In this article we will be answering some frequently asked questions regarding Just-In-Time.
- What Server OS are supported for JIT-privileged accounts?
Just-in-Time (JIT) accounts for Active Directory are not compatible with Server 2008 R2 Domain Controllers. Due to limitations of the .NET framework and the password rotation requirements for these accounts, Server 2008 R2 is not supported. All Server OS newer than Server 2008 R2 are supported.
Can anyone on my team create JIT-privileged accounts?
No, only user groups selected by the admins (super or primary role) from the JIT settings on the CyberQP dashboard will have access to create JIT accounts. Selected users will have access to create JIT accounts exclusively for the customers they have been authorized to access.
- When a JIT account is created, where is it stored, for Active Directory?
A "Just In Time Accounts" OU gets created when you create a JIT account and the JIT account is stored in that OU. All future JIT account creations will be stored in that OU. Existing JIT accounts will remain unaffected, but re-enabled accounts are migrated to the new OU.
As an admin can I access all JIT accounts created by my team?
Only the account creator can access the JIT account passwords or enable JIT accounts.
Admins (Super and Primary roles) can see all the JIT accounts created by their team via the dashboard and have the ability to delete any JIT account if needed. Admins also receive an email alert whenever any new JIT account is created. Local event logging on the agent for JIT account actions is also available under the "Quickpass Events" in Windows Event Viewer. Logged events include JIT account creation, deletion, enabling, and disabling
Note: admins can not see the password of JIT accounts created by other users.
How long are JIT accounts enabled?
Users can choose the duration at the time of account creation or when re-enabling an existing JIT account. You can choose to have an account active for 1 Hour, 4 Hours, 1 Day, 3 days, 7 days, or 30 days. At expiry, the account is set to Disabled, removed from the privileged security group, and the password is rotated.
Are JIT accounts deleted after each use and a new JIT account is created the next time user wants to use the privileged account?
No, we do not delete JIT accounts at the time of expiry. JIT accounts in CyberQP are disabled in Active Directory, removed from the privileged security group, and passwords are rotated at expiry. The next time user wants to re-use the same JIT account they can enable the account for a limited time via the CyberQP desktop app. Similar behaviour will occur for Azure/Entra/O365 and Local accounts.
Is the account removed from the privileged security group at expiry?
Yes, the JIT account is removed from the privileged security group at expiry. The account is also Disabled and the password is rotated. Users will need to re-enable the JIT account the next time they want to use it, at which point the privileged security group will be re-added. Privileged security group information is tracked and stored in the database and retrieved when the account is re-enabled thus decreasing standing privileges on your disabled JIT accounts.
- What happens if the agent is offline at the time the JIT account is set to expire?
We leverage the JIT account expiry in Active Directory to address potential failures and ensure accurate timing. Accounts can now expire even if the agent is offline or uninstalled with the safeguard solution implemented using native Active Directory functionality. When the active time set for the JIT account runs out, the account will be disabled and removed from the privileged security group even if the agent is offline.
Are JIT account passwords stored in ITGlue or Hudu?
No, the JIT account passwords are always stored in the Quickpass vault. Customers using ITGlue or Hudu will not be able to store the passwords in IT Glue or Hudu.
How will JIT accounts work with DUO MFA?
When setting up a JIT account, users have the option to choose a username. If this username is configured as an alias with DUO, then MFA will function seamlessly with JIT accounts. Alternatively, users can also configure DUO MFA with an existing JIT account, which will remain active even when the account is enabled/disabled. CyberQP does not create a new JIT account each time and only activates an existing JIT account for the user.
Setup KB: https://support.getquickpass.com/hc/en-us/articles/14969359895959-Using-Duo-Authentication-for-Windows-Logon-with-Quickpass-Just-in-Time
How many JIT accounts can one user create?
For Active Directory and Azure/Entra/O365, one user can only create one JIT-privileged account on an AD domain. This privileged account should work on all AD-joined machines. For Local Just in Time accounts, a user can create one JIT-privileged account per system.
Can I delete a JIT account once created?
Admins (Super and Primary roles) can see all the JIT accounts created by their team via the dashboard and have the ability to delete any JIT account if needed. Currently, it is not possible to delete a JIT account via the desktop app.
- Are there any character limitations on the JIT Account name?
Just in Time account names should accept any character that Windows accepts in the Account name. However due to a limitation of the account creation process, they cannot start or end with the "." (period) character.