- 20 Sep 2024
- 7 読む分
- 印刷する
- PDF
Just-In-Time Admin Access on Windows Devices
- 更新日 20 Sep 2024
- 7 読む分
- 印刷する
- PDF
The Just-In-Time Admin feature enables users to get temporary access to launch app(s) in admin mode on Windows devices, for a limited time when they need them. Thus, it reduces the risks associated with giving users more privileges than they require by providing this access only when required. It ensures that users operating with elevated privileges for a limited time, get a secure way to launch the apps and also perform other activities only when absolutely necessary.
Through Scalefusion Dashboard, IT Admins can create configurations that control how and when users can request access to any app in admin mode and also monitor the usage of the privilege. Let us understand what configurations we offer and how they can be implemented on Scalefusion managed Windows devices, with the help of this article.
Pre-Requisites
- Devices should be enrolled with Scalefusion.
- Latest version (v15.2.0) of Scalefusion MDM agent should be installed on Windows devices.
- Just-In Time feature should be enabled for your account.
- Supported Device Configurations: Windows OS 10 & above (Server, LTSC, LTSB)
Step 1: Create Configuration
- On Scalefusion Dashboard, navigate to OneIdP > Just-In-Time Admin and click on Create Configuration.
- This will bring up the Create Just-In Time Config window.
- Enter the Configuration name on the top
- The left side menu will show the following:
- JIT Admin Configuration
- Logs & Activities
- Elevation Scope
- JIT Admin Configuration: From this section, configure the following settings:
Setting | Description |
Duration of Admin Privilege | Specify the duration (in minutes) during which the user can access the app in elevated mode. Once time gets over, the app will be automatically closed. Duration can be from 5 to 60 minutes. Note: This duration can be overridden from Elevation scope section |
Allowed number of Requests per Day | Configure the number of requests (for accessing any app with admin privileges), the user is allowed to make per day. It can be from 1 to 10. |
Enforce Request justification text | By toggling on this setting, user will be required to enter the reason for requesting access to any application with elevated access. |
Enforce active internet connection | On enabling this setting, the user is required to have active internet connection in order to request for accessing any application in admin mode. |
Allow users to elevate using other Admin credentials | Allows users to elevate the applications with admin privileges by entering other Admin's credentials, else users will be able to elevate applications using only the Scalefusion Account. |
Configure Disclaimer Note | Configure disclaimer text that will be shown on the JIT Admin screen. Enter the note in the text area. A default note is provided which can be updated. |
b. Logs & Activities: After configuring JIT Admin configuration, move to the next section from the left menu Logs & Activities. Configure the following from here:
- Monitor Admin Access and Collect logs: Configure if logs of critical operations and/or application start/stop times performed with Admin privileges should be captured and synced to the dashboard. Please note, the data collected varies between macOS and Windows platforms.
c. Elevation Scope: From here you can configure the scope of elevation to admin with following settings:
- Configure accounts that can request Admin access: From the drop-down, select any one:
- All Non-admin accounts: All non-admin accounts on the device can request for accessing application in elevated mode.
- Specific Accounts: Only specific accounts can request for accessing application in elevated mode. On selecting this, provide the user account names in the text area below to whom you want to provide access. Please note Custom Properties are also supported here.
- Select Applications that can be Run As Administrator: The options available are:
- All Allowed Applications: All applications enabled in Select Apps section of Device Profile
- All Applications: All applications can be run as administrator
- Specific Applications: Only specific applications can be run as administrator. On selecting this, add the app name by clicking on Add Application and add other related details with regards to the app like app name, version etc.
- Override Duration of Admin Privilege: Specify the duration (in minutes) after which the admin privileges will be automatically revoked which will automatically close the app and this will override the duration of admin privileges specified under JIT Admin Configuration section. The time duration can be anywhere between 1 to 1440 mins.
After configuring the above, click on Save Configuration on top.
The configuration will be created and displayed under JIT Admin Configurations tab.
Step 2: Publish JIT Admin Configuration
The next step is to publish the configuration on devices. To do so,
- Click on Publish icon in front of the JIT admin config.
- This will bring up the Publish dialog. Select the device profiles on which you want to allow the JIT admin access, and click Publish
- The configuration will be pushed to devices.
Additional Actions
Following are the additional actions that can be taken on a JIT Admin Configuration from Scalefusion Dashboard:
- Edit: Allows you to make changes in the existing configuration. On clicking edit, you will get the Edit Just-In-Time config info
- Unpublish: This will unpublish the configuration from the profile(s) on which you have already published it.
- Delete: Deleting the configuration will unpublish the settings from the applied profile(s). All the data related to the configuration will also get deleted.
JIT Admin Access on Device
Once configuration is pushed to devices,
- Open the application which has to be run in admin mode (Right click on it and choose Run as Administrator).
- This will open the User Account Control dialog. Notice, inside the window, the duration, Disclaimer etc. you have configured in the JIT admin configuration, will be displayed along with Run with Scalefusion Privilege account.
- In the text area, provide a reason as to why you are requesting admin privileges and click on Yes.
- You can continue using the application as administrator.
JIT Admin Access Summary
On Scalefusion Dashboard, you can get a summarized view of JIT Admin access on devices and other details from JIT Admin access summary section. Following information is available:
- Device Summary: Gives a summarized view with following details:
- Total Devices: Total number of devices that have JIT Admin configuration applied.
- Standard Users: Total number of standard users that are available on these devices.
- Admin Users: Total number of admin users that are available on these devices.
- Request Summary: Gives a summarized view of requests with following details:
- Admin Requests Today: No. of Admin requests made during the day. This is calculated based on the timezone of the dashboard
- Total Admin Requests: Total number of Admin requests made during last 60 days.
- Devices Overview: Here, you can get a consolidated tabular view with list of the devices where the configuration has been applied.
- Name: Displays the Device name.
- Serial Number: Displays the Device Serial number.
- Requests Today: Number of Requests received from the Device today.
- Total Requests: Total number of admin Requests received from the Device.
- Configuration: The name of the configuration applied on the device.
- Actions: Clicking on View will take you to the Activity Logs tab with the details of the selected Device.
- You can also apply filters to get results at a granular level, such as:
- Sort By: The results will be sorted based on:
- Device Name
- Requests Today
- Total Requests
- Configuration
- Select Configurations: Select all or any particular JIT admin configuration
- Pages: Select no. of results on a single page
- Download JIT Report: Clicking on this will download the report in csv format containing following information:
- Name
- Serial Number
- Requests Today
- Total Request
- Configuration
- Sort By: The results will be sorted based on:
Activity Logs
From this section you can view the activities undertaken by users on the device, during their elevation from standard to admin user. The admin sessions are listed with the following information:
- Name: Displays the Device name
- Serial Number: Displays the Serial number
- Username: Name of the User who requested for the JIT Admin feature.
- File Name: Name of file accessed by user
- Start Time: Start time of the JIT Admin Activity, i.e, when the user is elevated to Admin. This will be shown based on the time zone selected in the settings.
- End Time: End time of the JIT Admin Activity, i.e, when the user is downgraded back as Standard user. This will be shown based on the time zone selected in the settings.
- Justification: Clicking on View will display the a popup with Justification text entered.
- Logs: Will show as N/A
Recommendations
This section provides a summarized view of the Admin Accounts available on the devices. Following details are available:
- Name: Displays the Device name.
- Serial Number: Displays the Device Serial number.
- Total Users: Displays the total number of users on the device. Clicking on the count will open a small window showing list of users.
- Total Admins: Displays the total number of Admins on the device. Clicking on the count will open a small window showing list of admins.
- Managed Admins: Displays the number of managed Admins. Managed Admins are the users created by Scalefusion MDM agent for using some features. End users do not have access to these accounts. Clicking on the count will open a small window showing list of managed admins.
- JIT Configuration: Displays the name of the JIT Admin configuration applied on the device. If no configuration is applied, it will display NA
- Actions:
- Publish: From here you can select and publish the JIT configuration on the device. This will be enabled only for devices where a JIT configuration is not applied. On clicking Publish, a dialog box will be displayed:
- Show Configurations: Clicking this will navigate the Admin to the JIT Admin Configuration section.
- Show Configurations: Clicking this will navigate the Admin to the JIT Admin Configuration section.
- Publish: From here you can select and publish the JIT configuration on the device. This will be enabled only for devices where a JIT configuration is not applied. On clicking Publish, a dialog box will be displayed: