JumpCloud Protect for Admins

Your users can download the JumpCloud Protect® mobile app to secure their accounts using Multi-Factor Authentication (MFA). The app can be downloaded from the iOS App Store or the Google Play Store. Once your users have downloaded the app and successfully enrolled their devices, they can authenticate using Push MFA or Verification (TOTP) Code.


JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second timeout period. You can try again after the timeout or after you have approved or denied the initial request. 

JumpCloud Protect can be used to log into the Admin Portal, User Portal, or devices (Windows, Mac, Linux). Before your users can use the JumpCloud Protect mobile app, you, as an administrator, must enable it. 


JumpCloud Protect is designed to operate on Android 8 and iOS 13 and higher. It may operate on older versions, but they are not supported by JumpCloud. 


  • The JumpCloud Protect mobile app supports iOS version 13 and above, and Android 8.0 and above.
    • Google Playstore is blocked in China, so users cannot download JumpCloud Protect there. Please have them authenticate with TOTP using an authenticator app that is available in China.
    • Additionally, push notifications on Android devices may not work in countries such as China because the Google Cloud Messaging (GCM) service may be blocked.
  • If users have an Apple Watch paired with the iPhone running JumpCloud Protect they can see and respond to their push notifications on the watch.
  • The JumpCloud Protect mobile app may run on a tablet but is not optimized for tablets at this time. 
  • If admins require mobile biometric as additional user verification, the device should support biometric, PIN, or Passcode.
    • User verification is a security measure that verifies that the person authenticating to a service is in fact who they say they are.
  • A user can only be enrolled in JumpCloud Protect on one device.
  • JumpCloud Protect supports both Push MFA and TOTP MFA. However, your users must enroll in each form separately.


Users can authenticate into their local account without internet access, and TOTP MFA will still be enforced in this situation.

  • Protect will collect certain diagnostic and usage data for troubleshooting issues and continuous app improvements. There is no user information collected. Although these options default to on, users can turn off data collection on the app:
    • Tap More > Settings > Privacy to display options for turning off Share Diagnostic Data and Share Usage Data

Security Practices to Reduce Push Bombing and MFA Fatigue Risks

Push Bombing is a hacking method of triggering multiple 2FA attempts using push notifications until the user may accept the request accidentally.  MFA Fatigue is the term for when, due to the multiple 2FA requests, a user accepts the fraudulent request out of frustration.
Here are ways to protect your organization against such an attack: 

  • An attacker can initiate a Push MFA request after obtaining a user’s password. Setting a strong password policy and using account lockout policies will reduce password brute force attacks.
  • Enable biometric on JC Protect for an extra layer of identity protection.
  • Leverage Conditional Access Policies for additional safeguards.
  • Educate users to check application and location information before approving a push request, and to deny any request they suspect as fraudulent. Keep in mind that location information does not have 100% accuracy, especially at the city level.


JumpCloud protects against fraudulent push attempts by blocking more than one notification per resource within a sixty second period, except for RADIUS and LDAP attempts. Admins can turn this off, or increase the limit for maximum concurrent attempts, in MFA Configurations. 
Users can try again after the timeout or after the user has approved or denied the request. The blocked event will appear in Directory Insights under the event name push_mfa_attempt_failed; error message is ‘too many concurrent push requests’.

jumpcloud protect push notification

Before Enabling JumpCloud Protect

Before you enable JumpCloud Protect, you must first require your users to use MFA to log into their JumpCloud account. You can do this by creating a Conditional Access Policy and assigning to your users or user groups. 

Alternatively, you can require individual users to use MFA when they log into their JumpCloud account. To do so:

  1. Go to USER MANAGEMENT  > Users.
  2. Select a user to view their Details
  3. In the User Security Settings and Permissions section, select Require Multi-factor Authentication for User Portal.

Enabling JumpCloud Protect

To enable JumpCloud Protect for your users:

  1. Log in to the Admin Portal: https://console.jumpcloud.com.
  2. Navigate to SECURITY MANAGEMENT > MFA Configurations.
  3. In the JumpCloud Protect Mobile Push area, click the Enable button.
    1. In the Mobile Biometric Verification dropdown, select Never Required, Required If Enabled on Device, or Always Required.
      1. Never Required – default option; user will not be prompted for biometric
      2. Required If Enabled on Device – user will be prompted for biometric if the user’s device has biometric verification enabled; if it is not enabled on the device authentication will not fail
      3. Always Required – user will be prompted for biometric; authentication will fail if device does not have it enabled or if user fails to provide biometric or passcode/PIN
  4. Click Save.


If Required if Enabled on Device or Always Required are selected, the user will not be able to accept or deny from the lock screen of their device or their Apple Watch.

Viewing User Device Details and Enrollment Status

After you have enabled JumpCloud Protect for your users, you can view details of the individual user’s enrollment. To view these details:

  1. Log in to the Admin Portal: https://console.jumpcloud.com.
  2. Navigate to: USER MANAGEMENT > Users.
  3. Click the user you want to view the enrollment status of. 
  4. In the User Details pane, expand User Security Settings and Permissions. See the screenshot below:

In that pane, you can view the following information:

  • Display Label: Nickname of the device
  • Device Type: Type of device. For example, iPhone 8
  • Device OS: OS version currently running on the device
  • App Version: Version of JumpCloud Protect currently running on the device
  • Authentication: Shows what type of User Verification is supported by the device
  • Actions: Click the trashcan to remove the device


If the user has not finished enrollment, a message will display.

You can also view MFA status on the Users main page. Use the columns dropdown to choose MFA: JumpCloud Protect. When you hover over the status, you can see Protect MFA status details for a user.

Deleting a User’s Device

You can delete a user’s device from the User Security Settings and Permissions screen. To do so:

  1. Under Actions, click the trashcan icon.
  2. In the confirmation window, click confirm.

Disabling JumpCloud Protect

If you no longer wish to use the JumpCloud Protect Mobile App, you can disable it. To do so:

  1. Log in to the Admin Portal: https://console.jumpcloud.com.
  2. Navigate to: SECURITY MANAGEMENT > MFA Configurations.
  3. Under the JumpCloud Protect Mobile Push window, click Disable.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case