The Mac Client User Interface

Introduction

The user interface is graphical and is accessed via the icon menu in the menu bar (top right) of the screen.

The color of the icon depends on the currently logged-in user: if the user is an administrator, the icon is red, whereas if the user is a standard user, the icon is black:

Click the icon to display the menu and select About Admin By Request for further information (Administrator and Standard User) or Request Administrator Access to carry out an admin task (Standard User only):

In this topic


  • About Admin By Request

  • Submitting Diagnostics

  • Requesting Assistance (Support Assist)

  • Uninstalling via PIN Code

  • Using Run As Admin

  • Requesting Administrator Access

  • Setting-up a Break Glass Account

About Admin By Request

Once installed, Admin By Request runs in the background for as long as the endpoint is powered on. Selecting the app from the menu bar or the dock launches the user interface, which comprises a simple window with four buttons down the left-hand side:

The default panel is About Admin By Request, which is accessed via the top button. It shows the following information:

  • Current workstation edition

  • License details - this information matches the organization details in the portal

  • Website link

  • Copyright information

The other panels in the user interface are accessed via the buttons on the left. Clicking a button opens its corresponding panel, and clicking the About button returns to the default panel from any of the others.

Submitting Diagnostics

Diagnostic information is available on each endpoint that has Admin By Request installed. The details recorded help IT administrators and the Admin By Request support team to troubleshoot issues that might be occurring.

The following data is recorded and submitted:

  • Current system configuration

  • Errors from the system log

  • Admin By Request-related crash logs

  • Admin By Request service log

To send diagnostic information about how Admin By Request is running on this workstation, select the Diagnostics button on the About Admin By Request panel and click Submit Diagnostics Data.

The button text changes to Diagnostics submitted, indicating that diagnostics have been sent for analysis:

NOTE:

It's a good idea to submit diagnostics when raising a support ticket for a new issue. The Admin By Request support team will frequently ask for diagnostics when responding to tickets if the information is not already available.

Requesting Assistance (Support Assist)

Assistance (also known as Support Assist or Remote Assist) is a feature that allows users to ask for help from someone who can use a third-party tool to connect remotely to the user's computer and provide technical assistance with tasks that the logged-on user would not normally be able to complete.

Support Assist has been designed to be used with a non-admin user, so that customers can apply the best practice "principle of least privilege" to help desk staff as well as end users. During a remote control session, the non-admin helper assists the logged-on user (also non-admin) in carrying out a task with less restrictive settings than the logged-on user has.

IMPORTANT:

At the time of writing, Support Assist is available only to users logged-in under Azure SSO.
Support Assist does not establish a remote control session - a third-party tool must be used for that.

The following scenarios are examples of when this might be useful:

  • End users who are not allowed to install software at all (i.e. neither Run As Admin nor Admin Sessions are enabled).

  • End users who don’t know where to get the software they need to use.

  • End users who are not IT savvy enough to self-service.

  • End users who refuse to take on the responsibility of installing software on their work computers, knowing they will be audited.


Uninstalling via PIN Code

Offline users can obtain a challenge/response PIN, which allows the user to perform tasks requiring elevated privileges. A PIN Code can also be used to uninstall Admin By Request when online, and this is the purpose of the Uninstall panel in the About Admin By Request window.

The first few steps in this procedure require access to the portal.

  1. In the Admin By Request portal, navigate to the Inventory page and identify the device on which to perform the uninstall.

  2. Locate the device in the inventory list - in the PIN column, click PIN for that device (columns can be switched around - the PIN column in your portal might not be the right-most column):

  3. Click the UNINSTALL PIN tab and then click the Generate PIN button:

    Note that clicking UNINSTALL PIN also displays a list of previous uninstall events on this computer (below the Uninstall Pin Code window):

  4. Copy the PIN.

  5. Back on the device on which you want to uninstall Admin By Request, go to the About panel (i.e. select the Admin By Request icon from the top menu bar and click About Admin By Request).

  6. In the Uninstall window, select Uninstall from the left button group, enter the PIN copied from the Portal, and click Uninstall:

Using Run As Admin

Run As Admin (also known as App Elevation) allows for the elevation of a single application.

This capability removes the need for users to initiate an Admin Session. Elevating privileges to execute a single file is much safer than elevating the user’s privileges across the endpoint.

Example 1 - Install app VLC

A standard user, requiring elevated privileges to execute the VLC installation program, initiates the following sequence of events:

  1. Download the package or application file for installation.

  2. Start the installation by opening the Downloads folder and dragging the VLC icon to the Applications folder. If the download is a .dmg file, double-click it first to mount it:

    If a warning about VLC being downloaded from the Internet pops up, click Open to continue.

  3. Admin By Request suspends installation and checks the organization's portal settings.

    1. EPM > Settings > Mac Settings > Authorization > AUTHORIZATION:

      Authorization (i.e. approval) is not required, so installation can proceed. This is also the case when approval is required, but the app is pre-approved.

    2. EPM > Settings > Mac Settings > Endpoint > AUTHENTICATION:

      Authentication is always required and the mode in this case is Confirm, so the following prompt is displayed and the user simply has to click OK to continue:

  4. Once authenticated, installation proceeds to completion and Admin By Request displays a note from the application installer saying that installation has completed successfully.

After installation, portal administrators can check the audit log in the portal for details on the user, the endpoint, the application and execution history:

Example 2 - Install app Foxit PDF Reader

A standard user, requiring elevated privileges to execute the Foxit PDF Reader installation program, initiates the following sequence of events:

  1. Download the package or application file for installation.

  2. Start the installation by opening the Downloads folder and double-clicking the .pkg file:

    If a warning about the file being downloaded from the Internet pops up, click Open to continue.

  3. Admin By Request suspends installation and checks the organization's portal settings.

    1. EPM > Settings > Mac Settings > Authorization > AUTHORIZATION:

      Authorization (i.e. approval) is required, so Admin By Request prompts for phone, email address and reason. This information is submitted for approval and the user is advised they will be notified via email when approved:

      A portal administrator receives the request and approves it:

      When approval arrives via email, the user can continue the installation with authentication (step 3.b below).

    2. EPM > Settings > Mac Settings > Endpoint > AUTHENTICATION:

      Authentication is always required and the mode in this case is Authenticate, so the following prompt is displayed and the user must supply credentials to continue:

  4. Once authentication is provided, installation proceeds to completion and Admin By Request displays a note from the application installer saying that installation has completed successfully.

After installation, portal administrators can check the audit log in the portal for details on the user, the endpoint, the application and execution history:

IMPORTANT:

Elevated privileges last only for the duration of the install and apply only to the particular application or package authorized.

Multi-Factor Authentication (MFA)

MFA is available as an option for authenticating users prior to granting Run As Admin privileges. The three options in the portal for authenticating users are:

  1. Confirm - User must confirm with Yes or No to elevate via Run As Admin.

  2. Multi-factor Authentication - User must validate identity using MFA through SSO.

  3. Authenticate - User must validate with credentials, face recognition, fingerprint, smartcard or similar.

Refer to Mac Settings (Authentication tab) for more information.

Intuitive app updates

Prior to Mac 5.0, updating already-installed applications required an Admin Session. Now, pre-approved apps can be updated when the apps themselves prompt for it on manufacturer release. Alternatively, IT departments can control app updating by withholding pre-approval for the next release of an app until full testing has been completed.

As with the initial installation, portal settings determine if users must request approval to update (authorization) and, once approved, they are asked to confirm an update via Confirm, MFA or Authenticate with credentials (authentication).

Requesting Administrator Access

Requesting administrator access is also known as requesting an Admin Session, which is a time-bound period during which a standard user has elevated privileges and can carry out administrator-level tasks.

As with About Admin By Request, click the menu bar icon to display the menu and select Request administrator access:

Submitting a request for administrator access is the primary mechanism for gaining elevated privileges.

A standard user making this selection where approval is required initiates the following sequence of events.

  1. A prompt asks “Do you want to start an administrator session?”. The user clicks Yes to continue:

  2. An empty Request Administrator Access form appears:

  3. The user enters email, phone and reason information into the form and clicks OK.

    NOTE:

    Settings in the portal control the full extent of what is displayed to the user:

    • If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > macOS Settings > Endpoint > INSTRUCTIONS).

    • If Require approval is OFF, the approval steps are skipped (EPM > Settings > macOS Settings > Authorization > AUTHORIZATION > Admin Session).

  4. The request is submitted to the IT administration team and the user is advised accordingly:

  5. The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

    The following example shows how two new requests might appear in the portal:

  6. One of the team either approves or denies the request. If approved, the user is advised accordingly:

  7. The user clicks Yes, which starts the session and displays a countdown timer:

  8. The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

See Changing Admin Session Duration for more information on changing the duration of the countdown timer.

During an Admin Session, users can install programs requiring admin rights, install drivers and change system settings other than user administration. All activity during the elevated session is audited, so the audit log shows the reason why the person needs the elevation and anything installed, uninstalled, or executed.

IMPORTANT:

During an Admin Session, users cannot uninstall Admin By Request, or add, remove or modify user accounts.

Multi-Factor Authentication (MFA)

MFA is available as an option for authenticating users prior to allowing an Admin Session. The three options in the portal for authenticating users are:

  1. Confirm - User must confirm with Yes or No to start an Admin Session.

  2. Multi-factor Authentication - User must validate identity using MFA through SSO.

  3. Authenticate - User must validate with credentials, face recognition, fingerprint, smartcard or similar.

Refer to Mac Settings (Authentication tab) for more information.

Setting-up a Break Glass Account

The Break Glass feature extends the functionality of MS LAPS. It creates a new, temporary, one-time-use Administrator account on an endpoint. The account works on domains, Azure AD, and stand-alone; all elevated activity is audited; and the account terminates within a pre-defined amount of time or on log out.

Using the Break Glass feature

Setting-up and using a Break Glass account comprises three tasks:

Refer to Features > Break Glass / LAPS for more information on the feature.