SureMDM Just-In-Time (JIT) Admin – Windows
Overview
The SureMDM Just-In-Time (JIT) Admin feature helps IT teams enforce the principle of least privilege by granting temporary, time-bound local administrator access to users on managed Windows devices. Instead of maintaining permanent admin rights - which increases the risk of misuse or compromise - users can be elevated only when required and for a specified duration.
This feature is available exclusively to Enterprise tier customers and requires Windows devices with SureMDM Agent version 6.10.0 or later.
Enabling JIT Admin Access
- Navigate to SureMDM Console > Security > SureMDM JIT Admin > Windows.
- Click Configure SureMDM Just-In-Time Admin.
- You’ll be redirected to Account Settings > Windows Management > Miscellaneous.
- Enable the checkbox "Enable SureMDM Just-In-Time Admin."
Choose one of the following configurations for granting admin access to devices:
Option 1: Use Default SureMDM JIT Account
- Check the box: Use Default SureMDM JIT Account
- SureMDM will automatically create and manage a temporary local admin account on the device to grant JIT access.
Option 2: Use Custom Local Admin Account
- Leave the Use Default SureMDM JIT Account box unchecked
- Enter the following fields manually:
- Local Admin Account Name
- Password
- SureMDM will use this specified account to elevate permissions during JIT sessions.
- Click Apply to save the changes.
- Return to the SureMDM JIT Admin screen to access full functionality.
Once enabled, the Windows tab under SureMDM JIT Admin will display three key sections (accordions):
- Pre-Approved Apps
- Live Requests
- Past Requests
1. Pre-Approved Apps
The Pre-Approved Apps section allows administrators to define a set of trusted applications that users can launch with elevated privileges — without submitting a request or waiting for approval.
Use Case
Commonly used applications like code editors, internal development tools, or installers that always require admin rights can be pre-authorized, improving productivity while maintaining control.
How to Configure:
- Click Create.
- Enter a name for the JIT access.
- Click Add App and list the executables (.exe) that should run with elevated access.
- Click Next, then choose the target device group(s).
- Click Save to deploy the configuration.
Result: Users on those devices can right-click the listed application and select “Run with SureMDM JIT”. The application runs with administrative privileges without any additional steps.
Pre-approved Apps Table
| Column Name | Description |
|---|---|
| JIT Access Name | Name of the JIT policy created for pre-approved applications. |
| Device Details | Count of devices assigned to the JIT access. Clickable to view device-specific details and deployment status. |
| Application Name | List of executable (.exe) files configured for elevated access. |
| Last Modified | Timestamp of the last update made to the JIT entry. |
| Last Modified By | Console user who last modified the JIT configuration. |
2. Live Requests
The Live Requests accordion is used for managing time-bound admin access initiated by users or created manually by IT admins. This section is organized into three tabs, each representing a different lifecycle state of a JIT request:
a. Pending Requests
This tab displays all access requests that are awaiting administrative action.
Actions Available:
- Approve: Grants access and moves the request to the Active tab.
- Deny: Rejects the request, moving it to Past Requests.
- View/Modify: Adjust the time window before approving.
Each entry includes the request type (App/Account/Script), duration, device info, and justification.
When a user raises a Just-In-Time request from the SureMDM Agent, a real-time notification is shown in the SureMDM console. Clicking the notification will take the admin directly to this tab.
b. Active Requests
Displays all ongoing JIT sessions currently in effect on devices.
- Each active request is tied to a timer based on the approved duration.
- Admins can view progress and intervene if needed.
- The request is automatically moved to Past Requests once the time expires or access is revoked.
- If Internet Access Required was enabled during configuration and the device goes offline for more than 5 minutes, access is revoked automatically and will not resume until the device is online again.
c. Scheduled Requests
The Scheduled Requests tab under the Live Requests accordion lists all JIT access sessions that have been configured to start at a specific time in the future.
- Requests can be scheduled by IT admins for time-bound maintenance, audits, or deployments.
- When the scheduled time arrives, SureMDM will automatically activate the request on the target devices.
- Once active, the request will move to the Active Requests tab, and the session timer will begin.
- After the scheduled duration elapses, the session ends automatically and is moved to Past Requests for auditing.
If Internet Access Required is enabled, JIT access will not activate if the device is offline at the scheduled start time, and will only begin once the device reconnects.
Creating Live Requests (Admin-Initiated)
SureMDM allows IT administrators to manually create JIT admin sessions for users.
Steps to Create a Live Request:
- Click Create under the Live Requests accordion.
- Enter a meaningful JIT Access Name.
- Choose the Access Type:
- Application Access – Grant admin rights to specific applications only.
- Account Access – Grant full local administrator privileges to the specified user account.
Based on the selected type:
- If Application is selected, specify one or more applications the user will run with elevated privileges.
- If Account is selected, specify the user account that should be granted elevated permissions.
Choose the Duration Type:
- Fixed – Specify a duration in minutes or hours.
- Scheduled – Define a specific start and end time.
Internet Access Required:
- If enabled, JIT access will be revoked automatically if the device is offline for more than 5 minutes. It remains disabled until the device comes back online.
- Select the target device group(s).
- Click Save to create the request.
Only Windows devices with SureMDM Agent v6.10.0 or later are eligible.
Live Requests Table
| Column Name | Description |
|---|---|
| JIT Access Name | Name given to the JIT request. |
| Device Details | Device(s) the request applies to. |
| Remaining Time | Time left before the session expires (active only). |
| User Name | Username for which access is granted. |
| JIT Access Type | Application, Account, or Script. |
| Application Name | Elevated apps (if Application Access selected). |
| Script Name | Script file uploaded (if applicable). |
| Duration Type | Fixed or Scheduled. |
| Requested By | Request initiator (User/Admin). |
| Requested Date & Time | Timestamp when the request was created. |
| Expiry Date & Time | Scheduled end time. |
| JIT Status | Current status — Pending, Active, etc. |
| Reason By User | User’s justification. |
| Approver Comments | Admin notes at the time of approval or denial. |
3. Past Requests
The Past Requests accordion functions as an audit trail, listing all previously approved, denied, or expired JIT sessions.
Column Definitions
| Column Name | Description |
|---|---|
| JIT Access Name | Name of the completed or expired JIT session. |
| Device Details | Device(s) where JIT was executed. |
| User Account | Account with elevated access. |
| JIT Access Type | Application, Account, or Script. |
| Application Name | Associated application(s). |
| Requested By | User/Admin who created the request. |
| Duration Type | Fixed or Scheduled. |
| Publisher Name | Application vendor (if applicable). |
| JIT Status | Completed, Denied, Expired, Revoked, etc. |
| Requested Date & Time | When the request was submitted. |
| Approval Action By | Admin who approved or denied it. |
| Approved Date & Time | When the action was taken. |
| Start Time | When the JIT session began. |
| End Time | When the session ended. |
| Reason By User | User’s reason for the request. |
| Reason By Admin | Admin’s remarks. |
| JIT Access Revoked By | Admin who revoked the session. |
| Extension Requested | Whether extension was requested. |
Available Controls
- Search
- Refresh
- Export
- Column Chooser
This section ensures compliance teams and IT auditors have full visibility into all privileged access activities.
End-User Experience
On the device side:
- Open SureMDM Agent > SureMDM JIT Tab
- Click Create JIT Request
- Choose Access Type:
- App: Drag and drop executable
- Script: Upload script
- Account: Choose access duration
- Specify the duration
- Submit the request
Once Approved:
- The user receives a notification confirming JIT access is active.
- For applications, the user can right-click the app and select Run with SureMDM JIT to launch it with elevated privileges.
- Admin rights remain in effect for the approved duration.
- Before the session expires, a prompt appears allowing the user to request an extension if needed.
Operational Notes
- Users can submit up to 3 JIT requests per day (default)
- This can be increased via SureMDM Agent Settings.
- If device loses internet:
- JIT session continues unless Internet Access Required is enabled
- Time always continues to decrement
- Access is auto-revoked once timer expires.