Mac Settings

Authorization

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Authorization > AUTHORIZATION

Run As Admin

Run As Admin (also known as Application Elevation) elevates privileges for only the file or application selected.

It is invoked when a user drops an application on the Admin By Request dock icon to install it or by running a .pkg file. After re-authenticating with credentials, the user is able to install the application or .pkg file without having administrator rights.

Full Disk Access must be enabled. Please refer to Mac Client - Install / Uninstallfor more information.

Setting

Type

Description

Allow Run As Admin

Toggle
On | Off

Default: On

On - Allows users to elevate privileges for a selected file. Enables Require approval and Require reason. Disables Block Run As Admin.

Off - Denies users the ability to elevate privileges for a selected file. Enables Block Run As Admin, which is how users with admin credentials can still elevate privileges.

Require approval

(hidden if Allow Run As Admin is OFF)

Toggle
On | Off

Default: Off

On - Sends a request to the IT team, which must be approved before elevation is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to elevate file privileges (and thus perform the action) as soon as the action is selected. For example, selecting "Run as administrator" to execute a program occurs immediately, without requiring approval. Makes Require reason optional (i.e. can be either On or Off).

Require reason

(hidden if Allow Run As Admin is OFF)

Toggle
On | Off

Default: Off

On - Extends the authentication window and asks the user to enter email address, phone number and reason. Reason must comprise at least two words. This information is stored in the Auditlog.

Off - No reason is required by the user, but details of the actions performed are stored in the Auditlog.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Admin Session

Admin Session (also known as User Elevation) elevates the current user's privileges across the endpoint for the duration of the session.

Invoked when the user clicks the menu bar icon to request a protected administrator session, which makes the user a temporary member of the local administrator's group for a limited period of time under full audit.


Setting

Type

Description

Allow Admin Sessions

Toggle
On | Off

Default: On

On - Allows users to effectively become a local administrator for the number of minutes specified in Access time (minutes). Enables Require approval, Require reason and Access time (minutes).

Off - Denies users the ability to become a local administrator. Hides all other options under Admin Session.

Require approval

Toggle
On | Off

Default: Off

On - Sends a request to the IT team, which must be approved before the request is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to become a local administrator as soon as the request is made. Makes Require reason optional (i.e. can be either On or Off).

Require reason

Toggle
On | Off

Default: Off

On - Extends the authentication window and asks the user to enter email address, phone number and reason. This information is stored in the Auditlog.

Off - No further information is required by the user, but user and computer details are stored in the Auditlog.

Access time (minutes)

Integer

Default: 15 (minutes)

The maximum duration in minutes an Admin Session may last. This time must be sufficient for the user to install software or perform any other tasks that require elevation.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Authorization > NOTIFICATION

Email notification to administrators is available when Require approval is checked under Authorization.

Notifications can be sent for the following scenarios:

  • Each new request for approval (Run As Admin) or admin session access (Admin Session)

  • When malware is detected (Workstation Settings > [OS] Settings > Malware)

  • When unattended remote access is requested (Unattended Access)

  • When either an end user or portal admin initiates a Remote Support session.

As with other request types, new requests for approval always appear under Requests > Pending in the Portal top menu. This is the case for both Endpoint Privilege Management and Secure Remote Access.

The Notification setting enables and configures additional email notification for new requests. If multiple email addresses are specified, they must be on separate lines.

NOTE

Phone notification is separate and happens automatically via push notifications to phones with the mobile app installed.


Setting

Type

Description

Send email notifications

Toggle
On | Off

Default: Off

On - Additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Email addresses

Text

Standard email address format. Use a new line for each address.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Authorization > SCOPE

Global scope excludes specific users and/or computers from using the endpoint software. Both Run As Admin and Admin Session are denied if the user or computer fall outside the global scope.

The user is presented with a PIN code option in case elevation is denied. The PIN code is found in the computer's inventory and can be used as an exception to the rule.

NOTE

  • Local users cannot elevate when scope is used.

  • If using Entra ID / Azure AD groups for global scope, the Entra ID / Azure AD tab must be configured.

In the portal text fields, multiple groups or OUs (Organizational Units) must be specified on separate lines. OUs can be specified as either:

  • The bottom name, e.g. Sales. Any OU named Sales will match.

  • Path from root using backslashes, e.g. \US\Florida\Sales.

  • The fully distinguished name, e.g. C=US,ST=Florida,OU=Sales.


Setting

Type

Description

User must be in group

Text

A list of groups into which users are placed, with multiple groups on separate lines.

Computer in group

Text

A list of groups into which computers are placed, with multiple groups on separate lines.

User must be in OU

Text

A list of organizational units into which users are placed, with multiple OUs on separate lines.

Computer in OU

Text

A list of organizational units into which computers are placed, with multiple OUs on separate lines.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Endpoint

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Endpoint > BRANDING

Branding puts your company name and logo on all user interfaces that users see.

IMPORTANT

Add the logo in the portal before turning on Use logo file and before downloading or otherwise deploying the installation file. Doing so makes sure your logo is included correctly.

There is no set logo size, although for best results, use a logo with the following attributes:

  • A transparent PNG file (recommended to avoid having the logo appearing in a box)

  • Less than 5 KB

  • Width: approximately 120 px

  • Height: approximately 40 px

The "Your Company Logo" example below is 1.84 KB, width 117 px, height 33 px.

Once entered in the portal, the logo appears at the top left, under "Admin By Request" as the example shows:

Your company logo also appears under "Admin By Request" in the Instructions window (Code of Conduct).

When users request an admin session, the logo replaces the "Admin By Request" logo in the top left of the Request Administrator Access window:


Setting

Type

Description

Use logo file

Toggle
On | Off

Default: On

On - Use the logo file selected under Logo file.

Add the file before turning this setting on.

Off - Do not use a logo file.

Company name

Text

The name of the organization as it will appear in the portal and in Admin By Request dialog boxes on endpoints.

Logo file

Selection
(via Browse Button)

Use the Browse button to open an operating system File open dialog box. Locate and select a logo file.

Add a file here before turning on the Use logo file setting.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Endpoint > LOOK & FEEL

Email and phone settings control the behavior of the fields in the request form.

Skin determines if user interfaces are light or dark. Active skin choice can be used as an easy way to determine if sub-settings are in effect.


Setting

Type

Description

Skin

Selection

Default: Auto-detect

Auto-detect - The skin (light or dark) depends on what is currently being used by the operating system.

Light - Uses a light skin for Admin By Request dialog boxes.

Dark - Uses a dark skin for Admin By Request dialog boxes.

Follow Operating System - The skin (light or dark) depends on what is currently being used by the operating system.

Email field

Selection

Default: Mandatory

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

Phone no field

Selection

Default: Mandatory

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Endpoint > INSTRUCTIONS

Run As Admin instructions

Instructions for Run As Admin are shown after the user invokes "Run As Administrator" and after the optional reason screen.

Instructions can be used as a Code of Conduct to inform the user of the consequences of abuse, what is logged or it could be used to show contact information for your help desk in case of problems. URLs are automatically detected and will appear as clickable links.


Setting

Type

Description

Show instructions before start

Toggle
On | Off

Default: Off

On - Instructions are shown to the user per the period selected below via the drop-down. User clicks OK to close the instructions window.

Off - Instructions are not shown.

<Three fields with no labels>

Text

Text (multiline)

Selection

 

A title for the instructions window.

The instructions displayed to the user.

A frequency indicating when instructions are to be displayed:

  • Show every time

  • Show once a day

  • Show once a week

  • Show once a month

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Admin Session instructions

Instructions for Admin Session are shown after the user invokes "Request Administrator Access" and after the optional reason screen.

Instructions can be used as a Code of Conduct to inform the user of the consequences of abuse, what is logged or could be used to show contact information for your help desk in case of problems. URLs are automatically detected and will appear as clickable links.


Setting

Type

Description

Show instructions before start

Toggle
On | Off

Default: Off

On - Instructions are shown to the user per the period selected below via the drop-down selection field. User clicks OK to close the instructions window.

Off - Instructions are not shown.

<Three fields with no labels>

Text

Text (multiline)

Selection

 

A title for the instructions window.

The instructions displayed to the user.

A frequency indicating when instructions are to be displayed:

  • Show every time

  • Show once a day

  • Show once a week

  • Show once a month

Show "Run As" graphics under text

Toggle
On | Off

Default: Off

On - Includes an image with the illustrating how to select a program to "Run as administrator".

Off - No image is shown with instructions.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Endpoint > ICON

An Admin By Request icon always appears in the menu bar. By default, an icon is also placed in the dock. This setting allows you to optionally turn the setting off, so that no icon is placed in the dock.


Setting

Type

Description

Create dock icon

Toggle
On | Off

Default: On

On - An Admin By Request icon is placed in the dock during installation.

Off - No icon is placed in the dock.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Endpoint > AUTHENTICATION

The Authentication setting allows portal administrators to specify the style of prompt that is presented when users must authenticate to elevate privileges.


Setting

Type

Description

Authentication Mode

Choice:

  • Confirm

  • Multi-factor Authentication

  • Authenticate

Default: Confirm

Confirm - User must confirm with Yes or No (or via the reason screen) to perform the operation..

Multi-factor Authentication - User must validate identity using MFA through Single Sign-on. Choosing this option unhides Multi-factor Configuration (see table below).

Authenticate - User must validate with credentials, face recognition, fingerprint, smartcard or similar..

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.
Multi-factor Configuration

Appears when Multi-factor Authentication is chosen as the Authentication Mode.

Setting

Type

Description

Sign-on method

Selection:

  • Microsoft 365 / Entra ID

  • -- ADD NEW METHOD --

Default:
Microsoft 365 / Entra ID

Microsoft 365 / Entra ID - Use this as the SSO method.

-- ADD NEW METHOD -- - Create a new method. Choosing this option takes you to the portal's Single Sign-on (SSO) Setup page.

Note the following:

  • If adding a new method, you can use any SAML-based provider.

  • If you use Office 365 / Azure AD and email match is Off, you must configure . This is to make sure only users within the same Azure tenant can authenticate.

Email match

Toggle
On | Off

Default: On

On - SSO authentication must match the email address from Active Directory or Azure AD.

Off - Email address does not need to match.

MFA on pre-approvals

Toggle
On | Off

Default: Off

On - Force multi-factor authentication on pre-approved applications.

Off - Multi-factor authentication is not required on pre-approved applications

Lockdown

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Lockdown > ADMIN RIGHTS

Revoke admin rights at logon means that all user accounts will be downgraded from an Admin role to a User role, unless the account appears in the Excluded accounts list.

Excluded accounts are not removed at logon.


Setting

Type

Description

Revoke admin rights

Toggle
On | Off

Default: Off

On - Admin privileges are removed for all users except those appearing in the Excluded accounts list..

Off - Admin privileges are not removed for users configured locally as administrators.

Excluded accounts

Text

The account name(s) to retain local admin privileges. Multiple accounts must be specified on separate lines. Domain accounts must be prefixed with domain and backslash.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Lockdown > SYSTEM SETTINGS

System Settings (also known as System Preferences in earlier macOS versions) have long been part of the macOS platform, enabling users to locally customize the look and feel of their Macs. This can lead to problems if users have admin rights, because some settings chosen by users might conflict with requirements of the organization.

The Admin By Request System Settings Lockdown feature controls access to specific system settings in macOS by enabling or disabling access to their corresponding right-hand panels. Each of seven panels can be enabled or disabled from the portal simply by setting a toggle to On or Off.


Setting

Type

Description

Users & Groups

Toggle
On | Off

Default: Off

On - Users & Groups panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Login Items

Toggle
On | Off

Default: Off

On - Login Items panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Network

Toggle
On | Off

Default: Off

On - Network panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Sharing

Toggle
On | Off

Default: On

On - Sharing panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Startup Disk

Toggle
On | Off

Default: On

On - Startup Disk panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Transfer or Reset

Toggle
On | Off

Default: On

On - Transfer or Reset panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Wi-Fi

Toggle
On | Off

Default: On

On - Wi-Fi panel is not blocked for this user and will display.

Off - Panel is blocked for this user and will not display. No changes can be made.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Lockdown > ADMIN SESSION

These settings control whether or not users are able to run sudo commands during a terminal session.


Setting

Type

Description

Deny PIN code unlock

Toggle
On | Off

Default: Off

On - Remove the option to use a PIN Code to unlock an admin session or unlock a blocked application. If this option is Off and admin sessions are disabled, the system tray menu item to start an admin session will be removed.

Off - Allow access to the PIN Code unlock option (unless Allow Admin Sessions is Off under Authorization > AUTHORIZATION).

Force sudo close at end

Toggle
On | Off

Default: On

On - Forcibly close any sudo command or interactive sudo session at the end of the admin session.

Off - Do not force closure of sudo sessions.

Allow sudo terminal commands

Toggle
On | Off

Default: Off

On - Allow user to issue sudo commands from a terminal prompt.

Off - Do not allow user to issue sudo commands.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Lockdown > OWNER

This setting determines if Support Assist is enabled or not.

Support Assist is a feature whereby another user can remotely connect to assist the currently logged-on user with tasks requiring admin rights. The assisting user can be a Help Desk person, an IT Administrator, or simply a regular user who knows what to do and has the required privilege levels.

Section Requesting Assistance (Support Assist) provides an example of how Support Assist might be used.

Support Assist is initiated by invoking the About screen in the system tray and selecting the left menu button Assistance. The Auditlog will clearly show who is requesting assistance and who is providing it.

Support Assist can also be used to completely remove admin rights for end users that are unlikely to ever need them, thus ensuring the principle of least privilege. In the exceptional case that admin rights are needed, a supporting person can perform Support Assist on behalf of the end user to perform the task.

NOTE

Leaving Support Assist ON is no more dangerous than turning it OFF, because any assisting user that connects remotely can always perform the same actions by logging on to the endpoint directly.

Support Assist lockdown settings require endpoint version 5.1 or newer.


Setting

Type

Description

Allow Support Assist

Toggle
On | Off

Default: On

On - Support Assist is enabled.

Off - Support Assist is disabled.

Force close time (minutes)

Integer

Default: 240 (minutes)

The maximum duration in minutes a Support Assist session may last. This time must be sufficient for the assisting user to install software or perform any other tasks that require elevation.

If still running, Support Assist will be forcibly closed after this time, to make sure a session is not unintentionally left on-going.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Lockdown > OWNER

Upon installation of Admin By Request on an endpoint, the first non-administrator who logs in after a 24-hour stand-down period becomes the Device Owner. The stand-down period is to avoid an incorrect user being set as the Device Owner (such as an IT Admin assisting with setup post-installation).

After the 24-hour window, the Device Owner is set, although an administrator can change the Device Owner in the inventory.

Lock device to owner means that only the owner of the endpoint will be able to use Run As Admin or start an Admin Session.


Setting

Type

Description

Lock device to owner

Toggle
On | Off

Default: Off

On - Set the owner of the endpoint to the first person logging-in after the 24-hour stand-down period. Once set, only the Device Owner will be able to use Run As Admin or start an Admin Session.

Off - Device Owner will not be set regardless of who logs in.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Lockdown > INTUNE

Device must be compliant means that the endpoint must comply with Intune requirements to be able to use Run as Admin or start an Admin Session.

NOTE

You need to configure the Entra ID Connector for this feature to work.


Setting

Type

Description

Device must be compliant

Toggle
On | Off

Default: Off

On - The endpoint must be Intune-compliant to use Run as Admin or start an Admin Session.

Off - The endpoint is not required to be Intune-compliant.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Malware

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Malware > DETECT

Admin By Request uses OPSWAT's MetaDefender for malware scanning. If a file is malicious, execution is blocked on the endpoint before it runs with administrative privileges.

When a user attempts to run a file with administrative privileges using the Run as Admin feature, the file is scanned on MetaDefender Cloud and, if flagged as malicious, the endpoint blocks the file and stops the process. An entry is added in the auditlog that the file was blocked, and which engines flagged it.

If unchecking Cloud scan unknown files but leaving Real-time detection on, only checksum look-up for the known 75% is performed and the rest must be handled by the local endpoint anti-virus product. If a file is flagged as malicious, the administrators decide what happens next, in the Action setting.

Setting

Type

Description

Real-time detection

Toggle
On | Off

Default: On

On - When a user requests Run As Admin, the checksum of the file is evaluated. If the checksum is flagged, endpoint execution is blocked.

Off - The file's checksum is not evaluated prior to execution.

Cloud scan unknown files

Toggle
On | Off

Default: On

On - Unknown files will be uploaded to the OPSWAT cloud service for multi-engine malware scanning.

Off - Unknown files will not be uploaded.

Action

Selection:

  • Quarantine

  • Permanently block

Default:
Quarantine

IT Administrators have two options:

  1. Quarantine: Send files to quarantine, allowing IT staff to look at the reported data, and assess whether this file should be allowed or not,

  2. Permanently block: Block the file by choosing “Permanently block”. In this case, the file cannot be approved to run at all.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Malware > NOTIFICATION

Email notification to administrators is available when Require approval is checked under Authorization. This setting enables additional notifications to be sent when malware is detected.

Denied or quarantined requests will always appear under "Requests" or "Detected Malware" in the Settings menu, but this setting allows you to add a real-time email notification when the request occurs.

As well as malware, notifications can be sent for the following scenarios:

  • Each new request for approval via Run As Admin or Admin Session

  • When unattended remote access is requested (Unattended Access)

  • When either an end user or portal admin initiates a Remote Support session.

As with other request types, new requests always appear under Requests > Pending in the portal main menu. This is the case for both Endpoint Privilege Management and Secure Remote Access.

NOTE

Phone notification is separate and happens automatically via push notifications to phones with the mobile app installed.


Setting

Type

Description

Send email notifications

Toggle
On | Off

Default: Off

On - When malware is detected, additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Email addresses

Text

Standard email address format. Use a new line for each address.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

App Control

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > App Control > PRE-APPROVE

Pre-approved applications are application files that are pre-approved to run Run As Admin, when approval would normally be required. The intention is to remove trivial approval flows and avoid flooding the audit log with trivial data for applications known to be good, such as Adobe Reader installs.

When an application is on the pre-aproval list, the difference is:

  • The application is auto-approved, so the approval flow is bypassed

  • A reason is not required, as the application is known to be good

  • You have the option to not log to the Auditlog (e.g. for trivial data)

  • If Run As Admin is disabled, a pre-approved application will still run

Enabled toggle

A global setting that indicates whether pre-approved applications are allowed at all (On) or not (Off).

New entry (APPLICATION tab)

Click button New entry to create a new pre-approved application.

Setting

Type

Description

Log to auditlog

(hidden if User confirmation is Off)

Toggle
On | Off

Default: Off

On - .Relevant details about the application are logged.

Off - No logging is performed for this application.

User confirmation

Toggle
On | Off

Default: On

On - The user must confirm elevation on the endpoint before the application can be run. This is the typical authentication window.

Off - The user does not need to confirm elevation on the endpoint before execution. Hides the Log to auditlog field.

Type

Selection

Default: Run As Admin application pre-approval

Run As Admin application pre-approval - Pre-approve this application for Run As Admin.

Run As Admin vendor pre-approval - Pre-approve this vendor for Run As Admin.

Selecting this option enables the Vendor field and hides all other fields.

Vendor

(enabled when Run As Admin vendor pre-approval is selected)

Text

Enter vendor name. Adding the app via the Auditlog will auto-populate this field.

Protection

Selection

Default: File must match vendor

Prevent users from bypassing pre-approval by file renaming.

File must match vendor - The application name and the file name must align with the same details provided by the vendor.

File must match checksum - A checksum of a specific file version. If the file is updated, the checksum no longer matches and a new one must be collected.

No protection (not recommended) - Not recommended for anything except testing. The file can be located anywhere and is a file renaming vulnerability, in case a user is aware of (or can guess) the file name.

Application name

Text

The name of the application. Mandatory, although used for convenience only to help identify applications in the list.

File name

Text

Enter file name.

Note that adding the app via the Auditlog will auto-populate this field.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Cancel

Button

Cancels all work done in this setting and returns to the Mac Workstation Global Settings page.


Portal menu: Endpoint Privilege Management > Settings > Mac Settings > App Control > MACHINE LEARNING

Machine Learning auto-approval can automatically approve trivial Run As Admin requests for applications you have previously approved manually.

Approvals is the number of times an application must be manually approved in order to be auto-approved in the future. You can check report Reports > Settings Reports > Machine Learning for the current counts in your tenant of manual approvals (Count column), as well as App and Vendor scores for AI auto-approval.

For example, if Approvals is 2 and the first and second users get manual approval to run application X, it will be auto-approved for all future requests. This way, you can avoid building a pre-approvals list ahead of time and simply build a list by approving requests as they come in.

Setting

Type

Description

Enabled

Toggle
On | Off

Default: On

On - Machine learning auto-approval is enabled.

A Run As Admin request will be automatically approved for apps that have been previously approved, provided the required number of Approvals has been met.

Off - Machine learning auto-approval is not enabled.

Approvals

Sliding scale

Default: 0

A "click and drag" scale that can take any value from 0 to 10.

The required number of times an application must be manually approved in order to be auto-approved in the future.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Data

Privacy has been moved to Settings > Tenant Settings > Privacy > PRIVACY in the portal. Refer to Tenant Settings for more information.

Emails

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Emails > REQUEST EMAILS

Emails go out when Require approval is turned On under . You can create your own email templates here with information specific to your company, such as a Help Desk phone number and custom instructions.

Setting

Type

Description

Email template

Selection

Default: Approved email

Approved email - Loads a template that advises the user (i.e. requester) that the request for access has been approved.

Denied email - Loads a template that advises the request for access has been denied without giving a reason.

Denied with reason - Loads a template that advises the request for access has been denied and provides the reason.

Administrator notify - Loads a template that advises the administrator (i.e. person who approves or denies) that a request for access is waiting for attention.

Email sender

Text

Default: Admin By Request Team

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Refer to Email Domain for more information on configuring an email address to be used as the sender for all user notifications.

Email subject

Text

Default: Admin By Request

Text that will appear in the subject line of emails.

Get default

Button

Loads the default Email template for the option selected.

NOTE:

  • Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

  • Using this button will overwrite any customization you might have done in the Template body.

Email address

Button

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE:

This is optional, but you cannot add an email sender field of e.g. "tom@mydomain.com" unless  you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).

Template body

Formatted text

The body of the email to be sent.

Includes three views:

  • Design: WYSIWYG view of content. Enter and format body text here.

  • HTML: The same content in HTML format. Can also be edited if necessary and changes will be reflected in Design and Preview.

  • Preview: What the recipient sees. Read only - switch to Design view to make changes.

Dynamic content tags

Tags can be used in the body, which are place holders in curly braces. These are replaced with actual request values when emails are sent.

The following tags are available:

  • {UserFullName} Name of requesting user

  • {UserEmail} Email address of requesting user

  • {UserPhone} Phone number of requesting user

  • {UserReason} Reason the requesting user gave

  • {DenyReason} Admin's reason for denial (only used for denial with reason)

  • {ComputerName} Name of requesting computer

  • {AdminUserName} Name of administrator receiving notification (only for admin notify)

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Portal menu: Endpoint Privilege Management > Settings > Mac Settings > Emails > TICKETING SYSTEM

You can set up an email notification to your ticketing system and embed the tags below for dynamic content.

Setting

Type

Description

Ticket system email

Text

The email address to which emails intended for your ticket system will be sent.

For example: itsupport@mycompany.com

Email sender

Text

Default: Admin By Request Team

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Email subject

Text

Default: Admin By Request

Text that will appear in the subject line of emails.

Get default

Button

Loads the default Email template for the option selected.

NOTE:

  • Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

  • Using this button will overwrite any customization you might have done in the Template body.

Email address

Button

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE:

This is optional, but you cannot add an email sender field of e.g. "tom@mydomain.com" unless  you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).

Template body

Formatted text

The body of the email to be sent to the ticketing system.

Includes three views:

  • Design: WYSIWYG view of content. Enter and format body text here.

  • HTML: The same content in HTML format. Can also be edited if necessary and changes will be reflected in Design and Preview.

  • Preview: What the recipient sees. Read only - switch to Design view to make changes.

Dynamic content tags

Tags can be used in the body, which are place holders in curly braces. These are replaced with actual request values when emails are sent.

The following tags are available:

  • {ID} Unique auditlog trace no

  • {APIID} ID for looking up this entry through the public Auditlog API

  • {Status} Requested, Approved, Denied, Started, Finished

  • {Type} Session, Run As Admin

  • {UserFullName} Name of the requesting user

  • {UserEmail} Email address of requesting user

  • {UserPhone} Phone number of requesting user

  • {UserReason} Reason the requesting user gave

  • {DenyReason} Admin's reason for denial

  • {ComputerName} Name of requesting computer

  • {AdminUserName} Admin approving or denying request

  • {ElevationList} Applications run as administrator

  • {InstallList} Installed programs

  • {UninstallList} Uninstalled programs

  • {AuditlogURL} URL to this entry in the auditlog

  • {RequestURL} URL to this entry in requests

Ticket ID

You can find a ticket by its ticket ID using the Search button in the Auditlog.

Voided text

If a line has one or more tags and all tags in the line are empty, the entire line is automatically removed.

Run As Admin notification events

Setting

Type

Description

User requests Run As Admin approval

Toggle
On | Off

Default: On

On - Sends a notification for User requests Run As Admin approval.

Off - Does not send a notification.

Admin approves Run As Admin request

Toggle
On | Off

Default: Off

On - Sends a notification for Admin approves Run As Admin request.

Off - Does not send a notification.

Admin denies Run As Admin request

Toggle
On | Off

Default: Off

On - Sends a notification for Admin denies Run As Admin request.

Off - Does not send a notification.

User starts Run As Admin

Toggle
On | Off

Default: Off

On - Sends a notification for User starts Run As Admin.

Off - Does not send a notification.

User finishes Run As Admin

Toggle
On | Off

Default: Off

On - Sends a notification for User finishes Run As Admin

Off - Does not send a notification.

Admin Session notification events

Setting

Type

Description

User requests Admin Session approval

Toggle
On | Off

Default: On

On - Sends a notification for User requests Admin Session approval.

Off - Does not send a notification.

Admin approves Admin Session request

Toggle
On | Off

Default: Off

On - Sends a notification for Admin approves Admin Session request.

Off - Does not send a notification.

Admin denies Admin Session request

Toggle
On | Off

Default: Off

On - Sends a notification for Admin denies Admin Session request.

Off - Does not send a notification.

User starts Admin Session

Toggle
On | Off

Default: Off

On - Sends a notification for User starts Admin Session.

Off - Does not send a notification.

User finishes Admin Session

Toggle
On | Off

Default: Off

On - Sends a notification for User finishes Admin Session

Off - Does not send a notification.

Save

Button

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.