Admin By Request 7 Review
By Joymalya Basu Roy
Joymalya Basu Roy is an experienced professional in the IT services field within M365 Mobility and Security. He is currently working as a Technical Architect on Microsoft Intune with Atos. He is an ex-Microsoft employee working as Premiere Support Engineer on Microsoft Intune. This page is a copy of the original blog from Joymalya's "Learn with Joy" blog series that can be found here.
What’s New with Admin By Request version 7 – Learn With Joy
A few months back, I wrote a blog on the topic of how to manage and control local admin rights on a modern managed Windows 10 device using Admin By Request – a product from Fastrack Software.
It was great that the Admin By Request team liked the blog and featured it on their official blog site as well.
Admin By Request Product Review By Joy – Blog post featured in Admin By Request official website
The team recently surprised me by approaching to check if I would want to check out the upcoming new Windows client – Admin By Request version 7.
You can guess it already. Today’s blog post is all about the upcoming new release of Admin By Request Windows client version 7 that is expected to make a GA release on 16th November 2020.
But before we get started with what’s new in the upcoming release, for those who are not familiar with the product Admin By Request and are yet to read my previous post on the same, we would start with a short insight into the product.
Quick Recap – Admin By Request
Admin By Request from Fastrack Software is a Privileged Access Management (PAM) solution for your Windows and Mac endpoints.
Admin By Request allows revoking local admin rights of the end-users from the workstations/endpoints (Windows/Mac) without interrupting the normal work habits. For actions that require elevated permissions, it provides on-demand elevation of privilege on request which can be controlled and time-restricted, while maintaining a full audit trail. The service also utilizes the OPSWAT MetaDefender Cloud service to provide real-time cloud threat detection capabilities.
Admin By Request is a complete SaaS service hosted in Microsoft Azure as such you can be assured of service SLA and Compliance. Check Trust Center.
A Privileged Access Management solution should always be considered as an integral part of a Digital Workplace solution, as not only it is a functional requirement but also aids the Zero-Trust stance of an organization, much required in this modern times of remote working.
If your Digital Workplace solution is made up of the Microsoft 365 stack, Admin By Request can integrate with your infrastructure with minimal efforts and as such definitely earns a recommendation.
Admin By Request now comes with a Fully Functional Free Plan
When I wrote my previous blog on AdminByRequest, at that time, it used to allow a Fully Functional Trial for a limited number of days to help you check and test the product.
Though it was good, you might feel that the trial period is not always enough to complete all your test sessions, especially true for the IT Pros at the helm of large and complex enterprise organizations.
The Team has listened and things has changed…
Admin By Request now comes with a Fully Functional FREE Plan – 25 licenses to evaluate the product on your endpoints (Windows/Mac) at No Cost for an Unlimited number of Days.
You just need to sign-up for the Free Plan with your work email address.
Admin By Request now comes with a Fully Functional FREE Plan – 25 licenses to evaluate the product on your endpoints (Windows/Mac) at No Cost foran Unlimited number of Days.
This allows you more flexibility in setting up a test environment to check the product on up to 25 Windows/Mac endpoints to see if the product meets the requirements.
Read more about the Admin By Request licensing FAQs.
What’s New with Admin By Request version 7
My previous article on Admin By Request was based on the then-current GA release of the Windows client (version 6.3). At the time of writing this article, the current GA release of the Windows client is version 6.4, which I have used to compare and check for what’s new with the upcoming Windows client release – Admin By Request version 7.
Current Windows client version 6.4 which will be replaced with upcoming new Windows client Admin By Request version 7
It seems that the engineering team behind the product received a good amount of feedback which made them re-work some features of the Windows client to further aid in a better user experience.
The team is currently running a beta testing program to test the new client for further improvement opportunities and bug fixes. As I know, the Beta testing will be available till 9th November 2020.
If you are interested in the product and want to check out the latest release under this program, you can contact firstname.lastname@example.org for further instructions.
I was provided with the pre-release client when the drivers of the new client version were yet to be Microsoft WHQL certified, and as such required to test on a Windows machine with Secure Boot turned Off and Windows in Test mode. You can pretty well understand, it was hot and fresh from the labs of Fastrack Software.
The current Beta release (used for this blog) is Microsoft WHQL certified as such if you decide to sign-up for the Beta test program, you would face no issues in getting the client deployed from Intune and testing the new client.
Admin By Request version 7 beta client which is expected to be GA released on 16th November 2020
With that being said, let’s now check out what has been really worked upon in the upcoming new version of Admin By Request Windows client version 7.
New Desktop Logo for Easy Identification
First thing you would notice about the Admin By Request Windows client version 7 is the new unique desktop icon to help end-users recognize that the current logged on Windows session is under the effect of Admin By Request.
Admin By Request new Windows client version 7 – New Desktop Icon to aid End-User experience.
This is a welcome change from the current Windows client version 6 of Admin By Request where the icon is a standard UAC icon.
Admin By Request Windows client version 6 – Standard UAC desktop icon was hard to recognize amidst all other desktop icons.
A unique logo gives the product a much-needed identity than using a Windows standard UAC icon, as well as, helps the product’s association and relatability with end-users
Consider the most common IT workplace scenario where the end-users desktop screen is stashed with several items and shortcuts. Comparing the old logo with the new one, you would agree that the new logo makes it much easier for the end-user to recognize if the current windows session is under the effect of AdminByRequest or not.
Modern UI – Look and Feel of the new Client
The upcoming new version of Admin By Request Windows client version 7 offers a modern UI experience as it follows the latest Windows 10 design guides.
Admin By Request upcoming new Windows client version 7 offers modern UI experience to end-users. Follows Windows mode as set per user preference.
Auto-detect will detect the current Windows mode (light or dark) set as per user preference and will follow the same unless the Admin has explicitly configured the look and feel of the client to either Gray (Windows mode Light) or Black (Windows mode Black, which is also the Windows default now).Admin By Request upcoming new Windows client version 7 offers modern UI experience to end-users. Follows Windows mode as set per user preference.
New UI Addition – Pop up window shows the Application name for which Run as Admin is being requested
When requesting for Run as admin to run an application with elevated privilege with the current Windows client version 6 (soon to be deprecated), it starts with a pop-up window as shown below.
Admin By Request current Windows client version 6.4 pop-up windows UI is a bit plain and bland – not very modern and sleek, does not shows the application/program name which is being elevated.
As you can see, it does not shows what application the request is being made for, or what application is being elevated, which do hampers a good user experience.
Things has been changed with the upcoming version.
Admin By Request windows client version 7 shows a pop-up window which shows the application/program name for which the Run as admin request is being made or processed, till all the conditions are satisfied and the application starts with elevated privilege, or the conditions fail and the request is aborted.
Admin By Request upcoming new Windows client verison 7 – Pop-up window UI is branded and modern, shows the application/program name which is being elevated. Much more functinal design than the current version which it will replace.
AdminByRequest Client version 6.4 vs AdminByRequest Client version 7 – User experience
Note: In portal, under Run as admin settings, Require reason is set to On and Require approval is set to Off
Admin By Request environment settings for comparing the current client vs the upcoming new client [version 6 vs version 7]
For the current GA Windows client of Admin By Request (version 6.4), requesting a Run as admin for an application on the endpoint brings up the below prompt
Admin By Request current Windows client version 6.4 – Window to prompt user to enter Reason for requesting elevation
Once end-user provides the reason and clicks on OK, there comes the next pop-up window which is the Code of Conduct window as below.
Admin By Request current Windows client version 6.4 – Window to display the Code of Conduct which the user needs to accept
Clicking on OK, will throw up Windows UAC to confirm end user credentials.
Admin By Request current Windows client version 6.4 – UAC Window to prompt end-user to provide credetials for audit records
Once the user enters the credentials and clicks on Yes, the program in context starts with elevated privilege.
With the upcoming new Admin By Request windows client version 7, there is only a minor change to the above flow from the current GA release client (soon to be deprecated version 6).
The settings in the portal remaining the same as above, with the new client, end-user requesting Run as admin for a program will get the below Windows UAC prompt.
Admin By Request upcomnig Windows client version 7 – uses UAC Window to prompt end-user to provide Reason for audit requesting elevation/run as admin – notice the change from the current client which used custom client window
Once the end-user provides the reason and clicks on OK, there would be the next pop-up window showing the Code of Conduct window as below.
Admin By Request upcomnig Windows client version 7 – the window to display Code of Conduct is in-line with the new modern design – branding of Admin By Request as well as custom branding of the organization.
Notice the subtle change in the UI elements of the client Windows for the upcoming new beta client (version 7) from the current GA client (version 6).
Clicking on OK, there can be two scenarios
- The program will start with elevated privilege. (When UAC is set to Confirmation)
- There will be another UAC screen requesting to confirm credentials post which the application/program will start with elevated privilege. (When UAC is set to Credentials)
These two scenarios as stated above is what brings me to the next radical design change of the product.
Admin By Request 7 now utilizes Windows UAC
The upcoming new version of AdminByRequest Windows client version 7 will allow a new option to either utilize Windows User Access Control (UAC) to confirm elevation requests or require Credentials as usual. But the new option do commands some planning on the Global Settings and Sub Settings scope level to implement in the environment, considering the security and usability.
As I have shown above with the current GA client version 6.4, invoking Run as admin requires a credential verification to ensure that audit captures the correct user identity for the corresponding elevation request. This is by design to comply with legal audits.
However, for advanced IT end-users who require to invoke Run as admin more frequently (developers, IT staff, etc.), filling the credential verification prompt every time do tends to get in the way of work, hindering the modern desktop experience.
The engineering team considered the feedback received on the same and introduced a new feature to utilize the Windows UAC prompt to confirm an elevation request instead of asking for credential verification.
Admin By Request version 7 Windows Client uitlizes Windows UAC – There will be a new option to configure UAC settings under Endpoint in the ABR portal
Thus with Global Settings scope and one or more Sub Settings scope in place, Admin can plan to have most users to verify elevation requests via Credentials while allowing trusted and advanced IT users only to confirm elevation request without requiring to provide credentials.
With below configuration in the Admin By Request portal,
- under Run as admin settings > Require reason and Require approval both is set to Off
- under Endpoint settings > UAC is set to Confirmation
For the new client (version 7), requesting Run as admin for an application will result the below UAC prompt
Admin By Request client version 7 – New UAC prompt to confirm elevation request
Clicking on Yes starts the requested application with elevated privilege. There is no credential input required by the end-user.
This is definitely more convenient for advanced and trusted end-users since it saves the annoying time and effort required to input credentials every time an elevation is requested.
Elevation performance improvement for Pre-approved applications
With the previous version of the Windows client for Admin By Request (version 6.x), the end-user was still forced to provide credentials when starting a pre-approved application using Run as admin.
Since the application in context is already pre-approved by Admin, this complexity of requiring credentials impacted the performance – time and effort required to elevate a pre-approved app was higher.
With the upcoming new release of the Windows client – Admin By Request Windows client version 7, if UAC is set to Confirmation, the end-user will not be prompted with the UAC prompt to confirm the elevation action when starting a pre-approved application with Run as admin.
With Admin By Request windows client version 7, pre-approved application will start in elevated context when invoked as Run as admin by end-user without requiring any further inputs, provided you have UAC set to Confirmation.
A pop-up notification window will appear over the System Tray to let the end-user know the application is running with elevated privilege under the effect of Admin By Request, which disappears after 3 seconds.
This radically improves elevation performance requiring much lesser time to elevate a pre-approved application, thereby improving the end-user experience.
AdminByRequest v7 – Smaller client size
The size of the upcoming new release of the Windows client – Admin By Request version 7 is significantly smaller than the previous client which it will replace, making client deployments lighter on the network bandwidth.
In total, the team has done some great work with the new upcoming windows client – Admin By Request version 7 improving the overall performance as with the new client, elevation requests are processed much faster, further helping the end-user experience.
If you are already using Admin By Request, hope you would find this post useful to understand the upcoming improvements and changes coming with the new upcoming version 7 of the Windows client.
If you are looking for a PAM solution to manage and control local admin rights of your modern managed Windows 10 fleet, do check out the product. As mentioned earlier, you get 25 licenses Free to test the product on up to 25 endpoints (Windows/Mac) just by signing-up.
Well that was all for today. Continue to stay safe!