Hello, to increase security in our deployment we are trying to combine Jenkins with Windows "Just Enough Admin" (JEA, see for example Overview of Just Enough Administration (JEA) - PowerShell | Microsoft Learn).
So we created the file in C:\Program Files\WindowsPowerShell\Modules\RoleCapabilities to enable the role definitions (the commands the Jenkins service user is allowed to run), we created the possession file to enable it in C:\Program Files\WindowsPowerShell\Modules\RoleCapabilities\hereistheservername_JEASessionConf.pssc, and we did some configuration in Jenkins to make this happen.
So the result is that the service user can use all the defined commands in the remote sessions; this works fine as long as single commands are passed (tested manually) to the target server. So far tested and working.
But the point is that, instead of sending single commands to the target server, Jenkins creates a randomly named PS1 PowerShell script containing these commands on the remote server, and JEA does not allow this file to be executed. JEA would work fine if Jenkins would create a PS1 file with a fixed (always the same) name, which we could allow with the JEA method, or if we could configure JEA so that the user is allowed to run wildcard PS1 scripts like C:\Users\insertserviceusernamehere\Local\Temp\jenkins*.PS1 (example: jenkins2475773S76823492S4.PS1).
How to fix that? How to force Jenkins to
a) use always the same file name for the remote powershell script, or
b) make Jenkins to send the single commands instead of the powershell script, or
c) configure JEA to allow a wildcard pattern filename (jenkins*.PS1)
Any idea for this?
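For readers who want to reproduce the JEA side of this setup, the following is an added example and not the poster's configuration: it builds a role capability file (.psrc) for a CI service account, wraps it in a RestrictedRemote session configuration (.pssc) with transcripts enabled, validates and registers the endpoint, and then lists what the endpoint actually exposes when connected as that account. The module name `JenkinsJea`, the account `CONTOSO\svc-jenkins`, the service name `MyAppService`, the path `C:\Deploy\deploy.ps1` and the transcript directory are all placeholders chosen for the example. Note that the allowed script lives at a fixed, administrator-owned path rather than in the service account's own temp directory; a fixed name alone does not help much if the account (or anything else that can write to that directory) can replace the file's contents before it runs.

```powershell
# Added example (not the poster's configuration). All names are placeholders.
$ModuleRoot = 'C:\Program Files\WindowsPowerShell\Modules\JenkinsJea'   # assumed module name
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
# JEA locates .psrc files under <Module>\RoleCapabilities on $env:PSModulePath,
# so give the folder a manifest to make it a proper module.
New-ModuleManifest -Path (Join-Path $ModuleRoot 'JenkinsJea.psd1') -RootModule $null

# Role capability: only the cmdlets the pipeline needs, with parameter values
# pinned where possible, plus explicit full paths for external commands.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'JenkinsDeploy.psrc') `
    -Description 'Commands the Jenkins service account may run' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = @('MyAppService') } }
    ) `
    -VisibleExternalCommands @(
        'C:\Windows\System32\whoami.exe',
        'C:\Deploy\deploy.ps1'   # assumed fixed-name script in an admin-owned directory
    )

# Session configuration: NoLanguage-style RestrictedRemote session, virtual
# account (no standing admin credentials), transcripts for later review.
$Pssc = Join-Path $ModuleRoot 'JenkinsJea.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemote `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\svc-jenkins' = @{ RoleCapabilities = 'JenkinsDeploy' } }

# Validate before registering; a malformed file would otherwise only fail at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) {
    throw "Invalid session configuration file: $Pssc"
}
Register-PSSessionConfiguration -Name 'JenkinsJea' -Path $Pssc -Force | Out-Null

# Check from the service account's point of view: only what is listed here is
# callable through this endpoint, so an ad-hoc .ps1 outside the allow-list is rejected.
Invoke-Command -ComputerName 'localhost' -ConfigurationName 'JenkinsJea' `
    -Credential (Get-Credential 'CONTOSO\svc-jenkins') `
    -ScriptBlock { Get-Command | Select-Object Name, CommandType }
```

The `VisibleExternalCommands` entries here are full paths, which is the form the JEA documentation shows; whether a wildcard pattern such as `jenkins*.PS1` is accepted there is exactly the open question of this post and is not answered by the example. The transcript directory is worth keeping regardless of which option is chosen, since it records every command the constrained session actually ran.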