloud registration, from their perspective there is no password reset, although they may be logged out of their active sessions.
  • Monitor adoption with the user status in the JumpCloud Admin Portal. Resend emails as necessary.
  • Watch how: Office 365 Integration Video Tutorial


Applications (SSO / SAML)
 

End User Impact: Medium (User workflow impacted)

Considerations:

  • Enabling SSO for a Service Provider (SP) typically disables username/password authentication for all of its users. Test during a maintenance window, or in a sandbox environment if available.
  • Service Provider requirements.
  • Administrators should be able to generate a certificate / private key pair: JumpCloud signs SAML assertions with the private key, and the Service Provider uses the public certificate to validate those signatures. See Generating a Public Certificate / Private Key Pair Using OpenSSL.
  • Users should be educated on how they will authenticate into applications after SSO is enabled.
  • SP initiated vs. IdP initiated SSO.

Implementation Steps:

  • Review SSO documentation for both JumpCloud and the Service Provider.
  • Generate the certificate / private key pair.
  • Create a User Group to manage application assignment.
  • Grant user access by assigning users to the appropriate groups.
  • Go Live: Enable SSO in the Service Provider settings.
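The certificate / private key step is where most SSO go-lives stall, usually because the certificate uploaded to the Service Provider does not belong to the key JumpCloud signs with. The script below is an added example, not JumpCloud's own procedure: it generates the pair with OpenSSL, confirms that key and certificate share the same RSA modulus and that the certificate is currently valid, and prints the SHA-256 fingerprint to compare against what the Service Provider displays after upload. It assumes OpenSSL is installed; the subject name, RSA-2048 and the three-year validity are choices made for this example, not values the guide prescribes.

```shell
#!/bin/sh
# Added example, not JumpCloud's own procedure: generate and verify the
# certificate / private key pair used to sign SAML assertions for an SSO app.
# Assumptions: OpenSSL is installed; subject, key size and validity are
# example choices, not values JumpCloud prescribes.

# gen_saml_keypair BASENAME -> writes BASENAME.key (private, mode 0600) and BASENAME.crt
gen_saml_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "/CN=jumpcloud-sso-example" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null || return 1
    chmod 600 "$1.key"
}

# verify_saml_keypair BASENAME -> returns 0 only if the private key matches the
# certificate (identical RSA modulus) and the certificate has not expired.
# A mismatched pair surfaces at the Service Provider as signature-validation
# failures that are hard to diagnose from the login page alone.
verify_saml_keypair() {
    key_mod=$(openssl rsa  -in "$1.key" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$1.crt" -noout -modulus 2>/dev/null) || return 1
    [ "$key_mod" = "$crt_mod" ] || return 1
    openssl x509 -in "$1.crt" -noout -checkend 0 >/dev/null 2>&1
}

# cert_fingerprint BASENAME -> SHA-256 fingerprint to compare with the value the
# Service Provider shows after the certificate is uploaded.
cert_fingerprint() {
    openssl x509 -in "$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone run: create a pair in a temporary directory, verify it, and print
# the fingerprint plus the certificate's validity window.
work=$(mktemp -d)
gen_saml_keypair "$work/sso-app" && verify_saml_keypair "$work/sso-app" \
    && echo "OK: key and certificate match, fingerprint $(cert_fingerprint "$work/sso-app")" \
    && openssl x509 -in "$work/sso-app.crt" -noout -dates
rm -rf "$work"
```

Keep the .key file out of ticketing systems and chat; only the .crt is shared with the Service Provider. Record the fingerprint and the expiry date from the `-dates` output so the certificate can be rotated before the SP starts rejecting assertions.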

SSO Scenarios: SP initiated & IdP initiated

  • The SP initiated workflow is the scenario where SSO is enabled for an application and a user attempts to log in via the SP. The expected behavior is that the user is redirected to the JumpCloud login page. After they log in, the user is authenticated and logged in to the SP.
  • The IdP initiated workflow is the scenario where a user logs in to their JumpCloud User Portal and logs in to an application via one of the application icons in their Portal dashboard.

     

Configure LDAP-as-a-Service 

End User Impact: Medium (User workflow impacted)
 

Prerequisites:

  • Service Provider LDAP configuration documentation and/or support.
  • A working LDAP Binding User (This is the service account for JumpCloud LDAP).
  • JumpCloud Users have been bound to the LDAP Directory.
Considerations:
  • LDAP Binding Service account naming convention.
  • LDAP configurations vary depending on the Service Provider.
  • Naming conventions for LDAP Groups.
  • Familiarity with ldapsearch for testing and troubleshooting. See Using ldapsearch with JumpCloud.

Implementation Steps:

  1. Prepare an LDAP Binding User account. See Using JumpCloud's LDAP-as-a-Service.
  2. Complete LDAP configuration within the Service Provider. See JumpCloud LDAP Resources.
  3. Test connectivity. This may not be available for all vendors.
  4. Go live by enabling LDAP authentication in the Service Provider configuration.

Configuring RADIUS-as-a-Service


End User Impact: Medium (User workflow impacted)
 

Prerequisites:

  • JumpCloud Users connected to a user group.
  • Users have activated their JumpCloud accounts.
  • Wireless Access Points (WAPs) that support RADIUS authentication.

Considerations:

Implementation Steps:

  1. Configurations vary by vendor. For RADIUS basics and vendor-specific setup docs, see JumpCloud RADIUS Resources.
  2. Associate users to the configured RADIUS resource via prepared groups.
  3. Meraki-specific instructions: Configuring Cisco Meraki WAPs to JumpCloud RADIUS.

Examples of User Activation Emails

This section shows you some of the emails users receive after you add users and integrate your directory with JumpCloud.

 

Standard User Activation Email

G Suite User Activation Email

Office 365 User Activation Email




 
 

Last Updated: Jun 13, 2019 02:25PM MDT
