Get the answers here.
Frequently Asked Questions
Licensing
Windows
macOS
Security
Admin Portal
Connectivity
Licensing
There is no catch. You can freely use the full product in your production environment on up to 25 computers in your organization.
Please use the quote form in the top menu and we will return a quote today. If you purchase a paid plan, we will upgrade your free plan to a paid one on-the-fly without you having to do anything.
Click the Download top menu to start on a free plan. You can use the free plan for proof of concept without using trial-ware. If you need more licenses for proof of concept, please contact us.
Please use the quote form in the top menu and we will return a quote today.
Please use the quote form in the top menu and we will return a quote today.
You need one license for each endpoint you intend to install the No. You buy a number of Workstation licenses and these can freely be mixed between Windows and Mac.
Go to the Contact page, fill out the Request a Demo form, and we will get back to you asap. We can usually schedule a demo next business day.
You will get an email from us, when you request a free plan, which you can respond to. If you did not receive it, please fill in the demo request above and you will be contacted.
There are three ways:
When a computer has not been active for two months, the license will automatically be recovered.
If you uninstall the Admin By Request endpoint software, the license is instantly recovered.
You can manually delete a dead computer in the inventory details.
Windows
If the computer is in a domain, Domain Users will be removed from the local administrator’s group right away. That is all that happens initially. When a user then logs on, the user will be removed from the local administrator’s group unless:
You have unchecked the “Revoke admins rights” in the portal settings
The user is in the list of excluded accounts in the portal settings
The user is member of a group that is the local administrator’s group (such as domain admins)
The reason all users are not just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally remove any service accounts. Please refer to the Windows client technical details page for more information.
The users and groups administration will be removed entirely from Computer Management during an administrator session. Even if the user still manages to tamper the local administrator’s group, the administrator’s group is snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrator’s group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper policy keys, these are also snapshotted and restored after sessions. Please refer to the Windows client technical details page for more information.
Domain groups (except Domain Users) are not removed from the local administrator’s group. This means that if a domain user logs on and is member of domain group that is in the local administrator’s group (for example a Help Desk domain group) the user is always local administrator. In this case the tray icon is red and hovering it, you can see the tool tip saying “You are logged on as administrator”. You can also specify specific user accounts to exclude in the portal settings. Please refer to the Windows client technical details page for more information.
You can pre-approve applications to automatically elevate when the user starts the program in question. You simply enter the path to the program and that’s it.
No. When users do not use the application, it does not consume resources, except for a brief daily inventory and settings check.
In the portal, you have settings for Workstations and Servers. These are the default settings. You can then define overruling setting based on computer or user groups and/or Organizational Unit(s). A common scenario would be to require approval for all users – except users in the IT department, who are allowed to elevate without permission.
Please refer to the Application log in the Windows event log.
No, Admin By Request works at a user level. Deployment tools (such as SCCM, Intune, PDQ or Manage Engine) run at a system level.
The installer is a standard MSI file. Just install the software normally and all components will be removed. To remove unattended, use standard msiexec.exe switches such as “msiexec.exe /X AdminByRequest.msi /QN”.
As the installer is a standard MSI file, upgrading is automatically detected. If you deploy a newer version, msi.exe will automatically perform an uninstall and an install, when installing a new MSI on a computer that has an older version of the software. To install unattended, use standard msiexec.exe switches such as “msiexec.exe /I AdminByRequest.msi /QN”.
You cannot install the workstation edition on a server. But you can install the Server version on a workstation.
macOS
Click the “Download” top menu and register for a free plan. You will get a login, where you download an MSI file to install on your computers. Use these credentials to sign in at the top and set the settings as you like. After login, you will also see an audit log and a full software and hardware inventory of your clients. The mobile app is free.
When a user logs on, the account will be downgraded from Admin to User unless:
You have unchecked the “Revoke admins rights” in the portal settings
The user is in the list of excluded accounts in the portal settings
The computer is domain joined and the user is domain admin
Please refer to the Mac client technical details page for more information.
If you log on to a Mac that is not joined to Active Directory and expect the user account to be downgraded from Admin to User, but it doesn’t happen and the icon appears red in the toolbar, you are most likely hitting the “Last Admin Check”. You can confirm this by clicking the red icon. The intention of this check is to make sure you always have a service account. If you don’t have at least one admin account, you cannot change, modify or delete user accounts on the computer and you can never uninstall Admin By Request.
If you use the “Revoke admins rights” option to revoke user rights, all user accounts will be downgraded from Admin to User, when they log on. In the portal settings, you can specify user accounts that are excluded. These would typically be service accounts for a Help Desk or similar. If no excluded accounts are specified and the machine is not joined to Active Directory, the revoke will not be executed for the last administrator and it falls under the “Last Admin Check”.
Please refer to the Mac client technical details page for more information.
That is not a concern. When users get an administrator session, the user’s role is not actually changed from user to admin. The user is granted all administrator rights – except the right to add, modify or delete user accounts. Therefore, there is no case, where the user can create a new account or change its own role and become permanent administrator. The user can also not uninstall Admin By Request, as the only program, to keep the administrator session open forever. Furthermore, all settings, configuration and program files are monitored during administrator sessions. If the user tries to remove or change any of the Admin By Request files, these are restored right away.
Users can install programs requiring admin rights, install drivers and change system settings other than user administration. User cannot run sudo or add, remove or modify user accounts.
You would normally use subsettings for this. But you can also put overruling settings on machines to overrule portal settings. Refer to this page for instructions.
No. When users do not use the application, it does not consume resources, except for a brief daily inventory and settings check.
Run the uninstall program /Library/adminbyrequest/uninstall. The program cannot be run during an Admin By Request administrator session.
You can find the error log under /var/log/adminbyrequest.log.
Security
Please refer to our SLA in the Trust Center for more info.
Please refer to our SLA in the Trust Center for more info.
Please refer to our SLA in the Trust Center for more info.
If your data is located in Europe: 104.45.17.196.
If your data is located in USA: 137.117.73.20.
If your data is located in Europe: 104.40.134.41 and 40.91.214.18.
If your data is located in USA: 13.90.244.80 and 40.121.45.3.
All emails are sent from noreply@fasttracksoftware.com. We use Twilio SendGrid to send you emails. This dedicated IP address is used to send you emails: 149.72.185.15.
Yes. Please refer to our Data Processing Agreement and Privacy Statement for GDPR compliance and to our SLA & Compliance for more general information.
Yes. Once the machine is booted, you get the public IP address of the thief’s router. The client does not require anyone to log on to a computer to upload data, so when the thief turns on the computer, the inventory data is sent transparently. You can now see the public IP address and upload time in your client view and give this to the police. The police can then get the name and address of the IP address owner from the thief’s internet service provider (ISP).
Yes, we have published two CVEs in 2019. These were found by Improsec in September 2019 in the production version 6.1. We notified our customers and released version 6.2 on October 11th 2019 with fixes for these two vulnerabilities. Click here for more information on CVE-2019-17201 and CVE-2019-17202.
We generally have two separate companies run penetration tests before every major release. We also get copies on a monthly basis of clean reports executed secretly by customers.
Contact us via the Contact page > Something Else with your findings. Note that the scope of a vulnerability has to be escalation of privileges from a non-administrator user to obtain admin rights.
The collected data associated with the computer is deleted. If the computer then turns out to be alive after all, the computer will show up again and re-upload inventory data.
Admin Portal
No. You can use a setting after sign in to allow elevation without approval. In this case, you still get the benefits of auditing; who elevated, when and an auditlog of installed software and executed applications. In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Code of Conduct message/screen that will appear just before the session starts. The Code of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.
Yes. The most typical pattern we see for new customers is that they start with approval required. Then after an initial period, when the psychological effects on end users are clear and there is reassurance end users do not violate rules (see previous question), they shift to auto-approval mode combined with reason requirement and Code of Conduct screen. This is the point, where the whole administrator access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.
Yes, in the portal, you can create more logins for more people. You can also define, which roles they have, such as access to audit log and if the person is allowed to approve requests.
You can create a portal user account that can only see the auditlog and optionally the inventory. No other data will be visible.
You can set a scope for portal logins to only see part of the data based on the end users or computers groups and/or Organizational Units. For example, a sales manager can be set up to only see users and computers in sales. He will then only get approval requests from his own staff. You can also set up the manager to not have approval ability, but only ability to see the auditlog for his own staff.
Yes. You can set a scope for portal logins to only see and approve part of the data based on the end user or computers groups or Organizational Units. For example, an administrator in a region could be set up to only see and approve requests and data from computers in his own scope, assuming for example that all computers are in a specific Organizational Unit.
You simply create a user account that cannot approve requests. This way, your customer can see the data you choose without the ability to approve requests.
Connectivity
This may be surprising, but no. The client is only required to have an occasional internet connection (like a guest WIFI anywhere). The reason is, clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator temporarily and will queue the data locally, such as time, installed applications, executed exe files as administrator and so on. Once the client has an internet connection again, it will flush the queue to the cloud service and you will get all data. This means that the client works exactly the same being online or offline. The only difference is the time you get the reporting data in the cloud service.
In this case the client can not allow the elevation and you cannot see an approval request. The client will intelligently determine it is indeed offline and on the approval screen, a note will automatically appear telling the user the elevation can only happen, if the user either seeks an internet connection or, if not possible, contact IT and get a daily PIN code. The PIN code is a code the client and server know without having communication. The PIN code will appear in the left menu on computer details in the inventory, if you enable approval mode.
Absolutely not. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and, if the connection is bad, we don’t want to consume bandwidth. Inventory data is collected intelligently, so only delta data is collected. If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client to the cloud service is minimal. If you take a random client and divide the traffic from typical use for a month, divide by days, we are talking about 5K of data per day. Or said in another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.
Yes, find it in the Apple App or Google Play stores.
The iPhone app works on iOS 10.0+. Android version works on version 4.4+ (KitKat).
When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data. The expected accuracy is at a city level.
