
Frequently asked questions

If your question is not answered here, feel free to contact us

GETTING STARTED

Click the "Download" top menu and register for a trial. The trial is 100% free and fully functional. You will get a login, where you download an MSI file to install on your test computers. Use these credentials to sign in at the top and set the settings as you like. After login, you will also see an audit log and a full software and hardware inventory of your clients. The mobile app is free.


WINDOWS CLIENT


If the computer is in a domain, Domain Users will be removed from the local administrators group right away. That is all that happens initially. When a user then logs on, the user will be removed from the local administrators group unless:
  • You have unchecked the "Revoke admins rights" in the portal settings
  • The user is in the list of excluded accounts in the portal settings
  • The user is a member of a group that is in the local administrators group (such as domain admins)
The reason all users are not just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally remove any service accounts.
The users and groups administration will be removed entirely from Computer Management during an administrator session. Even if the user still manages to tamper with the local administrators group, the administrators group is snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrators group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper with policy keys, these are also snapshotted and restored after sessions.
Domain groups (except Domain Users) are not removed from the local administrators group. This means that if a domain user logs on and is a member of a domain group that is in the local administrators group (for example a Help Desk domain group), the user is always local administrator. In this case the tray icon is red and, when hovering over it, you can see the tooltip saying "You are logged on as administrator". You can also specify specific user accounts to exclude in the portal settings.
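The snapshot-and-restore behaviour and the domain-group exception described above can be checked independently on a test machine. The following is an added example, not Admin By Request's own code: it uses the built-in LocalAccounts cmdlets, and the function names and the snapshot path are hypothetical.

```powershell
# Added example (not vendor code): snapshot BUILTIN\Administrators and report drift.
# Get-AdminMember, Save-AdminSnapshot, Compare-AdminSnapshot and the CSV path are hypothetical.
$AdminsSid    = 'S-1-5-32-544'                       # well-known SID, locale independent
$SnapshotPath = Join-Path $env:ProgramData 'admins-snapshot.csv'

function Get-AdminMember {
    # Flatten each member to plain strings so it round-trips through CSV.
    Get-LocalGroupMember -SID $AdminsSid | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            SID         = $_.SID.Value
            ObjectClass = $_.ObjectClass              # 'User' or 'Group'
            Source      = [string]$_.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

function Save-AdminSnapshot {
    param([string]$Path = $SnapshotPath)
    Get-AdminMember | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-AdminSnapshot {
    param([string]$Path = $SnapshotPath, [switch]$Restore)
    $before  = @(Import-Csv -Path $Path)
    $now     = @(Get-AdminMember)
    # Compare by SID, not by name, so renamed accounts are still matched.
    $added   = @($now    | Where-Object { $_.SID -notin $before.SID })
    $removed = @($before | Where-Object { $_.SID -notin $now.SID })

    $added   | ForEach-Object { Write-Warning "Added since snapshot: $($_.Name) [$($_.ObjectClass)]" }
    $removed | ForEach-Object { Write-Warning "Removed since snapshot: $($_.Name) [$($_.ObjectClass)]" }

    if ($Restore) {   # changing group membership requires an elevated prompt
        foreach ($m in $added)   { Remove-LocalGroupMember -SID $AdminsSid -Member $m.SID }
        foreach ($m in $removed) { Add-LocalGroupMember    -SID $AdminsSid -Member $m.SID }
    }
    [pscustomobject]@{ Added = $added; Removed = $removed }
}

# Usage: run Save-AdminSnapshot before a session and Compare-AdminSnapshot after it.
```

Members with ObjectClass `Group` in the output are the entries through which a domain user stays local administrator, as described above.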
Yes
Yes
You can whitelist applications to automatically elevate when the user starts the program in question. You simply enter the path to the program and that's it. If you are not sure which applications are problematic, you can use Learning Mode; see the next section.
Learning Mode helps you identify programs that require administrator rights to use, before you take away users' admin rights. When deploying Admin By Request, users are removed from the local administrators group when Learning Mode is not enabled. Before revoking these rights, you can enable Learning Mode in the portal settings, which will instead detect which applications users actually run as administrator and collect them in a candidate list in the portal. When you see the list in the portal, as it is collected from clients, you can simply press a button on each candidate program and choose whitelist or hide. When Learning Mode is on, the user is still administrator and the tray icon will be a green plus.
In the portal, you have settings for Workstations and Servers. These are the default settings. You can then define overruling settings based on computer or user groups and/or Organizational Unit(s). A common scenario would be to require approval for all users, except users in the IT department, who are allowed to elevate without permission.
Please refer to the Application log in the Windows event log.
You cannot install the workstation edition on a server. But you can install the Server version on a workstation.
In licensed mode, nothing happens. In trial mode, revoked accounts will be put back in the local administrators group.


MAC CLIENT


When a user logs on, the account will be downgraded from Admin to User unless:
  • You have unchecked the "Revoke admins rights" in the portal settings
  • The user is in the list of excluded accounts in the portal settings
  • The computer is domain joined and the user is domain admin
If you log on and expect the user account to be downgraded from Admin to User, but it doesn't happen and the icon appears red in the toolbar, you are most likely hitting the "Last Admin Check". You can confirm this by clicking the red icon. The intention of this check is to make sure you always have a service account. If you don't have at least one admin account, you cannot change, modify or delete user accounts on the computer and you can never uninstall Admin By Request.

If you use the "Revoke admins rights" option to revoke user rights, all user accounts will be downgraded from Admin to User, when they log on. In the portal settings, you can specify user accounts that are excluded. These would typically be service accounts for a Help Desk or similar. If no excluded accounts are specified and the machine is not joined to Active Directory, the revoke will not be executed for the last administrator and it falls under the "Last Admin Check".
That is not a concern. When users get an administrator session, the user's role is not actually changed from user to admin. The user is granted all administrator rights, except the right to add, modify or delete user accounts. Therefore, there is no case where the user can create a new account or change their own role and become permanent administrator. The user also cannot uninstall Admin By Request, the only program that cannot be uninstalled, in order to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored right away.
Users can install programs requiring admin rights, install drivers and change system settings other than user administration. Users cannot run sudo or add, remove or modify user accounts.
You can put overruling settings on machines to overrule default settings. Refer to this page for instructions.
Run the uninstall program /Library/adminbyrequest/uninstall. The program cannot be run during an Admin By Request administrator session.
You can find the error log under /var/log/adminbyrequest.log.


PORTAL


No. You can use a setting after sign in to allow elevation without approval. In this case, you still get the benefits of auditing: who elevated, when, and an audit log of installed software and executed applications. In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Codes of Conduct message/screen that will appear just before the session starts. The Codes of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.
Yes. The most typical pattern we see for new customers is that they start with approval required. Then after an initial period, when the psychological effects on end users are clear and there is reassurance end users do not violate rules (see previous question), they shift to auto-approval mode combined with reason requirement and Codes of Conduct screen. This is the point where the whole administrator access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.
Yes, in the portal, you can create more logins for more people. You can also define which roles they have, such as access to the audit log and whether the person is allowed to approve requests.
You can create a portal user account that can only see the audit log and optionally the inventory. No other data will be visible.
You can set a scope for portal logins to only see part of the data based on the end user or computer groups and/or Organizational Units. For example, a sales manager can be set up to only see users and computers in sales. He will then only get approval requests from his own staff. You can also set up the manager to not have approval ability, but only the ability to see the audit log for his own staff.
Yes. You can set a scope for portal logins to only see and approve part of the data based on the end user or computer groups or Organizational Units. For example, an administrator in a region could be set up to only see and approve requests and data from computers in his own scope, assuming for example that all computers are in a specific Organizational Unit.
You simply create a user account that cannot approve requests. This way, your customer can see the data you choose without the ability to approve requests.


PERFORMANCE


No. When users do not use the application, it does not consume resources, except for a brief daily inventory and settings check.


LICENSING


It is licensed by number of computers running the client software. Contact us for pricing.
No. You buy a number of Workstation licenses and these can freely be mixed between Windows and Mac clients.


CONNECTIVITY


This may be surprising, but no. The client is only required to have an occasional internet connection (like a guest Wi-Fi anywhere). The reason is that clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator temporarily and will queue the data locally, such as time, installed applications, exe files executed as administrator and so on. Once the client has an internet connection again, it will flush the queue to the cloud service and you will get all data. This means that the client works exactly the same being online or offline. The only difference is the time you get the reporting data in the cloud service.
In this case the client cannot allow the elevation and you cannot see an approval request. The client will intelligently determine it is indeed offline and, on the approval screen, a note will automatically appear telling the user the elevation can only happen if the user either seeks an internet connection or, if not possible, contacts IT and gets a daily PIN code. The PIN code is a code the client and server know without having communication. The PIN code will appear in the left menu on computer details in the inventory, if you enable approval mode.
Absolutely not. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and, if the connection is bad, we don't want to consume bandwidth. Inventory data is collected intelligently, so only delta data is collected. If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client to the cloud service is minimal. If you take a random client and divide the traffic from typical use for a month by the number of days, we are talking about 5K of data per day. Or said in another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.
When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data. The expected accuracy is at a city level.


SECURITY


Please refer to our SLA & Compliance for more information.
Please refer to our SLA & Compliance for more information.
Please refer to our SLA & Compliance for more information.
Yes. Please refer to our Data Processing Agreement and Privacy Statement for GDPR compliance and to our SLA & Compliance for more general information.
Yes. Once the machine is booted, you get the public IP address of the thief's router. The client does not require anyone to log on to a computer to upload data, so when the thief turns on the computer, the inventory data is sent transparently. You can now see the public IP address and upload time in your client view and give this to the police. The police can then get the name and address of the IP address owner from the thief's internet service provider (ISP).
The collected data associated with the computer is deleted. If the computer then turns out to be alive after all, the computer will show up again and upload inventory data.


MOBILE APP


Yes
The iPhone app works on iOS 10.0+. The Android version works on version 4.4+ (KitKat).