
The value proposition

You are probably reading this because you know you have a problem. Either your company allows users to maintain local administrator rights or you have to do countless remote installs. We can solve this for you with little effort and at the same time free up your IT resources.

We have customers with tens of thousands of users who tried to implement whitelisting solutions, failed and came to us, because with whitelisting you can only see the world in retrospect. Your users will hate you for blocking their workday. Even with unlimited resources, no one can predict what your users need today. Instead of speculating on this by creating whitelists ahead of time, Admin By Request works proactively the other way around. If your user starts to install software, the client software intercepts this and installs the software - without the user being an administrator. It's like the self-checkout at the supermarket.

It is also safer than traditional whitelisting solutions, because an administrator whitelisting a file doesn't mean it is safe. We real-time scan files with more than 20 anti-virus engines before allowing a file to run with administrative privileges.

Nothing needs to be installed on-premise. Users do not need to be re-educated and no one in IT has to spend endless time on whitelists or remote installs. All you have to do is deploy the client software. Let us show you - request a demo today.


Gartner names Privileged Access Management (PAM) the top project to reduce cybersecurity risks

Privileged accounts (or administrative or highly empowered accounts) are attractive targets for attackers. A PAM project will highlight necessary controls to apply to protect these accounts, which should be prioritized via a risk-based approach. PAM projects should cover human and nonhuman system accounts and support a combination of on-premises, cloud and hybrid environments, as well as APIs for automation.
Source article at gartner.com

Sandboxed software installs

In most cases, users need admin rights to install or update software, such as WebEx, Adobe Reader or TeamViewer. With Admin By Request active, users' admin rights are revoked, but the user can still install software. When the user starts an install, the process is intercepted and the user has to enter a reason, email and phone number to continue (if configured). The email and phone number are pre-populated from Active Directory or Azure AD. The fact that the user is confronted with this reason screen (see next section for screenshot) and has to validate contact details has a huge preemptive effect in itself. It takes away a lot of the most obvious abuse, as the user is forced to give thought to the fact that "someone will know what I am doing now". Whether you wish to approve each interception or use auto-approval is up to you. The video shows the user experience with IT approval enabled.

Let's take a practical example. An employee needs to invite other people to a WebEx meeting and therefore needs to install the WebEx desktop app. But here is the problem - the desktop app requires admin rights to install. Let's assume the user has no special Windows skills, so the user will simply Google and download the install file and eventually get stuck in the browser without admin rights. But with Admin By Request installed, exactly the same happens - except the result is different. The user enters unprivileged credentials and the install runs without the user actually being administrator. And you will know, because the install is logged to the Auditlog menu here in the portal.

This solves the local admin security problem. But the true value of this is not a technical one. Users do the same as they have always done, but they don't have admin rights to change anything on the machine. And because users do the same as they have always done, no users are unhappy and no re-education of users is needed. Think for a second about the value of not having to re-educate all your users. If you click the button below, it will take you to a page that talks about "Run As Admin" in greater detail.

Run As Admin in detail


Malware detection

When a user requests to run a file with administrative privileges, we real-time scan the file with more than 20 anti-virus engines. This gives you an assurance that the file is safe.

Malware is often hidden in "too good to be true" freebies, such as free PDF generators, ISO tools or cleaner tools. In the video below, you can see how Admin By Request caught malware when a user tried to install a free Outlook PST file recovery tool. For more details on how it works, please click the button.


Malware detection in detail

Administrator session

Some expert users, such as developers, may need to do more than install software or run applications as administrator. The video shows the user experience of an Administrator Session with IT approval enabled.


You can allow some of your users to request a protected administrator session that grants the user temporary administrator rights under full audit. If this feature is enabled, users will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user's desktop (Windows) or in the dock (Mac). When the user needs to do something advanced that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session under full audit.


When the user makes the request for administrator rights, two things can happen. When you are signed in to the portal, you configure your settings, including whether you allow administrator access without approval or not. If you allow access without approval, the user becomes a time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app first. In either case, the user will see the screen below before starting and must enter a reason for this need. You can disable this screen for some or all users.


If the user is allowed to start without approval or the request has been accepted by you, the session can start. This happens on-the-fly without having to log off and on and you can configure the maximum time the user is allowed to be administrator. You can also configure whether applications that run after the timer runs out are killed or not.


Once the user either stops the timer or the time runs out, data about the session will be uploaded to the portal. You can then see who had the session, when, and which software was installed or uninstalled and, on Windows, which applications were run UAC-elevated during the session. Admin By Request protects the computer from tampering during the session, such as users trying to add new local users or remove Admin By Request.

Configuring Authorization

When you log into the portal and select the "Settings" top-menu, you define authorization settings. You can differentiate these settings for users or computers based on their Active Directory groups or Organizational Unit through the "sub settings" menu. If you are using Azure AD only, you can filter by Azure groups.

If you click the button below, it will take you to a page that talks about the approval flow in greater detail. It explains how you use sub settings to differentiate authorization for different users in your organization and it also talks about how you can pre-approve applications, network shares or vendors to avoid trivial approvals or logging of applications known to be good. You can also find a video that goes through the scenario where both Run As Admin and Admin Sessions are disabled - but users are allowed to self-install files from a network share of install files sanctioned by IT, without users ever having admin rights.

Approval flow in detail

Approving access from the app

If the user requests Run As Admin or an Admin Session and approval is required, a portal user with approval rights has to approve the request. The easiest way to do that is to use the mobile app or an Apple Watch to get a real-time push notification. Because this is a real-time push, someone will often react right away and the user experience is that there is no delay. When you press the Approve or Deny button, the user will receive an email with instructions. These emails can be customized with company-specific information, such as a Help Desk phone number. The app also provides great insight into what's going on, on a daily basis. Click the download icon under the screenshots on your iPhone, iPad or Android device to download the free app.


Approving access in the portal

You can also approve requests in the portal, instead of using the app. Typically, you would set up an email notification to all users that can approve requests, so the user doesn't have to wait longer than necessary. When you click the email link, it simply takes you to the "Requests" page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data. You then simply click Approve or Deny for each request, as you would in the app. The entire approval flow is described in greater detail on this page.


Preventing abuse

So what prevents the user from abusing an Admin Session? The fact that the user has to request access from IT will in itself prevent the most obvious abuse. But as part of your settings, you can also configure a Codes of Conduct page. Here you customize wording that suits your company policy, for example, what the penalty is for using the administrator session for personal objectives. You can also choose to explain what you can monitor from the portal. When you enable the Codes of Conduct ("instructions") screen in the settings, this screen will appear right before the administrative session starts, as shown further up. You can also customize company name and logo for all screens, so there is no doubt this message is authentic and indeed from the user's own company. This is the configuration part of the portal, where you set authorization, company logo, policies, email communications, etc.:


Offline computers

Admin By Request works the same whether the computer is online or offline. Portal settings, domain groups and OU are cached on the client and all data going the other way is queued, so the user experience is exactly the same when a computer is away from your LAN or even when it has no internet connection.

PIN code

Computers work the same online or offline - except, of course, if you require approval and the computer is offline. Then no one will know the user has a pending request until the computer has an internet connection, at which time it will flush its upload queue. This would rarely be a real-world problem, but there are examples where a computer is offline for a long period of time with no option to get online. A good example is our customer Red Cross, which has workers going offline for weeks to a village in Africa. This is not a problem in itself, because the computer will just collect data and flush the queue later - but if approval is required, the user is stuck. If the user makes a request and approval is required, the user is informed that the user has to either wait, seek internet (for example by connection sharing on the phone) or queue the request until there is internet. In case of urgency, when internet connectivity is impossible, the user can instead request a PIN code. If the user requests a PIN code, the user will see a 6-digit "PIN 1" code and must call, say, your Help Desk over the phone and get the matching 6-digit "PIN 2". PIN 2 is a one-time PIN code that is hashed from PIN 1, customer id and computer name. Therefore, in the odd chance the same PIN 1 appears on a different computer, the PIN 2 is different.
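
The PIN 1 / PIN 2 exchange described above can be modelled as an offline challenge-response. The following is an added illustration, not Admin By Request's actual algorithm: the keyed HMAC-SHA256, the `tenant_key` secret, the truncation to 6 digits, the three-attempt limit and all names are assumptions.

```python
import hashlib
import hmac
import secrets

PIN_DIGITS = 6
MAX_ATTEMPTS = 3  # assumption: limits guessing of a 6-digit code


def derive_pin2(tenant_key: bytes, pin1: str, customer_id: str, computer_name: str) -> str:
    """Derive PIN 2 from PIN 1, customer id and computer name (assumed HMAC-SHA256)."""
    fields = (pin1, customer_id, computer_name.upper())  # host names are case-insensitive
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    digest = hmac.new(tenant_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # RFC 4226-style dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


class OfflineClient:
    """Hypothetical endpoint side: issues PIN 1 and checks the PIN 2 read over the phone."""

    def __init__(self, tenant_key: bytes, customer_id: str, computer_name: str):
        self.tenant_key = tenant_key
        self.customer_id = customer_id
        self.computer_name = computer_name
        self.pin1 = None
        self.attempts = 0

    def request_pin(self) -> str:
        # Fresh random challenge per request; a PIN 2 is bound to the PIN 1 it answers.
        self.pin1 = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.attempts = 0
        return self.pin1

    def redeem(self, pin2: str) -> bool:
        if self.pin1 is None:
            return False  # nothing pending, or the challenge was already used
        expected = derive_pin2(self.tenant_key, self.pin1, self.customer_id, self.computer_name)
        ok = hmac.compare_digest(expected.encode(), pin2.encode())  # constant-time compare
        self.attempts += 1
        if ok or self.attempts >= MAX_ATTEMPTS:
            self.pin1 = None  # one-time: success or too many failures retires PIN 1
        return ok
```

In this model the Help Desk side calls `derive_pin2` with the same inputs for the computer the caller names, which is why an identical PIN 1 on another machine yields a different PIN 2.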



Our reporting tools put you in the front seat of the whole operation. When logged on to the portal, select the "Reports" top-menu and you have a whole data mining universe available. You can extract anything in real time, such as a graphical representation of how many requests and elevations are going on right now, this week's approver activity per approver, backlogs, a daily chart of new computers being deployed, a real-time map of where your computers are right now and so much more. Below is a snippet of some of the reporting tools.



For technical details of the client software, please refer to the Windows client page or the Mac client page. You can also find answers to frequently asked questions here. If you have further questions, feel free to contact us using the chat or the "Contact" top-menu.

Product overview video

This video goes through the benefits of Admin By Request. The bottom video will go through the approval flow in detail.

Portal overview video

This video goes through the portal that will be accessible to you during your trial or as licensed customer.

For more videos, please click the "Videos" top menu