How do I connect to the JEA network?
JEA employees, retirees and contractors may connect to the JEA network remotely for business purposes. Citrix- The preferredmethod of access is via the Citrix Receiver. You must utilize Citrix to access Oracle.
Is remote JEA safe to use?
Moreover, Remote JEA is slightly inactive on social media. This site’s reputation is almost good, but it is important to note that its child safety remains unrated by users. Welcome to the JEA Remote Access Portal JEA employees, retirees and contractors may connect to the JEA network remotely for business purposes.
How do I know if JeA is working remotely using PowerShell?
If the current user account has access to the JEA endpoint, you can omit the Credential parameter. When the PowerShell prompt changes to [localhost]: PS> you know that you're now interacting with the remote JEA session. You can run Get-Command to check which commands are available.
How do I grant full access to multiple users in JEA?
By default, when a JEA endpoint has multiple role capabilities, the WinRM ACL is configured to allow access to all mapped users. For example, a JEA session configured using the following commands grants full access to CONTOSO\JEA_Lev1 and CONTOSO\JEA_Lev2.
What is JEA in PowerShell?
With JEA, you can configure a management endpoint for DNS administrators that gives them access only to the PowerShell commands they need to get their job done. This means you can provide the appropriate access to repair a poisoned DNS cache or restart the DNS server without unintentionally giving them rights to Active Directory, or to browse the file system, or run potentially dangerous scripts. Better yet, when the JEA session is configured to use temporary privileged virtual accounts, your DNS administrators can connect to the server using non-admin credentials and still run commands that typically require admin privileges. JEA enables you to remove users from widely privileged local/domain administrator roles and carefully control what they can do on each machine.
Where to find JEA DSC?
Sample JEA configurations and the JEA DSC resource can be found in the JEA GitHub repository.
What is just enough administration?
Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. With JEA, you can:
What is JEA used for?
JEA can also be used in automation systems and in user applications, such as in-house helpdesk apps and websites. The approach is the same as that for building apps that talk to unconstrained PowerShell endpoints. Ensure the program is designed to work with limitation imposed by JEA.
How does implicit remoting work?
Implicit remoting works by importing cmdlets from an existing PowerShell session. You can optionally choose to prefix the nouns of each proxy cmdlet with a string of your choosing. The prefix allows you to distinguish the commands that are for the remote system. A temporary script module containing all the proxy commands is created and imported for the duration of your local PowerShell session.
Why is implicit remoting useful?
Implicit remoting is useful when working with JEA because it allows you to work with JEA cmdlets in a full language mode. You can use tab completion, variables, manipulate objects, and even use local scripts to automate tasks against a JEA endpoint.
Can you use PowerShell Direct with JEA?
You can use PowerShell Direct with JEA to give a Hyper-V administrator limited access to your VM. This can be useful if you lose network connectivity to your VM and need a datacenter admin to fix the network settings.
Can a dedicated user access a VM?
It's recommended you create a dedicated user account with the minimum rights needed to manage the system for use by a Hyper-V administrator. Remember, even an unprivileged user can sign into a Windows machine by default, including using unconstrained PowerShell. That allows them to browse the file system and learn more about your OS environment. To lock down a Hyper-V administrator and limit them to only access a VM using PowerShell Direct with JEA, you must deny local logon rights to the Hyper-V admin's JEA account.
Can you use JEA in PowerShell?
If you're testing your JEA configuration or have simple tasks for users, you can use JEA the same way you would a regular PowerShell remoting session. For complex remoting tasks, it's recommended to use implicit remoting. Implicit remoting allows users to operate with the data objects locally.
Need a jea.com Account?
Sign up for a jea.com account and enjoy many of our features including: online bill pay, fast extension requests, usage breakdowns and more.
Have a jea.com Account?
Sign in to pay your bill, report a service issue, update your information, take advantage of the newest JEA products and much more.
Impacting Our Community for Good
JEA employees support community causes through volunteerism, educational programs and direct support to those in need. Because the real power of community comes from helping others.
Helping Small Businesses Thrive
Partner with JEA to discover special savings, tools and programs to help your small business do more business. Our Small Business Hub is your one-stop shop.
Higher Than Usual Bill?
Many factors can affect your bill, including hot outdoor temperatures and being at home more. It doesn’t have to have a large impact on your bill, though. You have the power to control your bill, and we’re here to help.
Breaking Down Your Bill
Confused about some of the fees, taxes, and terms on your bill? Our interactive tool goes page-by-page, line-by-line, to explain what it all means.
What is a run as account in JEA?
Each JEA endpoint has a designated run-as account. This is the account under which the connecting user's actions are executed. This account is configurable in the session configuration file , and the account you choose has a significant bearing on the security of your endpoint.
What is a Jea endpoint?
JEA uses a PowerShell session configuration to create a new entry point for users to manage the system. Users who need elevated, but not unlimited, access to the machine to do administrative tasks can be granted access to the JEA endpoint.
What is a unique virtual account in a JEA endpoint?
This unique account helps you track user actions in a JEA endpoint back to the original user who ran the command. Virtual account names follow the format WinRM Virtual UsersWinRM_VA_<ACCOUNTNUMBER>_<DOMAIN>_<sAMAccountName> For example, if user Alice in domain Contoso restarts a service in a JEA endpoint, the username associated with any service control manager events would be WinRM Virtual UsersWinRM_VA_1_contoso_alice.
What is a gmsa?
Group-managed service accounts (gMSAs) are useful when a member server needs to have access to network resources in the JEA session. For example, when a JEA endpoint is used to control access to a REST API service hosted on a different machine. It's easy to write functions to invoke the REST APIs, but you need a network identity to authenticate with the API. Using a group-managed service account makes the second hop possible while maintaining control over which computers can use the account. The effective permissions of the gMSA are defined by the security groups (local or domain) to which the gMSA account belongs.
Why shouldn't you use RunAsCredential on a JEA endpoint?
You shouldn't use a RunAsCredential on a JEA endpoint because it's difficult to trace actions back to specific users and lacks support for mapping users to roles.
Why is it important to design a Jea role?
When designing JEA roles, it's important to remember that the virtual and group-managed service accounts running behind the scenes can have unrestricted access to the local machine. JEA role capabilities help limit the commands and applications that can be run in that privileged context. Improperly designed roles can allow dangerous commands that may permit a user to break out of the JEA boundaries or obtain access to sensitive information.
Does WinRM affect JEA?
The WinRM ACL doesn't affect the mapping of users to JEA roles. Mapping is controlled by the RoleDefinitions field in the session configuration file used to register the endpoint. By default, when a JEA endpoint has multiple role capabilities, the WinRM ACL is configured to allow access to all mapped users.
What happens when you unregister a JEA endpoint?
Unregistering a JEA endpoint causes the WinRM service to restart. This interrupts most remote management operations in progress, including other PowerShell sessions, WMI invocations, and some management tools. Only unregister PowerShell endpoints during planned maintenance windows.
What is the last step in a Jea endpoint?
Once you have your role capabilities and session configuration file created , the last step is to register the JEA endpoint. Registering the JEA endpoint with the system makes the endpoint available for use by users and automation engines.
Where are roles placed in PowerShell?
One or more roles has been created and placed in the RoleCapabilities folder of a PowerShell module.
Do you need to create a session configuration file when using the JEA DSC resource?
Settings for the session configuration have been determined. You don't need to create a session configuration file when using the JEA DSC resource.
