Provision New Users on Device Login

Self-Service Account Provisioning lets users bind their account to a JumpCloud-managed macOS or Windows device directly from the login window. This streamlines the user onboarding experience and allows for light-touch device configuration for admins.  

When enabled, users see Sign in with JumpCloud at the device login window and enter their existing JumpCloud user credentials to begin the user-led provisioning process.

Note:

By default, Sign in with JumpCloud only appears on devices that have no existing JumpCloud user associations. On Windows devices, you can customize the behavior by configuring a policy. See Create a Windows Self-Service Account Provisioning Policy to learn more.

Understanding the Benefits:

  • Manage wireless connectivity from the improved macOS device login window. 
  • Save time and IT resources by eliminating manual user-to-device association, providing a light-touch device onboarding for admins.
  • Simplify the onboarding experience and let users start working quickly from their JumpCloud-managed account on their JumpCloud-managed device.
  • Enable federated user identity login to JumpCloud-managed devices. See Get Started: Federated Authentication.

Prerequisites:

Considerations:

  • On macOS devices, Self-Service Account Provisioning can only add an existing JumpCloud user to a device that doesn't have any existing JumpCloud user associations.
    • On Windows devices, you can customize the behavior by configuring a policy. See Create a Windows Self-Service Account Provisioning Policy to learn more.
    • Takeover of an existing local account on a device isn't supported. Device association will fail if the user signing in has a JumpCloud username that matches an existing local account. 
  • This feature doesn't support creating a new JumpCloud user at the device login window. The JumpCloud user must exist in the org and have credentials assigned.
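The local-account collision described above can be checked for before the feature is turned on. The following is an added example, not part of JumpCloud's documentation or tooling: a shell check that compares the regular local accounts on a macOS device against a list of JumpCloud usernames. It assumes a hypothetical one-username-per-line export file, assumes names are compared case-insensitively, and uses constructed sample data.

```shell
#!/bin/sh
# Added example: predict which JumpCloud usernames collide with existing local
# macOS accounts (the case where device association fails).
# Assumptions, not from the page: case-insensitive comparison, and a
# hypothetical one-username-per-line export of JumpCloud usernames.
LC_ALL=C; export LC_ALL

# Read `dscl . -list /Users UniqueID` output on stdin and print lowercased
# names of regular accounts: UID >= 501 and no "_" service-account prefix.
local_accounts() {
    awk 'NF >= 2 && $1 !~ /^_/ && $NF ~ /^[0-9]+$/ && $NF + 0 >= 501 {
             print tolower($1)
         }' | sort -u
}

# collisions <dscl_output_file> <jc_users_file>: print names present in both.
collisions() {
    tmp_local=$(mktemp) || return 1
    tmp_jc=$(mktemp) || { rm -f "$tmp_local"; return 1; }
    local_accounts < "$1" > "$tmp_local"
    # Normalise the export: strip CRs and padding, lowercase, drop blank lines.
    tr -d '\r' < "$2" | awk 'NF { $1 = $1; print tolower($0) }' \
        | sort -u > "$tmp_jc"
    comm -12 "$tmp_local" "$tmp_jc"
    rm -f "$tmp_local" "$tmp_jc"
}

# Constructed sample data (not from a real device or org).
sample_dscl() {
    printf '%s\n' '_www 70' 'daemon 1' 'nobody -2' 'root 0' \
        'itadmin 501' 'Alice.Ng 502'
}
sample_jc() { printf '%s\n' 'alice.ng' '' 'bob.ray' 'ITAdmin '; }

# Run the check over the constructed samples.
demo() {
    d=$(mktemp) || return 1
    j=$(mktemp) || { rm -f "$d"; return 1; }
    sample_dscl > "$d"; sample_jc > "$j"
    collisions "$d" "$j"
    rm -f "$d" "$j"
}

# On a device: dscl . -list /Users UniqueID > local.txt
#              collisions local.txt jc_users.txt
demo
```

Any name printed is a user whose sign-in would fail to associate on that device until the conflicting local account is dealt with.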

Enabling Self-Service Account Provisioning (Admin)

To enable Self-Service Account Provisioning for your org: 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices > Device Settings.
  3. Under Self-Service Account Provisioning:
    1. Click to toggle macOS to On to enable Self-Service Account Provisioning on macOS devices.
    2. Click to toggle Windows to On to enable Self-Service Account Provisioning on Windows devices.
  4. Under User Permission-level, choose the permissions assigned to a user when they’re provisioned on the device:
    1. Choose Administrator to assign administrator/sudo privileges to the user.   
    2. Choose Standard to assign non-administrative or non-sudo privileges to the user. 
  5. (Optional) Under Custom Self-Service Account Provisioning Policy, click Create Policy to customize behavior on Windows devices. See Create a Windows Self-Service Account Provisioning Policy to learn more.

Note:
  • See Set Admin/Sudo Permissions to learn more about administrator/sudo privileges on devices. 
  • By default, new users added to devices have their JumpCloud password synced to their device. You can disable Password Synchronization to have users enter a local password to log into their device instead. See Device Password Sync to learn more.

Exploring the macOS Login Window

Enabling Self-Service Account Provisioning deploys the updated login window to macOS devices. There are several benefits over the standard macOS login window:

  1. Manage WiFi connectivity from the login window by clicking Wireless.
  2. Refresh the login window to update any user association changes made by admins. 
  3. View internet connectivity status at a glance with the red or green indicator in the top right menu bar. 
  4. Review device health and diagnostic details by clicking the (i) in the top right menu bar for System Information.

Using Self-Service Account Provisioning (User)

When your admin enables the feature, the Sign in with JumpCloud button appears on your macOS or Windows device login window. The login process will differ slightly depending on your device's operating system.

Note:

During account creation, user and device MFA requirements are ignored. On your next login, you'll be prompted for MFA if your admin enforces it.

Signing in on a macOS Device 

To use Sign In with JumpCloud on a macOS device:

  1. In the top right of the macOS menu bar, ensure the device is connected to the internet and displays Online status before continuing.
  2. On the macOS login window, click Sign in with JumpCloud.
  3. In the User Login window, enter your email address and click Continue.
  4. Enter your password and click Login.
  5. After successful authentication, the account is created on the device and you are redirected back to the login window.
  6. Click the newly added icon for your account and then enter your password.
  7. Follow the on-screen prompts to complete the macOS account configuration.
  8. Once completed, you’ll be logged in.

Signing in on a Windows Device

To use Sign In with JumpCloud on a Windows device:

  1. Ensure the device is connected to the internet before continuing.
  2. At the bottom left of the Windows login window, click Sign In with JumpCloud.
  3. Under JumpCloud, select Click here to sign in.
  4. In the User Login window, enter your email address and click Continue.
  5. Enter your password and click Login.
  6. Next, enter your password and create a PIN to complete the setup. Use the PIN as an alternative to your JumpCloud password to sign in to the device.

Note:
  • Creating a PIN is required and it must be at least 6 characters. 
  • If PIN sign in is blocked on the device by a Group Policy Object (GPO), accounts are provisioned but not automatically signed in. Users must restart their device to sign in to the new account. See Troubleshoot: Provision New Users on Device Login.
  7. The Windows account provisioning process will begin. Once completed, you’ll be logged in.

Disabling Self-Service Account Provisioning (Admin)

To disable Self-Service Account Provisioning for your org: 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Devices > Device Settings.
  3. Under Self-Service Account Provisioning:
    1. Click to toggle macOS to Off to disable on macOS devices.
    2. Click to toggle Windows to Off to disable on Windows devices.

Important:

Disabling Self-Service Account Provisioning won't remove any existing JumpCloud users on devices. You can manage user to device associations in the Admin Portal. See Bind Users to Devices.

FAQ

What if I only want to enable the updated macOS login window with wireless connectivity?

You can enable Self-Service Account Provisioning for macOS devices to take advantage of the updated login window. If JumpCloud users are already bound to devices via Admin action, the Sign in with JumpCloud button won't appear. 

Can I still manually associate users to devices when Self-Service Account Provisioning is enabled?

Yes, you can still associate users to devices via the Devices list in the Admin Portal. However, the Sign in with JumpCloud option will not be present on device login to add additional user accounts.

Does Self-Service Account Provisioning support account takeover?

No, only the creation of a new JumpCloud account on a device is supported. Device association will fail if the JumpCloud username matches an existing local account on the device.

What happens if users need to enroll in MFA?

When users Sign in with JumpCloud on a device, MFA requirements are temporarily ignored for provisioning. Users will need to enroll in MFA in a JumpCloud User Portal browser session. See MFA for Users.

Troubleshooting

See Troubleshoot: Provision New Users on Device Login.
