Run As Admin

What is it?

Run As Admin (also known as App Elevation) removes local admin rights while preserving the user’s ability to install or update apps. When a user without admin rights attempts such actions (for example, installing WebEx or Adobe Reader), Admin By Request intercepts and runs the installation in a sandboxed admin environment, fully audited via both the local application and the Admin By Request portal

In short, Run As Admin allows for the elevation of a single application. It negates the need for users to initiate an Admin Session. (Because elevating privileges for execution of a single file is the safer option compared to elevating a user’s privileges across the endpoint.)

Using Run As Admin

A standard user executing a program that requires elevated privileges to install initiates the following sequence of events.

  1. Download the file for installation.

  2. Start the installation by right-clicking and selecting Run as Administrator:

  3. Admin By Request suspends installation and asks for phone, email, and reason. Enter these details and click OK to continue:

  4. A notification now advises that the request for approval has been sent:

  5. When the request is approved, a further notification advises the request has been approved:

  6. Now the installer has the elevated privileges required to run - click Yes to start authorized installation with elevated privileges.

Check the audit log in the portal for details on the user, the endpoint, the application run and execution history.

NOTE

Elevated privileges last only for the duration of the install and apply only to the particular application or package authorized.

Example 1 - Install app VLC

A standard user, requiring elevated privileges to execute the VLC installation program, initiates the following sequence of events:

  1. Download the package or application file for installation.

  2. Start the installation by opening the Downloads folder and dragging the VLC icon to the Applications folder. If the download is a .dmg file, double-click it first to mount it:

    If a warning about VLC being downloaded from the Internet pops-up, click Open to continue.

  3. Admin By Request suspends installation and checks the organization's portal settings.

    1. Endpoint Privilege Management > Settings > Mac Settings > Authorization > AUTHORIZATION:

      Authorization (i.e. approval) is not required, so installation can proceed. This is also the case when approval is  required, but the app is pre-approved.

    2. Endpoint Privilege Management > Settings > Mac Settings > Endpoint > AUTHENTICATION:

      Authentication is always required and the mode in this case is Confirm. so the following prompt is displayed and the user simply has to click OK to continue:

  4. Once authenticated, installation proceeds to completion and Admin By Request displays a note from the application installer saying that installation has completed successfully.

After installation, portal administrators can check the audit log in the portal for details on the user, the endpoint, the application and execution history:

Example 2 - Install app Foxit PDF Reader

A standard user, requiring elevated privileges to execute the Foxit PDF Reader installation program, initiates the following sequence of events:

  1. Download the package or application file for installation.

  2. Start the installation by opening the Downloads folder and double-clicking the .pkg file:

    If a warning about the file being downloaded from the Internet pops-up, click Open to continue.

  3. Admin By Request suspends installation and checks the organization's portal settings.

    1. Endpoint Privilege Management > Settings > Mac Settings > Authorization > AUTHORIZATION:

      Authorization (i.e. approval) is required, so Admin By Request prompts for phone, email address and reason. This information is submitted for approval and the user is advised they will be notified via email when approved:

      A portal administrator receives the request and approves it:

      When approval arrives via email, the user can continue the installation with authentication (step 3.b below).

    2. Endpoint Privilege Management > Settings > Mac Settings > Endpoint > AUTHENTICATION:

      Authentication is always required and the mode in this case is Authenticate. so the following prompt is displayed and the user must supply credentials to continue:

  4. Once authentication is provided, installation proceeds to completion and Admin By Request displays a note from the application installer saying that installation has completed successfully.

After installation, portal administrators can check the audit log in the portal for details on the user, the endpoint, the application and execution history:

Check the audit log in the portal for details on the user, the endpoint, the application run and execution history.

NOTE

Elevated privileges last only for the duration of the install and apply only to the particular application or package authorized.

In Linux, a single line sudo command implements Run As Admin, where elevated privileges are required.

The following steps illustrate how to download and install Foxit PDF Reader (64-bit) on Ubuntu 22.04 using a terminal session:

  1. Copy 
    wget http://cdn01.foxitsoftware.com/pub/foxit/reader/desktop/linux/2.x/2.4/en_us/FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz
  2. Copy 
    cd ~/Downloads

  3. Unpack the tar file to create a .run file:

    Copy 
    tar xzvf FoxitReader*.tar.gz

  4. Check that the .run file is executable. If not, make it so:

    Copy 
    chmod a+x FoxitReader*.run

  5. Use sudo to install Foxit PDF Reader system-wide (installs in /opt rather than /home):

    Copy 
    sudo ./FoxitReader*.run

    If approval is required, a pop-up will appear asking for information, including reason. If approval is not required, a reason might still be needed for logging purposes.

  6. Continue with the installation. When the sudo command is complete, check details logged for the install in the portal under Auditlog > RUN AS ADMIN rather than Auditlog > ADMIN SESSIONS. The sudo command is logged under RUN AS ADMIN.

Pre-approved applications run without prompting for a reason and the activity is logged under RUN AS ADMIN. (e.g. the sleep command).

Check the audit log in the portal for details on the user, the endpoint, the application run and execution history.

NOTE

Elevated privileges last only for the duration of the install and apply only to the particular application or package authorized.

The short video below demonstrates a typical "installation with approval" process:

Auditing

Before elevation, Admin By Request can present:

  • A Reason prompt, asking users to justify why they need admin privileges.

  • A Code of Conduct screen, reminding users of policy expectations, audit logging, and support channels.

Once elevation begins, the portal logs a "Running" status; after completion, it switches to "Finished" and provides details on installed or uninstalled software, along with all started processes:

App Elevation & “Run As Administrator”

Whether triggered by an installer or via Windows Explorer's right-click “Run As Administrator,” Admin By Request recognizes the request:

  • The system icon changes to the Admin By Request logo.

  • The same Reason/Code of Conduct prompts appear (if enabled).

  • The user enters their own credentials - not admin credentials.

  • The process gains elevated privileges and is fully logged.

Configuration Options

Admins set preferences in the portal’s Settings section, controlling:

  • App Elevation: elevation of individual apps or installers.

  • Admin Session: temporary admin sessions for IT or developers, offering full audit logging.

Settings can be tailored per user/computer group or OU. In this example, "Require approval" is not required (OFF) for Run As Admin, but is required (ON) for Admin Session:

Blocking Specific Apps

You can create a blocklist of applications that are prevented from elevation (e.g. Dropbox, WhatsApp, regedit):

System files can also be globally blocked from being elevated:

Approval Workflow

Under Require Approval mode:

  • All elevation requests are routed to the portal’s Requests section for approval or denial.

  • Real-time notifications can be sent to admins via mobile app.

  • Once approved, elevation proceeds; if rejected, the user is informed.

Approval / Denial via mobile app:

1

2

3

4

Running With Admin Credentials

If a user provides full admin credentials (not just their own), Admin By Request performs no logging or prompts, allowing classic platform "Run Elevated" or "Run As Administrator” behavior.

Selecting the Best Settings

Deciding between Require Approval and Reason only depends on your organizational policy and resourcing:

  • Many teams start with Require Approval to monitor activity.

  • Over time, most disable it; the awareness and audit trail are sufficient to prevent misuse, saving admin time .

  • You can also customize settings via sub-groups; some users may need approval, others not.

  • If in doubt, the Admin By Request team is available via chat or official contact channels

For more information

Refer to Run As Admin Settings for information on configuring Run As Admin.