Just In Time (JIT) Access

Just In Time (JIT) access is used to grant temporary administrator access to either Windows or macOS workstations without having to create unique policies for applications with this need. For example, JIT access allows a support engineer or technician to temporarily run arbitrary programs with elevation or to perform arbitrary software installations, usually to correct issues.

Normally, policies only apply to certain applications, but in JIT mode, any application that requires elevation can be run as Administrator by the user.

Overview

JIT access requires approval from the administrator; this is by design. Once the administrator approves the request, every program the user runs is elevated.

When the approval period for JIT ends, new programs no longer run with elevation automatically. Any elevated programs that are still running self-terminate ungracefully, so that they cannot be used to perform administrative functions beyond the end of the approval period. The default approval period is four hours.

The approval remains in effect even if the user reboots the computer or logs off and logs on again. Requesting JIT mode again during the valid approval period enables JIT automatically, until the approval period expires.

Platforms

JIT elevation is supported on Windows agent versions 11.4.2 and later and macOS agent versions 12.02 and later. Assigning this policy to older agents will cause ALL policy processing to fail.
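
Because assigning the policy to an older agent breaks all policy processing, it is worth checking agent versions before widening the policy's scope. The following is an added example, not part of the product or its documentation: it assumes a constructed CSV inventory export with hypothetical columns host, platform and agent_version, and assumes version components compare numerically (so 12.02 is read as 12.2).

```python
import csv
import io

# Minimum agent versions for JIT elevation, as stated on this page.
MIN_AGENT = {"windows": (11, 4, 2), "macos": (12, 2)}

def parse_version(text):
    """Parse a dotted version into a tuple of ints, e.g. '12.02' -> (12, 2)."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def supports_jit(platform, version):
    """True only if the platform is listed and the agent meets its minimum."""
    minimum = MIN_AGENT.get(platform.strip().lower())
    if minimum is None:
        return False  # platform not listed on the page: do not assign
    have = parse_version(version)
    width = max(len(have), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))  # compare 12.2 as 12.2.0
    return pad(have) >= pad(minimum)

def partition_agents(inventory_csv):
    """Split hosts into (eligible, blocked) for JIT policy assignment."""
    eligible, blocked = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            ok = supports_jit(row["platform"], row["agent_version"])
        except ValueError:
            ok = False  # unknown version: fail closed, keep the policy off
        (eligible if ok else blocked).append(row["host"])
    return eligible, blocked

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,platform,agent_version
ws-001,Windows,11.4.2
ws-002,Windows,11.4.1
ws-003,Windows,11.10.0
mac-001,macOS,12.02
mac-002,macOS,11.9.3
mac-003,macOS,unknown
lnx-001,Linux,12.5
"""

if __name__ == "__main__":
    ok, held = partition_agents(SAMPLE)
    print("assign JIT policy:", ok)
    print("upgrade agent first:", held)
```

Note that ws-003 (11.10.0) is eligible: a plain string comparison would wrongly sort it below 11.4.2, which is why the versions are compared as integer tuples.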