Editions & Features
Introduction
This page compares the editions of Admin By Request and describes the features used for comparison.
|
Workstation |
Workstation |
Workstation |
Server |
Administrator Access Lockdown |
|
|
|
|
Tampering Protection |
|
|
|
|
Local Admins Group Cleanup |
|
|
|
|
Local Admins Group Protection |
|
|
|
|
Email Approval Flow |
|
|
|
|
Elevated Session Cloud Auditing |
|
|
|
|
Hardware And Software Cloud Inventory |
|
|
|
|
Administrator’s group Cloud Inventory |
|
|
|
|
PIN Code Offline Elevation |
|
|
|
|
Block Applications |
|
|
|
|
Multi-lingual Support |
|
|
|
|
Group Policy Control (ADMX) |
|
|
|
|
Administrator Logon Cloud Auditing |
|
|
|
|
Support for Servers |
|
|
|
|
|
|
|
|
|
Features explained
Administrator Access Lockdown
Admin By Request allows you to permanently remove your users' administrator rights and instead have users request a temporary real-time, time-limited, administrator session. Refer to Core Features for more details.
-
Windows: Users are removed from the local administrator’s group at logon.
-
Mac: Users are downgraded from admin user role to standard user role.
Tampering Protection
The user is limited to installing software and performing trivial tasks. The user cannot change local users or tamper the system during an administrator session. Furthermore, Admin By Request cannot be uninstalled during a temporary administrator session. This prevents the user from keeping the temporary administrator session permanently by uninstalling the product.
Local Admins Group Cleanup
-
Windows: Admin By Request removes Domain Users from the local administrator’s group and all local or domain accounts that log on interactively that are not either administrators through a domain group or the built-in administrators account. This is by default disabled on servers, but can be enabled through policies.
-
Mac: User’s admin role is downgraded to standard user role and granted certain rights during an administrator session without getting the full privileges of an Admin. Refer to the FAQ for more information.
Local Admins Group Protection
-
Windows: When a user is granted a temporary administrator session, Admin By Request snapshots the existing administrator’s group. If the user puts a user account or domain groups into the administrator’s group during an administrator session, it is simply removed when the admin session ends and the snapshot is restored.
-
Mac: This problem does not exist in the same way, because the user is not really promoted to be a full administrator. The user can, during an administrator session, do everything except change, add or modify user accounts.
Group Policy Control (ADMX)
In the portal for Admin By Request, you define rules for approval of temporary administrator sessions. You can install a custom ADMX file in your environment to control these locally. This also allows you to add granularity by having different settings for different OUs through different Group Policies. You can also add blocking and pre-approval of applications through Group Polices. Refer to Endpoint Software > Windows Policies for more information.
Blocking and Auto-Elevation of Applications
Using Group Polices, you can create a list of applications you never want users to run, either permanently or only during administrator sessions. Refer to Endpoint Software > Windows Policies for more information.
Multi-lingual Support
Admin By Request automatically adapts to the operating system language of the user. Supported languages are English, German, Spanish, French, Danish, Swedish, Norwegian, Dutch, Italian, Korean, Chinese, Polish and Russian.
Elevation File Logging
File logging logs to a log file, when a user is granted temporary administrator access and when the session ends.
Email Approval Flow
When a user requests an administrator session and you do not have auto-approval enabled, you (as administrator) receive an email in real-time with a link to approve or deny the request. The email notification ensures that the end user does not have to wait until someone logs in to the portal to check for administrator requests.
Elevation Cloud Auditing
When a user is granted an administrator session, the session is audited to the portal, meaning start and end time, user name and a delta of installed and uninstalled applications during the session. This allows you to cross-reference the reason the user gave to be granted the session with the actual delta of applications on the machine during the administrator session.
Hardware And Software Cloud Inventory
You get a full hardware and software inventory in your cloud portal by installing Admin By Request on a machine, even if no one uses the application to request sessions.
PIN code elevation
In case approval mode is enabled and a computer is without internet connection, a PIN code can be granted to elevate offline. Refer to Core Features for more information.
Administrator’s group Cloud Inventory
The members of the administrator’s group are collected as part of your inventory. This allows you to catch unexpected administrator accounts across your network in a simple flat view.
Administrator Logon Cloud Auditing
On servers, when any administrator logs on, the session is audited in the same way as an approved elevated temporary administrator session. The audit of elevated sessions combined with these administrator logons gives you a complete central picture of all administrator access on your servers in real-time.
Note the following:
-
On a server, the request access icon will not appear, except for users who are members of a specific domain group. This allows you to put, for example, external consultants in this group.
-
An external consultant on the server will need to request administrator access on a case-by-case basis instead of having permanent administrator rights.
-
When a normal user has a remote desktop session, the icon will not appear.
-
An administrator will see a red icon and a member of this domain group will see the request administrator access icon, just like on a workstation.