Just In Time (JIT) Administrator Privileges - macOS
Just In Time (JIT) administrator privileges are used to grant temporary administrator access to a computer without creating a separate policy for each application that needs elevation. Normally a policy applies only to specific applications; in JIT mode, any application that requires elevation can be run as an administrator by the user for the duration of the grant.
macOS JIT Admin Privilege Requests are supported on macOS agent versions 12.0.2 and later.
The Sample JIT Policy
The provided sample policy is macOS JIT Admin Privilege Request (Sample).
This policy includes the sample filter macOS JIT Admin Privilege Filter and sample action macOS JIT Admin Privilege Request Action (Sample) - Approval Request Message Action (HTML).
Approval Request Message action
Select the macOS JIT Admin Privilege Request Action (Sample) - Approval Request Message Action (HTML). This action is an Approval Request Message action that has been updated for JIT.
The Approval Type must be Default macOS JIT Admin Privilege Request Type. The macOS agent identifies the policy to use for a JIT administrator privilege request by scanning for this Approval type.
If this Approval type is not used in the action of a JIT policy, JIT will not work.
Do not change the Message Type. It must remain set at Approval Request Message.
The filter in the policy is a placeholder. The agent ignores any filters in a JIT policy because no filter is needed: as noted above, the agent selects the policy by looking for the special Approval type when a user requests JIT Admin Privileges.
Using JIT Mode
Specific procedures are used to request JIT mode, as well as work in JIT mode.
Requesting JIT mode
You request administrator privileges from the Verify Privilege Manager Agent Utility or by selecting Request JIT Admin Privileges… from the menu bar icon.
If the sample policy is enabled, an Approval Needed message window (shown below) displays; if a different action is configured in the JIT Admin Privilege Request policy, that action executes instead.
Next, a response displays.
If no JIT Admin Privilege Request policy can be located, or some other error occurs, the agent displays one of these error notifications.
Otherwise, if a correct JIT Admin Privilege Request policy is located, the request is submitted and will be approved or denied.
Working as an Administrator in JIT Mode
While you are working as an administrator, periodic notifications indicate the time remaining.
Hovering over the menu bar icon also shows the time remaining.
You can also select Remove JIT Admin Privileges prior to the expiration time to remove JIT Admin Privileges early.
Once JIT Admin Privileges expire, or an administrator revokes the approval, the user is notified.
An administrator can also change the expiration time of JIT Admin Privileges. The user is notified, and the remaining time shown in the Agent Utility and menu bar is updated accordingly.
Approving or Denying a JIT Request
Administrators receive requests for JIT Admin Privileges. Access the Approvals page to approve or deny the requests using any of the following methods:
- Click the notification bell in the top right corner of the page
- Go to Admin | Approvals
- Click the Pending Approval Requests tile on the Home page
The new approval request shows the JIT Admin Privileges Request policy being used. For example, if the sample policy is being used, it will read: macOS JIT Admin Privilege Request (Sample).
Auditing macOS JIT Administrative Privileges
To log or audit events that occur while a user has JIT Admin Privileges, create a policy with the following criteria:
- applies to all processes
- targets macOS machines
- has a user context filter that matches the user to the administrator group
This policy affects performance when enabled, since it applies to every process on the targeted machines. It also targets all users who are members of the administrator group, not just users who hold administrator membership through JIT Admin Privileges, so expect events from permanent administrators as well.
Prerequisite
You must enable Log Policy Events in the macOS JIT Admin Privileges policy in order to view users (Policy Events tab) who requested JIT Admin Privileges.
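The auditing policy above keys on the user being in the administrator group. When reviewing an endpoint, it is useful to confirm that membership directly rather than relying on the menu bar countdown, for example to verify that a grant really was removed at expiry or after revocation. The script below is an added example and is not part of the Privilege Manager documentation or the agent; it assumes the standard macOS Directory Services tools (dscl and dseditgroup) and parses the membership line that `dscl . -read /Groups/admin GroupMembership` prints. The sample membership line is constructed so the parser can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the Privilege Manager documentation or agent):
# check on the endpoint itself whether a user currently holds admin-group
# membership, independently of the agent's JIT countdown.
# Assumes macOS Directory Services tools (dscl, dseditgroup). On other
# systems only the offline parser below runs.

# Parse one line of `dscl . -read /Groups/admin GroupMembership` output,
# which has the form "GroupMembership: root admin alice", and print the
# member names one per line.
parse_admin_members() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# Exit 0 (true) if the user appears in the given membership line.
# -F -x: match the whole line as a fixed string, so "al" does not match "alice".
is_admin_member() {
    user="$1"; line="$2"
    parse_admin_members "$line" | grep -qxF -- "$user"
}

# Read the current membership line from Directory Services (macOS only).
read_admin_membership() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership
    else
        echo "dscl not available; cannot read live membership" >&2
        return 2
    fi
}

# Live check: dseditgroup exits 0 when the user is a member of the group.
# This is the same question the audit policy's user context filter asks.
live_admin_check() {
    if command -v dseditgroup >/dev/null 2>&1; then
        dseditgroup -o checkmember -m "$1" admin
    else
        echo "dseditgroup not available; skipping live check" >&2
        return 2
    fi
}

# Constructed sample line, as dscl would print it on a Mac where the user
# "alice" currently holds JIT Admin Privileges.
SAMPLE='GroupMembership: root admin alice'

if is_admin_member alice "$SAMPLE"; then
    echo "alice is in the admin group (sample data)"
fi
```

On a Mac, run `live_admin_check "$USER"` before the grant, during it, and again after expiry or after an administrator selects Remove JIT Admin Privileges; the exit status should flip from nonzero to 0 and back. Combined with the Policy Events tab, this gives an independent record that the elevation window opened and closed when the agent says it did.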