JumpCloud Agent Compatibility, System Requirements, and Impacts

This article includes details about OS compatibility, installation requirements, and changes made to your device during installation of JumpCloud’s agent. Use this information to perform these tasks:

  • Make sure you’re using a supported OS before you install the agent.
  • Find the files and directories used during installation to troubleshoot issues.
  • Verify files and directories are installed correctly before you contact Support.

You can review our prospective end of support timelines in Prepare Now for End of Support.

Note:

JumpCloud supports iOS devices, such as iPhones, iPads, and Apple TVs, but the JumpCloud agent is not installed on those devices. For more information, see Enrolling iOS Devices in MDM.

Mac

Supported macOS versions

  • Monterey 12.x
  • Ventura 13.x
  • Sonoma 14.x
  • Intel and Apple Silicon devices are supported.

Considerations

  • For Macs running macOS Monterey and later, the JumpCloud Agent requires Full Disk Access permissions to enable communication with the authentication controls on the device. See Granting Full Disk Access Permissions to the JumpCloud Agent for MacOS.
  • Pre-release or Release Candidate (RC) versions of OS releases are not supported.
  • If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
  • As of December 31, 2023, JumpCloud no longer supports macOS 11.X Big Sur.
  • As of December 15, 2021, JumpCloud no longer supports macOS Mojave 10.14.
  • As of November 30, 2020, JumpCloud no longer supports macOS High Sierra 10.13.
  • As of April 14, 2020, JumpCloud no longer supports macOS Sierra 10.12.

Note: If an unsupported device is assigned to the JumpCloud MDM server in Apple Business Manager (ABM), it will attempt to install the agent, which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.

Warning:

Do NOT release the device from ABM. Devices released from ABM will need to be re-enrolled using Apple Configurator for iOS. See the Apple Configurator User Guide.

Term Definition & Service
Login Password (or User Password)
  1. This is the primary credential that is linked with your keychain  and FileVault (if enabled).
  2. This password is used to log into your local user account in macOS. 
Bootstrap Token
  1. Bootstrap Tokens grant a secure token to mobile or MDM administrator accounts.

  2. These won't be created automatically if the first user created is a standard user during MDM enrollment, or if local account creation is skipped entirely.

  3. Only available after MDM enrollment (JumpCloud MDM currently doesn't use this feature).

Keychain
  1. Keychains are linked to the user when the user is created.
  2. Shares password with user account.
  3. Keychain password is only available to the user, and not the administrator.
  4. If the keychain password is lost, the user loses access to that keychain, and a new keychain is created.
  5. Keychain passwords can become out of sync two different ways:
    • User login password change outside the Mac. For example, an Active Directory (AD) password change done in AD outside of macOS.
    • User login password reset executed by an administrator on device. 
FileVault (FV)
  1. FileVault is the service that encrypts disks in macOS using an encryption key.
  2. Shares password with the administrator account that enabled it.
  3. This key can become out of sync if the following occurs:
    • A password change via script.
    • AD password change outside the Mac.
  4. You can avoid FV lockouts in the following ways:
    • Having a second administrator on the Mac with a secure token.
    • If the password is changed, store the old password somewhere safe, it can be used to decrypt FV.
  5. Warning: Do not reboot!
    • If you have rebooted, you will need another account with a secure token to unlock FV.
    • If you don't have the passwords, or a valid account and password to decrypt the FV volume, you have to use the Recovery Key. 

Changes Made to Your MacOS Device During Installation

Installation Files, Directories, or Settings Locations and Details
Installer Filename jumpcloud-agent.pkg
Launch Daemon com.jumpcloud.darwin-agent
Primary Installation Directory /opt/jc/
Installation and Service Log Directory

/var/log/jc*.log

You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online devices.

JumpCloud Menu Bar App Tray Log Directory ~/Library/Logs/JumpCloud
JumpCloud Go

These components are installed to suport JumpCloud Go authentication:

  • LaunchDaemon: /Library/PrivilegedHelperTools/com.jumpcloud.JumpCloudGoHelper
  • LaunchAgent: /opt/jc_user_ro/JumpCloudGo.xpc
  • Native message host: /opt/jc_user_ro/JumpCloudGo-Chrome
  • /Library/Google/Chrome/NativeMessagingHosts/com.jumpcloud.jumpcloudgo.json
  • /Library/LaunchDaemons/com.jumpcloud.JumpCloudGoHelper.plist
  • /Library/LaunchAgents/com.jumpcloud.JumpCloudGo.plist
Device Trust

The jumpcloud-user-agent application handles actions that must be performed in a user’s context:

  • App location -  /opt/jc_user_ro/jumpcloud-user-agent
  • Log file -  /Users/<username>/Library/Logs/JumpCloud/jc-user-agent.log

The log file is present for every user on the device, whether or not the user is managed by JumpCloud, because the user-agent runs for each logged-in user. However, the agent will only install and manage certificates for managed users.

User-agent Management

To ensure that the JumpCloud user-agent is started when the user logs in and is restarted automatically, the agent installer places a properties list file here:

/Library/LaunchAgents/com.jumpcloud.user-agent.plist

Certificate Management

When the JumpCloud user-agent requests new Device Trust certificates for the user, it creates a new MacOS keychain:

/Users/username/Library/Keychains/jumpcloud-device-trust-keychain-db

It stores the password to unlock this keychain in the user’s login keychain in this item: JumpCloud Device Trust Keychain Password.

The user-agent imports the Device Trust certificates and private key into this new keychain.

Certificate Auto-Selection for Safari

Safari looks for identity preference settings in the user’s login keychain to automatically select certificates. The user-agent creates identity preferences in the keychain to associate the Device Trust certificate with two JumpCloud URLs:

Certificate Auto-Selection for Chrome

On MacOS, Chrome uses a properties list (plist) file to configure certificate auto-selection filters. The user agent will update the user’s current ‘Library/Preferences/com.google.chrome.plist’ file if it’s present or create a new file if it's not.

The auto-selection filters allow Chrome to find a certificate in the keychain to apply to a given URL. The selection filters will match a cert with a Subject Organizational Unit (SUBJECT:OU) of JumpCloud Device Trust to two JumpCloud URLs:

Custom Login Window

/Library/Preferences/com.apple.loginwindow.plist

/Library/Security/SecurityagentPlugins/jumpcloud-loginwindow.bundle/Contents/Info.plist

TOTP Key Files

When enabled, key files are stored on a per user basis in this directory at this path:

/etc/ssh/jumpcloud_totp/${USER}

JumpCloud manages this based on users having uploaded  public keys to JumpCloud.

JumpCloud-managed Sudo Users

JumpCloud enables sudo users by adding those users to:

 /etc/sudoers.d/00-USERNAME-jumpcloud

All JumpCloud-managed users will be added to the path. However, non-privileged users will contain a configuration file that explicitly denies sudo privileges.

System Insights OS Query

/opt/jc/bin/jcosqueryi

Note: OS query is only installed when System Insights is enabled.

Additional MacOS Considerations:

Windows

Supported Windows Versions:

  • 10 (64 bit)
  • 11
  • Server: 2012 R2
  • Server: 2016 (64 bit)
  • Server: 2019
  • Server: 2022

Considerations:

  • If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
    • As of June 16, 2023, the JumpCloud agent will not be updated past version 1.115.1 on 32-bit devices.
    • As of June 16, 2023, the JumpCloud tray application will not be updated past version 1.32.0 on 32-bit devices.
    • As of February 18, 2022, JumpCloud no longer supports Windows 8.1.
    • Beginning on May 11, 2021, we only support Windows 10 build 1909 and above. Learn more: Windows 10 Release Information.
    • As of June 30, 2020, we don’t support the JumpCloud agent on 32-bit devices.
    • As of June 30, 2020, JumpCloud no longer supports Windows 8.
    • As of April 14, 2020, JumpCloud no longer supports Windows 7 or Windows 2008 + R2.
  • International versions of Windows are supported. However, certain international character sets may cause the following issues:
    • Cosmetic issues in the Device detail views.
    • Adverse results in Command execution in the Admin Portal.
    • Non-English locales aren’t supported by JumpCloud policies.
  • Home versions of Windows are supported in the following ways:
    • The JumpCloud agent can be installed.
    • Conditional access is supported.
    • JumpCloud policies and security commands are currently unsupported.
  • Enhanced Security Configuration on Windows Server 2019 blocks our ability to auto-select the certificate in Internet Explorer and certain versions of Edge; disable Enhanced Security Configuration for users so that they aren’t prompted when accessing JumpCloud-managed resources.
  • Release Candidate (RC) versions of O/S releases are not supported.
  • The JumpCloud agent is not compatible with Duo System Agent Authentication for Windows. 
  • JumpCloud no longer supports Windows ARM devices. 

Note:

PowerShell is required for Windows agent functionality.

Component Requirement
Disk Usage

166 MB minimum

This includes C++ runtime components

Memory Usage 6 MB minimum
C++ Runtimes MS Visual C++ 2013 Redistributable package (x86_64)

Changes Made to Your Windows Device During Installation

Installation Files, Directories, or Settings Locations and Details
Installer Filename jcagent-msi-signed.msi
SERVICE-NAME jumpcloud-agent
Primary Location of JumpCloud Agent

C:\Program Files\JumpCloud

Service Log Directory

C:\Windows\Temp\jcagent.log

You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online devices.

Installation Log Directory

C:\Users\username\AppData\Local\Temp\jcagent.log

The log file lives in the directory for the admin user who installs the agent.

JumpCloud Go

These components are installed to support JumpCloud Go authentication:

  • C:\Program Files\JumpCloud\JumpCloudGo\JumpCloudGo-Chrome.exe
  • C:\Program Files\JumpCloud\JumpCloudGo\com.jumpcloud.jumpcloudgo.json
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.jumpcloud.jumpcloudgo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.jumpcloud.jumpcloudgo
Device Trust

The jumpcloud-user-agent application handles actions that must be performed in a user’s context:

  • App location - C:\Program Files\JumpCloud\jumpcloud-user-agent\jumpcloud-user-agent.exe
  • Log file -  C:\Users\<username>\AppData\Local\Temp\jc-user-agent.log
Certificate Management

The agent and user-agent import certificates into Windows Certificate Stores:

  • The agent imports the root certificate into the System Certificate Store. This action requires administrative privileges, which is why the agent performs this import.
  • The user-agent imports the intermediate certificate into the user’s Intermediate Certificate Store.
  • The user-agent imports the leaf cert and private key into the user’s Personal Certificate Store.
Certificate Auto-Selection for Chrome and Edge

To support certificate auto-selection in Chrome and Edge, the agent creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ 

AutoSelectCertificateForUrls

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ 

AutoSelectCertficateForUrls

The agent adds an entry for the ‘https://device-cert.jumpcloud.com’ URL if it doesn't exist.

Registry Keys Added

HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\JumpCloud agent\ConfigFile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\{96542816-DAD1-4D02-8363-CA4121E5CAE7}_is1

System Insights OS Query C:\Program Files\JumpCloud\jcosqueryi.exe

Additional Windows Considerations

  • After you create a JumpCloud account for a user and the account is active, you can associate the user with a JumpCloud-managed Windows device. When you bind a user to a device, we add the user’s account to the following local groups:
    • Standard User Windows Local Groups (for user accounts with no local administrator permissions):
      • Users
      • Remote Desktop Users
    • Administrator User Windows Local Groups (for user accounts with local administrator permissions):
      • Administrators
      • Users
      • Remote Desktop Users
    • If you manually remove a user account from one of these groups, the agent on the Windows device restores these associations when you save any changes in the Administrator Portal.
  • Windows Live! isn’t supported. See Use Microsoft Accounts with JumpCloud
  • See JumpCloud agent Port Requirements.
  • See Adding the JumpCloud agent to an allow list.

Linux

Core packages are central to the running of a Linux distribution because they contain files for functionality, such as connecting to the Internet, managing and repairing file systems, and the system setup process (e.g. openssh). The packages you’re required to install for the JumpCloud agent to work varies by OS version and are listed in the following table.  

Considerations

  • Release Candidate (RC) versions of O/S releases aren’t supported.
  • If the JumpCloud agent is installed on an unsupported version or combined with a non-default desktop environment, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
    • As of December 2022, JumpCloud no longer supports:
      • CentOS 8
      • Fedora 35
    • As of September 2022, JumpCloud no longer supports:
      • Debian 9
      • Fedora 34
      • Mint 18
      • Ubuntu 21.04
    • As of August 8, 2022, JumpCloud no longer supports Amazon Linux 2013 – 2018.
    • As of April 30, 2021, JumpCloud no longer supports Ubuntu 16.04.
    • As of November 30, 2020, JumpCloud no longer supports:
      • CentOS 6
      • RHEL 6
      • Ubuntu 19.04
    • As of June 30, 2020, JumpCloud no longer supports Debian 8 systems.

Supported Linux Versions

Distribution Requirements

Amazon Linux (amd64, arm64): 2, 2023

The following core packages must be installed:

  • chkconfig
  • coreutils
  • curl
  • dmidecode
  • glibc-common
  • grep
  • initscripts
  • lsof
  • net-tools
  • nss
  • nss-tools
  • openssl
  • psmisc
  • redhat-lsb-core
  • rpm
  • shadow-utils
  • sudo
  • tar
  • util-linux
  • util-linux-user
  • yum

CentOS (amd64): 7

The following core packages must be installed:

  • chkconfig
  • coreutils
  • curl
  • dnf
  • findutils
  • gawk
  • glibc-common
  • grep
  • initscripts
  • lsof
  • net-tools
  • nss
  • nss-tools
  • openssl
  • policycoreutils
  • psmisc
  • redhat-lsb-core
  • rpm
  • shadow-utils
  • sudo
  • tar
  • util-linux
  • which
  • yum

Debian (amd64): 10 

Debian (amd64, arm64): 11, 12

The following core packages must be installed:

  • apt-rdepends
  • apt-show-versions
  • coreutils
  • cron
  • curl
  • dpkg
  • grep
  • hostname
  • libc-bin
  • libnss3 
  • libnss3-tools
  • libpam-runtime
  • libpam-modules
  • lsb-release
  • lsof
  • mawk
  • openssl
  • passwd
  • procps
  • psmisc
  • rsyslog
  • sudo
  • systemd
  • tar

Fedora (amd64): 36, 37, 38

The following core packages must be installed:

  • chkconfig
  • coreutils
  • curl
  • dnf
  • findutils
  • gawk
  • glibc-common
  • grep
  • initscripts
  • lsof
  • net-tools
  • nss
  • nss-tools
  • openssl
  • policycoreutils
  • psmisc
  • redhat-lsb-core
  • rpm
  • rsyslog
  • shadow-utils
  • sudo
  • tar
  • util-linux
  • which
  • yum

Linux Mint (Cinnamon) (amd64): 20, 21

The following core packages must be installed:

  • apt-rdepends
  • apt-show-versions
  • coreutils
  • curl
  • dpkg
  • grep
  • hostname
  • libc-bin
  • libnss3 
  • libnss3-tools
  • lsb-release
  • lsof
  • mawk
  • openssl
  • passwd
  • procps
  • sudo
  • sysvinit-utils
  • tar

Pop!_OS (amd64): 22.04

The following core packages must be installed:

  • apt-rdepends
  • apt-show-versions
  • coreutils
  • curl
  • dpkg
  • grep
  • hostname
  • libc-bin
  • libnss3-tools
  • lsb-release
  • lsof
  • mawk
  • passwd
  • procps
  • sudo
  • sysvinit-utils
  • tar

RHEL (amd64): 7, 8

RHEL (amd64, arm64): 9

The following core packages must be installed:

  • chkconfig
  • coreutils
  • curl
  • dnf
  • findutils
  • gawk
  • glibc-common
  • grep
  • initscripts
  • lsof
  • net-tools
  • nss
  • nss-tools
  • openssl
  • psmisc
  • redhat-lsb-core
  • rpm
  • shadow-utils
  • sudo
  • tar
  • util-linux
  • util-linux-user
  • which
  • yum

Rocky Linux (amd64, arm64): 8, 9

The following core packages must be installed:

  • coreutils
  • curl
  • findutils
  • gawk
  • glibc-common
  • grep
  • initscripts
  • lsof
  • net-tools
  • nss-tools
  • policycoreutils
  • psmisc
  • rpm
  • shadow-utils
  • sudo
  • tar
  • util-linux
  • util-linux-user
  • which
  • yum

Ubuntu (amd64, arm64): 18.04, 20.04, 22.04

The following core packages must be installed:

  • apt-rdepends
  • apt-show-versions
  • coreutils
  • apt-curl
  • dpkg
  • grep
  • hostname
  • libc-bin
  • libnss3 
  • libnss3-tools
  • lsb-release
  • lsof
  • mawk
  • openssl
  • passwd
  • procps
  • sysvinit-utils
  • sudo
  • tar

Linux Installation Requirements

Component Requirement
Disk Usage 21 MB minimum
Memory Usage 5 MB minimum

Changes Made to Your Linux Device During Installation

Installation Files, Directories, or Settings Locations and Details
Installer Filename

jcagent-<os-version-arch>.<deb/rpm>

Installed Services

jcagent, agent-monitor (init.d systems)

Primary Installation Directory

/opt/jc/

Service Control Scripts

The following script lives on Linux devices that use System V init scripts:

/etc/init.d/jcagent

 

All other versions use systemd initialization and will have the following script:

/lib/systemd/system/jcagent.service

Google Auth PAM Plugin

This is the OS and Arch lib directory, for example: /lib, /lib64, etc.
/security/pam_google_authenticator.so

 

The JumpCloud agent adds the following configuration lines to the device's /etc/pam.d/sshd configuration file:

auth required pam_google_authenticator.so nullok user=root secret=/etc/ssh/jumpcloud_totp/${USER}

auth required pam_permit.so

 

These configuration lines are removed when ssh with MFA is disabled. 

Installation and Service Logs

/var/log/jc*

 

You can download the most recent 1 MB of logs for a device from the Device Details panel by clicking Get agent log. Logs are only available for online systems.

Enabling Syslog for the Events API (logging user events)

JumpCloud appends a local host address (127.0.0.1:14028) when enabling Syslog for the Events API (logging user events). For more information, refer to Introduction to the Directory Insights API.

 

/etc/rsyslog.d/jumpcloud.conf

sshd Config File

Contains one or more of the following parameters: [PermitRootLogin, PasswordAuthentication, UsePAM, PubkeyAuthentication, ChallengeResponseAuthentication]. Other config management systems may cause a conflict if it also tries to manage this file.

 

/etc/ssh/sshd_config

TOTP Key Files

When enabled, TOTP key files are stored on a per user basis at this path:

 

/etc/ssh/jumpcloud_totp/${USER}

Sudo Users

JumpCloud enables sudo users by adding those users to:

 

 /etc/sudoers.d/00-USERNAME-jumpcloud

 

All JumpCloud-managed users will be added to the path. However, non-privileged users will contain a configuration file that explicitly denies sudo privileges.

Authorized Keys

JumpCloud manages this based on users having uploaded public keys to JumpCloud.

 

/root/.ssh/authorized_keys, /home/${USER} .ssh/authorized_keys

System Insights OS Query Installation Location

/opt/jc/bin/jcosqueryi

Device Trust

The JumpCloud agent handles all Device Trust actions.

 

Certificate Management

The agent imports the Device Trust certificates into a Network Security Services (NSS) SQLite database (one per managed user). The databases are located in the user’s home directory:

  • Certificate database: /home/username/.pki/nssdb/cert9.db
  • Key database: /home/username/.pki/nssdb/key4.db

 If the databases don't exist, the agent creates them.

Certificate Auto-Selection for Chrome

The agent creates a system-wide policy configuration for Chrome in the file ‘/etc/opt/chrome/policies/managed/JumpCloudCertificateAutoselect.json’.

 

This file contains ‘AutoSelectCertificateForUrls’ settings that match the JumpCloud Device Trust certificate to the following JumpCloud URL: https://device-cert.jumpcloud.com.

Additional Linux Considerations:

  • For Linux account takeover to complete successfully, the /home/directory must exist for that user.
  • If it’s not already installed by default, an admin will need to install OpenSSH server for the specific case where they intend to require MFA to log in via SSH. If MFA is desired over SSH, ensure openssh-server is installed before installing the agent.
  • See Agent Networking and Port Requirements

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case