Just-in-Time (JIT Admin Login)
Discover the benefits of Just-in-Time (JIT) administration for a secure, efficient login process.
Table of Contents
AutoElevate's Just-in-Time Admin Login feature enables technicians to access a computer as a signed-in Admin user by scanning a QR code to authenticate, making it easy and secure to perform critical tasks. However, it's worth noting that when the Agent creates or takes control of an existing user, access will only be granted to the Agent. This feature is designed and supported for 64-bit Windows workstations, including versions 10, and 11.
Note: your agents must be on v2.8+ for this feature to be available.
Important Notice: Just-in-Time Admin Login Limitations
JIT Admin Login does not currently work within the lock screen of an already connected RDC session (Remote Desktop Connection) or for a Windows 365 cloud computer. You will need to connect to the login screen and then select the JIT user from there.
Just-in-Time Admin Login with Windows Authentication Products
Please note that certain Windows authentication products might prevent the display of the JIT Admin Login button on the Windows login screen. These products prevent our credential provider from loading. This is the case with DUO and WatchGuard AuthPoint.
For instructions on how to whitelist AutoElevate with DUO, please refer to the following article: DUO with Admin Login.
Quick Start
- From the Settings screen select Global> Just-in-Time (JIT) Admin Login> Edit (Pencil icon) or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon from the top of the grid.
- Check the "Enabled" box, set custom User name then SAVE.
Just-in-Time Admin Login location
- Then select Global> Agent Security> Just-in-Time Admin Login Authorization> Edit (Pencil icon) or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon from the top of the grid.
- Select Role or Users you wish to allow access to this feature and SAVE.
Just-in-Time Admin Login Authorization
Enabling - Additional Options & Info
From the Settings screen, select either Global > Just-in-Time (JIT) Admin Login > Just-in-Time (JIT) Admin Configuration > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.
-
Enabled: Check to enable.
-
Username: Set a username. When adding a user, it's important to note that if the username already exists on the machine, its password will be overwritten. This can be helpful for existing admin accounts on the end-user's computer. However, it's crucial to exercise caution when using this feature to avoid overwriting a user's password of a user that the technician did not intend to modify. Always verify that the correct username has been entered before proceeding.
-
Credential Title Label Override: Coming soon! Customize the title name at the login screen.
-
Delete User After Every Log Off: Check to enable. This option allows technicians to create temporary admin users that are automatically removed when they are no longer in use. Persistent users will not be deleted during uninstallation or when the "Admin Login" setting is disabled.
Selecting Username
It is advisable to avoid using the usernames of Administrator or ~0000AEAdmin. These usernames cannot be deleted, preventing Admin Login access, specifically when the Delete User After Every Log Off option is enabled.
- Save
Next, select either Global > Agent Security > Just-in-Time Admin Login Authorization > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.
- Select the Role or Users you wish to allow access to this feature.
-
Save
Finally, select either Global > Agent Customizations & Behavior > Logo (Square) > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.
- Upload an image that will be used for the User icon at the Windows Lock Screen.
- The image cannot be larger than 1MB.
- Does not support “.webp” images.
- Transparent images will not be transparent. The transparent space will be replaced with a white background.
- The image cannot be larger than 1MB.
-
Save
How it works
Enabling the "Just-in-Time Admin Login" setting adds a "Credential Provider" to the system, which appears on the Windows Lock Screen. This gives the technician access to an admin account, allowing them to sign in without needing a password.
A QR code is displayed to authenticate the technician as no password is required to log in to the admin account. This code expires after 10 minutes. If the technician's role or the technician themselves have been authorized in the Just-in-Time Admin Login Authorization setting, they can use the AutoElevate Notify app to scan the QR code and grant access.
Upon logging in, the session is automatically entered into Technician mode.
The Credential Provider comes with a built-in self-recovery feature. If it detects any issues, it will disable itself automatically to avoid further problems. In such cases, the AutoElevate Agent service or the computer can be restarted to reset the Credential Provider and restore its functionality.
The Credential Provider is designed not to load in Safe Mode, providing an alternative method of recovery in case the credential provider fails. This ensures that the Credential Provider does not interfere with other system-level changes necessary in Safe Mode. In the event of a failure, users can access the computer in Safe Mode and then disable or reset the Credential Provider to restore normal functionality.
Auditing
To monitor if a computer has logged in using JIT Admin Login, you can access the computer's View screen (indicated by an eye icon) from the Computer grid. This screen displays detailed information about the computer's activity and login history.
In addition to the Computer grid, you can view a computer's General Information and State Information by expanding the dropdown menu. This provides a quick overview of the computer's status and any relevant information that may impact its security.
To track attempted JIT Admin Login, you can access the JIT Admin Logins section. This will display the date and time when the login attempt was made (Date Created), whether it was successful or not (Date Updated), and the name of the user who authenticated the login (Authenticated By).