AI Approval
Introduction
There are two main reasons for enterprises to remove their users’ admin rights:
-
To prevent them from installing unwanted applications on company devices.
-
More importantly, for security reasons – to prevent malware infection and spread.
History and experience tells us that malware often comes attached to unknown, ‘freebie’ applications which users download for one-off use. For example, a user who has obtained an ISO file but has no way to extract it, may do a quick Google search for a tool which will help them complete the job; download, install – and find that their system is now infected.
So how can an organization easily distinguish between which apps are safe for approval, and which should be blocked or looked at more closely? With the Artificial Intelligence Auto-Approval feature in Admin By Request, you can let our AI engine decide which files are safe for approval, and which should be considered potentially dangerous and handled manually instead.
AI Approval – What Is It?
Large enterprises with thousands of users need to carefully balance productivity with security – manually approving each request for elevation would consume extensive resources, as would figuring out which applications are most used and creating enormous pre-approved lists to cover all possibilities.
The AI Approval feature is the safer, more efficient alternative as it allows organizations to make a rule that says any applications that are popular / known / elevated frequently will be automatically approved.
Behind the Feature
The idea behind this feature came from looking at trends in our massive database of applications and concluding that most of the applications run with elevated privileges are the same across the board – and these common apps are generally safe for elevation. So, the question arose, how could we use this data to help each customer?
We created a system that assigns an application two percentage scores between 0 and 100 based on (1) the application itself and (2) its vendor’s popularity. A very well-known app from a reputable vendor (e.g., Microsoft Office) would score in the higher end of the scale, whereas a rarely used app from an unknown vendor would receive a low score.
The higher each of the scores, the more trustworthy the app is considered to be, and the less risk attached in allowing it to be automatically approved by the Admin By Request AI engine.
Very low scores (i.e., 0-1) indicate ‘exotic’ apps – rare software from unknown vendors that are much more likely to have malware attached. These exotic applications are those that you would not want to be auto-approved by the AI engine, and instead approved manually on a case-by-case basis.
How It Works
The idea with the scoring system is to allow customers to set a score of their choosing, and then enable AI Auto-Approval for every application that meets this score or higher – using the AI engine to approve applications that are very common, and therefore, likely safe.
For example, if you set both App and Vendor scores to 10, and enable auto-approvals for both, all applications that meet the threshold for one of the scores will be automatically approved.
Only one of the scores (i.e., App OR Vendor) has to be met in order for an application to be Auto-Approved, and it is possible to only have one or the other enabled for the feature to work.
Any apps that score below the set value will not be AI Auto-Approved, and can be dealt with upon individual Request by users, or via Machine Learning – another feature of Admin By Request since version 8.0.
Configuring AI Approvals
Each organization can tailor the feature to suit their needs and preferences – but how do you know what to set your App and Vendor Auto-Approval scores to?
Within the Admin By Request portal, we’ve created a database of over 12 million known applications and their scores. This list can be used to gauge which applications have what score, and give each organization an idea of where to set their AI Auto-Approval thresholds.
Because of the huge size of the database, only a sample of the most common applications is presented. For the same reason, searching for a particular app is not possible (at the time of writing).
If the app you wish to approve via AI Approval is not listed in the sample, you can check it's current scores by installing it on an Admin By Request test computer. Once installed, go to the Auditlog and check the scores.
Example
We want to allow users to install two common apps using AI Approval and neither of these apps appears in the samples at the time of checking (although they might appear at a later date).
User installation may or may not require approval, depending on your tenant's App and Vendor scores.
In this example, the apps are:
-
Visual Studio Code Setup
-
Zoom Meetings Installer
To check their current App and Vendor scores, make sure both App and Vendor auto-approval are OFF initially (i.e. not enabled). The AI Approval setting is found in the portal at Endpoint Privilege Management > Settings > Windows Settings > App Control > AI APPROVAL.
Using an admin account, install both apps on an Admin By Request test computer and then review the installation entries in the Auditlog:
-
Visual Studio Code Setup - App Score 72, Vendor Score 100:
-
Zoom Meetings Installer - App Score 5, Vendor Score 8:
VS Code Setup scores highly for both App and Vendor, while Zoom Meetings Installer does not score highly at all.
If we set our tenant scores to 45 and 90 for App and Vendor respectively, any app exceeding either of these will install without requiring approval, whereas any app falling below both values will require approval.
The following procedure describes how to do this.
To set AI Approval scores:
-
Navigate to Endpoint Privilege Management > Settings > Windows Settings > App Control > AI APPROVAL and check the Sample Application Scores table.
The App Score and Vendor Score columns show each application’s score in the database. In the image below, the list is ordered based on highest App Score (simply click the column heading to toggle ascending or descending) and we can see that the top scoring applications are all well-known:
When we order the list by lowest scoring app Vendors (click Vendor Score column heading), most of the low-scoring applications are not particularly well-known:
-
Now, in the portal, configure your tenant's App and Vendor Enabled toggles and score their values as desired. Following our example, we use App Score 45 and Vendor Score 90:
KEY POINT:AI Approval will have no effect unless you have Require approval toggled ON under Endpoint Privilege Management > Settings > Windows Settings > Authorization > AUTHORIZATION:
Regardless, you must accept the AI Disclaimer that pops up when either App or Vendor auto-approval is enabled:
-
When AI auto-approval is enabled, users installing applications may or may not need approval, depending on your tenant's App and Vendor scores.
In our example, when a non-admin user installs these apps, the following entries are logged in the Auditlog:
-
Visual Studio Code Setup: App Score 72, Vendor Score 100. Required scores from settings: App Score 45, Vendor Score 90 => no approval required (see AI Auto-Approved below):
-
Zoom Meetings Installer - App Score 5, Vendor Score 8. Required scores from settings: App Score 45, Vendor Score 90 => approval required (see Approved by below):
-
Sub-Settings
Like all Admin By Request features, you can set Global settings to apply to all users, and create Sub-Settings as ‘exceptions to the rule’. The same goes for AI Approvals.
A use case for a Sub-Settings could be members of the IT Department, who are more likely to require ‘exotic’ applications from time to time – not just the common apps used frequently by other users.
For this Sub-Setting, you could override Global Settings and set the auto-approve App score to a lower value, e.g., 5, so that auto approvals include less-common applications. For all other users (outside of the Sub-Setting scope), the App Score threshold would remain at 45:
Refer to Windows Settings > App Control > AI Approval tab for settings information.