Enable TOTP MFA for Devices

JumpCloud gives organizations the power to layer Multi-Factor Authentication (MFA) on top of nearly any resource you need to secure: Windows, Mac, Linux, applications, networks, infrastructure and more.

If you'd like to use the JumpCloud Protect Push MFA mobile app for your MFA needs, see JumpCloud Protect for End Users.

Prerequisites:

Considerations

  • When TOTP MFA is enabled on a device, only users who have completed setup are prompted for TOTP MFA when they log in to the device.
  • See individual considerations for each OS, listed below.

Note:

Internet connectivity is not required to use TOTP MFA on devices.

Before you can require your users to use TOTP MFA to log into their JumpCloud device, you must complete two procedures: 

  1. Enable TOTP MFA at the org level.
  2. Enable TOTP MFA on the devices.

Enabling TOTP MFA at the Org Level

To enable TOTP MFA at the org level:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Navigate to SECURITY MANAGEMENT > MFA Configurations.
  3. Under the Time-based One Time Password window, click Enable.

Any device in your org for which MFA has been enabled will now require TOTP MFA. Enable MFA on the devices manually by following the steps below.

Enabling TOTP MFA for Your Devices

To enable TOTP MFA on your devices:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to DEVICE MANAGEMENT > Devices
  3. Select the checkbox next to the devices you want to enable TOTP MFA on. 
  4. Click more actions. 
  5. Select Enable MFA
  6. Confirm by selecting enable.

Once devices are enabled, users need to be enabled and they need to enroll in TOTP MFA. See Configure TOTP MFA for User Accounts for more information. 

Learn more about enabling TOTP MFA for individual devices below:

Tip:

To see your users' experience when logging in with TOTP, see JumpCloud Protect for End Users.

Enable TOTP MFA for Linux

Considerations:

  • If it’s not already installed by default, an admin will need to install an OpenSSH server for the specific case where they intend to require MFA to log in via SSH. If you want to require MFA for SSH logins, ensure openssh-server is installed before installing the JumpCloud agent.

To enable MFA for SSH on a Linux system:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to DEVICE MANAGEMENT > Devices.
  3. Select a Linux device.
  4. If MFA Login is disabled, deselect Allow SSH Password Login or Enable Public Key Authentication. If both options are selected, MFA can’t be enabled.
  5. Click MFA Login Disabled and choose Enable MFA Login.
  6. Click Save Device.

Tip:

You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.

Enable MFA for Mac

Considerations

  • Don’t enable TOTP MFA for OS X if the device is already using or has configured another multi-factor authentication service or authentication plug-in. Doing so could cause adverse results, like not being able to access the device.
  • TOTP MFA only affects the OS login screen. FileVault decryption, screen saver, lock screen, etc. aren’t affected by this setting.
  • Devices that run macOS 12 Monterey on devices with small display areas might experience issues. MacOS Monterey has reduced the size of the login window for all MFA logins, including TOTP and Push. If your macOS Monterey device has a display that is less than 900 px in height, you might experience a display overlap between the login area and the policy text that is displayed on the screen. There is no workaround, and JumpCloud suggests that you use a macOS device with a vertical display that is more than 900 px high.

To enable MFA for a Mac Device:

  1. Log in to the Administrator Portal: https://console.jumpcloud.com/login.
  2. Go to DEVICE MANAGEMENT > Devices
  3. Check the box next to the Mac device that you want to view Details for. 
  4. Click on the more actions dropdown menu in the right-hand corner. 
  5. Click Enable MFA or Disable MFA.
  6. You receive a pop-up with information about enabling MFA on your selected device, click enable, and you will receive a notification that the device was saved successfully.
  7. The MFA Status column is updated with a green lock icon.
  8. You can disable MFA from the selected device’s Details page on the Highlights tab > Device Configuration, toggle MFA Login Enabled to MFA Login Disabled.
  9. Save Device.
  10. After you enable MFA for a device, users will see a modified login window that prompts for a TOTP token.

Tip:

You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.

Enable MFA for Windows

Considerations:

  • MFA is only supported and functional for Windows 10 and above.
  • JumpCloud MFA employs the use of a credential provider. When MFA is enabled on a Windows system, and a user that is required to use MFA is bound to the system, all other Windows credential providers are disabled.
  • To ensure systems can be recovered when users have issues logging in, MFA can be bypassed by booting a Windows system in safe mode. You can prevent non-admin users from logging in to Windows systems in safe mode by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SafeModeBlockNonAdmins registry to 1
  • A TOTP token is only required when a user initially logs in to their JumpCloud-managed Windows system. When a user locks their screen, they aren’t required to enter a TOTP token to unlock their system.

Note:

If the 'Display User Info When the Session is Locked' policy AND the 'Do Not Display Last Username on Logon Screen' policy are enabled, users will have to enter MFA to unlock their system. These policies are included in each of the templated JumpCloud Enhanced Security groups.

  • Newer versions of Windows have the configurable option to keep users logged in through a reboot. The default setting for this option is to keep users logged in. As a result, users of computers with this option enabled aren’t required to provide a TOTP token after a reboot.
  • Users must have a TOTP app to generate TOTP tokens. JumpCloud recommends using JumpCloud Protect.
  • TOTP MFA is supported for Remote Desktop.
  • You may need to disable Windows Automatic Restart Sign-on (ARSO) to force the TOTP authentication prompt on the Windows login screen after a machine reboot. This can be done one of two ways – via a policy or via a PowerShell command. See To disable Windows ARSO below.

To enable MFA for a Windows system:

  1. Go to DEVICE MANAGEMENT > Devices
  2. Check the box next to the Windows device that you want to view Details for. 
  3. Click on the more actions dropdown menu in the right-hand corner. 
  4. Click Enable MFA or Disable MFA.
  5. You receive a pop-up with information about enabling MFA on your selected device, click enable, and you will receive a notification that the device was saved successfully.
  6. The MFA Status column is updated with a green lock icon.
  7. You can disable MFA from the selected device’s Details page on the Highlights tab > Device Configuration, toggle MFA Login Enabled to MFA Login Disabled.
  8. Save Device.
  9. After you enable MFA for a device, users will see a modified login window that prompts for a TOTP token.

Tip:

You can enable MFA for multiple devices from the Devices tab by clicking more actions and choosing Enable MFA.

After you save, TOTP MFA is enabled on the system and users that have been required TOTP MFA and are connected to the system will see a modified login screen that prompts them for a TOTP token.

Disabling Windows ARSO

You may need to disable Windows Automatic Restart Sign-on (ARSO) to force the TOTP authentication prompt in the Windows login screen after a machine reboot. This can be done one of two ways - via a policy or via a PowerShell command.

To disable Windows ARSO with a policy:

Create a policy with the following values to disable Windows ARSO:

  • Registry Key Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value Name: DisableAutomaticRestartSignOn
  • Type: DWORD
  • Data: 1

Important:

This registry key (and interface change) will not appear until the device has run through a group policy update cycle. The default group policy update cycle time is every 90 minutes with a randomized offset of up to 30 minutes.

To disable Windows ARSO with a command:

Run the following PowerShell command using the JumpCloud Commands module to disable Windows ARSO:

#Get Execution Policy currently
$exec_pol = Get-ExecutionPolicy
#Set Execution Policy to run script
Set-ExecutionPolicy Unrestricted
# Import JC PoSh module
Import-Module "C:\Program Files\JumpCloud\policies\JumpcloudPolicies\JumpcloudPolicies"
$automaticRestartSignOn = @{
  policypath = 'C:\Windows\system32\GroupPolicy\Machine\Registry.pol';
  policykey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
  policyValuename = 'DisableAutomaticRestartSignOn';
  policyType = 'DWord';
  policyData = '1'
}
install-jcpolicy @automaticRestartSignOn
gpupdate /force
Set-ExecutionPolicy $exec_pol

To reverse the PowerShell command and remove the local group policy, run the following PowerShell command on the device in JumpCloud Commands:  

# Import JC PoSh module
Import-Module "C:\Program Files\JumpCloud\policies\JumpcloudPolicies\JumpcloudPolicies"$automaticRestartSignOn = @{  
policypath = 'C:\Windows\system32\GroupPolicy\Machine\Registry.pol';  
policykey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';  
policyValuename = 'DisableAutomaticRestartSignOn';
}
uninstall-jcpolicy @automaticRestartSignOn
gpupdate /force

Viewing Users’ MFA Status on the Device

To determine the TOTP MFA status of users connected to this device:

  1. Go to the DEVICE MANAGEMENT > Devices.
  2. Select a device and click the Users tab..
  3. The user MFA Status is shown in the MFA:TOTP column. 

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case