Frequently asked questions
Q: How do I get started?
Click the "Download" menu and register for a trial.
The trial is 100% free and fully functional.
You will get a login, with which you can download an MSI file to install on your test computers.
Then go to "My Account" to configure settings and/or "My Computers" to find your clients.
Q: What happens to the local administrators group after I install the client?
If the computer is in a domain, Domain Users will be removed from the local administrators group right away.
That is all that happens initially. When a user then logs on, the user will be removed from the local
administrators group, if the user is an explicit member (not through a group). The reason all users are not
just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally
remove any proprietary service accounts.
Q: What happens to the local administrators group, when I uninstall the client?
In licensed mode, nothing happens. In trial mode, revoked accounts will be put back in the local administrators group.
Q: How can I prevent users from tampering with the software and making themselves permanent administrators?
The administrators group will be snapshotted before the session starts and restored after the session ends.
If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session.
If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that
Admin By Request cannot be uninstalled during an active session.
Q: How can we keep some domain users as local administrators?
Domain groups (except Domain Users) are not removed from the local administrators group. This means
that if a domain user logs on and is a member of a domain group that is in the local administrators group
(for example a Help Desk domain group), the user is always a local administrator.
In this case the tray icon is red and, when hovering over it, you can see the tool tip saying "You are logged on as administrator".
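A read-only check of what the two answers above describe, as an added example that is not Admin By Request's own code: it snapshots the local administrators group, lists members added since an earlier snapshot, and lists the domain groups whose members remain standing administrators. The function names and the sample snapshots are constructed for illustration.

```powershell
# Added example, not Admin By Request code. Function names are hypothetical.

function Get-AdminGroupSnapshot {
    # Resolve the group by its well-known SID so this also works on
    # non-English Windows, where the group is not named "Administrators".
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            SID    = $_.SID.Value
            Class  = "$($_.ObjectClass)"      # assumed 'User' or 'Group' (English Windows)
            Source = "$($_.PrincipalSource)"  # 'Local', 'ActiveDirectory', ...
        }
    }
}

function Compare-AdminGroupSnapshot {
    param([object[]] $Before, [object[]] $After)
    # Members present now but absent from the earlier snapshot.
    $known = @($Before | ForEach-Object { $_.SID })
    @($After | Where-Object { $_.SID -notin $known })
}

function Get-StandingAdminGroup {
    param([object[]] $Snapshot)
    # Domain groups other than Domain Users (RID 513) stay in the group,
    # so their members are always local administrators.
    @($Snapshot | Where-Object {
        $_.Class -eq 'Group' -and $_.Source -eq 'ActiveDirectory' -and
        $_.SID -notmatch '-513$'
    })
}

# Constructed sample snapshots (made-up names and SIDs), so the comparison
# can be run on any machine. On a real client use Get-AdminGroupSnapshot.
$before = @(
    [pscustomobject]@{ Name='PC01\Administrator'; SID='S-1-5-21-1-2-3-500';  Class='User';  Source='Local' }
    [pscustomobject]@{ Name='CORP\Help Desk';     SID='S-1-5-21-9-8-7-1604'; Class='Group'; Source='ActiveDirectory' }
)
$after = $before + [pscustomobject]@{ Name='CORP\jdoe'; SID='S-1-5-21-9-8-7-2210'; Class='User'; Source='ActiveDirectory' }

Compare-AdminGroupSnapshot -Before $before -After $after | Format-Table Name, Class
Get-StandingAdminGroup -Snapshot $before | Format-Table Name, SID
```

With the sample data, the comparison reports CORP\jdoe as the added member and the second call reports CORP\Help Desk as the group that grants standing administrator rights.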
Q: Do I need to approve each time a user wants administrator access?
No. You can use a setting under "My Account" to allow elevation without approval. In this case, you still get the benefits
of auditing: who elevated, when, and an audit log of installed software and executed applications. In auto-approval mode,
you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity.
You can (and should) also enable the Codes of Conduct message/screen that will appear just before the session starts.
The Codes of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing
Q: Are other customers typically using auto-approval mode?
Yes. The most typical pattern we see for new customers is that they start with approval required. Then after an initial period,
when the psychological effects on end users are clear and there is reassurance end users do not violate rules (see previous question),
they shift to auto-approval mode combined with reason requirement and Codes of Conduct screen. This is the point where the whole administrator
access issue is truly solved, because now the system and administrator access rest with end users without any administration work on the server side.
Q: Should I be concerned about performance impact on my machines?
No. When users do not use the application, it does not consume resources, except for a brief daily inventory and settings check.
Q: Is an internet connection required?
This may be surprising, but no. The client is only required to have an occasional internet connection (like a guest Wi-Fi anywhere).
The reason is, clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules
in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator
temporarily and will queue the data locally, such as time, installed applications, executed exe files as administrator and so on.
Once the client has an internet connection again, it will flush the queue to the cloud service and you will get all data.
This means that the client works exactly the same being online or offline. The only difference is the time you get the reporting data in the cloud service.
Q: What happens, if approval is required and the client does not have internet access?
In this case the client cannot allow the elevation and you cannot see an approval request. The client will intelligently determine that it is indeed offline,
and on the approval screen a note will automatically appear telling the user that the elevation can only happen if the user either finds an internet connection or,
if that is not possible, contacts IT and gets a daily PIN code. The PIN code is a code the client and server know without having communication.
The PIN code will appear in the left menu on computer details in the inventory, if you enable approval mode.
Q: Should I be concerned about internet bandwidth consumption?
Absolutely not. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and,
if the connection is bad, we don't want to consume bandwidth. Inventory data is collected intelligently, so only delta data is collected.
If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client
to the cloud service is minimal. If you take a random client and divide a month's traffic from typical use by the number of days, we are talking
about 5K of data per day. Put another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.
Q: How is the data transferred to the cloud service?
The data is transferred via port 80 to the cloud service. The reason the data is transferred via port 80 and not SSL port 443 is that,
if you transfer data over port 443, the data can be intercepted on the client side via a program like Fiddler. For this reason, we encrypt
the data in the core client application using 512-bit encryption and decrypt it on the server side. If you need more technical information about this, please contact us.
Q: How do you ensure that a third party does not intercept my data?
On the cloud service side, it is up to you to prevent access to your local data. The user access is entirely up to you. If someone passes credentials to a third party,
this is not something we can control. On the data transfer side, we guarantee that no one can intercept the data - see previous question.
Q: What should I do in terms of European GDPR legislation?
First of all, consider the data that is actually stored. This is not banking information, it's mostly basic inventory data, software lists and timestamps of operations.
The only sensitive data is the names of the owners of computers, which help you contact users. You have two options. One is to fulfil the documentation requirements and
keep this data in the service. In this case, use the contact menu and start a dialogue with us about your documentation needs to be compliant.
Two, in the settings area for clients, you can disable collection of user names, email addresses and phone numbers. You can also choose to obfuscate account names.
If you enable all these options, there is no personal data on our service. If you enable obfuscation, you will see a 32-byte alias of a user account that neither you
nor we can decode to an actual account name. This is of course impractical, because if you require approval, you are totally unaware who the user actually is and you have
no way to contact the user. In approval mode, someone writes to you to do something on a machine. Can this work for you? If you think this is the way to go, we would
recommend that you download a trial and try it yourself with these settings. A compromise could also be a way to go: for example, collect the actual account name,
but do not collect the full name, emails and phone numbers. You would then have to fall back on your own AD for contact info.
Q: How do I handle legacy applications that prevent us from removing users from the local admins group?
You can distribute a policy key for each application that needs to run as administrator and thereby remove the need for users to
be permanent administrators. If this policy is set for the exe file, elevation happens automatically for this application only, regardless of other settings.
Refer to the Policies top menu for more information.
Q: What if I need more complex group/OU rules?
You can overrule settings using Group Policy Objects, which would allow you to have different policies
for different users or computers. Refer to the Policies for more information.
Q: Can I install the Workstation edition on servers and Server edition on workstations?
You cannot install the workstation edition on a server.
But you can install the Server version on a workstation.
Q: How can you possibly know where my computers are?
When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data.
The expected accuracy is at a city level.
Q: Can it help me with stolen computers?
Yes. Once the machine is booted, you get the public IP address of the thief's router. The client does not require
anyone to log on to a computer to upload data, so when the thief turns on the computer, the inventory data is sent
transparently. You can now see the public IP address and upload time in your client view and give this to the police.
The police can then get the name and address of the IP address owner from the thief's internet service provider (ISP).
Q: What happens when I delete a computer?
The collected data associated with the computer is deleted. If the computer then turns out to be alive after all,
the computer will show up again and upload inventory data.