Just In Time (JIT) Administrator Privileges - macOS
Just In Time (JIT) administrator privileges is used to grant temporary administrator access to computers without having to create unique policies for applications with this need. Normally, policies only apply to certain applications, but in JIT mode, any application that requires elevation can be run as an administrator by the user.
macOS JIT Admin Privilege Requests are supported on macOS agent versions 12.0.2 and later.
The Sample JIT Policy
The provided sample policy is macOS JIT Admin Privilege Request (Sample).
This policy includes the sample filter macOS JIT Admin Privilege Filter and sample action macOS JIT Admin Privilege Request Action (Sample) - Approval Request Message Action (HTML).
Approval Request Message action
Select the Approval Request Message Action (HTML). The action is an Approval Request Message action that has been updated for JIT.
To use a message type other than Approval Request Message, duplicate the action and change the Message Type. The Approval Type must be Default macOS JIT Admin Privilege Request Type. This Approval type is identified by the macOS agent when scanning for the policy to use when you request JIT administrator privileges.
If this Approval type is not used in the action of a JIT policy, then JIT will not work.
The filter in the policy is a placeholder filter. The agent will ignore any filters in a JIT policy because the filter is not needed. Again, this is because the agent looks for the special Approval type when a user requests JIT Admin Privileges.
Using JIT Mode
Specific procedures are used to request JIT mode, as well as work in JIT mode.
Requesting JIT mode
You request administrator privileges using the Verify Privilege Manager Agent Utility or through the menu bar Icon with Request JIT Admin Privileges….
If the sample policy is enabled, an Approval Needed message window (shown below) displays, or whatever action in the JIT Admin Privilege Request policy executes.
Next, a response displays.
If a JIT Admin Privilege Request policy cannot be located, or some other error occurs, the agent displays one of these error notifications.
Otherwise, if a correct JIT Admin Privilege Request policy is located, the request will be approved or denied.
Working as an Administrator in JIT Mode
Periodic notifications appear when working as an administrator, indicating the time remaining. For example:
You can hover over the menu bar icon to see the time remaining.
You can also remove JIT Admin Privileges early. Select Remove JIT Admin Privileges prior to the expiration time.
Once JIT Admin Privileges expire, the user will be notified.
(Administrator) Approving a JIT Request
Administrators receive requests for JIT elevation and need to approve those requests. If you are an administrator, navigate to Admin | Manage Approvals.
Select the item that shows the JIT Admin Privileges Request policy being used. For example, if the sample policy is being used, it will read macOS JIT Admin Privilege Request (Sample).
Select the For option and set the time for the elevated access and click Approve. (The One Time access is only in instances where you need to use a default elevation time of 4 hours.)
Auditing macOS JIT Administrative Privileges
In order to log or audit events that occur when a user has JIT Admin Privileges, create a policy with the following criteria:
-
applies to all processes
-
targets macOS machines
-
has a user context filter that matches the user to the administrator group
This policy impacts performance when enabled. It targets all administrator users, not just users that are administrator users during JIT Admin Privileges.
Prerequisite
You must enable Log Policy Events in the macOS JIT Admin Privileges policy in order to view users (Policy Events tab) who requested JIT Admin Privileges.