The Admin By Request value proposition
You are probably reading this, because you know you have a problem. Either your company allows users to maintain
local administrator rights or you have to do countless urgent remote installs.
We can solve this for you with little effort and at the same time free up your IT resources.
We have customers with tens of thousands of computers, who have tried to implement whitelisting solutions, but failed
and came to us, because this way you can only see the world in retrospect. You don't know, what your users need today.
Instead of speculating on this by creating whitelists and software packages ahead of time, Admin By Request works proactively the other
way around. When your user has an administrator need, all they have to do is request permission.
You can set Admin By Request to approve automatically or require IT staff to verify the request via the portal or real-time push to the app.
Once a user has approval, the user gets a time-limited, real-time, local admin elevation to install the requested software.
Once finished, you have a full audit trail of activity in the app and in the portal. It's that simple.
Users are never blocked from doing their job and you can use your scarse IT resources on more meaningful activities, knowing
you have a full audit trail. It's win/win for you and your users.
Contact us today for a live demo.
Interested? Go to www.adminbyrequest.com or read on for more details.
How it works
Admin By Request basically consists of a portal account and a 2 megabyte client MSI file.
With your portal login, you configure settings, view data and download your MSI file.
You can optionally also use the free mobile app for easier access to portal data and approving requests.
You can get a free fully functional trial login right away by hitting the "Download" link at the top.
The user will see a green icon in the system tray. You can also have Admin By Request put a shortcut on the user's desktop.
When the user needs to do something that requires administrator rights, the user just has to click the icon
to request a time-limited on-the-fly administrator session.
When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen.
When you are signed in to this portal, you decide in your settings, whether you allow administrator access with
auto-approval or not. You can granulate who gets auto-approved based on domain user/computer group or OU.
If you are using Azure AD only, you can filter by Azure groups.
If you allow access with auto-approval, the user becomes time-limited administrator right away. If you do not,
someone must approve the request in the portal and an email flow starts. In either case, the user will see the window below
and must enter reason for this need. You can disable the screen for auto-approved users.
User interfaces and email communications are automatically localized to Spanish, French, German, Danish, Norwegian and Swedish,
if the user is using one of these languages as the Windows language. More languages will added in the future.
Approving access from the app
If the user is not auto-approved, a portal user with approval rights has to approve the request.
The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval
request to all approvers in real-time (see below). When you press the Approve or Deny button, the user will receive an email with instructions.
Emails can be customized with company specific information, such as a Help Desk phone number. If you have GDPR concerns, you can disable collection of
user name, email address and phone number. Refer to our SLA & Compliance
page for more information.
The app also provides a great insight to what's going on a daily basis, as shown below.
Click the download icon under the screenshots on your iPhone to download the free app. Android version will be released November 5th 2018.
Approving access in the portal
You can also approve requests in the portal, instead of using the app. Typically, you would set up an email notification to all users that can approve requests,
so the user doesn't have to wait longer than necessary. When you click the email link, it simply takes you to the "Requests" page in the portal.
Here you will see a list of pending requests, as shown below,
including contact information and computer data. You then simply click Approve or Deny for each request, as you would in the app.
If the user is auto-approved or the request has been accepted by you, the user can start the session.
This happens on-the-fly without having to log off and on and you can configure, how much time the user is administrator.
When the timer starts, the user can run applications elevated. Account Control (UAC) is still in effect, if enabled.
If the user needs to run an application elevated, the user still has to select "Run as administrator" and
enter their own credentials. If the user starts an installation, Windows Installer or similar installer will automatically
ask for elevation and trigger the prompted for user's credentials to continue.
Once the user either stops the timer or the time runs out, the information will be uploaded to this portal.
You can see who and when and also which software was installed and which applications were run elevated during
the administrator session.
So what prevents the user from abusing the system?
The fact that the user has to request IT for access will in itself prevent the most obvious abuse.
But as part of your settings, you can also configure a Codes of Conduct page. Here you customize
verbage that suits your policy. For example, what is the penalty for using the administrator session
for personal objectives. You can also choose explain, what you can monitor from the portal.
When you enable the instructions screen in the settings, this screen will appear right before the administrative
session starts. You can also customize company name and logo for all screens, so there is no doubt
this message is indeed from the user's own company. This is the configuration part of the portal,
where you set authorization, company logo, policies, email communications, etc.
The administrators group will be snapshotted before the session starts and restored after session end.
If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of
the session. If the user tried to uninstall Admin By Request during a session, Windows Installer will show an error message
saying that Admin By Request cannot be uninstalled during an active session.
If the user has a local admin account that no one knows about, this is not a problem. Because when a user logs on,
rights are simply revoked. The reason all accounts are not revoked in general, is because you may have service accounts
that you want to continue to have administrative rights.
Refer to our FAQ page
for more information.
Admin By Request works the same whether the computer is online or offline.
Portal settings are cached on the client and all data going the other way is queued,
so the user experience will be no different at all, whether the computer has internet or not.
Computers work the same online or offline - except of course, if you require approval and the computer is offline.
Then no one will know the user has a pending request until the computer has an internet connection,
at which time it will flush its upload queue. This would rarely be a real-world problem, but there are examples,
where a computer is offline for a long period of time with no option to get online. A good example is our customer
Red Cross, which has workers going offline for weeks to a village in Africa. This is not a problem in itself,
because the computer will just collect data and flush the queue later - but if approval is required, the user is stuck.
This is where the PIN code comes in. If you look at the screen further up, you can see a link that says "I have a PIN code".
This link only appears, if you have approval mode on - and there is no internet.
Then the user can call your Help Desk over the phone and get a temporary PIN code that you can generate in the portal.
When the user clicks "I have a PIN code", the screen below appears and the user can start the administrator session without
Legacy applications / Whitelisting
Some legacy applications require local administrator rights, simply because they were written back in the day,
when everything was open and using the same folder for application files and data was the norm. You can make a
white-list of applications in the portal which will automatically elevate. You can also create blacklists
of programs you never want the user to run, such as cmd.exe or regedit.exe.
Maybe your company took over another company, so you have no idea, which applications users run as administrator
simply because they are legacy applications that do not run without admin rights. For this, we have a feature
called Learning Mode that you can configure in the portal. It's kind of a pre-production mode, where you install
the Admin By Request client, but it doesn't do anything but sit there and "listen" to which applications users
start as administrator. Then after a period of time, you can go through the collected list in the portal and click
a whitelist button on the relevant application. Once you are ready to go “live” you just disable Leaning Mode and
Admin By Request starts revoking admin rights.
The hidden risk of security solutions
Replacing Windows system files or components can lead to future problems because of Windows Updates, which could ultimately
break your OS installs to the extent that computers can no longer boot.
A significant advantage to the Admin By Request client software is that it does not change or replace any system files or components.
It uses only what is already built into Windows. It also does not consume any system resources, unless it is invoked.
Please review the videos below and check our FAQ page
. If this does not answer your question,
please feel free to contact us using the top menu. If you need to purchase a license, please contact us or use the Quote option at the top.