> ## Documentation Index
> Fetch the complete documentation index at: https://docs.idemeum.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Guide - JIT for computers

> Set up JIT admin access for computers.

## What is JIT for computers?

In this guide we will set up the [Just-in-time Admin Access (JIT) for computers](/jit-for-computers/jit-for-computers-overview) feature that is part of the [Privileged Access Management (PAM)](/pam-for-msps-overview) offering for MSPs.

Just-in-time Admin Access (JIT) is all about eliminating shared credentials and standing privileges when accessing Windows and macOS workstations and servers. Idemeum will automatically generate unique named admin accounts for your technicians, enable these accounts only for the duration of the session, and rotate passwords automatically after every login. Every login is protected with Passwordless [FIDO2](https://fidoalliance.org/passkeys/) compliant MFA, and every session is tracked in the audit trail.

## Set up JIT for computers

<Info>
  We are assuming you already have your MSP idemeum cloud tenant provisioned. If not, reach out to our [support](/support) team for help.
</Info>

<Steps>
  <Step title="Create idemeum child tenant">
    As a first step you need to create a child organization in your parent MSP tenant.

    * Login to MSP admin portal
    * Navigate to `Tenants` and create a child organization

    <Info>
      More information about how to [create](/multi-tenant-portal/multi-tenant-portal-overview) a child organization.
    </Info>
  </Step>

  <Step title="Configure JIT settings (optional)">
    <Info>
      If you want to use JIT `domain accounts`you need to install idemeum agent on Domain Controllers as well as domain workstations. And you need to enable JIT login with domain accounts. If all you need is acess to computers with `local admin accounts`, you can simply skip this step.
    </Info>

    * Navigate to your child tenant admin portal
    * Access `Settings` → `JIT access`
    * If you want to use `domain accounts` choose that option in the `domain login mode`
    * Configure any other additional settings if you need to. More about the configuration options [here](/jit-for-computers/configure-jit-for-computers).

    <Frame>
      <img src="https://mintcdn.com/idemeum/TbZO1wXo4Lot6zZc/images/CleanShot2026-02-23at12.05.35@2x.png?fit=max&auto=format&n=TbZO1wXo4Lot6zZc&q=85&s=3aacaff7991e0c31450c5c6cd9ffe596" alt="Clean Shot 2026 02 23 At 12 05 35@2x" width="2724" height="2132" data-path="images/CleanShot2026-02-23at12.05.35@2x.png" />
    </Frame>
  </Step>

  <Step title="Grab installation command and deploy agents">
    Now you need to access the child organization, click `Install new agent`, grab the installation command for Windows or macOS and install idemeum agent.

    <Info>
      More about how to [install idemeum agent](/desktop-agent/agent-install).
    </Info>
  </Step>

  <Step title="Perform test JIT login">
    Now you can log out from the workstation and perform passwordless JIT login by scanning a QR-code. Click on the QR-code at the bottom left of the screen, open your idemeum mobile application, choose `Login`, scan the code and approve with biometrics. 

    <Frame>
      <img src="https://mintcdn.com/idemeum/TbZO1wXo4Lot6zZc/images/CleanShot2026-02-23at12.10.30@2x.png?fit=max&auto=format&n=TbZO1wXo4Lot6zZc&q=85&s=283185273a1a8a9383bf7ff92e45f638" alt="Clean Shot 2026 02 23 At 12 10 30@2x" width="2768" height="1922" data-path="images/CleanShot2026-02-23at12.10.30@2x.png" />
    </Frame>
  </Step>
</Steps>