Home » Products » Admin By Request » How It Works


Admin By Request

How it works: Admin By Request Privilege Management. A simple to deploy, infrastructure free security solution for the control and management of local administrative rights on PC, Mac and Server.
Simply install the client program and configure your settings online. No need to educate users. No need to waste time in IT for whitelists and remote software installs.

• Greatly reduce the ability of malware and ransomware to propagate.

• Allow or block local admin rights for specific applications.

• Give time limited privilege elevation.

• Works both online or offline via PIN code token.

• Configurations for Cloud, Hybrid or On Premises.

• Ships with a fully integrated & comprehensive auditing, geographic asset tracking solution.

• Audit trail of user activity, admin logons & software installs.

• Action privilege elevation requests from your smart phone (iPhone/Android).

Admin By Request enables IT departments to identify local admin group usage, automate rights revocation and perform per request, time limited privilege elevation with full audit trail.

You will never need to remote control computers again to elevate user rights to perform tasks that require elevation such as installing drivers or software.


Why you need Admin By Request

Our solution completely removes the need for IT to perform disruptive and time consuming remote control sessions of staff computers. If your IT department is tied up continually with routine tasks such as printer drivers, VPN software and plugin installations then Admin By Request is the solution for you.

Contact us today for a live demo. Let us show you how to regain control of your local admin accounts.

How it works Admin By Request Privilege Management

Admin By Request consists of 2 parts:

  • On premise agent (Windows or Mac). This executes elevation requests and communicates configured information to the portal (e.g. logs, requests and settings). Portal communication is recommended but not mandatory.
  • Management portal. The collection of agent settings, computer inventory and elevation workflow requests in a secure enterprise class cloud hosted environment. The portal also enables free mobile app functionality. For a test or P.O.C. all that is required is a free trial account, Admin By Request requires no additional on-premises infrastructure (servers, databases etc…).

Sandboxed software installation

In many cases, a user needs admin rights to install or update software, such as WebEx, Adobe Reader or TeamViewer. 
For example, an employee needs to invite other people to a WebEx meeting and therefore needs to install the WebEx desktop app… but the desktop app requires admin rights to install. Let’s assume the user has no special Windows skills, so the user will simply Google and download the install file and eventually get stuck in the browser without admin rights: 

WebEx Meeting Plugin

With Admin By Request active, the user’s admin rights are revoked, but the user can still install software (dependent on settings). When the user starts an installation, the process is intercepted and the user has to optionally enter a reason to continue to the actual installation. 

WebEx Meeting Plugin

The user enters unprivileged credentials and the installation runs without the user actually being administrator. And you will know, because the installation is logged in the Auditlog menu in the portal. 

Request Admin right window

This solves the local admin security problem. But the true value of this is not a technical one. Users do the same as they have always done, but they don’t have admin rights to change anything on the machine. And because the user does the same as they have always done – no users are unhappy and no re-education of users is needed. Think about the value of not have to re-educate all your users for a second.

Privilege Elevation Requests

Some expert users might have a need to do more than running applications as administrator. You can allow all or some of your users to request a protected administrator session that grants the user temporary administrator rights under full audit. If this is enabled, users will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user’s desktop (Windows) or in the dock (Mac). When the user needs to do something that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session under full audit.

When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen. When you are signed in to the portal, you configure your settings, including whether you allow administrator access without approval or not. If you allow access without approval, the user becomes time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app first. In either case, the user will see the screen below before starting and must enter a reason for this need. You can disable this screen for users that do not require approval.



Configuring Authorization

In the “Settings” menu in the portal, you can define authorization settings. You can differ these settings for users or computers based on their groups or Organizational Unit through the “Sub settings” menu. If you are using Azure AD only, you can filter by Azure groups. You can choose to completely overrule all cloud settings on client computers by registry policy keys on Windows and a policy file on Mac.Request Admin right window

Approving access in the App

If the user is not auto-approved, a portal user with approval rights has to approve the request. The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval request to all approvers in real-time. When you press the Approve or Deny button, the user will receive an email with instructions. Emails can be customized with company specific information, such as a Help Desk phone number. The app also provides a great insight to what’s going on a daily basis.

Discover more about the app here…

Approving access in the portal

You can also approve requests in the portal, instead of using the app. Typically, you would set up an email notification to all users that can approve requests, so the user doesn’t have to wait longer than necessary. When you click the email link, it simply takes you to the “Requests” page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data. You then simply click Approve or Deny for each request, as you would in the app.

Approving access

Elevated Session

The user can start their elevated session if they are auto-approved or the request has been accepted in the portal workflow.

Logging off is not required to gain elevation and at session start they are presented with a count-down timer (configure duration).

Session details are uploaded to the portal once the user either stops the timer or the time runs out. Audit the session details in the portal (via webpage or mobile app), for example which software was installed or uninstalled and which applications were run UAC elevated (Windows only) during the session.



Learning Mode

Learning Mode records elevation activity without enforcing rights removal, an ideal technique for initial roll out/discovery phase. Easily white or black list applications once application elevation activity is “learnt in”.
A report of all elevation activity is also easily exportable for auditing purposes.

Asset segmentation and workflow delegation

Within the portal you can group and filter assets per department in order to delegate request processing.
Admin By Request clients that require common settings (differing from global default settings) can be grouped into sub settings via the portal. Different departments could be set with different elevation request email recipients for example.
Restrict a portal user so that they can only view the assets relevant to them by configuring the portal with multiple admin accounts with filters.

Offline Computers

Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client, when offline, elevation logs are stored locally on the client and synced with the portal when the client is next online.

If a computer is offline and a user requires approval then they have the ability to obtain a temporary PIN code by contacting an IT administrator/ help desk with portal access where the codes are generated. Each PIN code is unique for each client and is valid for that day only.

PIN Code

Audit & Asset Tracking

Included as standard is a powerful tracking, auditing and inventory solution that requires absolutely no additional configuration to setup.

The inventory system provides a filterable view of all Admin By Request enabled computers, providing centralised reporting of Software, Hardware, Administrators and Cloud Jobs (various exports to PDF, XLS, CSV, RTF):

Computer name, logged in user name, domain, OU, Computer type, Teamviewer ID System install date, hardware manufacturer, Model, Serial Number FSH version CPU type, Speed, Disk Size, Disk Free, Disk Status, RAM Geographic location city, region and country (link to Google maps) Operating System, Architecture and Service Pack / Build Public IP address, IP Hostname, Private IP, MAC address, network speed Primary monitor resolution and number of monitors.
Each application installed on that system includes a breakdown of version number, install date, size and architecture.

Discover more about audit and asset tracking here…

Preventing abuse

Admin By Request comes with a suite of advanced anti tampering functionality. Once installed Admin By Request will be the only means by which a user can gain privileged elevation. The user also receives a customisable code of conduct message. That an audit is taking place and a display of the company policy, for example.

Codes of conduct