Get Started: Google Device Login

This article provides a high-level overview of using Google Workspace as the Identity Provider (IdP) for Mac computers and Windows devices. By configuring this integration, users authenticate to their devices using their Google Workspace credentials, creating a unified identity across web applications and physical hardware.

Overview

JumpCloud uses two protocols to facilitate this integration:

  • OIDC: Used for web-based authentication, such as logging into the JumpCloud User Portal.
  • Secure LDAP: Used for device authentication. The JumpCloud agent on the device communicates with Google’s Secure LDAP service to verify credentials during login.

Prerequisites:

  • You must have Administrator with Billing permissions in JumpCloud and super administrator access to the Google Workspace Admin console and Google Cloud Console.
  • An active Google Workspace directory and macOS or Windows devices with the JumpCloud agent installed.
  • Devices must have an active internet connection to perform the initial password validation and synchronization with Google.

Considerations:

  • Once enabled, Google Workspace becomes the authoritative source for passwords. Password changes performed in the JumpCloud Admin Portal will not sync to Google.
  • This feature is applied at the User Group level. Only users in assigned groups will be prompted to use Google credentials for device login.
  • Do not use standalone deferral or restriction policies that interfere with the JumpCloud Login Window (macOS) or the JumpCloud Credential Provider (Windows).

Understanding the Workflow

1. Configure the Handshake in Google

Before JumpCloud can verify identities, you must establish secure connections in the Google environment:

2. Create the Identity Provider in JumpCloud

In the JumpCloud Admin Portal, you create a new Identity Provider for Google. During this step, you upload the OIDC credentials and the LDAP certificate files. You then assign the policy to specific User Groups to determine which users are required to authenticate with Google. See Configuring Google Cloud as an IdP in JumpCloud.
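Because the LDAP certificate files uploaded in this step are what the device-side check depends on, it is worth confirming before uploading that the certificate and private key actually belong together and that the certificate is not about to expire. The script below is an added example, not JumpCloud or Google code; it assumes the LDAP client credential is a PEM certificate plus a PEM private key and uses only standard openssl commands. The sample certificate it checks is generated on the fly, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the JumpCloud article): sanity-check an LDAP client
# certificate/key pair before uploading it to an Identity Provider configuration.
# Checks that (1) the certificate parses as PEM, (2) the private key matches the
# certificate, and (3) the certificate has at least MIN_DAYS of validity left.

# check_ldap_cert CERT_PEM KEY_PEM [MIN_DAYS]
# Prints a reason and returns 1 on the first failed check; returns 0 if all pass.
check_ldap_cert() {
  cert="$1"; key="$2"; min_days="${3:-30}"

  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not a valid PEM certificate"; return 1; }

  # Derive the public key from both files and compare digests (works for RSA and EC).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match certificate"; return 1; }

  # -checkend takes seconds and exits non-zero if the cert expires within that window.
  secs=$((min_days * 86400))
  openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1 \
    || { echo "FAIL: certificate expires within $min_days days (or is already expired)"; return 1; }

  echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
  return 0
}

# Demo on a constructed, throwaway self-signed pair (placeholder CN, not a real tenant).
demo() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-ldap-client" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
  check_ldap_cert "$tmp/cert.pem" "$tmp/key.pem" 30
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
  *check_ldap_cert*|*sh) : ;;
  *) demo ;;
esac
```

Run it as `sh check_ldap_cert.sh`, or source it and call `check_ldap_cert cert.pem key.pem 30` against the real files. A mismatched key or a short-lived certificate is reported before anything is uploaded, which is cheaper than discovering it at a user's login window.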

3. Provision Accounts to Devices

You can provision accounts to devices by binding them manually; see Bind Users to Devices.

Optionally, to automate the creation of local accounts, you can enable Self-Service Account Provisioning (SSAP) or Automated Device Enrollment (ADE).

  • With SSAP, a user can walk up to a new device and enter their Google Workspace email.
  • JumpCloud verifies the identity with Google and immediately creates a local managed profile on the device.

4. Manage the User Experience

Once configured, the user's login experience shifts to the Google password:

  • Initial Login: Users enter their Google password at the JumpCloud Login Window (macOS) or the Windows login screen.
  • Password Synchronization: If a user updates their password at myaccount.google.com, the change is detected at the next logout or reboot.
    • macOS: After a full logout, a user at the Mac login window is prompted to reset the password. If the user locks the device, the Menu Bar App prompts for a sync on unlock.
    • Windows: After a logout or after locking the device, the user is prompted for their old and new passwords at the next login so that local data (like the macOS Keychain) remains accessible.
