Just In Time (JIT) Elevated Access - Windows
Just In Time (JIT) elevated access is used to grant temporary administrator access to workstations without having to create unique policies for applications with this need. Normally, policies only apply to certain applications, but in JIT mode, any application that requires elevation can be run as Administrator by the user.
JIT elevation is supported on agent versions 11.4.2 and later. Assigning this policy to older agents will cause ALL policy processing to fail.
Three policies are involved in setting up JIT functionality. They are:
- JIT Mode (Startup and Approval) (Sample) - applies to the JIT mode helper application.
- JIT Mode (Sample) - handles elevating access while JIT elevated access mode is running.
- JIT Mode (Child Processes)(Sample) - tracks applications to ensure that everything run during JIT mode is shut down at the end of the approved time limit.
Configuring JIT Mode
Policy Configuration
Enable the JIT Mode policies
Navigate to the Application Policies in the default Windows Computer Group and locate each of the three JIT Mode policies. Click the Active toggle to activate each policy.
To assign the default JIT policies to another Computer Group, duplicate, then edit the default JIT policies.
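Because assigning a JIT policy to an agent older than 11.4.2 stops all policy processing on that agent, it is worth checking agent versions per Computer Group before activating or assigning the policies. The following is an added example, not Delinea code: it assumes an agent inventory exported as CSV with hypothetical columns `computer`, `group` and `agent_version`, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

MIN_JIT_AGENT = (11, 4, 2)  # from the page: JIT needs agent 11.4.2 or later

# Constructed sample inventory; column names and export format are assumptions.
SAMPLE_INVENTORY = """\
computer,group,agent_version
WS-001,Finance,11.4.2
WS-002,Finance,11.4.10
WS-003,Engineering,11.3.3
WS-004,Engineering,11.4.3.1
WS-005,Kiosks,
WS-006,Kiosks,11.4.x
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if missing or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def supports_jit(text):
    """True only when the version parses and is numerically >= 11.4.2."""
    version = parse_version(text)
    if version is None:
        return False  # unknown version: treat as not ready
    # Pad short versions ("11.4" -> 11.4.0); a string compare would wrongly
    # rank "11.4.10" below "11.4.2", so compare integer tuples instead.
    padded = version + (0,) * (3 - len(version))
    return padded >= MIN_JIT_AGENT

def blockers_by_group(inventory_csv):
    """Map each group to the agents that must be upgraded before JIT is assigned."""
    blockers = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        blocked = blockers[row["group"]]  # lists the group even when it is clean
        reported = row["agent_version"] or ""
        if not supports_jit(reported):
            blocked.append((row["computer"], reported or "unknown"))
    return dict(blockers)

if __name__ == "__main__":
    for group, blocked in sorted(blockers_by_group(SAMPLE_INVENTORY).items()):
        status = "ready" if not blocked else f"upgrade first: {blocked}"
        print(f"{group}: {status}")
```

A group with an empty blocker list is safe to receive the JIT policies; any other group needs its listed agents upgraded first.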
Agent Configuration
Enable the JIT mode shortcut
Navigate to Agent Configuration and set the Create JIT mode shortcut toggle to Yes.
Review the Agent Priority
If you are modifying the agent configuration policy for a computer group other than the Windows Computers group, expand the Advanced section of that computer group and set the Priority to a number between 1-12 so it applies before the configuration of the Windows Computers group.
Refer to Agents on Windows Systems and Policy Priority.
Using JIT Mode
Requesting JIT mode
Use a shortcut to enter JIT elevated access mode on your agent.
If the JIT shortcut does not appear, review the Priority in your agent configuration and set it to a value from 1-12. Refer to Agent Configuration.
Find the Start Delinea JIT Elevated Access shortcut and select it to initiate an approval request for JIT mode. For Windows 10 workstations, the shortcut is listed in the top level of the programs list. For Windows 11 workstations, the shortcut is listed in the Delinea folder.
Your request for elevated access is sent for approval.
(Admin) Approving a JIT Request
Administrators receive requests for JIT elevation and need to approve those requests.
If you are an Administrator, navigate to Admin | Manage Approvals.
Enable the JIT Mode (Startup and Approval)(Sample) policy and click Approve Selected.
Select the For option, set the time for the elevated access, and click Approve. (The One Time access option is only for instances where you need to use a default elevation time of 30 minutes.)
Working as Administrator in JIT Mode
Once approved, a Windows notification appears, indicating that JIT elevated access has started. You can now run any application of your choice as an Administrator.
Additionally, an icon appears in the system tray. Click the icon to see the time remaining in JIT mode. If desired, click Exit JIT Access to end elevation mode early.
Carefully monitor the time remaining in JIT mode. At the end of the approved time, any application elevated as part of JIT mode will be terminated, which may result in the loss of any unsaved work.
Periodic Windows notifications appear during elevation according to the time remaining, as follows.
JIT Duration Time | Notifications |
---|---|
More than 1 hour | 30 minutes prior to end time; 5 minutes prior to end time; 1 minute prior to end time |
1 hour - 30 minutes | 10 minutes prior to end time; 5 minutes prior to end time; 1 minute prior to end time |
29 minutes - 5 minutes | 2 minutes prior to end time; 1 minute prior to end time |
Less than 5 minutes | 20 seconds prior to end time; 5 seconds prior to end time |