NetNXT Logo

How to Configure JumpCloud Conditional Access Policies for Geofencing and Device-Based MFA?

January 29, 2026
2 min read
ByNetNXT

Overview

Conditional Access Policies (CAP) allow you to enforce rules like "MFA is required unless you are in the office" or "Block access from high-risk countries."

Scenario A: Geofencing (Block Non-Corporate Countries)

Goal: Prevent logins from outside your operating countries (e.g., block Russia/China).

  1. Navigate to Security Management > Conditional Policies.

  2. Click (+) New Policy.

  3. Name: Block - Non-Approved Countries.

  4. Conditions:

    • Location: Select Country > Does Not Include > Select your permitted countries (e.g., India, USA, UK).

  5. Action: Deny Access.

  6. Assignments: Select All Users (Excluding "Break Glass" Admins).

Scenario B: Trusted Device Bypass (MFA Reduction)

Goal: Require MFA for personal devices, but skip MFA for managed corporate laptops.

  1. Click (+) New Policy.

  2. Name: Allow - Managed Devices (No MFA).

  3. Conditions:

    • Device Trust: Select JumpCloud Managed Device.

  4. Action: Allow Access.

    • Authentication: Select Password (Do not check MFA).

  5. Assignments: All Users.

    • Note: Ensure you have a lower-priority "Catch-All" policy that requires MFA for everything else.

FAQ

1) How do I block user logins from specific countries in JumpCloud?

Create a Conditional Access Policy using the Location condition. Select “Does Not Include” and choose approved countries, then set the action to Deny Access.

2) How can I reduce MFA prompts for corporate laptops in JumpCloud?

Use a policy with the Device Trust condition set to “JumpCloud Managed Device” and allow access with password-only authentication, skipping MFA for those devices.

3) What is a “Break Glass” admin in Conditional Access policies?

A Break Glass admin is an emergency account excluded from restrictions to ensure access if policies accidentally block legitimate administrators.

4) Why do I need a catch-all MFA policy after creating exceptions?

A catch-all policy ensures all other login scenarios still require MFA, preventing gaps in protection after creating device or location-based exceptions.

5) Can Conditional Access differentiate between personal and managed devices?

Yes. JumpCloud can detect whether a device is managed by its agent and apply different authentication requirements based on device trust status.

Was this article helpful?