JumpCloud Agent Compatibility, System Requirements, and Impacts
This article includes details about OS compatibility, installation requirements, and changes made to your device during installation of JumpCloud’s agent. Use this information to perform these tasks:
Make sure you’re using a supported OS before you install the agent.
Find the files and directories used during installation to troubleshoot issues.
Verify files and directories are installed correctly before you contact Support.
Note: JumpCloud supports iOS devices, such as iPhones, iPads, and Apple TVs, but the JumpCloud agent is not installed on those devices. For more information, see Enrolling iOS Devices in MDM.
Pre-release or Release Candidate (RC) versions of OS releases are not supported.
If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
As of December 15, 2021, we will no longer support the JumpCloud agent on macOS Mojave 10.14.
As of November 30, 2020, we don't support the JumpCloud agent on macOS High Sierra 10.13.
As of June 30, 2020, we don't support the JumpCloud agent on Debian 8 systems.
As of April 14, 2020, we don't support the JumpCloud agent on macOS Sierra 10.12.
Note: If an unsupported device is assigned to the JumpCloud MDM server in Apple Business Manager (ABM), it will attempt to install the agent which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.
Warning: Do NOT release the device from ABM. Devices released from ABM will need to be re-enrolled using Apple Configurator for iOS. See the Apple Configurator User Guide.
MacOS Installation Requirements
Component
Requirement
Available Disk Space
177 MB minimum
Available Memory
5 MB minimum
Changes Made to Your MacOS Device During Installation
Installation Files, Directories, or Settings
Locations and Details
Installer Filename
jumpcloud-agent.pkg
Launch Daemon
com.jumpcloud.darwin-agent
Primary Installation Directory
/opt/jc/
Installation and Service Log Directory
/var/log/jc*.log
You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online devices.
JumpCloud Menu Bar App Tray Log Directory
~/Library/Logs/JumpCloud
Device Trust
The jumpcloud-user-agent application handles actions that must be performed in a user’s context:
The log file is present for every user on the device, whether or not the user is managed by JumpCloud, because the user-agent runs for each logged-in user. However, the agent will only install and manage certificates for managed users.
User-agent Management
To ensure that the JumpCloud user-agent is started when the user logs in and is restarted automatically, the agent installer places a properties list file here: /Library/LaunchAgents/com.jumpcloud.user-agent.plist
Certificate Management
When the JumpCloud user-agent requests new Device Trust certificates for the user, it creates a new MacOS keychain:
It stores the password to unlock this keychain in the user’s login keychain in this item: JumpCloud Device Trust Keychain Password.
The user-agent imports the Device Trust certificates and private key into this new keychain.
Certificate Auto-Selection for Safari
Safari looks for identity preference settings in the user’s login keychain to automatically select certificates. The user-agent creates identity preferences in the keychain to associate the Device Trust certificate with two JumpCloud URLs:
On MacOS, Chrome uses a properties list (plist) file to configure certificate auto-selection filters. The user agent will update the user’s current ‘Library/Preferences/com.google.chrome.plist’ file if it’s present or create a new file if it's not.
The auto-selection filters allow Chrome to find a certificate in the keychain to apply to a given URL. The selection filters will match a cert with a Subject Organizational Unit (SUBJECT:OU) of JumpCloud Device Trust to two JumpCloud URLs:
When enabled, key files are stored on a per user basis in this directory at this path: /etc/ssh/jumpcloud_totp/${USER}
JumpCloud manages this based on users having uploaded public keys to JumpCloud.
JumpCloud-managed Sudo Users
JumpCloud enables sudo users by adding those users to:
/etc/sudoers.d/00-USERNAME-jumpcloud
All JumpCloud-managed users will be added to the path. However, non-privileged users will contain a configuration file that explicitly denies sudo privileges.
System InsightsOS Query
/opt/jc/bin/jcosqueryi
Note: OS query is only installed when System Insights is enabled.
Additional MacOS Considerations:
For all supported macOS versions, a native Administrator service account is created, and credentials are required during installation for support with secure token in conjunction with FileVault. See Managing Users with High Sierra, FileVault, and APFS.
JumpCloud password complexity requirements are enforced by the Mac device. This means that any changes made to password policy settings in the Admin Portal will affect all users on Mac devices in the org, regardless of whether the user is JumpCloud-managed or not.
If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
As of February 18, 2022, JumpCloud no longer supports Windows 8.1.
As of June 30, 2020, we don't support the JumpCloud agent on 32-bit devices.
As of June 30, 2020, we don't support the JumpCloud agent on Windows 8.
As of April 14, 2020, we don't support the JumpCloud agent on Windows 7 or Windows 2008 + R2.
International versions of Windows are supported. However, certain international character sets may cause the following issues:
Cosmetic issues in the Devices detail views
Adverse results in Command execution in the Admin portal
Non-English locales aren't supported by JumpCloud policies
Home versions of Windows are supported in the following ways:
The JumpCloud agent can be installed
Conditional access is supported
JumpCloud policies and security commands are currently unsupported
Enhanced Security Configuration on Windows Server 2019 blocks our ability to auto-select the certificate in Internet Explorer and certain versions of Edge; disable Enhanced Security Configuration for users so that they aren't prompted when accessing JumpCloud-managed resources.
Release Candidate (RC) versions of O/S releases are not supported.
The JumpCloud agent is not compatible with Duo System Agent Authentication for Windows.
The JumpCloud agent does not support Windows ARM devices.
Important: PowerShell is required for Windows agent functionality.
Windows Installation Requirements
Component
Requirement
Disk Usage
166 MB minimum This includes C++ runtime components
Memory Usage
6 MB minimum
C++ Runtimes
MS Visual C++ 2013 Redistributable package (x86_64)
Changes Made to Your Windows Device During Installation
Installation Files, Directories, or Settings
Locations and Details
Installer Filename
JumpCloudInstaller.exe
SERVICE-NAME
jumpcloud-agent
Primary Location of JumpCloud Agent
For 64-bit: C:\Program Files\JumpCloud For 32-bit: C:\Program Files (x86)\JumpCloud
Service Log Directory
C:\Windows\Temp\jcagent.log
You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online devices.
Installation Log Directory
C:\Users\username\AppData\Local\Temp\jcagent.log The log file lives in the directory for the admin user who installs the agent.
Device Trust
The jumpcloud-user-agent application handles actions that must be performed in a user’s context:
The agent and user-agent import certificates into Windows Certificate Stores:
The agent imports the root certificate into the System Certificate Store. This action requires administrative privileges, which is why the agent performs this import.
The user-agent imports the intermediate certificate into the user’s Intermediate Certificate Store.
The user-agent imports the leaf cert and private key into the user’s Personal Certificate Store.
Certificate Auto-Selection for Chrome and Edge
To support certificate auto-selection in Chrome and Edge, the agent creates the following registry keys:
After you create a JumpCloud account for a user and the account is active, you can associate the user with a JumpCloud-managed Windows device. When you bind a user to a device, we add the user’s account to the following local groups:
Standard User Windows Local Groups (for user accounts with no local administrator permissions):
Users
Remote Desktop Users
Administrator User Windows Local Groups (for user accounts with local administrator permissions):
Administrators
Users
Remote Desktop Users
If you manually remove a user account from one of these groups, the agent on the Windows device restores these associations when you save any changes in the Administrator Portal.
Core packages are central to the running of a Linux distribution because they contain files for functionality, such as connecting to the Internet, managing and repairing file systems, and the system setup process (e.g. openssh). The packages you’re required to install for the JumpCloud agent to work varies by OS version and are listed in the following table.
Considerations:
Release Candidate (RC) versions of O/S releases aren't supported.
If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
As of December 2022, we don't support the JumpCloud agent on the following systems:
CentOS 8
Fedora 35
As of September 2022, we don't support the JumpCloud agent on the following systems:
Debian 9
Fedora 34
Mint 18
Ubuntu 21.04
As of August 8, 2022, we don't support the JumpCloud agent on Amazon Linux 2013 - 2018.
As of April 30, 2021, we don't support the JumpCloud agent on Ubuntu 16.04.
As of November 30, 2020, we don't support the JumpCloud agent on the following systems:
CentOS 6
RHEL 6
Ubuntu 19.04
As of June 30, 2020, we don't support the JumpCloud agent on Debian 8 systems.
Supported Linux Versions
OS
Requirements
Amazon Linux (amd64, arm64): 2, 2022
The following core packages must be installed:
chkconfig
coreutils
curl
dmidecode
glibc-common
grep
initscripts
lsof
net-tools
nss
nss-tools
openssl
psmisc
redhat-lsb-core
rpm
shadow-utils
sudo
tar
util-linux
yum
CentOS (amd64): 7
The following core packages must be installed:
chkconfig
coreutils
curl
dnf
findutils
gawk
glibc-common
grep
initscripts
lsof
net-tools
nss
nss-tools
openssl
policycoreutils
psmisc
redhat-lsb-core
rpm
shadow-utils
sudo
tar
util-linux
which
yum
Debian (amd64): 10 Debian (amd64, arm64): 11
The following core packages must be installed:
apt-rdepends
apt-show-versions
coreutils
curl
dpkg
grep
hostname
libc-bin
libnss3
libnss3-tools
libpam-runtime
libpam-modules
lsb-release
lsof
mawk
openssl
passwd
procps
psmisc
sudo
sysv-rc
sysvinit-utils
tar
Fedora (amd64): 36, 37
The following core packages must be installed:
chkconfig
coreutils
curl
dnf
findutils
gawk
glibc-common
grep
initscripts
lsof
net-tools
nss
nss-tools
openssl
policycoreutils
psmisc
redhat-lsb-core
rpm
rsyslog
shadow-utils
sudo
tar
util-linux
which
yum
Linux Mint (Cinnamon) (amd64): 19, 20, 21
The following core packages must be installed:
apt-rdepends
apt-show-versions
coreutils
curl
dpkg
grep
hostname
libc-bin
libnss3
libnss3-tools
lsb-release
lsof
mawk
openssl
passwd
procps
sudo
sysvinit-utils
tar
Pop!_OS (amd64): 22.04
The following core packages must be installed:
apt-rdepends
apt-show-versions
coreutils
curl
dpkg
grep
hostname
libc-bin
libnss3-tools
lsb-release
lsof
mawk
passwd
procps
sudo
sysvinit-utils
tar
RHEL (amd64): 7, 8 RHEL (amd64, arm64): 9
The following core packages must be installed:
chkconfig
coreutils
curl
dnf
findutils
gawk
glibc-common
grep
initscripts
lsof
net-tools
nss
nss-tools
openssl
psmisc
redhat-lsb-core
rpm
shadow-utils
sudo
tar
util-linux
which
yum
Rocky Linux (amd64, arm64): 8, 9
The following core packages must be installed:
coreutils
curl
findutils
gawk
glibc-common
grep
initscripts
lsof
net-tools
nss-tools
policycoreutils
psmisc
rpm
shadow-utils
sudo
tar
util-linux
which
yum
Ubuntu (amd64, arm64): 18.04, 20.04, 22.04
The following core packages must be installed:
apt-rdepends
apt-show-versions
coreutils
apt-curl
dpkg
grep
hostname
libc-bin
libnss3
libnss3-tools
lsb-release
lsof
mawk
openssl
passwd
procps
sysvinit-utils
sudo
tar
Linux Installation Requirements
Component
Requirement
Disk Usage
21 MB minimum
Memory Usage
5 MB minimum
Changes Made to Your Linux Device During Installation
Installation Files, Directories, or Settings
Locations and Details
Installer Filename
jcagent-os-version-arch.pkg
Installed Services
jcagent, agent-monitor (init.d systems)
Primary Installation Directory
/opt/jc/
Service Control Scripts
The following script lives on Linux devices that use System V init scripts (RedHat 6, CentOS 6, Amazon, Ubuntu 14). /etc/init.d/jcagent
All other versions use systemd initialization and will have the following script: /lib/systemd/system/jcagent.service
Google Auth PAM Plugin
This is the OS and Arch lib directory, for example: /lib, /lib64, etc. /security/pam_google_authenticator.so
The JumpCloud agent adds the following configuration lines to the device's /etc/pam.d/sshd configuration file. auth required pam_google_authenticator.so nullok user=root secret=/etc/ssh/jumpcloud_totp/${USER} auth required pam_permit.so
These configuration lines are removed when ssh with MFA is disabled.
Installation and Service Logs
/var/log/jc*
You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online systems.
Enabling Syslog for the Events API (logging user events)
JumpCloud appends a local host address (127.0.0.1:14028) when enabling Syslog for the Events API (logging user events). For more information, refer to Introduction to the Directory Insights API.
/etc/rsyslog.d/jumpcloud.conf
sshd Config File
Contains one or more of the following parameters: [PermitRootLogin, PasswordAuthentication, UsePAM, PubkeyAuthentication, ChallengeResponseAuthentication]. Other config management systems may cause a conflict if it also tries to manage this file.
/etc/ssh/sshd_config
TOTP Key Files
When enabled, TOTP key files are stored on a per user basis at this path:
/etc/ssh/jumpcloud_totp/${USER}
Sudo Users
JumpCloud enables sudo users by adding those users to:
/etc/sudoers.d/00-USERNAME-jumpcloud
All JumpCloud-managed users will be added to the path. However, non-privileged users will contain a configuration file that explicitly denies sudo privileges.
Authorized Keys
JumpCloud manages this based on users having uploaded public keys to JumpCloud.
The JumpCloud agent handles all Device Trust actions.
Certificate Management
The agent imports the Device Trust certificates into a Network Security Services (NSS) SQLite database (one per managed user). The databases are located in the user’s home directory:
If the databases don't exist, the agent creates them.
Certificate Auto-selection for Chrome
The agent creates a system-wide policy configuration for Chrome in the file ‘/etc/opt/chrome/policies/managed/JumpCloudCertificateAutoselect.json’.
This file contains ‘AutoSelectCertificateForUrls’ settings that match the JumpCloud Device Trust certificate to the following JumpCloud URL: https://device-cert.jumpcloud.com.
Additional Linux Considerations
For Linux account takeover to complete successfully, the /home/directory must exist for that user.
If it’s not already installed by default, an admin will need to install OpenSSH server for the specific case where they intend to require MFA to log in via SSH. If MFA is desired over SSH, ensure openssh-server is installed before installing the agent.
