How to enrol a Windows device into JumpCloud via a Windows Provisioning Package (.ppkg-file)

TL;DR

There are a couple of options to enrol a Windows device into JumpCloud to get it managed. You can simply run the installer manually, you can use a PowerShell-script and both options (binary only or script) can be used in conjunction with an existing RMM-solution. Users can also - if enabled - self-enrol a device by using the installer acquired from the User Console.

Windows Provisioning Packages can be an alternative option for you where you just need to distribute the package in some way to your admin or user. Once you have created the package containing the correct payload including the JumpCloud Agent, you have the following options:

• Manual execution (post initial setup)
• Execution during OOBE (while setting up a device)
• Execution remotely managed via powershell

Packages are created by using the Windows Configuration Designer which is freely available either via Windows ADK or the Windows Store.

How to bundle the JumpCloud Agent into a Provisioning Package?

By using the Windows Configuration Designer, you can either choose the so-called Desktop Wizard Method or you use the Advanced Editor mode which unveils all configurations. Both options will make use of the same simple configuration used to get the agent installed.

The documentation for reference can be found here and elaborates about multiple ways to get apps bundled into a package.

You basically just need to acquire the JumpCloud Agent (i.e. from the admin console) and then upload the file into the Windows Configuration Designer. Navigate to:

ProvisioningCommands / Command / Primary Context / Command / File

Next you need to specify the CommandLine which is used to run the installer while the package is applied to a Windows device:

cmd /c "jumpcloudinstaller.exe" -k ‘YOUR_CONNECT_KEY’ /VERYSILENT /SUPPRESSMSGBOXES

Replace YOUR_CONNECT_KEY with the actual connect key. Do not worry about an unwanted exposure of the key: The package itself can be encrypted and protected with a password when the build process is executed. By doing so, you can add some level of extra security.

You have additional options available for configuration, i.e. if you want to make a restart required, if you want to add dependency packages or define a specific return code for a successful installation.

Other additional options within a Provisioning Package

These packages give you way more options in general to provision a device with a single configuration file.

For example you can:

• Set a device name
• Upgrade the Windows Product edition
• Configure the device for shared use
• Remove pre-installed software
• Configure a wifi network
• Create a local admin account
• Prevent users from adding/using Microsoft-Accounts
• Add certificates
• ... and so on. A full set of settings is documented here.

Build and execution

Once you've configured everything, click the Export button to kick off the build process. Provide a name, an owner, a version and if needed a rank (0 is the default).

In the next screen you can Encrypt and Sign the package:

When completed, you will find a log, a cat-file, an xml-file and the actual ppkg-file in the project folder.

The latter is the one you gonna distribute to your devices.

When executing it (manually) you will be prompted by the UAC to confirm the execution:

Then enter the password and in the last screen you will get an overview presented before finally applying your config:

That's it. Your device will restart in the case after around 2-3 minutes and the newly provisioned device will also show up on your JumpCloud admin console almost instantly. Now you're able to further provision the device by applying policies, executing required commands, deploy software, assign users and configure device-level MFA and more.