Just In Time Elevated Access

Just In Time (JIT) elevated access is used to grant temporary administrator access to workstations without having to create unique policies for applications with this need. Normally, policies only apply to certain applications, but in JIT mode, any application that requires elevation can be run as Administrator by the user.

JIT elevation is supported on agent versions 11.4.2 and later. Assigning this policy to older agents will cause ALL policy processing to fail.

Three policies are involved in setting up JIT functionality. They are:

  • JIT Mode (Startup and Approval) (Sample) - applies to the JIT mode helper application.

  • JIT Mode (Sample) - handles elevating access while JIT elevated access mode is running.

  • JIT Mode (Child Processes)(Sample) - tracks applications to ensure that everything run during JIT mode is shut down at the end of the approved time limit.

Configuring JIT Mode

Enable the JIT Mode policies

Navigate to the Application Policies in the default Windows Computer Group and locate each of the three JIT Mode policies. Click the Active toggle to activate each policy.

To assign the default JIT policies to another Computer Group, duplicate, then edit the default JIT policies.

Enable the JIT mode shortcut

Navigate to Agent Configuration and set the Create JIT mode shortcut toggle to Yes.

Using JIT Mode

Requesting JIT mode

Use a shortcut to enter JIT elevated access mode on your agent. Find the Start Delinea JIT Elevated Access shortcut and select it to initiate an approval request for JIT mode. On Windows 10 workstations, the shortcut is listed in the top level of the programs list. On Windows 11 workstations, the shortcut is listed in the Delinea folder.

Your request for elevated access is sent for approval.

(Admin) Approving a JIT Request

Administrators receive requests for JIT elevation and need to approve those requests.

If you are an Administrator, navigate to Admin | Manage Approvals.

Enable the JIT Mode (Startup and Approval)(Sample) policy and click Approve Selected.

Select the For option, set the duration of the elevated access, and click Approve. (Use the One Time option only when you need the default elevation time of 30 minutes.)

Working as Administrator in JIT Mode

Once approved, a Windows notification appears, indicating that JIT elevated access has started. You can now run any application of your choice as an Administrator.

Periodic Windows notifications appear during elevation as a reminder of time remaining. Additionally, an icon appears in the system tray. Click the icon to see the time remaining in JIT mode. If desired, click Exit JIT Access to end elevation mode early.

Carefully monitor the time remaining in JIT mode. At the end of the approved time, any application elevated as part of JIT mode is terminated, which may result in the loss of any unsaved work.