Least privilege principles, Just-In-Time elevation

Endpoint Privilege Management


The Value Proposition

You're probably reading this because you know you have a problem. Either your company allows users to maintain local administrator rights, or your Helpdesk has to do countless remote installs. We can solve both issues for you with little effort, and at the same time, free up your IT resources.

We have customers with tens of thousands of users who have tried to implement allowlist solutions but have failed and come to us - because even with unlimited resources, it’s impossible to predict what your users need today. Speculating on allowlists in advance takes time and effort, and users will hate you for blocking their workday when you get it wrong.

Instead of relying on speculation, our Endpoint Privilege Management solution works proactively the other way around.

If a user starts to install software, the Admin By Request client intercepts and installs the software with a full audit trail - without the user ever being elevated to administrator. Think of it as a self-checkout at the supermarket.

It is also safer than traditional allowlist solutions; just because an administrator adds a file to an allowlist, that doesn't mean it is safe. We scan files in real time with more than 35 anti-virus engines before allowing those files to run with administrative privileges.

Nothing needs to be installed or changed on-premises. Users do not need to be re-educated, and no one in IT needs to create endless allowlists or spend hours on remote installs. All you have to do is to deploy the Admin By Request endpoint security software. This ease of use is why we are the fastest growing EPM solution in the world.

Let us show you.

FAQs

Endpoint Privilege Management (EPM) is a form of Privileged Access Management (PAM) that controls administrative privileges across endpoints. Rather than requiring permanent admin rights, EPM provides just-in-time privilege elevation with audit trails. This eliminates the common dilemma of choosing between giving users full admin access or forcing them to submit tickets for every software installation. EPM significantly improves endpoint security because when malware compromises an endpoint, it can only operate with standard user privileges instead of full administrative control. 

Admin By Request EPM intercepts privilege requests at the system level and elevates only the specific application or process that needs admin rights, not the entire user session (when using Run as Admin – single app elevation). This sandboxed approach allows users to install software autonomously while maintaining policy enforcement. You get two elevation modes: Run As Admin for individual applications and Admin Session for time-limited full administrative access. 

Our EPM product includes allowlist capabilities through Pre-Approval, where administrators can create policies based on file location, vendor certificates, or checksums. What sets us apart is flexibility in how these allowlists are built and maintained. Machine learning automatically adds frequently approved applications to allowlists, AI approval uses application popularity scores, and you can quickly pre-approve applications directly from audit logs. You can start with traditional allowlist approaches but evolve to more dynamic, data-driven policies. 

Yes, Admin By Request EPM works whether endpoints are online or offline. Portal settings and elevation logs are cached locally on each device and sync when connectivity is restored. For offline scenarios requiring manual approval, administrators can generate unique PIN codes that users enter to complete their elevation requests. This ensures business continuity even when devices can’t reach the corporate network. 

Admin By Request EPM includes a Break Glass feature that generates a one-time, time-limited full local admin account on any endpoint with a single click. This enhanced LAPS solution is ideal for emergency situations where a user becomes disconnected from the directory and no permanent admin account exists on the device. Break Glass accounts are fully logged in the portal, and all processes elevated under these accounts are audit logged for complete visibility. 

Endpoint Privilege Management includes audit and asset tracking features as standard. Every privilege elevation is logged with detailed information including user identity, application details, timestamps, and approval decisions. The system provides filterable views of all managed computers, reporting of installed software and hardware, and API access for integration with SIEM tools. All elevation activity can be exported in PDF, XLS, or CSV formats for compliance reporting. 

No, we don’t require customers to purchase minimum service hours. Our Zero Trust platform is built for ease of use, allowing most organizations to deploy and manage it without ongoing support costs. There’s also no on-premises infrastructure required (no servers, VM appliances, or databases). It’s a SaaS-based solution that you can start testing immediately with our Free Plan covering up to 25 endpoints. 

Admin By Request EPM is designed to be intuitive enough that most organizations can deploy it without professional setup services, even across thousands of endpoints. However, if you prefer assistance with configuration or other aspects, our team is happy to offer that support.  

EPM supports Windows, macOS, and Linux endpoints with cross-platform licensing. The lightweight agent (under 2MB) deploys using standard tools like SCCM, Microsoft Intune, or Jamf. It works across diverse environments including standalone workgroups, multi-domain Active Directory, and Entra ID deployments. The same EPM policies and audit capabilities apply consistently across all supported platforms. 

Organizations typically see immediate endpoint security improvements once admin rights are revoked and Admin By Request EPM is deployed. The pre-revocation logging feature allows you to understand current admin usage patterns before making changes. Most customers report reduced helpdesk tickets within weeks of deploying our PAM product. 


EPM

Executive Summary

With Admin By Request:

Said the implementation time was less than expected
1 %
Were fully deployed within three months
1 %
Failed to implement a competitive solution
1 %
Will implement our solution in their next job
1 %

This feature is ideal for users with the occasional need for app elevations. It elevates the application – not the user. Use Run as Admin when you need to run one or two apps with admin privileges rather than many.

The Admin Session feature is the better choice for users who have a high need for administrative privileges. It gives the user administrator rights on their device for a predefined period of time, during which they can run multiple apps elevated. Use this feature when you need to undertake several admin tasks at a time.

The PIN Code elevation feature is for use in situations where the user who requires app elevation is excluded from being able to use Admin By Request – that is, they are not able to use the usual elevation methods of Run as Admin, Admin Session, and / or Pre-Approved apps. User Portal administrators can generate a single-use challenge / response PIN code which allows the user to start an elevated session.

The Break Glass / LAPS-replacement feature is the game changer which allows the provisioning of temporary, Just-In-Time local admin accounts. This feature is ideal for cases such as when the domain-trust relationship is broken and needs to be reconnected using an Administrator account, or to provision an admin account for someone who doesn’t have credentials but requires access to service an endpoint. With Windows Server Edition it’s also possible to give privileged access to a consultant without giving them domain-wide permissions at any point in time.

With Pre-Approval, you can add frequently used, known applications to the Pre-Approved list so that users can skip the approval flow (i.e., making a request, providing a reason, and waiting for approval) and access the pre-approved application from the get-go.

The AI feature assigns each application two scores between 0 and 100%, based on the popularity of the application and of its vendor. The higher each of the scores, the more trustworthy the app is considered to be, and the less risk is attached to allowing it to be automatically approved by the Admin By Request AI engine.

Machine Learning allows the system to handle creating the list of applications that are safe for approval as applications are used. You can set a number of times that applications need to be manually approved by an IT Admin before they are added to the Machine Learning Auto-Approved list.
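The Pre-Approval, AI scoring and Machine Learning descriptions above can be read as one approval decision per elevation request. The following is an added conceptual model, not Admin By Request's code or API; the field names, score cut-offs, manual-approval threshold and the order of the checks are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Conceptual model only. Field names, thresholds and check order are assumptions
# made for this example, not Admin By Request settings or API.
@dataclass
class Policy:
    approved_sha256: set = field(default_factory=set)    # checksum rules
    approved_vendors: set = field(default_factory=set)   # signer names (verified elsewhere)
    approved_dirs: tuple = ()                            # file-location rules
    min_app_score: int = 80      # assumed cut-off for the application score
    min_vendor_score: int = 80   # assumed cut-off for the vendor score
    ml_threshold: int = 3        # manual approvals needed before auto-approval
    manual_approvals: dict = field(default_factory=dict) # sha256 -> count

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def in_approved_dir(path: str, dirs) -> bool:
    # Compare whole path components so C:\DeployEvil does not match C:\Deploy,
    # and refuse ".." so a location rule cannot be escaped by traversal.
    p = PureWindowsPath(path)
    if ".." in p.parts:
        return False
    return any(PureWindowsPath(d) in p.parents for d in dirs)

def record_manual_approval(policy: Policy, data: bytes) -> int:
    digest = sha256_of(data)
    policy.manual_approvals[digest] = policy.manual_approvals.get(digest, 0) + 1
    return policy.manual_approvals[digest]

def decide(policy, path, data, vendor, app_score, vendor_score):
    """Return (decision, reason) for one elevation request."""
    digest = sha256_of(data)
    if digest in policy.approved_sha256:
        return "auto", "pre-approved checksum"
    if vendor is not None and vendor in policy.approved_vendors:
        return "auto", "pre-approved vendor certificate"
    if in_approved_dir(path, policy.approved_dirs):
        return "auto", "pre-approved location"
    if app_score >= policy.min_app_score and vendor_score >= policy.min_vendor_score:
        return "auto", "popularity scores"
    if policy.manual_approvals.get(digest, 0) >= policy.ml_threshold:
        return "auto", "auto-approved after repeated manual approval"
    return "manual", "request sent for IT approval"

# Constructed sample policy and file contents, for illustration only.
SAMPLE = Policy(approved_sha256={sha256_of(b"known installer bytes")},
                approved_vendors={"Example Vendor Ltd"}, approved_dirs=(r"C:\Deploy",))
```

Checksum rules bind to exact file contents, while location rules depend on who can write to the directory, which is why the model matches whole path components and rejects traversal.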

Granular Access and App Control

Elevation Methods

Security Measures

Sandboxed Environment

In most cases, users need admin rights to install or update software, such as Adobe Reader, Visual Studio or VPN software. The tricky part about revoking local admin rights is doing it in a way that doesn't hinder your users' productivity, but does lock down local admin rights. That's what Admin By Request's Endpoint Privilege Management product can do for you.

When a user starts an install, the process is intercepted and the user has to enter a reason, email and phone number to continue. You can adjust settings to automatically approve installs for some users and require IT approval for others.

The true value of this approach is not a technical one; users do the same as they have always done, but they don't have admin rights to make any changes on the machine. Because users do the same as they have always done, no users are unhappy, and no re-education is needed – Admin By Request EPM seamlessly fits into their everyday work life. Think about the value of being able to smoothly revoke admin rights and improve endpoint security without having to re-educate all your users.

Malware Detection

When it comes to malware concerns - don't worry; we’ve got your back. When users request to run a file with admin privileges, we scan the file in real time with more than 35 anti-virus engines. This gives you assurance that the file is safe.

 

Malware is often hidden in "too good to be true" freebies, such as free PDF generators, ISO tools, or cleaner tools that your users can be tempted to run. We use OPSWAT's MetaDefender technology to make sure your users are blocked from running any malware with administrative privileges before the damage is done.

Here's How it Works

At Your Fingertips

The Mobile App

The mobile app makes approving requests easy for your team. A request for privileges will be pushed in real time to your administrators’ phones. The mobile app gives you access to your full audit log and inventory from your pocket without you having to go to the web portal for data.

Reporting Capabilities

The audit log and reporting tools allow you to extract anything in real-time, such as a graphical representation of the requests and elevations happening – as they happen. Admin By Request’s management tools put you in the front seat of the whole operation.

Device Location

See where all of your devices are on a scalable Google Map. Drill down for detailed info on each device.

New Devices

At a glance, see which devices have recently installed Admin By Request software.

Inventory

Get extensive details on hardware, software, local admins, events, and loads more for each endpoint.

Local Admins

Track and manage your local administrators from a central, bird's-eye view.

Activity

Tracked activity includes API, Login, and SCIM activity, mobile app usage, and a settings changelog.

Elevated Apps

Use the Auditlog to see which apps have been elevated, by whom, why, and when.


Easy Configuration

Configuration is super easy. All you have to do is log into your portal account and apply the settings you want. You can customize settings for users or computers based on their Active Directory groups or Organizational Unit. If you are using Azure AD only, you can filter by Azure groups.

Headstart your configuration