Showing results for 
Search instead for 
Did you mean: 
Iron II
Iron II

Many platforms require different components or add-ons so that MFA will be available to secure all of your resources. JumpCloud is different. 

Through the JumpCloud open directory platform, MFA can be implemented environment-wide, all from the cloud. This reduces administrative overhead and the expense of standing up servers or needing additional subscriptions (on top of what you’re already paying for). 

JumpCloud leverages the best technologies that are available on devices from biometrics and security keys to TPM/Secure Enclaves for modern authentication if you deploy JumpCloud Go for managed users/devices. FaceID and Windows Hello are automatically leveraged, if they’re enabled.

Demo Overview

Let’s begin by setting up TOTP, which is useful for when there’s limited connectivity or as a backup method. You can specify the enrollment period for a soft rollout for existing users. 

Push MFA is usually more user friendly, i.e. accepted, and we provide JumpCloud Protect app for free on Android and iOS to accommodate that requirement. We’ll show you how to set it up.

We’ll also share some tips and resources for a smooth deployment.

Let’s face it: you can face some resistance when you’re doing this. Traditional MFA can lead to user fatigue, which bad actors have taken advantage of when they’re attacking organizations. That’s why we also provide phishing-resistance with JumpCloud Go, a hardware-bound credential that secures your endpoints but is easier on users. We cover Go in another walkthrough, but it’s worth keeping it in mind as an option for cross-OS modern authentication.


Not every step here is necessary to complete this tutorial. However, if you want to experience your evaluation of this (and other) feature as if you’re implementing the product, we recommend the following:

To complete this tutorial, we recommend that you have completed the following walkthroughs (or have set up your instance with the appropriate assets on your own):

Demo Walkthrough

Step 1: Prepare and Support Your Users

It’s important to have a plan. Learn about how to handle pre-rollout, implementation, and ongoing use of MFA in your organization. It may surprise you that the people may be more challenging than the technology.

JumpCloud offers training for both IT admins and end users; end-user training includes a course, guided simulations on user enrollment and user login, and support documentation to help users familiarize themselves with the tool, see it in action, and go back and reference support material when they get stuck. 

Resources: 5 Human Challenges To Implementing MFA

Step 2: Require TOTP MFA for Users

To begin a soft TOTP MFA enrollment period from the more actions menu: 

  • Log in to the Admin Portal:
  • Go to USER MANAGEMENT > Users.
  • Select the users you want to be in the enrollment period.
  • In the top right, click more actions, then select Require User MFA. 
  • From the Require MFA on User Portal modal, enter the number of days users have to enroll in MFA. 
  • Click Require.

Optional: Forced MFA Enrollment

If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy.

Simulation: User TOTP MFA Enrollment

Resources: MFA for Users, Authenticate to RADIUS with MFA, Configure MFA for LDAP, Configure SSH Settings

Step 3: Choose Other Authentication Methods

Push MFA

To configure Push MFA for your org:

  • Log in to the Admin Portal:
  • Go to Security Management > MFA Configurations. 
  • In the JumpCloud Protect Mobile Push area, select Enable. 
  • To require biometric User Verification, select Never, If Enabled on the Device, or Always Required from the dropdown.

Simulations: JumpCloud Protect User Enrollment, JumpCloud Protect User Login

JumpCloud Go™

JumpCloud Go enables secure passwordless authentication to JumpCloud-protected web resources on managed devices. Users can verify their identity using device authenticators with biometrics (Apple Touch ID and Windows Hello) versus password sign-in challenges. This improves security by simplifying the user login flow, reducing MFA fatigue, and minimizing password use. JumpCloud Go authentication also satisfies any User Portal MFA requirements.

JumpCloud Go provides instant revocation when a user status changes from “active” to “suspended”. That’s possible because the Open Directory platform has integrated identity and device management.

Tutorial: Using JumpCloud Go

Resources: Enable MFA for Admin Portal, JumpCloud Protect for End Users, Get Started with JumpCloud Go

Bonus Simulations

Experience the user experience for yourself before committing to a deployment. This will make it easier for you to support your users and ensure that your project goes smoothly.

Simulation: User Portal MFA TOTP Login

Simulation: User Portal MFA WebAuthn Login

Simulation: Mac MFA Encryption Login

Simulation: Windows MFA Password Reset

Simulation: Windows MFA Login

Simulation: Linux SSH MFA Login

Final Results

It’s important to use MFA as broadly as possible. You’ve learned how to meet that objective using JumpCloud and how JumpCloud streamlines MFA deployments to all resources. MFA doesn’t do organizations any good if it’s not being used. We make it easier to use. Everywhere.

Get prepped now

JumpCloud Protect can be used to log into the Admin Portal, User Portal, or devices (Windows, Mac, Linux). Before your users can use the JumpCloud Protect mobile app, you, as an administrator, must enable it.