Grant instant time limited Local Admin rights

Admin By Request: a simple to deploy, infrastructure free security solution for the control and management of local administrative rights on desktops and servers.

• Greatly reduce the ability of malware and ransomware to propagate.

• Allow or block local admin rights for specific applications.

• Elevate unprivileged domain user accounts to local admin - useful for contractors working on servers.

• Works both online or offline via PIN code token.

• Configurations for Cloud, Hybrid or On Premises.

• Ships with a fully integrated & comprehensive auditing, geographic asset tracking solution.

ABR enables the IT Helpdesk keep the local admins group completely locked down but enabling controlled, time limited privilege elevation users so they are able to install software while maintaining a full audit trail. You will never need to remote control computers again to elevate user rights to perform tasks that require elevation such as installing drivers or software.

Why you need Admin By Request

You are probably reading this, because you know you have a problem. Either your company allows users to be local administrators or you have to do countless remote installs. We can solve this for you with little effort.

You have the flexibility to set Admin By Request to approve automatically or require IT staff to verify the request. Once a user is approved, they get a time-limited, real-time, local admin elevation to install the requested software. Once finished, you have a full audit trail of the user’s activity and an overview of all activities across the board.

Users are never blocked from doing their job and you can use your IT resources on other activities, knowing you have a full audit trail. It's win/win for you and your users. Contact us today for a live demo. Let us show you how to regain control of your local admin accounts.

How it works

Admin By Request basically consists of a portal account and a small client program for Windows or Mac. Nothing needs to be installed or modified on-premise and you can therefore set this up for testing or proof of concept in minutes. Everything happens in the cloud. All data are collected to your cloud account and processed here. The collected data is mostly non-sensitive data and we have a best-in-class cloud Azure set up to secure your data. If you have GDPR concerns or concerns about collection of sensitive data (user's name, email address and phone number), all these can be disabled at your preference.

Requesting access

The user will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user's desktop (Windows) or in the dock (Mac). When the user needs to do something that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session.

When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen. When you are signed in to the portal, you configure your settings, including whether you allow administrator access without approval or not. If you allow access without approval, the user becomes time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app and an email flow starts. In either case, the user will see the window below and must enter reason for this need. You can disable the screen for users that do not require approval.



Approving access from the app

If the user is not auto-approved, a portal user with approval rights has to approve the request. The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval request to all approvers in real-time. When you press the Approve or Deny button, the user will receive an email with instructions.

Approving access in the portal

You can also approve requests in the portal. Typically, you would set up an email notification to all users that can approve requests. When you click the email link, it simply takes you to the "Requests" page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data.

Simply click Approve or Deny for each request, as you would in the app.

Administrator Session

If the user is auto-approved or the request has been accepted by you, the user can start the session. This happens on-the-fly without having to log off and on and you can configure, how much time the user is administrator.

Once the user either stops the timer or the time runs out, data about the session will be uploaded to the portal. You can then see who and when had the session and which software was installed or uninstalled and on Windows, which applications were run UAC elevated during the session.



Preventing abuse

So what prevents the user from abusing the system? The fact that the user has to request IT for access will in itself prevent the most obvious abuse. But as part of your settings, you can also configure a Codes of Conduct page. Here you customize verbage that suits your company policy. For example, what is the penalty for using the administrator session for personal objectives. You can also choose to explain, what you can monitor from the portal. When you enable the Codes of Conduct ("instructions") screen in the settings, this screen will appear right before the administrative session starts. You can also customize company name and logo for all screens, so there is no doubt this message is authentic and indeed from the user's own company. 

Offline computers

Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client and all data going the other way is queued, so the user experience will be no different, whether the computer has internet or not.

PIN code

Computers work the same online or offline - except of course, if you require approval and the computer is offline. Then no one will know the user has a pending request until the computer has an internet connection, at which time it will flush its upload queue. This would rarely be a real-world problem, but there are examples, where a computer is offline for a long period of time with no option to get online. This is not a problem in itself, because the computer will just collect data and flush the queue later - but if approval is required, the user is stuck. This is where the PIN code comes in. If you look at the screen further up, you can see a link that says "I have a PIN code". This link only appears, if you have approval mode on - and there is no internet. Then the user can call your Help Desk over the phone and get a temporary PIN code that you can generate in the portal. When the user clicks "I have a PIN code", the screen below appears and the user can start the administrator session without internet.