The macOS Client User Interface
Introduction
The user interface is graphical and is accessed via the icon menu in the menu bar (top right) of the screen.
The color of the icon depends on the currently logged-in user: if the user is an administrator, the icon is red, whereas if the user is a standard user, the tray icon is black:
Click the icon to display the menu and select About Admin By Request for further information (Administrator and Standard User) or Request Administrator Access to carry out an admin task (Standard User only):
In this topic
Requesting Administrator Access
Setting-up a Break Glass Account
About Admin By Request
Once installed, Admin By Request is running in the background for as long as the endpoint is powered-on. Selecting the app from the menu bar or the dock launches the user interface, which comprises a simple window with four buttons down the left-hand side:
The default panel is About Admin By Request, which is accessed via the top button. It shows the current workstation edition, license details, website link, and copyright information.
Click the About button to get back to this panel if viewing one of the other panels.
-
Diagnostics – provides a way to send useful diagnostic data on this workstation to the ABR support team (see Submitting Diagnostics for more information):
-
Uninstall – enables administrators to uninstall Admin By Request from this workstation. See Uninstalling Admin By Request for more information:
Submitting Diagnostics
Diagnostic information is available on each endpoint that has Admin By Request installed. The details recorded help IT administrators and the Admin By Request support team to troubleshoot issues that might be occurring.
The following data is recorded and submitted:
-
Current system configuration
-
Errors from the system log
-
Admin By Request-related crash logs
-
Admin By Request service log
To send diagnostic information about how Admin By Request is running on this workstation, select the Diagnostics button on the About Admin By Request panel and click Submit Diagnostics Data.
It's a good idea to submit diagnostics when raising a support ticket for a new issue. The Admin By Request support team will frequently ask for diagnostics when responding to tickets if the information is not already available.
Using Run As Admin
Run As Admin (also known as App Elevation) allows for the elevation of a single application.
This capability negates the need for users to initiate an Admin Session. Elevating privileges for execution of a single file is the much safer option compared to elevating the user’s privileges across the endpoint.
Some Mac applications (e.g. Grammarly and Spotify) require wide-ranging permissions to install properly and can only be successfully installed via an Admin Session. Further, these applications almost always require the same wide-ranging permissions when they auto-upgrade, meaning that another Admin Session must be started before upgrading the app.
This is simply due to the nature of how processes work on the macOS operating system. When attempting to run an installation or upgrade via Run As Admin, a pop-up window prompting for admin credentials will be triggered by the OS whenever a separate executable that handles access to another area of the file system is invoked. At the time of writing, the only way around this is to carry out the installation or upgrade via an Admin Session.
A standard user executing a program that requires elevated privileges initiates the following sequence of events:
-
Download the package or application file for installation.
-
Admin By Request suspends installation and asks for phone, email, and reason. Enter these details and click OK to continue.
-
Now the installer has the elevated privileges required to run, but it still needs authorization from the current user. Start the installation a second time, supply credentials for the current user (who will be a standard user) and click OK to start authorized installation with elevated privileges.
The elevated privileges last only for the duration of the install and apply only to the particular application or package authorized.
For any .app file, initiate Run As Admin by dragging and dropping the application file over the Admin By Request Dock icon. At the account control pop-up, enter credentials and hit OK to run the installer as an administrator. Note that this works only for .app files; it does not work for .pkg files.
Check the audit log in the portal for details on the user, the endpoint, the application run and execution history.
Requesting Administrator Access
Requesting administrator access is also known as requesting an Admin Session, which is a time-bound period during which a standard user has elevated privileges and can carry out administrator-level tasks..
As with About Admin By Request,
Submitting a request for administrator access is the primary mechanism for gaining elevated privileges.
A standard user making this selection initiates the following sequence of events.
-
The user enters email, phone and reason information into the form and clicks OK.
NOTE:Settings in the portal control the full extent of what is displayed to the user:
-
If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (Portal > Settings > Workstation Settings > macOS Settings > Endpoint > INSTRUCTIONS).
-
If Require approval is OFF, the approval steps are skipped (Portal > Settings > Workstation Settings > macOS Settings > Authorization > AUTHORIZATION > Admin Session).
-
-
The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.
-
The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.
See Changing Admin Session Duration for more information on changing the duration of the countdown timer.
During an Admin Session, users can install programs requiring admin rights, install drivers and change system settings other than user administration. All activity during the elevated session is audited, so you can see in the audit log the reason why the person needs the elevation; anything installed, uninstalled, or executed.
During an Admin Session, users cannot uninstall Admin By Request, or add, remove or modify user accounts.
Setting-up a Break Glass Account
The Break Glass feature extends the functionality of MS LAPS. It creates a new, temporary, one-time-use Administrator account on an endpoint, that works on domains, Azure AD, and stand-alone, which audits all elevated activity, and terminates within a pre-defined amount of time or on log out.
Security benefits
The Break Glass feature includes the following security benefits:
-
Break Glass circumvents the need to use the built-in local Administrator account – you can disable it completely to add an extra later of security to your endpoints.
-
The account must be used within an hour of being generated, minimizing the potential attack window and risk of account compromise.
-
Risk is further minimized by a one-time-only log in functionality: the user can log in once, and after log out, the account is terminated.
-
The user has only the time specified under Expiry when the Break Glass account was generated to use the administrator account; this duration is indicated on the built-in desktop background of each account. When the time-period is up, the session is terminated.
-
Measures are in place to ensure the Expiry time cannot be tampered with: if the Account user attempts to extend their time limit by adjusting the clock, the Account automatically logs out / terminates.
-
All Usernames and Passwords are automatically generated, random, and complex, minimizing the possibility for a successful brute force attack.
-
Passwords are stored within the web application, only accessible by Portal users / IT Admins via credentials – a safer option compared to MS LAPS' storage of admin account passwords in plain text along with the AD computer record.
When would I use a Break Glass account?
A Break Glass account is useful in the following scenarios:
-
Regaining Domain-Trust Relationship
As the name suggests, the Break Glass feature is ideal for "last resort" situations, such as when the domain-trust relationship is broken and needs to be reconnected using an Administrator account. -
Provisioning a Just-In-Time Administrator Account
The Break Glass Account doubles up as a Just-In-Time account that can be used for specific purposes / situations when necessary; e.g., provisioning an account for someone who doesn’t have credentials, but requires access to service an endpoint. -
Extra Possibilities with Server Edition
Further to point 2, with Admin By Request Windows Server Edition you can provision an admin account to a consultant without giving them domain-wide permissions at any point in time.
Using the Break Glass feature
Setting-up and using a Break Glass account comprises three tasks:
-
Generate
Create a Break Glass account:
-
From the Expiry drop-down menu, select an amount of time for which you want the Account to be available. The default is 2 hours, but the period can range from a minimum of 15 minutes, to an unlimited amount of time.
-
Once generated, the status of the Break Glass account is updated in real-time in the Portal. The four possible states are:
-
Waiting for Endpoint – The account is generated in the User Portal but not yet created on the endpoint (to create the account on the endpoint, see the next section Activate).
-
Ready to Log On – The account is created but has not yet been activated / used (i.e., logged in to).
-
Session in Progress – The account is currently in use.
-
Account Removed – The account has been terminated either due to the user logging out, or the pre-defined Expiry time being reached.
-
-
Optionally, you can send the new Break Glass account credentials via SMS (i.e., text message) by entering the intended recipient’s mobile number into the text box and clicking Send SMS.
-
Activate
Activate the Break Glass account using one of the following methods:
-
Restart the device, then wait approximately 30 seconds for the account to be created. The Portal will update the status message when the account is ready, and the account will appear in the bottom-left of the Windows log on screen along with the other accounts available on the endpoint:
-
If enabled, you can select Other User in the Windows log in screen and enter the generated Break Glass account User and Password into the fields. Remember to prefix the User credential with the device name (e.g. DESKTOP-LMSEFL8\ABR524154).
NOTE:This may fail on the first attempt; if so, wait 10 seconds and then try again.
-
A third method to activate the account is by logging in to another account on the endpoint, selecting the Admin By Request icon from the bottom toolbar, and clicking the About item from the menu.
-
-
Terminate
Use the account and log out:
-
Once logged in to the Break Glass account, the user has administrator privileges to do what they need to do, within the Expiry time displayed on the built-in screensaver:
-
Terminate the account by either logging-out, or allowing the account to log out automatically when the Expiry time is reached – whichever comes sooner.
-