
The value proposition

You are probably reading this, because you know you have a problem. Either your company allows users to maintain local administrator rights or you have to do countless remote installs. We can solve this for you with little effort and at the same time free up your IT resources.

We have customers with tens of thousands of computers who tried to implement whitelisting solutions, failed and then came to us, because with whitelisting you can only see the world in retrospect. Your users will hate you for blocking their workday. Even with unlimited resources, no one can predict what your users need today. Instead of speculating on this by creating whitelists and software packages ahead of time, Admin By Request works proactively the other way around. If your user starts to install software, the client software intercepts this and installs the software - without the user being administrator. It's like the self-checkout at the supermarket.

You can allow the install or pause the process in real time and require IT staff to evaluate the request via the portal or a real-time push to the app. Once an install finishes, you have a full audit trail. You can also grant advanced users like developers a time-limited local admin session with security restrictions to perform advanced tasks.

Nothing needs to be installed on-premise. All you have to do is to install the client program and configure your settings online. No need to educate users. No need to waste time in IT for whitelists and remote software installs.

Contact us today for a live demo.

Lean Privileged Access Management

Admin By Request only consists of a portal account and a small client program for Windows or Mac. All you need to do is deploy the client program and you're set. It's that simple. There is no initial work for endless whitelists or on-premise installs. Nothing needs to be installed or modified on-premise and you can therefore literally set this up for proof of concept in minutes.

Try for free

You can get a free fully functional trial login right away by using the "Download" top menu. With your portal login, you download your Windows or Mac client program and configure settings and you're set. You can now see activity and approve requests. It is highly recommended to also install the free mobile app on your phone as a supplement to the portal for easier access to data and approving requests. If you prefer a personal one-on-one demo first, please contact us and we will set this up right away.

Sandboxed software installation

In most cases, users need admin rights to install or update software, such as WebEx, Adobe Reader or TeamViewer. With Admin By Request active, users' admin rights are revoked, but the user can still install software. When the user starts an installation, the process is intercepted and the user is (optionally) required to enter a reason before continuing to the actual installation.

Let's take a practical example. An employee needs to invite other people to a WebEx meeting and therefore needs to install the WebEx desktop app. But here is the problem - the desktop app requires admin rights to install. Let's assume the user has no special Windows skills, so the user will simply Google and download the install file and eventually get stuck in the browser without admin rights:

[Screenshot: WebEx Meeting Plugin]

But with Admin By Request installed, exactly the same happens - except the result is different. The user enters unprivileged credentials and the installation runs without the user actually being administrator. And you will know, because the installation is logged to the Auditlog menu here in the portal.

[Screenshot: WebEx Meeting Plugin]

This solves the local admin security problem. But the true value of this is not a technical one. Users do the same as they have always done, but they don't have admin rights to change anything on the machine. And because the user does the same as they have always done, no users are unhappy and no re-education of users is needed. Think for a second about the value of not having to re-educate all your users. Click the button below for more information on App Elevation.

App Elevation in detail

Requesting a session

Some expert users might have a need to do more than running applications as administrator. You can allow all or some of your users to request a protected administrator session that grants the user temporary administrator rights under full audit. If this is enabled, users will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user's desktop (Windows) or in the dock (Mac). When the user needs to do something that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session under full audit.

[Screenshots: Request Admin rights (Windows and Mac)]

When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen. When you are signed in to the portal, you configure your settings, including whether you allow administrator access without approval or not. If you allow access without approval, the user becomes time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app first. In either case, the user will see the screen below before starting and must enter a reason for this need. You can disable this screen for users that do not require approval.

[Screenshots: Request Admin rights (Windows and Mac)]

If the user is auto-approved or the request has been accepted by you, the session can start. This happens on-the-fly without having to log off and on and you can configure the maximum time the user is allowed to be administrator for.

[Screenshots: Request Admin Approved (Windows and Mac)]

Once the user either stops the timer or the time runs out, data about the session is uploaded to the portal. You can then see who had the session and when, which software was installed or uninstalled and, on Windows, which applications were run UAC elevated during the session.

Configuring Authorization

In the "Settings" menu in this portal, you can define authorization settings. You can differentiate these settings for users or computers based on their groups or Organizational Unit through the "Sub settings" menu. If you are using Azure AD only, you can filter by Azure groups. You can choose to completely overrule all cloud settings on client computers by registry policy keys on Windows (see here) and a policy file on Mac (see here).

[Screenshot: Request Admin right window]

Approving access from the app

If the user is not auto-approved, a portal user with approval rights has to approve the request. The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval request to all approvers in real time. When you press the Approve or Deny button, the user will receive an email with instructions. Emails can be customized with company-specific information, such as a Help Desk phone number. The app also provides great insight into what's going on, on a daily basis. Click the download icon under the screenshots on your iPhone, iPad or Android device to download the free app.

Approving access in the portal

You can also approve requests in the portal, instead of using the app. Typically, you would set up an email notification to all users that can approve requests, so the user doesn't have to wait longer than necessary. When you click the email link, it simply takes you to the "Requests" page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data. You then simply click Approve or Deny for each request, as you would in the app.

[Screenshot: Approving access]

Preventing abuse

So what prevents the user from abusing an Admin Session? The fact that the user has to request access from IT will in itself prevent the most obvious abuse. But as part of your settings, you can also configure a Codes of Conduct page. Here you customize verbiage that suits your company policy, for example what the penalty is for using the administrator session for personal objectives. You can also choose to explain what you can monitor from the portal. When you enable the Codes of Conduct ("instructions") screen in the settings, this screen will appear right before the administrative session starts, as shown further up. You can also customize company name and logo for all screens, so there is no doubt this message is authentic and indeed from the user's own company. This is the configuration part of the portal, where you set authorization, company logo, policies, email communications, etc:

[Screenshot: Codes of conduct]

Offline computers

Admin By Request works the same whether the computer is online or offline. Portal settings, domain groups and OU are cached on the client and all data going the other way are queued, so the user experience will be no different, whether the computer has internet or not.

PIN code

Computers work the same online or offline - except, of course, if you require approval and the computer is offline. Then no one will know the user has a pending request until the computer has an internet connection, at which time it will flush its upload queue. This would rarely be a real-world problem, but there are examples where a computer is offline for a long period of time with no option to get online. A good example is our customer Red Cross, which has workers going offline for weeks to a village in Africa. This is not a problem in itself, because the computer will just collect data and flush the queue later - but if approval is required, the user is stuck.

If the user makes a request and approval is required, the user is informed that the user either has to wait, seek internet (for example by connection sharing on the phone) or queue the request until there is internet. If the request is urgent and internet connectivity is impossible, the user can instead request a PIN code. If the user requests a PIN code, the user will see a 6 digit "PIN 1" code and must call, say, your Help Desk over the phone and get the matching 6 digit "PIN 2". PIN 2 is a one-time PIN code that is hashed from PIN 1, customer id and computer name. Therefore, in the odd chance that the same PIN 1 appears on a different computer, the PIN 2 is different.

[Screenshots: PIN Code (Windows and Mac)]
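
The PIN 1 / PIN 2 exchange described above can be sketched as a challenge-response scheme. This is an added example, not Admin By Request's own code or algorithm: the page does not name the hash, so the sketch assumes HMAC-SHA256 under a per-customer secret key, RFC 4226-style truncation to 6 digits and an attempt limit, and all function, class and parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets

DIGITS = 6  # the page describes 6-digit PIN 1 and PIN 2 codes


def encode_fields(pin1: str, customer_id: str, computer_name: str) -> bytes:
    """Length-prefix each field so ("12", "3") and ("1", "23") never collide."""
    fields = (pin1, customer_id, computer_name.upper())  # treat names as case-insensitive
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def derive_pin2(key: bytes, pin1: str, customer_id: str, computer_name: str) -> str:
    """Help Desk side: response PIN for the challenge the user reads out."""
    msg = encode_fields(pin1, customer_id, computer_name)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # RFC 4226-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class OfflineChallenge:
    """Client side: issues PIN 1 and accepts the matching PIN 2 only once."""

    def __init__(self, key, customer_id, computer_name, max_attempts=3):
        self.key, self.customer_id, self.computer_name = key, customer_id, computer_name
        self.attempts_left = max_attempts
        self.pin1 = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"

    def verify(self, pin2: str) -> bool:
        if self.pin1 is None or self.attempts_left <= 0:
            return False  # challenge already used or locked out
        self.attempts_left -= 1
        expected = derive_pin2(self.key, self.pin1, self.customer_id, self.computer_name)
        ok = hmac.compare_digest(expected.encode(), pin2.encode())
        if ok or self.attempts_left == 0:
            self.pin1 = None  # one-time: a fresh PIN 1 is needed next time
        return ok


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: per-customer secret, not from the page
    client = OfflineChallenge(key, "CUST-0001", "LAPTOP-042")  # constructed sample values
    pin2 = derive_pin2(key, client.pin1, "CUST-0001", "LAPTOP-042")
    print(client.pin1, "->", pin2, client.verify(pin2), client.verify(pin2))
```

Because the computer name and customer id are part of the keyed input, the same PIN 1 on another machine yields an unrelated PIN 2, and the key keeps PIN 2 from being computed from the three visible inputs alone.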


Questions?

Please review the sections below for Windows or Mac, depending on which platform you are interested in. If you have questions, please contact us using the chat or the contact menu at the top. You can find answers to frequently asked questions here.


Notes on Windows Client

The hidden risk of security solutions

Replacing Windows system files or components is dangerous and can lead to future problems because of Windows Updates, which could ultimately break your OS installs to the extent that computers can no longer boot. A significant advantage to the Admin By Request client software is that it does not change or replace any system files or components. It uses only what is already built into Windows and only interfaces well documented by Microsoft. And because of this, it also does not consume any resources at all, unless it is invoked.

User Account Control

User Account Control (UAC) is still enforced (if enabled) to maintain the extra layer of security. If the user needs to run an application during an Admin Session, the user still has to invoke "Run as administrator" directly or indirectly and enter their own credentials. This is intentional to avoid reducing the security level. Admin By Request does not replace or tap into UAC for the reasons stated in the previous section.

Tamper-protecting Admin Sessions

The administrators group and policy registry keys will be snapshotted before the session starts and restored after a session ends. The Local Users and Groups snap-in in Computer Management will also be removed during admin sessions. If the user finds other ways to manipulate users or groups in the administrators group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session.

Backdoor accounts

If the user has a local admin account that no one knows about, this is not a problem, because when a user logs on interactively, rights are simply revoked at logon. The reason all accounts are not revoked in general right away is that you may have service accounts that you want to continue to have administrative rights. Service accounts would not be used for interactive logons and therefore rights are never revoked. You can exclude specific interactive accounts from revocation. Refer to our FAQ page for more information.

Legacy applications

Some legacy Windows applications require local administrator rights, simply because they were written back in the day, when everything was open and using the same folder for application files and data was the norm. Or settings were mistakenly written to HKEY_LOCAL_MACHINE. This in effect prevents you from taking away administrator rights. But you can make a whitelist of applications with Admin By Request in the portal, which will automatically elevate these applications on-the-fly without users doing anything. You can also create blacklists of programs you never want the user to run, such as cmd.exe or regedit.exe.

Learning mode

Maybe your company took over another company, so you have no idea which legacy applications users have to run as administrator on Windows to do their work, and users cannot be expected to know that they would have to invoke "Run As Administrator" to make it work. For this, we have a feature called Learning Mode that you can configure in the portal. It's kind of a pre-production mode, where you install the Admin By Request client, but it doesn't do anything but sit there and "listen" to which applications users start as administrator. Then after a period of time, you can go through the collected list in the portal and click a whitelist button on relevant applications. Once you are ready to go live, you simply disable Learning Mode again and Admin By Request starts revoking admin rights.


Notes on Mac Client

Tampering protection

On Mac, tampering is not realistically possible. When users get an administrator session, the user's role is not actually changed from user to admin. The user is granted all administrator rights - except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become permanent administrator. The user also cannot uninstall Admin By Request (the only program for which this is the case) to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored right away.

Downgrading users

Note that on Mac, users are not downgraded from Admin to User role by default, but this can be enabled through settings. The reason is that setups vary from company to company. A typical setup would be to have a fixed named Admin service account and then on each Mac have a specific User account for the end-user.

If you have users that are in the Admin role, you can enable the revoking admin rights setting. But you have to specify the name(s) of your service account(s) in the portal to avoid downgrading all accounts. There is a built-in "last admin check" to avoid cutting yourself off from servicing computers without Admin By Request. If revoking admin rights (downgrading from Admin to User) leaves no accounts left as Admin, the downgrade fails. The only exception is if the Mac is domain joined, in which case a domain administrator can always log on and this check is not done. Please refer to the Mac section of the frequently asked questions page for more information.

