FAQ: JumpCloud Protect Admins

Your users can download the JumpCloud Protect® mobile app to secure their accounts using Multi-Factor Authentication (MFA). The app can be downloaded from the iOS App Store or the Google Play Store. Once your users have downloaded the app and successfully enrolled their devices, they can authenticate using Push MFA or Verification (TOTP) Code MFA.

This KB article will answer common questions and offer suggestions to troubleshoot any issues that may arise during your team’s use of JumpCloud Protect.

Frequent Questions and Answers

What software package is JumpCloud Protect included in?

JumpCloud Protect is available in all JumpCloud tiers.

Where can my users download JumpCloud Protect?

JumpCloud Protect can be downloaded from the iOS App Store or the Google Play Store.

What versions of Android and iOS does JumpCloud Protect support?

iOS 13 and above, and Android 8 and above. 

Are there any countries where JumpCloud Protect can’t be downloaded?

The JumpCloud Protect mobile app may not be available in restricted countries such as Iran, Cuba, Syria, Sudan, North Korea, Russia, Belarus, and the Crimean region. Google Playstore is blocked in China, so users will not be able to download JumpCloud Protect on Android devices there. Even when downloaded elsewhere, JumpCloud Protect push won't work when traveling to certain countries.

Can my users enroll multiple devices at once?

No. Currently, users can only enroll one device at a time with JumpCloud Protect. If they get a new device, they should enroll the new device before wiping the old, or log in using another factor to enroll the new device. If those steps are missed they will need to contact admin for enrollment on the new device.

If my users enroll in Push MFA, are they automatically enrolled in Verification Code MFA?

No. Your users need to enroll in each type of MFA separately.

Can my users transfer Push MFA enrollment to another device?

No, enrollments cannot be transferred. Users must unenroll the old device before enrolling the new device through the JumpCloud User Portal. 

What data does JumpCloud Protect collect?

JumpCloud Protect will collect certain diagnostic and usage data for troubleshooting issues and continuous app improvements. There is no user information collected.

Users can opt out of diagnostic and usage data collection from the Settings > Privacy screen.

My users are already enrolled in Verification Code MFA through Google Authenticator/Authy/Duo. Can they continue to use that?

Yes. If you decide to use JumpCloud Protect for verification code MFA in the future, your users will need to enroll in it using the JumpCloud User Portal. Once they do so, their current enrollment will be reset and they will use JumpCloud Protect. 

What security practices are employed by the JumpCloud Protect app?

JumpCloud Protect is highly secure and uses asymmetric key cryptography for security. When a device is enrolled and activated, an asymmetric key pair (public and private key) is generated. The private key is stored securely on the device while the public key is stored on JumpCloud’s servers. The push requests and responses are then signed by the key pair making the transactions highly secure.The communication between the mobile app and JumpCloud’s servers is encrypted. All communication is sent through https connections using TLS.

How can I protect users against Push Bombing and MFA Fatigue Risks?

Push Bombing is a hacking method of triggering multiple 2FA attempts using push notifications until the user may accept the request accidentally.  MFA Fatigue is the term for when, due to the multiple 2FA requests, a user accepts the fraudulent request out of frustration.

Here are ways to protect your organization against such an attack: 

  • An attacker can initiate a Push MFA request after obtaining a user’s password. Setting a strong password policy and using account lockout policies will reduce password brute force attacks. 
  • Enable biometric on JC Protect for an extra layer of identity protection.
  • Leverage Conditional Access Policies for additional safeguards.
  • Educate users to check application and location information before approving a push request, and to deny any request they suspect is fraudulent.
    • Keep in mind that location information does not have 100% accuracy, especially at the city level. 

Important:

JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second period, except for RADIUS and LDAP attempts. Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights.

Troubleshooting Issues and Resolutions

My users cannot receive push notifications.

Here are some troubleshooting hints to ensure your users receive push notifications: 

  • Verify that the device is not in “Do Not Disturb” mode.
  • Ensure that the device is connected to a strong Wi-Fi or cellular data signal.
  • If using iOS, ensure that the JumpCloud Protect app has permission to receive push notifications in Settings. 
  • Restart the device and see if notifications have resumed.
  • Contact JumpCloud’s Support team.

Tip:

A rare scenario (for example an OS update) is that the token used for the push notification could change and cause this. In this case, the user should open the app, which will refresh the token, and notifications should resume. If the notifications still are not working, try having the IT Admin remove enrollment and re-enroll the user.

My JumpCloud Protect notification did not display on my Android device.

On Android devices, Push notifications do not wake the device from sleep, though a sound may play if enabled. Your users will need to wake the device before interacting with the Push notification. Also, notifications get grouped, so a user must drag down on the notifications from the top to view all of them.

What if one of my users wiped their device or got a new device?

If your users have configured an alternate MFA method such as TOTP or WebAuthn, they can use that method to log into their User Portal and remove Push enrollment and re-enroll. If they have not set up an alternative factor, the IT admin can remove Push enrollment.

Mobile Biometric authentication is not working.
  • Touch ID could fail because of a wet finger or something similar. User can revert to using passcode or can try TouchID again.
  • Face ID could fail for multiple reasons (awkward positioning, mask-wearing). User can revert to using passcode or can try Face ID again.
  • If Biometric is still not working the user should use a different factor such as TOTP or webauthn.

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case