The Michigan Medicine community depends on user computing devices for all aspects of research, education, clinical, and administrative service. HITS strives to continuously improve its fleet of devices to support innovation and teamwork. Yet, in the face of increasing cybersecurity threats, we must also take steps to keep the enterprise safe while using these devices.
HITS is in the process of rolling out the Michigan Medicine Endpoint Privilege Manager. This service will be used to monitor and handle requests for elevated privileges. This work is part of a wider strategy to improve managed devices while responding to cybersecurity threats.
When is it arriving?
- March 10: All HITS CoreImage Windows devices and targeted Champions devices.
- Week of March 24: All Michigan Medicine CoreImage Windows devices
- June 27: Pilot of active mode on select devices
- July 25: Small selection of HITS Staff will have EPM Activated
- August 15-29: Rollout of active mode to the CoreImage Windows fleet
What will it look like?
System Tray Icon
When the EPM service is installed on a CoreImage Windows device, it appears in the system tray as the CyberArk agent icon (highlighted in the image).
User Account Control (UAC) prompt for non-handled privileges
If the EPM service does not handle the requested elevation, Windows shows its normal UAC prompt.
User Account Control (UAC) prompt for handled privileges
If the EPM service does handle the requested elevation, a new UAC prompt from EPM is displayed instead.
How do I request and use privileged access?
Details and written instructions for requesting and using privileged access (also called Just-in-Time (JIT) access or admin rights) are in our article KB0019206: How To Create and Manage Your Just-in-Time (JIT) Elevated Privilege Account.
Will I get remote access to a device with privileged access?
No. The new process does not provide remote access to a device. If you need to connect remotely to a CoreImage device, please use the Remote Access to CoreImage Windows Machines catalog request.
What happens when my privileged access (JIT) expires?
Just-in-Time (JIT) elevated privileges are granted in time blocks from 2 hours up to 12 hours; when the chosen period ends, the elevated privileges expire. When they expire, one of two things happens, depending on how your elevated privileges were activated:
- If you were already logged in on the device when JIT was activated, any elevated applications will close immediately.
- If you logged into the device after activating JIT, you will be immediately logged off.
An example image of the warning message that your privileged access is expiring soon is available on KB0019206: How To Create and Manage Your Just-in-Time (JIT) Elevated Privilege Account.
Why is EPM important?
How will I know if my device is managed by EPM?
The EPM service is being activated in phases across the Michigan Medicine CoreImage Windows fleet. If you attempt an action that is managed by the EPM service, you will see a new type of User Account Control (UAC) prompt with instructions on how to proceed. For an example UAC prompt, see our “What will it look like?” section.
What do I do if my request for elevated privileges was denied?
If your request for elevated privileges was denied, you can appeal the denial by following the steps in KB0019350: Request elevated Privilege Management Rights for an individual who does not meet Stated Requirements.
What is Active mode?
Active mode means the EPM service agent has been enabled and will enforce our privilege elevation policies. If a privilege elevation is handled by the EPM service, you will see a new User Account Control (UAC) window. If the EPM service does not handle the privilege elevation, you will see the normal Windows UAC prompt. For more information and example images of the UAC prompts, see the “What will it look like?” section.
What is Passive mode?
Passive mode means the EPM service agent is installed on the device but does not enforce any security policies. This does not affect any current administrative privileges.
CoreImage Windows users will follow a new process when requesting admin rights.