3 Data Collection
3.1 Data flow inside the system
The following communications take place:
- The client software communicates with the cloud service
- Administrators and help desk personnel access the portal through single sign-on
- OPTIONAL: Files and checksums are sent to OPSWAT MetaDefender for multi-engine malware scan (enabled by default)
- OPTIONAL: Customer API can be used to consume data from your own systems (disabled by default)
3.2 Encryption
3.2.1 Encryption at rest
We use Azure SQL transparent data encryption for all data at rest to ensure no unauthorized access to data is possible.
3.2.2 Encryption in transit
The data communication between the client software and our servers uses TLS 1.2 encryption. The load balancer IP depends on your region - refer to the list below.
Admin By Request uses port 443 and the IP addresses and API URLs that need access through firewalls are as follows.
If your data is located in Europe (Netherlands):
- IP: 104.45.17.196
- DNS: api1.adminbyrequest.com
- DNS: macapi1.adminbyrequest.com
- DNS: linuxapi1.adminbyrequest.com
If your data is located in the USA:
- IP: 137.117.73.20
- DNS: api2.adminbyrequest.com
- DNS: macapi2.adminbyrequest.com
- DNS: linuxapi2.adminbyrequest.com
If your data is located in the UK:
- IP: 85.210.211.164
- DNS: api3.adminbyrequest.com
- DNS: macapi3.adminbyrequest.com
- DNS: linuxapi3.adminbyrequest.com
If your data is located in Europe (Germany):
- IP: 9.141.94.162
- DNS: api4.adminbyrequest.com
- DNS: macapi4.adminbyrequest.com
- DNS: linuxapi4.adminbyrequest.com
If your data is located in Asia (Singapore):
- IP: 52.230.54.129
- DNS: api6.adminbyrequest.com
- DNS: macapi6.adminbyrequest.com
- DNS: linuxapi6.adminbyrequest.com
Wherever you are, you can also use api.adminbyrequest.com, but the regional URLs will likely be more responsive.
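The firewall requirements above can be checked from an endpoint. The following Python check is an added example, not code from Admin By Request; the region keys and function names are chosen for the example, and it assumes the regional hostnames resolve to the documented load balancer IP. It connects to each regional hostname on port 443 with certificate validation and a TLS 1.2 minimum, then compares the peer IP with the documented one.

```python
import socket
import ssl

# Documented load balancer IP and hostname suffix per region (values from the
# list above; the region keys are labels chosen for this example).
REGIONS = {
    "eu-nl": ("104.45.17.196", "1"),
    "us": ("137.117.73.20", "2"),
    "uk": ("85.210.211.164", "3"),
    "eu-de": ("9.141.94.162", "4"),
    "asia": ("52.230.54.129", "6"),
}
PREFIXES = ("api", "macapi", "linuxapi")

def hostnames(region):
    """Return the three API hostnames documented for a region."""
    suffix = REGIONS[region][1]
    return [f"{p}{suffix}.adminbyrequest.com" for p in PREFIXES]

def tls_context():
    """Client context that validates the chain and hostname and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe(host, timeout=5.0):
    """Connect to host:443; return (peer_ip, tls_version) or (None, error text)."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with tls_context().wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeername()[0], tls.version()
    except OSError as exc:  # DNS failure, firewall drop, timeout, TLS/cert error
        return None, f"{type(exc).__name__}: {exc}"

def assess(region, host, peer_ip, detail):
    """Classify one probe result against the documented values for the region."""
    documented_ip = REGIONS[region][0]
    if peer_ip is None:
        return f"BLOCKED {host}: {detail}"
    if peer_ip != documented_ip:
        return f"IP-MISMATCH {host}: got {peer_ip}, documented {documented_ip}"
    return f"OK {host}: {peer_ip} {detail}"

if __name__ == "__main__":
    region = "eu-nl"  # pick the region where your data is located
    for h in hostnames(region):
        print(assess(region, h, *probe(h)))
```

A BLOCKED result with a certificate error usually points to TLS inspection on the egress path rather than a missing firewall rule; an IP-MISMATCH result means the DNS answer differs from the address allowed in the firewall.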
3.3 What data does the inventory collect?
You are in control of your data. We offer the option to further limit the collection and processing of certain categories of personal information, or to disable the entire inventory. Once logged in to the portal, you can update these preferences at any time in the portal Settings menu according to your needs.
Refer to Data Privacy Settings for more information.
3.4 What data is extracted from domain controllers?
The client software collects this information from a domain controller for domain computers:
- User and computer OU names
- User's phone number and email address
- List of computer and user groups
The traffic is marginal and the data is refreshed only every 4 hours. You can monitor the traffic on an endpoint by running the Sysinternals ADInsight tool.
3.5 Session data collected
When a user has completed an App Elevation (Run As Admin) or an Admin Session, the client collects:
- Computer name
- Session duration
- Installed and uninstalled software
- UAC elevated programs
- Reason for administrator need (if configured)
- User's account name and full name (if configured)
If the Reason screen is used, email address and phone number are also collected, as entered by the user in the pop-up window. As mentioned earlier in this article, you can disable collection of user name, email address and phone number in portal Settings.
3.6 Diagnostics data collected
In a support situation, one of our support engineers might ask the end user to open the endpoint Admin By Request About screen, click the Diagnostics button and then click Submit. This action sends trivial system data to us so that we can understand the history of the endpoint software.
If the end user clicks Submit, the client submits:
- Current configuration state (downloaded settings)
- Data in queue to be uploaded
- When the endpoint software was installed or upgraded
- When the services of the endpoint software were started or stopped
- Events from the local event log related to Admin By Request.

- Data cannot be extracted by us without the user clicking the Submit button.
- Submitted data is kept for a limited time only - typically one week, although longer if a support ticket requires more time to resolve.
- An end user cannot create a support ticket - only your portal administrators can do this.
3.7 Data cached on the endpoint
The client software for domain-joined computers works exactly the same off your LAN as it does on your LAN.
This is possible because the endpoint clients cache an encrypted copy of the domain group names and the OU name of the computer and the logged-on user, in order to determine sub settings both online and offline:
- If your computers are Azure AD joined, a similar group cache is kept for performance reasons.
- If your computers are stand-alone, no data is cached.
