Introduction
Just-in-time (JIT) accounts are a feature that temporarily enables a privileged account. With JIT accounts, you can be assured that they will be automatically disabled, removed from the privileged security group, and have their passwords rotated upon expiry, so that no standing privilege remains once the access window closes.
Each JIT account is created for an individual, which creates an audit log that can be easily tracked to that person. This also helps ensure compliance by avoiding shared credentials and maintaining the principle of no standing privileges.
CyberQP provides the convenience of directly creating and managing your JIT accounts from the dashboard. As of the latest update to this KB article, the dashboard now supports Active Directory accounts. Local accounts and Entra ID accounts have now been released as well. Please see the bottom of this KB to find links on how to implement these features.
In this article, we'll walk you through the steps of setting up and using JIT accounts.
NOTE: Due to limitations of the .NET framework and the password rotation requirements for these accounts, Server 2008 R2 is not supported. Just-in-Time (JIT) accounts are not compatible with Server 2008 R2 Domain Controllers.
Prerequisite
- Machines must have the latest CyberQP agent installed
- Active QGuard subscription
- Either possess the primary or super role or be a part of a CyberQP group that has access to the Just-in-time feature. Please follow the instructions in this article to enable the JIT feature first:
Enabling Just-in-time privileged accounts feature for QGuard
Creating an AD JIT account from the dashboard
- Navigate to a customer that has agents installed (At the time of writing this, we support agents running on Active Directory Domain Controllers)
- Click Just-in-time Accounts in the sidebar
- Click Create Account
- Adjust the username, and duration if needed
- Provide a reason for the creation of the JIT account
- Select the directory source type "Active Directory"
- Specify an Active Directory Privileged Security Group
- Click the now-activated Create Account button
Re-enabling a previously used JIT Account from the dashboard
Preconditions
- Have a Just-in-time account that exceeded its duration time and has already been automatically disabled
- Navigate to a customer that has agents installed (At the time of writing this, we support agents running on Active Directory Domain Controllers)
- Click Just-in-time Accounts in the sidebar
- Locate the JIT Account that you wish to re-enable > Click the three-dot menu > "Enable Account"
- Provide a reason and extend or shorten the duration if needed
If a different JIT Policy is desired (for different levels of access to the resource), click the Pencil Icon beside the suggested/last used JIT policy and select a different Policy.
Create a JIT account from the desktop app
Prerequisites
You'll need to have the Quickpass Desktop app installed on your computer
Please follow the instructions in this article on how to install the desktop app
https://support.getquickpass.com/hc/en-us/articles/10792022794647
Process
- Open the Quickpass Desktop app and log in using the same credentials used to log into the Quickpass Dashboard.
- Select the customer for which you want to create a JIT account.
- Click on 'Just-in-time Accounts' on the side nav. (Only logins who have access to JIT accounts will see this option.)
- Click the 'Create JIT account' button to create a new JIT account.
- On the JIT account creation form, you can set up the account configuration, including:
- Account Information
- This includes the name of the account. If you don't like the default, you can modify the value that it will use; this will be the name of the JIT account for that Technician/Login Role and it cannot be changed once created.
NOTE: There is a known bug if the username value is longer than 20 characters (including the _jit), so please ensure the value you have there is less than 16 characters.
- Duration should be set to the lowest amount that is technically practical. If the account is needed for longer than this period, the account can be Enabled/Activated again.
- Reason for Creating - this is a mandatory field to advise the reason for creation of the account.
- Administrator Account Type
- Select Privileged Security Group
- Select from the list of Active Directory Groups that were originally selected by the Primary/Super at the time of JIT being enabled.
- Hit 'Create' to create the JIT account on the Active Directory domain for this customer. You can now use this JIT account for the specified duration.
- A "Just In Time Accounts" OU gets created when you create a JIT account the first time and the JIT account is stored in that OU. All future JIT account creations will be stored in that OU. Existing JIT accounts will remain unaffected, but re-enabled accounts are migrated to the new OU.
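As an added example (not CyberQP's or Quickpass's own code), the following PowerShell audit checks the "Just In Time Accounts" OU for the conditions this article describes: an expired JIT account should be disabled and no longer a member of the privileged security group, and a proposed account name must stay within the 20-character limit once "_jit" is appended. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access, that the dashboard appends "_jit" to the name you enter (as the length note above implies), and that $PrivilegedGroups is edited to match the groups chosen when JIT was enabled.

```powershell
# Added audit example, not part of the CyberQP/Quickpass product.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: replace with the privileged security groups selected when JIT was enabled.
$PrivilegedGroups = @('Domain Admins')
$JitSuffix        = '_jit'
$MaxSamLength     = 20   # sAMAccountName limit that the KB's known-bug note refers to

# Validate a proposed JIT username against the KB guidance before creating it.
function Test-JitUsername {
    param([Parameter(Mandatory)][string]$BaseName)
    $full = $BaseName + $JitSuffix
    [pscustomobject]@{
        FullName = $full
        # KB guidance: keep the base under 16 characters so the full name stays within 20
        IsValid  = ($BaseName.Length -lt 16) -and ($full.Length -le $MaxSamLength)
    }
}

# Enumerate every account in the JIT OU and report states that contradict the
# "no standing privileges" expectation.
function Get-JitAccountFindings {
    $ou = Get-ADOrganizationalUnit -Filter 'Name -eq "Just In Time Accounts"' |
          Select-Object -First 1
    if (-not $ou) { throw 'No "Just In Time Accounts" OU found in this domain.' }

    $users = Get-ADUser -SearchBase $ou.DistinguishedName -Filter * -Properties Enabled, MemberOf
    foreach ($u in $users) {
        $groups     = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
        $privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

        if (-not $u.Enabled -and $privileged.Count -gt 0) {
            # Expired account that was not removed from the privileged group
            [pscustomobject]@{ Account = $u.SamAccountName; Severity = 'High'
                               Finding = "Disabled but still in: $($privileged -join ', ')" }
        }
        if ($u.Enabled) {
            # Currently active: confirm against the dashboard that it is within its duration
            [pscustomobject]@{ Account = $u.SamAccountName; Severity = 'Review'
                               Finding = "Enabled; groups: $($groups -join ', ')" }
        }
        if (-not $u.SamAccountName.EndsWith($JitSuffix)) {
            # Something other than a dashboard-created JIT account lives in the OU
            [pscustomobject]@{ Account = $u.SamAccountName; Severity = 'Medium'
                               Finding = 'Account in JIT OU without the _jit suffix' }
        }
    }
}

Get-JitAccountFindings | Format-Table -AutoSize
```

Run it on a schedule from an administrative workstation; any "High" finding means the expiry cleanup the article describes did not complete and the account should be checked in the dashboard.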
Re-enabling a previously used JIT Account
- After logging into the Desktop App and selecting the Customer and the Just in Time Accounts section, any previously created JIT account for this Login for this customer will be displayed.
- The status will show the current status of the JIT Account. If this shows Disabled, this means that the previous usage time of the account has expired. This account will need to be "re-enabled" in order to use it going forward.
- To Activate/Re-enable the previously created JIT account, select the three-dot menu beside the account.
- Selecting the Enable Account will show you this screen.
- You must fill in the Reasons for Enabling, select a duration that is appropriate, and then click Enable.
- The JIT Accounts list will update once the account has been Enabled again.