In a bid to make the discussion of use cases for Admin By Request more interesting, relatable, and perhaps also memorable, we created a number of Admin Right ‘personas’ based around our company mascot.
For each persona we will cover the ‘traits’ to help you identify it and examine traditional ‘tricks’ used to address it (without the benefit of Admin By Request). Finally, we demonstrate how Admin By Request is the perfect solution for POP-type requests.
Example Scenario – How to Spot a Pop
It’s Monday, 9:02 am and you just broke the surface of the Flat White that you grabbed on your way in to work.
On logging in to your computer in your IT desktop support role, you start working through the meticulously planned desktop systems hardware refresh for the week ahead.
Suddenly, your boss transfers over an urgent call from a senior executive needing admin rights to install software for a Jabra headset needed for an important investor MS Teams call with the board. Your intervention is required… right now, your desktop refresh plan… just went Pop!
Pop-ping Out without Admin By Request
Here are some – not ideal – techniques which customers have told us they have used to solve problems similar to our example POP scenario, before they purchased Admin By Request.
Fudge 1: Remote desktop to the user in question (if online), use your own IT Helpdesk admin credentials to install the Jabra software.
- Highly labour-intensive, disruptive and unproductive for the requestor, a major generator of ‘support ticket confetti’.
- Requires both IT staff member and user to be available in order for the remote-control session to take place. Such sessions can sometimes be difficult to co-ordinate as the user knows they will likely not be able to use their system for the duration of the session.
- Requires the user to be both online and have working remote control software.
- Requires IT helpdesk staff to have global Local Admin rights themselves, which can open up compliance issues.
Fudge 2: Log in to your company directory (AD or AAD) and add the user to a specially designated Local Admin capable group, making a task note to manually remove the user later.
- Likely not ‘immediate’ as directory changes often take time to apply and in the case of Azure AD/Intune, cannot be relied upon to always apply & report changes within a set time frame.
- User will likely have to log out / log back in, in order for the change to apply.
- Total reliance on remembering to remove the user's Local Admin rights once the task has been completed.
Fudge 3: Run an in-house built PowerShell script that adds the user to the Local Admin group for a certain amount of time before automatically removing again.
- Script might need to be invoked from MDM, which might impact responsiveness.
- The user would need to be online for this method to work.
- No real-time logging / visibility of what is being done.
- Script will need to be fully maintained and independently tested to ensure it's safe to run / has no vulnerabilities.
- No solution for Mac users.
- Full Admin rights are granted, so the user could use the opportunity to perform other admin tasks, including creating their own admin account to avoid having to ask IT for access in future.
Fudge 4: MS LAPS. You issue the user a LAPS user / password combination that will enable them to acquire full Local Admin rights in order to install the Jabra software.
- Though a ‘Just In Time’ solution, the user is still being given a full Local Admin account, and as such, is essentially given the ‘keys to the car’ for an all-night Admin Rights party.
- This solution also requires the presence of a permanent LAPS user in the Local Admin group, plus requires a working AD / AAD connection that is constantly recycling the password.
- Customers have told us that MS LAPS can be a pain to manage.
- No solution for Mac users.
- You are fully dependent on the user keeping their endpoint connected so that the password changes with the next recycle. If the user chose to disconnect their system, they would end up with essentially unlimited, un-audited Local Admin rights, for as long as their PC was offline.
- Nothing the user elevates whilst logged in with the LAPS user is easily audited / alerted.
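Fudge 2 relies on someone remembering to remove the user, and Fudge 3 gives no real-time visibility of what was done. The following Python example, added here and not taken from Admin By Request or its customers, shows one after-the-fact check: it pairs Windows Security events 4732 (member added to a local group) and 4733 (member removed) for the built-in Administrators group and reports grants that were never revoked or were held too long. The sample events, host names, account names and the one-hour limit are constructed for illustration.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
ADDED, REMOVED = 4732, 4733   # Security log: member added to / removed from a local group

# Constructed sample events (not from a real system): time, event ID, host, group SID, member
SAMPLE_EVENTS = [
    ("2024-03-04T09:05:00", 4732, "WS-EXEC-01", ADMINS_SID, "CORP\\exec1"),
    ("2024-03-04T09:40:00", 4733, "WS-EXEC-01", ADMINS_SID, "CORP\\exec1"),
    ("2024-03-04T10:00:00", 4732, "WS-FIN-07", ADMINS_SID, "CORP\\jdoe"),
    ("2024-03-04T11:15:00", 4732, "WS-DEV-03", "S-1-5-32-555", "CORP\\asmith"),  # other group, ignored
    ("2024-03-04T13:00:00", 4732, "WS-HR-02", ADMINS_SID, "CORP\\mlee"),
    ("2024-03-04T16:30:00", 4733, "WS-HR-02", ADMINS_SID, "CORP\\mlee"),
    ("2024-03-04T17:00:00", 4732, "WS-OPS-09", ADMINS_SID, "CORP\\tkhan"),
]

def audit_admin_grants(events, now, max_grant=timedelta(hours=1)):
    """Pair add/remove events per (host, member); report grants that outlived max_grant."""
    open_grants, findings = {}, []
    for ts, event_id, host, group_sid, member in sorted(events):
        if group_sid != ADMINS_SID:
            continue                                # only the local Administrators group matters
        when, key = datetime.fromisoformat(ts), (host, member)
        if event_id == ADDED:
            open_grants.setdefault(key, when)       # keep the earliest unmatched add
        elif event_id == REMOVED and key in open_grants:
            held = when - open_grants.pop(key)
            if held > max_grant:
                findings.append((host, member, "revoked late", held))
    for (host, member), since in open_grants.items():
        if now - since > max_grant:                 # add with no matching remove
            findings.append((host, member, "still admin", now - since))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_admin_grants(SAMPLE_EVENTS, datetime(2024, 3, 4, 18, 30)):
        print(*finding)
```

An endpoint that stays offline forwards no events, so a missing removal record on its own does not show whether the rights are still in place.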
Admin By Request: POP without the Bang
When a POP pops up and you have Admin By Request deployed, dealing with this type of request is as silky smooth as the tight layer of foam on your morning brew. Admin By Request provides a means to get ‘POPs’ off your plate securely whilst providing real time visibility of the before, during and after of the elevation task, with logs exported to your SIEM if you so desire.
1. Typical Configuration
The most typical way to handle ‘POP!’ with Admin By Request would be to allow the user to request elevation of the Jabra Headset software by way of a ‘Run As Admin’ type request with Approval enabled.
2. No user training required
The user will start to run the Jabra installer just as they would do normally. There is a subtle difference in that the ‘Run As Administrator’ icon is different from standard Windows when you do a ‘right click’ on the file to run it as Administrator.
3. When approval is enabled, the user must complete a short request form
When admin rights are required after launching the installer, if approval is configured, the user will be presented with a form which they need to complete to request permission to elevate the Jabra software.
4. Requests can come in to one place centrally, can be split out to heads of departments, or routed via workflows using integrations such as ServiceNow
Once the request is sent by the user, a portal administrator is instantly sent a notification of the request (portal/mobile app/Slack/Teams/API call) and presented with the request's details, together with big 'approve' or 'deny' action buttons. Once the request is actioned, the user receives a notification and, if approval is granted, they can re-run the installer. If the user is offline, a PIN code would be requested, and this can be dished out by IT/someone with access to the portal or our mobile app.
5. In addition to your EDR engine, Admin By Request Malware checks the hash of files for elevation against a battery of additional engines, without any resource impact on the endpoint
Prior to executing the elevated process, whether approval is enabled or not, Admin By Request's built-in file reputation solution queries up to twenty different A/V provider engine databases to check if the file being elevated is safe to run.
6. Approvals can be actioned via the Admin By Request web portal, our free mobile app, or using our many integrations such as Slack, MS Teams, ServiceNow, Ticketing systems that support REST
If clear, the request can be approved via a single button push and the user would receive a desktop notification that they can now complete the elevation, but for that specific application only and only for a one-time installation.
7. Use the Audit Log to Keep track of all requests, either globally, or filtered by group / department
This entire process is fully audited in real time, and when configured with a ticketing system, IT can be notified of the elevation start and completion. This process could be managed by central IT, or perhaps a departmental head of the requesting user, something which would both speed up the approval process and offload workload from central IT.
Admin By Request: Fill your Day with POP-ular Outcomes!
By far the most common of our five personas, 'POPs' can totally blow up your day due to their disruptive characteristics of high volume + unpredictability + urgency. The larger your organization, the bigger the productivity problem. All your IT Helpdesk KPIs go out the window and create knock-on side effects that will likely have a major impact on the roll out of strategic non-urgent (but no less important) long term IT projects.
Admin By Request lets you easily enable a simple request workflow to cover qualifying company workstation devices in a matter of minutes and, crucially, does this in such a way that it does not require the end user to learn any new behavior in order to perform Just In Time, application specific elevation.
The dramatic impact of solving your organization’s POP problem means IT get way more time to do what they do best – harnessing technology to transform the resiliency, efficiency and competitiveness of the business.
P.S. Stay tuned for the next post in our Persona series!