Just-in-Time (JIT Admin Login)

Discover the benefits of Just-in-Time (JIT) administration for a secure, efficient login process.

Written by Owen Parry

Updated at December 2nd, 2024


AutoElevate's Just-in-Time Admin Login feature enables technicians to access a computer as a signed-in Admin user by scanning a QR code to authenticate, making it easy and secure to perform critical tasks. However, it's worth noting that when the Agent creates or takes control of an existing user, access will only be granted to the Agent. This feature is designed and supported for 64-bit Windows workstations running Windows 10 and 11.

Note: your agents must be on v2.8+ for this feature to be available.


Important Notice: Just-in-Time Admin Login Limitations

JIT Admin Login does not currently work within the lock screen of an already connected Remote Desktop Connection (RDC) session or for a Windows 365 cloud computer. You will need to connect to the login screen and then select the JIT user from there.

Also, domain controllers and multi-session machines are currently not supported. 

 

Just-in-Time Admin Login with Windows Authentication Products

Please note that certain Windows authentication products might prevent the display of the JIT Admin Login button on the Windows login screen. These products prevent our credential provider from loading. This is the case with DUO and WatchGuard AuthPoint.

For instructions on how to whitelist AutoElevate with DUO, please refer to the following article: DUO with Admin Login.

 

 

Quick Start


  • From the Settings screen, select Global > Just-in-Time (JIT) Admin Login > Edit (Pencil icon), or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon from the top of the grid.
  • Check the "Enabled" box, set a custom username, then SAVE.
     

    Just-in-Time Admin Login location

     
     

 

  • Then select Global > Agent Security > Just-in-Time Admin Login Authorization > Edit (Pencil icon), or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon from the top of the grid.
     
  • Select the Role or Users you wish to allow access to this feature and SAVE.
     

    Just-in-Time Admin Login Authorization

     
     

Enabling - Additional Options & Info


From the Settings screen, select either Global > Just-in-Time (JIT) Admin Login > Just-in-Time (JIT) Admin Configuration > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.

  • Enabled: Check to enable.
     
  • Username: Set a username. If the username already exists on the machine, its password will be overwritten. This can be helpful for existing admin accounts on the end-user's computer, but it also means a mistyped or badly chosen name can overwrite the password of an account the technician did not intend to modify. Always verify that the correct username has been entered before proceeding.
     
  • Credential Title Label Override: Coming soon! Customize the title name at the login screen.
     
  • Delete User After Every Log Off: Check to enable. This option allows technicians to create temporary admin users that are automatically removed when they are no longer in use. 

    Persistent Users

    Please note persistent users are standard users at rest, not Admins. They will not be deleted during uninstallation or when the "Admin Login" setting is disabled.

     

 

Selecting Username 

Avoid the usernames Administrator and ~0000AEAdmin. These accounts cannot be deleted, which prevents Admin Login access, specifically when the Delete User After Every Log Off option is enabled.

 
  • Save
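One way to review a candidate username on a workstation before saving it, given the overwrite and reserved-name cautions above. This is an added example, not AutoElevate code; the function name `Test-JitUsername` and the sample name `svc-jit-admin` are hypothetical.

```powershell
# Added example, not AutoElevate code. Needs Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts); run it on the target workstation
# while no JIT session is active, so group membership reflects the at-rest state.
function Test-JitUsername {
    param([Parameter(Mandatory)][string]$Name)

    # Names the article advises against because they cannot be deleted.
    $reserved = 'Administrator', '~0000AEAdmin'

    # Exact, case-insensitive match; avoids wildcard expansion in -Name.
    $user = Get-LocalUser | Where-Object { $_.Name -eq $Name } | Select-Object -First 1

    # BUILTIN\Administrators by well-known SID, so localized group names work.
    $adminSids = @()
    try {
        $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            ForEach-Object { $_.SID.Value })
    } catch {
        Write-Warning "Could not read Administrators group: $($_.Exception.Message)"
    }

    $findings = @()
    if ($reserved -contains $Name) {
        $findings += 'Reserved name: the account cannot be deleted after log off.'
    }
    if ($user) {
        $findings += 'Account already exists: if JIT did not create it, enabling JIT overwrites its password.'
        if ($user.SID.Value -match '-500$') {
            $findings += 'This is the built-in Administrator account (RID 500).'
        }
        if ($adminSids -contains $user.SID.Value) {
            $findings += 'Member of Administrators at rest; a persistent JIT user should be a standard user.'
        }
    }

    [pscustomobject]@{
        Name      = $Name
        Exists    = [bool]$user
        Enabled   = $(if ($user) { $user.Enabled })
        LastLogon = $(if ($user) { $user.LastLogon })
        Findings  = $findings
    }
}

# 'svc-jit-admin' is a hypothetical candidate name, not one from the article.
'svc-jit-admin', 'Administrator' | ForEach-Object { Test-JitUsername -Name $_ } |
    Format-List
```

An empty `Findings` list means the name is unused on that machine and is not one of the two names the article warns about.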


Next, select either Global > Agent Security > Just-in-Time Admin Login Authorization > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.

  • Select the Role or Users you wish to allow access to this feature.
     
  • Save


     

Finally, select either Global > Agent Customizations & Behavior > Logo (Square) > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.

  • Upload an image that will be used for the User icon at the Windows Lock Screen.
     
    • The image cannot be larger than 1MB.
       
    • Does not support “.webp” images.
       
    • Transparent images will not be transparent. The transparent space will be replaced with a white background.
       
  • Save


     

How it works


Enabling the "Just-in-Time Admin Login" setting adds a "Credential Provider" to the system, which appears on the Windows Lock Screen. This gives the technician access to an admin account, allowing them to sign in without needing a password.

Because no password is required to log in to the admin account, a QR code is displayed to authenticate the technician. This code expires after 10 minutes. If the technician's role or the technician themselves have been authorized in the Just-in-Time Admin Login Authorization setting, they can use the AutoElevate Notify app to scan the QR code and grant access.

Upon logging in, the session is automatically entered into Technician mode.

The Credential Provider comes with a built-in self-recovery feature. If it detects any issues, it will disable itself automatically to avoid further problems. In such cases, the AutoElevate Agent service or the computer can be restarted to reset the Credential Provider and restore its functionality.

The Credential Provider is designed not to load in Safe Mode, providing an alternative method of recovery in case the credential provider fails. This ensures that the Credential Provider does not interfere with other system-level changes necessary in Safe Mode. In the event of a failure, users can access the computer in Safe Mode and then disable or reset the Credential Provider to restore normal functionality.
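When the JIT Admin Login button is missing from the login screen, an inventory of what is registered there helps narrow down the cause. The script below is an added example, not AutoElevate code; it reads the standard Windows registry locations for credential providers and credential provider filters. The article gives no CLSID or display name for the AutoElevate provider, so every entry is listed, and it is an assumption that a provider which has disabled itself would show the standard Windows `Disabled` value.

```powershell
# Added example, not AutoElevate code: list every credential provider and
# credential provider filter registered on this machine, with its DLL and signer.
# Filters are the Windows mechanism by which one product can hide other providers.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-LogonProviderInventory {
    foreach ($kind in 'Credential Providers', 'Credential Provider Filters') {
        $path = Join-Path $base $kind
        if (-not (Test-Path -LiteralPath $path)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $path) {
            $clsid = $key.PSChildName

            # Resolve the COM class to the DLL that the logon UI loads.
            $dll = $null
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            if (Test-Path -LiteralPath $server) {
                $dll = (Get-Item -LiteralPath $server).GetValue('')
            }

            # Record who signed the DLL, when it can be found on disk.
            $signer = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Kind     = $kind
                Name     = $key.GetValue('')            # default value = display name
                Clsid    = $clsid
                Disabled = ($key.GetValue('Disabled') -eq 1)  # standard Windows switch
                Dll      = $dll
                Signer   = $signer
            }
        }
    }
}

Get-LogonProviderInventory | Sort-Object Kind, Name |
    Format-Table Kind, Name, Disabled, Signer, Dll -AutoSize
```

Run it from an elevated prompt and compare the output from a working machine with one where the button is missing; an extra third-party filter or a provider marked `Disabled` is the first thing to look at.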


 

Auditing


To check whether a computer has been logged in to using JIT Admin Login, open the computer's View screen (indicated by an eye icon) from the Computer grid. This screen displays detailed information about the computer's activity and login history.

In addition to the Computer grid, you can view a computer's General Information and State Information by expanding the dropdown menu. This provides a quick overview of the computer's status and any relevant information that may impact its security.

To track attempted JIT Admin Logins, open the JIT Admin Logins section. It displays the date and time when the login attempt was made (Date Created), whether it was successful or not (Date Updated), and the name of the user who authenticated the login (Authenticated By).
