JumpCloud Lounge Q&A Roundup: AD, Windows, & SAML

Written by Leia Schultz on August 19, 2020


The JumpCloud® Lounge is a new public Slack workspace where more than 1200 JumpCloud administrators and IT pros from around the world come to talk shop. The admins in the Lounge provide JumpCloud pro tips, solutions, and ask questions to learn about putting the platform to use at their organization, admin to admin.

We rounded up some of the Lounge community’s recent questions and the answers provided by community members. Although every IT environment is different, the JumpCloud admins in the Lounge have a wealth of experience navigating them with or without JumpCloud’s directory at their core.

This roundup is based on Lounge questions about using JumpCloud with Active Directory® (AD), managing Windows® end user usernames, retrieving a JumpCloud Service Account password, and custom SAML applications.

Using JumpCloud with Active Directory

Q: I’m new to JumpCloud and setting up a new domain from scratch (no servers set up yet). Does AD need to be installed first (prior to adding JumpCloud)? 

A: You can use JumpCloud as a standalone domainless directory without having to stand up a brand new AD instance, as it is its own directory service (unless there’s a technical or business use case for still using AD). If you’re looking to extend your AD domain users to JumpCloud, then AD would need to exist first and you can export your AD users to JumpCloud using the AD Import tool.

Managing Windows Usernames 

Q: I’m in the process of having my Windows end users install the JumpCloud Agent and I noticed that there’s a bind option. I was tempted to click on it in the JumpCloud Admin Console but wanted to get some feedback from those of you who have bound their Windows after they installed the JumpCloud Agent. Any lessons learned or things I should be mindful of?

A: You need to make sure their local Windows profile username matches their JumpCloud username. If they do not match, binding the JumpCloud Agent to the system will create a separate local profile on their laptop instead of them continuing to use the one they already had on there.

You can edit the username in JumpCloud to match the local machine (providing the account isn’t bound to anything in JumpCloud). This does create some username discrepancies on the backend (Admin Portal), but only JumpCloud admins can see that. Keep in mind the only issue with changing end users’ JumpCloud username to match their laptop username is that you end up not following a naming convention in the Admin Portal. 
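A pre-flight check for the mismatch described above, written as an added example rather than code from the Lounge or from JumpCloud: it lists the enabled local accounts on the Windows system and reports which ones have no JumpCloud user with the same username, so you can rename in the Admin Portal before binding. It assumes the JumpCloud PowerShell Module is installed (Connect-JCOnline and Get-JCUser) and that the built-in account list to skip is the one hard-coded here.

```powershell
# Added example: find local Windows profile usernames that do not match a
# JumpCloud username before binding the agent. Run locally as an administrator.
param(
    [Parameter(Mandatory)][string]$JumpCloudApiKey
)

Import-Module JumpCloud
# Non-interactive sign-in to the JumpCloud API (assumes an admin API key).
Connect-JCOnline -JumpCloudApiKey $JumpCloudApiKey -force | Out-Null

# Built-in Windows accounts that will never be JumpCloud users (assumed list).
$builtIn = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

# Enabled local accounts that could already own a profile on this laptop.
$localUsers = Get-LocalUser | Where-Object { $_.Enabled -and ($_.Name -notin $builtIn) }

# Every JumpCloud username in the org; -contains compares case-insensitively,
# which matches how Windows treats logon names.
$jcUsernames = Get-JCUser | Select-Object -ExpandProperty username

$report = foreach ($u in $localUsers) {
    [pscustomobject]@{
        LocalUsername = $u.Name
        JumpCloudMatch = ($jcUsernames -contains $u.Name)
    }
}

$report | Format-Table -AutoSize

$mismatched = $report | Where-Object { -not $_.JumpCloudMatch }
if ($mismatched) {
    Write-Warning ("Binding now would create a new local profile for: " +
        (($mismatched.LocalUsername) -join ', ') +
        ". Rename the JumpCloud user (or the local account) first.")
} else {
    Write-Output "All local accounts have a matching JumpCloud username; safe to bind."
}
```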

Retrieving a JumpCloud Service Account Password

Q: Is there a way to retrieve the JumpCloud Service Account password? We’ve got a MacBook® that the user has locked out and now we can’t seem to get back into it. They also appear to have registered it to a non-work Apple® ID so we can’t reset it this way either.

A: The JumpCloud Service Account cannot be used for login. The randomly generated password for that account is not accessible in any way, and that account doesn’t have a valid home directory.

It exists solely for the purpose of managing the Secure Token attribute for FileVault access. If the system is at a FileVault login screen, you can try (and fail) to login three times, at which point Apple presents you with the option to enter the FileVault Recovery Key. Successful entry of that key will allow system startup to proceed to the macOS® login window. At that window, network connectivity is possible with a wired network connection. The JumpCloud Agent is running at that macOS login window, so connectivity brings the system online and manageable again.

Admins who’ve been down this road many times with and without the recovery key are familiar with wiping systems. This is typical when a device becomes JumpCloud-managed, but previously was 100% managed by the end user who’ll often set a recovery key on their system and forget it. They often forget their Apple ID password, too. The reset procedures are painful, but the info here is key to success if you have the recovery key.

Configuring Custom SAML Connectors

Q: Is there any way to automate a custom SAML app in JumpCloud with API or PowerShell commands?

A: JumpCloud offers a generic SAML connector admins can use to connect to a custom app. Here’s the API endpoint documentation for creating a custom SAML configuration. Keep in mind:

  • This will create the application using JumpCloud’s generic SAML 2.0 connector. The endpoint is not designed for adding in one of the native listed applications.
  • The JumpCloud PowerShell Module wrapper does not yet have functionality for SAML endpoints built into it (although this is an area that JumpCloud will likely include in the future). Aside from PowerShell, you can also utilize any of our SDKs (Python, Go, Ruby, and Java).

Join Us in the Lounge

If you’re not already in the Lounge, use this link to join today. Remember to explore the Lounge’s channels to find topics you’re interested in (type !channels in a private message to yourself and Slack will respond with all the Lounge channels, like #macos, #windows, #active-directory, and beyond). If you’d like to request a new channel, let us know by emailing slack_owner@jumpcloud.com.

The JumpCloud Lounge doesn’t replace the standard avenues of speaking with your Customer Success Manager or filing a support ticket, but it does offer a new way to find answers to your questions and connect with your community of IT admins.

Remember, there are no barriers to try JumpCloud Free with up to 10 users and 10 systems, plus 10 days of chat support when you set up your instance.
