Privilege Management solution for PC, Mac & Server

Admin By Request: a simple to deploy, infrastructure free security solution for the control and management of local administrative rights on desktops and servers.

• Greatly reduce the ability of malware and ransomware to propagate.

• Allow or block local admin rights for specific applications.

• Elevate unprivileged domain user accounts to local admin - useful for contractors working on servers.

• Works both online or offline via PIN code token.

• Configurations for Cloud, Hybrid or On Premises.

• Ships with a fully integrated & comprehensive auditing, geographic asset tracking solution.

ABR enables the IT Helpdesk keep the local admins group completely locked down but enabling controlled, time limited privilege elevation users so they are able to install software while maintaining a full audit trail. You will never need to remote control computers again to elevate user rights to perform tasks that require elevation such as installing drivers or software.

Why you need Admin By Request

Our solution completely removes the need for IT to perform disruptive and time consuming remote control sessions of staff computers. If your IT department is tied up continually with routine tasks such as printer drivers, VPN software and plugin installations then Admin By Request is the solution for you. Regain control of your local admin accounts.

How it works

Admin By Request consists of 2 parts:

  • On premise agent (Windows or Mac). This executes elevation requests and communicates configured information to the portal (e.g. logs, requests and settings). Portal communication is recommended but not mandatory.

  • Management portal. The collection of agent settings, computer inventory and elevation workflow requests in a secure enterprise class cloud hosted environment. The portal also enables free mobile app functionality. For a test or P.O.C. all that is required is a free trial account, Admin By Request requires no additional on-premises infrastructure (servers, databases etc…).

Requesting access

Some expert users might have a need to do more than running applications as administrator. You can allow all or some of your users to request a protected administrator session that grants the user temporary administrator rights under full audit. If this is enabled, users will see a checkmark icon in the system tray (Windows) or icon bar (Mac). You can additionally choose to have Admin By Request place a shortcut on the user’s desktop (Windows) or in the dock (Mac). When the user needs to do something that requires administrator rights, the user just has to click the icon to request a time-limited on-the-fly administrator session under full audit.

When the user makes the request for administrator rights (hence the name Admin By Request), two things can happen. When you are signed in to the portal, you configure your settings, including whether you allow administrator access without approval or not. If you allow access without approval, the user becomes time-limited administrator right away. If you do not, someone must approve the request in the portal or in the app and an email flow starts. In either case, the user will see the window below and must enter reason for this need. You can disable the screen for users that do not require approval.



Configuring Authorization

In the “Settings” menu in the portal, you can define authorization settings. You can differ these settings for users or computers based on their groups or Organizational Unit through the “Sub settings” menu. If you are using Azure AD only, you can filter by Azure groups. You can choose to completely overrule all cloud settings on client computers by registry policy keys on Windows and a policy file on Mac.

Approving access from the app

If the user is not auto-approved, a portal user with approval rights has to approve the request. The easiest way to do that is to use the Admin By Request mobile app, which pushes an approval request to all approvers in real-time. When you press the Approve or Deny button, the user will receive an email with instructions.

Approving access in the portal

You can also approve requests in the portal. Typically, you would set up an email notification to all users that can approve requests. When you click the email link, it simply takes you to the "Requests" page in the portal. Here you will see a list of pending requests, as shown below, including contact information and computer data.

Simply click Approve or Deny for each request, as you would in the app.

Elevated Session

The user can start their elevated session if they are auto-approved or the request has been accepted in the portal workflow. Logging off is not required to gain elevation and at session start they are presented with a count-down timer (configure duration). Session details are uploaded to the portal once the user either stops the timer or the time runs out. Audit the session details in the portal (via webpage or mobile app), for example which software was installed or uninstalled and which applications were run UAC elevated (Windows only) during the session.



Learning Deployment Mode

Learning mode records elevation activity without enforcing rights removal, an ideal technique for initial roll out/discovery phase. Easily white or black list applications once application elevation activity is “learnt in”. A report of all elevation activity is also easily exportable for auditing purposes.

Asset segmentation and workflow delegation

Within the portal you can group and filter assets per department in order to delegate request processing. Admin By Request clients that require common settings (differing from global default settings) can be grouped into sub settings via the portal. Different departments could be set with different elevation request email recipients for example. Restrict a portal user so that they can only view the assets relevant to them by configuring the portal with multiple admin accounts with filters.

Offline Computers

Admin By Request works the same whether the computer is online or offline. Portal settings are cached on the client, when offline, elevation logs are stored locally on the client and synced with the portal when the client is next online.

If a computer is offline and a user requires approval then they have the ability to obtain a temporary PIN code by contacting an IT administrator/ help desk with portal access where the codes are generated. Each PIN code is unique for each client and is valid for that day only.

Audit & Asset Tracking

Included as standard is a powerful tracking, auditing and inventory solution that requires absolutely no additional configuration to setup.

The inventory system provides a filterable view of all Admin By Request enabled computers, providing centralised reporting of Software, Hardware, Administrators and Cloud Jobs (various exports to PDF, XLS, CSV, RTF):

Computer name, logged in user name, domain, OU, Computer type, Teamviewer ID System install date, hardware manufacturer, Model, Serial Number FSH version CPU type, Speed, Disk Size, Disk Free, Disk Status, RAM Geographic location city, region and country (link to Google maps) Operating System, Architecture and Service Pack / Build Public IP address, IP Hostname, Private IP, MAC address, network speed Primary monitor resolution and number of monitors. Each application installed on that system includes a breakdown of version number, install date, size and architecture.

Preventing abuse

Admin By Request comes with a suite of advanced anti tampering functionality. Once installed Admin By Request will be the only means by which a user can gain privileged elevation. The user also receives a customisable code of conduct message. That an audit is taking place and a display of the company policy, for example.

 Codes of conduct