Glossary

AD-joined

A device that is joined to an Active Directory (AD) domain and inherits its configurations and policies from the parent domain.

ADI

The Active Directory Integration enables the syncing of users, groups, and passwords between JumpCloud and Active Directory. The integration consists of two agents: the Import Agent and Sync Agent. The integration can be configured to use one or both of the agents. Your use case determines which agents are required, the direction of the sync, and which system (JumpCloud or Active Directory) is the authority.

Administrator with Billing

This role is considered a "super administrator." These administrator accounts have all privileges, including the ability to manage billing, other JumpCloud administrators, and the Multi-Tenant Portal (if applicable). This includes access to manage users, groups, devices, user authentication, directory integrations, security, and account management.

ADMU

The JumpCloud Active Directory Migration Utility (ADMU) is a tool that automates the migration of Active Directory (AD) domain users to JumpCloud managed users. The utility converts a Windows non-local domain user profile to a local profile, simultaneously leaving the domain and installing JumpCloud.

Agent

• Also known as daemon, service, or client, a computer program that runs as a background process, rather than being under the direct control of an interactive user. Agent may refer to:
  • JumpCloud Agent - JumpCloud’s client that runs on managed devices. It communicates with JumpCloud servers every 60 seconds (“Agent heartbeat”) to look for jobs. If jobs are available, the Agent downloads the work request and executes it. See Understand the JumpCloud Agent.
  • Remote Assist Agent - The Remote Assist app is included with the JumpCloud Agent and is installed by default. The JumpCloud Agent is required to launch the initial Remote Assist client installation, but the app is intentionally deployed as separate from the JumpCloud Agent to ensure Admins are able to address customer issues even if the JumpCloud Agent is not running. See Understand the Remote Assist Agent.
  • For AD Import Agent and AD Sync Agent, see ADI

Allow list

An explicitly identified list of entities that are allowed a particular privilege, service, mobility, access or recognition. For its opposite, see blocklist.

API Key

A code used to authenticate to an application programming interface (API). API keys are considered “keys to the castle” and should be secured and protected. In the event of compromise, they should be rotated immediately. In JumpCloud, your API Key is only viewable at the time it's generated. If you've lost it, you can generate a new API Key from the initials (avatar) menu in the top right corner of the Admin Portal.

Apple Business Manager

Apple Business Manager (ABM) is a tool that Apple created to streamline several programs (Automated Device Enrollment, VPP, Managed Apple IDs) into a single platform for businesses to assign iOS, iPadOS, tvOS, and macOS devices to an MDM, as well as purchase apps and Books and manage Managed Apple IDs for User Enrollment. An organization connects their ABM instance to JumpCloud to allow JumpCloud to manage their Apple devices with MDM, provide Automated Device Enrollment and Zero-Touch Enrollment to their Apple devices, and install apps purchased from Apple.

Automated Device Enrollment

A zero-touch Apple MDM enrollment method that enables devices to be supervised during activation without intervention. Requires Apple Business Manager (ABM) or Apple School Manager (ASM).

Bind

A bind is an association or a connection made between two objects in JumpCloud. In order to log in to their device using their JumpCloud credentials, your user must first be bound to their device.

There are various types of binds in JumpCloud:

• bind users to devices
• bind users, devices, and policies to their respective groups
• bind policy groups, applications, and commands to device groups
• bind applications and resources like RADIUS and LDAP to user groups
• bind user groups to the JumpCloud Password Manager

Bind DN

The LDAP binding user is created to allow an application to gain access to the LDAP directory in order to facilitate authentication requests when a regular LDAP user is attempting to log in. JumpCloud does not support anonymous binds. When a user is designated as the Bind DN (distinguished name), they are automatically bound to the JumpCloud LDAP directory. Any JumpCloud user can be set as a binding user, although it's generally recommended to treat this account as privileged and for use only to facilitate the application's ability to bind/search the LDAP directory.

Biometric

Verifying a user’s identity based on biological traits such as a fingerprint (Touch ID) or facial recognition (Face ID).

Bitlocker

A disk encryption feature built into Microsoft Windows.

Blocklist

A basic access control mechanism that allows through all elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly identified. The items on the block list are denied access. For its opposite, see allow list.

BYOD (bring your own device)

An employee-owned device that is partially managed by the company through a work profile or container.

Conditional Access Policy

Conditional access policies are a set of rules configured to establish which devices can access company resources. Use Conditional Access Policies in JumpCloud to establish levels of access (password, password and MFA, or completely restricted) to resources based on conditions such as whether the device is managed, what the device's operating system is, the device's location, and whether the device is disk encrypted.

Connect Key

The Connect Key provides a way to associate devices with your JumpCloud organization. Find your Connect Key when you add a device in the Admin Portal under DEVICE MANAGEMENT > Devices.

Declarative Device Management

A device management protocol in which the device applies updates asynchronously without polling from a server, reporting its status back when an update has been made.

Dedicated device

A corporate-owned, single use device that is fully managed by the company and used for a specific purpose or task, such as a kiosk or point-of-sale.

Delegated authentication

Sometimes called passthrough authentication, a mode of authentication where the experience of "logging in" happens in JumpCloud, but another Identity Provider is the validating authority. End users will see no difference in their authentication experience between direct auth and delegated auth in JumpCloud.

Device trust

A security concept for ensuring that a device meets minimum security requirements before its user can access protected company resources.

Directory Insights

Directory Insights is JumpCloud's event logging and compliance feature that gives a centralized view of user activity that delivers in-depth logging and audit reporting for compliance and security purposes.

Display Name

The Display Name field in the JumpCloud user account record is consumed in account creation and account takeover, and, if present, is used as the display name on the user-bound device.

Dynamic group

A user group or device group in JumpCloud configured to update automatically as new users or devices meet the conditions set for the group or when existing users or groups no longer meet the conditions set for the group. See static group

EMM

Android's Enterprise Mobility Management. You can enroll and manage Android devices using EMM through the JumpCloud Admin Portal. Devices managed through Android EMM utilize a work profile to securely control access to company resources like email, calendar and contacts, and other company apps and data, while keeping personal user data private and secure.

Federated Authentication

A mode of authentication where the experience of "logging in" happens outside of JumpCloud with another Identity Provider. 

FileVault

FileVault is Apple's disk encryption program. See Apple's How does FileVault work on a Mac?

JumpCloud offers a preconfigured FileVault policy to enforce FileVault on macOS device. See Create a Mac FileVault 2 Policy

Full-disk encryption (FDE)

Full-disk encryption. See Bitlocker (Windows) and FileVault (macOS)

Use JumpCloud to configure access policies for devices based on their disk encryption status.

Fully managed device

A device that is managed by the company and used exclusively for work purposes, also sometimes referred to as a COBO (company-owned, business only) device.

High-water mark

The greatest number of users present in the JumpCloud directory at any point in the billing period.

Identity Access Management (IAM)

A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IdM systems fall under the overarching umbrella of IT security and Data Management.

Identity Provider (IdP)

The entity that stores and authenticates the identities that users log in to their systems, applications, file servers, and more with.

JIT provisioning

The technology that creates users and updates them dynamically when they log in (just in time) based on SAML assertions sent by the identity provider.

JumpCloud PowerShell Module

The JumpCloud PowerShell Module is a set of Windows PowerShell commands that allow JumpCloud administrators to interact with their JumpCloud directory.

LDAP

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

Least privilege

The concept of least privilege access to infrastructure means you give users access only to the company resources that they need to successfully do their daily job. Having too many admins with unlimited access is prone to human error and increases the attack surface for a security breach. See What is Least Privilege and Why Do You Need It?

Managed Service Provider (MSP)

A company that remotely manages a customer’s IT infrastructure and/or end user systems, typically on a proactive basis and as part of a subscription model. See Multi-Tenant Portal

MDM

Mobile Device Management; A software solution that allows IT Admins to control, secure, and enforce policies on laptops, mobile devices, tablets, and other endpoints.

mTLS

Mutual TLS; a common security practice that uses client TLS certificates to provide an additional layer of protection by cryptographically verifying the client information.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication requires users to provide something in additional to a password when logging in. MFA tightens account security by making it harder for unauthorized users to access the account. This second factor can be:

• something you know, like a PIN;
• something you have, like a smartphone or USB key; or
• something you are, such as your fingerprint or facial recognition

With JumpCloud, you have the option to enforce MFA using JumpCloud Go, JumpCloud Protect (Push MFA), Verification Code (TOTP) MFA, WebAuthn MFA, and/or Duo Security MFA. 

Multi-Tenant Portal (MTP)

The dashboard for Managed Service Providers to log in and manage all of their tenant organizations.

Network Attached Storage (NAS)

A file-level computer data storage server connected to a computer network that provides data access to a heterogeneous group of clients. NAS is specialized for serving files either by its hardware, software, or configuration.

On-prem

As opposed to a cloud solution, an in-house, physical appliance, such as an Active Directory server.

OrgID

The numeric identifier for a JumpCloud organization. This number is case sensitive.

PowerShell Module

A set of related PowerShell commands that are grouped together. PowerShell modules are hosted by Microsoft and available for installation from the PowerShell Gallery. See JumpCloud PowerShell Module

Provisioning

The process of importing or creating user identities and pushing those identities to other resources.

JumpCloud's Identity Management integration allows you to provision, update, and deprovision users and groups from JumpCloud in applications that support SCIM.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

Remote Access

JumpCloud Remote Access is a cloud-based solution that provides IT teams with robust remote support capabilities, including Remote Assist for remote screen access and control, as well as Background Tools for remote command line and file management.

Remote Assist

JumpCloud Remote Assist is a cloud-based remote screen access and control solution from JumpCloud for IT teams.

RMM

Remote Monitoring and Management (RMM) systems let IT admins manage multiple organizations and their systems without needing physical access to target machines.

SAML

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. JumpCloud uses SAML 2.0 to connect applications to JumpCloud. SAML 2.0 uses security tokens containing assertions to pass information between Identity Provider and Service Provider.

Secure Shell (SSH)

A network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.

Secure Token

Apple feature that secures and provides access to encryption keys that are required for FileVault decryption. See Apple’s documentation on secure tokens.

Service Account

On Mac systems, the system account that is created automatically to grant secure tokens for new users and provide security-level services to other user accounts managed by JumpCloud. Because it doesn't have an accessible password or valid home directory, this account can’t be logged in to by other users. See Install and Use the Service Account for MacOS

Service Provider

A software application that needs an identity from an Identity Provider to allow a user to sign in to the application using Single Sign-On.

Shadow IT

Systems and solutions implemented within organizations without the knowledge and approval of an IT or SecOps department.

Static group

A user group or device group that does not have automated membership enabled. See dynamic group

Step-up Authentication

A security principle for requiring additional authentication (above and beyond MFA) when accessing critical resources.

Sudo user

A program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do," as the older versions of sudo were designed to run commands only as the superuser. 

Super admin

An administrator with the Administrator with Billing role; the highest level of privilege in the JumpCloud Admin Portal.

TOTP

Time-based, one-time passwords, a form of MFA, are temporary passcodes generated by an algorithm for use in authenticating access to computer systems.

VPP

Apple's Volume Purchase Program, used with MDM to manage App Store licenses through an integration with JumpCloud's Software Management. See Manage Software with Apple's VPP

Work profile

The partition on an Android company-owned or employee-owned device that contains work apps and data visible to and managed by the company.

Zero Trust

An IT security model that assumes no user or device is trusted and must be verified to access resources.

Zero-touch

A method of provisioning devices that automates their configuration, allowing companies to purchase and ship devices directly to end users. Upon startup, these devices are automatically enrolled in device management, allowing IT admins to remotely configure them with the correct apps, licenses, and policies, and bind them to a user identity when the user logs in. See Configure Zero-Touch Enrollment for Android and Configure Automated Device Enrollment for Apple.

Zero-touch portal

The Android zero-touch portal that allows admins to configure zero-touch enrollment for Android device management. See Configure Zero-Touch Enrollment for Android