• Greatly reduce the ability of malware and ransomware to propagate.
• Allow or block local admin rights for specific applications.
• Give time limited privilege elevation.
• Works both online or offline via PIN code token.
• Configurations for Cloud, Hybrid or On Premises.
• Ships with a fully integrated & comprehensive auditing, geographic asset tracking solution.
• Audit trail of user activity, admin logons & software installs.
• Action privilege elevation requests from your smart phone (iPhone/Android).
Why you need Admin By Request
Our solution completely removes the need for IT to perform disruptive and time consuming remote control sessions of staff computers. If your IT department is tied up continually with routine tasks such as printer drivers, VPN software and plugin installations then Admin By Request is the solution for you.
Contact us today for a live demo. Let us show you how to regain control of your local admin accounts.
How it works Admin By Request Privilege Management
Admin By Request consists of 2 parts:
- On premise agent (Windows or Mac). This executes elevation requests and communicates configured information to the portal (e.g. logs, requests and settings). Portal communication is recommended but not mandatory.
- Management portal. The collection of agent settings, computer inventory and elevation workflow requests in a secure enterprise class cloud hosted environment. The portal also enables free mobile app functionality. For a test or P.O.C. all that is required is a free trial account, Admin By Request requires no additional on-premises infrastructure (servers, databases etc…).
Sandboxed software installation
In many cases, a user needs admin rights to install or update software, such as WebEx, Adobe Reader or TeamViewer.
For example, an employee needs to invite other people to a WebEx meeting and therefore needs to install the WebEx desktop app… but the desktop app requires admin rights to install. Let’s assume the user has no special Windows skills, so the user will simply Google and download the install file and eventually get stuck in the browser without admin rights:
With Admin By Request active, the user’s admin rights are revoked, but the user can still install software (dependent on settings). When the user starts an installation, the process is intercepted and the user has to optionally enter a reason to continue to the actual installation.
The user enters unprivileged credentials and the installation runs without the user actually being administrator. And you will know, because the installation is logged in the Auditlog menu in the portal.
This solves the local admin security problem. But the true value of this is not a technical one. Users do the same as they have always done, but they don’t have admin rights to change anything on the machine. And because the user does the same as they have always done – no users are unhappy and no re-education of users is needed. Think about the value of not have to re-educate all your users for a second.
Privilege Elevation Requests
Some expert users might have a need to do more than running applications as administrator. You can allow all or some of your users to request a protected administrator session that grants the user temporary administrator rights under full audit. If this is enabled, users will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user’s desktop (Windows) or in the dock (Mac). When the user needs to do something that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session under full audit.
When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen. When you are signed in to the portal, you configure your settings, including whether you allow administrator access without approval or not. If you allow access without approval, the user becomes time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app first. In either case, the user will see the screen below before starting and must enter a reason for this need. You can disable this screen for users that do not require approval.
In the “Settings” menu in the portal, you can define authorization settings. You can differ these settings for users or computers based on their groups or Organizational Unit through the “Sub settings” menu. If you are using Azure AD only, you can filter by Azure groups. You can choose to completely overrule all cloud settings on client computers by registry policy keys on Windows and a policy file on Mac.
Approving access in the App
If the user is not auto-approved, a portal user with approval rights has to approve the request. The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval request to all approvers in real-time. When you press the Approve or Deny button, the user will receive an email with instructions. Emails can be customized with company specific information, such as a Help Desk phone number. The app also provides a great insight to what’s going on a daily basis.
Approving access in the portal
You can also approve requests in the portal, instead of using the app. Typically, you would set up an email notification to all users that can approve requests, so the user doesn’t have to wait longer than necessary. When you click the email link, it simply takes you to the “Requests” page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data. You then simply click Approve or Deny for each request, as you would in the app.
The user can start their elevated session if they are auto-approved or the request has been accepted in the portal workflow.
Logging off is not required to gain elevation and at session start they are presented with a count-down timer (configure duration).
Session details are uploaded to the portal once the user either stops the timer or the time runs out. Audit the session details in the portal (via webpage or mobile app), for example which software was installed or uninstalled and which applications were run UAC elevated (Windows only) during the session.
Learning Mode records elevation activity without enforcing rights removal, an ideal technique for initial roll out/discovery phase. Easily white or black list applications once application elevation activity is “learnt in”.
A report of all elevation activity is also easily exportable for auditing purposes.
Asset segmentation and workflow delegation
Within the portal you can group and filter assets per department in order to delegate request processing.
Admin By Request clients that require common settings (differing from global default settings) can be grouped into sub settings via the portal. Different departments could be set with different elevation request email recipients for example.
Restrict a portal user so that they can only view the assets relevant to them by configuring the portal with multiple admin accounts with filters.
Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client, when offline, elevation logs are stored locally on the client and synced with the portal when the client is next online.
If a computer is offline and a user requires approval then they have the ability to obtain a temporary PIN code by contacting an IT administrator/ help desk with portal access where the codes are generated. Each PIN code is unique for each client and is valid for that day only.
Audit & Asset Tracking
Included as standard is a powerful tracking, auditing and inventory solution that requires absolutely no additional configuration to setup.
The inventory system provides a filterable view of all Admin By Request enabled computers, providing centralised reporting of Software, Hardware, Administrators and Cloud Jobs (various exports to PDF, XLS, CSV, RTF):
Computer name, logged in user name, domain, OU, Computer type, Teamviewer ID System install date, hardware manufacturer, Model, Serial Number FSH version CPU type, Speed, Disk Size, Disk Free, Disk Status, RAM Geographic location city, region and country (link to Google maps) Operating System, Architecture and Service Pack / Build Public IP address, IP Hostname, Private IP, MAC address, network speed Primary monitor resolution and number of monitors.
Each application installed on that system includes a breakdown of version number, install date, size and architecture.
Admin By Request comes with a suite of advanced anti tampering functionality. Once installed Admin By Request will be the only means by which a user can gain privileged elevation. The user also receives a customisable code of conduct message. That an audit is taking place and a display of the company policy, for example.