On - Allows users to elevate privileges for a selected file. Enables Require approval and Require reason. Disables Block Run As Admin.

Off - Denies users the ability to elevate privileges for a selected file. Enables Block Run As Admin, which is how users with admin credentials can still elevate privileges.

On - Denies users the ability to execute Run As Admin even if administrator credentials are available (i.e. no UAC window is presented).

Off - Allows users with administrator credentials to execute Run As Admin (i.e. UAC window pops-up asking for admin credentials).

On - Sends a request to the IT team, which must be approved before elevation is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to elevate file privileges (and thus perform the action) as soon as the action is selected. For example, selecting "Run as administrator" to execute a program occurs immediately, without requiring approval. Makes Require reason optional (i.e. can be either On or Off).

On - Extends the UAC window and asks the user to enter email address, phone number and reason. Reason must comprise at least two words. This information is stored in the Auditlog.

Off - No reason is required by the user, but details of the actions performed are stored in the Auditlog.

On - Allows users to effectively become a local administrator for the number of minutes specified in Access time (minutes). Enables Require approval, Require reason and Access time (minutes).

Off - Denies users the ability to become a local administrator. Hides all other options under Admin Session.

On - Sends a request to the IT team, which must be approved before the request is granted. Makes Require reason mandatory (i.e. must be On).

Off - Allows the user to become a local administrator as soon as the request is made. Makes Require reason optional (i.e. can be either On or Off).

On - Extends the UAC window and asks the user to enter email address, phone number and reason. This information is stored in the Auditlog.

Off - No further information is required by the user, but user and computer details are stored in the Auditlog.

The maximum duration in minutes an Admin Session may last. This time must be sufficient for the user to install software or perform any other tasks that require elevation.

On - Additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Standard email address format. Use a new line for each address.

A list of groups into which users are placed, with multiple groups on separate lines.

A list of groups into which computers are placed, with multiple groups on separate lines.

A list of organizational units into which users are placed, with multiple OUs on separate lines.

A list of organizational units into which computers are placed, with multiple OUs on separate lines.

On - Use the logo file selected under Logo file.

Add the file before turning this setting on.

Off - Do not use a logo file.

The name of the organization as it will appear in the portal and in Admin By Request dialog boxes on endpoints.

Use the Browse button to open an operating system File open dialog box. Locate and select a logo file.

Add a file here before turning on the Use logo file setting.

Auto-detect - The language used is the same as that used by the operating system.

Force <Language> - The language used is the one chosen from this selection list.

Auto-detect - The skin (light or dark) depends on what is currently being used by the operating system.

Light - Uses a light skin for Admin By Request dialog boxes.

Dark - Uses a dark skin for Admin By Request dialog boxes.

Follow Operating System - The skin (light or dark) depends on what is currently being used by the operating system.

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

Mandatory - Field appears in dialog boxes and must be filled-in.

Optional - Field appears in dialog boxes, but does not have to be filled-in.

Hide - Field does not appear in dialog boxes.

On - Instructions are shown to the user per the period selected below via the drop-down. User clicks OK to close the instructions window.

Off - Instructions are not shown.

A title for the instructions window.

The instructions displayed to the user.

A frequency indicating when instructions are to be displayed:

• Show every time

• Show once a day

• Show once a week

• Show once a month

On - Instructions are shown to the user per the period selected below via the drop-down selection field. User clicks OK to close the instructions window.

Off - Instructions are not shown.

A title for the instructions window.

The instructions displayed to the user.

A frequency indicating when instructions are to be displayed:

• Show every time

• Show once a day

• Show once a week

• Show once a month

On - Includes an image with the illustrating how to select a program to "Run as administrator".

Off - No image is shown with instructions.

On - An Admin By Request icon is placed on the user's desktop during installation.

Off - No icon is placed on the desktop.

The text to be used as a label for the icon. Leave this field blank to use the default text "Administrator Access".

Confirm - User must confirm with Yes or No (or via the reason screen) to perform the operation..

Multi-factor Authentication - User must validate identity using MFA through Single Sign-on. Choosing this option unhides Multi-factor Configuration (see table below).

Authenticate - User must validate with credentials, face recognition, fingerprint, smartcard or similar..

Azure AD / Office 365 - Use this as the SSO method.

-- ADD NEW METHOD -- - Create a new method. Choosing this option takes you to the portal's Single Sign-on (SSO) Setup page.

On - SSO authentication must match the email address from Active Directory or Azure AD.

Off - Email address does not need to match.

On - Admin privileges are removed for all users except those appearing in the Excluded accounts list..

Off - Admin privileges are not removed for users configured locally as administrators.

The account name(s) to retain local admin privileges. Multiple accounts must be specified on separate lines. Domain accounts must be prefixed with domain and backslash.

On - Prevent the user from starting any file from the System32 directory with administrative privileges, such as cmd.exe or regedit.exe. Define exceptions under App Control > PRE-APPROVE.

Off - Allow user to run system files with admin privileges.

On - Prevent spawning any sub-processes of system files. Requires endpoint software version 8.3+.

Off - Do not prevent spawning of sub-processes.

On - Remove the option to use a PIN code to unlock a blocked application.

Off - Allow access to the PIN Code unlock option.

On - Prevent the user from starting any file from the System32 directory with administrative privileges, such as cmd.exe or regedit.exe. Define exceptions under App Control > PRE-APPROVE.

Off - Allow user to run system files with admin privileges.

On - Prevent spawning any sub-processes of system files. Requires endpoint software version 8.3+.

Off - Do not prevent spawning of sub-processes.

On - Remove the option to use a PIN Code to unlock an admin session or unlock a blocked application. If this option is Off and admin sessions are disabled, the system tray menu item to start an admin session will be removed.

Off - Allow access to the PIN Code unlock option (unless Allow Admin Sessions is Off under Authorization > AUTHORIZATION).

On - Forcibly close any application that runs UAC-elevated at the end of the admin session. This prevents users from keeping a permanently elevated process running as administrator.

Note that long-running installations that run past the allowed admin time will also be forcibly closed. To avoid this, make sure the access time is sufficient to install software.

Off - Do not force closure of applications that run UAC-elevated.

On - Additional email notifications are sent to the email addresses listed in Email addresses.

Off - Email notifications are not sent.

Standard email address format. Use a new line for each address.

Run As Admin application pre-approval - Pre-approve this application for Run As Admin.

Run As Admin vendor pre-approval (digital certificate) - Pre-approve all applications based on the specifiedVendor digital certificate.

Selecting this option enables the Vendor field and hides all other fields.

Run As Admin location pre-approval (all files in folder tree) - Pre-approve all applications in the specified folder, including any sub-folders.

Selecting this option enables the Directory field and hides all other fields.

Force running application elevated (legacy application) - Pre-approve this application to run elevated regardless of any other conditions.

Use the Browse button to select a valid Vendor certificate file.

Prevent users from bypassing pre-approval by file renaming.

File must be located in read-only directory - The recommended method. File must be in a read-only location. You only need to know the name and location and you are not bound to a specific file version.

File must match digital certificate - Vendor digital certificate of a file. Recommended if you have a copy of the file.

File must match checksum - A checksum of a specific file version. If the file is updated, the checksum no longer matches and a new one must be collected.

No protection (not recommended) - Not recommended for anything except testing. The file can be located anywhere and is a file renaming vulnerability, in case a user is aware of (or can guess) the file name.

Program Files or subfolder - The Program Files folder, typically either C:\Program Files or C:\Program Files (x86).

Windows directory or subfolder - The Windows system folder, typically C:\Windows\System32.

Custom read-only location - Shows an additional field labeled Directory if selected.

A read-only location where the application to be added is stored. Can include the following environment variables:

• %PROGRAMFILES%

• %WINDIR%

• %USERPROFILE%

• %APPDATA%

If the directory entered is not on the local machine, a UNC path can be used. The endpoint software will automatically translate drive letters to UNC path.

The name of the application. Mandatory, although used for convenience only to help identify applications in the list.

Use the Browse button to open an operating system File open dialog box. Locate and select a file with one of the following extensions:

• exe

• msi

• msc

• cpl

Note that adding the app via the Auditlog will auto-populate this field.

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Block file from running as administrator - Block this application for Run As Admin.

Block vendor files from running as admin (digital certificate) - Block all applications based on the specifiedVendor digital certificate.

Selecting this option enables the Vendor field and hides all other fields.

Block location from running as admin (all files in folder tree) - Block all applications in the specified folder, including any sub-folders.

Selecting this option enables the Directory field and hides all fields except the optional fields.

Block always - Block this application regardless of any other conditions.

Condition applies only when a file is blocked.

No condition (block always) - The default (and recommended) method.

Block if located in directory - File must be located in this folder or directory to be blocked.

File must match digital certificate - Vendor digital certificate of a file. Recommended if you have a copy of the file.

Block if matching checksum - A checksum of a specific file version. If the file is updated, the checksum no longer matches and a new one must be collected.

Program Files or subfolder - The Program Files folder, typically either C:\Program Files or C:\Program Files (x86).

Windows directory or subfolder - The Windows system folder, typically C:\Windows\System32.

In user profile - A folder that appears in the user's profile.

Custom location - Shows an additional field labeled Directory if selected.

File must be located in this directory or a sub-folder.

A read-only location where the application is stored. Can include the following environment variables:

• %PROGRAMFILES%

• %WINDIR%

• %USERPROFILE%

• %APPDATA%

If the directory entered is not on the local machine, a UNC path can be used. The endpoint software will automatically translate drive letters to UNC path.

The name of the application. Mandatory, although used for convenience only to help identify applications in the list.

Use the Browse button to open an operating system File open dialog box. Locate and select a file with one of the following extensions:

• exe

• msi

• msc

• cpl

Note that blocking the app via the Auditlog will auto-populate this field.

A checksum of a specific file version.

A message that appears as a rejection to the user, when the application is attempted to be executed.

Optional comments that IT admins might wish to add about the blocked application.

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

On - Machine learning auto-approval is enabled.

A Run As Admin request will be automatically approved for apps that have been previously approved, provided the required number of Approvals has been met.

Off - Machine learning auto-approval is not enabled.

A "click and drag" scale that can take any value from 0 to 10.

The required number of times an application must be manually approved in order to be auto-approved in the future.

On - AI auto-approval for applications is enabled. An app will be automatically approved if it's score is higher than the value set for App score.

Off - AI auto-approval for apps is not enabled.

A "click and drag" scale that can take any value from 0 to 100.

On - AI auto-approval for vendors is enabled. An app will be automatically approved if it's score is higher than the value set for Vendor score.

Off - AI auto-approval for vendors is not enabled.

A "click and drag" scale that can take any value from 0 to 100.

The caption used for the system tray menu item. Enter the text to be used for the name or caption. Does not have to match the executable File name.

Note that any webhooks you have created appear in a selection list when you click this field. The list is for convenience only and simply "pastes" the webhook caption into the field - no other fields are populated.

The name of the executable file, including it's full path.

You can also specify a web address (i.e. URL) in this field, in which case the Run As Admin toggle should be Off for security reasons.

Text values entered here are appended to the File as parameters during execution.

On - Allows the executable file named in File to be Run As Admin (i.e. run as an administrator).

Off - Does not allow the executable file named in File to be Run As Admin. This should be the option selected if the entry in File is a web address.

On - Inserts a line above this menu item. Allows tray tool menu items to be grouped.

Off - No line is inserted.

Saves customization and changes to any fields.

Note that reloading any defaults does not take effect until Save is clicked.

Approved email - Loads a template that advises the user (i.e. requester) that the request for access has been approved.

Denied email - Loads a template that advises the request for access has been denied without giving a reason.

Denied with reason - Loads a template that advises the request for access has been denied and provides the reason.

Administrator notify - Loads a template that advises the administrator (i.e. person who approves or denies) that a request for access is waiting for attention.

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Refer to Email Domain for more information on configuring an email address to be used as the sender for all user notifications.

Text that will appear in the subject line of emails.

Loads the default Email template for the option selected.

NOTE:

• Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

• Using this button will overwrite any customization you might have done in the Template body.

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE:

This is optional, but you cannot add an email sender field of e.g. "tom@mydomain.com" unless  you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).

The body of the email to be sent.

Includes three views:

• Design: WYSIWYG view of content. Enter and format body text here.

• HTML: The same content in HTML format. Can also be edited if necessary and changes will be reflected in Design and Preview.

• Preview: What the recipient sees. Read only - switch to Design view to make changes.

Dynamic content tags

Tags can be used in the body, which are place holders in curly braces. These are replaced with actual request values when emails are sent.

The following tags are available:

• {UserFullName} Name of requesting user

• {UserEmail} Email address of requesting user

• {UserPhone} Phone number of requesting user

• {UserReason} Reason the requesting user gave

• {DenyReason} Admin's reason for denial (only used for denial with reason)

• {ComputerName} Name of requesting computer

• {AdminUserName} Name of administrator receiving notification (only for admin notify)

• {AppName} Name of Run As Admin application

The email address to which emails intended for your ticket system will be sent.

For example: itsupport@mycompany.com

The email address to be used as the sender for the email. Can be used with custom domains. Use the Email address button to set up custom domains.

Text that will appear in the subject line of emails.

Loads the default Email template for the option selected.

NOTE:

• Default email templates are created by Admin By Request. Contact us if you wish to customize a default email template.

• Using this button will overwrite any customization you might have done in the Template body.

Switches to Email Domain in Tenant Settings in the portal, allowing you to use a custom domain as the sender.

This allows sending email from domains other than @adminbyrequest.com.

NOTE:

This is optional, but you cannot add an email sender field of e.g. "tom@mydomain.com" unless  you have first set up the custom email domain "mydomain.com" via the Email Domain setting in the portal (Settings > Tenant Settings > Email Domain).