Create a Windows Self-Service Account Provisioning Policy

Use the Windows Self-Service Account Provisioning (SSAP) policy to configure how users create their JumpCloud accounts on Windows devices directly from the login window. This streamlines user onboarding and enables light-touch device configuration for admins, particularly on shared or kiosk devices. Policy settings allow you to specify whether only the first user can provision an account, or if multiple users can sign in with JumpCloud and automatically provision their device accounts.

Prerequisites

• Windows devices that meet JumpCloud’s Agent Compatibility and System Requirements.
  • Windows Home editions aren't supported.
  • Windows Server editions aren't supported.
  • Active Directory (AD) and Entra ID joined devices aren’t supported. 
• The JumpCloud agent must be installed and running on Windows devices. See Install the Windows Agent. 
• When using default behavior (Enabled), the device cannot have an existing JumpCloud-bound user account.

Considerations

• Takeover of an existing local account on a device isn't supported. Device association will fail if the user signing in has a JumpCloud username that matches an existing local account. 
• This feature doesn't support creating a new JumpCloud user object at the device login window. The JumpCloud user must exist within the org and have credentials assigned.
• Created policies take precedence and will override the global SSAP configuration set in Device Settings. See Provision New Users on Device Login to learn more.

To create the policy:

1. Log in to the JumpCloud Admin Portal.
2. Go to DEVICE MANAGEMENT > Policy Management.
3. In the All tab, click (+).
4. On the New Policy panel, select the Windows tab.
5. Search for Windows - Self-Service Account Provisioning Policy, then click configure.

6. (Optional) In Policy Name, enter a new name for the policy or keep the default. Policy names must be unique.
7. (Optional) In Policy Notes, enter details like when you created the policy, where you tested it, and where you deployed it.
8. Select from the following options:
   • Enabled: Only the first user on the device can sign in with JumpCloud. This is the default behavior for SSAP
     • (Optional) Set the User Permission Level for the device account.
   • Always Enabled: Lets multiple users sign in to the device with JumpCloud and automatically provision their device accounts.
     • (Optional) Set the User Permission Level for created device accounts.
   • Disabled: Prevents all users not already bound to a device from signing in with JumpCloud and provisioning their account on the login window. Admins must bind users to devices for them to appear on the login window.
9. Go to the Devices tab to bind the policy to a device, or the Device Groups tab to bind it to a group of devices.
10. (Optional) Go to the Policy Groups tab to add this policy to an existing group of policies.

11. Click Save.

After saving the policy, it may take a few minutes for the device to enforce it. You can view its status to determine if it applied successfully or if additional steps are needed.

Once the policy applies, Sign in with JumpCloud appears on the device login window. If you don't see it immediately, it will be visible after the login window refreshes or the device restarts.

Understanding Policy Priority 

When you configure multiple SSAP policies for specific devices or device groups and they conflict with the global setting, the system prioritizes least privileged access. You’ll be notified of these policy conflicts. 

The following list outlines the priority order for resolving conflicting SSAP settings and policies, from highest to lowest:

1. Disabled
2. Enabled (First User) - Standard Permissions
3. Always Enabled (Multiple Users) - Standard Permissions
4. Enabled (First User) - Administrator Permissions
5. Always Enabled (Multiple Users) - Administrator Permissions