Self-Service Account Provisioning lets users bind their account to a JumpCloud-managed macOS or Windows device directly from the login window. This streamlines the onboarding experience for users and enables light-touch device configuration for admins.
When enabled, users see Sign in with JumpCloud at the device login window and enter their existing JumpCloud user credentials to begin the user-led provisioning process.
Sign in with JumpCloud is only present on devices that have no current JumpCloud user associations.
Understanding the Benefits:
- Manage wireless connectivity from the improved macOS device login window.
- Save time and IT resources spent manually associating users to devices with a light-touch device onboarding process for admins.
- Simplify the onboarding experience and let users start working quickly from their JumpCloud-managed account on their JumpCloud-managed device.
- Enable login of federated user identities to JumpCloud-managed devices. See Get Started: Federated Authentication.
Prerequisites:
- macOS and Windows devices that meet JumpCloud’s Agent Compatibility and System Requirements.
- Windows Home editions aren't supported.
- Windows Server editions aren't supported.
- Windows ARM editions are not supported. Sign in with JumpCloud won't appear on the login window of these devices.
- Active Directory (AD) and Entra ID joined devices are not supported.
- The JumpCloud agent has to be installed and running on macOS and Windows devices. See Install the Mac Agent and Install the Windows Agent.
- The device cannot have an existing JumpCloud-bound user account.
Considerations
- Self-Service Account Provisioning can only add an existing JumpCloud user to a device that doesn't have any JumpCloud user associations.
- Takeover of an existing local account on a device isn't supported. Device association will fail if the user signing in has a JumpCloud username that matches an existing local account.
- This feature doesn't support creating a new JumpCloud user at the device login window. The JumpCloud user must exist within the org and have credentials assigned.
Enabling Self-Service Account Provisioning (Admin)
To enable Self-Service Account Provisioning for your org:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices > Device Settings.
- Under Self-Service Account Provisioning:
- Click to toggle macOS to On to enable Self-Service Account Provisioning on macOS devices.
- Click to toggle Windows to On to enable Self-Service Account Provisioning on Windows devices.
- Under User Permission-level, choose the permissions assigned to a user when they’re provisioned on the device:
- Choose Administrator to assign administrator/sudo privileges to the user.
- Choose Standard to assign non-administrative or non-sudo privileges to the user.
- See Set Admin/Sudo Permissions to learn more about administrator/sudo privileges on devices.
- By default, new users added to devices have their JumpCloud password synced to their device. You can disable Password Synchronization to have users enter a local password to log into their device instead. See Device Password Sync to learn more.
Exploring the macOS Login Window
Enabling Self-Service Account Provisioning deploys the updated login window to macOS devices. There are several benefits over the standard macOS login window:
- Manage WiFi connectivity from the login window by clicking Wireless.
- Refresh the login window to update any user association changes made by admins.
- View internet connectivity status at a glance with the red or green indicator in the top right menu bar.
- Review device health and diagnostic details by clicking the (i) in the top right menu bar for System Information.
Using Self-Service Account Provisioning (User)
When your admin enables the feature, the Sign in with JumpCloud button appears on your macOS or Windows device login window. The login process will differ slightly depending on the OS of your device.
Signing in on a macOS Device
To use Sign In with JumpCloud on a macOS device:
- In the macOS menu bar at the top right, ensure the device is connected to the internet and shows Online status before continuing.
- On the macOS login window, click Sign in with JumpCloud.
- In the User Login window, enter your email address and click Continue.
- Enter your password and click Login.
During account creation, user and device MFA requirements are ignored. After account creation, you'll be prompted for MFA on next login if enforced by your admin.
- After successful authentication, the account is created on the device and directs you back to the login screen.
- Click the newly added icon for your account and then enter your password.
- Follow the on-screen prompts to complete the macOS account configuration.
- Once completed, you’ll be logged in.
Signing in on a Windows Device
To use Sign In with JumpCloud on a Windows device:
- Ensure the device is connected to the internet before continuing.
- On the Windows login window, click Sign In with JumpCloud at the bottom left.
- Under JumpCloud, Click here to sign in.
- In the User Login window, enter your email address and click Continue.
- Enter your password and click Login.
During account creation, user and device MFA requirements are ignored. Once the account is created, you will be prompted for MFA on next login if enforced by your admin.
- You’ll be prompted to enter your password and set a PIN to complete the setup. The PIN can be used as an alternative to the JumpCloud account password.
- The PIN must be at least 6 characters.
- If PIN sign in is blocked by a Group Policy Object (GPO) on the device, accounts will be provisioned but not automatically signed in. Users must restart their device to sign in to the new account. See Troubleshoot: Provision New Users on Device Login.
- The Windows account provisioning process will begin. Once completed, you’ll be logged in.
Disabling Self-Service Account Provisioning (Admin)
To disable Self-Service Account Provisioning for your org:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Devices > Device Settings.
- Under Self-Service Account Provisioning:
- Click to toggle macOS to Off to disable on macOS devices.
- Click to toggle Windows to Off to disable on Windows devices.
Disabling Self-Service Account Provisioning will not remove any existing JumpCloud users on devices. You can manage user to device associations in the JumpCloud Admin Portal. See Bind Users to Devices.
FAQ
You can enable Self-Service Account Provisioning for macOS devices to take advantage of the updated login window. If JumpCloud users are already bound to devices via Admin action, the Sign in with JumpCloud button won't appear.
Yes, you can still associate users to devices via the Devices list in the Admin Portal. However, the Sign in with JumpCloud option will not be present on device login to add additional user accounts.
No, only the creation of a new JumpCloud account on a device is supported. Device association will fail if the JumpCloud username matches an existing local account on the device.
When users Sign in with JumpCloud on a device, MFA requirements are temporarily ignored for provisioning. Users will need to enroll in MFA in a JumpCloud User Portal browser session. See MFA for Users.
Troubleshooting
See Troubleshoot: Provision New Users on Device Login.