This article includes details about OS compatibility, installation requirements, and changes made to your device during installation of JumpCloud’s agent. Use this information to perform these tasks:
- Make sure you’re using a supported OS before you install the agent.
- Find the files and directories used during installation to troubleshoot issues.
- Verify files and directories are installed correctly before you contact Support.
You can review our prospective end of support timelines in Prepare Now for End of Support.
Note: JumpCloud supports iOS devices, such as iPhones, iPads, and Apple TVs, but the JumpCloud agent is not installed on those devices.
Mac
Supported macOS versions
- Big Sur 11.x
- Monterey 12.x
- Ventura 13.x
- Intel and Apple Silicon devices are supported.
Considerations
- For Macs running macOS Monterey and later, the JumpCloud Agent requires Full Disk Access permissions to enable communication with the authentication controls on the device.
- Pre-release or Release Candidate (RC) versions of OS releases are not supported.
- If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
- As of December 15, 2021, we will no longer support the JumpCloud agent on macOS Mojave 10.14.
- As of November 30, 2020, we don’t support the JumpCloud agent on macOS High Sierra 10.13.
- As of June 30, 2020, we don’t support the JumpCloud agent on Debian 8 systems.
- As of April 14, 2020, we don’t support the JumpCloud agent on macOS Sierra 10.12.
Note: If an unsupported device is assigned to the JumpCloud MDM server in Apple Business Manager (ABM), it will attempt to install the agent, which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.
Warning: Do NOT release the device from ABM. Devices released from ABM will need to be re-enrolled using Apple Configurator for iOS. See the Apple Configurator User Guide.
| Term | Definition & Service |
|---|
| Login Password (or User Password) | - This is the primary credential that is linked with your keychain and FileVault (if enabled).
- This password is used to log into your local user account in macOS.
|
| Bootstrap Token | - Bootstrap Tokens grant a secure token to mobile or MDM administrator accounts.
- These won't be created automatically if the first user created is a standard user during MDM enrollment, or if local account creation is skipped entirely.
- Only available after MDM enrollment (JumpCloud MDM currently doesn't use this feature).
|
| Keychain | - Keychains are linked to the user when the user is created.
- Shares password with user account.
- Keychain password is only available to the user, and not the administrator.
- If the keychain password is lost, the user loses access to that keychain, and a new keychain is created.
- Keychain passwords can become out of sync two different ways:
- User login password change outside the Mac. For example, an Active Directory (AD) password change done in AD outside of macOS.
- User login password reset executed by an administrator on device.
|
| FileVault (FV) | - FileVault is the service that encrypts disks in macOS using an encryption key.
- Shares password with the administrator account that enabled it.
- This key can become out of sync if the following occurs:
- A password change via script.
- AD password change outside the Mac.
- You can avoid FV lockouts in the following ways:
- Having a second administrator on the Mac with a secure token.
- If the password is changed, store the old password somewhere safe, it can be used to decrypt FV.
- Warning: Do not reboot!
- If you have rebooted, you will need another account with a secure token to unlock FV.
- If you don't have the passwords, or a valid account and password to decrypt the FV volume, you have to use the Recovery Key.
|
Changes Made to Your MacOS Device During Installation
| Installation Files, Directories, or Settings | Locations and Details |
| Installer Filename | jumpcloud-agent.pkg |
| Launch Daemon | com.jumpcloud.darwin-agent |
| Primary Installation Directory | /opt/jc/ |
| Installation and Service Log Directory | /var/log/jc*.log You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online devices. |
| JumpCloud Menu Bar App Tray Log Directory | ~/Library/Logs/JumpCloud |
| Device Trust | The jumpcloud-user-agent application handles actions that must be performed in a user’s context: - App location - /opt/jc_user_ro/jumpcloud-user-agent
- Log file - /Users/<username>/Library/Logs/JumpCloud/jc-user-agent.log
The log file is present for every user on the device, whether or not the user is managed by JumpCloud, because the user-agent runs for each logged-in user. However, the agent will only install and manage certificates for managed users. |
| User-agent Management | To ensure that the JumpCloud user-agent is started when the user logs in and is restarted automatically, the agent installer places a properties list file here: /Library/LaunchAgents/com.jumpcloud.user-agent.plist |
| Certificate Management | When the JumpCloud user-agent requests new Device Trust certificates for the user, it creates a new MacOS keychain: /Users/username/Library/Keychains/jumpcloud-device-trust-keychain-db It stores the password to unlock this keychain in the user’s login keychain in this item: JumpCloud Device Trust Keychain Password. The user-agent imports the Device Trust certificates and private key into this new keychain. |
| Certificate Auto-Selection for Safari | Safari looks for identity preference settings in the user’s login keychain to automatically select certificates. The user-agent creates identity preferences in the keychain to associate the Device Trust certificate with two JumpCloud URLs: |
| Certificate Auto-Selection for Chrome | On MacOS, Chrome uses a properties list (plist) file to configure certificate auto-selection filters. The user agent will update the user’s current ‘Library/Preferences/com.google.chrome.plist’ file if it’s present or create a new file if it's not. The auto-selection filters allow Chrome to find a certificate in the keychain to apply to a given URL. The selection filters will match a cert with a Subject Organizational Unit (SUBJECT:OU) of JumpCloud Device Trust to two JumpCloud URLs: |
| Custom Login Window | /Library/Preferences/com.apple.loginwindow.plist /Library/Security/SecurityagentPlugins/jumpcloud-loginwindow.bundle/Contents/Info.plist |
| TOTP Key Files | When enabled, key files are stored on a per user basis in this directory at this path: /etc/ssh/jumpcloud_totp/${USER} JumpCloud manages this based on users having uploaded public keys to JumpCloud. |
| JumpCloud-managed Sudo Users | JumpCloud enables sudo users by adding those users to: /etc/sudoers.d/00-USERNAME-jumpcloud All JumpCloud-managed users will be added to the path. However, non-privileged users will contain a configuration file that explicitly denies sudo privileges. |
| System Insights OS Query | /opt/jc/bin/jcosqueryi Note: OS query is only installed when System Insights is enabled. |
Additional MacOS Considerations:
- For all supported macOS versions, a native Administrator service account is created, and credentials are required during installation for support with secure token in conjunction with FileVault.
- Syncing login passwords with Apple’s iCloud service is not supported, and attempting to turn it on may result in undefined and unsupported behavior.
- See JumpCloud Agent Port Requirements.
- JumpCloud is proud to natively support Apple silicon Macs.
Windows
Supported Windows Versions:
- 10 (64 bit)
- 11
- Server: 2012 R2
- Server: 2016 (64 bit)
- Server: 2019
- Server: 2022
Considerations:
- If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
- As of June 16, 2023, the JumpCloud agent will not be updated past version 1.115.1 on 32-bit devices.
- As of June 16, 2023, the JumpCloud tray application will not be updated past version 1.32.0 on 32-bit devices.
- As of February 18, 2022, JumpCloud no longer supports Windows 8.1.
- Beginning on May 11, 2021, we only support Windows 10 build 1909 and above. Learn more: Windows 10 Release Information.
- As of June 30, 2020, we don’t support the JumpCloud agent on 32-bit devices.
- As of June 30, 2020, we don’t support the JumpCloud agent on Windows 8.
- As of April 14, 2020, we don’t support the JumpCloud agent on Windows 7 or Windows 2008 + R2.
- International versions of Windows are supported. However, certain international character sets may cause the following issues:
- Cosmetic issues in the Devices detail views
- Adverse results in Command execution in the Admin Portal
- Non-English locales aren’t supported by JumpCloud policies
- Home versions of Windows are supported in the following ways:
- The JumpCloud agent can be installed
- Conditional access is supported
- JumpCloud policies and security commands are currently unsupported
- Enhanced Security Configuration on Windows Server 2019 blocks our ability to auto-select the certificate in Internet Explorer and certain versions of Edge; disable Enhanced Security Configuration for users so that they aren’t prompted when accessing JumpCloud-managed resources.
- Release Candidate (RC) versions of O/S releases are not supported.
- The JumpCloud agent is not compatible with Duo System Agent Authentication for Windows.
- The JumpCloud agent does not support Windows ARM devices.
Note: PowerShell is required for Windows agent functionality.
| Component | Requirement |
|---|
| Disk Usage | 166 MB minimum This includes C++ runtime components |
| Memory Usage | 6 MB minimum |
| C++ Runtimes | MS Visual C++ 2013 Redistributable package (x86_64) |
Changes Made to Your Windows Device During Installation
| Installation Files, Directories, or Settings | Locations and Details |
| Installer Filename | JumpCloudInstaller.exe |
| SERVICE-NAME | jumpcloud-agent |
| Primary Location of JumpCloud Agent | For 64-bit: C:\Program Files\JumpCloud For 32-bit: C:\Program Files (x86)\JumpCloud |
| Service Log Directory | C:\Windows\Temp\jcagent.log You can download the most recent 1 MB of logs for a device from the System Details panel by clicking Get system logs. Logs are only available for online devices. |
| Installation Log Directory | C:\Users\username\AppData\Local\Temp\jcagent.log The log file lives in the directory for the admin user who installs the agent. |
| Device Trust | The jumpcloud-user-agent application handles actions that must be performed in a user’s context: - App location - C:\Program Files\JumpCloud\jumpcloud-user-agent\jumpcloud-user-agent.exe
- Log file - C:\Users\<username>\AppData\Local\Temp\jc-user-agent.log
|
| Certificate Management | The agent and user-agent import certificates into Windows Certificate Stores: - The agent imports the root certificate into the System Certificate Store. This action requires administrative privileges, which is why the agent performs this import.
- The user-agent imports the intermediate certificate into the user’s Intermediate Certificate Store.
- The user-agent imports the leaf cert and private key into the user’s Personal Certificate Store.
|
| Certificate Auto-Selection for Chrome and Edge | To support certificate auto-selection in Chrome and Edge, the agent creates the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ AutoSelectCertificateForUrls HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ AutoSelectCertficateForUrls The agent adds an entry for the ‘https://device-cert.jumpcloud.com’ URL if it doesn't exist. |
| Registry Keys Added | HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\JumpCloud agent\ConfigFile HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Uninstall\{96542816-DAD1-4D02-8363-CA4121E5CAE7}_is1 |
| System Insights OS Query | C:\Program Files\JumpCloud\jcosqueryi.exe |
Additional Windows Considerations
- After you create a JumpCloud account for a user and the account is active, you can associate the user with a JumpCloud-managed Windows device. When you bind a user to a device, we add the user’s account to the following local groups:
- Standard User Windows Local Groups (for user accounts with no local administrator permissions):
- Users
- Remote Desktop Users
- Administrator User Windows Local Groups(for user accounts with local administrator permissions):
- Administrators
- Users
- Remote Desktop Users
- If you manually remove a user account from one of these groups, the agent on the Windows device restores these associations when you save any changes in the Administrator Portal.
- Windows Live! isn’t supported.
- See JumpCloud agent Port Requirements.
- See Adding the JumpCloud agent to an allow list.
Linux
Core packages are central to the running of a Linux distribution because they contain files for functionality, such as connecting to the Internet, managing and repairing file systems, and the system setup process (e.g. openssh). The packages you’re required to install for the JumpCloud agent to work varies by OS version and are listed in the following table.
Considerations
- Release Candidate (RC) versions of O/S releases aren’t supported.
- If the JumpCloud agent is installed on an unsupported version, JumpCloud neither ensures nor provides guarantees full or even partial functionality of device management. Furthermore, functionality may or may not work as intended and may be hindered based on future product releases:
- As of December 2022, we don’t support the JumpCloud agent on the following systems:
- As of September 2022, we don’t support the JumpCloud agent on the following systems:
- Debian 9
- Fedora 34
- Mint 18
- Ubuntu 21.04
- As of August 8, 2022, we don’t support the JumpCloud agent on Amazon Linux 2013 – 2018.
- As of April 30, 2021, we don’t support the JumpCloud agent on Ubuntu 16.04.
- As of November 30, 2020, we don’t support the JumpCloud agent on the following systems:
- CentOS 6
- RHEL 6
- Ubuntu 19.04
- As of June 30, 2020, we don’t support the JumpCloud agent on Debian 8 systems.
Supported Linux Versions
| Distribution | Requirements |
|---|
Amazon Linux (amd64, arm64): 2, 2022 | The following core packages must be installed: - chkconfig
- coreutils
- curl
- dmidecode
- glibc-common
- grep
- initscripts
- lsof
- net-tools
- nss
- nss-tools
- openssl
- psmisc
- redhat-lsb-core
- rpm
- shadow-utils
- sudo
- tar
- util-linux
- yum
|
| The following core packages must be installed: - chkconfig
- coreutils
- curl
- dnf
- findutils
- gawk
- glibc-common
- grep
- initscripts
- lsof
- net-tools
- nss
- nss-tools
- openssl
- policycoreutils
- psmisc
- redhat-lsb-core
- rpm
- shadow-utils
- sudo
- tar
- util-linux
- which
- yum
|
Debian (amd64): 10 Debian (amd64, arm64): 11 | The following core packages must be installed: - apt-rdepends
- apt-show-versions
- coreutils
- curl
- dpkg
- grep
- hostname
- libc-bin
- libnss3
- libnss3-tools
- libpam-runtime
- libpam-modules
- lsb-release
- lsof
- mawk
- openssl
- passwd
- procps
- psmisc
- sudo
- sysv-rc
- sysvinit-utils
- tar
|
| The following core packages must be installed: - chkconfig
- coreutils
- curl
- dnf
- findutils
- gawk
- glibc-common
- grep
- initscripts
- lsof
- net-tools
- nss
- nss-tools
- openssl
- policycoreutils
- psmisc
- redhat-lsb-core
- rpm
- rsyslog
- shadow-utils
- sudo
- tar
- util-linux
- which
- yum
|
Linux Mint (Cinnamon) (amd64): 19, 20, 21 | The following core packages must be installed: - apt-rdepends
- apt-show-versions
- coreutils
- curl
- dpkg
- grep
- hostname
- libc-bin
- libnss3
- libnss3-tools
- lsb-release
- lsof
- mawk
- openssl
- passwd
- procps
- sudo
- sysvinit-utils
- tar
|
| The following core packages must be installed: - apt-rdepends
- apt-show-versions
- coreutils
- curl
- dpkg
- grep
- hostname
- libc-bin
- libnss3-tools
- lsb-release
- lsof
- mawk
- passwd
- procps
- sudo
- sysvinit-utils
- tar
|
RHEL (amd64): 7, 8 RHEL (amd64, arm64): 9 | The following core packages must be installed: - chkconfig
- coreutils
- curl
- dnf
- findutils
- gawk
- glibc-common
- grep
- initscripts
- lsof
- net-tools
- nss
- nss-tools
- openssl
- psmisc
- redhat-lsb-core
- rpm
- shadow-utils
- sudo
- tar
- util-linux
- which
- yum
|
Rocky Linux (amd64, arm64): 8, 9 | The following core packages must be installed: - coreutils
- curl
- findutils
- gawk
- glibc-common
- grep
- initscripts
- lsof
- net-tools
- nss-tools
- policycoreutils
- psmisc
- rpm
- shadow-utils
- sudo
- tar
- util-linux
- which
- yum
|
Ubuntu (amd64, arm64): 18.04, 20.04, 22.04 | The following core packages must be installed: - apt-rdepends
- apt-show-versions
- coreutils
- apt-curl
- dpkg
- grep
- hostname
- libc-bin
- libnss3
- libnss3-tools
- lsb-release
- lsof
- mawk
- openssl
- passwd
- procps
- sysvinit-utils
- sudo
- tar
|
Linux Installation Requirements
| Component | Requirement |
|---|
| Disk Usage | 21 MB minimum |
| Memory Usage | 5 MB minimum |
Changes Made to Your Linux Device During Installation
| Installation Files, Directories, or Settings | Locations and Details |
|---|
| Installer Filename | jcagent-<os-version-arch>.<deb/rpm> |
| Installed Services | jcagent, agent-monitor (init.d systems) |
| Primary Installation Directory | |
| Service Control Scripts | The following script lives on Linux devices that use System V init scripts: /etc/init.d/jcagent All other versions use systemd initialization and will have the following script: /lib/systemd/system/jcagent.service |
| Google Auth PAM Plugin | This is the OS and Arch lib directory, for example: /lib, /lib64, etc.
/security/pam_google_authenticator.so The JumpCloud agent adds the following configuration lines to the device's /etc/pam.d/sshd configuration file: auth required pam_google_authenticator.so nullok user=root secret=/etc/ssh/jumpcloud_totp/${USER} auth required pam_permit.so These configuration lines are removed when ssh with MFA is disabled. |
| Installation and Service Logs | /var/log/jc* You can download the most recent 1 MB of logs for a device from the Device Details panel by clicking Get agent log. Logs are only available for online systems. |
| Enabling Syslog for the Events API (logging user events) | JumpCloud appends a local host address (127.0.0.1:14028) when enabling Syslog for the Events API (logging user events). /etc/rsyslog.d/jumpcloud.conf |
| sshd Config File | Contains one or more of the following parameters: [PermitRootLogin, PasswordAuthentication, UsePAM, PubkeyAuthentication, ChallengeResponseAuthentication]. Other config management systems may cause a conflict if it also tries to manage this file. /etc/ssh/sshd_config |
| TOTP Key Files | When enabled, TOTP key files are stored on a per user basis at this path: /etc/ssh/jumpcloud_totp/${USER} |
| Sudo Users | JumpCloud enables sudo users by adding those users to: /etc/sudoers.d/00-USERNAME-jumpcloud All JumpCloud-managed users will be added to the path. However, non-privileged users will contain a configuration file that explicitly denies sudo privileges. |
| Authorized Keys | JumpCloud manages this based on users having uploaded public keys to JumpCloud. /root/.ssh/authorized_keys, /home/${USER} .ssh/authorized_keys |
| System Insights OS Query Installation Location | |
| Device Trust | The JumpCloud agent handles all Device Trust actions. |
| Certificate Management | The agent imports the Device Trust certificates into a Network Security Services (NSS) SQLite database (one per managed user). The databases are located in the user’s home directory: - Certificate database: /home/username/.pki/nssdb/cert9.db
- Key database: /home/username/.pki/nssdb/key4.db
If the databases don't exist, the agent creates them. |
| Certificate Auto-Selection for Chrome | The agent creates a system-wide policy configuration for Chrome in the file ‘/etc/opt/chrome/policies/managed/JumpCloudCertificateAutoselect.json’. This file contains ‘AutoSelectCertificateForUrls’ settings that match the JumpCloud Device Trust certificate to the following JumpCloud URL: https://device-cert.jumpcloud.com. |
Additional Linux Considerations:
- For Linux account takeover to complete successfully, the /home/directory must exist for that user.
- If it’s not already installed by default, an admin will need to install OpenSSH server for the specific case where they intend to require MFA to log in via SSH. If MFA is desired over SSH, ensure openssh-server is installed before installing the agent.
- See Agent Networking and Port Requirements
