If your organization has on-premise Active Directory (AD) or Entra ID joined Windows devices, you can install the JumpCloud agent on them and bring them into your JumpCloud org. This enables you to remotely and securely manage the device as well as take advantage of JumpCloud’s System Insights feature.
JumpCloud's Identity Management behaves differently depending on whether the Windows device is joined to on-premise Active Directory (AD) or Entra ID. If you connect users to an on-premise Active Directory domain-joined device, the device will ignore the association and you will be unable to verify your identity on the device. However, on Entra ID joined-devices, the JumpCloud agent will create a separate local user account for added management capabilities.
- If a JumpCloud-managed device with JumpCloud users bound to it joins an on-premise AD domain, those user accounts will be suspended. This is expected behavior as Identity Management is not supported on on-premise AD domain-joined devices.
- If you attempt to bind an Entra ID imported user to an Entra ID joined device, this may result in unexpected behavior.
Why Use the JumpCloud Agent for Domain Joined Devices?
The table below shows the features that are supported on JumpCloud devices, Active Directory devices, and Entra ID devices:
| | Telemetry | Commands | Management Policy | Software Management | Patch Management | Remote Access | User Management & Authentication |
|---|---|---|---|---|---|---|---|
| JumpCloud Devices | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| On-Premise Active Directory Devices | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Entra ID Joined Devices | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
When you install the JumpCloud agent on domain joined devices, you can take advantage of JumpCloud’s System Insights feature and view information such as:
- Reliability of your organization devices: Gather information about device uptime to leverage when diagnosing device issues.
- Memory and storage statistics: Gather information about your org's device memory and storage capacity to leverage when making device upgrade decisions.
- Devices that are protected by disk encryption: See which org devices are protected by disk encryption and which devices you need to update with encryption protection.
- Hardware inventory details: Gather inventory information such as vendor, model, serial number, and more.
See Get Started: System Insights to learn more.
Installing the JumpCloud Agent on Domain Joined Windows Devices
You install the JumpCloud Agent on domain joined Windows devices using the same process as installing it on non-domain joined devices. See JumpCloud Agent Windows Installation Walkthrough for more information.
If you are migrating from Active Directory to JumpCloud, ensure that you bind the device's users to the device through JumpCloud before you remove the device from Active Directory. Doing so ensures that the device remains active and the user can continue to use it.
After the first restart following a JumpCloud device joining Active Directory, the user will see a tile on the login screen prompting for their JumpCloud credentials. However, they will not be able to log in using those credentials. Instead, they will log in using the “Other User” tile with their Active Directory credentials. This is the correct behavior, and on subsequent logins, the user will not see the tile for their JumpCloud user account.
Applying Policies for AD Joined Devices
For a given policy, an on-premises AD policy will override a JumpCloud policy. For example, if you have an AD policy that configures the screensaver, and a JumpCloud policy that also configures the screensaver, the AD policy will take effect, ignoring the JumpCloud policy. To avoid unexpected behavior, JumpCloud recommends that you only set JumpCloud policies rather than setting both a JumpCloud policy and an AD policy.
For troubleshooting, you can use the Resultant Set of Policy snap-in console. In this console, JumpCloud policies display as "Local Group Policy" and AD policies show as group policies. Group policies override local policies.
See Migrating Windows Devices from AD On-Prem to JumpCloud for additional information about migrating Windows devices to JumpCloud.
The following policies are currently unsupported on AD joined devices:
- Rename Local Administrator Account
- Enable/Disable Local Administrator Account
- Rename Local Guest Account
- Enable/Disable Local Guest Account
Regarding the lock screen, if policies are set in both JumpCloud and Active Directory, whichever policy has the lowest timeout will take effect.
Full Disk Encryption with BitLocker
BitLocker is an encryption feature built into computers running Windows. It secures your data by scrambling it so it can’t be read without using a recovery key. BitLocker differs from most other encryption programs because it uses your Windows login to secure your data; no extra passwords necessary. Once you’re logged in, you can access your files normally. After you log out, everything’s secured.
See BitLocker Policy to learn more.
Windows Automated Patch Management
JumpCloud’s automated patch management helps you monitor which version and release your Windows, macOS, or Linux devices are currently using, and remotely schedule and install updates. You can create an OS patch management policy to control which devices will have the policy applied and when it will be applied.
See Create a Windows Patch Policy to learn more.
Viewing Device Details
Once the device has been added, you can view additional information about the device from the Device Details page. To view it:
- Log into your JumpCloud Admin Portal.
If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.
- Navigate to Device Management > Devices.
- Select the device to view the details of.
From this screen, you can view information such as:
- Device name, status, and other immutable details.
- Device Agent Logs. Click Actions > Get Agent Logs to download the most recent logs for the device. Logs are available only for online devices.
- Device Settings.
- Enable JumpCloud's System Insights to gather useful information from your JumpCloud managed devices and view that information on the Device panel Insights tab. Learn More.
Viewing a User’s Domain Joined Devices in JumpCloud
You can view the domain joined devices in JumpCloud by viewing a user’s details. If the user has a domain joined device, it will show under their list of devices as AD JOINED.
To view the domain joined devices:
- Log in to the JumpCloud Admin Portal.
- Navigate to Identity Management > Users.
- Select the user in the user list.
- Select the Devices tab.
In the previous screenshot, the device outlined in red is the domain joined device.
User Functionality on Entra ID Joined Devices
If a device is already part of an Entra ID domain, it will already have an account for each user. When you add that device to your JumpCloud domain, a separate JumpCloud account will be created for each user on that device.
- The existing Entra ID accounts on the device remain unchanged and cannot be managed by JumpCloud. The Entra ID accounts can continue to be used for any Entra ID programs and files on the device.
- The JumpCloud accounts can be used for Identity Management features, such as identity verification.
The existing Entra ID accounts and newly bound JumpCloud user accounts are not linked. JumpCloud can only manage the JumpCloud-bound account.
Features Unsupported by On-Premise AD Joined Devices
The following JumpCloud features are unsupported by on-premise AD domain joined devices at this time:
- Identity Management
- Locked User use cases
- Password Expiration
- Password Change
- Account Takeover
- Admin User
- Binding User to Device
- Device MFA
Private Preview – JumpCloud Device Trust and Go Support for AD-Joined Devices
This feature is in Private Preview. If you don’t see it, contact your Account Manager to enable it. Features in Preview are continuing to evolve with the help of feedback directly from our users. If you have suggestions, let us know at the bottom of this article.
Active Directory Joined Devices
With this feature, you can now bind JumpCloud users to devices joined to an Active Directory (AD) domain, including on-premise or hybrid domains (for example, using Microsoft Entra Connect).
- SID Matching: The agent only manages bound JumpCloud users with a Security Identifier (SID) that matches an existing AD user on the device. Non-AD users remain unmanaged. You can view the SID for a domain-bound user directly in the Admin Portal.
- Supported Capabilities: For managed users with a matching SID, the agent supports device trust certificates and JumpCloud Go authentication.
- Authentication: The JumpCloud Credential Provider remains disabled on AD-bound devices, allowing users to authenticate using their AD domain credentials without conflicts.
- Suspensions & Lockouts: JumpCloud account suspension and lockout actions do not prevent AD-bound users from logging in to the device using their AD credentials.
- Unsupported Capabilities: The agent does not support traditional device-level Identity Management functionality for AD-joined users. This includes user creation, disabling, password synchronization, password changes, admin privileges, and device Multi-Factor Authentication (MFA).
Populating the AD SID
To manage users on an AD-joined device, the JumpCloud user's SID must match the AD SID.
- If you use the JumpCloud Active Directory Integration (ADI) import agent on your domain controllers, the SID is automatically imported and populated for each user. See Configure Active Directory Integration (ADI) to learn more.
- If the ADI import agent is not installed, you must set the SID via the JumpCloud API.
To update a user's SID:
- API Endpoint: `https://console.jumpcloud.com/api/v2/activedirectories/{activedirectory_id}/user/update`
- Supported Operations: PUT
- Required Values:
  - user_ID: Your JumpCloud User ID.
  - object_SID: The Base64-encoded SID for the user.
  - object_guid: The GUID for the user.
The object_guid is required in the body of the request, but you can pass an empty value if you do not wish to populate it. Only the SID is required for AD user takeover features.
To retrieve AD users:
- API Endpoint: `https://console.jumpcloud.com/api/v2/activedirectories/{activedirectory_id}/users`
- Supported Operations: GET
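The SID-matching rule and the two API calls above are easier to get right with a worked example. The following Python is an added example, not JumpCloud's own code: it encodes a text SID (`S-1-5-...`) into Base64, decodes it back so a value can be verified before it is sent, works out which bound users the agent would manage on a device (those whose stored SID matches an AD profile SID present on the device), and builds the PUT and GET requests listed above. Assumptions, labelled as such: `object_SID` is the Base64 of the SID's binary (`objectSid`) form, the API key is sent in an `x-api-key` header, and all IDs, keys and SIDs in the sample data are constructed placeholders.

```python
"""
Added example (not JumpCloud's own code). Assumptions: object_SID is the
Base64 encoding of the binary SID layout; the API key travels in the
"x-api-key" header; every ID, key and SID below is a constructed placeholder.
"""
import base64
import json
import struct
import urllib.request

API_BASE = "https://console.jumpcloud.com/api/v2"  # endpoint base from the article


def sid_to_bytes(sid: str) -> bytes:
    """Text SID -> binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), sub-authorities (little-endian uint32)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, used to verify an encoded value before sending it."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_base64(sid: str) -> str:
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


def base64_to_sid(encoded: str) -> str:
    return bytes_to_sid(base64.b64decode(encoded))


def managed_users(bound_users, device_profile_sids):
    """JumpCloud user IDs the agent would manage: bound users whose stored SID
    matches an AD profile on the device. Users with no SID, or a SID that is not
    present on the device, stay unmanaged (the rule stated in the article)."""
    on_device = {s.upper() for s in device_profile_sids}
    return [u["id"] for u in bound_users if u.get("sid") and u["sid"].upper() in on_device]


def build_update_request(api_key, ad_id, user_id, sid, object_guid=""):
    """PUT .../activedirectories/{id}/user/update with the body fields the article lists.
    object_guid may be empty; only the SID is needed for AD user takeover."""
    body = {"user_ID": user_id, "object_SID": sid_to_base64(sid), "object_guid": object_guid}
    return urllib.request.Request(
        f"{API_BASE}/activedirectories/{ad_id}/user/update",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"x-api-key": api_key, "Content-Type": "application/json"},
    )


def build_list_request(api_key, ad_id):
    """GET .../activedirectories/{id}/users to retrieve the AD users."""
    return urllib.request.Request(
        f"{API_BASE}/activedirectories/{ad_id}/users",
        method="GET",
        headers={"x-api-key": api_key},
    )


if __name__ == "__main__":
    # Constructed sample data: a made-up domain SID prefix and three bound users.
    device_sids = ["S-1-5-21-1004336348-1177238915-682003330-1105",
                   "S-1-5-21-1004336348-1177238915-682003330-1106"]
    users = [{"id": "user1", "sid": device_sids[0]},
             {"id": "user2", "sid": None},                            # SID not populated yet
             {"id": "user3", "sid": "S-1-5-21-999-999-999-1107"}]    # SID from another domain
    print("managed on this device:", managed_users(users, device_sids))
    req = build_update_request("PLACEHOLDER_API_KEY", "PLACEHOLDER_AD_ID", "user2", device_sids[1])
    print(req.get_method(), req.full_url, req.data.decode())
    # urllib.request.urlopen(req) would send it; the request is only built here.
```

Run the block directly to see the managed-user result and the exact body that would be PUT; `base64_to_sid` is worth calling on any value copied from another tool before it is written to a user, since a SID encoded in the wrong byte order will never match the profile on the device and the user will silently stay unmanaged.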
Features Unsupported by On-Premise AD Joined Devices
The following JumpCloud features are unsupported by on-premise AD domain joined devices at this time:
- Identity Management
- Locked User use cases
- Password Expiration
- Password Change
- Admin User
- Device MFA
FAQ
- Can JumpCloud manage an AD-joined device?
Yes, but Identity Management specific functionality is limited to Device Trust certificate distribution and JumpCloud Go support.
- How do I enable this functionality for users on AD-joined devices?
Users must have an AD SID assigned in JumpCloud that matches the SID of an AD user (profile) on the device. Users must be bound to the device in JumpCloud.
- How do I populate the AD SID?
The ADI import agent will automatically populate the SID. If the ADI import agent is not in use, the SID may be added via the API. Jump to Populating the AD SID.
- Will bound users have a JumpCloud password synced to the device?
No. Password sync from JumpCloud is disabled. Users will continue to log in against AD on the device.
- Can I suspend the user in JumpCloud and have this sync to the user on the device?
No. Any Identity Management functionality outside of Device Trust certificate distribution and JumpCloud Go support is not available.
- If I unbind the user in JumpCloud, will they be deactivated on the device?
No. JumpCloud does not perform Identity Management functions on AD users.
Troubleshooting
JumpCloud creates local user accounts on the Windows hosts it manages; these hosts are not part of a domain.
When remotely logging in to a non-domain host (for example, a JumpCloud-managed Windows device) from a host that is part of a Microsoft Active Directory domain, the remote desktop client will default to attempting to authenticate with the current domain. This results in a login failure for all JumpCloud users on the JumpCloud-managed host.
To log in correctly, you'll need to specify no domain:
`\<jumpcloud-user-name>`
Or, specify the workgroup name of the host (which defaults to WORKGROUP), as in:
`WORKGROUP\<jumpcloud-user-name>`
