
The value proposition

You are probably reading this because you know you have a problem: either your company allows users to keep local administrator rights, or you have to do countless urgent remote installs. We can solve this for you with little effort and at the same time free up your IT resources.

We have customers with tens of thousands of computers who tried to implement whitelisting solutions, failed, and came to us, because with whitelisting you can only see the world in retrospect. You don't know what your users need today. Instead of speculating on this by creating whitelists and software packages ahead of time, Admin By Request works proactively the other way around. When your user has an administrator need, all they have to do is request permission via the Windows or Mac client software.

You can set Admin By Request to approve automatically or require IT staff to verify the request via the portal or real-time push to the app. Once a user has approval, the user gets a time-limited, real-time, local admin elevation to install the requested software. Once finished, you have a full audit trail of activity in the app and in the portal. Nothing needs to be installed on-premise. All you have to do is to install a small client program and configure your settings online.

Your users are never blocked from doing their job and you can use your scarce IT resources on more meaningful activities. It's win/win for you and your users. Contact us today for a live demo.

How it works

Admin By Request basically consists of a portal account and a small client program for Windows or Mac. Nothing needs to be installed or modified on-premise, so you can set this up for testing or proof of concept in minutes. Everything happens in the cloud. All data is collected in your cloud account and processed there. The collected data is mostly non-sensitive and we have a best-in-class Azure cloud setup to secure your data. If you have GDPR concerns or concerns about collection of sensitive data (user's name, email address and phone number), all these can be disabled at your preference. Refer to our SLA & Compliance page for more information on which data is collected and what it is used for.

You can get a free fully functional trial login right away by hitting the "Download" link at the top. With your portal login, you log in and download your client program (MSI for Windows or PKG for Mac) and configure settings and you're set. With your login, you can now see administrator sessions and approve requests. It is highly recommended to also install the free mobile app on your phone as a supplement to the portal for easier access to data and approving requests.

Requesting access

The user will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user's desktop (Windows) or in the dock (Mac). When the user needs to do something that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session.

[Screenshots: Request Admin rights (Windows and Mac)]

When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen. When you are signed in to the portal, you configure your settings, including whether or not you allow administrator access without approval. If you allow access without approval, the user becomes a time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app, and an email flow starts. In either case, the user will see the window below and must enter a reason for this need. You can disable the screen for users that do not require approval.

[Screenshots: Request Admin rights, reason entry (Windows and Mac)]

If your clients are joined to a domain, you can control who gets approved at a granular level, based on domain user/computer group or OU, using the sub settings in the portal. If you are using Azure AD only, you can filter by Azure groups. You can also choose to completely override cloud settings for approvals and all other settings on each machine by registry keys on Windows (see here) or a policy file on Mac (see here).

Approving access from the app

If the user is not auto-approved, a portal user with approval rights has to approve the request. The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval request to all approvers in real-time. When you press the Approve or Deny button, the user will receive an email with instructions. Emails can be customized with company-specific information, such as a Help Desk phone number. The app also provides great insight into what's going on, on a daily basis. Click the download icon under the screenshots on your iPhone, iPad or Android device to download the free app.


Approving access in the portal

You can also approve requests in the portal, instead of using the app. Typically, you would set up an email notification to all users that can approve requests, so the user doesn't have to wait longer than necessary. When you click the email link, it simply takes you to the "Requests" page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data. You then simply click Approve or Deny for each request, as you would in the app.

[Screenshot: Approving access]

Administrator session

If the user is auto-approved or the request has been accepted by you, the user can start the session. This happens on-the-fly without having to log off and on, and you can configure how long the user is administrator.

[Screenshots: Request Admin Approved (Windows and Mac)]

Once the user either stops the timer or the time runs out, data about the session will be uploaded to the portal. You can then see who had the session and when, which software was installed or uninstalled and, on Windows, which applications were run UAC elevated during the session.

Preventing abuse

So what prevents the user from abusing the system? The fact that the user has to ask IT for access will in itself prevent the most obvious abuse. But as part of your settings, you can also configure a Codes of Conduct page. Here you customize verbiage that suits your company policy, for example the penalty for using the administrator session for personal objectives. You can also choose to explain what you can monitor from the portal. When you enable the Codes of Conduct ("instructions") screen in the settings, this screen will appear right before the administrative session starts, as shown further up. You can also customize company name and logo for all screens, so there is no doubt this message is authentic and indeed from the user's own company. This is the configuration part of the portal, where you set authorization, company logo, policies, email communications, etc.:

[Screenshot: Codes of conduct]

Offline computers

Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client and all data going the other way is queued, so the user experience will be no different, whether the computer has internet or not.

PIN code

Computers work the same online or offline, except of course if you require approval and the computer is offline. Then no one will know the user has a pending request until the computer has an internet connection, at which time it will flush its upload queue. This would rarely be a real-world problem, but there are cases where a computer is offline for a long period of time with no option to get online. A good example is our customer Red Cross, which has workers going offline for weeks to a village in Africa. This is not a problem in itself, because the computer will just collect data and flush the queue later, but if approval is required, the user is stuck. This is where the PIN code comes in. If you look at the screen further up, you can see a link that says "I have a PIN code". This link only appears if you have approval mode on and there is no internet. Then the user can call your Help Desk over the phone and get a temporary PIN code that you can generate in the portal. When the user clicks "I have a PIN code", the screen below appears and the user can start the administrator session without internet.

[Screenshot: Request Admin PIN Code (Windows)]

Questions?

Please review the sections below for Windows or Mac, depending on which platform you are interested in. If you have questions, contact us using the chat or the contact menu at the top. You can find answers to frequently asked questions here.


Notes on Windows Client

User Account Control

User Account Control (UAC) is still enforced (if enabled) to maintain the extra layer of security. If the user needs to run an application elevated, the user still has to select "Run as administrator" and enter their own credentials. If the user starts Windows Installer or similar, the installer will automatically ask for elevation and trigger the UAC prompt to continue.

[Screenshot: Run TeamViewer setup as administrator]

Tampering protection

The administrators group and policy registry keys are snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session.
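
The snapshot-and-restore idea for the administrators group can be illustrated on its own. The PowerShell below is an added example, not Admin By Request's own code; the function names and the snapshot path are hypothetical, and it relies only on the built-in LocalAccounts cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added illustration: snapshot the local Administrators group, then revert drift.
# Function names and the snapshot path are hypothetical, not part of any product.

$AdminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$SnapshotPath  = Join-Path $env:ProgramData 'AdminGroupSnapshot.xml'  # assumed location

function Save-AdminGroupSnapshot {
    # Record members by SID so renamed accounts are still matched on restore.
    Get-LocalGroupMember -SID $AdminGroupSid |
        Select-Object Name, @{ n = 'Sid'; e = { $_.SID.Value } }, ObjectClass, PrincipalSource |
        Export-Clixml -Path $SnapshotPath
}

function Restore-AdminGroupSnapshot {
    param([switch]$ReportOnly)   # report drift without changing the group

    $baseline = @(Import-Clixml -Path $SnapshotPath)
    $current  = @(Get-LocalGroupMember -SID $AdminGroupSid |
        Select-Object Name, @{ n = 'Sid'; e = { $_.SID.Value } })

    # Members present now but absent from the snapshot were added during the session.
    $added   = @($current  | Where-Object { $_.Sid -notin $baseline.Sid })
    # Members in the snapshot but missing now were removed during the session.
    $removed = @($baseline | Where-Object { $_.Sid -notin $current.Sid })

    foreach ($m in $added) {
        Write-Warning "Added during session: $($m.Name) [$($m.Sid)]"
        if (-not $ReportOnly) {
            Remove-LocalGroupMember -SID $AdminGroupSid -Member $m.Sid
        }
    }
    foreach ($m in $removed) {
        Write-Warning "Removed during session: $($m.Name) [$($m.Sid)]"
        if (-not $ReportOnly) {
            Add-LocalGroupMember -SID $AdminGroupSid -Member $m.Sid
        }
    }
    # Return the drift so it can be logged or forwarded to a SIEM.
    [pscustomobject]@{ Added = $added; Removed = $removed }
}
```

A user who is administrator for the session can also modify a snapshot file on local disk, so a real deployment has to keep the baseline, or a hash of it, somewhere that user cannot write.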

Backdoor accounts

If the user has a local admin account that no one knows about, this is not a problem, because when a user logs on, rights are simply revoked. The reason all accounts are not revoked in general is that you may have service accounts that you want to continue to have administrative rights. Refer to our FAQ page for more information.

Legacy applications

Some legacy Windows applications require local administrator rights simply because they were written back in the day, when everything was open and using the same folder for application files and data was the norm, or because settings were mistakenly written to HKEY_LOCAL_MACHINE. This in effect prevents you from taking away administrator rights. But you can make a whitelist of applications with Admin By Request in the portal, which will automatically elevate these applications on-the-fly without users doing anything. You can also create blacklists of programs you never want the user to run, such as cmd.exe or regedit.exe.

Learning mode

Maybe your company took over another company, so you have no idea which legacy applications users have to run as administrator to work. For this, we have a feature called Learning Mode that you can configure in the portal. It's kind of a pre-production mode, where you install the Admin By Request client, but it doesn't do anything but sit there and "listen" to which applications users start as administrator. Then, after a period of time, you can go through the collected list in the portal and click a whitelist button on relevant applications. Once you are ready to go live, you simply disable Learning Mode again and Admin By Request starts revoking admin rights.

The hidden risk of security solutions

Replacing Windows system files or components can lead to future problems because of Windows Updates, which could ultimately break your OS installs to the extent that computers can no longer boot. A significant advantage to the Admin By Request client software is that it does not change or replace any system files or components. It uses only what is already built into Windows. It also does not consume any system resources, unless it is invoked.


Notes on Mac Client

Tampering protection

On Mac, tampering is not realistically possible. When users get an administrator session, the user's role is not actually changed from user to admin. The user is granted all administrator rights except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become a permanent administrator. Admin By Request is also the only program the user cannot uninstall, so the user cannot remove it to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored right away.

Downgrading users

Note that on Mac, users are not downgraded from the Admin to the User role by default, but this can be enabled through settings. The reason is that setups vary from company to company. A typical setup would be to have a fixed named Admin service account and then on each Mac have a specific User account for the end-user.

If you have users that are in the Admin role, you can enable the revoking admin rights setting. But you have to specify the name(s) of your service account(s) in the portal to avoid downgrading all accounts. There is a built-in "last admin check" to avoid cutting yourself off from servicing computers without Admin By Request. If revoking admin rights (downgrading from Admin to User) leaves no accounts left as Admin, the downgrade fails. The only exception is if the Mac is domain joined, in which case a domain administrator can always log on and this check is not done. Please refer to the Mac section of the frequently asked questions page for more information.

