Admin By Request Concept
The problem most companies are still facing is that users need to be local administrators, typically to install software or to run legacy applications.
And to some extent, the local administrator rights are abused for personal reasons.
To totally avoid this, you (the IT department) would have to script every piece of software any user may need - or alternatively, you would have to manually install
software for all users. Both are extremely time-consuming, and therefore the pragmatic solution is often to let users be local administrators
and hope for the best with User Account Control (UAC). Although UAC along with protective software does prevent most viruses, malware and ransomware from being installed,
attacks happen anyway. Here is why. What would your users do if they saw this?
Java? Yes, I probably need that. All it takes is one user clicking "Yes". Think about that for a minute.
The user is not aware that there has to be a valid certificate from "Oracle America, Inc" for it to be the file they expected,
nor can they be expected to know that. The file in the image might very well be Russian malware.
This is why you need Admin By Request (ABR). When you install ABR on clients, users are no longer local administrators by default,
unless you give them a "window". When a user wants to be administrator, the user has to request such a window from you first.
If the user has a legitimate reason, such as the need to install AutoCAD for a new employee, you can approve the access.
You do not need to remote into the computer to do the actual work, and you can always audit that the user actually did just that and only that.
The user will see an icon in the system tray, which is green when the user is not an administrator.
If the user needs to be administrator, the user has to right-click it to request permission.
User interfaces and email communications are automatically localized from English to German, Danish, Spanish and French.
More languages will be added in the future.
When the user does this, two things can happen. Under "My Account" on this web site, you decide whether to always allow
administrator access without pre-approval. This is called Audit Only mode and can still make sense,
because the user is still under full audit. In this mode, the user becomes administrator under audit right away (see further down).
You can also decide that you must approve each request for administrative access. This is called Admin By Request mode, hence the product name.
In this mode, the user will see this window and will have to send a request to you with a reason for this need.
Approving Access in Admin By Request Mode
If you are using Admin By Request mode, you will receive a notification email that a user has requested administrative access.
When you click the link in the email on your phone or computer (or select "Pending Approvals" under "My Account"), you will see a list of pending requests,
including contact information and computer data. You must then simply click the Approve or Deny button for each request.
When you press either button, the user will receive an email with instructions. You can also pre-approve a session by locating a computer in
the inventory and setting a pre-approval token.
Once you have approved the request, the user can start the session. If Audit Only mode is used, the session starts right away.
Under "My Account", you can configure how long the user is administrator. The user will clearly see that he or she is a temporary administrator and must be careful.
When the timer starts, the user has the option
to run applications elevated, just as a "real" administrator can. If the user needs to run an application elevated, he or she still has to select "Run as administrator" and enter his or her own credentials.
Once the user either stops the timer or the time runs out, the information will be uploaded to this website, so you can see when the window
was started and stopped. You can also see which software was installed during the window and a complete list of administrator usage
on any given computer, which you can export to Excel, a PDF file or a CSV file, in case someone outside IT needs to audit.
Some legacy applications require local administrator rights, simply because they were written back in the day, when everything was
open and using the same folder for application files and data was the norm. You can make a white-list of applications that will
elevate automatically. Refer to the policies page for more information.
The administrators group will be snapshotted before the session starts and restored after the session ends.
If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session.
If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that
Admin By Request cannot be uninstalled during an active session.
A user might need to be administrator offline (meaning without internet connection). In this case, the Admin By Request mode window
will always appear - even in Audit Only mode - simply because it's impossible to know what the current configuration is in your portal
account. Once the user is online, the request will be sent. If at this time, it is detected that Audit Only mode is used, the user will
be auto-approved the same way as if you manually clicked "Approve". You can, however, force Audit Only mode using
OfflineMode and AutoApprove policies.
If the need to be administrator is urgent and the user cannot get online for whatever reason, the user can click the PIN code
link on the Admin By Request form. The user has to call you to get this PIN code, which you find in the computer details in the inventory.
It's a daily PIN code that is unique for this computer on that day. Once the correct PIN code is entered, the window starts.
The PIN code is hashed from the computer name, your license ID and the date. Therefore, the same PIN code can be generated by the client and
the portal without a connection.
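The following is an added sketch, not Admin By Request's actual algorithm (which this page does not specify), of how a client and a portal can each derive the same daily PIN without talking to each other. HMAC-SHA256, the 6-digit length, the name normalisation, the function names and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
from datetime import date, timedelta

PIN_DIGITS = 6  # assumed length; the page does not state one


def daily_pin(computer_name: str, license_id: str, day: date) -> str:
    """Derive a per-computer, per-day PIN from the three inputs the page names.

    In this sketch the license ID is the HMAC key: computer name and date
    are guessable, so it is the only input that acts as a shared secret.
    """
    # Normalise so client and portal hash byte-identical input.
    message = f"{computer_name.strip().upper()}|{day.isoformat()}".encode("utf-8")
    digest = hmac.new(license_id.encode("utf-8"), message, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) down to a short decimal code.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**PIN_DIGITS:0{PIN_DIGITS}d}"


def verify_pin(entered: str, computer_name: str, license_id: str, day: date) -> bool:
    """Client-side check; constant-time compare avoids leaking matching digits.

    A short PIN also needs an attempt limit around this call (not shown).
    """
    expected = daily_pin(computer_name, license_id, day)
    return hmac.compare_digest(entered.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    name, lic, today = "WS-0421", "LIC-EXAMPLE-0001", date(2024, 3, 1)
    portal_pin = daily_pin(name, lic, today)        # read out over the phone
    print("portal shows:", portal_pin)
    print("client accepts today:", verify_pin(portal_pin, "ws-0421 ", lic, today))
    print("client accepts tomorrow:",
          verify_pin(portal_pin, name, lic, today + timedelta(days=1)))
```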
Please review the video below and check our FAQ page. If this does not answer your question,
please feel free to contact us using the top menu. If you need to purchase a license, please contact us and use the Quote options.
The video below goes through the system from the end user's perspective. Feel free to contact us for a live demo.