
Documentation
Jump to:
Admin By Request Version 4.0 for macOS is here, adding new and improved core features including application Pre-Approval and Run as Admin. Download it today and kick the year off with comprehensive cybersecurity across all operating systems.
New in 4.0
Pre-Approval


For applications (.app):
- Command: codesign -d -vv /path/app.app
- Result: Authority=Developer ID Application: VideoLAN (75GAHG3SZQ)
For packages (.pkg):
- Command: pkgutil –check-signature /path/app.pkg
- Result: Developer ID Installer: Oracle America, Inc. (VB5E2TV963)
Run as Admin

Machine Learning
Azure AD Support

Prerequisites
Before you get macOS v4.0 up and running, you need to ensure Admin By Request has full disk access on your Mac endpoints.
Enable Full Disk Access (FDA)
Immediately after installation, FDA must be enabled to allow Admin By Request to fully protect Mac endpoints.
NOTE: The adminbyrequest application must be installed first, so that it appears in the list of apps available under Full Disk Access.
The following procedures describe three ways to enable FDA:
- (1) On the Mac (for macOS 12 and macOS 13)
- (2) Using Jamf
- (3) Using Intune
(1) Enabling FDA on the Mac
The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on Apple Macs running:
- macOS 12 (Monterey)
- macOS 13 (Ventura)
macOS 12 (Monterey)
- On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.
- Select adminbyrequest in the list of apps (ensure the box is checked):
- Lock the tab to save changes.
macOS 13 (Ventura)
- On your Mac device, navigate to System Settings > Privacy & Security and select Full Disk Access from the list. You’ll need to supply your password to make changes.
- Select adminbyrequest in the list of apps (ensure the box is checked):
- Close System Settings.
(2) Enabling FDA using Jamf
Jamf uses Configuration Profiles to manage Mac endpoints:
- In Jamf, go to Computers > Configuration Profiles.
- Create a new profile and configure it as follows:
- Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR – PPPC.
- Category, select Applications.
- Distribution Method, select Install Automatically.
- Level, select Computer Level.
- Navigate from the General tab to the Privacy Preferences Policy Control
- Identifier, enter /Library/adminbyrequest/adminbyrequest.
- Identifier Type, select Path.
- For Code Requirement, enter the following exactly as stated below
(Tip: copy/paste this text to ensure accuracy):
identifier “com.fasttracksoftware.adminbyrequest” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP |
IMPORTANT: If you do not enter the above code correctly, this procedure for enabling FDA will not work properly.
- Under App or Service, select SystemPolicyAllFiles and under Access, select Allow:
- Under App or Service, select Accessibility and under Access, select Allow:
- Save the profile.
- Deploy and use this profile to enable FDA for all your macOS endpoints.
(3) Enabling FDA using Intune
Similar to Jamf, Intune uses Configuration Profiles to manage Mac endpoints:
- In Intune, under Configuration Profiles, select Create Profile.
- Enter the following details into the Create a Profile form:
- Platform: macOS
- Profile type: Templates
- Template name: ABR – FDA
- Click Create.
- Under Device restrictions, go to Configuration settings.
- Select Privacy preferences and click Add:
(3) Enabling FDA using Intune, Continued
- In the Edit Row form, enter the following:
- Name: ABR – FDA
- Identifier type: Path
- Identifier: /Library/adminbyrequest/adminbyrequest
- For Code Requirement, enter the following exactly as stated below
(Tip: copy/paste this text to ensure accuracy):
identifier “com.fasttracksoftware.adminbyrequest” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP |
IMPORTANT: If you do not enter the above code correctly, this procedure for enabling FDA will not work properly.
Here is an example of the completed Edit Row form:
- Finally, allow Full disk access:
macOS How-Tos:
- Admin Session – To gain full administrator privileges on the endpoint for a period of time, either select the Admin By Request icon from the top toolbar, or locate and click the app icon from the Dock or Launchpad. Follow the prompts, wait for approval (if configured), and the session will commence, indicated by the timer in the bottom right-hand corner of your desktop.
- Events & Alerting – Events are automatically sent to your User Portal; navigate to Inventory from the top menu, and select Events from the left-hand menu of the Inventory page.
- PIN Code Uninstall – In your User Portal, navigate to the Inventory page and select the device you want to perform the uninstall on. Select PIN Code from the left-hand menu, and choose the Uninstall Pin tab from the top menu in this page. Click the Generate PIN button, and copy the PIIN that is displayed. On the device you want uninstall Admin By Request on, select the Admin By Request icon from the top toolbar, and click About Admin By Request. In the System window, paste the PIN copied from your User Portal, and select Uninstall.
- Break Glass Account – See documentation here.
Technical Info


- Team ID: AU2ALARPUP
- Bundle ID: com.fasttracksoftware.adminbyrequest.extension
Removed in macOS Version 3.0 Onwards:
- Last Admin Check – no longer relevant, removed in 3.0 – the Last Admin Check feature is no longer relevant thanks to the addition of the PIN Code uninstall feature. The purpose of the Last Admin Check was to ensure that you always have at least one administrator account left, but is no longer necessary because you can now use PIN Code uninstall to remove the software on the endpoint and regain local admin rights (in the case of accidentally downgrading all users to standard user).
- Log Files – this service previously logged helpful information such as software version, detected Active Directory settings, admin downgrades, and similar changes to /var/log/adminbyrequest.log. It has been replaced in recent versions with functionality to submit diagnostics information from the About window, under Diagnostics.