Just-In-Time Admin Access on macOS Devices
  • 24 Jul 2024
  • 6 min read
Article summary

Administrator accounts are prime targets for hackers, as compromising a device grants them full control over all Admin actions. This includes tasks like managing users, accessing files, installing apps, and more. In a school environment, users typically require Admin privileges on their Macs for less than 5 minutes per month. However, to accommodate these brief needs, such as removing an app, users are granted Admin privileges for hundreds of hours each month, posing a significant security risk.

This is where just-in-time admin access comes in: users operate with Standard privileges all the time and receive temporary Admin privileges, in a controlled way, only when absolutely necessary.

The Just-In-Time Admin feature enables standard users to request a temporary upgrade to Admin status. This feature grants users access to accounts and resources for a limited time when they need them. Thus, it reduces the risks associated with giving users more privileges than they require by providing this access only when required.

Through Scalefusion Dashboard, IT Admins can create configurations that control how and when users can request admin access and also monitor the usage of the privilege. Let us understand what configurations we offer and how they can be implemented, with the help of this article.

Pre-Requisites

  1. Devices should be enrolled with Scalefusion
  2. Latest version of Scalefusion MDM client should be installed on macOS devices
  3. The Just-In-Time feature should be enabled for your account.

Step 1: Create Configuration

  1. On Scalefusion Dashboard, navigate to OneIdP > Just-In-Time Admin and click on Create Configuration
  2. This will bring up the Create Just-In Time Config window.
  3. Enter the Configuration name on the top
  4. The left side menu will show the following:
    1. JIT Admin Configuration
    2. Logs & Activities
  5. JIT Admin Configuration: From this section, configure the following settings:
    1. Duration of Admin Privilege: Specify the duration (in minutes) during which the user will have Admin privileges. The account will be automatically reverted to a Standard user afterwards. Duration can be from 5 to 60 minutes.
    2. Allowed number of Requests per Day: Configure the number of requests (for admin privileges) the user is allowed to make per day. It can be from 1 to 10.
    3. Enforce Request justification text: By toggling on this setting, the user will be required to enter the reason for requesting Admin privileges.
    4. Enforce active internet connection: On enabling this setting, the user is required to have an active internet connection in order to request Admin privileges.
    5. Configure Disclaimer Note: Configure the disclaimer text that will be shown on the JIT Admin screen. Enter the note in the text area. A default note is provided which can be updated.

Logs & Activities: After configuring JIT Admin configuration, move to the next section from the left menu Logs & Activities. Configure the following from here:

  1. Collect logs of critical operations performed while having Admin Privileges: Configure whether logs of critical operations performed with Admin privileges should be captured and synced to the dashboard.
    Logs are captured only during the timeframe when a Standard user is elevated to an Admin user.
  2. Terminate Applications on User downgrade: Configure the applications that need to be terminated when an Admin user is downgraded to a Standard user. Select from where the applications should be terminated. Following are the options:
    1. Terminal
    2. System Settings
  3. After configuring the above, click on Save Configuration on top.

The configuration will be created and displayed under JIT Admin Configurations tab.

Step 2: Publish JIT Admin Configuration

The next step is to publish the configuration on devices. To do so,

  1. Click on Publish icon in front of the JIT admin config.
  2. This will bring up the Publish dialog. Select the device profiles on which you want to allow the JIT admin access, and click Publish
  3. The configuration will be pushed to devices.

Additional Actions 

Following are the additional actions that can be taken on a JIT Admin Configuration from Scalefusion Dashboard:

  1. Edit: Allows you to make changes to the existing configuration. On clicking Edit, the Edit Just-In-Time Config window opens with the configuration's details.
  2. Unpublish: This will unpublish the configuration from the profile(s) on which you have already published it.
  3. Delete: Deleting the configuration will unpublish the settings from the applied profile(s). All the data related to the configuration will also get deleted.

JIT Admin Access on Device

Once configuration is pushed to devices, 

  1. Open the Scalefusion MDM Client (agent app for macOS) on the macOS device.
  2. On the left side menu, navigate to JIT Admin
  3. In the text area, provide a justification as to why you are requesting admin privileges and click on the button Elevate as Admin.
  4. You will receive a success message. 
  5. Once the account is elevated to admin, a confirmation message will flash on the top right side of the device. You can also confirm this by going to the Users section on the device, where the standard user will now be listed as an admin.

JIT Admin Access Summary

On Scalefusion Dashboard, you can get a summarized view of JIT Admin access on devices and other details from JIT Admin access summary section. Following information is available:

  1. Device Summary: Gives a summarized view with following details:
    1. Total Devices: Total number of devices that have JIT Admin configuration applied.
    2. Standard Users: Total number of standard users that are available on these devices.
    3. Admin Users: Total number of admin users that are available on these devices.
  2. Request Summary: Gives a summarized view of requests with following details:     
    1. Admin Requests Today: No. of Admin requests made during the day. This is calculated based on the timezone of the dashboard
    2. Total Admin Requests: Total number of Admin requests made during last 60 days.
  3. Devices Overview: Here, you can get a consolidated tabular view with list of the devices where the configuration has been applied.
    1. Name: Displays the Device name.
    2. Serial Number: Displays the Device Serial number.
    3. Requests Today: Number of Requests received from the Device today.
    4. Total Requests: Total number of admin Requests received from the Device. 
    5. Configuration: The name of the configuration applied on the device.
    6. Actions: Clicking on View will take you to the Activity Logs tab with the details of the selected Device.
  4. You can also apply filters to get results at a granular level, such as:
    1. Sort By: The results will be sorted based on:
      1. Device Name
      2. Requests Today
      3. Total Requests
      4. Configuration
    2. Select Configurations: Select all or any particular JIT admin configuration
    3. Pages: Select no. of results on a single page
    4. Download Device Report: Clicking on this will download the report in csv format containing following information:
      1. Name
      2. Serial Number
      3. Requests Today
      4. Total Request
      5. Configuration

Activity Logs

From this section you can view and download the logs of activities undertaken by users on the device, during their elevation from standard to admin user. The admin sessions are listed with the following information:

Events for the last 60 days are available in this section.

  1. Name: Displays the Device name
  2. Serial Number: Displays the Serial number
  3. Username: Name of the User who requested for the JIT Admin feature.
  4. Start Time: Start time of the JIT Admin activity, i.e., when the user is elevated to Admin. This will be shown based on the time zone selected in the settings.
  5. End Time: End time of the JIT Admin activity, i.e., when the user is downgraded back to a Standard user. This will be shown based on the time zone selected in the settings.
  6. Justification: Clicking on View will display a popup with the justification text entered.
  7. Logs: Click on Download to download the log file of activities during admin session.
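The session list above is also useful for a periodic audit: sessions that outlived the configured duration, users exceeding their daily request allowance, and empty justifications are all signals an IT Admin would want to catch. The following Python script is an added example, not Scalefusion code; it assumes a CSV export with the Activity Logs columns listed above (the real download format may differ), with constructed sample rows and assumed policy values.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Policy values as set in the JIT Admin Configuration (assumed for this example).
DURATION_MINUTES = 15   # "Duration of Admin Privilege"
REQUESTS_PER_DAY = 2    # "Allowed number of Requests per Day"

# Constructed sample export; the column layout is an assumption modelled on the
# Activity Logs section, and the serial numbers are placeholders.
SAMPLE_CSV = """Name,Serial Number,Username,Start Time,End Time,Justification
Lab-Mac-01,SERIAL-01,alice,2024-07-22 09:00,2024-07-22 09:15,Remove old printer driver
Lab-Mac-01,SERIAL-01,alice,2024-07-22 13:00,2024-07-22 13:15,Install lab software
Lab-Mac-01,SERIAL-01,alice,2024-07-22 16:00,2024-07-22 16:15,Update an app
Lab-Mac-02,SERIAL-02,bob,2024-07-23 10:00,2024-07-23 10:40,
"""

FMT = "%Y-%m-%d %H:%M"

def audit(csv_text, duration_minutes=DURATION_MINUTES, per_day=REQUESTS_PER_DAY):
    """Flag sessions longer than the configured duration (the automatic revert
    may not have happened), user-days over the request limit, sessions with an
    empty justification, and total elevated minutes per user."""
    minutes_by_user = defaultdict(int)
    requests_by_user_day = defaultdict(int)
    overlong, missing_justification = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = datetime.strptime(row["Start Time"], FMT)
        end = datetime.strptime(row["End Time"], FMT)
        minutes = int((end - start).total_seconds() // 60)
        user = row["Username"]
        minutes_by_user[user] += minutes
        requests_by_user_day[(user, start.date().isoformat())] += 1
        if minutes > duration_minutes:
            overlong.append((user, row["Serial Number"], minutes))
        if not row["Justification"].strip():
            missing_justification.append((user, row["Start Time"]))
    return {
        "minutes_by_user": dict(minutes_by_user),
        "overlong_sessions": overlong,
        "over_request_limit": [k for k, n in requests_by_user_day.items() if n > per_day],
        "missing_justification": missing_justification,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CSV).items():
        print(key, value)
```

Run it against a real export after adjusting the column names and the two policy constants to match the published configuration.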

Recommendations

This section provides a summarized view of the Admin Accounts available on the devices. Following details are available:

  1. Name: Displays the Device name.
  2. Serial Number: Displays the Device Serial number.
  3. Total Users: Displays the total number of users on the device.
  4. Total Admins: Displays the total number of Admins on the device.
  5. Managed Admins: Displays the number of managed Admins, i.e., Global admins. Currently we do not have Global admins in macOS, so it will be 0 for now.
  6. JIT Configuration: Displays the name of the JIT Admin configuration applied on the device. If no configuration is applied, it will display NA.
  7. Actions: 
    1. Publish: From here you can select and publish the JIT configuration on the device. This will be enabled only for devices where a JIT configuration is not applied. On clicking Publish, a dialog box will be displayed:
      1. Show Configurations: Clicking this will navigate the Admin to the JIT Admin Configuration section.
    2. Downgrade Admins: Select Admin users to downgrade as Standard user. Clicking this will display the following dialog with list of admin users to be downgraded. Select the users (to be downgraded) by selecting the checkbox and proceed.
      To downgrade all users in one go, simply select the checkbox in front of each row and click on the button Downgrade All Users


この記事は役に立ちましたか?