
JIT Admin access settings

Overview

Just In Time (JIT) Admin gives your end users an administrator-like experience for a limited amount of time.

  • Users can request a JIT admin session that can be approved or denied by internal support teams.
  • On approval users are granted admin rights for the duration of the session to perform tasks.
  • When the session ends admin rights are revoked.

❗️

The user is automatically logged off the session when the allocated time expires.

Security

During a JIT Admin session, the user is added to the Administrators group and therefore has local admin privileges. To mitigate misuse, the following protections are added automatically:

  • Preventing the user adding themselves or other users to the local Administrators group
  • Enabling Agent Protection for the duration of the session

Auditing

Auditing records actions taken by a user during a session.

  • Prohibit Privilege Account Management (PPAM) audits when a user was prevented from managing privilege accounts.
  • Launching applications requiring elevation raises:
    • Passive token event (106)
    • Elevate for on-demand (101)
  • User logon events (300) ensure IT admins can get an accurate view of the user's timeline.
  • For any events raised, an Elastic section, EPMWinMac.Session.JITAdmin, populates the RequestIdentifier and TicketIdentifier fields with unique values that identify the session.
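
The following added example (not BeyondTrust code) shows how the RequestIdentifier and TicketIdentifier fields can tie events 101, 106 and 300 back to one session: it groups exported events by session, rebuilds each timeline, and marks for review any session whose tagged events span more than the 24-hour maximum request duration. The nested JSON layout and the `@timestamp` and `event.code` field names are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
EVENT_NAMES = {101: "elevate_on_demand", 106: "passive_token", 300: "user_logon"}
MAX_SESSION = timedelta(hours=24)  # longest duration a user can request, per this page

def _ev(ts, code, req=None, ticket=None):
    """Build one constructed event; '@timestamp' and 'event.code' are assumed names."""
    doc = {"@timestamp": ts, "event": {"code": code}}
    if req:
        jit = {"RequestIdentifier": req, "TicketIdentifier": ticket}
        doc["EPMWinMac"] = {"Session": {"JITAdmin": jit}}
    return json.dumps(doc)

# Constructed sample export, one JSON document per line (not real telemetry).
SAMPLE = [
    _ev("2025-03-04T08:00:00Z", 101),                    # outside any JIT session
    _ev("2025-03-04T09:10:00Z", 106, "req-A", "tkt-1"),  # deliberately out of order
    _ev("2025-03-04T09:00:05Z", 300, "req-A", "tkt-1"),
    _ev("2025-03-04T09:02:10Z", 101, "req-A", "tkt-1"),
    _ev("2025-03-04T10:00:00Z", 300, "req-B", "tkt-2"),
    _ev("2025-03-05T11:30:00Z", 101, "req-B", "tkt-2"),  # 25.5 h after the first event
]

def dig(doc, path):
    """Follow a dotted path through nested dicts; None if a key is absent."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def summarize_sessions(lines, max_span=MAX_SESSION):
    """Group events by RequestIdentifier and summarize each JIT Admin session."""
    sessions = defaultdict(list)
    for line in lines:
        doc = json.loads(line)
        jit = dig(doc, "EPMWinMac.Session.JITAdmin") or {}
        rid = jit.get("RequestIdentifier")
        if not rid:
            continue  # event was not raised inside a JIT Admin session
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        sessions[rid].append((ts, int(dig(doc, "event.code")), jit.get("TicketIdentifier")))
    report = {}
    for rid, events in sessions.items():
        events.sort(key=lambda e: e[0])  # rebuild the timeline in time order
        codes = [code for _, code, _ in events]
        span = events[-1][0] - events[0][0]
        report[rid] = {"ticket": events[0][2], "span": span, "review": span > max_span,
                       "timeline": [EVENT_NAMES.get(c, str(c)) for c in codes],
                       "elevations": sum(c in (101, 106) for c in codes)}
    return report
```

Calling `summarize_sessions(SAMPLE)` returns one entry per RequestIdentifier; pass a smaller `max_span` to compare against the duration the approver actually set.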

Just-in-time Admin access workflow

  • To configure JIT admin access, an EPM user requires permissions or the Admin role.
  • Configure JIT admin access.
  • Activate Just-in-time admin on the workstyle.
  • Manage requests.

Set permissions for configuration settings

Assign the following permissions to a standard user type, or assign the Admin role:

  • AdminAccessRequestSettingsViewer
  • AdminAccessRequestSettingsAdmin

Activate JIT admin access

You must activate JIT admin access before you can use it on a workstyle.

ℹ️

Note

If Just-in-time Admin configuration is disabled after it has been applied to users, those users can still request a Just-in-time session, but EPM automatically declines the request and displays a message stating that Just-in-time requests are disabled.

To activate the admin access:

  1. Select Configuration from the main menu.
  2. Select JIT Configuration, and then Admin Access.
  3. To turn on the integration, select Enable Just-in-time (JIT) Admin Access Integration.
  4. If required, select the check box to make users enter notes for the admin access.
  5. Select Save Changes.

Apply JIT admin access on a workstyle

Activate Just-in-time (JIT) admin access on a workstyle to provide temporary local admin permissions to your standard users.

  • JIT admin access is activated on a workstyle.
  • Users that are members in the selected workstyle can request admin access through their EPM endpoint app. JIT admin access cannot explicitly be denied to particular users.
  • The EPM endpoint app is accessible from the System Tray (Windows) or Menu bar (macOS).

JIT admin requests are managed in JIT Admin Management, where authorized users can approve or deny requests.

The feature is available for both Windows and macOS.

  1. Select the Policies menu.
  2. Select the policy in the list and select Open Policy.
  3. Select a Workstyle, and then select Enable JIT Admin from the menu.

In the EPM endpoint app, the user requesting the admin access can see the status of their requests.

Manage requests

Approve or deny JIT Admin access requests on the JIT Access Management page.

Managing JIT Admin access requests requires special permissions. Assign the following permissions when creating the user account or assign the Admin role:

  • AdminAccessRequestApprover
  • AdminAccessRequestViewer

To access JIT Admin access requests:

  1. Select JIT Access Management from the main menu.
  2. Select the Admin Access Requests tab.
  3. Review the requests.
  4. Select the menu for a request to access the approve and deny options.

Set an already approved request to deny if the session is no longer required or was approved in error.

Manage requests on the endpoint app

On the endpoint app:

  • Users can request a session duration between 5 minutes and 24 hours. The approver sets the session duration during the approval process.
  • Users can have only one request open at a time.
  • Notifications are issued when 5 minutes and 1 minute remain in the session. The user is logged off the session when the time expires.
  • Users can select End Session to close the session before the allocated session time passes.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.