Forum Discussion
Clarification related to JIT for EDLP
Can someone help clarify how JIT actually works and in which scenario we should enable JIT?
The Microsoft documentation is very different from what I’m observing during hands-on testing.
I enabled JIT for a specific user (only 1 user). For that user, no JIT toast notifications appear for stale files when performing EDLP activities such as copying to a network share, etc. However, for all other users, even though JIT is not enabled for them, their events are still being captured in Activity Explorer.
See SS below.
1 Reply
Hey Mansha, Microsoft clearly states the below in its documentation:
"When JIT is enabled for devices all user activities are audited, even the activities of the users who aren't in the scope of the policy. Egress activities are audited and blocked for users who are in the policy scope."
So seeing activities from other users is totally normal. For the scoped user's issue, I can think of a few obvious but effective ways:
1. Check if the anti-malware Client version is 4.18.23080 or later.
2. Go to Data Loss Prevention > Diagnostics page, and select 'Endpoint DLP not working' card to check whether the scoped devices have met JIT prerequisite or not.
3. It is possible that the file wasn't really stale. This can be a common scenario especially for network share files. Please check if the file is really stale by checking the last label/classification timestamp. You can also try to use an intentionally unclassified file or force a stale classification scenario (rename or copy to an unclassified path) and re-test.
If any of the above helps in any way, please like and/or accept as an answer!
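Check 1 from the reply can be scripted for the local device or for an exported device inventory. The following is an added example, not part of the original thread or of Microsoft's documentation; the function name `Test-JitClientVersion` and the sample device rows are hypothetical, and the minimum version is the one quoted in the reply.

```powershell
# Added example: compares the Defender anti-malware client version against
# the minimum quoted in the reply (4.18.23080).
$MinimumJitClientVersion = [version]'4.18.23080'

function Test-JitClientVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$ComputerName,

        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [AllowEmptyString()]
        [string]$AMProductVersion
    )
    process {
        $parsed = $null
        # TryParse avoids a terminating error on empty or malformed inventory values.
        $ok = [version]::TryParse($AMProductVersion, [ref]$parsed)
        [pscustomobject]@{
            ComputerName     = $ComputerName
            AMProductVersion = $AMProductVersion
            # Compared as a version, not as text, so each component is numeric.
            MeetsMinimum     = $ok -and ($parsed -ge $MinimumJitClientVersion)
            Note             = if (-not $ok) { 'version missing or unparseable' } else { '' }
        }
    }
}

# Constructed inventory rows (not real devices), e.g. as collected from several endpoints.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-A'; AMProductVersion = '4.18.23080.2006' }
    [pscustomobject]@{ ComputerName = 'PC-B'; AMProductVersion = '4.18.2301.6' }
    [pscustomobject]@{ ComputerName = 'PC-C'; AMProductVersion = '' }
)
$sample | Test-JitClientVersion | Format-Table -AutoSize

# Local device: Get-MpComputerStatus reports the client version as AMProductVersion.
Get-MpComputerStatus |
    Select-Object @{ n = 'ComputerName'; e = { $env:COMPUTERNAME } }, AMProductVersion |
    Test-JitClientVersion
```

In the constructed rows, only PC-A reports `MeetsMinimum` as true; PC-B is below the minimum and PC-C has no parseable version.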