![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"){kind=icon}
<\/p><\/div>
- \n
- You can take advantage of JumpCloud Go for Mobile without enforcing device trust. By configuring the necessary prerequisites without creating CAPs, users can register their devices with JumpCloud Protect and use JumpCloud Go for seamless access to the User Portal and SSO apps. <\/li>\n\n\n\n
- When you enforce CAPs, users on devices that don\u2019t meet the minimum criteria will not be able to access the protected resources.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \n- \n
- See Understand Device Trust Readiness<\/a> to learn how to configure your org as an admin to use Mobile Device Trust.<\/li>\n\n\n\n
- See Users: Configure Mobile Device Trust on Apple and Android Devices<\/a> to learn how users can prepare their mobile devices and access resources.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Prerequisites<\/strong><\/h2>\n\n\n\n
JumpCloud Go for Mobile<\/strong><\/h3>\n\n\n\n
- \n
- JumpCloud Go is enabled for your org. See Get Started: JumpCloud Go<\/a> to learn more.<\/li>\n\n\n\n
- Device Management is enabled for your org:\n
- \n
- For Apple devices, see Set up Apple MDM<\/a> to learn more.<\/li>\n\n\n\n
- For Android devices, see Set Up Android EMM<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Mobile devices are enrolled in JumpCloud Device Management:\n
- \n
- Apple devices are enrolled in Apple MDM with the following supported enrollment types:\n
- \n
- Automated Device Enrollment (ADE).<\/li>\n\n\n\n
- Profile-driven Device Enrollment.<\/li>\n\n\n\n
- Profile-driven User Enrollment.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Android devices are enrolled in Android EMM with the following supported enrollment types:\n
- \n
- Work Profile (Personal device).<\/li>\n\n\n\n
- Work Profile (Company-owned device).<\/li>\n\n\n\n
- Fully managed device.<\/li>\n\n\n\n
- Dedicated device.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Users are bound to their devices in JumpCloud, otherwise the JumpCloud Go for Mobile registration process will fail.\n
- \n
- Company-owned devices using Android Zero Touch, Apple Automated Device Enrollment (ADE), or Admin Portal enrollments require you to bind the user to the mobile device record in JumpCloud. See Bind Users to Devices<\/a> to learn more. <\/li>\n\n\n\n
- BYOD devices using User Enrollment for iOS or Work Profile for Android automatically bind the user to the device during enrollment if initiated via the User Portal.\n
- \n
- BYOD\/User Enrolled Apple devices require Managed Apple IDs (MAIDs) to enroll in MDM. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Apple VPP and\/or Software Management for Android are enabled for your org to deploy the managed JumpCloud Protect app (v2.2.2+) to user devices:\n
- \n
- For Apple devices, see Manage Software with Apple\u2019s VPP<\/a> to learn more.<\/li>\n\n\n\n
- For Android devices, Software Management is enabled automatically after configuring Android EMM. See Software Management: Android<\/a> to learn more. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>Note:<\/strong> \n- \n
- Devices without the JumpCloud Protect app will not be able to use JumpCloud Go for Mobile or access resources protected by Device Trust.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Device Trust<\/strong><\/h3>\n\n\n\n
- \n
- Conditional Access Policies (CAPs) are configured for each resource that you want to protect using the Device Management<\/strong> condition.\n
- \n
- Optionally, use Operating System <\/strong>conditions for granular control of device types. See Configure a Conditional Access Policy<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- On mobile devices (iOS\/Android), Device Trust is established using JumpCloud Go via the JumpCloud Protect app.<\/li>\n\n\n\n
- On desktop devices (macOS, Windows, Linux) Device Trust can be established using either JumpCloud Go or Device Trust Certificates for Desktop. See Manage Device Trust Certificates for Desktop<\/a> to learn more.\n
- \n
- CAPs using the Device Management<\/strong> condition are evaluated based on the platform of the device requesting access. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Android MDT Requirements<\/h3>\n\n\n\n
Before you enroll in Android Mobile Device Trust (MDT), ensure your device meets the minimum version requirements for both the Android OS<\/strong> and JumpCloud Protect application<\/strong> to effectively enhance your security posture with MDT.<\/p>\n\n\n\n
<\/p><\/div>Important:<\/strong> \n- \n
- Android devices enrolled in MDT will have a persistent, system-mandated background notification enabled for JumpCloud Go.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Minimum Version Requirements<\/strong><\/p>\n\n\n\n
- \n
- Android OS:<\/strong> version 12 or higher<\/li>\n<\/ul>\n\n\n\n
- \n
- JumpCloud Protect application: <\/strong>\u00a0version 2.2.10 or higher<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- Android MDT enrollment requires Android OS versions 12 or higher to maintain strong security standards.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Considerations<\/h3>\n\n\n\n
- \n
- Persistent background notifications<\/strong>\n
- \n
- In the work profile on the managed Android device, there will be a persistent background notification running for JumpCloud Go in the Android message drawer.<\/li>\n\n\n\n
- These background notifications are required to enable the continuous operation and total transparency of JumpCloud\u2019s background activities on your device.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Android MDT vs. Android EMM<\/strong>\n
- \n
- Android Mobile Device Trust (MDT)<\/strong> focuses on establishing your device’s security posture and granting access. To maintain security standards, enrolling in Android MDT requires Android OS versions 12 or higher. <\/li>\n\n\n\n
- Android Enterprise Mobility Management (EMM)<\/strong> focuses on mobility management, including mobile device management (MDM). Android EMM can be used with Android OS versions 5.1 and higher.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Enforcing Device Trust <\/h2>\n\n\n\n
When you configure CAPs to enforce Mobile Device Trust, users can\u2019t access protected resources on untrusted devices. When users first access a protected resource on a trusted device, they\u2019re redirected to the JumpCloud Protect app to register their device with JumpCloud Go. After entering their credentials (and MFA challenge if enabled by the admin), their device is registered with JumpCloud Go, establishing their device as trusted.<\/p>\n\n\n\n
When users access protected resources, they verify their identity using JumpCloud Go via the JumpCloud Protect app with device biometrics, granting access. The hardware-backed JumpCloud Go token is valid for 1 year. <\/p>\n\n\n\n
For a mobile device to be considered trusted:<\/p>\n\n\n\n
- \n
- The device is enrolled in Device Management: Apple MDM and\/or Android EMM.<\/li>\n\n\n\n
- JumpCloud Protect is deployed to the device using Apple VPP and\/or Software Management.<\/li>\n\n\n\n
- The device passes integrity and jailbreak detection checks.<\/li>\n<\/ul>\n\n\n\n
Accessing the JumpCloud User Portal <\/h3>\n\n\n\n
If your users access their company resources from the JumpCloud User Portal, you can create a CAP that restricts access on unmanaged devices. Because users require access to the User Portal to register their devices with JumpCloud Go, rather than explicitly block access, the highest level of MFA is used for authentication.<\/p>\n\n\n\n
Protecting Individual SSO Apps <\/h3>\n\n\n\n
You can create CAPs for specific SSO apps available to your users. For example, Slack may contain privileged information that you want users to only access from trusted devices. To do so, create a CAP for the Slack SSO app and restrict access on untrusted devices using the Managed Device<\/strong> condition. <\/p>\n\n\n\n
Admin Configuration Workflow<\/h2>\n\n\n\n
After enabling the prerequisite features, configure your mobile devices to start using JumpCloud Go for Mobile and Device Trust:<\/p>\n\n\n\n
- \n
- Enroll your devices in Device Management. Depending on the device and configuration type, devices can be company enrolled or personally enrolled. \n
- \n
- For company enrolled devices:\n
- \n
- Apple: See Add Company-Owned Apple Devices to MDM with Device Enrollment<\/a> to learn more.<\/li>\n\n\n\n
- Android: See Add and Manage Android Devices<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- For personal devices, user can enroll their device via the User Portal: \n
- \n
- Apple: See Add Personal Apple Devices to MDM with User Enrollment<\/a> to learn more.\n
- \n
- Note<\/strong>: Managed Apple IDs (MAIDs) are required to enroll personal devices in MDM. To perform this action in bulk, see Run the MAID Import Script<\/a>. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Android: See Add and Manage Android Devices<\/a> to learn more. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Deploy the JumpCloud Protect app (v2.2.2+\u0192) to devices using Apple VPP and\/or Android Software Management. See Get Started: Software Management<\/a>.\n
- \n
- Apple: See Manage Software with Apple\u2019s VPP<\/a> to learn more.<\/li>\n\n\n\n
- Android: See Software Management: Android<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>Important:<\/strong> \nAdditional configuration is required to use the JumpCloud Protect Android app. See JumpCloud Protect Android App<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Create CAPs in JumpCloud that limit access to the User Portal, SSO apps, or both using the Managed Device<\/strong> condition. Optionally, use the Operating System<\/strong> condition to target specific device types. See Configure a Conditional Access Policy<\/a> to learn more. <\/li>\n<\/ul>\n\n\n\n
FAQ<\/h2>\n\n\n\n
Can I use JumpCloud Go for Mobile without configuring access policies? <\/a>\nYes, if you don\u2019t enforce CAPs. You can use JumpCloud Go to enable secure and seamless authentication on mobile devices. <\/p>\n<\/div><\/div><\/div>\n\n\n\n
What is the difference between a managed and trusted device?<\/a>\n- \n
- Managed device: A device that is enrolled in Device Management (MDM for Apple devices or Google EMM for Android devices). Device management is only one requirement to establish a device as trusted. <\/li>\n\n\n\n
- Trusted device: A device that meets all of the requirements to be trusted by JumpCloud. This includes enrollment in Device Management as well as JumpCloud Protect and JumpCloud Go registration.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nDo I need to be enrolled into JumpCloud Device Management to get Mobile Device Trust? If so, why?<\/a>\n
- \n
- Yes, your mobile device needs to be under management in JumpCloud. NOTE: this is applicable to company-owned and BYO devices.<\/li>\n\n\n\n
- The current release of Mobile Device Trust uses a number of technologies that are only available via the MDM\/EMM protocols.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nWhat if I have contractors that already have management on their devices or are unwilling to enroll in JumpCloud management?<\/a>\n
Currently, devices must be JumpCloud managed to get access to Mobile Device Trust functionality. See the previous FAQ for more information.<\/p>\n<\/div><\/div><\/div>\n\n\n\n
My employees are concerned about the privacy associated with enrolling into JumpCloud. What can I do to assure them that it\u2019s safe?<\/a>\n- \n
- End user privacy is a critical pillar for JumpCloud, Apple, and Google. Apple and Google have built enrollment types that specifically cater to employee owned devices to ensure data separation and privacy. JumpCloud built its BYOD offering on top of Apple\u2019s and Google\u2019s MDM\/EMM protocols so we are not able to enforce or collect more data than what is enabled by the OEMs.<\/li>\n\n\n\n
- For details on Apple\u2019s iOS\/iPadOS User Enrollment, see User Enrollment and MDM – Apple Support<\/a> to learn more. <\/li>\n\n\n\n
- For details on Google\u2019s Android Work Profile, see What policies is my organization enforcing on my device? – Android Enterprise Help<\/a> to learn more. <\/li>\n\n\n\n
- Things that JumpCloud can never see on your enrolled BYO mobile device:\n
- \n
- Calling history<\/li>\n\n\n\n
- Web browsing history<\/li>\n\n\n\n
- Personal emails<\/li>\n\n\n\n
- Personal text messages<\/li>\n\n\n\n
- Personal contacts<\/li>\n\n\n\n
- Personal calendar<\/li>\n\n\n\n
- Personal passwords<\/li>\n\n\n\n
- Pictures, including what’s in the photos app or camera roll<\/li>\n\n\n\n
- Content of user created documents<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nI have employees that are already accessing company SSO endpoints on their unmanaged personal devices. How do I prevent this or remove their access?<\/a>\n
Once you\u2019ve rolled out Mobile Device Trust and enable CAPs to block unmanaged instances, you need to consider forcing a password reset on user accounts. This will terminate long-lived mobile sessions and force user re-authentication. When users re-authenticate, the latest CAPs are evaluated and personal\/unmanaged access is blocked.<\/p>\n<\/div><\/div><\/div>\n\n\n\n
With iOS User Enrollment, I can\u2019t have multiple instances of the same application. What happens if I have a company use case involving a mobile app that my employees also use for personal use?<\/a>\nApple\u2019s User Enrollment is currently limited to a single app. If you want complete control of the app (for it to be marked as a Managed Application for example), you need to ask users to delete the personally redeemed application and allow for JumpCloud MDM to push the managed version.<\/p>\n<\/div><\/div><\/div>\n\n\n\n
What are the minimum OS requirements?<\/a>\n- \n
- Android 5.0+<\/li>\n\n\n\n
- iOS\/iPadOS 14+<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nDoes Mobile Device Trust work on iPadOS?<\/a>\n
Yes. You will need to install the iOS Protect application and the in-app experience will be a scaled version of the iOS experience but all the functionality required for Mobile Device Trust will exist.<\/p>\n<\/div><\/div><\/div>\n\n\n\n
Do I need a Managed Apple ID (MAID)? If so, why?<\/a>\n- \n
- A Managed Apple ID (MAID) is required to enroll a personal iOS device in JumpCloud MDM. The option to do User Enrollment in the User Portal will not appear if the user account has an empty Managed Apple ID field in the JumpCloud Admin Console.<\/li>\n\n\n\n
- See the following references to learn more:\n
- \n
- Run the MAID Import Script<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\nIs there a Google equivalent of Managed Apple IDs and do I need it?<\/a>\n
- \n
- Currently, all Android EMM enrollments are completed with Managed Google Play accounts that are created at time of enrollment. So at this time, you only need to configure Android EMM.<\/li>\n\n\n\n
- Google does intend to consolidate the user sign-in experience during device enrollment. End users will in the future use a single managed Google account to log into Android, ChromeOS, and other Google services.<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\n
- Run the MAID Import Script<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/div><\/div>\n\n\n\n
- For details on Google\u2019s Android Work Profile, see What policies is my organization enforcing on my device? – Android Enterprise Help<\/a> to learn more. <\/li>\n\n\n\n
- Android: See Software Management: Android<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Android: See Add and Manage Android Devices<\/a> to learn more. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Note<\/strong>: Managed Apple IDs (MAIDs) are required to enroll personal devices in MDM. To perform this action in bulk, see Run the MAID Import Script<\/a>. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Android: See Add and Manage Android Devices<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Apple: See Add Company-Owned Apple Devices to MDM with Device Enrollment<\/a> to learn more.<\/li>\n\n\n\n
- For company enrolled devices:\n
- Enroll your devices in Device Management. Depending on the device and configuration type, devices can be company enrolled or personally enrolled. \n
- Android Enterprise Mobility Management (EMM)<\/strong> focuses on mobility management, including mobile device management (MDM). Android EMM can be used with Android OS versions 5.1 and higher.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Android Mobile Device Trust (MDT)<\/strong> focuses on establishing your device’s security posture and granting access. To maintain security standards, enrolling in Android MDT requires Android OS versions 12 or higher. <\/li>\n\n\n\n
- Persistent background notifications<\/strong>\n
- Android MDT enrollment requires Android OS versions 12 or higher to maintain strong security standards.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- JumpCloud Protect application: <\/strong>\u00a0version 2.2.10 or higher<\/li>\n<\/ul>\n\n\n\n
- Android OS:<\/strong> version 12 or higher<\/li>\n<\/ul>\n\n\n\n
- Android devices enrolled in MDT will have a persistent, system-mandated background notification enabled for JumpCloud Go.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- CAPs using the Device Management<\/strong> condition are evaluated based on the platform of the device requesting access. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- Optionally, use Operating System <\/strong>conditions for granular control of device types. See Configure a Conditional Access Policy<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Conditional Access Policies (CAPs) are configured for each resource that you want to protect using the Device Management<\/strong> condition.\n
- For Android devices, Software Management is enabled automatically after configuring Android EMM. See Software Management: Android<\/a> to learn more. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- For Apple devices, see Manage Software with Apple\u2019s VPP<\/a> to learn more.<\/li>\n\n\n\n
- BYOD devices using User Enrollment for iOS or Work Profile for Android automatically bind the user to the device during enrollment if initiated via the User Portal.\n
- Company-owned devices using Android Zero Touch, Apple Automated Device Enrollment (ADE), or Admin Portal enrollments require you to bind the user to the mobile device record in JumpCloud. See Bind Users to Devices<\/a> to learn more. <\/li>\n\n\n\n
- For Android devices, see Set Up Android EMM<\/a> to learn more.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Device Management is enabled for your org:\n
- See Users: Configure Mobile Device Trust on Apple and Android Devices<\/a> to learn how users can prepare their mobile devices and access resources.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- See Understand Device Trust Readiness<\/a> to learn how to configure your org as an admin to use Mobile Device Trust.<\/li>\n\n\n\n