Manage Your Password Expiration Strategy

Your organization’s strategy for password expiration dictates how long JumpCloud user account passwords are valid and when users need to change their password. This allows your organization to implement security policies that meet your compliance standards. 

JumpCloud’s password expiration options let you:

  • Set a password lifespan for your organization.
  • Require new users to change their temporary password the next time they log in.
  • Immediately expire individual user passwords.

Configuring the Password Aging Settings for Expiration 

JumpCloud’s Password Aging settings for expiration apply globally for your entire organization. Access and manage these settings from Settings > Security > Password Settings. Learn more in Manage Password and Security Settings.

Considerations:

  • Individual users can be exempted from password expiration. See Get Started: Users.
  • If a password expires, users will remain logged in as long as they are active. Once they become inactive, such as when the device goes to sleep, the user will be locked out of their account and will need to change their expired password to log in. Learn more in Unlock User Accounts.
    • Alternatively, you can configure the actions taken when a user’s password expires for Google Workspace, RADIUS, LDAP, and M365/Entra ID via the JumpCloud API.
  • Settings don’t apply to the JumpCloud Menu Bar App.
  • You can’t modify the password expiration notice on the JumpCloud Menu Bar App/Windows App. Users on JumpCloud-managed Mac and Windows devices are encouraged to update their passwords in the JumpCloud Menu Bar App to keep their passwords in sync with Keychain, FileVault and other apps.

To manage Password Aging settings:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Settings > Security.
  3. In the Password Settings section, enable and disable the Password Aging options for your org. 
  4. Click Save.

You can set the following settings for password expiration:

  • most recent passwords cannot match each other (limit historical reuse): Specifies the number of unique passwords a user has to create before they can reuse a previous password. Enter a number between 1-24. 
  • N days until password expiration: Specify the lifespan (in days) of passwords for your organization. If you don’t choose to expire passwords, they’re valid indefinitely. After the lifespan expires, users must change their password.
    • N days prior to password expiration, require password reset at login: If you choose to expire passwords, you can require users to reset their password for a certain number of days before their password expires. This option helps ensure that access to password protected resources isn’t interrupted by requiring users to change their password before it expires.    
  • Allow password change after expiration: You can allow users with expired passwords to change their password from their JumpCloud-managed device, alleviating the need for admins to manually reset user passwords. See considerations below before enabling this option.

Considerations for Allow password change after expiration:

  • After you expire a user’s password, it’s immediately invalid; the user is logged out of their device and connected resources, and is required to change their password from their JumpCloud-managed device the next time they log in.
  • If you’ve required MFA for the User Portal, your users will need to verify their identities using one of the configured methods.
  • If you haven’t enabled the Allow password change after expiration setting for your organization and attempt to expire a user’s password, you can either enable the setting for your org or cancel the password expiration. If you enable the setting for your org, all users with expired passwords are able to reset their password from their JumpCloud-managed devices.

Managing Password Expiration for New Users with Temporary Passwords

When you create new users, you can give them a temporary password. To make sure users change their password to a private, secure password quickly, you can require that they change their password the next time they log in to their JumpCloud-managed device. 

Read considerations for Allow password change after expiration.

To require a new user to change their temporary password:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click ( + ), then select Manual user entry. Learn about creating users: Get Started: Users.
  4. On the New User panel’s Details tab, in the User Security Settings and Permissions section, select Specify initial password, then enter a temporary password for the user.
  5. Select the User must change password at next login option. If you haven’t enabled the Allow password change after expiration setting for your org, you’re notified on the Force Password Change modal. You can choose to enable the setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.

Managing Password Expiration for Existing Users

You can manually expire passwords for individual users from the User panel. 

Read considerations for Allow password change after expiration.

To immediately expire a user’s password and force them to change their password:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Select a user to view their details.
  4. Click the user’s password status, then select Force Password Change.
  5. If you haven’t enabled the Allow password change after expiration setting for your org, you’re notified on the Force Password Change modal. You can choose to enable this setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.

Managing Password Expiration for Multiple Existing Users

You can manually expire passwords for multiple users from the Users list. 

Read considerations for Allow password change after expiration.

To immediately expire multiple users' passwords and force them to change their password:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Select the users whose password you want to expire.
  4. Click more actions, then select Force Password Change. If you haven’t enabled the Allow password change after expiration setting for your org, you’re notified on the Force Password Change modal. You can choose to enable the setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password. 

Allowing a Password Change After Expiration

The following flows assume the Allow password change after expiration setting is enabled for an organization.

Require a New User to Change their Temporary Password

The following flow applies when admins select to require a new user to change their temporary password: 

  1. An administrator creates a new user, gives the user a temporary password, and selects User must change password at next login.
  2. The user must change their password the next time they log in to their device:
    • If JumpCloud detects the user is on a Mac or Windows device, they’re asked to update their password on their device login screen. If you’ve required MFA for the User Portal, users are required to verify their identity when they change their password.
    • If JumpCloud detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can’t be dismissed. If you’ve required MFA for the User Portal, users are required to verify their identity when they change their password.

An Existing User’s Password Expires

The following flow applies when a user’s password lifespan expires:

  1. The user’s password lifespan is reached and the password expires. 
  2. The user is logged out of their device and all JumpCloud-managed resources.
  3. The user must change their password the next time they log in to their device:
    • If JumpCloud detects the user is on a Mac or Windows device, they’re asked to update their password on their device login screen. If you’ve required MFA for the User Portal, users are required to verify their identity when they change their password.
    • If JumpCloud detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can’t be dismissed. If you’ve required MFA for the User Portal, users are required to verify their identity when they change their password.

Expire an Existing User’s Password

Note:

The password for a Samba user, which is the Samba Service Account, cannot be expired.

The following flow applies when an admin expires an existing user’s password, unless the user is the Samba user: 

  1. An administrator selects to view an existing user’s details. 
  2. The administrator clicks the user’s password status, then selects Force Password Change.
  3. The password is immediately expired and the user is logged out of their device and all JumpCloud-managed resources. 
  4. The user must change their password the next time they log in to their device:
    • If JumpCloud detects the user is on a Mac or Windows device, they’re asked to update their password on their device login screen. If you’ve required MFA for the User Portal, users are required to verify their identity when they change their password.
    • If JumpCloud detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can’t be dismissed. If you’ve required MFA for the User Portal, users are required to verify their identity when they change their password.

Implementing a Rolling Password Expiration Policy

When enabling password expiration for a JumpCloud organization, the default behavior is to set the password expiration date to the same date and time for all users of a JumpCloud organization. To limit the number of accounts that are set to expire on a given date and time, admins can create a phased, rolling password expiration policy for their organization.

This can be done by enabling the Password Never Expires setting for all users in an organization before enabling password expiration for an organization and then disabling the setting for batches of users at a time.

Tip:

Need to install the JumpCloud PowerShell module to automate this task? See Install the JumpCloud PowerShell Module.

For organizations that already have password expiration in place, the steps can also be implemented, but doing so will update all users' existing password expiration dates.

Only once the Password Never Expires setting is disabled per user will the global password expiration setting apply to the user's account. 

Examples from the JumpCloud PowerShell Module example library are used to modify users and implement a rolling password expiration policy:

When the Password Never Expires setting is disabled for a user, the user’s account is set to expire at the current time plus the number of days configured for expiration. As an administrator, you choose the interval between the batches of users for which you disable the setting, and that interval becomes the spacing between their expiration dates.
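The two-phase procedure above, written out as an added PowerShell example. This is not a script from the JumpCloud PowerShell Module example library. It assumes the module is installed and connected (Connect-JCOnline), that Get-JCUser returns a password_never_expires attribute on each user, and that Set-JCUser accepts a -password_never_expires boolean; those names are assumptions to confirm against Get-Help Set-JCUser for your module version.

```powershell
# Added example: phased (rolling) password expiration rollout with the JumpCloud
# PowerShell module. Not the example library's script. Assumed names:
#   - Get-JCUser exposes .username and .password_never_expires on each user
#   - Set-JCUser -Username <name> -password_never_expires <bool>
# Run Connect-JCOnline -JumpCloudApiKey <key> before calling these functions.

function Set-EveryoneExempt {
    # Phase 1: run ONCE, BEFORE enabling "days until password expiration" for the org.
    # With every user exempt, turning on the global setting starts nobody's clock, so
    # the whole org is not set to expire at the same instant.
    $users = @(Get-JCUser | Where-Object { -not $_.password_never_expires })
    foreach ($u in $users) {
        Set-JCUser -Username $u.username -password_never_expires $true | Out-Null
        Write-Host "exempted $($u.username)"
    }
    return $users.Count
}

function Invoke-ExpirationBatch {
    param(
        [int]$BatchSize = 25,   # users whose expiration clock starts on this run
        [switch]$DryRun         # preview the batch without changing anything
    )
    # Phase 2: run once per interval (for example from a scheduled task every few
    # days) AFTER the global expiration setting is enabled. Each run removes the
    # exemption for the next $BatchSize still-exempt users; each of them then
    # expires at now + the configured lifespan, so batches expire staggered by
    # the interval between runs.
    $remaining = @(Get-JCUser |
        Where-Object { $_.password_never_expires } |
        Sort-Object username)           # deterministic order across runs
    $batch = @($remaining | Select-Object -First $BatchSize)

    foreach ($u in $batch) {
        if ($DryRun) {
            Write-Host "[dry-run] would enroll $($u.username)"
        } else {
            Set-JCUser -Username $u.username -password_never_expires $false | Out-Null
            Write-Host "enrolled $($u.username); clock starts now"
        }
    }
    return [pscustomobject]@{
        Enrolled    = $batch.Count
        StillExempt = $remaining.Count - $batch.Count
    }
}

# Usage:
#   Set-EveryoneExempt                           # once, before enabling org-wide expiration
#   # ...enable "N days until password expiration" under Settings > Security and Save...
#   Invoke-ExpirationBatch -BatchSize 25 -DryRun # preview the next batch
#   Invoke-ExpirationBatch -BatchSize 25         # repeat on your chosen interval until StillExempt is 0
```

Two caveats from the text apply here. Phase 1 exempts every user, so in an org that already has expiration enabled it discards the existing expiration dates and the staggered schedule starts over. And the batch filter selects every user who is currently exempt, so any user you want to stay exempt permanently (the Samba service account, whose password cannot be expired, or any individual exemption) needs to be excluded from `$remaining` before enrolling.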

Forcing an Org-Wide Password Reset

Organizations may want, or sometimes have an immediate need, to have their entire user base reset passwords. There are several ways to facilitate this with JumpCloud. Each option has advantages and disadvantages, a different way to initiate the reset flow, and a different resulting user experience.

Password reset using password expiration settings

Expiration is a well-worn method of enforcing password rotation. It is typically used to manage password aging on a rolling basis, but it can also be employed to enforce a more urgent reset across an organization’s user base. This method allows some customization in how the reset is enforced and how users experience it.

All users receive certain nudges from JumpCloud when their passwords are near expiration. These include:

  • A daily email to users notifying them that their password will expire. This will start seven days prior to expiration. The email has a link to the User Portal where they will be prompted to change their password. This is a dismissible prompt.
  • A Change Password prompt will appear each time a user logs into their User Portal. This will start within seven days of their password expiration. This is a dismissible prompt.

A daily notification will appear to a user on a managed device with the JumpCloud tray app nudging them to use the app to reset their password. This will start within 10 days prior to their password expiration. This looks slightly different on Macs and Windows.

To review expiration settings:

Before enforcing any form of password expiration, there are a few settings that should be reviewed to ensure that expiration will not have undesired consequences on managed resources.

  1. Log in to your JumpCloud Admin Portal.
  2. Navigate to Settings > Security and scroll down to the Password Configurations section.
    • For any configured instances of Google Workspace, M365/Entra ID, RADIUS, or LDAP, ensure the desired settings are selected for Password Expiration. These settings determine whether users are maintained, removed, disabled, or have access removed when passwords expire. Consider whether you want user email accounts suspended and emails bounced while passwords are expired, or whether Wi-Fi access should be cut off from the device the user is logged into.
  3. In the Password Aging section:
    • Review the first setting, most recent passwords cannot match each other (limit historical reuse). It’s recommended that this be enabled with a value of at least 1.
    • Determine if you want to enable the Allow password change after expiration setting. When passwords expire, access to resources through JumpCloud will be disrupted. This option allows users a path to self-recover from an expired password upon login to their User Portal or managed device.
  4. Click Save when finished.

To initiate a reset within a limited timeframe:

This is a good option when you want to enforce a reset but the urgency allows it to take place within a prescribed timeframe. Giving users a window of time to perform the reset is less disruptive to productivity and spreads out the admin remediation needed when a user is confused by or has trouble with the reset.

  1. Log in to your JumpCloud Admin Portal.
  2. Navigate to Settings > Security and scroll down to the Password Aging section.
  3. If not yet enabled, enable the days until password expiration setting and set the number of days you want to allow for your organization to reset all passwords.
  4. Determine whether to enable the days prior to password expiration, require password reset at login setting for a certain number of days prior to expiration. This is the same prompt that all users receive prior to expiration, but it is not dismissible, which ensures users don’t delay the reset in the days leading up to expiration.
  5. Click Save when finished.

To initiate a reset immediately:

This method of initiating a reset is far more disruptive to active users within an organization, but it also ensures that compromised passwords are no longer active. Weigh the urgency of the action against the identified vulnerability.

When passwords expire, users lose access and their account status is updated on all JumpCloud-managed resources. This may include the email accounts that notify them of expiration, the communication applications commonly used to help recover users, their devices, and the networks those devices connect through.

If you opt to force a reset by expiring passwords immediately, consider whether you want users to be able to self-recover from the expiration. The Allow password change after expiration setting lets users use their expired password to enter a reset flow in the JumpCloud User Portal or on a managed device at login.

  1. Log in to your JumpCloud Admin Portal.
  2. Navigate to User Management > Users.
  3. Select the users needing a password reset.
  4. Click on the more actions dropdown and select Force Password Change.
  5. Review the Force Password Change confirmation modal and if correct, select force change.

Password reset using a reset request

If there isn’t great urgency, requesting a password reset is the least disruptive option for initiating an org-wide reset. It protects productivity, but because the request is not disruptive it also tends to be less effective at prompting users to act, so it is not a recommended path of remediation if there is a concern that passwords may be compromised.

To send an admin-specified reset request:

You can send a password reset request through the JumpCloud Admin Portal; it arrives as an email to each user’s company email address. The user follows a link in the email to a reset form that requests a new password and a confirmation of that password. This is a simple flow, but as mentioned above, users may be rightfully skeptical of the request if they aren’t expecting it. If you decide to use this method, let users know in advance to expect the email from JumpCloud. Users with JumpCloud-managed devices may also need to confirm that the new password has synced to their device.

  1. Log in to your JumpCloud Admin Portal.
  2. Navigate to User Management > Users.
  3. Select the users needing a reset request.
  4. Select Resend Email.
  5. The selected users receive the reset request email. The existing password is not required for this reset request.

To send a customized reset request:

Every organization has a unique IT environment and uses JumpCloud to access a different collection of resources. A request coming from a trusted administrator with customized instructions for the reset is therefore likely to be more effective than a generic reset request. Learn more: Customizing Email Templates.
