AutoElevate's Just-in-Time Admin Login feature enables technicians to access a computer as a signed-in Admin user by scanning a QR code to authenticate, making it easy and secure to perform critical tasks. However, it's worth noting that when the Agent creates or takes control of an existing user, access will only be granted to the Agent. This feature is designed and supported for 64-bit Windows workstations, including versions 10, and 11.

Note: your agents must be on v2.8+ for this feature to be available.

Quick Start

• From the Settings screen select Global> Just-in-Time (JIT) Admin Login> Edit (Pencil icon) or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon from the top of the grid.
• Check the "Enabled" box, set custom User name then SAVE.
   

  Just-in-Time Admin Login location

  

  

   

   

• Then select Global> Agent Security> Just-in-Time Admin Login Authorization> Edit (Pencil icon) or create a new Level Setting (Whole Company, Location or Computer) using the "+" icon from the top of the grid.
   
• Select Role or Users you wish to allow access to this feature and SAVE.
   

  Just-in-Time Admin Login Authorization

  

  

   

   

Enabling - Additional Options & Info

From the Settings screen, select either Global > Just-in-Time (JIT) Admin Login > Just-in-Time (JIT) Admin Configuration > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.

• Enabled: Check to enable.
   
• Username: Set a username. When adding a user, it's important to note that if the username already exists on the machine, its password will be overwritten. This can be helpful for existing admin accounts on the end-user's computer. However, it's crucial to exercise caution when using this feature to avoid overwriting a user's password of a user that the technician did not intend to modify. Always verify that the correct username has been entered before proceeding.
   
• Credential Title Label Override: Coming soon! Customize the title name at the login screen.
   
• Delete User After Every Log Off: Check to enable. This option allows technicians to create temporary admin users that are automatically removed when they are no longer in use. Persistent users are standard users at rest and will not be deleted during uninstallation or when the "Admin Login" setting is disabled.
  
  

• Save

Next, select either Global > Agent Security > Just-in-Time Admin Login Authorization > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.

• Select the Role or Users you wish to allow access to this feature.
   
• Save
  
  
   

Finally, select either Global > Agent Customizations & Behavior > Logo (Square) > Edit (Pencil icon) or create a new Level Setting (Whole Company, Location, or Computer) using the + icon from the top of the grid.

• Upload an image that will be used for the User icon at the Windows Lock Screen.
   
  • The image cannot be larger than 1MB.
     
  • Does not support “.webp” images.
     
  • Transparent images will not be transparent. The transparent space will be replaced with a white background.
     
• Save
  
  
   

How it works

Enabling the "Just-in-Time Admin Login" setting adds a "Credential Provider" to the system, which appears on the Windows Lock Screen. This gives the technician access to an admin account, allowing them to sign in without needing a password.

A QR code is displayed to authenticate the technician as no password is required to log in to the admin account. This code expires after 10 minutes. If the technician's role or the technician themselves have been authorized in the Just-in-Time Admin Login Authorization setting, they can use the AutoElevate Notify app to scan the QR code and grant access.

Upon logging in, the session is automatically entered into Technician mode.

The Credential Provider comes with a built-in self-recovery feature. If it detects any issues, it will disable itself automatically to avoid further problems. In such cases, the AutoElevate Agent service or the computer can be restarted to reset the Credential Provider and restore its functionality.

The Credential Provider is designed not to load in Safe Mode, providing an alternative method of recovery in case the credential provider fails. This ensures that the Credential Provider does not interfere with other system-level changes necessary in Safe Mode. In the event of a failure, users can access the computer in Safe Mode and then disable or reset the Credential Provider to restore normal functionality.


 

Auditing

To monitor if a computer has logged in using JIT Admin Login, you can access the computer's View screen (indicated by an eye icon) from the Computer grid. This screen displays detailed information about the computer's activity and login history.

In addition to the Computer grid, you can view a computer's General Information and State Information by expanding the dropdown menu. This provides a quick overview of the computer's status and any relevant information that may impact its security.

To track attempted JIT Admin Login, you can access the JIT Admin Logins section. This will display the date and time when the login attempt was made (Date Created), whether it was successful or not (Date Updated), and the name of the user who authenticated the login (Authenticated By).