On - Allows users to elevate privileges for a selected file. Enables Require approval and Require reason. Disables Block Run As Admin.

Off - Denies users the ability to elevate privileges for a selected file. Enables Block Run As Admin, which is how users with admin credentials can still elevate privileges.

On - Denies users the ability to execute Run As Admin even if administrator credentials are available (i.e. no authentication window is presented).

Off - Allows users with administrator credentials to execute Run As Admin (i.e. authentication window pops-up asking for admin credentials).

On - Sends a request to the IT team, which must be approved before elevation is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to elevate file privileges (and thus perform the action) as soon as the action is selected. For example, selecting "Run as administrator" to execute a program occurs immediately, without requiring approval. Makes Require reason optional (i.e. can be either On or Off).

On - Extends the authentication window and asks the user to enter email address, phone number and reason. Reason must comprise at least two words. This information is stored in the Auditlog.

Off - No reason is required by the user, but details of the actions performed are stored in the Auditlog.

On - Allows users to effectively become a local administrator for the number of minutes specified in Access time (minutes). Enables Require approval, Require reason and Access time (minutes).

Off - Denies users the ability to become a local administrator. Hides all other options under Admin Session.

On - Sends a request to the IT team, which must be approved before the request is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to become a local administrator as soon as the request is made. Makes Require reason optional (i.e. can be either On or Off).

On - Extends the authentication window and asks the user to enter email address, phone number and reason. This information is stored in the Auditlog.

Off - No further information is required by the user, but user and computer details are stored in the Auditlog.

The maximum duration in minutes an Admin Session may last. This time must be sufficient for the user to install software or perform any other tasks that require elevation.

On - Additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Standard email address format. Use a new line for each address.

Auto-detect - The skin (light or dark) depends on what is currently being used by the operating system.

Light - Uses a light skin for Admin By Request dialog boxes.

Dark - Uses a dark skin for Admin By Request dialog boxes.

Follow Operating System - The skin (light or dark) depends on what is currently being used by the operating system.

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

On - Instructions are shown to the user per the period selected below via the drop-down. User clicks OK to close the instructions window.

Off - Instructions are not shown.

A title for the instructions window.

The instructions displayed to the user.

A frequency indicating when instructions are to be displayed:

• Show every time

• Show once a day

• Show once a week

• Show once a month

On - Instructions are shown to the user per the period selected below via the drop-down selection field. User clicks OK to close the instructions window.

Off - Instructions are not shown.

A title for the instructions window.

The instructions displayed to the user.

A frequency indicating when instructions are to be displayed:

• Show every time

• Show once a day

• Show once a week

• Show once a month

On - Includes an image with the illustrating how to select a program to "Run as administrator".

Off - No image is shown with instructions.

On - Admin privileges are removed for all users except those appearing in the Excluded accounts list..

Off - Admin privileges are not removed for users configured locally as administrators.

The account name(s) to retain local admin privileges. Multiple accounts must be specified on separate lines. Domain accounts must be prefixed with domain and backslash.

On - The logged-in user is in the sudoers file and can run sudo commands.

Off - The user cannot run sudo commands, even though they are in the sudoers file.

On - The logged-in user is not in the sudoers file, but can run sudo commands.

Off - The user cannot run sudo commands.

On -The logged-in user can start a sudo interactive session.

Off - The user cannot start a sudo interactive session.

On - This endpoint allows users to login as root, or the logged-in user can su (switch user) to root.

Off - The endpoint does not allow root logins.

On - This endpoint allows users to login as root, and also allows the logged-in user to change the root password.

Off - The endpoint allows root logins, but the root password cannot be changed.

Run As Admin application pre-approval - Pre-approve this application for Run As Admin.

Run As Admin location pre-approval (all files in folder tree) - Pre-approve all applications in the specified folder, including any sub-folders.

Selecting this option enables the Directory field and hides all other fields.

Prevent users from bypassing pre-approval by file renaming.

File must be located in read-only directory - The recommended method. File must be in a read-only location. You only need to know the name and location and you are not bound to a specific file version.

File must match checksum - A checksum of a specific file version. If the file is updated, the checksum no longer matches and a new one must be collected.

No protection (not recommended) - Not recommended for anything except testing. The file can be located anywhere and is a file renaming vulnerability, in case a user is aware of (or can guess) the file name.

A read-only location where the application to be added is stored.

If the directory entered is not on the local machine, a UNC path can be used. The endpoint software will automatically translate drive letters to UNC path.

The name of the application. Mandatory, although used for convenience only to help identify applications in the list.

Enter file name.

Note that adding the app via the Auditlog will auto-populate this field.

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Block file from running as administrator - Block this application for Run As Admin.

Block location from running as admin (all files in folder tree) - Block all applications in the specified folder, including any sub-folders.

Selecting this option enables the Directory field and hides all fields except the optional fields.

Condition applies only when a file is blocked.

No condition (block always) - The default (and recommended) method.

Block if located in directory - File must be located in this folder or directory to be blocked.

Block if matching checksum - A checksum of a specific file version. If the file is updated, the checksum no longer matches and a new one must be collected.

File must be located in this directory or a sub-folder.

A read-only location where the application is stored. Can include the following environment variables:

• %PROGRAMFILES%

• %WINDIR%

• %USERPROFILE%

• %APPDATA%

If the directory entered is not on the local machine, a UNC path can be used. The endpoint software will automatically translate drive letters to UNC path.

The name of the application. Mandatory, although used for convenience only to help identify applications in the list.

The file name of the app to be blocked.

Note that blocking the app via the Auditlog will auto-populate this field.

A checksum of a specific file version.

A message that appears as a rejection to the user, when the application is attempted to be executed.

Optional comments that IT admins might wish to add about the blocked application.

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Approved email - Loads a template that advises the user (i.e. requester) that the request for access has been approved.

Denied email - Loads a template that advises the request for access has been denied without giving a reason.

Denied with reason - Loads a template that advises the request for access has been denied and provides the reason.

Administrator notify - Loads a template that advises the administrator (i.e. person who approves or denies) that a request for access is waiting for attention.

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Refer to Email Domain for more information on configuring an email address to be used as the sender for all user notifications.

Text that will appear in the subject line of emails.

Loads the default Email template for the option selected.

NOTE:

• Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

• Using this button will overwrite any customization you might have done in the Template body.

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE:

This is optional, but you cannot add an email sender field of e.g. "tom@mydomain.com" unless  you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).

The body of the email to be sent.

Includes three views:

• Design: WYSIWYG view of content. Enter and format body text here.

• HTML: The same content in HTML format. Can also be edited if necessary and changes will be reflected in Design and Preview.

• Preview: What the recipient sees. Read only - switch to Design view to make changes.

Dynamic content tags

Tags can be used in the body, which are place holders in curly braces. These are replaced with actual request values when emails are sent.

The following tags are available:

• {UserFullName} Name of requesting user

• {UserEmail} Email address of requesting user

• {UserPhone} Phone number of requesting user

• {UserReason} Reason the requesting user gave

• {DenyReason} Admin's reason for denial (only used for denial with reason)

• {ComputerName} Name of requesting computer

• {AdminUserName} Name of administrator receiving notification (only for admin notify)

The email address to which emails intended for your ticket system will be sent.

For example: itsupport@mycompany.com

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Text that will appear in the subject line of emails.

Loads the default Email template for the option selected.

NOTE:

• Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

• Using this button will overwrite any customization you might have done in the Template body.

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE:

This is optional, but you cannot add an email sender field of e.g. "tom@mydomain.com" unless  you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).