diff --git a/home/.chezmoiscripts/universal/run_onchange_before_03-jumpcloud.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_before_03-jumpcloud.sh.tmpl
new file mode 100644
index 00000000..646ba7a4
--- /dev/null
+++ b/home/.chezmoiscripts/universal/run_onchange_before_03-jumpcloud.sh.tmpl
@@ -0,0 +1,21 @@
+{{- if and (eq .host.distro.family "linux") (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (or (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "JUMPCLOUD_CONNECT_KEY")) (env "JUMPCLOUD_CONNECT_KEY")) -}}
+#!/usr/bin/env bash
+# @file JumpCloud Device Enrollment
+# @brief Enrolls the device as a JumpCloud asset if `JUMPCLOUD_CONNECT_KEY` is defined
+# @description
+#     This script enrolls the device as a JumpCloud managed asset. The `JUMPCLOUD_CONNECT_KEY` secret should
+#     be populated using one of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
+#
+#     *Note: You should check out the supported systems before trying to enroll devices.*
+#
+#     ## Links
+#
+#     * [JumpCloud device management requirements](https://support.jumpcloud.com/support/s/article/jumpcloud-agent-compatibility-system-requirements-and-impacts1)
+
+{{ includeTemplate "universal/profile-before" }}
+{{ includeTemplate "universal/logg-before" }}
+
+logg info 'Enrolling device with JumpCloud by running the kickstart script'
+curl --tlsv1.2 --silent --show-error --header 'x-connect-key: {{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "JUMPCLOUD_CONNECT_KEY")) }}{{- includeTemplate "secrets/JUMPCLOUD_CONNECT_KEY" | decrypt -}}{{ else }}{{- env "JUMPCLOUD_CONNECT_KEY" -}}{{ end }}' https://kickstart.jumpcloud.com/Kickstart | sudo bash
+
+{{ end -}}
\ No newline at end of file
diff --git a/home/.chezmoiscripts/windows/run_onchange_before_03-jumpcloud.ps1.tmpl b/home/.chezmoiscripts/windows/run_onchange_before_03-jumpcloud.ps1.tmpl
new file mode 100644
index 00000000..cc3d00f7
--- /dev/null
+++ b/home/.chezmoiscripts/windows/run_onchange_before_03-jumpcloud.ps1.tmpl
@@ -0,0 +1,3 @@
+{{- if and (eq .host.distro.family "windows") (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (or (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "JUMPCLOUD_CONNECT_KEY")) (env "JUMPCLOUD_CONNECT_KEY")) -}}
+cd $env:temp | Invoke-Expression; Invoke-RestMethod -Method Get -URI https://raw.githubusercontent.com/TheJumpCloud/support/master/scripts/windows/InstallWindowsAgent.ps1 -OutFile InstallWindowsAgent.ps1 | Invoke-Expression; ./InstallWindowsAgent.ps1 -JumpCloudConnectKey "{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "JUMPCLOUD_CONNECT_KEY")) }}{{- includeTemplate "secrets/JUMPCLOUD_CONNECT_KEY" | decrypt -}}{{ else }}{{- env "JUMPCLOUD_CONNECT_KEY" -}}{{ end }}"
+{{- end -}}
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/JUMPCLOUD_CONNECT_KEY b/home/.chezmoitemplates/secrets/JUMPCLOUD_CONNECT_KEY
new file mode 100644
index 00000000..f770ab3c
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/JUMPCLOUD_CONNECT_KEY
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WGJ1YytScVd3Y2M5Qld5
+TUNkNGRUcnE2dDM2MXlhWGVBQnRiamtQK25zCnZLNE9uaU8wWm1OUi9pTzhidFc3
+Nk9RVVdBVlNScUpibUxWbzRtcUw4UEEKLS0tIFArZ1M0S2huNmFGdjZnTHE0Z3Fv
+dHgzYzRyZHdNME51bktQenRrVjRSY2cKE8he0EmO8f42R16QvRaOvhwKhoEM7V1f
+1Lb/SEx5SIrvQbs17Sx762L9Gwkx0VaOErX/mJK2CvmCcXZ2ZB1QX1Ui7lbF5sCc
+hg==
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file