{
	"id": "e0cc0fa1-1656-4795-abcc-593d99f27274",
	"created_at": "2026-04-06T00:11:04.33238Z",
	"updated_at": "2026-04-10T03:20:47.6284Z",
	"deleted_at": null,
	"sha1_hash": "07e087fc6a06b0a029dbee34567533515dd934d3",
	"title": "Get Started: Conditional Access Policies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156909,
	"plain_text": "Get Started: Conditional Access Policies\r\nArchived: 2026-04-05 13:31:35 UTC\r\n___\r\nGet Started: Conditional Access Policies\r\nTo implement Zero Trust security for your organization, create conditional access policies that secure access to\r\nresources based on conditions like a user's identity, their network, or the type of device they’re on. For example,\r\nlock down your environment with policies that deny access when users are on unmanaged devices or unapproved\r\nnetworks. Alternatively, relax access and let users log in to the User Portal without Multi-factor Authentication\r\n(MFA) when they’re using a VPN or managed device. \r\nConsiderations:\r\nDesktop access policies using Device Trust Certificates are only supported on the following browsers:\r\nWindows: Google Chrome, Microsoft Edge\r\nmacOS: Google Chrome, Safari\r\nLinux: Google Chrome\r\nWhen Device Trust Certificates are enabled and users use JumpCloud Go to log in to web applications,\r\nJumpCloud Go takes precedence over the certificate to verify the device's management status.\r\nMobile devices are supported using Mobile Device Trust. See Get Started: Mobile Device Trust to learn\r\nmore.\r\nAn access policy becomes a conditional access policy when you add a condition. Adding a condition for\r\nthe User Portal or SSO Applications is a Premium feature and is part of our Platform Prime plan.\r\nTip:\r\nYou can remotely apply policies that make your managed devices and third-party apps secure and meet\r\ncompliance levels. See Get Started: Policies. 
\r\nConditional Access Policies List View \r\nTo find the list view, log in to the JumpCloud Admin Portal and go to Security \u003e Conditional Access Policies.\r\nhttps://jumpcloud.com/support/get-started-conditional-access-policies\r\nPage 1 of 7\n\nImportant:\r\nIf your data is stored outside of the US, check which login URL you should be using depending on your region,\r\nsee JumpCloud Data Centers to learn more.\r\nFrom the list view you can: \r\nSee a list of the access policies that you’ve configured.\r\nTo make changes to the default access policies, click Edit in Settings under Default Access Policies.\r\nSee Set a Default Access Policy\r\nConfigure (or delete) new access policies for the User Portal, SSO Applications, or JumpCloud LDAP.\r\nSee Configure a Conditional Access Policy\r\nAccess the Conditional Policy Settings page, where you can enable Certificate Distribution, manage\r\nDefault Access Policies, and customize the conditional access deny message displayed to users.\r\nTo create a custom deny message for users, click the Custom tab, and enter the message as\r\nrequired. You can also give a hyperlink to a help article by clicking the Link toggle key.\r\nUnderstanding Policy Precedence\r\nTip:\r\nConditional Access Policies work in conjunction with Default Access Policies. If none of the set access policies\r\napply to a user, the Default Access Policies are enforced as fallback policies.\r\nBefore you create several access policies, it’s important to understand policy precedence so that you don’t\r\naccidentally lock out your users. When you have several policies enabled, the policy precedence is the following:\r\nA policy set to deny access is first priority.\r\nA policy set to allow access with MFA is second priority.\r\nA policy set to allow access without MFA is third priority. 
\r\nThis means if several policies with different actions apply to a single user, the policy that denies access takes\r\neffect over policies that allow access with or without MFA. \r\nFor example: consider these two policies:\r\nOne policy denies access to the User Portal if a user isn’t on an approved network (conditional). You\r\ninclude a specific user group with this policy.\r\nAnother policy allows access to the user portal with MFA. You include all your users with this policy. \r\nResult: If a user is included in both policies and they try to log in to the User Portal from an unapproved network,\r\nthey’re denied access. \r\nWith that in mind, we recommend being very specific when you create a policy that denies access. If you’re not\r\ncareful, you could prevent your users from being able to access resources. \r\nWhen no conditional access policies apply to a user, the Default Access Policy takes effect. For example, say you\r\nhave:\r\nAn access policy that allows access without MFA.\r\nA user who isn’t included in the policy.\r\nThe Default Access Policy set to allow access with MFA.\r\nIn this case, the user is required to authenticate with MFA.\r\nSupported Resources\r\nYou can create access policies for the User Portal, SSO applications, and LDAP applications. An access policy\r\nbecomes a conditional access policy when you add a condition. Adding a condition for the User Portal or SSO\r\nApplications is a Premium feature and is part of our Platform Prime plan.\r\nA policy can only have one resource type associated with it, so you can’t have one policy that applies to both the\r\nUser Portal and SSO Applications. 
\r\nUser Portal: Configure a policy that relaxes, restricts, or denies access to the User Portal.\r\nFor example, use a device condition to let users log in to the User Portal without MFA when they’re\r\non a JumpCloud-managed device, or set a policy across all your users that requires MFA to access\r\nthe User Portal. \r\nImportant:\r\nTo avoid account lockout and password reset failure issues, we recommend informing your users to set up an MFA\r\nfactor in their User Portal before you apply a conditional access policy to the User Portal. For user instructions on\r\nhow to do this, see Set up an Authenticator App.\r\nYou can also enable your users to reset their password when MFA is enforced for the User Portal but they have not\r\nyet enrolled. See Manage Password and Security Settings.\r\nSSO Applications: Use a policy to relax, restrict or deny access to SSO applications when users access\r\nthem from the User Portal or through service provider-initiated authentication.\r\nFor example, enable a policy for your software engineer user groups that requires them to use MFA\r\nwhen they access AWS and GitHub applications.\r\nLDAP Applications: Use a policy to relax, restrict or deny access to LDAP applications when users access\r\nthem from the User Portal.\r\nFor example, enable a policy for your users that requires them to use MFA when accessing the VPN.\r\nNote that conditions are not applicable for LDAP access policies.\r\nNote:\r\nIf you plan to create policies that require MFA, you need to set up MFA in SECURITY\r\nMANAGEMENT \u003e MFA Policies. See MFA Guide for Admins to decide which type of MFA to set up.\r\nWhen you create an access policy that requires MFA, users who are included in the policy but don’t have MFA set\r\nup will be required to enroll in MFA the next time they log in to the User Portal. 
\r\nAdmin Portal: Use a policy to relax, restrict or deny access to the Admin Portal when Admins access it. See\r\nConfiguring Conditional Access Policies For Admin Portal to learn more.\r\nSupported Conditions\r\nConfigure your access policies with conditions to control the level of access to the User Portal, SSO Applications, and\r\nAdmin Portal. Conditions are a premium feature and are part of the Platform Prime plan.\r\nExamples of ways to leverage conditions to support your security posture include:\r\nDevice Management\r\nBlock access to work applications from unmanaged devices.\r\nRequire users to use MFA when they access work applications on managed devices.\r\nDisk Encryption\r\nDeny access to resources when the device does not have disk encryption enabled.\r\nLocation\r\nBlock access to secure resources when the authentication request is coming from an unknown or\r\nuntrusted country.\r\nIP Address\r\nRelax MFA requirements if the request to authenticate is coming from inside the corporate network.\r\nRequire step-up authentication when the request to authenticate is coming from outside a trusted\r\nnetwork.\r\nOperating System\r\nEnable granular control and target specific device types by operating system in a policy. For\r\nexample:\r\nConfigure a policy with the Device Management condition to block devices not managed by\r\nJumpCloud, but add the Operating System condition for macOS, Windows, and Linux. 
This\r\nallows access for mobile devices, while preventing access from unmanaged desktop devices.\r\nOr configure a policy with the Device Management condition and use the Operating System\r\ncondition to target mobile devices specifically (iOS/iPad OS and Android).\r\nSource: https://jumpcloud.com/support/get-started-conditional-access-policies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://jumpcloud.com/support/get-started-conditional-access-policies"
	],
	"report_names": [
		"get-started-conditional-access-policies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07e087fc6a06b0a029dbee34567533515dd934d3.pdf",
		"text": "https://archive.orkl.eu/07e087fc6a06b0a029dbee34567533515dd934d3.txt",
		"img": "https://archive.orkl.eu/07e087fc6a06b0a029dbee34567533515dd934d3.jpg"
	}
}