From Individual User Accounts<\/h3>\n\n\n\nTo require MFA factors for the User Portal on an individual user account<\/strong>:<\/p>\n\n\n\n
\n- Edit a user or create a new user in the Admin Portal. See Get Started: Users<\/a>.<\/li>\n\n\n\n
- In the User Security Settings and Permissions<\/strong> section, select Require Multi-factor Authentication for User Portal<\/strong> option. Note<\/strong>: The enrollment period only affects TOTP MFA.<\/li>\n\n\n\n
- Click save user<\/strong>.<\/li>\n<\/ol>\n\n\n\n
From the More Actions Menu<\/h3>\n\n\n\nTo require MFA factors for the User Portal on existing users from the more actions menu<\/strong>:<\/p>\n\n\n\n
\n- Select any users you want to require MFA for.<\/li>\n\n\n\n
- Click more actions, then select Require MFA on User Portal<\/strong>.<\/li>\n\n\n\n
- Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.<\/li>\n\n\n\n
- Click require<\/strong> to add this requirement to the selected users.<\/li>\n<\/ol>\n\n\n\n
With a Conditional Access Policy<\/h3>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>
Important:<\/strong> \nTo require MFA factors with a Conditional Access Policy<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to SECURITY MANAGEMENT <\/strong>> Conditional Policies<\/strong>.<\/li>\n\n\n\n
- Click (+<\/strong>). <\/li>\n\n\n\n
- Enter a unique Policy Name<\/strong>.<\/li>\n\n\n\n
- Optionally, enter a description for the policy.<\/li>\n\n\n\n
- If you don\u2019t want the policy to take effect right away, toggle the Policy Status<\/strong> to OFF<\/strong> and finish the rest of the configuration. When you\u2019re ready for the policy to apply, you can toggle the Policy Status<\/strong> to ON<\/strong>. <\/li>\n\n\n\n
- For Users<\/strong>, choose one of the following options:\n
\n- Select All Users<\/strong> if you want the policy to apply to all users. <\/li>\n\n\n\n
- Select Selected User Groups<\/strong> if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Get Started: User Groups<\/a>. <\/li>\n\n\n\n
- If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally, set the conditions a user needs to meet. Note<\/strong>: Conditions is a premium feature available in the Platform Prime plan. Learn more about conditions in Get Started: Conditional Access Policies<\/a>. <\/li>\n\n\n\n
- In Action<\/strong>, select Allow authentication into selected resources<\/strong>, then select the Require MFA <\/strong>option. <\/li>\n\n\n\n
- Click create policy<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Understanding User MFA Enrollment Options<\/h2>\n\n\n\nThere are two types of MFA enrollment for users:<\/p>\n\n\n\n
\n- Forced MFA Enrollment<\/li>\n\n\n\n
- Soft TOTP MFA Enrollment<\/li>\n<\/ol>\n\n\n\n
About Forced MFA Enrollment<\/h3>\n\n\n\n
If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy<\/a> above. <\/p>\n\n\n\n
About Soft TOTP MFA Enrollment<\/h3>\n\n\n\nSoft TOTP MFA enrollment applies to TOTP MFA only. If there’s more than one MFA solution enabled, a user can select to enroll with an MFA solution that isn’t TOTP. After they finish setting up the non-TOTP MFA solution, they need to go back and enroll in TOTP MFA. If a user doesn’t enroll in TOTP MFA during the enrollment period, they are locked out of resources that are protected by TOTP MFA and you need to reset TOTP MFA for the user. <\/p>\n\n\n\n
Starting TOTP MFA Enrollment for Your Users<\/h3>\n\n\n\nYou can start a soft TOTP MFA enrollment period from an individual user account or with the More Actions menu.<\/p>\n\n\n\n
To begin a soft TOTP MFA enrollment period from an individual account<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select an existing user or create a new one. To learn how to create a new user, see Get Started: Users<\/a>. <\/li>\n\n\n\n
- Select the Details<\/strong> tab, then expand User Security Settings and Permissions<\/strong>.<\/li>\n\n\n\n
- For Multi-Factor Authentication Settings<\/strong>, select Require Multi-factor Authentication on the User Portal<\/strong>, then enter the number of days the user has to enroll in MFA. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To begin a soft TOTP MFA enrollment period from the more actions menu<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the users you want to be in the enrollment period.<\/li>\n\n\n\n
- In the top right, click more actions<\/strong>, then select Require User MFA.<\/strong> <\/li>\n\n\n\n
- From the Require MFA on User Portal<\/strong> modal, enter the number of days users have to enroll in MFA. <\/li>\n\n\n\n
- Click require<\/strong>. <\/li>\n<\/ol>\n\n\n\n
When you begin an enrollment period, users receive an email notification. The email lets them know how long their enrollment period is and gives them a link to set up TOTP MFA. <\/p>\n\n\n\n
Resetting TOTP MFA Enrollment for a User<\/h2>\n\n\n\nIf a user doesn\u2019t set up TOTP MFA and the enrollment period expires, the user is locked out of their account, and you need to reset their enrollment period. <\/p>\n\n\n\n
To reset a user\u2019s TOTP MFA enrollment period<\/strong>:<\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the user from the Users list. <\/li>\n\n\n\n
- On the left side of the User Panel, select TOTP MFA expired<\/strong>, then click reset TOTP MFA<\/strong>. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Viewing Users\u2019 TOTP MFA Status<\/h2>\n\n\n\nYou can view users\u2019 TOTP MFA status to monitor who\u2019s set up MFA, still in the enrollment period, and has had the enrollment period expired. <\/p>\n\n\n\n
To view a users TOTP MFA status<\/strong>:<\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n<\/ol>\n\n\n\n
The Users list MFA column, which defaults to TOTP, shows you a user’s TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:<\/p>\n\n\n\n
\n- A user has enrolled sucessfully in TOTP MFA .<\/li>\n\n\n\n
- A user has not completed TOTP enrollment.<\/li>\n\n\n\n
- A user is in a TOTP MFA enrollment period (dates included). <\/li>\n\n\n\n
- A user’s TOTP MFA enrollment period has expired (expiration date included). <\/li>\n\n\n\n
- A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.<\/li>\n<\/ul>\n\n\n\n
You can also view a user’s MFA status in their user details.<\/p>\n\n\n\n
You can filter the Users list to show MFA status and requirement. See Get Started: Users<\/a>. <\/p>\n\n\n\n
Learn more in Resetting MFA Enrollment for a User<\/a> above. <\/p>\n\n\n\n
Looking at the User Workflow <\/h2>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>
Note:<\/strong> \n\n- If you begin an enrollment period and a user already has set up MFA, they don\u2019t see the enrollment modal. <\/li>\n\n\n\n
- You can use JumpCloud Protect for Push MFA as well as Verification Code (TOTP) MFA. See JumpCloud Protect for End Users<\/a> for more information.<\/li>\n\n\n\n
- If you enabled Duo Security MFA, there\u2019s no additional setup for users, so Duo isn\u2019t part of the enrollment modal. <\/li>\n\n\n\n
- WebAuthn can\u2019t be the only MFA solution enabled. You need to enable Duo or TOTP with WebAuthn. See MFA for Admins<\/a> for more information. <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
When you begin an enrollment process, the following is what the user experience is like for a user who hasn\u2019t set up MFA:<\/p>\n\n\n\n
\n- The user will receive an email, or will get a prompt when they log in to the User Portal.<\/li>\n\n\n\n
- The user sees a Set Up Multi-Factor Authentication modal. If it\u2019s a forced enrollment, the user won\u2019t be able to skip it. If it includes a soft TOTP MFA enrollment, the user can skip it.\n
\n- If you enabled TOTP MFA as the single MFA solution, the user has to set up TOTP MFA.<\/li>\n\n\n\n
- If you enabled TOTP MFA and WebAuthn, the user can choose which MFA solution to set up first. By default, TOTP MFA is selected. Note<\/strong>: If the users sets up WebAuthn first, they need to go back and set up TOTP MFA. <\/li>\n\n\n\n
- If you set up Duo MFA and WebAuthn, the user has to set up WebAuthn.<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- After an\u00a0MFA solution has been selected, the user clicks continue and sets up MFA. \n
\n- The user will be provided with a QR code and TOTP token that can be used to configure a qualified TOTP app (we recommend that users use the JumpCloud Protect app for TOTP).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>
Tip:<\/strong> \nFor backup purposes, we recommend that users copy and paste their TOTP key string below the QR code and store it in a secure location. This key can be used to reset TOTP MFA if a users loses their device with the TOTP token app.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>
Note:<\/strong> \nWhen a user’s enrollment is close to expiring, they are sent a reminder 24 hours in advance notifying them that their TOTP MFA enrollment period is about to expire. After their enrollment period expires, they are locked out of the User Portal until their TOTP MFA requirement is removed by an administrator or their enrollment time is extended. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nHere’s a guided simulation: User Portal MFA TOTP Login<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
From the More Actions Menu<\/h3>\n\n\n\nTo require MFA factors for the User Portal on existing users from the more actions menu<\/strong>:<\/p>\n\n\n\n
\n- Select any users you want to require MFA for.<\/li>\n\n\n\n
- Click more actions, then select Require MFA on User Portal<\/strong>.<\/li>\n\n\n\n
- Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.<\/li>\n\n\n\n
- Click require<\/strong> to add this requirement to the selected users.<\/li>\n<\/ol>\n\n\n\n
With a Conditional Access Policy<\/h3>\n\n\n\n<\/p><\/div>
Important:<\/strong> \nTo require MFA factors with a Conditional Access Policy<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to SECURITY MANAGEMENT <\/strong>> Conditional Policies<\/strong>.<\/li>\n\n\n\n
- Click (+<\/strong>). <\/li>\n\n\n\n
- Enter a unique Policy Name<\/strong>.<\/li>\n\n\n\n
- Optionally, enter a description for the policy.<\/li>\n\n\n\n
- If you don\u2019t want the policy to take effect right away, toggle the Policy Status<\/strong> to OFF<\/strong> and finish the rest of the configuration. When you\u2019re ready for the policy to apply, you can toggle the Policy Status<\/strong> to ON<\/strong>. <\/li>\n\n\n\n
- For Users<\/strong>, choose one of the following options:\n
\n- Select All Users<\/strong> if you want the policy to apply to all users. <\/li>\n\n\n\n
- Select Selected User Groups<\/strong> if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Get Started: User Groups<\/a>. <\/li>\n\n\n\n
- If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally, set the conditions a user needs to meet. Note<\/strong>: Conditions is a premium feature available in the Platform Prime plan. Learn more about conditions in Get Started: Conditional Access Policies<\/a>. <\/li>\n\n\n\n
- In Action<\/strong>, select Allow authentication into selected resources<\/strong>, then select the Require MFA <\/strong>option. <\/li>\n\n\n\n
- Click create policy<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Understanding User MFA Enrollment Options<\/h2>\n\n\n\nThere are two types of MFA enrollment for users:<\/p>\n\n\n\n
\n- Forced MFA Enrollment<\/li>\n\n\n\n
- Soft TOTP MFA Enrollment<\/li>\n<\/ol>\n\n\n\n
About Forced MFA Enrollment<\/h3>\n\n\n\n
If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy<\/a> above. <\/p>\n\n\n\n
About Soft TOTP MFA Enrollment<\/h3>\n\n\n\nSoft TOTP MFA enrollment applies to TOTP MFA only. If there’s more than one MFA solution enabled, a user can select to enroll with an MFA solution that isn’t TOTP. After they finish setting up the non-TOTP MFA solution, they need to go back and enroll in TOTP MFA. If a user doesn’t enroll in TOTP MFA during the enrollment period, they are locked out of resources that are protected by TOTP MFA and you need to reset TOTP MFA for the user. <\/p>\n\n\n\n
Starting TOTP MFA Enrollment for Your Users<\/h3>\n\n\n\nYou can start a soft TOTP MFA enrollment period from an individual user account or with the More Actions menu.<\/p>\n\n\n\n
To begin a soft TOTP MFA enrollment period from an individual account<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select an existing user or create a new one. To learn how to create a new user, see Get Started: Users<\/a>. <\/li>\n\n\n\n
- Select the Details<\/strong> tab, then expand User Security Settings and Permissions<\/strong>.<\/li>\n\n\n\n
- For Multi-Factor Authentication Settings<\/strong>, select Require Multi-factor Authentication on the User Portal<\/strong>, then enter the number of days the user has to enroll in MFA. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To begin a soft TOTP MFA enrollment period from the more actions menu<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the users you want to be in the enrollment period.<\/li>\n\n\n\n
- In the top right, click more actions<\/strong>, then select Require User MFA.<\/strong> <\/li>\n\n\n\n
- From the Require MFA on User Portal<\/strong> modal, enter the number of days users have to enroll in MFA. <\/li>\n\n\n\n
- Click require<\/strong>. <\/li>\n<\/ol>\n\n\n\n
When you begin an enrollment period, users receive an email notification. The email lets them know how long their enrollment period is and gives them a link to set up TOTP MFA. <\/p>\n\n\n\n
Resetting TOTP MFA Enrollment for a User<\/h2>\n\n\n\nIf a user doesn\u2019t set up TOTP MFA and the enrollment period expires, the user is locked out of their account, and you need to reset their enrollment period. <\/p>\n\n\n\n
To reset a user\u2019s TOTP MFA enrollment period<\/strong>:<\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the user from the Users list. <\/li>\n\n\n\n
- On the left side of the User Panel, select TOTP MFA expired<\/strong>, then click reset TOTP MFA<\/strong>. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Viewing Users\u2019 TOTP MFA Status<\/h2>\n\n\n\nYou can view users\u2019 TOTP MFA status to monitor who\u2019s set up MFA, still in the enrollment period, and has had the enrollment period expired. <\/p>\n\n\n\n
To view a users TOTP MFA status<\/strong>:<\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n<\/ol>\n\n\n\n
The Users list MFA column, which defaults to TOTP, shows you a user’s TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:<\/p>\n\n\n\n
\n- A user has enrolled sucessfully in TOTP MFA .<\/li>\n\n\n\n
- A user has not completed TOTP enrollment.<\/li>\n\n\n\n
- A user is in a TOTP MFA enrollment period (dates included). <\/li>\n\n\n\n
- A user’s TOTP MFA enrollment period has expired (expiration date included). <\/li>\n\n\n\n
- A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.<\/li>\n<\/ul>\n\n\n\n
You can also view a user’s MFA status in their user details.<\/p>\n\n\n\n
You can filter the Users list to show MFA status and requirement. See Get Started: Users<\/a>. <\/p>\n\n\n\n
Learn more in Resetting MFA Enrollment for a User<\/a> above. <\/p>\n\n\n\n
Looking at the User Workflow <\/h2>\n\n\n\n<\/p><\/div>
Note:<\/strong> \n\n- If you begin an enrollment period and a user already has set up MFA, they don\u2019t see the enrollment modal. <\/li>\n\n\n\n
- You can use JumpCloud Protect for Push MFA as well as Verification Code (TOTP) MFA. See JumpCloud Protect for End Users<\/a> for more information.<\/li>\n\n\n\n
- If you enabled Duo Security MFA, there\u2019s no additional setup for users, so Duo isn\u2019t part of the enrollment modal. <\/li>\n\n\n\n
- WebAuthn can\u2019t be the only MFA solution enabled. You need to enable Duo or TOTP with WebAuthn. See MFA for Admins<\/a> for more information. <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
When you begin an enrollment process, the following is what the user experience is like for a user who hasn\u2019t set up MFA:<\/p>\n\n\n\n
\n- The user will receive an email, or will get a prompt when they log in to the User Portal.<\/li>\n\n\n\n
- The user sees a Set Up Multi-Factor Authentication modal. If it\u2019s a forced enrollment, the user won\u2019t be able to skip it. If it includes a soft TOTP MFA enrollment, the user can skip it.\n
\n- If you enabled TOTP MFA as the single MFA solution, the user has to set up TOTP MFA.<\/li>\n\n\n\n
- If you enabled TOTP MFA and WebAuthn, the user can choose which MFA solution to set up first. By default, TOTP MFA is selected. Note<\/strong>: If the users sets up WebAuthn first, they need to go back and set up TOTP MFA. <\/li>\n\n\n\n
- If you set up Duo MFA and WebAuthn, the user has to set up WebAuthn.<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- After an\u00a0MFA solution has been selected, the user clicks continue and sets up MFA. \n
\n- The user will be provided with a QR code and TOTP token that can be used to configure a qualified TOTP app (we recommend that users use the JumpCloud Protect app for TOTP).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nFor backup purposes, we recommend that users copy and paste their TOTP key string below the QR code and store it in a secure location. This key can be used to reset TOTP MFA if a users loses their device with the TOTP token app.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>
Note:<\/strong> \nWhen a user’s enrollment is close to expiring, they are sent a reminder 24 hours in advance notifying them that their TOTP MFA enrollment period is about to expire. After their enrollment period expires, they are locked out of the User Portal until their TOTP MFA requirement is removed by an administrator or their enrollment time is extended. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nHere’s a guided simulation: User Portal MFA TOTP Login<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
With a Conditional Access Policy<\/h3>\n\n\n\n<\/p><\/div>
Important:<\/strong> \nTo require MFA factors with a Conditional Access Policy<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to SECURITY MANAGEMENT <\/strong>> Conditional Policies<\/strong>.<\/li>\n\n\n\n
- Click (+<\/strong>). <\/li>\n\n\n\n
- Enter a unique Policy Name<\/strong>.<\/li>\n\n\n\n
- Optionally, enter a description for the policy.<\/li>\n\n\n\n
- If you don\u2019t want the policy to take effect right away, toggle the Policy Status<\/strong> to OFF<\/strong> and finish the rest of the configuration. When you\u2019re ready for the policy to apply, you can toggle the Policy Status<\/strong> to ON<\/strong>. <\/li>\n\n\n\n
- For Users<\/strong>, choose one of the following options:\n
\n- Select All Users<\/strong> if you want the policy to apply to all users. <\/li>\n\n\n\n
- Select Selected User Groups<\/strong> if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Get Started: User Groups<\/a>. <\/li>\n\n\n\n
- If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally, set the conditions a user needs to meet. Note<\/strong>: Conditions is a premium feature available in the Platform Prime plan. Learn more about conditions in Get Started: Conditional Access Policies<\/a>. <\/li>\n\n\n\n
- In Action<\/strong>, select Allow authentication into selected resources<\/strong>, then select the Require MFA <\/strong>option. <\/li>\n\n\n\n
- Click create policy<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Understanding User MFA Enrollment Options<\/h2>\n\n\n\nThere are two types of MFA enrollment for users:<\/p>\n\n\n\n
\n- Forced MFA Enrollment<\/li>\n\n\n\n
- Soft TOTP MFA Enrollment<\/li>\n<\/ol>\n\n\n\n
About Forced MFA Enrollment<\/h3>\n\n\n\n
If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy<\/a> above. <\/p>\n\n\n\n
About Soft TOTP MFA Enrollment<\/h3>\n\n\n\nSoft TOTP MFA enrollment applies to TOTP MFA only. If there’s more than one MFA solution enabled, a user can select to enroll with an MFA solution that isn’t TOTP. After they finish setting up the non-TOTP MFA solution, they need to go back and enroll in TOTP MFA. If a user doesn’t enroll in TOTP MFA during the enrollment period, they are locked out of resources that are protected by TOTP MFA and you need to reset TOTP MFA for the user. <\/p>\n\n\n\n
Starting TOTP MFA Enrollment for Your Users<\/h3>\n\n\n\nYou can start a soft TOTP MFA enrollment period from an individual user account or with the More Actions menu.<\/p>\n\n\n\n
To begin a soft TOTP MFA enrollment period from an individual account<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select an existing user or create a new one. To learn how to create a new user, see Get Started: Users<\/a>. <\/li>\n\n\n\n
- Select the Details<\/strong> tab, then expand User Security Settings and Permissions<\/strong>.<\/li>\n\n\n\n
- For Multi-Factor Authentication Settings<\/strong>, select Require Multi-factor Authentication on the User Portal<\/strong>, then enter the number of days the user has to enroll in MFA. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To begin a soft TOTP MFA enrollment period from the more actions menu<\/strong>: <\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the users you want to be in the enrollment period.<\/li>\n\n\n\n
- In the top right, click more actions<\/strong>, then select Require User MFA.<\/strong> <\/li>\n\n\n\n
- From the Require MFA on User Portal<\/strong> modal, enter the number of days users have to enroll in MFA. <\/li>\n\n\n\n
- Click require<\/strong>. <\/li>\n<\/ol>\n\n\n\n
When you begin an enrollment period, users receive an email notification. The email lets them know how long their enrollment period is and gives them a link to set up TOTP MFA. <\/p>\n\n\n\n
Resetting TOTP MFA Enrollment for a User<\/h2>\n\n\n\nIf a user doesn\u2019t set up TOTP MFA and the enrollment period expires, the user is locked out of their account, and you need to reset their enrollment period. <\/p>\n\n\n\n
To reset a user\u2019s TOTP MFA enrollment period<\/strong>:<\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the user from the Users list. <\/li>\n\n\n\n
- On the left side of the User Panel, select TOTP MFA expired<\/strong>, then click reset TOTP MFA<\/strong>. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Viewing Users\u2019 TOTP MFA Status<\/h2>\n\n\n\nYou can view users\u2019 TOTP MFA status to monitor who\u2019s set up MFA, still in the enrollment period, and has had the enrollment period expired. <\/p>\n\n\n\n
To view a users TOTP MFA status<\/strong>:<\/p>\n\n\n\n
\n- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n<\/ol>\n\n\n\n
The Users list MFA column, which defaults to TOTP, shows you a user’s TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:<\/p>\n\n\n\n
\n- A user has enrolled sucessfully in TOTP MFA .<\/li>\n\n\n\n
- A user has not completed TOTP enrollment.<\/li>\n\n\n\n
- A user is in a TOTP MFA enrollment period (dates included). <\/li>\n\n\n\n
- A user’s TOTP MFA enrollment period has expired (expiration date included). <\/li>\n\n\n\n
- A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.<\/li>\n<\/ul>\n\n\n\n
You can also view a user’s MFA status in their user details.<\/p>\n\n\n\n
You can filter the Users list to show MFA status and requirement. See Get Started: Users<\/a>. <\/p>\n\n\n\n
Learn more in Resetting MFA Enrollment for a User<\/a> above. <\/p>\n\n\n\n
Looking at the User Workflow <\/h2>\n\n\n\n<\/p><\/div>
Note:<\/strong> \n\n- If you begin an enrollment period and a user already has set up MFA, they don\u2019t see the enrollment modal. <\/li>\n\n\n\n
- You can use JumpCloud Protect for Push MFA as well as Verification Code (TOTP) MFA. See JumpCloud Protect for End Users<\/a> for more information.<\/li>\n\n\n\n
- If you enabled Duo Security MFA, there\u2019s no additional setup for users, so Duo isn\u2019t part of the enrollment modal. <\/li>\n\n\n\n
- WebAuthn can\u2019t be the only MFA solution enabled. You need to enable Duo or TOTP with WebAuthn. See MFA for Admins<\/a> for more information. <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
When you begin an enrollment process, the following is what the user experience is like for a user who hasn\u2019t set up MFA:<\/p>\n\n\n\n
\n- The user will receive an email, or will get a prompt when they log in to the User Portal.<\/li>\n\n\n\n
- The user sees a Set Up Multi-Factor Authentication modal. If it\u2019s a forced enrollment, the user won\u2019t be able to skip it. If it includes a soft TOTP MFA enrollment, the user can skip it.\n
\n- If you enabled TOTP MFA as the single MFA solution, the user has to set up TOTP MFA.<\/li>\n\n\n\n
- If you enabled TOTP MFA and WebAuthn, the user can choose which MFA solution to set up first. By default, TOTP MFA is selected. Note<\/strong>: If the users sets up WebAuthn first, they need to go back and set up TOTP MFA. <\/li>\n\n\n\n
- If you set up Duo MFA and WebAuthn, the user has to set up WebAuthn.<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- After an\u00a0MFA solution has been selected, the user clicks continue and sets up MFA. \n
\n- The user will be provided with a QR code and TOTP token that can be used to configure a qualified TOTP app (we recommend that users use the JumpCloud Protect app for TOTP).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nFor backup purposes, we recommend that users copy and paste their TOTP key string below the QR code and store it in a secure location. This key can be used to reset TOTP MFA if a users loses their device with the TOTP token app.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>
Note:<\/strong> \nWhen a user’s enrollment is close to expiring, they are sent a reminder 24 hours in advance notifying them that their TOTP MFA enrollment period is about to expire. After their enrollment period expires, they are locked out of the User Portal until their TOTP MFA requirement is removed by an administrator or their enrollment time is extended. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>
Tip:<\/strong> \nHere’s a guided simulation: User Portal MFA TOTP Login<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
<\/p><\/div>
To require MFA factors with a Conditional Access Policy<\/strong>: <\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to SECURITY MANAGEMENT <\/strong>> Conditional Policies<\/strong>.<\/li>\n\n\n\n
- Click (+<\/strong>). <\/li>\n\n\n\n
- Enter a unique Policy Name<\/strong>.<\/li>\n\n\n\n
- Optionally, enter a description for the policy.<\/li>\n\n\n\n
- If you don\u2019t want the policy to take effect right away, toggle the Policy Status<\/strong> to OFF<\/strong> and finish the rest of the configuration. When you\u2019re ready for the policy to apply, you can toggle the Policy Status<\/strong> to ON<\/strong>. <\/li>\n\n\n\n
- For Users<\/strong>, choose one of the following options:\n
- \n
- Select All Users<\/strong> if you want the policy to apply to all users. <\/li>\n\n\n\n
- Select Selected User Groups<\/strong> if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Get Started: User Groups<\/a>. <\/li>\n\n\n\n
- If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optionally, set the conditions a user needs to meet. Note<\/strong>: Conditions is a premium feature available in the Platform Prime plan. Learn more about conditions in Get Started: Conditional Access Policies<\/a>. <\/li>\n\n\n\n
- In Action<\/strong>, select Allow authentication into selected resources<\/strong>, then select the Require MFA <\/strong>option. <\/li>\n\n\n\n
- Click create policy<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Understanding User MFA Enrollment Options<\/h2>\n\n\n\n
There are two types of MFA enrollment for users:<\/p>\n\n\n\n
- \n
- Forced MFA Enrollment<\/li>\n\n\n\n
- Soft TOTP MFA Enrollment<\/li>\n<\/ol>\n\n\n\n
About Forced MFA Enrollment<\/h3>\n\n\n\n
If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy<\/a> above. <\/p>\n\n\n\n
About Soft TOTP MFA Enrollment<\/h3>\n\n\n\n
Soft TOTP MFA enrollment applies to TOTP MFA only. If there’s more than one MFA solution enabled, a user can select to enroll with an MFA solution that isn’t TOTP. After they finish setting up the non-TOTP MFA solution, they need to go back and enroll in TOTP MFA. If a user doesn’t enroll in TOTP MFA during the enrollment period, they are locked out of resources that are protected by TOTP MFA and you need to reset TOTP MFA for the user. <\/p>\n\n\n\n
Starting TOTP MFA Enrollment for Your Users<\/h3>\n\n\n\n
You can start a soft TOTP MFA enrollment period from an individual user account or with the More Actions menu.<\/p>\n\n\n\n
To begin a soft TOTP MFA enrollment period from an individual account<\/strong>: <\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select an existing user or create a new one. To learn how to create a new user, see Get Started: Users<\/a>. <\/li>\n\n\n\n
- Select the Details<\/strong> tab, then expand User Security Settings and Permissions<\/strong>.<\/li>\n\n\n\n
- For Multi-Factor Authentication Settings<\/strong>, select Require Multi-factor Authentication on the User Portal<\/strong>, then enter the number of days the user has to enroll in MFA. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To begin a soft TOTP MFA enrollment period from the more actions menu<\/strong>: <\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the users you want to be in the enrollment period.<\/li>\n\n\n\n
- In the top right, click more actions<\/strong>, then select Require User MFA.<\/strong> <\/li>\n\n\n\n
- From the Require MFA on User Portal<\/strong> modal, enter the number of days users have to enroll in MFA. <\/li>\n\n\n\n
- Click require<\/strong>. <\/li>\n<\/ol>\n\n\n\n
When you begin an enrollment period, users receive an email notification. The email lets them know how long their enrollment period is and gives them a link to set up TOTP MFA. <\/p>\n\n\n\n
Resetting TOTP MFA Enrollment for a User<\/h2>\n\n\n\n
If a user doesn\u2019t set up TOTP MFA and the enrollment period expires, the user is locked out of their account, and you need to reset their enrollment period. <\/p>\n\n\n\n
To reset a user\u2019s TOTP MFA enrollment period<\/strong>:<\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n\n\n\n
- Select the user from the Users list. <\/li>\n\n\n\n
- On the left side of the User Panel, select TOTP MFA expired<\/strong>, then click reset TOTP MFA<\/strong>. <\/li>\n\n\n\n
- Click save user<\/strong>. <\/li>\n<\/ol>\n\n\n\n
Viewing Users\u2019 TOTP MFA Status<\/h2>\n\n\n\n
You can view users\u2019 TOTP MFA status to monitor who\u2019s set up MFA, still in the enrollment period, and has had the enrollment period expired. <\/p>\n\n\n\n
To view a users TOTP MFA status<\/strong>:<\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER MANAGEMENT<\/strong> > Users<\/strong>.<\/li>\n<\/ol>\n\n\n\n
The Users list MFA column, which defaults to TOTP, shows you a user’s TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:<\/p>\n\n\n\n
- \n
- A user has enrolled sucessfully in TOTP MFA .<\/li>\n\n\n\n
- A user has not completed TOTP enrollment.<\/li>\n\n\n\n
- A user is in a TOTP MFA enrollment period (dates included). <\/li>\n\n\n\n
- A user’s TOTP MFA enrollment period has expired (expiration date included). <\/li>\n\n\n\n
- A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.<\/li>\n<\/ul>\n\n\n\n
You can also view a user’s MFA status in their user details.<\/p>\n\n\n\n
You can filter the Users list to show MFA status and requirement. See Get Started: Users<\/a>. <\/p>\n\n\n\n
Learn more in Resetting MFA Enrollment for a User<\/a> above. <\/p>\n\n\n\n
Looking at the User Workflow <\/h2>\n\n\n\n
<\/p><\/div>Note:<\/strong> \n- \n
- If you begin an enrollment period and a user already has set up MFA, they don\u2019t see the enrollment modal. <\/li>\n\n\n\n
- You can use JumpCloud Protect for Push MFA as well as Verification Code (TOTP) MFA. See JumpCloud Protect for End Users<\/a> for more information.<\/li>\n\n\n\n
- If you enabled Duo Security MFA, there\u2019s no additional setup for users, so Duo isn\u2019t part of the enrollment modal. <\/li>\n\n\n\n
- WebAuthn can\u2019t be the only MFA solution enabled. You need to enable Duo or TOTP with WebAuthn. See MFA for Admins<\/a> for more information. <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
When you begin an enrollment process, the following is what the user experience is like for a user who hasn\u2019t set up MFA:<\/p>\n\n\n\n
- \n
- The user will receive an email, or will get a prompt when they log in to the User Portal.<\/li>\n\n\n\n
- The user sees a Set Up Multi-Factor Authentication modal. If it\u2019s a forced enrollment, the user won\u2019t be able to skip it. If it includes a soft TOTP MFA enrollment, the user can skip it.\n
- \n
- If you enabled TOTP MFA as the single MFA solution, the user has to set up TOTP MFA.<\/li>\n\n\n\n
- If you enabled TOTP MFA and WebAuthn, the user can choose which MFA solution to set up first. By default, TOTP MFA is selected. Note<\/strong>: If the users sets up WebAuthn first, they need to go back and set up TOTP MFA. <\/li>\n\n\n\n
- If you set up Duo MFA and WebAuthn, the user has to set up WebAuthn.<\/li>\n<\/ol>\n<\/li>\n\n\n\n
- After an\u00a0MFA solution has been selected, the user clicks continue and sets up MFA. \n
- \n
- The user will be provided with a QR code and TOTP token that can be used to configure a qualified TOTP app (we recommend that users use the JumpCloud Protect app for TOTP).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Tip:<\/strong> \n
For backup purposes, we recommend that users copy and paste their TOTP key string below the QR code and store it in a secure location. This key can be used to reset TOTP MFA if a users loses their device with the TOTP token app.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nWhen a user’s enrollment is close to expiring, they are sent a reminder 24 hours in advance notifying them that their TOTP MFA enrollment period is about to expire. After their enrollment period expires, they are locked out of the User Portal until their TOTP MFA requirement is removed by an administrator or their enrollment time is extended. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/p><\/div>Tip:<\/strong> \nHere’s a guided simulation: User Portal MFA TOTP Login<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
- The user will be provided with a QR code and TOTP token that can be used to configure a qualified TOTP app (we recommend that users use the JumpCloud Protect app for TOTP).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n