Portal Administration for Windows

Introduction

This topic describes several key areas of the Admin Portal that can be used to manage Windows Settings  and Sub Settings.

Fields that can be set and/or configured in the portal are presented in tables, with each table showing:

  • Setting - the name of the field that controls the setting

  • Type - the type of value that can be entered or selected and its default value

  • Description - how the setting is used and notes about any implications it may have on other settings

To change any of the settings in the portal, log in to the portal and select the setting from the menu.

In this topic


Entra ID Support

Run As Admin Settings

Admin Session Settings

Admin Rights Setting

Tray Tools Settings

Pre-Approval Settings

Machine Learning

Privacy Settings

Preventing Abuse

Policies for Windows

Supplementary Technical Information

Entra ID Support

Portal menu: Settings > Tenant Settings > Groups > ENTRA ID / AZURE AD

NOTE:

Azure AD has been renamed by Microsoft to Entra ID. This version of the site pages uses both terms interchangeably, but future versions will refer to Entra ID only.

A selling point for the Admin By Request PAM solution is its flexibility and tools for granular access control; organizations can configure every setting to their specific needs and the needs of all, some, or even individual users.

Settings act as rules, such as whether the Run as Admin  or Admin Session  features are enabled, and whether or not users need approval to use them. You likely wouldn’t want the rules applied for an IT Administrator to be the same as those applied for a Customer Relations employee, so settings can be differentiated based on Sub-Settings, which allow different rules to be applied to different users and/or groups.

For all endpoint clients, we’ve built in support for Entra ID groups, meaning you can now apply Sub-Settings to existing Entra ID / Azure AD user and device groups.

For more information, refer to Tenant Settings.

For more information on the Entra ID / Azure AD feature, refer to Features > Azure AD Connector.

Entra ID SSO (Single Sign On)

There are two methods that can be used to setup Admin By Request SSO in Entra ID, depending on whether or not users are allowed to grant consent to applications that might request access to data:

Run As Admin Settings

Portal menu: EPM > Settings > Windows Settings > Authorization > AUTHORIZATION

Admin Session Settings

Portal menu: EPM > Settings > Windows Settings > Authorization > AUTHORIZATION

Changing Admin Session Duration

Admin session duration (access time) is the maximum amount of time in minutes an Admin Session may last. This time must be sufficient for the user to install software or perform any other necessary tasks.

To change the time allocated for an administrator session:

  1. Log in to the Portal and select menu Settings > Windows Settings.

  2. From the Authorization left menu, make sure the AUTHORIZATION tab is displayed (it is the default) and update the Access time (minutes) field in the Admin Session panel:

  3. Click Save when done.

UAC Setting

Portal menu: EPM > Settings > Windows Settings > Endpoint > UAC

Admin Rights Setting

Portal menu: EPM > Settings > Windows Settings > Lockdown > ADMIN RIGHTS

Tray Tools Settings

Portal menu: EPM > Settings > Windows Settings > App Control > TRAY TOOLS

Pre-Approval Settings

Portal menu: EPM > Settings > Windows Settings > App Control > PRE-APPROVE

Pre-Approval (known sometimes as Whitelisting) refers to the method of working out which applications are trusted and frequently used, and adding them to a list that automatically allows users to elevate those applications when they need to. This is essentially the opposite of Blocklisting/Blacklisting – creating a list of applications that cannot be elevated.

This method of “allow most, deny some” has proven to be extremely resource-efficient for large enterprises compared to the method of denying all applications and only allowing elevations on a case-by-case basis.


Admin By Request allows for quick pre-approval of trusted applications from the Auditlog. Pre-Approval is based on the application vendor or checksum, visible when the Application Control screen is displayed (step 3 below).

NOTE:

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

  1. Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.

  2. Expand on the application entry, and select Pre-approve this file under Actions:

  3. On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.

  4. Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

Machine Learning

Portal menu: EPM > Settings > Windows Settings > App Control > MACHINE LEARNING

The idea behind Machine Learning Auto-Approval is to kill two birds with one stone by allowing customers to build a Pre-Approved list as their employees use the software. This removes the need for enterprises to spend considerable amounts of time and effort figuring out and manually configuring which applications should be pre-approved ahead of time.

The way it works is, it allows you to create a simple rule that says:

“If approval for elevation of an application is granted X times, that application is now automatically approved for incoming requests from then on.”

This allows the system to handle creating the list of applications that are safe for approval as applications are used.

For more information, including step-by-step procedures, refer to Features > Machine Learning.

Privacy Settings

Portal menu: EPM > Settings > Windows Settings > Privacy > PRIVACY

Connecting Remotely

Remote Support  is a feature of "Secure Remote Access", the refreshed and enhanced product previously called "Remote Access".

There are three features (i.e. components) to Secure Remote Access - Unattended Access, Vendor Access  and Remote Support:

From version 8.4, Admin By Request for Windows provides support for the Remote Support  component, which allows portal admins to establish a connection to an endpoint, initiated either by the admin from the portal or by the user at the endpoint.

Once connected, the session can be controlled in two ways:

  1. By either party, simply by using mouse and/or keyboard

  2. By the user only, with the admin effectively watching in "view-only" mode

The session is fully audited and can also be recorded for later playback.

Refer to Secure Remote Access for more information.

Preventing Abuse

So what prevents the user from abusing an Admin Session? The fact that the user has to ask IT for access will in itself prevent the most obvious abuse. But as part of your settings, you can also configure a Code of Conduct page. Here you customize wording that suits your company policy. For example, what the penalty is for using the administrator session for personal objectives. You can also choose to explain the things you can monitor from the portal.

When you enable the Code of Conduct ("instructions") screen in the settings, this screen appears right before the administrative session starts. You can also customize company name and logo for all screens, so there is no doubt this message is authentic and indeed from the user’s own company. This is the configuration part of the portal, where you set authorization, company logo, policies, email communications, etc.

For example:

Offline Computers

Admin By Request works the same whether the computer is online or offline. Portal settings, domain groups and OUs for the currently logged-in user are cached on the client and data going the other way are queued, so the user experience is exactly the same when a computer is away from your LAN or even when it has no internet connection.

PIN Code

Computers work the same online or offline – except of course, if you require approval and the computer is offline. Then no one will know the user has a pending request until the computer has an internet connection, at which time it will flush its upload queue. This would rarely be a real-world problem, but there are examples, where a computer is offline for a long period of time with no option to get online.

A good example is our customer Red Cross, which has workers going offline for weeks to a village in Africa. This is not a problem in itself, because the computer will just collect data and flush the queue later – but if approval is required, the user is stuck. If the user makes a request and approval is required, the user is informed that they have to either wait and queue the request until there is internet access, or seek internet access now (for example by connection sharing on a phone).

Or - request a PIN code in case of urgency and internet connectivity is impossible. If the user requests a PIN code, the user will see a 6 digit “PIN 1” code and must call, say, your Help Desk over the phone and get the matching 6 digit “PIN 2”. PIN 2 is a one-time PIN code that is hashed from PIN 1, customer id and computer name. Therefore, in the odd chance the same PIN 1 appears on a different computer, PIN 2 is different.

For example:

Policies for Windows

Settings in the Admin By Request client application are controlled in the portal under “Windows Settings” (Portal > Settings > Windows Settings). You can also define sub settings based on Computer or User Groups and/or OU.

It is highly recommended that you configure settings in the portal instead of using Group Policy Objects. If, for what-ever reason, you still want to overrule settings wholly or in part, you can set Policy keys either by using an ADMX file or by setting registry keys using GPO or by other means. Policy settings always overrule web settings.

IMPORTANT:

Please note we do not recommend that you use group policy to control client behavior. Instead, we recommend that you use portal settings and sub settings for better transparency and for real-time control of computers not connected to your LAN.

If you have any questions about portal settings or would like a demo of these or a copy of an ADMX file, please feel free to contact us.

Supplementary Technical Information

This section provides more information on the following: