- \n
- MacOS<\/strong> – JumpCloud password complexity requirements are enforced by the device. This means that any changes made to password settings will also apply to unmanaged local users of JumpCloud devices and not just for JumpCloud-managed users on the device.<\/li>\n\n\n\n
- Windows<\/strong> – JumpCloud password complexity requirements are enforced by the device. This means that any changes made to password settings will also apply to unmanaged local users of JumpCloud devices and not just for JumpCloud-managed users on the device.\n
- \n
- Local password complexity requirements are enforced for non-JumpCloud managed users on the JumpCloud-managed device only if all four password requirements are turned on in the Admin Portal.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Setting Length, Complexity, and Originality Requirements<\/h3>\n\n\n\n
To set password minimum length, complexity and originality:<\/strong> <\/p>\n\n\n\n
- \n
- Under Settings<\/strong> > Security<\/strong> > Password Settings<\/strong>, set the Password Minimum Length<\/strong> to the desired number of characters. <\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nThe minimum password length for new orgs is 12 characters by default. The minimum allowable setting is 8 characters.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, select one or more Password Complexity<\/strong> requirements to apply to all user passwords in your org. Users won\u2019t be able to create a password that doesn’t adhere to the complexity you specify. The options are that a password:\n\n\n\n\n
- \n
- Must include a lowercase letter.<\/li>\n\n\n\n
- Must include an uppercase letter.<\/li>\n\n\n\n
- Must include a number.<\/li>\n\n\n\n
- Must include a special character (including accented characters and symbols).<\/li>\n\n\n\n
- Must not be a commonly used password.<\/li>\n\n\n\n
- Must not include repeated or sequential patterns of 3 or more alpha-numeric characters.<\/li>\n\n\n\n
- Must not include the username.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
- \n
- Commonly used passwords include simple passwords like test123, cyber1234, name1234.<\/li>\n\n\n\n
- Here are some examples of sequential patterns that are not allowed:\n
- \n
- Secur3Passw0rd!111, Secur3Passw0rd!aaaa, Secur3Passw0rd!123, Secur3Passw0rd!ABCD<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save<\/strong> to implement your changes. A confirmation modal appears.<\/li>\n\n\n\n
- Users will need to comply with the selected requirements on their next password change. Click Apply<\/strong> to confirm.
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/07\/apply-new-password-req.png\")
<\/li>\n\n\n\n- If you prefer to set a custom date by which your users must update their password, click Custom Date<\/strong> and select the target date from the calendar. \n
- \n
- New users added before this date must adhere to the updated password requirements. If existing users reset their password before this date, their updated password must adhere to the new requirements.
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/07\/apply-password-reqs-custom.png\")
<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n- \n
- If users don\u2019t reset their password by this date, they may be locked out of their account and connected resources until they create a password that meets the new complexity requirements. <\/li>\n\n\n\n
- An email is sent to all administrators for your organization and their users to notify them of the change.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Setting Aging Requirements<\/h3>\n\n\n\n
- \n
- See Manage Your Password Expiration Strategy<\/a>.<\/li>\n<\/ul>\n\n\n\n
Setting Password Lockout<\/h3>\n\n\n\n
You can trigger account lockout to protect your managed devices. Account lockout is triggered from the User Portal and locks users out of the User Portal and device endpoints.<\/p>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nIf a user becomes locked out while they are in a session, they will remain logged into their account until they log out. Once the user logs out, they won’t be able to log back in until their account becomes unlocked. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Considerations<\/strong>:<\/p>\n\n\n\n
- \n
- If a user has forgotten their password, they can reset it from the User Portal login page. Users are encouraged to change their passwords from their device to avoid out-of-sync passwords. Learn more about Change Your User Portal Password<\/a>.<\/li>\n\n\n\n
- Password lockout doesn’t affect Google Workspaces or Microsoft 365 to accommodate self-service password reset via email.<\/li>\n\n\n\n
- A user account can\u2019t be locked out via persistent login attempts on a Linux device. Accounts will only lock out via repeated failed SSH attempts, or user portal attempts. <\/li>\n\n\n\n
- After a user account is locked due to failed login attempts, admins can restore the account in their Admin Portal. Learn more about Unlock User Accounts<\/a>.<\/li>\n\n\n\n
- You can configure the actions taken when a user is locked out for Google Workspace<\/a>, RADIUS<\/a>, LDAP<\/a> and M365\/Entra ID via the JumpCloud API. <\/li>\n\n\n\n
- Optionally, under Settings<\/strong> > Security<\/strong> > Password Settings<\/strong> > Password Lockout<\/strong> select one or more requirements for lockout, then specify the numerical details of each. Learn more about the options below:\n
- \n
- (xxx) failed password attempts until lockout<\/strong> sets the number of times a user can fail logging in before it locks the account from being accessed. <\/li>\n\n\n\n
- (between 5 – 90) minutes until locked account is automatically unlocked<\/strong> allows a user to log in to their User Portal without an admin\u2019s help. If you select this option, users will see an error message on the User Portal login screen prompting them to try logging in again after the specified amount of time has passed.\n
- \n
- Note<\/strong>: If you enable this option, users that are currently locked out aren\u2019t affected by this. If you disable this option, users that are scheduled to have their accounts unlocked aren\u2019t affected and their accounts are unlocked after 10 minutes. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- (between 5 – 1440) minutes until failed password attempts counter is automatically reset<\/strong> reduces the amount of lockouts by resetting the counter to zero if the specified amount of time has elapsed since the last failed login attempt.\n
- \n
- Note<\/strong>: This is checked by default with a set time of 30 minutes until the counter is reset.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click Save<\/strong> if these are your only changes.<\/li>\n\n\n\n
- Duo (an MFA factor) failed attempts are not counted towards the total that would lock a user out of their JC account.<\/li>\n<\/ul>\n\n\n\n
Setting Password Reset Options<\/h3>\n\n\n\n
When MFA is enforced through a conditional access policy for users accessing the JumpCloud User Portal, but they have not yet enrolled in an MFA method, select Allow users to reset their password without MFA enrollment<\/strong> to allow users to be able to reset their password and prevent lockouts. On successful password reset and login with the new password, they will be prompted to set up MFA.<\/p>\n\n\n\n
Password Recovery Email<\/h2>\n\n\n\n
Users can reset their passwords with a different email than their organization email. Password resets will go to both email address and resetting from the recovery email requires MFA. This address is editable from the JumpCloud User Portal.<\/p>\n\n\n\n
To enable Password Recovery Email:<\/strong><\/p>\n\n\n\n
- \n
- Under Settings<\/strong> > Security<\/strong> > Password Recovery Email<\/strong>, click Enable\/Disable Password Recovery Email for users<\/strong>.<\/li>\n\n\n\n
- Click Save<\/strong> if these are your only changes.<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nWhile an admin can define a recovery email for a user, the user will need to verify it in their User Portal > Profile > Recovery Email before it can be used.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
<\/a>Enable UID\/GID (User ID)<\/strong><\/h2>\n\n\n\n
A User ID (UID) is a unique value assigned by a Unix operating device to each user. Users are identified to their device by their UID, and usernames are generally used only as an interface for humans. The UID\/GID and other access control criteria (POSIX) determine which device resources a user can access. The JumpCloud Agent provides a method for manually assigning the UID and GID information for users within the JumpCloud Administrator Portal.<\/p>\n\n\n\n
Considerations:<\/strong><\/p>\n\n\n\n
- \n
- UID and GID management for users won\u2019t handle conflict management in scenarios where a UID or GID already exists on the devices. This functionality expects that any existing UID and GID assignments with the device are known, and a unique identifier is provided within the JumpCloud configuration.<\/li>\n\n\n\n
- Duplicate UID\/GID values are generally not recommended.\n
- \n
- A variety of problems can result from duplicate UID\/GIDs, such as a failure to bind users to devices.<\/li>\n\n\n\n
- JumpCloud doesn\u2019t prevent you from creating duplicate UID\/GID values and won\u2019t give a warning when you create duplicate values.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Duplicate entries aren\u2019t the same as UID\/GID conflicts, which will appear as configuration alerts<\/a>.<\/li>\n<\/ul>\n\n\n\n
- Click Save<\/strong> if these are your only changes.<\/li>\n<\/ol>\n\n\n\n
- Click Save<\/strong> if these are your only changes.<\/li>\n\n\n\n
- (between 5 – 1440) minutes until failed password attempts counter is automatically reset<\/strong> reduces the amount of lockouts by resetting the counter to zero if the specified amount of time has elapsed since the last failed login attempt.\n
- (between 5 – 90) minutes until locked account is automatically unlocked<\/strong> allows a user to log in to their User Portal without an admin\u2019s help. If you select this option, users will see an error message on the User Portal login screen prompting them to try logging in again after the specified amount of time has passed.\n
- If a user has forgotten their password, they can reset it from the User Portal login page. Users are encouraged to change their passwords from their device to avoid out-of-sync passwords. Learn more about Change Your User Portal Password<\/a>.<\/li>\n\n\n\n
- See Manage Your Password Expiration Strategy<\/a>.<\/li>\n<\/ul>\n\n\n\n
- Users will need to comply with the selected requirements on their next password change. Click Apply<\/strong> to confirm.
- Click Save<\/strong> to implement your changes. A confirmation modal appears.<\/li>\n\n\n\n
- Secur3Passw0rd!111, Secur3Passw0rd!aaaa, Secur3Passw0rd!123, Secur3Passw0rd!ABCD<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- Optionally, select one or more Password Complexity<\/strong> requirements to apply to all user passwords in your org. Users won\u2019t be able to create a password that doesn’t adhere to the complexity you specify. The options are that a password:\n\n\n\n\n
- Under Settings<\/strong> > Security<\/strong> > Password Settings<\/strong>, set the Password Minimum Length<\/strong> to the desired number of characters. <\/li>\n<\/ol>\n\n\n\n
- Windows<\/strong> – JumpCloud password complexity requirements are enforced by the device. This means that any changes made to password settings will also apply to unmanaged local users of JumpCloud devices and not just for JumpCloud-managed users on the device.\n