When a user has a need to install software, the user either starts the installation and let Admin By Request intercept the installation
or invokes the Windows "Run As Administrator" feature. This is called "Run As Admin" and is explained here
If the user has a need to do something advanced, the user has to request an administrator session, as explained on
In both scenarios, the user experience is either:
- Computer shows denied right away (disallowed)
- It works right away (allowed + approval not required + reason not required)
- Have to enter a reason and then it works (allowed + approval not required + reason required)
- Have to enter a reason and wait for approval (allowed + approval required + reason required)
You configure these rules in your portal account settings and you can also configure different rules based on Active Directory user or computer groups or OU.
This is called subsettings. An example could be to allow developers to use both Run As Admin and Administrator Sessions without approval,
but only allow Run As Admin for customer relations and sales - and always only by approval. In all cases, the approval flow is as follows for both
Run As Admin and Administrator Sessions:
Naturally in any organization, you would not want the same rules for all employees. You may have anything from expert IT users
to external personnel that would have no reason to do anything on a computer. The way you solve this is
that you set default settings, also known as Global Settings. These would typically be the most restrictive to handle
a case, where a user or computer by mistake is not in any groups or OUs of any subsetting. This is the Authorization
page of Global settings from the portal "Settings" menu:
In the portal, you have a submenu called "Subsettings". Subsettings is for defining other rules than the Global/default for some users or computers.
When you create a new subsetting, you must enter the scope of the subsettings. The scope is based on the user or computer and can be
one or more groups and/or one or more OUs.
All settings can be overruled in subsettings. In this case, you would want to enter different rules under "Authorization" than the Global settings.
You may wonder, if this works of the LAN, as it is based on Active Directory. It does - because computers cache this information encrypted for
usage off the LAN. This means that all your changes are real-time and not depending on laptops visiting your LAN from time to time.
If Run As Admin or Admin Session is not allowed and user is shown an access denied message, it is possible to use a PIN code. The PIN code option is
also shown, when a computer is totally offline (no internet connection) and approval is required. The PIN code can be found in the inventory for the
given computer and can overrule the settings. A scenario could be when a Help Desk employee is doing a remote control of a user's computer and needs
to perform the operation without logging off and on. This is explained in greater detail on this page
Approving a request
When approval is required, the request is pushed to the mobile app in real-time. An administrator can then press either Approve or Deny without
unlocking the phone or click the notification message for more information. The mobile app is explained in greater detail here
The same requests will appear in the portal under "Requests". If you are not using the app, you can set up an email notification
to administrators in the Authorization section of your portal settings to be notified of new entries in the requests list.
If you have questions not answered on this page, please contact us using the chat or the contact menu at the top.