Organizations may want, or sometimes have an immediate need, to have their entire user base reset passwords. There are many ways to facilitate this within JumpCloud. There are advantages and disadvantages for each option, ways to initiate the reset flows, and variations in user experience that result.
Resetting Passwords using Password Expiration Settings
Expiration is a well-worn method of enforcing password rotation. It is typically used to manage password aging on a rotating basis, but it may also be employed to enforce a more urgent reset across an organization’s user base. This method allows some customization in how that reset is enforced and experienced by users.
All users receive certain nudges from JumpCloud when their passwords are near expiration. These include:
- A daily email to users notifying them that their password will expire. This will start seven days prior to expiration. The email has a link to the User Portal where they will be prompted to change their password. This is a dismissible prompt.
- A Change Password prompt will appear each time a user logs in to their User Portal. This will start within seven days of their password expiration. This is a dismissible prompt.
- A daily notification will appear to a user on a managed device with the JumpCloud tray app (Windows and macOS users only) nudging them to use the app to reset their password. This will start within 10 days prior to their password expiration. This looks slightly different on Macs and Windows.
Linux users do not have a tray app, and will need to change their password locally on their device. If their password expires before they update their password locally, they will not be able to log in to their device. Admins will need to manually reset the user's password from the Admin Portal.
Reviewing Expiration Settings
Before enforcing any form of password expiration, there are a few settings that should be reviewed to ensure that expiration will not have undesired consequences on managed resources.
- Log in to the JumpCloud Admin Portal.
- Go to Settings > Security and find the Password Settings > Password Aging section:
  - Review the first setting for most recent passwords cannot match each other (limit historical reuse). It's recommended that this be enabled with a value of at least 1.
  - Determine if you want to enable the Allow password change after expiration setting. When passwords expire, access to resources through JumpCloud will be disrupted. This option allows users a path to self-recover from an expired password upon login to their User Portal or managed device.
- Go to the Password Configurations section:
  - For any configured instances of Google Workspace, M365/Entra ID, RADIUS, or LDAP, ensure the desired settings are selected for Password Expiration. These settings will determine if users are maintained, removed, disabled, or have access removed when passwords expire. Take into consideration if you want user email accounts suspended and emails bounced while passwords are expired, or if Wi-Fi access should be cut off from the device the user is logged in to.
- Click Save when finished.
Initiating a Reset within a Limited Timeframe
This is a good option if you want to enforce a reset and the level of urgency allows the reset to take place within a prescribed timeframe. Providing a window of time for users to perform a reset can be less disruptive to productivity, and it spreads out any admin remediation needed should users experience confusion or challenges with the reset.
- Log in to the JumpCloud Admin Portal.
- Navigate to Settings > Security and scroll down to the Password Settings > Password Aging section.
- If not yet enabled, enable the days until password expiration setting and update the number of days that you’d like to allow for your organization to reset all passwords.
- Determine if you want to enable the days prior to password expiration, require password reset at login setting for a certain number of days prior to expiration. This is the same prompt that all users receive prior to expiration, but it is not dismissible, which makes it a good way to ensure users don’t delay a reset in the days leading up to expiration.
- Click Save when finished.
Initiating a Reset Immediately
This method of initiating a reset will be far more disruptive to active users within an organization, but it will also ensure that compromised passwords are no longer active. Please consider the urgency of action appropriate to the identified vulnerability.
When passwords expire, users will lose access and their account status will be updated on all JumpCloud managed resources. This may include access to emails that can notify them of expiration, communication applications commonly used to recover users, devices, and networks those devices are connected through.
Linux users will be logged out of their device and require admin intervention to restore their access.
If opting to force a reset via expiring passwords immediately, consider if you would like users to be able to self-recover from this expiration. The Allow password change after expiration setting, when enabled, will allow users to use their expired password to enter a reset flow in the JumpCloud User Portal or a managed device at login.
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the users needing a password reset.
- From the More Actions menu, select Force Password Change.
- Review the Force Password Change confirmation modal and if correct, click Force Change.
Resetting Passwords using a Reset Request
If there isn’t great urgency, requesting a reset of passwords is the least disruptive option for initiating an org-wide reset. A request that isn’t disruptive protects productivity, but it also tends to be less effective in prompting users to take action, so this is not a recommended path of remediation if there is a concern that passwords may be compromised.
Sending an Admin-specified Reset Request
There is a way to send a password reset request through the JumpCloud Admin Portal that comes in the form of an email to each user's company email address. The user follows a link in the email to a reset form that requests a new password and a confirmation of that password. This is a simple flow, but as mentioned above, users may be rightfully skeptical of the request if they aren’t expecting it—if you decide to use this method, we suggest letting users know in advance to expect the email from JumpCloud.
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the users needing a reset request.
- From the More Actions menu, select Resend Email.
- The selected users will receive the reset request email. The existing password is not required for this reset request.
Sending a Customized Reset Request
Every organization has a unique IT environment, and leverages JumpCloud to access different collections of resources. Thus, a request coming from a trusted administrator with customized instructions for a reset is likely to be more effective than a generic reset request. See Customizing Email Templates to learn more.