Support Home > Devices > Provision New Users on Device Login

Provision New Users on Device Login

Self-Service Account Provisioning lets users bind their account to a JumpCloud-managed macOS or Windows device directly from the login window. This streamlines the onboarding experience for users and enables light-touch device configuration for admins.  

When enabled, users will see Sign in with JumpCloud at the device login window and enter their credentials to begin the user-led provisioning process.

Note:

Sign in with JumpCloud is only present on devices that have no current JumpCloud user associations.

Understanding the Benefits:

  • Manage wireless connectivity from the improved macOS device login window. 
  • Save time and IT resources spent manually associating users to devices with a light-touch device onboarding process for admins.
  • Simplify the onboarding experience and let users start working quickly from their JumpCloud-managed account on their JumpCloud-managed device.
  • Enable login of federated user identities to JumpCloud-managed devices. See Get Started: Federated Authentication.

Prerequisites:

  • macOS and Windows devices that meet JumpCloud’s Agent Compatibility and System Requirements.
    • Windows Home editions aren’t supported.
    • Windows Server editions aren’t supported.
    • Windows ARM editions are not supported. Sign in with JumpCloud won’t appear on the login window of these devices.
    • Active Directory (AD) and Azure Active Directory (AAD) joined devices are not supported. 
  • The JumpCloud agent has to be installed and running on macOS and Windows devices. See Install the Mac Agent and Install the Windows Agent
  • The device cannot have an existing JumpCloud-bound user account.

Considerations

  • Self-Service Account Provisioning can only add a new JumpCloud user to a device. Takeover of an existing local account on a device is not supported. Device association will fail if the user signing in has a JumpCloud username that matches an existing local account. 

Enabling Self-Service Account Provisioning (Admin)

To enable Self-Service Account Provisioning for your org: 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices > Device Settings.
  3. Under Self-Service Account Provisioning:
    1. Click to toggle macOS to On to enable Self-Service Account Provisioning on macOS devices.
    2. Click to toggle Windows to On to enable Self-Service Account Provisioning on Windows devices.
  4. Under User Permission-level, choose what permissions are assigned to a user when they’re provisioned on the device:
    1. Choose Administrator to assign admin or sudo privileges to the user.   
    2. Choose Standard to assign non-administrative or non-sudo privileges to the user. 

Note:

See Set Admin/Sudo Permissions to learn more about admin/sudo privileges on devices. 

Exploring the macOS Login Window

Enabling Self-Service Account Provisioning deploys the updated login window to macOS devices. There are several benefits over the standard macOS login window:

  1. Manage WiFi connectivity from the login window by clicking Wireless
  2. Refresh the login window to update any user association changes made by admins. 
  3. View internet connectivity status at a glance with the red or green indicator in the top right menu bar. 
  4. Review device health and diagnostic details by clicking the (i) in the top right menu bar for System Information.

Using Self-Service Account Provisioning (User)

When your admin enables the feature, the Sign in with JumpCloud button appears on your macOS or Windows device login window. The login process will differ slightly depending on the OS of your device. 

Signing in on a macOS Device 

To use Sign In with JumpCloud on a macOS device:

  1. In the macOS menu bar at the top right, ensure the device is connected to the internet and shows Online status before continuing.
  2. On the macOS login window, click Sign in with JumpCloud.
  3. In the User Login window, enter your email address and click Continue.
  4. Enter your password and click Login.

Note:

During account creation, user and device MFA requirements are ignored. After account creation, you'll be prompted for MFA on next login if enforced by your admin. 

  1. After successful authentication, the account is created on the device and directs you back to the login screen.
  2. Click the newly added icon for your account and then enter your password.
  3. Follow the on-screen prompts to complete the macOS account configuration.
  4. Once completed, you’ll be logged in.

Signing in on a Windows Device

To use Sign In with JumpCloud on a Windows device:

  1. Ensure the device is connected to the internet before continuing.
  2. On the Windows login window, click Sign In with JumpCloud at the bottom left.
  3. Under JumpCloud, Click here to sign in.
  4. In the User Login window, enter your email address and click Continue.
  5. Enter your password and click Login.

Note:

During account creation, user and device MFA requirements are ignored. Once the account is created, you will be prompted for MFA on next login if enforced by your admin. 

  1. You’ll be prompted to enter your password and set a PIN to complete the setup. The PIN can be used as an alternative to the JumpCloud account password.

Note:
  • The PIN must be at least 6 characters. 
  • If PIN sign in is blocked by a Group Policy Object (GPO) on the device, accounts will be provisioned but not automatically signed in. Users must restart their device to sign into the new account. See Troubleshoot: Provision New Users on Device Login.
  1. The Windows account provisioning process will begin. Once completed, you’ll be logged in.

Disabling Self-Service Account Provisioning (Admin)

To disable Self-Service Account Provisioning for your org: 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices > Device Settings.
  3. Under Self-Service Account Provisioning:
    1. Click to toggle macOS to Off to disable on macOS devices.
    2. Click to toggle Windows to Off to disable on Windows devices.

Important:

Disabling Self-Service Account Provisioning will not remove any existing JumpCloud users on devices. You can manage user to device associations in the JumpCloud Admin Console. See Bind Users to Devices.

FAQ

What if I only want to enable the new macOS login window with wireless connectivity?

You can enable Self-Service Account Provisioning for macOS devices to take advantage of the new login window. If JumpCloud users are already bound to devices via Admin action, the Sign in with JumpCloud button will not appear. 

Can I still manually associate users to devices when Self-Service Account Provisioning is enabled?

Yes, you can still associate users to devices via the Devices list in the Admin Portal. However, the Sign in with JumpCloud option will not be present on device login to add additional user accounts.

Does Self-Service Account Provisioning support account takeover?

No, only the creation of a new JumpCloud account on a device is supported. Device association will fail if the JumpCloud username matches an existing local account on the device.

What happens if users need to enroll in MFA?

When users Sign in with JumpCloud on a device, MFA requirements are temporarily ignored for provisioning. Users will need to enroll in MFA in a JumpCloud User Portal browser session. See MFA for Users.

Troubleshooting

See Troubleshoot: Provision New Users on Device Login.

List IconIn this Article

Notebook IconLearn More

Troubleshoot: Provision New Users on Device Login

Tutorial: Self-Service Account Provisioning

Bind Users to Devices

Log in to Device with Authenticator App

Set Admin/Sudo Permissions

Get Started: Federated Authentication

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case