Just-In-Time (JIT) Request Management
Creating JIT Request (Admin-Initiated)
SureMDM allows IT administrators to manually create JIT admin sessions for users.
Steps to Create a Live Request from SureMDM Console
Navigate to SureMDM Console > Security > SureMDM JIT Admin > macOS > Live Requests.
In the Live Reqeusts accordion, click Create.
In the Create Live Requests popup, configure the following options and click Save
Request Details
| Settings | Description |
|---|---|
| JIT Access Name | Specify the Just-In-Time access name. |
| User account name | Enter the user account name for JIT access. If the username does not match on the target device, elevation from standard to administrator account will be ignored. |
| Duration Type | Select the access type. Options: - Fixed: Deploying the Just-In-Time Access configuration as a Fixed type will immediately initiate the access once it is deployed on the target devices. - Scheduled: Deploying the Just-In-Time Admin Access configuration as a Scheduled type will initiate the access only at the specified date & time |
| Just-In-Time Admin Access Duration | Specify the duration for Just-In-Time access. Applicable only if Duration Type is selected as Fixed. |
| Date & Time | Set the date & time for Just-In-Time access. Applicable only if Duration Type is selected as Scheduled. |
| Internet Access Required | If enabled, when the device goes offline during an active JIT session, the access will be revoked within 5 minutes. It will remain revoked until the device reconnects to the internet. |
Group or Device Assignment - Select the target device or group(s).
- Click Save.
The created request will list in the respective section based on the request type (Either on Active or Scheduled Requests).
JIT Request Entries
The SureMDM Just-In-Time (JIT) Admin request entries are organized into two main sections (accordions) within the console for better clarity and management:
- Live Requests – Displays all active, pending, and scheduled JIT requests that are currently in progress or awaiting action.
- Past Requests – Serves as an audit trail, listing all completed, denied, revoked, expired, or failed JIT requests for reference and compliance purposes.
1. Live Requests
The Live Requests accordion is used for managing time-bound admin access initiated by users or created manually by IT admins. This section is organized into three tabs, each representing a different lifecycle state of a JIT request:
a. Pending Requests
This tab displays all access requests that are awaiting administrative action.
Actions Available:
- Approve: Grants access and moves the request to the Active tab.
- Deny: Rejects the request, moving it to Past Requests.
- View/Modify: Adjust the time window before approving.
Each entry includes the JIT Name, duration, device info, justification and other related information.
When a user raises a Just-In-Time request from the SureMDM Agent, a real-time notification is shown in the SureMDM console. Clicking the notification will take the admin directly to this tab.
b. Active Requests
Displays all ongoing JIT sessions currently in effect on devices.
- Each active request is tied to a timer based on the approved duration.
- Admins can view progress and intervene if needed.
- The request is automatically moved to Past Requests once the time expires or access is revoked.
- If Internet Access Required was enabled during configuration and the device goes offline for more than 5 minutes, access is revoked automatically and will not resume until the device is online again.
Actions Available:
- Revoke: Revokes the JIT access of an ongoing JIT session.
- Extend Access: Extends the JIT access for an ongoing JIT session.
c. Scheduled Requests
The Scheduled Requests tab under the Live Requests accordion lists all JIT access sessions that have been configured to start at a specific time in the future.
- Requests can be scheduled by IT admins for time-bound maintenance, audits, or deployments.
- When the scheduled time arrives, SureMDM will automatically activate the request on the target devices.
- Once active, the request will move to the Active Requests tab, and the session timer will begin.
- After the scheduled duration elapses, the session ends automatically and is moved to Past Requests for auditing.
Actions Available:
- Revoke: Revokes the JIT access of the scheduled JIT session.
Live Request Table Columns
Columns might vary based on the request section
| Column Name | Description |
|---|---|
| JIT Access Name | Name given to the JIT request. |
| Device Details | Device(s) the request applies to. |
| Remaining Time | Time left before the session expires (active only). |
| User Name | Username for which access is granted. |
| Duration Type | Fixed or Scheduled. |
| Requested By | Request initiator (User/Admin). |
| Requested Date & Time | Timestamp when the request was created. |
| Expiry Date & Time | Scheduled end time. |
| Approved By | Username of the approver. |
| Approved Date & Time | Timestamp when the request was perfromed with approval action. |
| JIT Status | Current status — Pending, Active, Scheduled, etc. |
| Reason By User | User’s justification. |
| Reason By Admin | Admin notes at the time of approval or denial. |
2. Past Requests
The Past Requests accordion functions as an audit trail, listing all previously approved, denied, or expired JIT sessions.
Column Definitions
| Column Name | Description |
|---|---|
| JIT Access Name | Name of the completed or expired JIT session. |
| Device Details | Device(s) where JIT was executed. |
| User Account | Account with elevated access. |
| Requested By | User/Admin who created the request. |
| Duration Type | Fixed or Scheduled. |
| JIT Access Duration | Total duration of the JIT Access. |
| JIT Status | Completed, Denied, Expired, Revoked, etc. |
| Requested Date & Time | When the request was submitted. |
| Approved By | Username of the approver. |
| Approved Date & Time | Timestamp when the request was perfromed with approval action. |
| Start Time | When the JIT session began. |
| End Time | When the session ended. |
| Reason By User | User’s reason for the request. |
| Reason By Admin | Admin’s remarks. |
| JIT Access Revoked By | Admin who revoked the session. |
| Extension Requested | Whether extension was requested. |
Status Desciption
| Status | Description |
|---|---|
| Completed | Displayed when an approved JIT session has successfully ended. |
| Revoked | Displayed when an approved JIT request is revoked from the console before the session is completed. |
| Pre-Revoked | Displayed when an approved JIT request is revoked from the console before the session begins. |
| Expired | Displayed when an approved JIT request fails to initiate within the specified period. |
| Active | Displayed when a JIT session is currently in progress. |
| Scheduled | Displayed when a JIT session is planned to start at a future time. |
Available Table Controls
- Search
- Refresh
- Export
- Column Chooser
This section ensures compliance teams and IT auditors have full visibility into all privileged access activities.
Operational Notes
- Admins can manage the following JIT configurations through SureMDM Agent Settings:
- Daily Request Limit – Define how many JIT requests a user can submit per day. By default, the limit is 3 requests per day.
- Visibility Control – Choose whether the SureMDM JIT Admin section is displayed in the Agent.
- Request Submission Restriction – Prevent users from submitting JIT requests directly from the Agent.
- If device loses internet:
- JIT session continues unless Internet Access Required is enabled
- Time always continues to decrement
- Access is auto-revoked once timer expires.