Introduction
There is a known issue where local JIT account creation fails with the error "The JIT account was successfully created but it could not be assigned to the privileged security group". This is caused by orphaned SIDs that may have been left in the security group by a previous AD connection. Open the security group's properties, remove the unnecessary SIDs, and try again. Our team is working on a fix for this issue.
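As an added example (not part of this article or the CyberQP product), the following PowerShell lists the members of a local security group on the affected machine and flags entries that no longer resolve to an account, which is what an orphaned SID looks like; the group name is an assumed placeholder.

```powershell
# Added example: report orphaned SIDs in a local security group.
# The group name is a placeholder; pass the privileged group JIT uses.
param([string]$GroupName = 'Administrators')

# The WinNT ADSI provider is used instead of Get-LocalGroupMember because the
# latter can fail outright when a member SID cannot be resolved.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
$members = @($group.Invoke('Members'))

$report = foreach ($m in $members) {
    $name     = $m.GetType().InvokeMember('Name',      'GetProperty', $null, $m, $null)
    $path     = $m.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $m, $null)
    $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

    # A member whose display name is only its SID string could not be resolved:
    # the account behind it no longer exists, so the entry is orphaned.
    $orphaned = ($name -match '^S-1-\d+(-\d+)+$')

    [pscustomobject]@{
        Name     = $name
        SID      = $sid
        AdsPath  = $path
        Orphaned = $orphaned
    }
}

$report | Format-Table -AutoSize

# After reviewing the report, remove the orphaned entries (prompts per member).
# Uncomment to apply; this is the cleanup step the article describes.
# $report | Where-Object Orphaned | ForEach-Object {
#     Remove-LocalGroupMember -Group $GroupName -Member $_.SID -Confirm
# }
```

Run it in an elevated PowerShell session on the computer selected for the JIT account; orphaned rows show `Orphaned = True` and a SID-only name.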
Just-in-time (JIT) accounts are a feature that temporarily enables a privileged account. With JIT accounts, you can be assured that they will be automatically disabled, removed from the privileged security group, and their passwords rotated upon expiry, making them highly secure.
Each JIT account is created for an individual technician so the audit log can be easily tracked to one person. This also helps ensure compliance by avoiding shared credentials and maintaining the principle of no standing privileges.
CyberQP provides the convenience of directly creating and managing your JIT accounts from the dashboard. As of the latest update to this KB article, the dashboard now supports Active Directory accounts, Local Accounts (Early Access), and Azure/Entra/O365 Accounts (Early Access).
If Just in Time access was previously enabled for Active Directory only, the Settings page configuration will need to be disabled and re-enabled with the new Source Types selected.
In this article, we'll walk you through the steps of setting up and using Local JIT accounts.
Prerequisite
- Machines must have the latest CyberQP agent installed
- Active QGuard subscription
- Either possess the primary or super role or be a part of a CyberQP group that has access to the Just-in-time feature. Please follow the instructions in this article to enable the JIT feature first
Enabling Just-in-time privileged accounts feature for QGuard
Creating a new Local JIT account from the dashboard
- Navigate on the Quickpass Dashboard to a customer that has CyberQP agents installed
NOTE: Just-in-time accounts for Local and Azure can only be created from the Dashboard. JIT accounts CAN be re-enabled and used for credential injection from the Desktop App.
- Click Just-in-time Accounts in the sidebar
- Click Create Account
- Adjust the username and duration if needed
- Provide a reason for the creation of the JIT account
- Select the directory source type LOCAL Accounts
- Select computer
- Specify a Privileged Security Group
- Click the now-activated Create Account button
Re-enabling a previously used JIT Account from the dashboard
Prerequisite
- Either possess the primary or super role or be a part of a CyberQP group that has access to the Just-in-time Access feature
- Have a Just-in-time account that exceeded its duration and has already been automatically disabled
Process
- Navigate to a customer that has CyberQP agents installed
- Click Just-in-time Accounts in the sidebar
- Locate the JIT Account that you wish to re-enable > Click the three-dot menu > "Enable Account"
- Provide a reason and extend or shorten the duration if needed
- Click Enable
Re-enabling a previously created Local JIT Account from the desktop app
- After logging into the Desktop App and selecting the Customer and the Just in Time Accounts section, any JIT account previously created by this login for this customer will be displayed.
- The Status column shows the current state of the JIT account. If it shows Disabled, the account's previous usage time has expired, and the account must be re-enabled before it can be used again.
- To re-enable the previously created JIT account, select the three-dot menu beside the account.
- Selecting the Enable Account will show you this screen.
- You must fill in the Reasons for Enabling and select a duration that is appropriate and then click Enable.
- The JIT Accounts list will update once the account has been Enabled again.