Active Directory Integration (ADI) Release Notes

Interested in previous years' release notes? See last year's ADI Release Notes 2023. Alternatively, see JumpCloud's Feature Release Notes.

2024-12-11 ADI Release Notes

AD Import Agent v3.10.0

Bug Fix

  • The ADI import agent no longer queries AD for the additional attributes when the SyncAdditionalAttributes setting is false.
    • Previously, the ADI import agent queried AD for the additional attributes even though it did not sync those attributes to JumpCloud when the SyncAdditionalAttributes setting was false.

2024-12-10 ADI Release Notes

AD Import Agent v3.9.0

Bug Fix

  • The ADI import agent jspasswordfilter.dll no longer causes the DC to crash when a password with the maximum characters supported by Windows is set in AD. 

Note: Maximum password length supported in JumpCloud is 64 characters. Any password longer than 64 characters will result in a password update failure.

2024-11-19 ADI Release Notes

AD Sync Agent v4.20.0

Rollback of v4.19.0 changes

Bug Fix 

  • The AD sync agent logs no longer include the 502 unexpected content-type error “error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type”

2024-11-11 ADI Release Notes

Re-release of AD Sync Agent v4.17.0

Bug Fixes

  • In the Manage users and passwords in JumpCloud, AD or both (bi-directional sync) and Manage users and passwords in JumpCloud (one-way sync from JumpCloud to AD) deployment configurations, users that are in a nested OU can now be added to security groups in AD from JumpCloud. These users can only be removed from an ADI specific security group named “JumpCloud” and security groups nested underneath that security group.

2024-11-07 ADI Release Notes

Rollback of ADI Sync Agent v4.19.0

The Active Directory Integration (ADI) sync agent v4.19.0 was rolled back and v4.15.0 was re-released. The rollback is due to users being removed from all groups in AD that are not associated (bound) to the ADI integration in JumpCloud. This behavior can cause these users to lose access to some AD managed resources.

We rolled back to 4.15.0 to remove all group syncing related changes. We did this out of an abundance of caution.

If you are using v4.17.0 and are not experiencing issues, you do not need to roll back. We will re-verify v4.17.0 and release it again, as long as the behavior that resulted in this rollback does not exist.

To downgrade from v4.19.0 to 4.15.0, do the following:

  • Log in to the JumpCloud admin portal and navigate to the ADI configuration for your AD domain.
  • From the Download section, select Install New Agent in the sync agent row and click Download Sync Agent.
  • Either leave the window with the connect key open or copy and store the connect key.
  • Log in to the AD server where the sync agent is installed.
  • Upload the sync agent you downloaded.
  • Stop the AD sync service, “JumpCloud AD Integration Sync Agent”.
  • Uninstall the AD sync agent.
  • Run the 4.15.0 sync agent installer.
  • Paste in the connect key.
  • Repeat this on all servers where the 4.19.0 sync agent is installed.

2024-10-29 ADI Release Notes

AD Import Agent v3.7.0

New configuration setting, SyncAdditionalAttributes, enables syncing of additional user attributes from AD to JumpCloud:

The new SyncAdditionalAttributes setting in the jcadimportagent.config file controls whether or not additional user attributes sync from AD to JumpCloud.

  • The additional attributes that can now optionally sync from AD to JumpCloud are:
    • Display Name
    • Description
    • JobTitle
    • Department
    • Company
    • Location
    • EmployeeType
    • PhoneNumbers
    • Addresses
    • Manager
  • This setting is automatically added to the jcadimportagent.config file for both net new ADI import agent installations and upgrades of existing ADI import agents.
  • For net new ADI import agent installations, the default value for this setting is true, meaning the additional attributes will sync.

Important:

If you are adding a new AD server to an existing AD environment with JumpCloud ADI installed, you will need to make sure this setting matches across your existing servers and this new server.

  • For existing ADI import agent installations, the default value for this setting is false, meaning the additional attributes will not sync.
    • This default value ensures there is no unexpected change in behavior for existing installations.
  • If the setting is not present in the jcadimportagent.config file, the value will be considered false.
  • If you have existing ADI import agent installations and want to sync these additional attributes, you will need to edit the jcadimportagent.config file and manually set the value to true.
  • When SyncAdditionalAttributes is set to true, any values that exist in JumpCloud for these additional attributes will be overwritten.

Tip:

To avoid any access disruption when SyncAdditionalAttributes is set to true, update your dynamic group rules to include values that will come from AD.
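The rules above (new installs default to true, existing installs default to false, a missing key counts as false, and all agents in a domain must agree before a new server is added) are easy to get wrong across a fleet of servers. The following audit script is an added example and is not JumpCloud's own code. It assumes, since the release notes do not show the file layout, that jcadimportagent.config is a .NET-style XML file with an appSettings block of add key/value entries; the sample configs and server names are constructed.

```python
"""Audit the SyncAdditionalAttributes setting across AD import agent configs.

Added example, not JumpCloud's code. ASSUMPTION: jcadimportagent.config is a
.NET-style XML file with <appSettings><add key="..." value="..."/></appSettings>.
Decision rules are the ones the release notes state:
  - setting absent            -> treated as false
  - "true" / "false" (any case) -> that value
  - all agents in one domain must agree, or attribute sync flip-flops
"""
import xml.etree.ElementTree as ET

SETTING = "SyncAdditionalAttributes"

# Attributes the release notes list as optionally synced when the setting is true.
ADDITIONAL_ATTRIBUTES = [
    "Display Name", "Description", "JobTitle", "Department", "Company",
    "Location", "EmployeeType", "PhoneNumbers", "Addresses", "Manager",
]


def effective_sync_additional_attributes(config_text: str) -> bool:
    """Return the value the agent will act on for one config file body."""
    root = ET.fromstring(config_text)
    for add in root.iter("add"):
        if add.get("key") == SETTING:
            return add.get("value", "").strip().lower() == "true"
    # Key not present: the release notes say this is treated as false.
    return False


def audit_domain(configs: dict) -> dict:
    """Compare the effective value across the servers of one AD domain.

    configs maps server name -> config file text. The report lists the value
    per server, whether they agree, and which JumpCloud attribute values are
    exposed to being overwritten (all of them, as soon as any server syncs).
    """
    per_server = {host: effective_sync_additional_attributes(text)
                  for host, text in configs.items()}
    values = set(per_server.values())
    return {
        "per_server": per_server,
        "consistent": len(values) <= 1,
        "any_server_syncs": True in values,
        "attributes_overwritten": ADDITIONAL_ATTRIBUTES if True in values else [],
    }


# Constructed sample configs (not real files): explicit true, explicit false,
# and one where the key is absent, as on an agent that predates the setting.
SAMPLE_CONFIGS = {
    "dc01": '<configuration><appSettings>'
            f'<add key="{SETTING}" value="True"/>'
            '</appSettings></configuration>',
    "dc02": '<configuration><appSettings>'
            f'<add key="{SETTING}" value="false"/>'
            '</appSettings></configuration>',
    "member01": '<configuration><appSettings>'
                '<add key="SomeOtherSetting" value="1"/>'
                '</appSettings></configuration>',
}

if __name__ == "__main__":
    report = audit_domain(SAMPLE_CONFIGS)
    for host, value in report["per_server"].items():
        print(f"{host}: {SETTING}={value}")
    if not report["consistent"]:
        print("WARNING: agents disagree; align the setting before adding a new server")
    if report["any_server_syncs"]:
        print("Check dynamic group rules for:", ", ".join(report["attributes_overwritten"]))
```

Run it against the real config files before enabling the setting fleet-wide: a single server left at true while the others are false is exactly the mismatch the Important note above warns about, and the list of overwritten attributes is what the dynamic group rules in the Tip need to account for.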

2024-10-03 ADI Release Notes

AD Sync Agent v4.19.0

Bug Fix

  • In the Manage users and passwords in JumpCloud, AD or both (bi-directional sync) and Manage users and passwords in JumpCloud (one-way sync from JumpCloud to AD) deployment configurations, users can now be removed from any security group except the main ADI group (e.g., “JumpCloud” or “JumpCloud (mydomain1)”)

2024-09-20 ADI Release Notes

Admin Portal

Users page

  • Password status is “Delegated” with sub-text “Managed by AD” when the user’s delegated authority is set to Active Directory

2024-09-04 ADI Release Notes

Admin Portal

Bug Fixes

  • Delete confirmation is shown after clicking the delete button for an ADI domain configuration.
  • Delete button on the ADI domain configuration screen was updated to have a red outline.
  • Users page More Actions menu option for setting the delegated authority on a user record was renamed to Set Delegated Authority.

ADI Service

  • User login no longer fails once the user is disassociated (unbound) from all but one delegation-enabled ADI domain.

AD Sync Agent v4.17.0

Bug Fixes

  • In the Manage users and passwords in JumpCloud, AD or both (bi-directional sync) and Manage users and passwords in JumpCloud (one-way sync from JumpCloud to AD) deployment configurations, users that are in a nested OU can now be added to security groups in AD from JumpCloud. These users can only be removed from an ADI specific security group named “JumpCloud” and security groups nested underneath that security group

2024-08-19 ADI Release Notes

Admin Portal

  • New UI and experience for adding, managing, and using the ADI:
    • Provides guidance through the installation process, better visibility into the configuration settings, and greater prominence of the information needed to monitor and manage the integration
  • New ADI configuration settings:
    • Delegated Password Validation - default setting for enabling and disabling delegated authentication to AD for users imported from AD to JumpCloud (applicable in the Manage users and passwords in either system or both and Manage users and passwords in Active Directory deployment configurations)
    • Externally Managed Password and Attributes - default setting for restricting and unrestricting changes to ADI synced user attributes and user password within the JumpCloud Admin Portal and the JumpCloud User Portal. This is a read-only setting
    • Enable groups and memberships management - default setting controlling whether groups and group memberships are synced from JumpCloud to AD when a sync agent is installed on an AD server (applicable in the Manage users and passwords in either system or both and Manage users and passwords in JumpCloud deployment configurations). This is a read-only setting
    • Provision Staged Users - default setting controlling whether a staged user is synced from JumpCloud to AD when a sync agent is installed on an AD server (applicable in the Manage users and passwords in either system or both and Manage users and passwords in JumpCloud deployment configurations). This is a read-only setting
  • Option to automatically update the delegated authority setting for user(s).
    • This option is presented when the following actions are taken and includes a list of important factors to consider when making your selection:
      • on save after delegated authentication is enabled or disabled in the ADI configuration
      • when an ADI AD domain is deleted
      • when a user has direct access granted to or removed from a delegation-enabled AD domain
      • when a user has access granted to or removed from a user group that has access to a delegation-enabled AD domain
      • when a user group has access granted to or removed from a delegation-enabled AD domain
[Screenshots: Option When Connecting (Binding) or Disconnecting (Unbinding) Users or User Groups; Option When Enabling Delegation on ADI Config]
  • Agent download options in the ADI Configuration:
    • Update Existing Agent downloads the agent installer without generating a new agent connect key 
    • Install New Agent downloads the agent installer and provides a new connect key which must be used within 7 days
  • Ability to set the delegated authentication setting (Delegated Authority) for an individual user.
    • New Delegated Authentication section with a Delegated Authority setting in the User Security Settings and Permissions section on the Details tab of the User page
    • Confirmation modal explaining the implication of the change shows when the Delegated Authority is changed.
    • Delegated Authentication shows under Security status in the left pane of the User panel when the Delegated Authority setting is Active Directory
  • Ability to set the delegated authentication setting (Delegated Authority) for multiple users at once:
    • New Set Delegated Password Authority option in the More Actions menu on the Users Page
  • Visibility into which users have delegated authentication enabled from the Users page:
    • Password status shows “Delegated” for users that have a Delegated Authority set to Active Directory
  • New Delegation ENABLED label added when delegation is enabled and active for an ADI AD Domain:
    • Directories List - Label added to the AD domain name in Directories lists
    • User groups - Resources list in the User group drop down in Users page
    • Staged user - resources section showing AD delegation enabled label
[Screenshots: Directories List; Expanded User Group in User Groups Tab of a User Record; Staged User Resource Summary]
  • New and updated DI events:
    • user_login_attempt: Logs every time a user tries to log in to a JumpCloud managed resource. Change: the JSON includes a new field, password_delegated_authority, in auth_context when the user’s login is delegated to AD for authentication:

      "auth_context": {
        "auth_methods": {
          "password": {
            "success": true
          }
        },
        "password_delegated_authority": "ActiveDirectory"
      },

    • association_change: Logs every time two resources are associated (bound) or disassociated (unbound). Change: logged when a user is associated (bound) to or disassociated (unbound) from a delegation-enabled AD domain, and when a user group is associated (bound) to or disassociated (unbound) from a delegation-enabled AD domain.
    • user_delegated_authority_update: Logs when a change is made to the Delegated Authority setting on the User record. New DI event.
    • activedirectory_domain_delegated_password_change: Logs when the delegated authentication setting Delegated Password Validation in the ADI configuration is changed. New DI event.
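The events above are the ones a SOC would watch to know which logins were validated by AD rather than by JumpCloud, and when the delegation configuration itself changed. The following triage script is an added example and is not JumpCloud's own code. The event names and the auth_context.password_delegated_authority field are taken from the release notes; the envelope fields event_type, username and id are an assumption about the DI export shape, and the sample events are constructed.

```python
"""Triage Directory Insights (DI) events related to AD delegated authentication.

Added example, not JumpCloud's code. Event names and the
auth_context.password_delegated_authority field come from the release notes.
ASSUMPTION: each exported event is one JSON object per line carrying
"event_type" plus "username" or "id"; the sample events are constructed.
"""
import json
from typing import Optional

# Configuration-change events the release notes list as new or updated for delegation.
DELEGATION_CONFIG_EVENTS = {
    "user_delegated_authority_update",
    "activedirectory_domain_delegated_password_change",
    "association_change",
}


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it is not delegation related."""
    etype = event.get("event_type")
    if etype == "user_login_attempt":
        auth = event.get("auth_context", {})
        # Field is only present when AD, not JumpCloud, validated the password.
        if auth.get("password_delegated_authority") == "ActiveDirectory":
            ok = auth.get("auth_methods", {}).get("password", {}).get("success")
            return "delegated-login-success" if ok else "delegated-login-failure"
        return None
    if etype in DELEGATION_CONFIG_EVENTS:
        return f"delegation-config:{etype}"
    return None


def triage(ndjson_text: str) -> dict:
    """Group subjects (username, else id) by finding label for a newline-delimited export."""
    findings: dict = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            subject = event.get("username", event.get("id", "?"))
            findings.setdefault(label, []).append(subject)
    return findings


# Constructed sample export: two delegated logins (one failed), one login
# validated by JumpCloud itself, and two configuration-change events.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event_type": "user_login_attempt", "username": "alice",
     "auth_context": {"auth_methods": {"password": {"success": True}},
                      "password_delegated_authority": "ActiveDirectory"}},
    {"event_type": "user_login_attempt", "username": "bob",
     "auth_context": {"auth_methods": {"password": {"success": False}},
                      "password_delegated_authority": "ActiveDirectory"}},
    {"event_type": "user_login_attempt", "username": "carol",
     "auth_context": {"auth_methods": {"password": {"success": True}}}},
    {"event_type": "user_delegated_authority_update", "username": "dave"},
    {"event_type": "activedirectory_domain_delegated_password_change",
     "id": "ad-config-1"},
])

if __name__ == "__main__":
    for label, subjects in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {', '.join(subjects)}")
```

The configuration-change labels are the ones worth alerting on: a user_delegated_authority_update or activedirectory_domain_delegated_password_change moves password validation between JumpCloud and AD, so each should map to an approved change. The delegated-login-failure bucket is where AD lockout or password-policy problems for imported users will first show up.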

End User experience

  • Existing AD users imported from AD to JumpCloud no longer have to reset their password in AD to log in to JumpCloud managed resources when delegated authentication is enabled for them:
    • If the import agent is installed on DCs, the password is stored in JumpCloud after the initial log in. The stored password is synced to other resources and can be used to log in to resources that don’t support delegated authentication to AD, such as Cloud RADIUS and Cloud LDAP.
    • If the import agent is installed on AD member servers, the password is never stored in JumpCloud.
  • Users associated with a delegation-enabled ADI AD domain who have their Delegated Authority set to Active Directory will receive a new AD welcome email.

ADI Service

  • When multiple AD import agents are installed, one is designated as the primary agent by the ADI service. All delegated authentication requests are sent to that agent. If that agent becomes unavailable, another active import agent is automatically designated as the primary agent by the ADI service

JumpCloud v2 API

  • Updated the Create a new Active Directory Integration /activedirectories endpoint to support setting and unsetting delegated authentication as well as setting and changing the deployment configuration in the ADI configuration for a specific AD domain. The newly added parameters are:
    • delegationState
    • useCase
  • Updated the Update Active Directory /activedirectories/{id} endpoint to support setting and unsetting delegated authentication as well as setting and changing the deployment configuration in the ADI configuration for a specific AD domain. The newly added parameters are:
    • delegationState
    • useCase

End user schema model

  • Added delegated_authority to the systemuser schema
    • Delegated authentication set on the user: "delegatedAuthority": {"name": "ActiveDirectory"}
    • Delegated authentication unset on the user: "delegatedAuthority": null

AD Import Agent v3.0

Installer changes

  • Reordered the installer screens
  • Added support for new format of the API key 
  • Added a new step for entering the import agent connect key
    • An import agent connect key is now required when installing the import agent on a new AD server.
    • Upgrades to import agent v3.0 and higher will not prompt for the connect key. The stored connect key will be used.
    • A connect key is required when upgrading from import agent v2.6.0 or lower.

Logs

  • New delegated authentication specific log file JumpCloud_AD_Import_Grpc.log. The log file is located in the AD import agent install folder that was specified during installation. The default location for the install folder is JumpCloud\AD Integration\JumpCloud AD Import

Functionality

  • Added support for delegated authentication from JumpCloud to AD using mTLS
  • Connect key is stored in the registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\AD Integration Import Agent\connect_key

AD Sync Agent v4.15.0

  • No functionality changes
  • Minor changes related to the agent deployment process

2024-03-21 ADI Release Notes

AD Sync Agent v4.11.1

Bug fix

  • AD Sync Agent replaced sAMAccountName (SAM) with UserPrincipalName (UPN) even when the AD Import Agent was configured to use the UPN instead of the SAM for the username value

Installer changes

  • Logo update

2024-02-06 ADI Release Notes

Admin Portal

New ADI Directory Insights (DI) Events

  • activedirectory_agent_inactive: Logged when an agent is marked as inactive. This occurs when the agent stops responding to the heartbeat check or when the agent service is stopped on the server. New event.
  • activedirectory_agent_active: Logged when an agent successfully registers for the first time. New event.
  • activedirectory_primary_agent_switch: Logged when an agent is marked as the primary agent if a primary doesn’t exist or the agent that was primary becomes inactive. Updated to include hostname, version, source_ip, host_type, host_os_version.
  • activedirectory_agent_activate: Logged when an agent becomes active from an inactive state. Updated to include hostname, version, source_ip, host_type, host_os_version.

Additional information captured in ADI Directory Insights (DI) Events

  • host_type and host_os_version logged in all ADI import and sync agent DI events

AD Import Agent v2.6.0

Installer changes

  • The installation wizard no longer prompts for selecting LDAPS or LDAP when installing the agent on a domain controller (DC)

Logging changes

  • LDAPS error suppressed in event log when LDAP allowed

AD Sync Agent v4.10.0

Installer changes

  • The installation wizard no longer prompts for selecting LDAPS or LDAP when installing the agent on a domain controller (DC)

Logging changes

  • Email and username added back to the sync agent logs
  • LDAPS error suppressed in event log when LDAP allowed