Least privilege principles, Just-In-Time elevation

Endpoint Privilege Management


The Value Proposition

You're probably reading this because you know you have a problem. Either your company allows users to maintain local administrator rights, or your Helpdesk has to do countless remote installs. We can solve both issues for you with little effort, and at the same time, free up your IT resources.

We have customers with tens of thousands of users who have tried to implement allowlist solutions but have failed and come to us - because even with unlimited resources, it’s impossible to predict what your users need today. Speculating on allowlists in advance takes time and effort, and users will hate you for blocking their workday when you get it wrong.

Instead of relying on speculation, Admin By Request works proactively the other way around.

If a user starts to install software, the Admin By Request client intercepts and installs the software with a full audit trail - without the user ever being elevated to administrator. Think of it as a self-checkout at the supermarket. It is also safer than traditional allowlist solutions; just because an administrator adds a file to an allowlist, that doesn't mean it is safe. We scan files in real time with more than 35 anti-virus engines before allowing those files to run with administrative privileges.

Nothing needs to be installed or changed on-premises. Users do not need to be re-educated, and no one in IT needs to create endless allowlists or spend hours on remote installs. All you have to do is to deploy the Admin By Request endpoint software. This ease of use is why we are the fastest growing EPM solution in the world.

Let us show you.


EPM

Executive Summary

With Admin By Request:

Said the implementation time was less than expected
1 %
Were fully deployed within three months
1 %
Failed to implement a competitive solution
1 %
Will implement our solution in their next job
1 %
The Run as Admin feature is ideal for users with the occasional need for app elevations. It elevates the application – not the user. Use Run as Admin when you need to run one or two apps with admin privileges rather than many.
The Admin Session feature is the better choice for users who have a high need for administrative privileges. It gives the user administrator rights on their device for a predefined period of time, during which they can run multiple apps elevated. Use this feature when you need to undertake several admin tasks at a time.
The PIN Code elevation feature is for use in situations where the user who requires app elevation is excluded from being able to use Admin By Request – that is, they are not able to use the usual elevation methods of Run as Admin, Admin Session, and / or Pre-Approved apps. User Portal administrators can generate a single-use challenge / response PIN code which allows the user to start an elevated session.
The Break Glass / LAPS-replacement feature is the game changer which allows the provisioning of temporary, Just-In-Time local admin accounts. This feature is ideal for cases such as when the domain-trust relationship is broken and needs to be reconnected using an Administrator account, or to provision an admin account for someone who doesn’t have credentials but requires access to service an endpoint. With Windows Server Edition it’s also possible to give privileged access to a consultant without giving them domain-wide permissions at any point in time.
With Pre-Approval, you can add frequently used, known applications to the Pre-Approved list so that users can skip the approval flow (i.e., making a request, providing a reason, and waiting for approval) and access the pre-approved application from the get-go.
The AI feature assigns each application two scores between 0 and 100%, based on the popularity of the application and of its vendor. The higher each of the scores, the more trustworthy the app is considered to be, and the less risk is attached to allowing it to be automatically approved by the Admin By Request AI engine.
Machine Learning allows the system to handle creating the list of applications that are safe for approval as applications are used. You can set a number of times that applications need to be manually approved by an IT Admin before they are added to the Machine Learning Auto-Approved list.

Granular Access and App Control

Elevation Methods

Security Measures

Sandboxed Environment

In most cases, users need admin rights to install or update software, such as Adobe Reader, Visual Studio or VPN software. The tricky part about revoking local admin rights is doing it in a way that doesn't hinder your users' productivity, but does lock down local admin rights. That's what Admin By Request can do for you.

When a user starts an install, the process is intercepted and the user has to enter a reason, email and phone number to continue. You can adjust settings to automatically approve installs for some users and require IT approval for others.

The true value of this approach is not a technical one; users do the same as they have always done, but they don't have admin rights to make any changes on the machine. Because users do the same as they have always done, no users are unhappy, and no re-education is needed – Admin By Request seamlessly fits into their everyday work life. Think about the value of being able to smoothly revoke admin rights without having to re-educate all your users.

Malware Detection
When it comes to malware concerns - don't worry; we’ve got your back. When users request to run a file with admin privileges, we scan the file in real time with more than 35 anti-virus engines. This gives you assurance that the file is safe.

Malware is often hidden in "too good to be true" freebies, such as free PDF generators, ISO tools, or cleaner tools that your users can be tempted to run. We use OPSWAT's MetaDefender technology to make sure your users are blocked from running any malware with administrative privileges before the damage is done.

Here's How it Works

At Your Fingertips

The Mobile App

The mobile app makes approving requests easy for your team. A request for privileges will be pushed in real time to your administrators’ phones. The mobile app gives you access to your full audit log and inventory from your pocket without you having to go to the web portal for data.

Reporting Capabilities

The audit log and reporting tools allow you to extract anything in real-time, such as a graphical representation of the requests and elevations happening – as they happen. Admin By Request’s management tools put you in the front seat of the whole operation.

Device Location

See where all of your devices are on a scalable Google Map. Drill down for detailed info on each device.

New Devices

At a glance, see which devices have recently installed Admin By Request software.

Inventory

Get extensive details on hardware, software, local admins, events, and loads more for each endpoint.

Local Admins

Track and manage your local administrators from a central, bird's-eye view.

Activity

Tracked activity includes API, Login, and SCIM activity, mobile app usage, and a settings changelog.

Elevated Apps

Use the Auditlog to see which apps have been elevated, by whom, why, and when.


Easy Configuration

Configuration is super easy. All you have to do is log into your portal account and apply the settings you want. You can customize settings for users or computers based on their Active Directory groups or Organizational Unit. If you are using Azure AD only, you can filter by Azure groups.
