Use Conditional Access Policies to implement Zero Trust security in your organization. You can create conditional access policies that secure access to resources based on conditions like a user's identity and the network and device they’re on. For example, lock down your environment with policies that deny access when users are on unmanaged devices or unapproved networks. Alternatively, relax access and let users log in to the User Portal without Multi-factor Authentication (MFA) when they’re on a VPN or managed device.
Conditional Policies are only supported on the following browsers:
- Windows: Google Chrome, Microsoft Edge
- macOS: Google Chrome, Safari
- Linux: Google Chrome
Conditional Access Policies List View
To find the list view, log into the Admin portal at https://console.jumpcloud.com/ then go to SECURITY MANAGEMENT > Conditional Policies.
From the list view you can:
- View the status of the configured Global Policies. To make changes to these policies, click Edit in Settings.
- See a list of the conditional access policies that you’ve configured.
- Configure (or delete) conditional access policies for the User Portal, SSO Applications, or JumpCloud LDAP.
- Access the Conditional Policy Settings page, where you can enable Certificate Distribution and manage Global Policy Settings.
- See: Set a Global Policy
Understanding Policy Precedence
Conditional Access Policies work in conjunction with Global Policies. If none of the configured conditional policies apply to a user, the Global Policies are enforced as the fallback.
Before you create several conditional access policies, it’s important to understand policy precedence so that you don’t accidentally lock out your users. When you have several policies enabled, the policy precedence is the following:
- A policy set to deny access is first priority.
- A policy set to allow access with MFA is second priority.
- A policy set to allow access without MFA is third priority.
This means if several policies with different actions apply to a user, the policy that denies access takes effect over policies that allow access with or without MFA.
For example, consider these two policies:
- One policy denies access to the User Portal if a user isn’t on an approved network. You include a specific user group with this policy.
- Another policy allows access to the User Portal with MFA. You include all your users with this policy.
Result: If a user is included in both policies and they try to log in to the User Portal from an unapproved network, they’re denied access.
With that in mind, we recommend being very specific when you create a policy that denies access. If you’re not careful, you could prevent your users from being able to access resources.
When no conditional access policies apply to a user, the Global Policy takes effect. For example, say you have:
- A conditional access policy that allows access without MFA.
- A user who isn’t included in the policy.
- The Global Policy set to allow access with MFA.
In this case, the user is required to authenticate with MFA.
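The precedence rules and the Global Policy fallback described above can be modelled as a small evaluator. The following is an added Python example, not JumpCloud code: the policy names, group names, context fields, and the way conditions are encoded are all constructed for illustration. It reproduces both worked examples from the text (deny beats allow-with-MFA for a user in both policies; a user outside every conditional policy falls back to the Global Policy).

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Action(IntEnum):
    """Policy actions. The integer value is the documented precedence:
    lower wins when several policies apply to the same user."""
    DENY = 0
    ALLOW_WITH_MFA = 1
    ALLOW_WITHOUT_MFA = 2


@dataclass(frozen=True)
class LoginContext:
    """Facts about one login attempt (constructed field names)."""
    user: str
    groups: frozenset
    network_approved: bool
    device_managed: bool


@dataclass
class Policy:
    name: str
    resource: str                         # "user_portal", "sso", or "ldap"; one per policy
    action: Action
    groups: Optional[frozenset] = None    # None means the policy includes all users
    # Conditions the login context must satisfy for the policy to apply, e.g.
    # {"network_approved": False} for "user isn't on an approved network".
    conditions: dict = field(default_factory=dict)

    def applies(self, resource: str, ctx: LoginContext) -> bool:
        if self.resource != resource:
            return False
        if self.groups is not None and not (self.groups & ctx.groups):
            return False
        return all(getattr(ctx, attr) == wanted
                   for attr, wanted in self.conditions.items())


def evaluate(resource: str, ctx: LoginContext, policies, global_policy: Action):
    """Return (action, source). The highest-precedence matching conditional
    policy wins; if none matches, the Global Policy is the fallback."""
    matching = [p for p in policies if p.applies(resource, ctx)]
    if not matching:
        return global_policy, "Global Policy"
    winner = min(matching, key=lambda p: p.action)
    return winner.action, winner.name


# Constructed policies mirroring the examples in the text (hypothetical names).
POLICIES = [
    Policy("Deny User Portal off approved network", "user_portal", Action.DENY,
           groups=frozenset({"contractors"}), conditions={"network_approved": False}),
    Policy("User Portal with MFA", "user_portal", Action.ALLOW_WITH_MFA),
    Policy("LDAP without MFA on managed device", "ldap", Action.ALLOW_WITHOUT_MFA,
           groups=frozenset({"engineering"}), conditions={"device_managed": True}),
]
GLOBAL_POLICY = Action.ALLOW_WITH_MFA


if __name__ == "__main__":
    attempts = [
        ("user_portal", LoginContext("alice", frozenset({"contractors"}), False, False)),
        ("user_portal", LoginContext("alice", frozenset({"contractors"}), True, False)),
        ("ldap", LoginContext("bob", frozenset({"sales"}), True, True)),
        ("ldap", LoginContext("carol", frozenset({"engineering"}), True, True)),
    ]
    for resource, ctx in attempts:
        action, source = evaluate(resource, ctx, POLICIES, GLOBAL_POLICY)
        print(f"{ctx.user:6} -> {resource:12} {action.name:18} via {source}")
```

The `min()` over the `Action` value is the whole precedence rule: a matching deny always wins, then allow-with-MFA, then allow-without-MFA. Note that the all-users MFA policy means the Global Policy never fires for the User Portal in this set, which is why the fallback case is shown on LDAP.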
You can create Conditional Access Policies for the User Portal, SSO applications, and LDAP applications. A policy can only have one resource type associated with it, so you can’t have one policy that applies to both the User Portal and SSO applications.
- User Portal: Configure a policy that relaxes, restricts, or denies access to the User Portal.
  - For example, use a device condition to let users log in to the User Portal without MFA when they’re on a JumpCloud managed device, or set a policy across all your users that requires MFA to access the User Portal.
To avoid account lockout and password reset failure issues, we recommend informing your users to set up an MFA factor in their User Portal before you apply a conditional access policy to the User Portal. For user instructions on how to do this, see Set up an Authenticator App.
- SSO Applications: Use a policy to relax, restrict, or deny access to SSO applications when users access them from the User Portal or through SP-initiated authentication.
  - For example, enable a policy for your software engineer user groups that requires them to use MFA when they access AWS and GitHub applications.
- LDAP Applications: Use a policy to relax, restrict, or deny access to LDAP applications when users access them from the User Portal.
  - For example, enable a policy for your users that requires them to use MFA when accessing the VPN.
When you create a conditional access policy that requires MFA, users who are included in the policy but don’t have MFA set up will be required to enroll in MFA the next time they log in to the User Portal.