urvashi
Community Manager

Key Takeaways

  • Self-Service Account Provisioning enables users to create and manage their own accounts, significantly reducing the administrative burden on IT staff. By employing this feature, organizations can expedite the onboarding process for new users, making it more efficient and user-friendly.
  • Self-Service Account Provisioning settings also provide default options to ensure that users have the appropriate level of access and permissions.
  • The Help Center Article offers a well-structured guide on getting started with Self-Service Account Provisioning, providing a solid foundation for those new to this feature.
  • The Tutorial takes a deeper dive into Self-Service Account Provisioning, ideal for individuals looking to expand their knowledge and utilize this feature to its full potential.
  • There's a wealth of information available in the community post, where Scott answers countless questions. It's a fantastic resource for anyone looking to understand the nitty-gritty of Self-Service Account Provisioning. Engaging with the community post also gives you the opportunity to ask any further questions you may have and interact with other individuals who are exploring or have already adopted this feature.

 

Introduction

Scott Reed, Senior Product Manager at JumpCloud, delivers an exhaustive Q&A session on Self-Service Account Provisioning (SSAP) during the IT Hour, addressing a myriad of queries from the basics to more complex scenarios. Leveraging his substantial expertise in corporate IT, Scott elucidates how SSAP empowers users to create and manage their own accounts, significantly alleviating the administrative load on IT personnel.

Through the Q&A thread, not only does Scott explain the theoretical underpinnings of SSAP, but also provides practical insights based on real-world queries from the audience, reflecting his extensive experience. His responses highlight the feature's potential to expedite the onboarding process, enhance security, and ultimately modernize the user management experience within contemporary organizational IT frameworks.

You can find the full video recording here: The IT Hour | Self Service Account Provisioning 10.13.23

Speakers

Scott Reed, Senior Product Manager, JumpCloud

Becky Scott, Head of Community, JumpCloud

Transcript

Scott Reed:

And let's start getting into any and all of the questions.

Toggle On/Off Experience

Becky Scott:

Okay, so this is kind of a long one from Keith. “Scott, I want to deploy this, but the new login window troubleshooting section gives me pause to deploy it and it's Get Started: Self-Service Account Provisioning. Question: What do I do if someone can't log in? Answer: turn off new login window experience. What's the edge case? Should we expect to have to toggle it on and off globally?”

Scott Reed:

It can only be toggled on and off globally. And again, we at JumpCloud had two instances where developers had modified their devices in very, very curious ways, and we resolved both of those issues. Additionally, since making the changes, we have not had any reasons to toggle on and off but know that that's there, that is there and recognize the point that I made about when toggling it on and off, you're not changing the experience for any users other than ones that are at their login window. 

So this is a percentage of time people on their computer is like less than 0.1%. You're at your login window again when you restart after that, you're seeing the screen wake and this new login window has no impact on that screen wake screen, which is what I see every time I sit down at my work computer. The only time I see my login window is when a patch policy forces my device to restart, and you only actually see it if you're enforcing two-factor authentication after that, because we'll pass through from that FileVault Disk Encryption screen, making an assumption that everyone has encrypted drives, all the way to the login.

“Were the issues resolved by fixing the machines or updating the code?” Combination. There was a really weird host file that didn't make any sense to anyone and it was amazing to me that that computer even worked. So that was one of 'em. And then the second one was an agent connectivity thing. Long story short, there's no dependency on the agent being running now to get logging into your device and that was a known issue that again, we were, as we dog food things, we assumed that risk for our organization. So I have very, very high confidence that this toggle on and off, it's like that emergency exit on a plane, the handle's there, very rare and hopefully never that you have to use it.

Global Setting Edge Cases

Becky Scott:

I'm seeing a couple of comments on this global thing that I'm sure you're seeing too. “I'd love for group-based enablement versus everything always being global. Global feels risky for new features” and “I have a problem with this global setting, it should be per group so that it can be tested. I have lots of stories with edge cases.”

Scott Reed:

Yeah, totally hear that feedback. The way that accounts can turn this on, the recommendation is that if you want to test it, let's get you set up. If you don't have it with the sandbox JumpCloud production environment, the 10 users Free Forever was a mantra that existed until we made some changes to our signup flow. Where very often, this was turned on inside of an org, a sandbox that was outside of their production org. 

We can totally take that feedback of enabling things globally, but the net is that the value here is for all your users. We're building these features with confidence. They work. We don't want questions in, well, it only kind of works. These work. We are building strong valuable features that work globally and that is the intent for why they're global features. We have the utmost confidence in the features that we build and the value that they can deliver to you and your employees.

Setting for Standard or Administrator

Becky Scott:

Yeah, Jeff has an interesting comment about “The setting for standard or administrator on the setting screen gives me pause. I don't want to accidentally lose the ability to admin my own laptop.”

Scott Reed:

So again, remember this is for new account provisioning, and this is making a choice to say when a user is adding their account to their device, what is the default? After that being a JumpCloud admin, any toggles can be changed to promote a user to administrator. Additionally, the flag “Global Admin” on a user, “Global Sudo” on a user for any of their associations will promote any user to an admin regardless of if that default is set to standard. So we have a least privileged model that allows you to make intentional choices on who is an admin and if you as an admin have multiple devices you want it to be down to just give yourself that Global Admin Sudo and don't worry about it, you'll be an admin everywhere all the time, all at once regardless of the binds.

New User Configuration

Becky Scott:

Josh is asking “Is it possible to have a new user configure their password for the first time from this screen?”

Scott Reed:

Not yet, but I love that idea. As we talk about what's coming, we're thinking about how the device can be the onboarding flow to get users to set their password. There's a number of immense benefits here, not just for new account creation but really for a term that we call takeover, where oftentimes the people on this call we're JumpCloud customers. We've gone through the process of onboarding to JumpCloud. When you onboarded to JumpCloud, there was a takeover process that had to occur to get existing devices onboard JumpCloud and existing local accounts onboarded to JumpCloud. That takeover process is all admin-led right now where an admin binds a user to a device, the usernames of their JumpCloud account matches the local account, and their account is taken over. That process can get better for the end user experience because that takeover process sends a password change inbound, and in sending that password change inbound, it can blow away Windows credentials and also it can reset the keychain if the user doesn't know what their old password was when doing that takeover. So asking your question about having users set passwords from their devices, yes, and we are looking at it not just for new accounts but also for the takeover flows so that we have a much more seamless experience for users’ first impression of JumpCloud when an organization is onboarding.

Old Accounts vs. PINs

Becky Scott:

Very cool. Brandon wants to know “How will old accounts happen for PINs, previous JumpCloud managed accounts not having PINs.”

Scott Reed:

You can go into login options in Windows and set a PIN. You can go into login options in Windows and set up a biometric. There's some questions about, oh, PINs don't work with JumpCloud MFA. It's not exactly true. The way that we've implemented MFA at the login window is that you can't use a PIN as a primary authentication method. At the login window with JumpCloud MFA enforced it's a password plus one of the other MFA authenticators that we have, be it Push or TOTP. Inside of an active Windows session, a PIN can be used to do things like authenticate and step up for administrative actions. But, I want to highlight that there were some questions or uncertainty about how JumpCloud supports a PIN, and truthfully it's going to come back to now what JumpCloud Go enables where JumpCloud Go looks at local device authenticators for daily verification and local device authenticators can be any of the ones that are set up.

Password is what JumpCloud sets by default. You see us now doing password and PIN with this flow as I demonstrated here. And what's most seamless for users and most secure in terms of the user experience, is getting to that inheritance factor. Whether it's doing Windows Hello with face or Windows Hello with touch, that's the most seamless user experience. And again, why that matters now and why we're talking about it now is that's what JumpCloud Go unlocks. You're using your local device authenticator to prove that you're there to authenticate and unlock your device in your sessions, and that's why we're making steps to make getting to that biometric easier.

Yes, Michael, I, too, am very excited about the takeover flow, and we're starting to think about different words, right? Takeover, it's kind of an angry word, right? “We're going to take over the land”. Migration is what we're looking at making intentional, make migration intentional. A user starts a migration, and if something fails, they're not locked out from their account; they can still use their account until they try that migration again. Takeover can lead to some poor results for users when you take over the account, and then the user says I can't get into it. So in addition to this, I'm very keen on words. We want to make administrative actions intentional. 

Accounts and Devices Tabs

So what you'll see coming out next year is right now, there's a Users tab on the Devices side. We're going to bring an Accounts tab to the Devices side where the Accounts is going to accurately display all the information of all the accounts that are on the device and highlight which ones are JumpCloud managed, which ones aren't, which ones are active, which ones are suspended.

The Users tab makes a ton of sense in other parts of JumpCloud. For example, on the user groups tab, right? Which users are in this group? When we think about a device and how a device lives in the real world and when you're onboarding a device to JumpCloud, maybe for the first time, you might have no idea which accounts are on there. Bringing that Accounts tab front and center to show you what's there, I'm super excited about bringing that. And then the other keen thing that an Accounts tab brings in is it makes actions intentional. Where right now you do a bind and one of two things happen - you either take over the account or provision a new account.

We want to give you absolute certainty when you're doing a device identity administrative action - Will you be provisioning a new account? Is that what you wanted to do? Or will you be taking over a new account? So very, very excited to work towards that vision where migration is a word you're going to be hearing from us where a user is migrating an existing local account to JumpCloud, and that's going to be very clear and apparent for both the user and for you as the admin.

PIN Login Logs

Becky Scott:

Very cool. Another PIN question, Luke wants to know if PIN logins are going to be logged in Directory Insights.

Scott Reed:

I will have to put a thread into that. Right now, I'm thinking about how Directory Insight events are decorated in terms of the metadata, and a login is a login as a login. So let's put a pin in that because that's a great highlight to call out understanding how users are logging in. I'll take that back to the team for discussion, but right now, a login is a device login, and it is not saying which authenticator was used.

Additional Users in the Provisioning Flow

Becky Scott:

Okay. Then “In the provisioning flow would that apply to additional users wanting to log into that device? Meaning would any JumpCloud user be able to log in on that device?”

Scott Reed:

So right now, there's a global rule that says the “Sign-in with JumpCloud” button shows up when there are zero managed users. I had the pleasure of joining some of our executive team on the campfire sessions and talking about these features before we release them. One of the key things that popped up was the IT admin saying, “Hey, we want that button to be there regardless of how many managed users are on the device”. And their reasoning was “Users only know their JumpCloud credentials. If I get physical access to that device, I want to be able to add my account to it because I'm an admin, and I need to do something on that device.” That was one perspective, and another perspective was “This opens up the computer lab use case for us. We have multiple users, multiple devices, and we want users to be able to walk up to any device in our computer lab and add their account to that device. They only know their credentials, they don't know anyone else's credentials, and we're going to default it to standard.” So that would be a future increment that I have confidence that we will deliver. I can't give you a timetable on it yet, but it's not large. 

To give you the option inside of org settings to determine, I should probably take your feedback, right? Not globally, but probably per device via device group, per device, not globally, which devices have the ability to keep that button so any user with a valid set of credentials for your organization can add their account. Kind of goes without saying, but I don't want to make any assumptions. Directory affinity. Only users with a JumpCloud valid username and password for the org that that device enrolled in can add their account to their device. I couldn't walk up to one of your computers, sign with my valid JumpCloud account, and add my account. It requires that affinity between the device that's managed by this org and the user account in this org.

Naming the Computer

Becky Scott:

Gotcha. Alright, next one. “Will this Provisioning Package have a way to name the computer as part of that process? So it's not a random name. We use asset tags as part of the name.” So Steven's asking that one.

Scott Reed:

So I'm a huge believer in trying to unlock opportunities in the most intentional way possible. Provisioning packages, you could build it today. So you could download the Windows Imaging and Configuration Designer tool today and build a provisioning package and have a script that installs the JumpCloud agent. But that takes time, expertise, and understanding all the steps it would take there. The way that we'll be bringing Provisioning Packaging to market is we'll be giving you the XML to do the needful and enroll that device into JumpCloud MDM. From there, you can do whatever you want inside a provisioning package. You can unlock an immense amount of value in naming computers, which is one of the things that's in there. One of the things that I want to highlight for the Provisioning Package that every organization's going to have a choice to make is what is the local account that gets created so that you skip the setup screen using a Provisioning Package.

And oftentimes, in organizations, this is like the backdoor admin account, but you'll have a choice as an organization to make with your Provisioning Package to create that account and do other things like do you want to update the name? Do you want to install other applications? Provisioning Package, we're just touching the tip of the iceberg to enrolling the device for the MDM, but there's an immense amount that technology can do and what you can do to customize the provisioning package that you use. It all comes down to putting that file onto a flash drive. But what's in the XML of that file? It's totally up to you guys.

Self-Enrollment Returns with Removal of All Managed Users

Becky Scott:

Awesome. And I think you already said this, but just to get it on record for Brandon, “If all JumpCloud managed users are removed from a machine, does self-enrollment come back?” And I believe you demonstrated that.

Scott Reed:

Yeah, totally demonstrated that you remove it, go back to zero Managed Users, it shows up again.

Disabled PINs

Becky Scott:

Yeah, and let's see another one from Brandon - “If we have PINs (Windows Hello) disabled by a group policy, how will this conflict with a new login screen creation flow?”

Scott Reed:

Great question. Let's put a pin in that and circle back to that, but if it's disabled… I don't have that on the tip of my tongue. Okay.

Temporary Logins

Becky Scott:

No pun intended with the PIN, putting a pin in it. A couple of really good comments too. So Jeff had said “For labs, having a temporary login for a user would be great. So you have to sign in via JumpCloud each time, and it also keeps the login screen clean.”

Scott Reed:

Yeah, get creative, get creative with commands, get command creative with scheduling. Again, these are all things that are possible, for better or for worse, using automations to get there. I know that there's a number of organizations that have incredible automations that are far outside the realm of what we have configured for click actions, but from the APIs that can manage Device Associations to commands that can clean up accounts after that. 

One thing that I'm very, I just want to draw a line in the sand, is that JumpCloud does not delete user data. So when you unbind an account from a device, right, that puts that account in a suspended state. We are not in the business of deleting data. So if you wanted to get that device back into a state where the user could add their account again, there would have to be a cleanup command that would be run to delete that account from the device. That doesn't happen organically through just a disassociation between a user and a device.

Admin User Exception

Becky Scott:

Gotcha. And Steven says “We have an admin login that is shared between all computers. So it would be nice just to have that user as an exception.”

Scott Reed:

So that's kind of where we have what I would say is our best LAPS solution right now where a device group and a user group where that device is, there's one user in the user group, that admin account, and all of the devices are in the associated device group gets you with that admin account on all your devices. Now the “Sign-in with JumpCloud” feature would give you the ability to create that account on demand. The bottom line is on-demand versus having it there, you have the ability to have it there. The on-demand is what we're talking about. And the point I want to make is that depending on the scenario, right?

When I had these campfire sessions and organizations said, “Hey, we want that button to stay there. Doesn't matter.” The reason why they were saying that is because users only knew their credentials and they were only going to, that button is useless to them on that device. They already have their account there, they're not going to add it again. So my question to ask would be, are you in scenarios where you would basically want to have that button persist but be able to control which accounts could authenticate to it, recognizing that you don't want other users to walk up to other people's computers and add their accounts, you just want your admin account there. Is that the use case?

Force to a Specific Hostname

Becky Scott:

Yeah, we'll have Stephen try to answer that in the chat. And then, while he's doing that, Luke said, “In our exploration of Provision Packages, you are limited with hostname structures, meaning we've not seen the ability to prompt for input. There are some variables available, but I've not seen an option to force to a specific hostname.”

Scott Reed:

Yeah, I've poked around it too. I think it has serial number kind of hard coded, and then there's an incremental integer with a string. I really want, and I've been advocating for us, to just kind of put in those default commands where you can update the device's hostname just by typing it in so it stays in sync with the display name. I believe in our commands template gallery, you can see how to do that with commands. But that is a multi-step process where we could easily make that more intentional. So I hear you there. The provisioning package, we're at the mercy of what our overlord Microsoft offers. The net is that hostnames getting a hostname updated, you can do it with commands, but we should absolutely be able to make that easier for you. And the Provisioning Package is just one way to update the hostname after that device exists. You can use commands for that. And again, I want to make that easier for you guys.

Becky Scott:

Yeah, and Michael, your comment about the Provisioning Package, creating a local admin account and random password, you say that would be nice. I hope that you are putting in a feature request for that. Hint hint.

Feature Requests

Scott Reed:

That. Yeah, the more feature requests you guys can put in for the LAPS use case, I feel strongly that LAPS is something that we can invest harder in, and I am looking to the community to help rally around what you're looking for and what features you need. But that local admin password solution, Microsoft is improving this and Microsoft Entra, how those are set, how those are stored, how those are rotated. Again, anything's possible in an open directory with open APIs, but the LAPS solution right now for us is, as I talked about, the single account to all devices, and then the reality is there's one password for all those accounts on all devices. So feature request, feature request, feature requests, we hear you guys. The data to back it, you give it to us in those feature requests.

When Will the Provisioning Package Be Available?

Becky Scott:

Absolutely. And Urvashi just posted the link to the feature request site in the comments, and you can do it from your console. So when you log to the JumpCloud, you can do it there too. And Matthew is saying, “When will that Provisioning Package/flash drive be available?”

Scott Reed:

I'm going to stand on it and say before the end of the year, I'm standing on that, and I will keep the pressure to do everything in my power to help that delivery come to fruition.

Becky Scott:

Nice.

Scott Reed:

More than seeds are planted, the tree is growing, we're waiting on the fruits.

Schedule Command Nightly Cleanup Script

Becky Scott:

All right, awesome. And Jeff says that “The cleanup script each night through schedule command. Great idea.” Agreed.

Scott Reed:

Yeah, commands are amazing. Commands are really, really amazing. And there's some cool stuff in commands. Let me see if I can find it in the API docs. You can make commands unique for each device. You can put payloads in the JSON of commands. Inside of the JumpCloud PowerShell module, once upon a time, there was an Invoke-JC command deployment that I wrote way back when with a new deployment template. So there's some really, really powerful stuff that you can do with commands. So inside of this link, navigate to the command functions and dig into those Invoke-JC command deployments. Again, this shows you how to do it in PowerShell, but it's just the API. Anything the module can do is just using our API, and it can be integrated in any other language. PowerShell was just the tool I was familiar with using as a former IT admin and humble brag, yes, I created the PowerShell module way back when. So much of the code in it is still the initial commits I made.

Share Your Commands

Becky Scott:

And I would love to see y'all share in the community how you're using these things. Share which commands you're using and how you're doing them, in the community, and help each other out. I mean that's what we would like to see. If you've got an idea or you don't know which one to use, ask. And if you're using one to great effect, then let other people know.

Trust On First Use (TOFU)

Scott Reed:

So let me jump on Luke's question. So we love acronyms here at JumpCloud. We love acronyms and when we were developing the new login window and Self-Service Account Provisioning, one of the acronyms, Luke, was TOFU - Trust On First Use. Inside of Zero Touch for Apple Business Manager and onboarding a device, same thing for a Microsoft Azure AD Join out of the box, it's a one-time action. You take a box, let's go the Microsoft route, you take a device out of the box in Microsoft, you sign in with a Microsoft account, you provision that account to the device. It's a one-time action. Self-Service Account Provisioning is the same. When there are zero managed users on the device, any user in that organization can add their account to the device, and that's a one-time action. After that, it's not available anymore. 

So that Global Toggle is only going to present that button to “Sign-in with JumpCloud” on devices with zero managed users, and only on those devices with zero managed users can a single user add their account to that device after that button's gone. So again, Trust On First Use was the term that I think wraps up how this works in the industry where with Apple Business Manager, a zero-touch enrollment flow, you sign with your work account, you add your work account to your device, that is a one-time action. Does that make sense?

Time Zones and Sending Commands to Bulk Amounts of Machines

Becky Scott:

Alright, so there was one other thing from Brandon. “Has anyone had issues with sending commands to bulk amounts of machines?” 

Scott Reed:

We've got a queue, you can see what's going on. What I know from my time testing with commands is some of the “gotchas” there - devices have to be online. We now have a queue. So if devices aren't online, they'll get those commands when they come online, you can see the status of that queue. But ultimately, the biggest room for opportunity that we still have in the platform is looking at command results. And the best way to do that right now to actually see the output of those results is through our API. It's a click per result to see the details of the result. But that makes reporting a little tough. 

But generally, sending a ton of commands to a ton of devices, recognize that devices have to be online to get those commands. They are sent incrementally through a queue. So it's not like a shotgun blast all at once. It's more of a queued, think like a Pez dispenser, shooting really fast, sending those commands to devices, and then reading the results; the output is a bit harder. Additionally, reoccurring commands run at the scheduled time of the time on the device. So time zone issues can come into play and be confusing.

Becky Scott:

Brandon saying “Biggest issue is I have a reoccurring command that is sometimes running, but sometimes not on certain machines.”

Scott Reed:

Time zones is what I would dig into because it's going to be the schedule for when that runs will be based on the time zone of that machine. And that's a fairly big “gotcha” where we think that's global, but it's not. So if you schedule it for 10:00 AM it's 10:00 AM local time of that machine. So if the 10 machines all with different 10:00 AMs, you're going to see those results come back incrementally based on the 10:00 AM of those machines.

Becky Scott:

Okay, and Luke said “Yes, but” so…

Building Out Incrementally

Scott Reed:

Exactly. So that's the “yes but”. The “yes but” is, listening to you guys is the feature to keep that button there does not exist. Right now, “Sign-in with JumpCloud” is singular. Trust On First Use. It's a one-time action for provisioning a single account to a device when there are zero managed. The incremental feature that we're ideating on as a group is - what if we want to keep the button there. And my listening from you guys is don't make that global, make it a toggle per device first, and then per device group would be an evolution of that. Being able to toggle that attribute. And where my head goes is a future increment would be able to do inclusions or exclusions just thinking about how things get built incrementally.

Becky Scott:

Or maybe, at the very least, how we've done where we have early groups where you do a small group of users and get them in there first, make sure it's working. The people that are more able and willing. To have an early testers group before you then start to roll it out, and rolling out more groups globally or something like that. Just where it's not all or nothing, I think is what I'm hearing.

Scott Reed:

And toggling Self-Service Account Provisioning on for Windows in an organization that's using JumpCloud and onboarding today will change nothing about the user experience for users. If they have a managed account on a device, there's no change. That button won't show up, there's nothing there. So no change at all to the user experience. Again, it's really just for getting closer to zero-touch onboarding workflows. So my strong belief is that turning this on, it's going to add value to the next Windows devices that you onboard and hopefully take away that step where you're having to add users to devices. It'll get you closer to a stack of MacBooks ready for your users and a stack of Windows ready for your users, and you just have those ready to roll for anyone and just ship them out.

Becky Scott:

Awesome.

Scott Reed:

I hear Luke, I'm going to address that. That is exactly my vision, Luke. Everything should have defaults and then have, not exclusions, but rules, and then be able to prioritize those rules. So that is exactly what I'm advocating for.

Becky Scott:

Yeah, that would be awesome. And then, to follow up on Brandon, because we keep hopping back and forth between Brandon and Luke, Brandon was clarifying that the commands are not running, not something delayed. So he's going to open up a ticket to dig into that more. Since it wasn't the time zone, it doesn't seem to be the time zone thing. So we're good there. And Michael's saying that “Windows sign-in will be a huge time saver. Totally awesome.” So, great to hear that Michael.

Scott Reed:

Taking a screenshot and sharing that with the team right now.

Becky Scott:

Absolutely. And I think I saw, oh, Brandon said, “Scott, the Windows sign in with JumpCloud might actually fix one of our main “gotchas”. Thanks so much for you and your team's work.” So you should grab a screenshot of that one too. Awesome. Keith says, “TOFU plus ignore specific bound admin accounts”. So one option of that. Luke says, “I get that Agile goes to a quick win with global, but as a user admin, global as default first choice is terrifying”. Yeah, we hear you. We hear you Luke, we hear you on that one. And Rob wishes he has more than one Windows machine, so he could test this out. 

Testing with a Global Default

Scott Reed:

I guess what's nice in testing, well, for better or for worse, the testing with a global default is having a sandbox org, and we can absolutely help you get that sandbox org for your organization. You have a different production org. We use the term inside of JumpCloud that our organization that all of our work devices are on is dog food. Well, I have what's called the cat food org, which is my production organization, real devices. That is my org that you saw me just demoing in. We can help you get those cat food orgs for your organization. And then from there, because this feature is not dependent on MDM enrollment, it's much easier to test on Mac devices where you can install the agent and don't have to go through the wildness of serial number spoofing to get them enrolled to turn that on. So there's opportunities for us to help you make it easier to test with those global settings. I hear you loud and clear from those global settings, but I want to give you guys confidence that we build global settings because these features are thoroughly tested, thoroughly QA’d, and they're ready for prime time. And I want to essentially try to make your lives easier with an easy button and give you optionality where that optionality has opportunity to expand. But loud and clear. We can always do better, and we will do better in giving you that optionality.

Becky Scott:

And we really do appreciate the feedback. So thank you for letting us know and telling us what you're looking for and what works and doesn't work. That really does help us a lot. Luke says “Sandbox makes sense, but for large multi-country org deployment, global is still scary. Don't hate me, Scott.” 

Scott Reed:

Don't hate you. Yeah, of course I don't hate you, but I hope I've demonstrated that toggle on and off so that you know that you've got that to back you. Demonstrated multiple times. And again, as we went through a multi-month dogfooding of this new login window, we actually early on had to do that global toggle. And remember the login window, we do not see it that often, right? The login window is something that we only see on our Mac and Windows devices when we restart or intentionally sign out. And kind of the design of everyday things, the way people work, people aren't starting their days often with restarts anymore. They're starting their days with touching their finger on the device from the screen lock screen to get back into their computer.

Apple System Provision via ADE

Becky Scott:

And I know we're over time. One last thing from Nathan, “Sorry if I missed this, but for newer refreshed Apple systems provision via ADE, does that existing process change?”

Scott Reed:

It doesn't. The thing that would change for them is with ADE, the account gets added during the enrollment, and then they'd see the new login window, and they would see their JumpCloud managed icon. There would be no button there to sign-in again because they'd provision their account, but it would show them the new login window. And with ADE, they would be connected to wireless, so they wouldn't have to connect to wireless from the login window. But you would see with ADE now - unbox the device, choose a language, MDM enrollment, sign in with an account, that account gets provisioned. Then you're at the new login window, you click on your account, and you sign in.

Becky Scott: 

All good. Jonathan says “It is now safe to turn off your computer.” I think that’s the perfect spot to end this Friday the 13th. You did it! You got through the demos on Friday the 13th, with blatantly tempting the demo gods. So thanks for joining us again Scott. Lots of great questions today, really interactive and everyone really going all in on this. We will see you next week. Enjoy your weekend everyone, we’ll see you soon.

Last update: 11-30-2023 08:12 AM