Manage Conditional Access Policy Certificates for Desktop

Conditional Access Policies let you relax, restrict, or deny user access to resources based on conditions that you set. Unmanaged or managed devices are conditions you can use to determine how users access the User Portal and SSO applications. 

To use a policy with a device condition, you need to distribute device certificates to your desktop devices. Device certificates for desktops allow authentication mechanisms to recognize if login requests are coming from JumpCloud managed devices.


Looking to enforce device trust on mobile devices? See Get Started: Mobile Device Trust to learn more.

For information such as supported browsers for each supported OS, see Get Started: Conditional Access Policies.



  • Conditional Access Policies introduced the jumpcloud-user-agent, which is installed alongside the JumpCloud Agent to distribute device certificates. The jumpcloud-user-agent is installed regardless of whether Conditional Access Policies are enabled or not.
  • When you enable Global Certificate Distribution, certificates are distributed to every device and every JumpCloud managed user on a device.
    • However, the managed device condition does not currently apply to mobile devices managed by MDM.
  • For the agent to install certificates, JumpCloud managed users need to be logged in to their device. 
  • When a user accesses a resource, they need to be the same user who is logged in to the device. If a user accesses a resource and they’re not the same user who is logged in to the device, they’re treated as unmanaged. 
  • Distribution can take a few minutes. 
  • Some browsers may prompt users to select the certificate on their next visit to the JumpCloud User Portal. Users need to confirm certificate selection or restart their browser for the certificate to take effect. We recommend that you notify your users about this before you turn on certificate distribution.
  • Certificates are only used with Device Trust policies.
  • When you disable Global Certificate Distribution, certificates are removed from every device and every user on a device. 
  • For a certificate to be removed from a user on a device, the user needs to be logged in to the device. 
  • After Global Certificate Distribution is disabled, any existing managed device policies treat users as unmanaged, and this takes effect immediately. 

Storage Location of Global Device Certificates


Linux

  • Certificates are stored in the user’s NSS database (~/.pki/nssdb/cert9.db, ~/.pki/nssdb/key4.db).
  • If the database does not exist, the agent will create a new one.
  • Certificate auto-select filters are found in /etc/opt/chrome/policies/managed/JumpCloudCertificateAutoselect.json.

macOS

  • Certificates are stored in a new jumpcloud-device-trust-keychain in the user’s Library/Keychains folder.
  • The generated password for the new keychain is stored in the user’s login keychain, in a generic password item named JumpCloud Device Trust Keychain Password. This allows the user agent to unlock the Device Trust keychain when it needs access to install or renew certificates.
  • The Device Trust keychain password is rotated every time a certificate is installed or renewed.

Windows

  • The agent installs the root (CA) certificate in the system cert store.
  • The user-agent installs the intermediate certificate in the user’s Intermediate Certification Authorities store, and the Device Trust certificate in the user’s Personal store.

Distributing Global Device Certificates 

Distribute device certificates from the Conditional Policies Settings page or when you create your first policy that uses a device condition. See Configure a Conditional Access Policy to learn how to distribute certificates when you create your first device-based policy. 

To distribute a device certificate from the Conditional Policies Settings page:

  1. Log in to the Admin Portal.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click on the Settings icon that’s in the top right.
  4. In Device Certificates, set Global Certificate Distribution to ON.
  5. Click save.

Removing Global Device Certificates

You can remove global device certificates after you’ve distributed them. When you disable Global Device Certificates, existing policies aren’t updated, and any custom macOS Keychain Application Access configurations are removed. To make sure users have uninterrupted access to their resources, disable policies with a device condition before you remove global device certificates. Learn how to disable a policy in Configure a Conditional Access Policy.

To remove global device certificates:

  1. Log in to the Admin Portal.
  2. Go to SECURITY MANAGEMENT > Conditional Policies.
  3. Click on the Settings icon that’s in the top right.
  4. In Device Certificates, set Global Certificate Distribution to OFF.
  5. Click disable.

Lease and Renewal Timeframes of Global Device Certificates

Global Device Certificates have a time-to-live of 30 days, but are renewed every 2 weeks by the user agent.
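With a 30-day time-to-live and a 2-week renewal cycle, a certificate that is being renewed on schedule always has roughly 16 or more days of validity left, so a shorter remaining lifetime indicates a missed renewal before the certificate actually expires. The following added example (not JumpCloud code) checks this for a certificate in the Linux NSS database; it assumes each renewal issues a certificate with a fresh 30-day lifetime, that `certutil` and `openssl` are installed, and that you supply the certificate nickname, which this page does not state.

```python
# Added example, not JumpCloud code. Assumes a renewal replaces the certificate
# with one that again has the full 30-day lifetime.
import os
import ssl
import subprocess
import sys
from datetime import datetime, timedelta, timezone

TTL = timedelta(days=30)          # time-to-live stated on this page
RENEW_EVERY = timedelta(days=14)  # renewal interval stated on this page
GRACE = timedelta(days=1)         # assumption: slack for a late agent check-in

# Constructed sample of `openssl x509 -noout -dates` output.
SAMPLE_DATES = "notBefore=Mar  1 00:00:00 2024 GMT\nnotAfter=Mar 31 00:00:00 2024 GMT\n"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    def to_dt(value):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])


def renewal_status(not_before, not_after, now):
    """Classify a certificate against the 30-day / 2-week schedule."""
    if now >= not_after:
        return "expired"            # past notAfter
    if now < not_before:
        return "not-yet-valid"      # usually clock skew on the device
    # A cert renewed on schedule always has at least TTL - RENEW_EVERY left.
    if not_after - now < TTL - RENEW_EVERY - GRACE:
        return "renewal-overdue"
    return "ok"


def dates_from_nssdb(nickname, db="sql:" + os.path.expanduser("~/.pki/nssdb")):
    """Export one certificate from the user's NSS database and read its dates."""
    pem = subprocess.run(["certutil", "-L", "-d", db, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True).stdout
    out = subprocess.run(["openssl", "x509", "-noout", "-dates"], input=pem,
                         check=True, capture_output=True, text=True).stdout
    return parse_openssl_dates(out)


if __name__ == "__main__":
    # Nickname is site-specific; list candidates with: certutil -L -d sql:$HOME/.pki/nssdb
    nb, na = dates_from_nssdb(sys.argv[1])
    print(renewal_status(nb, na, datetime.now(timezone.utc)))
```

Run it as the logged-in JumpCloud managed user, since the NSS database is per user; a `renewal-overdue` result is the early signal to check that the user agent is running.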
