JumpCloud’s Device Trust lets you allow or deny access to resources such as the User Portal and applications, based on the device the user utilizes to authenticate. Device Trust is established when the User Portal requests that the client present a certificate, and the user’s browser provides that certificate. Device Trust can save users time and allow seamless access to applications.
Conditional Access Policies, which let you relax, restrict, or deny user access to resources, work in tandem with Device Trust Certificates for any policy that uses a device condition. You’ll need to create a conditional access policy before you can implement Device Trust. Conditional Access is a Platform Plus feature. See Configure a Conditional Access Policy.
See JumpCloud pricing for more information about Platform Plus.
When you enable certificate distribution, the agent server sends an update that causes the agent (along with the user-agent where applicable) to request and install Device Trust certificate bundles on the device. One certificate request is made per managed user.
The managed device condition does not currently apply to mobile devices managed by MDM.
Understanding the Device Trust Certificate Bundle
- Root Certificate – The JumpCloud Production Device Identification Root CA certificate is a self-signed certificate and displays as untrusted in some certificate managers but this is not an issue.
- Intermediate Certificate – The device-trust.intermediate certificate.
- Leaf Certificate – The JumpCloud Device Trust Certificate – …….. certificate. The browser presents this certificate in response to the challenge from the agent server. The ‘……..’ contains an eight-digit hexadecimal identifier. The identifier is only used to ensure that two different leaf certs will have unique names.
- Private key – The Imported Private Key was created by the agent on the user’s behalf to generate the certificate signing request, as part of requesting the Device Trust certificate. It’s packaged along with the certificates so it can be used to sign requests to the agent server.
In addition to requesting and installing the Device Trust certificate, the agent or the user-agent must also create certificate selection filters so that the user’s browser can locate the correct certificate when challenged.
Finding the Storage Location of Global Device Certificates
On macOS:
- The certificates are stored in a new jumpcloud-device-trust-keychain in the user’s Library/Keychains folder.
- The generated password for the new keychain is stored in the user’s login keychain, in a generic password item named JumpCloud Device Trust Keychain Password. This allows the user agent to unlock the Device Trust keychain when it needs access to install or renew certificates.
- The Device Trust keychain password will be rotated every time a certificate is installed or renewed.
On Windows:
- The agent installs the root (CA) certificate in the system cert store.
- The user-agent installs the intermediate certificate in the user’s Intermediate Certification Authorities store, and the Device Trust certificate in the user’s Personal store.
On Linux:
- Certificates are stored in the user’s NSS database (~/.pki/nssdb/cert9.db, ~/.pki/nssdb/key4.db).
- If the database does not exist, the agent will create a new one.
- Certificate auto-select filters are found in /etc/opt/chrome/policies/managed/JumpCloudCertificateAutoselect.json
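The certificate selection filters described above are what let the browser present the Device Trust leaf certificate without prompting. The checker below is an added example, not JumpCloud's own code: it reads a managed-policy file in Chrome's documented AutoSelectCertificateForUrls format and reports which certificate would be auto-selected for a given URL. The file contents, the URL pattern, and the sample certificates are constructed for the example; the issuer CN is taken from the intermediate certificate named on this page.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for JumpCloudCertificateAutoselect.json. The key name and
# the "JSON string inside a JSON list" layout are Chrome's policy format; the
# pattern and filter values are assumptions, not the real file's contents.
SAMPLE_POLICY = json.dumps({
    "AutoSelectCertificateForUrls": [
        json.dumps({
            "pattern": "https://[*.]jumpcloud.com",
            "filter": {"ISSUER": {"CN": "device-trust.intermediate"}},
        })
    ]
})

# Constructed certificates as the browser would see their name fields.
# The eight-digit hex suffix is a made-up sample value.
SAMPLE_CERTS = [
    {"SUBJECT": {"CN": "JumpCloud Device Trust Certificate - 01234567"},
     "ISSUER": {"CN": "device-trust.intermediate"}},
    {"SUBJECT": {"CN": "Corp VPN User"},
     "ISSUER": {"CN": "Corp Issuing CA"}},
]

def load_filters(policy_text):
    """Parse the policy file; each list entry is itself a JSON-encoded string."""
    policy = json.loads(policy_text)
    return [json.loads(entry) for entry in policy.get("AutoSelectCertificateForUrls", [])]

def url_matches(pattern, url):
    """Simplified Chrome URL-pattern match: exact scheme, host with optional [*.] wildcard.
    Ports and paths in the pattern are ignored for brevity."""
    p_scheme, _, p_host = pattern.partition("://")
    p_host = p_host.split("/", 1)[0]
    u = urlsplit(url)
    if p_scheme != u.scheme or not u.hostname:
        return False
    if p_host.startswith("[*.]"):
        base = p_host[4:]
        return u.hostname == base or u.hostname.endswith("." + base)
    return u.hostname == p_host

def cert_matches(filt, cert):
    """Every ISSUER/SUBJECT attribute listed in the filter must equal the cert's."""
    return all(cert.get(side, {}).get(attr) == want
               for side in ("ISSUER", "SUBJECT")
               for attr, want in filt.get(side, {}).items())

def select_certificate(filters, url, certs):
    """Certificates the browser would auto-select for url; [] means the user is prompted."""
    for f in filters:
        if url_matches(f["pattern"], url):
            return [c for c in certs if cert_matches(f["filter"], c)]
    return []
```

Run against the real policy file to confirm the filter is scoped to the JumpCloud origin and that only the Device Trust leaf matches it; an empty result for the User Portal URL explains a persistent selection prompt.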
Distributing Global Device Certificates
Distribute device certificates from the Conditional Policies Settings page or when you create your first policy that uses a device condition. See Configure a Conditional Access Policy to learn how to distribute certificates when you create your first device-based policy.
To distribute a device certificate from the Conditional Policies Settings page:
- Log in to the Admin Portal: https://console.jumpcloud.com/login.
- Go to SECURITY MANAGEMENT > Conditional Policies.
- Click Settings to the right of the policies. You can also click Edit in Settings under Global Policies.
- In Device Certificates, set Global Certificate Distribution to ON.
- Click save changes.
Global Device Certificates have a time-to-live of 30 days, but are renewed every two weeks by the user agent.
Removing Global Device Certificates
You can remove global device certificates after you’ve distributed them. When you disable Global Device Certificates, existing policies aren’t updated, and any custom macOS Keychain Application Access configurations are removed. To make sure users have uninterrupted access to their resources, disable policies with a device condition before you remove global device certificates. Learn how to disable a policy in Configure a Conditional Access Policy.
To remove global device certificates:
- Log in to the Admin Portal: https://console.jumpcloud.com/login.
- Go to SECURITY MANAGEMENT > Conditional Policies.
- Click Settings to the right of the policies. You can also click Edit in Settings under Global Policies.
- In Device Certificates, set Global Certificate Distribution to OFF.
- Click save changes.
Note: Disabling Global Certificate Distribution removes certificates from every device and every user on a device. Any existing managed device policies treat users as unmanaged, and this takes effect immediately.
Users: Selecting a Device Trust Certificate
As part of Device Trust, users may see prompts to select Device Trust certificates when browsing to the JumpCloud User Portal or using some SSO-enabled applications after certificate distribution is enabled. You should inform users that these types of prompts are legitimate and expected, and to select the JumpCloud Device Trust Certificate and let the application or browser proceed.
The prompt may present multiple JumpCloud Device Trust Certificate options, but they are all the same certificate, and the user can select any one.
Note: When using Chrome on macOS, the certificate selection prompt may persistently appear, even when the user has previously selected the certificate. To resolve this issue, restart the device.