Announcing enhancements to Just-In-Time Privileged Accounts
We are excited to announce various improvements to the Just-In-Time Privileged Accounts feature. Enhancements include:
- Created "Just In Time Accounts" OU for all JIT accounts to prevent issues with auto-importing and provide better organization. Existing JIT accounts will remain unaffected, but re-enabled accounts are migrated to the new OU.
- Improved JIT account expiry in Active Directory to address potential failures and ensure accurate timing.
- Accounts can now expire even if the agent is offline or uninstalled. This safeguard is implemented using native Active Directory functionality.
- Improved error handling for username length limitation. Updated error message to display "Username must be 20 characters or less. Please choose a shorter username."
- Added email alerts for JIT account enabling, sent to Super and Primary login users. Emails include relevant details and provide a link to the appropriate CyberQP Dashboard based on the user's region.
- Improved JIT account security by removing the privileged security group on account expiry and re-adding it upon re-enabling.
- Privileged security group information is tracked and stored in the database and retrieved when the account is re-enabled, thus decreasing standing privileges on your disabled JIT accounts.
- Implemented local event logging on the agent for JIT account actions.
- Events logged under "Quickpass Events" in Windows Event Viewer.
- Logged events include JIT account creation, deletion, enabling, and disabling.
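
To verify the group-removal and expiry behaviour described above from the directory side, the following read-only audit lists accounts in the "Just In Time Accounts" OU that are disabled or expired yet still hold group memberships. It is an added example, not CyberQP code. It assumes the RSAT ActiveDirectory module, that the OU keeps the name given in this announcement, and that the native expiry is the AD account expiration date, which the announcement does not specify; `Get-JitStandingPrivilege` is a hypothetical function name.

```powershell
# Added example (not vendor code): read-only audit of JIT accounts.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-JitStandingPrivilege {
    param(
        # OU name as given in the announcement; change it if renamed locally.
        [string]$OuName = 'Just In Time Accounts'
    )
    $now = Get-Date
    # Look the OU up by name so no distinguished name has to be hard-coded.
    $ous = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'"
    foreach ($ou in $ous) {
        Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope Subtree -Filter * `
            -Properties AccountExpirationDate, MemberOf |
        ForEach-Object {
            # Assumption: expiry is enforced through the account expiration date.
            $expired  = $_.AccountExpirationDate -and ($_.AccountExpirationDate -le $now)
            $inactive = (-not $_.Enabled) -or $expired
            # MemberOf excludes the primary group (normally Domain Users), so any
            # entry here is an explicitly assigned group.
            $groups = @($_.MemberOf)

            $finding = 'ok'
            if ($inactive -and $groups.Count -gt 0) {
                $finding = 'inactive account still holds group membership'
            } elseif ($_.Enabled -and -not $_.AccountExpirationDate) {
                $finding = 'enabled account has no expiry set'
            }

            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                Expires        = $_.AccountExpirationDate
                GroupCount     = $groups.Count
                Groups         = $groups -join '; '
                Finding        = $finding
            }
        }
    }
}

# Show only the accounts that need attention.
Get-JitStandingPrivilege | Where-Object Finding -ne 'ok' | Format-Table -AutoSize
```

JIT accounts created before this release may still live outside the new OU, so an empty result covers only accounts that have been created or re-enabled since.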