How to Configure JumpCloud Conditional Access Policies for Geofencing and Device-Based MFA?
Overview
Conditional Access Policies (CAP) allow you to enforce rules like "MFA is required unless you are in the office" or "Block access from high-risk countries."
Scenario A: Geofencing (Block Non-Corporate Countries)
Goal: Prevent logins from outside your operating countries (e.g., block Russia/China).
Navigate to Security Management > Conditional Policies.
Click (+) New Policy.
Name: Block - Non-Approved Countries.
Conditions:
Location: Select Country > Does Not Include > Select your permitted countries (e.g., India, USA, UK).
Action: Deny Access.
Assignments: Select All Users (Excluding "Break Glass" Admins).
Scenario B: Trusted Device Bypass (MFA Reduction)
Goal: Require MFA for personal devices, but skip MFA for managed corporate laptops.
Click (+) New Policy.
Name: Allow - Managed Devices (No MFA).
Conditions:
Device Trust: Select JumpCloud Managed Device.
Action: Allow Access.
Authentication: Select Password (Do not check MFA).
Assignments: All Users.
Note: Ensure you have a lower-priority "Catch-All" policy that requires MFA for everything else.
FAQ
1) How do I block user logins from specific countries in JumpCloud?
Create a Conditional Access Policy using the Location condition. Select “Does Not Include” and choose approved countries, then set the action to Deny Access.
2) How can I reduce MFA prompts for corporate laptops in JumpCloud?
Use a policy with the Device Trust condition set to “JumpCloud Managed Device” and allow access with password-only authentication, skipping MFA for those devices.
3) What is a “Break Glass” admin in Conditional Access policies?
A Break Glass admin is an emergency account excluded from restrictions to ensure access if policies accidentally block legitimate administrators.
4) Why do I need a catch-all MFA policy after creating exceptions?
A catch-all policy ensures all other login scenarios still require MFA, preventing gaps in protection after creating device or location-based exceptions.
5) Can Conditional Access differentiate between personal and managed devices?
Yes. JumpCloud can detect whether a device is managed by its agent and apply different authentication requirements based on device trust status.
