The JIT (just-in-time access) implementation in Trigger-it lets administrators grant users or power users temporary access to managed endpoints, that is, temporary administrative privileges on those endpoints for a defined access period.
How JIT Works in Trigger-it:
When a Trigger-it administrator configures a JIT request on a managed endpoint, the endpoint will receive the following instructions:
- Email of the end user who will receive access.
- Access start time.
- Access end time.
- Access specifications, such as which group on the local machine the temporary account will be created for.
The machine will generate a random username and password, which will be emailed to the end user. There are two options for sending the SMTP email:
- The SMTP email can be sent directly from the endpoint.
- The SMTP email can be sent from the backend.
This is configured by selecting “Use Server Side SMTP” in the JIT Wizard.
The end user will receive the credentials in an email like the one below:
Temporary Account has been created and the username is: X9qqkbBqb and account password is: wubAtdcvn you can login until:3/30/2024 10:31 PM
Sample email received by the end user.
The account will be created locally but in a disabled state. Three minutes before the start of the access period, the account will be enabled to allow the user to log in.
Once the access time comes to an end, the user will be automatically logged off, and the temporary account will be deleted, even if the end user is still working. To request access again, the administrator must submit a new JIT request.
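The endpoint-side lifecycle just described (random credentials, account created disabled, enabled three minutes before the start time, user logged off and account deleted at the end time), as an added PowerShell illustration that is not Trigger-it's agent code; the parameter names, the SMTP send step and the `-AccountExpires` backstop are assumptions.

```powershell
# Added illustration of a JIT local-account lifecycle on a Windows endpoint (not Trigger-it's agent).
param(
    [Parameter(Mandatory)][string]$UserEmail,      # end user who receives the credentials
    [Parameter(Mandatory)][datetime]$AccessStart,
    [Parameter(Mandatory)][datetime]$AccessEnd,
    [ValidateSet('Administrators','Power Users','Users')][string]$Group = 'Users'
)

function New-RandomString([int]$Length) {
    # CSPRNG-backed letters and digits; rejection sampling (248 = 4*62) avoids modulo bias.
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = ''
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { $out += $chars[$buf[0] % $chars.Length] }
    }
    return $out
}

$userName = New-RandomString 9   # same shape as the sample email; the real product's charset is unknown
$password = New-RandomString 16
$secure   = ConvertTo-SecureString $password -AsPlainText -Force

# 1. Create the account disabled so it cannot be used before the access window opens.
#    -AccountExpires is a backstop: the OS rejects logons after the end time even if this script dies.
New-LocalUser -Name $userName -Password $secure -Description "JIT for $UserEmail until $AccessEnd" `
    -AccountExpires $AccessEnd -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
Disable-LocalUser -Name $userName
Add-LocalGroupMember -Group $Group -Member $userName

# 2. Deliver the credentials (assumption: $SmtpServer comes from the Agent Settings policy).
# Send-MailMessage -To $UserEmail -Subject 'Temporary Account' -SmtpServer $SmtpServer `
#     -Body "Temporary Account has been created and the username is: $userName and account password is: $password you can login until: $AccessEnd"

# 3. Enable three minutes before the window opens, then tear down when it closes.
while ((Get-Date) -lt $AccessStart.AddMinutes(-3)) { Start-Sleep -Seconds 30 }
Enable-LocalUser -Name $userName

while ((Get-Date) -lt $AccessEnd) { Start-Sleep -Seconds 30 }
# Log off every session of the temporary user (session ID precedes the Active/Disc state column).
quser 2>$null | Where-Object { $_ -match "^\s*>?$userName\s" } | ForEach-Object {
    if ($_ -match '\s(\d+)\s+(Active|Disc)') { logoff $Matches[1] }
}
Remove-LocalUser -Name $userName
```

Run it elevated on the endpoint; the two wait loops stand in for whatever scheduler the real agent uses.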
JIT Prerequisites:
Before using JIT, administrators must configure a policy on the client using the Agent Settings policy element, which includes configuring the SMTP server FQDN, username, password, and port.
JIT Implementation in Trigger-it
To grant users temporary access (JIT), a Trigger-it administrator requests temporary access on managed endpoints from the console by selecting Security > Privilege Access management:
Once selected, the JIT Wizard will open:
In the main screen, configure the JIT parameters:
- Select Operation Type: for now the only supported type is Temporary Access.
- Account Name: enter the email address of the end user who will receive the JIT credentials.
- Desired Group: Choose between Administrators, Power Users or Users.
- Access Start Time: this is when the access will start.
- Access End Time: This is when the access will end.