All FAQ

Introduction

All frequently asked questions about Admin By Request in one place.

In these lists, the most recent frequently asked questions are at the top.

Endpoint

Windows
Mac
Linux

Why am I getting a UAC popup instead of an ABR one?

On ABR for Windows Workstation, the most common causes of unexpected UAC prompts are the following:

Running an EXE directly from a browser download prompt.
Outside of Tray Tools, trying to modify settings that are classed as "Advanced System Settings".
Running an installer in user mode that subsequently triggers another MSI or EXE requiring elevated privileges.
Modifying an item that exists on the Public Desktop (e.g. a shortcut).
Using File Explorer to copy a file to a location that requires elevated privileges.

In addition to these, membership of the following groups is also known to cause problems in some instances:

Power Users
Network Configuration Operators
Group Policy Creator

As a rule, Admin By Request users who are administrators (i.e., red icon) typically do not receive ABR-style pop-ups when executing tasks that require elevated privileges. This is because the ABR client does not interfere if the logged-on user is an administrator - it simply defers to the Windows UAC pop-up. However, Admin By Request will still log everything that is done with elevated privileges.

Refer to User Account Control for more information.

Is Admin By Request compatible with Windows 11 24H2?

Yes, Admin By Request is compatible with all build versions of Windows 11, including 24H2.

What are all the ways to uninstall a Windows client?

For Windows, you can uninstall a single endpoint or multiple endpoints at once:

Single endpoint uninstall
- Using a PIN Code
- Via the msi installation file
Multiple endpoints uninstall
- Using msiexec
- Using PsExec
- Using a PowerShell script

Refer to Uninstalling Admin By Request for more information.

How do I allow users to change their local time zone?

It is possible to allow users to change their local time zone on Windows computers by adding a tray tool for the Control Panel app timedate.cpl.

The tray tool menu item can then be made available to users who would otherwise be "blocked by policy".

In the portal, go to Endpoint Privilege Management > Settings > Windows Settings > App Control > TRAY TOOLS and click New Tray Tool.
In the Tray Tools panel, add the item using the following data:
Click Save. The new tray tool is now available:

Can I allow any app within a specific folder to Run As Admin?

Yes, all apps in a folder can be authorized to Run As Admin. In the Portal, select Settings > Windows Settings and then App Control from the left menu. Click New entry and in field Type, select Run As Admin location pre-approval (all files in folder tree):

Enter the Directory name (following the instructions in red) and click Save.

This is also available under Linux Settings (version 3.0), but not for Mac Settings (version 4.1), although you can pre-approve all apps from a specify Vendor under Mac Settings.

How do I uninstall Windows clients using PsExec?

Uninstall via Path:

Copy

psexec -s -e -h -u DOMAIN\user -p password \\REMOTECOMPUTERNAME msiexec /x "\\path\to\ABR\MSI\Admin By Request x.x.x (xxxxx) Workstation.msi (file://path/to/ABR/MSI/Admin%20By%20Request%20x.x.x%20(xxxxx)%20Workstation.msi)" /qn

Uninstall via MSI-code:

Copy

psexec -s -e -h -u DOMAIN\user -p password \\REMOTECOMPUTERNAME msiexec /x {MSI-PRODUCT-CODE} /passive

Uninstall via Endpoint Name:

Copy

psexec -s -e -h -u DOMAIN\user -p password \\REMOTECOMPUTERNAME wmic product where "name like 'admin by request%%'" call uninstall

How do I install Windows clients via Intune?

To install Windows clients via Intune:

Before adding the application to Intune, create a package in the .intunewin format using the Microsoft Win32 Content Prep Tool.
Run the tool (IntuneWinAppUtil.exe) at a Windows command line, entering data as shown:

This creates an Admin By Request package file that can be used by Intune.
Go to Intune and open Apps > Windows and click Add:
Select Windows app (Win32) and click Select.
Choose the Admin By Request package file created in step 2 and click OK:
In the (1) App information window, enter Publisher and App Version if not already given:
In the (2) Program window, enter change the Uninstall command to:
powershell.exe -command "Get-Package -Name 'Admin By Request Workstation' | Uninstall-Package -AllVersions -Force"
In the (3) Requirements window:
1. For Operating system architecture, select both 32-bit and 64-bit:
2. For Minimum operating system, select Windows 10 1607:
In the (4) Detection rules window, for Rules format, select Manually configure detection rules and click + Add::
In the Detection rule window, change the Path to C:\Program Files (x86)\FastTrack Software\Admin By Request:
Continue with the Intune package process, accepting the defaults for all remaining prompts/questions.

Troubleshooting Windows Tray Tool in v8.3

The tray tools for Network Adapter Settings and Uninstall Program were developed in an effort to allow access to these via the Admin By Request approval flow.

The intention is for these to replace the previous iteration of these tools for the most common purposes, whereas more advanced functionality still requires elevating the Control Panel.

Two issues were identified and resolved regarding the tray tool for network adapter settings in version 8.3:

Some network adapters were showing up as inactive even though they were not.
Switching from automatic to manual IP configuration was not setting the gateway correctly – causing an exception when re-opening the applet.

In addition, changes were made to mimic the native behavior of the basic network adapter settings more closely.

These resolutions are available in all production releases from version 8.3.1.

NOTE

Version 8.3.1 fixes only inconsistent or unintended behavior with the tray tool for Network Adapter Settings - the Uninstall Program applet is unchanged.

Is Azure Virtual Desktop supported?

ABR is supported on Azure Virtual Desktop for Windows 10 and Windows 11.

How does ABR handle Windows Subsystem for Linux (WSL)?

Windows Subsystem for Linux (WSL) can be used with ABR installed on the endpoint and ABR handles this as it does other applications.

Do you still support Windows 7?

Not officially.

Any use of operating systems not supported by the manufacturer is at your own risk.

Admin By Request version 7.4 is the last version to officially support Windows 7 (Pro and Enterprise only). If you need to use this version, login to the portal and visit our Download Archive.

While newer versions of Admin By Request should still function on the Windows 7 operating system, they are not tested for compatibility, so we cannot guarantee stability.

If you experience issues with Admin By Request on Windows 7, we would likely still perform basic troubleshooting, but may be unable to resolve problems specific to the operating system.

If stability of the client is important, you should disable Auto Update on Windows 7 devices, and subsequently manually test new versions before wider implementation. Disable Auto Update in the portal at Endpoint Privilege Management > Settings > Windows Settings > Endpoint > AUTO-UPDATE.

To prevent select devices from auto updating, a registry key needs to be set that overrules the global auto update setting:

HKEY_LOCAL_MACHINE\Software\FastTrack Software\Admin By Request\Policies

The Policies key does not exist by default, so this may have to be created first.

In the Policies key, create a REG_DWORD named InternetUpdate, and set its value to either 0 (disabled) or 1 (enabled).

Note that a local administrator account is required to create/modify the registry for Admin By Request.

Windows Settings: Red-check vs Green-check

Please refer to Windows Settings: Red-check vs Green-check.

Why is the tray icon for ABR red rather than green?

If the logged-in user is a member of certain "exempt" Active Directory groups, Admin By Request places the user in the workstation's Local Administrators Group, indicating this with a red/orange tray icon. You can see what the icon looks like in About Admin By Request.

As well as Local Administrators, groups that trigger this action include Domain Administrators and any group that is assigned either the Global Administrator or Azure AD Joined Device Local Administrator role.

To make sure the logged-in user does not automatically get elevated privileges (and thus has a green tray icon upon login), check that the user is not a member of any exempt Active Directory groups.

Refer to The Windows Client User Interface for more information.

Why can my standard users install some apps, but not others?

The reason is that not every app requires elevated privileges to install. For applications that don't need Administrator privileges, Admin By Request will not deploy.

Admin By Request works by removing Administrator from the user's profile, and then acting as a "middle man" UAC (on windows) to provide momentary Administrator access.

Can I use PowerShell to query ABR?

PowerShell can be used to submit queries to the Admin By Request API for a range of data. Refer to Using PowerShell to Query ABR for step-by-step instructions.

Where are Settings described?

Settings are covered in the Portal section:

How does an Admin Session work on Windows?

A standard user making this selection where approval is required initiates the following sequence of events.

An empty Request Administrator Access form appears:
The user enters email, phone and reason information into the form and clicks OK.
NOTE
Settings in the portal control the full extent of what is displayed to the user:
- If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).
- If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).
The request is submitted to the IT administration team and the user is advised accordingly:
The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

The following example shows how two new requests might appear in the portal:
One of the team either approves or denies the request. If approved, the user is advised accordingly:
The user clicks Yes, which starts the session and displays a countdown timer:
The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

How do I pre-approve an already-installed app on Windows?

Admin By Request allows for quick pre-approval of trusted applications from the Auditlog. Pre-Approval is based on the application vendor or checksum, visible when the Application Control screen is displayed (step 3 below).

NOTE

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.
Expand on the application entry, and select Pre-approve this file under Actions:
On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.
Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

What happens to the local admin group after installation?

During installation, if the computer is in a domain, Domain Users will be removed from the local administrator’s group right away. That is all that happens initially.

When a user then logs on, the user will be removed from the local administrator’s group unless:

You have unchecked “Revoke admins rights” in the portal settings
The user is in the list of excluded accounts in the portal settings
The user is member of a group that is the local administrator’s group (such as domain admins)

The reason all users are not just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally remove any service accounts. Please refer to the Windows client technical details page for more information.

How can I prevent users from tampering?

The users and groups administration will be removed entirely from Computer Management during an administrator session.

Even if the user still manages to tamper the local administrator’s group, the administrator’s group is snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrator’s group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper policy keys, these are also snapshotted and restored after sessions.

Please refer to the Windows client technical details page for more information.

Can we keep some domain users as local administrators?

You can keep some domain users as local administrators.

Domain groups (except Domain Users) are not removed from the local administrator’s group. This means that if a domain user logs on and is member of a domain group that is in the local administrator’s group (for example a Help Desk domain group) the user is always local administrator. In this case the tray icon is red and hovering it, you can see the tool tip saying “You are logged on as administrator”. You can also specify specific user accounts to exclude in the portal settings.

To change this setting in the portal, go to Endpoint Privilege Management > Settings > Windows Settings > Lockdown > ADMIN RIGHTS, or refer to Admin Rights tab for more information.

How do I get started on Windows?

Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.

For more information, please refer to Getting Started in our Documentation Center.

How do I download and install the Windows client?

To download and install the Admin By Request Windows endpoint client:

If you haven't already, login to the Admin By Requestportal.
In the portal, click the Download menu link to download the Windows endpoint client and store the .msi file in a suitable location:
Double-click the .msi file to start the installation and click Install when prompted:

NOTE
You might be prompted for administrator credentials, depending on the endpoint's UAC configuration.

When the installation completes, the Admin By Request icon appears in the system tray in the bottom right corner of the screen. The icon is red if you are logged-on as an Administrator and green if you are logged-on as a Standard User. Refer to The Windows Client User Interface for a description of the differences.

Click the icon to show details about the client or to start an Admin Session:

Depending on installation preferences, Admin By Request shortcut icons may also be placed on the desktop:

Installation is now complete.

Why are my Macs not auto-updating?

If your Macs are not auto-updating to the latest version of Admin By Request, check the currently installed version on your endpoints. There was an auto-update problem with macOS version 3.2.1 - any Macs running that version of ABR will need to be manually updated.

The problem has been fixed in later versions of Admin By Request (macOS client).

Auto-Update deployment

Admin By Request software updates are deployed using our Auto-Update process. However, when we release a new version we do not deploy it right away to all customers via auto-update. This is simply to mitigate any unforeseen issues.

Admin By Request software updates to Linux endpoints are delivered via the distribution package update process. Please note that, when we release a new version, we do not make it immediately available to the update process. This is simply to mitigate any unforeseen issues.

Our rule-of-thumb for a new release is to activate auto-updatemake it available within 4 - 8 weeks of release, but this is subject to change, depending on feedback and any potential issues that might arise.

Contact us if you wish to receive the latest version right now. You can also raise a support ticket requesting the latest update.

You can also visit the Download Archive for previous versions of Admin By Request.

How do I pre-approve an already-installed app on the Mac?

NOTE

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.
Expand on the application entry, and select Pre-approve this file under Actions:
On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.
Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

Pre-Approval is not working for some Mac applications

Some Mac applications (e.g. Grammarly and Spotify) require wide-ranging permissions to install properly and can only be successfully installed via an Admin Session. Further, these applications almost always require the same wide-ranging permissions when they auto-upgrade, meaning that another Admin Session must be started before upgrading the app.

This is simply due to the nature of how processes work on the macOS operating system. When attempting to run an installation or upgrade via Run As Admin, a pop-up window prompting for admin credentials will be triggered by the OS whenever a separate executable that handles access to another area of the file system is invoked. At the time of writing, the only way around this is to carry out the installation or upgrade via an Admin Session.

Where do I find client errors on the Mac?

You can find the error log under /var/log/adminbyrequest.log.

How do I uninstall on a Mac?

On a Mac, while logged-in as an Admin user, run the uninstall program /Library/adminbyrequest/uninstall.

NOTE The uninstall program cannot be run during a normal (i.e. Standard user) Admin By Request admin session.

Refer to Uninstalling Admin By Request for more information.

How do I get started on macOS?

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

For more information, please refer to Getting Started in our Documentation Center.

Can I run a package by dragging it to the dock?

On a Mac, some packages (i.e. .app files) can be executed under Run As Admin by dragging them over the Admin By Request icon in the dock. However, Full Disk Access (FDA) must be enabled first.

To enable FDA, refer to Enable Full Disk Access (FDA).

For any .app file, initiate Run As Admin by dragging and dropping the application file over the Admin By Request Dock icon. At the account control pop-up, enter credentials and hit OK to run the installer as an administrator. Note that this works only for .app files; it does not work for .pkg files.

Why is Admin By Request on my Mac not working, although installation appears successful?

Immediately after installation of the ABR endpoint client, FDA must be checked to make sure that Admin By Request is enabled to fully protect Mac endpoints.

NOTE

Admin By Request must be installed prior to enabling FDA, so that its apps and extensions appear in the list of apps available under Full Disk Access.

Refer to Enable Full Disk Access (FDA) for more information on enabling FDA.

What is "Last Admin Check"?

If you log on to a Mac that is not joined to Active Directory and expect the user account to be downgraded from Admin to User, but it doesn’t happen and the icon appears red in the toolbar, you are most likely hitting the “Last Admin Check”.

You can confirm this by clicking the red icon. The intention of this check is to make sure you always have a service account. If you don’t have at least one admin account, you cannot change, modify or delete user accounts on the computer and you can never uninstall Admin By Request.

If you use the “Revoke admins rights” option in the portal to revoke user rights, all user accounts will be downgraded from Admin to User, when they log on. In the portal settings, you can specify user accounts that are excluded. These would typically be service accounts for a Help Desk or similar. If no excluded accounts are specified and the machine is not joined to Active Directory, the revoke will not be executed for the last administrator and it falls under the “Last Admin Check”.

NOTE

Last Admin Check is no longer used - please refer to Portal Administration for Mac for more information.

How do I make a Mac user the device owner?

To make a Mac user the device owner:

In the portal, go to the Inventory top menu and locate the device.
Click either the computer name (in column Computer) or the Details link (in column Details) to show information for the device.
Select the left menu option Owner.
Click button Make Owner:

How do I enable FDA (Full Disk Access)?

Following installation of the macOS 5.0 endpoint client, there are two apps that need full disk access:

adminbyrequest - The main app for enabling Admin By Request endpoint client features, including the ability to drag a file over the ABR icon in the dock to elevate privileges.
Admin By Request System Extension - The extension app enables a range of functionality, but the main feature for macOS 5.0 is the ability to install an app by dragging its icon over the Applications folder. This app requires macOS 11+.

Immediately after installation of the ABR endpoint client, FDA must be checked to make sure that Admin By Request is enabled to fully protect Mac endpoints.

NOTE

Admin By Request must be installed prior to enabling FDA, so that its apps and extensions appear in the list of apps available under Full Disk Access.

The following procedures describe three ways to enable FDA:

These procedures are not sequential - pick one or a combination of all three, depending on your requirements.

On the Mac - FDA
The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on Apple Macs running:
macOS 10.15 (Catalina), macOS 11 (Big Sur) and macOS 12 (Monterey)
On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

Select both adminbyrequest and Admin By Request System Extension in the list of apps (i.e. ensure the boxes are checked):

Lock the tab to save changes and close the System Preferences window.
macOS 13 (Ventura), macOS 14 (Sonoma) and macOS 15 (Sequoia)
On your Mac device, navigate to System Settings > Privacy & Security tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

Select both adminbyrequest and Admin By Request System Extension in the list of apps (i.e. ensure the toggles are on):

Close the System Settings window.
Using Jamf - FDA
Admin By Request provides a set of configuration files to assist with configuration in Jamf. Download the set here and visit Creating and Uploading PLIST or .mobileconfig File for instructions on deployment.

Alternatively, follow the procedure below if you wish to build your own Jamf Configuration Profiles to manage Mac endpoints:
1. In Jamf, go to Computers > Configuration Profiles.
2. Create a new profile and configure it as follows:
  1. Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR - PPPC.
  2. Category, select Applications.
  3. Distribution Method, select Install Automatically.
  4. Level, select Computer Level.
3. Navigate from the General tab to the Privacy Preferences Policy Control tab:
  1. Identifier, enter /Library/adminbyrequest/adminbyrequest.
  2. Identifier Type, select Path.
  3. For Code Requirement, enter the following line of code:
    
    Copy
    identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
    
    IMPORTANT
    The code snippet is all one line. Use the Copy button in the top right corner of the code box to copy the code to the clipboard.
  4. Under App or Service, select SystemPolicyAllFiles and under Access, select Allow:
    
    Under App or Service, select Accessibility and under Access, select Allow.
  5. Save the profile.
4. Deploy and use this profile to enable FDA for all your macOS endpoints.
Using Intune - FDA
Similar to Jamf, Intune uses Configuration Profiles to manage Mac endpoints:
1. In Intune, under Configuration Profiles, select Create Profile.
2. Enter the following details into the Create a Profile form:
  - Platform: macOS
  - Profile type: Templates
  - Template name: ABR – FDA
3. Click Create.
4. Under Device restrictions, go to Configuration settings.
5. Select Privacy preferences and click Add:
6. In the Edit Row form, enter the following:
  - Name: ABR – FDA
  - Identifier type: Path
  - Identifier: /Library/adminbyrequest/adminbyrequest
  - For Code Requirement, enter the following line of code:
    
    Copy
    identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
    
    IMPORTANT
    The code snippet is all one line. Use the Copy button in the top right corner of the code box to copy the code to the clipboard.
7. Finally, select Allow in field Full disk access:

How do I download and install the Mac client?

To download and install the Admin By Request macOS endpoint client:

If you haven't already, login to the Admin By Requestportal.
In the portal, click the Download menu link to download the Mac endpoint client and store the file in a suitable location:
Double-click the downloaded package to begin the installation.

The package runs a check to determine if Admin By Request can be installed:
Continue with the installation, providing Administrator credentials if necessary:
If using system extension and prompted with System Extension Blocked, click Open System Settings and allow system software from Admin By Request:
When done, close the installer and (optionally) move the installer package to the bin:

Installation is now complete. The next step is to ensure that Full Disk Access (FDA) is enabled for Admin By Request.

How does an Admin Session work on a Mac?

A standard user making this selection where approval is required initiates the following sequence of events.

A prompt asks “Do you want to start an administrator session?”. The user clicks Yes to continue:
An empty Request Administrator Access form appears:
The user enters email, phone and reason information into the form and clicks OK.
NOTE
Settings in the portal control the full extent of what is displayed to the user:
- If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).
- If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).
The request is submitted to the IT administration team and the user is advised accordingly:
The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

The following example shows how two new requests might appear in the portal:
One of the team either approves or denies the request. If approved, the user is advised accordingly:
The user clicks Yes, which starts the session and displays a countdown timer:
The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

Why are fonts distorted for the Linux GUI?

On the Linux client, screen resolution scaling can make a difference to how fonts appear in the Admin By Request GUI. If the font appears distorted, large, compressed or with overlapping lines (or is simply unreadable), check the UI scaling percentage (Settings > Displays > Scale). If the value is greater than 100%, fonts in the GUI panels can appear distorted:

This will be fixed in a future release of the Linux client. Until then, the workaround is to reduce scaling to 100%. Note that functionality is unchanged - the client will still work as intended.

How does an Admn Session work on Linux?

A standard user making this selection where approval is required initiates the following sequence of events.

An empty Request Administrator Access form appears:
The user enters email, phone and reason information into the form and clicks OK.
NOTE
Settings in the portal control the full extent of what is displayed to the user:
- If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).
- If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).
The request is submitted to the IT administration team and the user is advised accordingly:
The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

The following example shows how two new requests might appear in the portal:
One of the team either approves or denies the request. If approved, the user is advised accordingly:
The user clicks Yes, which starts the session and displays a countdown timer:
The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

How do I get started on Linux?

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

For more information, please refer to Getting Started in our Documentation Center.

Are there any prerequisites for the Linux CLI?

The Linux command line interface requires the following:

The CLI commands are designed for the command line. If run inside a graphical interface's terminal window, certain commands will defer to the GUI version.
Using the CLI requires Admin By Request for Linux version 3.1.9 or greater.

Refer to Prerequisites for more information.

What is the process for uninstalling ABR on a Linux machine?

Use the following process to uninstall Linux from an endpoint. Note that you must know the root password for the endpoint:

Shutdown and reboot the computer.
Do one of the following:
- If your computer boots using BIOS, press and hold down the Shift key while GRUB is loading.
- If your computer boots using UEFI, press the Escape key (Esc) while GRUB is loading.
- As you’re booting the computer, wait for the manufacturer logo to flash from the BIOS. If your computer boots too quickly, you’re going to need to do this immediately after powering it on. Quickly press the Escape key.
The timing has to be near perfect on some computers, so you may have to press the key repeatedly. If you miss the window, reboot and try again.
At the GRUB boot menu. you’ll see an entry for “Advanced Options ...”. Select it and press Enter.
Choose the most recent recovery mode option and press Enter.
If a menu similar to that shown below appears, choose the option that gets you to a shell prompt:
At the Password: prompt, enter the root password..
Now you can uninstall Admin By Request for Linux by executing the following command:

apt -y purge abr-* && apt -y autoremove

Why is the Linux app not installing on Ubuntu (and there are no error messages)?

The most likely reason the Linux client fails to install is because the system has broken dependencies from earlier failed installations.

The first thing the Admin By Request Linux installer script does is run update + upgrade, to make sure the system is fully (and successfully) up-to-date. If anything fails during that process, then ABR will not install correctly. Check the system logs and resolve any outstanding failed installations before continuing with ABR install.

Is sudo supported on both Mac and Linux endpoints?

sudo is supported on both Mac and Linux endpoints - this is controlled in the portal.

To enable sudo support for macOS, go to Endpoint Privilege Management > Settings > Mac Settings > Lockdown > ADMIN SESSION and make sure Allow sudo terminal commands is ON.

To enable sudo support for Linux, go to Endpoint Privilege Management > Settings > Linux Settings > Lockdown > SUDO and make sure Allow sudo terminal commands is ON. You can then further control non-sudoers and sudo interactive sessions.

What's happened to Applications in Linux Global Settings?

The portal has recently undergone some changes and reorganization. What was Applications is now known as App Control and is found at Settings > Linux Settings > App Control, as indicated in the screenshot:

From here, you can PRE-APPROVE or BLOCK applications by clicking New entry and providing the relevant details.

Why is the Linux client so small (only ~14Kb downloaded)?

The Linux installation file is a script made in Python. It's a text file - you can open it with Window's Notepad to see its content.

Due to the name of the file ending with ".0", Windows sees this file as a ".0" file type, contra a Linux file system, which simply sees it as a normal data file.

How do I download and install the Linux client?

To download and install the Admin By Request Linux endpoint client:

If you haven't already, login to the Admin By Requestportal.
In the portal, click the Download menu link to download the Linux endpoint client and store the file in a suitable location:
If you haven’t already, start a terminal session and make sure the file is executable:
Copy
```
chmod +x 'abr-installer'
```
Run the installation script:
Copy
```
sudo ./'abr-installer'
```
When the installation completes, the Admin By Request icon appears in the top right corner of the screen. Click the icon to show details about the client or start an Admin Session.

Installation is now complete.

Portal

Settings
Remote Access
Connectivity

Can I end a user's admin session remotely?

A user's Admin Session runs until it expires, or until the user ends it locally via the Finish button. Sessions cannot be ended remotely.

Can the 60-day device inactivity cleanup be modified?

The 60-day device inactivity period cannot be modified, but, for licensed users, you can delete endpoints manually through the Inventory or with the Inventory API and this way make the period shorter.

Unlicensed (i.e. free plan) users must wait for 60 days before licenses are released.

IMPORTANT

If the device comes back online with ABR still installed, it will reappear in the inventory and the 60-day inactivity period will reset.

How often does the inventory for group membership sync/refresh?

The inventory refreshes every four hours when the endpoint is online.

How do I find all the occurrences of PIN Code use?

To find all occurrences of PIN code use, use the Reports menu:

In the portal, go to Reports > Endpoint Reports > Events.
Make sure you're on tab ALL EVENTS, then click the filter icon on column Event.
Expand the box width if necessary and scroll until you find PIN code entries.

PIN Code entries have event names such as:
- Admin Session PIN 2 issued
- Admin Session PIN code used
- Application block PIN 2 issued
Select the required event - only matching events will now appear in the list.

Once the list is filtered, the browser window shrinks to show only the matching events. To view the full list of events again, click the filter icon once more and choose (All) at the very top of the filter list.

What is the retention policy for audit log caching?

You can set the Auditlog retention policy in Settings > Tenant Settings > Retention > DATA RETENTION. The range is from three months to five years and the standard period (i.e. the default) is one year.

What is AI Approval?

AI Approval allows our AI scoring system to auto-approve trivial Run As Admin requests for common applications.

At the time of writing, our app database comprises more than 12 million known applications. Each of these is scored by our AI engine in real-time based on popularity, reputation and trends. If, for example, the App score is enabled at 20, it means that any request is auto-approved if the App score is 20 or above.

Refer to AI Approval for more information.

Where's the PDF for the AI Approval article?

Technical Note - AI Approval

Where are privacy settings now?

Data Privacy Settings have moved to Tenant Settings (Settings > Tenant Settings > Privacy > PRIVACY).

Refer to Data Privacy for more information.

How do I change configuration for an existing SSO/SCIM user?

By design, SCIM-provisioned users cannot be edited once they have been created.

SCIM-provisioned users can only authenticate using Office 365 or OKTA, as these are the only two currently supported methods for SCIM. With that in mind, best practice is to decide which authentication method to use during SCIM setup as this cannot be changed later.

A later product version may allow additional authentication methods for SCIM-provisioned users (e.g. ADFS). At present, if portal users need to use ADFS, their accounts need to be created manually.

Can my users have accounts that are different to their email addresses?

Users can have email addresses that are different from their user accounts. This is to prevent the error message that can occur when requests for elevation are approved: "Single Sign-on Error: Email addresses do not match".

To configure this in the portal:

Go to Settings > Workstation Settings > Windows Settings and select the Endpoint left menu.
Select the UAC tab and the Multi-factor Authentication option:
Set Email match to Off and click Save.

Why is the logo not showing?

For best results, you should add the logo in the portal before turning on Use logo file and before downloading or otherwise deploying the msi installation file. Doing so makes sure your logo is included correctly.

Refer to Branding tab under Windows Settings for more information.

In the portal, what are "product views"?

A "product view" is the information displayed in the portal for that product.

The portal customizes the information displayed depending on the product selected. The information available for display across all menus (Summary, Auditlog, Requests, Inventory etc.) is called the "view" for that product:

The menu selection Endpoint Privilege Management shows the product view for managing local admin rights on your endpoint clients.
The menu selection Secure Remote Access shows the product view for managing your endpoints that can be remotely accessed.

How do I change my password in the portal?

To change your password in the portal, click the User Account drop-down in the header on any page.

Refer to Header parts for more information.

When do clients sync with the portal?

By default, endpoint clients synchronize with the portal approximately every four hours. If an immediate sync is needed on a particular client, you can achieve this by opening Admin By Request from the tray tool (Windows) or menu bar (macOS and Linux) and selecting About Admin By Request.

At the same time, you should verify that connectivity is OK by clicking the Connectivity button.

Refer to Synchronizing Clients with the Portal for more information, or if you are having problems with synchronization.

Can I setup sub-administrators to see only parts of the data?

Yes. You can set a scope for portal logins to only see and approve part of the data based on the end user or computers groups or Organizational Units.

For example, an administrator in a region could be set up to only see and approve requests and data from computers in his/her own scope, assuming for example that all computers are in a specific Organizational Unit.

Refer to Logins for more information.

Can I add more IT people to approve requests and see the auditlog?

Yes. In the portal, you can create additional logins for more people. You can also define which roles they have, such as read-only view, whether or not they can edit settings, access to the audit log and if the person is allowed to approve requests.

In the portal, go to Logins > User Logins > New user.

Refer to Logins for more information.

How do I pre-approve an app using the Auditlog?

NOTE

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.
Expand on the application entry, and select Pre-approve this file under Actions:
On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.
Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

How do I turn off everything except logging?

IMPORTANT

Turning off everything effectively means giving users back their local admin rights. Think about this carefully before doing it.

To turn off everything except logging actions to the Auditlog, you need to:

Authorization: turn On Allow Run As Admin and turn Off all other toggles
Authorization: turn On Allow Admin Sessions and turn Off all other toggles.
Authorization: make the Access time (minutes) a large number that covers most of the day. For example, 480 minutes (8 hours).
Lockdown: turn Off Revoke admin rights.

For more information, refer to Authorization tab under Windows Settings.

You can also check out the WHIZ usage persona for a 10-minute video on how to accommodate developers or power users.

Do I need to approve each time a user wants admin access?

You do not need to approve each time a user wants admin access. You can use a setting after sign-in to allow elevation without approval. In this case, you still get the benefits of auditing; who elevated, when, and an auditlog of installed software and executed applications.

In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Code of Conduct message/screen that will appear just before the session starts. The Code of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.

Change this setting in the portal at Settings > [OS] Settings > Authorization > AUTHORIZATION.

Can I force clients to sync with the portal?

At the same time, you should verify that connectivity is OK by clicking the Connectivity button.

Refer to Synchronizing Clients with the Portal for more information, or if you are having problems with synchronization.

Can I add my company logo (if so, where)?

You can add your company logo to both the portal and the dialog boxes that users see on their endpoints. The setting is in the portal at Endpoint Privilege Management > Settings > Windows Settings > Endpoint > BRANDING.

Refer to Branding tab under Windows Settings for more information.

Are other customers typically using auto-approval mode?

Yes.

The most typical pattern we see for new customers is that they start with approval required. Then after an initial period, when the psychological effects on end users are clear and there is reassurance end users do not violate rules, they shift to auto-approval mode combined with reason requirement and Code of Conduct screen.

This is the point where the whole administrator access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.

Code of Conduct screen

Change this setting in the portal at Settings > [OS] Settings > Authorization > AUTHORIZATION.

What if I want a manager IT to approve some requests?

You can set a scope for portal logins to only see part of the data based on the end users or computers groups and/or Organizational Units.

For example, sales managers can be set up to only see users and computers in sales. They will then only get approval requests from their own staff. You can also set up a manager to not have approval ability, but only the ability to see the auditlog for his/her own staff.

How would I setup an external auditor?

You can create a portal user account that can see only the auditlog and, optionally, the inventory. No other data will be visible.

I'm an MSP – how can I give my customer a limited view?

To give a user a limited view within the portal, you simply create a user account that cannot approve requests. This way, your customer can see the data you choose without the ability to approve requests.

If you have on-premise remote gateways configured, you can also remove access to the portal entirely by limiting user access to those computers accessible via the relevant gateway. This is controlled in the admin portal under setting Logins > User Logins, EDIT or New user, tab ACCOUNT, heading Rights, field Limit to access.work.

NOTE

If you don't see field Limit to access.work, you have not yet configured an on-premise gateway.

How can I stop devices from taking up Remote Access licenses?

Clicking the drill-down link opens an inventory-style list of all devices accessible via this gateway. Devices can be entered manually or they can be discovered.

Devices can be ACTIVE or INACTIVE and are displayed in the corresponding tab:

ACTIVE: able to be connected to via Unattended Access and consume a license.
INACTIVE: are not able to be connected via Unattended Access and do not consume a license.

Use the Disable/Enable links to make a device active/inactive respectively.

Use the Search button to search for devices in large lists and the Export buttons to export data in the format shown.

Refer to Devices (n) for more information.

What is Remote Support?

Remote Support is part of the Secure Remote Access product by Admin By Request, that allows you to share screens and remotely control devices inside of your Admin By Request inventory, while using all of the well-known features of the Admin By Request ecosystem, such as: inventory, auditlog, settings and sub-settings, approval flows etc.

Remote Support allows either end users or IT admins to initiate a secure, just-in-time, remote support session – allowing them to share and control the end-user's device – and tear everything down once the session is done – eliminating any access points for bad actors.

This document covers getting started with Product Enrollment and Remote Support. It also describes key settings that can be administered from the portal.

Refer to Remote Support Overview for more information.

How does Remote Support work?

Remote Support is based on the same gateway concept as the Unattended Access gateway, which is also part of the Admin By RequestSecure Remote Access product. It allows a just-in-time setup between the gateway and the endpoint by establishing a secure Cloudflare tunnel.

Once the tunnel is established, a just-in-time server session is created on the endpoint – allowing for screen sharing and remote control via the browser.

Once the session is terminated or expires, the tunnel and the server session are terminated, leaving the endpoint in the same state as before the remote support session.

The setup is fully cloud-based and does not require any on-premise setup besides what’s mentioned in the prerequisites:

Refer to How does Remote Support work? for more information.

What is a "self-hosted implementation"?

A self-hosted implementation means that you run Unattended Access on-premise inside your own infrastructure, including the ability to run Docker containers. To establish a secure tunnel, your infrastructure must also allow outbound connections to Cloudflare.

Refer to How do I setup a Self-hosted Implementation? for more information.

What is a "managed service"?

A managed service is a way of operating Unattended Access so that your infrastructure allows an outbound connection to establish a secure tunnel from your respective endpoints and that these have the Admin By Request endpoint client installed.

Refer to How do I setup a Managed Service? for more information.

How do I remotely access a computer?

Before trying to remotely access a device, make sure all setup has been done and the gateway to your device is "live". Refer to Getting Started with Unattended Access for more information on prerequisites and setting up gateways.

To remotely access a device:

In order to allow Admin By Request to connect to your endpoints, they need to allow traffic on the following ports:

RDP - 3389
SSH - 22
VNC - 5900 and 5901

From the portal, head over to your Inventory and make sure you're in the Secure Remote Access view. Select an endpoint with the Admin By Request client installed:
Click the Remote link for this endpoint, enter User name and Password and click Connect:

After a few seconds, the connection appears directly in your browser.

Where is the CLOUD tab?

The CLOUD tab becomes visible only when an on-premise gateway is created. If no on-premise gateway has been created, the CLOUD tab is not available and Unattended Access uses the managed service option, which is enabled by default and requires no configuration.

Creating an on-premise gateway means the cloud gateway must be disabled (see How do I setup a Self-hosted Implementation?), which is why the CLOUD tab becomes visible when a gateway is created.

What is Vendor Access?

Vendor Access, also known as access.work (https://access.work), is a feature of Secure Remote Access that allows users to connect to devices through their browsers without needing access to the Admin By Request Portal.

Refer to Using Vendor Access for more information.

How do I enable Unattended Access?

Via the portal:

To enable Unattended Access, log in to the Admin By Request portal and head over to Secure Remote Access > Settings > Unattended Access Settings.
Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access is turned On:

Refer to Getting Started with Unattended Access for more information.

How do I get started with Unattended Access?

Getting started with Unattended Access is simply a matter of enabling it in the portal:

To enable Unattended Access, log in to the Admin By Request portal and head over to Secure Remote Access > Settings > Unattended Access Settings.
Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access is turned On:

For more information, refer to Getting Started with Unattended Access.

What is Unattended Access?

Unattended Access is a feature of Secure Remote Access that allows you to connect remotely to your servers and network endpoints directly from your browser, using a lot of the well-known Admin By Request features like: inventory, auditlog, settings and sub-settings, approval flows, integrations etc.

The implementation of Unattended Access can use either a "Cloud" or an "On-premise" gateway, eliminating the need for VPN and jump servers, while still maintaining a secure and segregated setup.

Refer to Unattended Access Overview for more information.

What is Product Enrollment?

Product enrollment is the mechanism of determining which Admin By Request licenses – and hence product capabilities – should be available to specific endpoints.

Refer to Product Enrollment for more information.

How does "Test Drive" work?

The Test Drive mode allows a portal user to cherry pick which devices are enrolled with the selected product. This can either be done by specifying a computer group scope or by manually picking devices.

Refer to Product Enrollment (Test Drive) for more information.

What are the new data centers?

As of May 2025, Admin By Request has added two new data centers. They are:

London, UK
Frankfurt, Germany

Data Center location

Your data is stored in a data center that is located in one of the geographic locations listed below. These are in Europe, the USA and the UK.

To determine your data location, go to page Tenant Settings > Retention in the portal and note the geographic location shown in field Data Location. It will be one of the following:

EU West (Netherlands) (Europe - Netherlands)
Virginia, United States (USA)
London, United Kingdom (UK)
Frankfurt, Germany (Europe - Germany)

Data Center URL

To determine your data center, go to page Tenant Settings > API Keys in the portal and check which API prefix is shown under About API Keys. The data center (which is also the API prefix) will be one of the following:

https://dc1api.adminbyrequest.com (Europe - Netherlands)
https://dc2api.adminbyrequest.com (USA)
https://dc3api.adminbyrequest.com (UK)
https://dc4api.adminbyrequest.com (Europe - Germany)

Make a note of your prefix - among other things, this is the domain used when an API Key is created.

You can also see your API prefix on the API web pages (e.g. Public API > Auditlog API). However, a small script runs in the background that determines to which data center you are attached, so JavaScript must be enabled in your browser for this to work.

How do I determine which Data Center I'm connected to?

Data Center location

Your data is stored in a data center that is located in one of the geographic locations listed below. These are in Europe, the USA and the UK.

To determine your data location, go to page Tenant Settings > Retention in the portal and note the geographic location shown in field Data Location. It will be one of the following:

EU West (Netherlands) (Europe - Netherlands)
Virginia, United States (USA)
London, United Kingdom (UK)
Frankfurt, Germany (Europe - Germany)

Data Center URL

https://dc1api.adminbyrequest.com (Europe - Netherlands)
https://dc2api.adminbyrequest.com (USA)
https://dc3api.adminbyrequest.com (UK)
https://dc4api.adminbyrequest.com (Europe - Germany)

Make a note of your prefix - among other things, this is the domain used when an API Key is created.

Cloud Gateways

If you are using Secure Remote Access, you need to allow your browsers access to the following cloud gateways:

cloudgatewayeu1.accessbyrequest.com (Europe - Netherlands)
cloudgatewayus1.accessbyrequest.com (USA)
cloudgatewayuk1.accessbyrequest.com (UK)
cloudgatewaygermany1.accessbyrequest.com (Europe - Germany)

They are called over WSS (Websockets Secure) on port 443 from the browser.

Further, if you wish to remotely access endpoints using Unattended Access and Remote Support:

Outbound MQTT broker connectivity via Websockets- port 443 for the following:
- If your data is located in Europe (Netherlands):
  Ten nodes (FastTrackHubEU1.azure-devices.net to FastTrackHubEU10.azure-devices.net)
- If your data is located in the USA:
  Ten nodes (FastTrackHubUS1.azure-devices.net to FastTrackHubUS10.azure-devices.net)
- If your data is located in the UK:
  Ten nodes (FastTrackHubUK1.azure-devices.net to FastTrackHubUK10.azure-devices.net)
- If your data is located in Europe (Germany):
  Ten nodes (FastTrackHubGermany1.azure-devices.net to FastTrackHubGermany10.azure-devices.net)
For Unattended Access, RDP needs to be enabled on port 3389 on the device

What IP addresses should we allow in our proxy and firewalls?

IP addresses and API URLs

Admin By Request uses port 443 and the IP addresses and API URLs that need access through firewalls are as follows.

If your data is located in Europe (Netherlands):

IP: 104.45.17.196
DNS: api1.adminbyrequest.com
DNS: macapi1.adminbyrequest.com
DNS: linuxapi1.adminbyrequest.com

If your data is located in the USA:

IP: 137.117.73.20
DNS: api2.adminbyrequest.com
DNS: macapi2.adminbyrequest.com
DNS: linuxapi2.adminbyrequest.com

If your data is located in the UK:

IP: 85.210.211.164
DNS: api3.adminbyrequest.com
DNS: macapi3.adminbyrequest.com
DNS: linuxapi3.adminbyrequest.com

If your data is located in Europe (Germany):

IP: 9.141.94.162
DNS: api4.adminbyrequest.com
DNS: macapi4.adminbyrequest.com
DNS: linuxapi4.adminbyrequest.com

You can also use api.adminbyrequest.com, but the regional URLs will likely be more responsive.

Cloud Gateways

If you are using Secure Remote Access, you need to allow your browsers access to the following cloud gateways:

cloudgatewayeu1.accessbyrequest.com (Europe - Netherlands)
cloudgatewayus1.accessbyrequest.com (USA)
cloudgatewayuk1.accessbyrequest.com (UK)
cloudgatewaygermany1.accessbyrequest.com (Europe - Germany)

They are called over WSS (Websockets Secure) on port 443 from the browser.

Further, if you wish to remotely access endpoints using Unattended Access and Remote Support:

Outbound MQTT broker connectivity via Websockets- port 443 for the following:
- If your data is located in Europe (Netherlands):
  Ten nodes (FastTrackHubEU1.azure-devices.net to FastTrackHubEU10.azure-devices.net)
- If your data is located in the USA:
  Ten nodes (FastTrackHubUS1.azure-devices.net to FastTrackHubUS10.azure-devices.net)
- If your data is located in the UK:
  Ten nodes (FastTrackHubUK1.azure-devices.net to FastTrackHubUK10.azure-devices.net)
- If your data is located in Europe (Germany):
  Ten nodes (FastTrackHubGermany1.azure-devices.net to FastTrackHubGermany10.azure-devices.net)
For Unattended Access, RDP needs to be enabled on port 3389 on the device

What are the supported versions of the ServiceNow integration?

Admin By Request supports ServiceNow up to and including Yokohama (Q2 2025).

Troubleshooting ServiceNow integration

Failure to Establish API Connection:

The following steps can sometimes fix an API problem even if the key appears fine:
1. Regenerate the API Key in your Admin By Request portal and ensure you have clicked the Save button (the green tick icon appears upon successful save).
2. Replace the API Key in the ServiceNow Properties page and click Save. Ensure the “Properties Saved” message appears at the top of the page.
No Auditlog or Request Data coming through:
- Ensure the Flow has been configured correctly (task C in the ServiceNow Integration). In ServiceNow, go to the Flow Designer, locate the Admin By Request Flow, and ensure all three are Active. Check that the Trigger is set to a reasonably short interval (e.g., two hours).
- Ensure there is data in your Admin By Request portal to be pulled through to ServiceNow. If no data exists in Admin By Request, create some test data by making and consuming a request on the endpoint.
Unable to Access ServiceNow Features:

Ensure the account you are signed-in to ServiceNow has the appropriate administrative permissions enabled to access the features required for this integration. (Admin access is required for tasks A through D. in the ServiceNow Integration).

What is "InternalServerError" with the ABR Sentinel API?

In Microsoft Sentinel, "InternalServerError" can be caused by trying to refer to the wrong data center when using an API key:

https://dc1api.adminbyrequest.com (Europe - Netherlands)
https://dc2api.adminbyrequest.com (USA)
https://dc3api.adminbyrequest.com (UK)
https://dc4api.adminbyrequest.com (Europe - Germany)

Make a note of your prefix - among other things, this is the domain used when an API Key is created.

When setting-up MS Sentinel configuration, if a different domain is used in the JSON code, it can result in an "InternalServerError" error when the API key is used.

To modify the JSON code, refer to .

Can I modify the Audit list?

Yes. Refer to ServiceNow Troubleshooting for detailed steps.

Troubleshooting Teams integration

The integration is not asking for an API key:

If you are not asked for an API Key during setup of the Teams integration, it could be due to lack of permissions.

Use the Teams Admin Center to manage permissions and make sure that third-party apps are allowed:
Check that the Teams webhook is working normally:

In the portal, go to Endpoint Privilege Management >Settings > Integrations > Teams and make sure the entry under Teams Apps is Functional:

Where is the JSON code for Sentinel integration?

There are two "sets" of JSON code for integrating Admin By Request with Microsoft Sentinel:

Entered Azure AD data is incorrect

If this error occurs when configuring an Entra ID Connector for a tenant, it is most likely because the Secret ID has been input rather than the Value:

The Value is able to be read immediately after creation, after which it is hidden and would need to be created anew to copy. Make sure you enter the data in the Value field and not the Secret ID.

How long after the release of a new version will it roll out to my devices?

Contact us if you wish to receive the latest version right now. You can also raise a support ticket requesting the latest update.

You can also visit the Download Archive for previous versions of Admin By Request.

Is there an updated PDF for Jira integration?

Yes - please refer to the Jira Integration guide. This document includes all the online material in PDF form.

Troubleshooting Jira integration

If your Jira integration is not working, check the following:

Custom fields are created (see Overview) and a custom Request Type is created (see Overview). In particular, make sure the Request form tab is selected when adding your custom fields and the Description field is also added.
The integration with ABR completes successfully (see Overview). Make sure you use the correct email address as your Jira username and you have at least one service desk instance available.
If you plan to extend the integration with Jira automation rules, don't forget the Jira audit log that is available with each rule (see Overview).

How do I deploy using Intune?

Refer to Multiple endpoints - via Intune package for more information on Intune deployment.

Troubleshooting requests denied due to company policy

If your users are receiving messages like "request denied due to company policy", check the following:

Device Owner - in the portal, check Settings > [OS] Settings > Lockdown > OWNER. Only the owner of the endpoint is able to use Run As Administrator or start an Administrator Session.

The device owner is first non-administrator that logs on to the endpoint. You can change the owner in the inventory.
macOS version - make sure your Mac endpoints are running the latest version of Admin By Request. There was a problem identified in versions prior to 4.2.1 where certain scenarios caused "request denied" messages to users.
Admin rights - in the portal, check the following under Settings > [OS] Settings > Lockdown:
- ADMIN RIGHTS - If On, make sure accounts to be excluded are entered.
- RUN AS ADMIN - Deny elevating system files prevents the user from starting any file from the System32 directory with administrative privileges, such as cmd.exe or regedit.exe. You can define exceptions under Settings > [OS] Settings > > App Control -> PRE-APPROVE.
- ADMIN SESSION - The same as for RUN AS ADMIN.

Is an Internet connection required?

This may be surprising, but no. The client is only required to have an occasional internet connection (like a guest WIFI anywhere). The reason is, clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator temporarily and will queue the data locally and log what has been done, including date & time, installed applications, exe files run as administrator and so on.

Once the client has an internet connection again, it will flush the queue to the cloud service and all data is uploaded. This means that the client works exactly the same whether online or offline. The only difference is the time the reporting data becomes available in the cloud service.

Does it work with Entra ID / Azure AD joined machines?

Yes.

Refer to Entra ID tab for details on how to setup the Entra ID Connector and Integrations > Single Sign-On (SSO) for details on setting up SSO.

Why are notification emails not being sent?

The most likely cause is an incorrect email address, either from misspelling or inadvertent entry of extra characters that are not visible. This is particularly true if notifications have been configured for the ABR mobile app and they are being sent correctly, but notifications via email are not.

Remove the email address and re-enter it, then try the operation again.

Does it work without a domain?

Yes

How can you possibly know where my computers are?

When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data. The expected accuracy is at a city level.

Should I be concerned about internet bandwidth consumption?

Do not be concerned about Internet bandwidth consumption. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and, if the connection is bad, we don’t want to consume bandwidth.

Inventory data is collected intelligently, so only delta data is collected. If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client to the cloud service is minimal. If you take a random client and divide the traffic from typical use for a month, divide by days, we are talking about 5K of data per day. Or said in another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.

What if approval is required and the user is offline?

In this case, the client cannot allow the elevation and you cannot see an approval request. The client will intelligently determine it is indeed offline (i.e. has no Internet access) and, on the approval screen, a note will automatically appear telling the user that elevation can happen only if the user either seeks an internet connection or, if not possible, contact IT and get a daily PIN code. The PIN code is a code the client and server know without having communication. The PIN code will appear in the left menu on computer details in the inventory if you enable approval mode.

General

Licensing
Security

What happens if my subscription expires?

Typically, when an Admin By Request tenant no longer has any paid licenses, it will fall back to become a Free Plan tenant. This means only 25 workstation licenses, along with 10 server licenses, will become available for use.

The implications of this are:

Only 25 endpoints will be visible under Endpoint Privilege Management
Only 10 servers will be visible under Endpoint Privilege Management
Only 25 endpoints will be available for remote access under Secure Remote Access
You will not be able to manually delete registered devices from your inventory list.
Access to Technical Support is removed (you no longer have the option of submitting a Support ticket from the portal)

Note that you can still contact Sales personnel via the chat function of the adminbyrequest.com website
The priority of the auto-update feature is lowered for your tenant

For the 25 available licenses on the devices where the ABR client is installed, both end users and portal administrators would be able to continue as normal; request an elevation, approve requests and so on.

What's the catch with the free plan?

There is no catch with the free plan. You can freely use the full EPM product in your production environment on up to 25 workstations and 10 servers in your organization. Further, you can remotely access up to 25 workstations using the Secure Remote Access product.

NOTE

You can have a Free Plan and/or a Paid Plan, but not a combination of both. This means that, if you want 35 licenses, you don't get the first 25 licenses for free and only pay for the remaining 10 - if you have a Paid Plan, you must pay for all licenses under that plan. However, you can have a Free Plan as well as a Paid Plan. This can be useful for testing purposes and is a common setup for customers.

For more information, refer to Licensing.

How do I recover licenses?

Licenses are automatically removed after 60 days for inactive endpoints. If you don't want to wait that long, there are several other ways:

You can uninstall ABR from an endpoint - the license is instantly recovered.
You can find the endpoint in the Inventory and use either the Delete menu (at left) or the DELETE tab to remove the computer.
There is a bulk delete capability available using API calls, described here: https://www.adminbyrequest.com/en/docs/inventory-api. A video is available showing how bulk delete can be done in Postman: https://www.dropbox.com/s/nsoyi0crma63y4i/Multi-Inventory-ID-Delete.m4v?dl=0.

For more information, refer to Licensing.

For Frequently Asked Questions about licensing, refer to All FAQ (Licensing).

How do I get started?

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

For more information, please refer to Getting Started in our Documentation Center.

How can I try before buying?

From the Admin By Request home page, click Download the Free Plan to start on a free plan. You can use the free plan for proof of concept without using trial-ware. If you need more licenses for proof of concept, please contact us.

How does Admin By Request pricing work?

Under the Free Plan, 25 workstation and 10 remote access clients are always free - you can start with those right now. For a Paid Plan, it depends how many clients you need and which types they are (i.e. server or workstation). Please use the quote form here and we will return a quote today.

For more information, refer to Licensing.

How do I upgrade to a paid plan?

Please use the quote form here and we will return a quote today. If you purchase a paid plan, we will upgrade your free plan to a paid one on-the-fly without you having to do anything.

What does the paid plan cost?

NOTE

For more information, refer to Licensing.

How many licenses do I need?

The number of licenses you need depends on how many endpoints you wish to manage at your organization. Please use the quote form here and we will return a quote today.

Do I need two different licenses for Windows and Mac?

No.

You buy a number of Workstation licenses and these can freely be mixed between Windows, Mac and Linux. In other words, you need one license for each installed endpoint.

For more information, refer to Licensing.

Is the mobile app free?

The mobile app is free - find it in the Apple App or Google Play stores.

What are the minimum requirements for the mobile app?

The iPhone app works on iOS 10.0+. Android version works on version 4.4+ (KitKat).

How can I get a demo?

Visit web page Book a Demo, fill out and submit the form, and we will get back to you asap. We can usually schedule a demo next business day.

How do I get in touch with an account manager?

When you request a free plan, you will get an email from us that you can respond to, asking any questions you might have.

If you did not receive an email, please use our contact details page (Contact Sales) to send us a message, and we will contact you.

How is data transferred to the cloud service?

This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.

For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

Who can see devices in my tenant?

The only people who can see devices in your tenant are the primary login that was first used to register with Admin By Request and the users listed in the portal under Logins > User Logins.

The installer file downloaded from the portal is unique to your tenant. Depending on the target operating system, it can be an executable file, a package or a script and it is signed with a license that applies only to installers downloaded from the tenant in which you are currently logged-in. The same license file is applied to each of the operating system client installers: Windows, macOS, Linux and Server.

This is true for free plans as well as paid plans.

When installed on an endpoint, once the endpoint connects successfully, you will see in real time the status of the endpoint in your Inventory, which is also unique to your tenant. You will not see other endpoints installed with files downloaded from other tenants - this is simply not possible.

Which IP addresses are endpoints communicating with?

Admin By Request uses port 443 and the IP addresses and API URLs that need access through firewalls are as follows.

If your data is located in Europe (Netherlands):

IP: 104.45.17.196
DNS: api1.adminbyrequest.com
DNS: macapi1.adminbyrequest.com
DNS: linuxapi1.adminbyrequest.com

If your data is located in the USA:

IP: 137.117.73.20
DNS: api2.adminbyrequest.com
DNS: macapi2.adminbyrequest.com
DNS: linuxapi2.adminbyrequest.com

If your data is located in the UK:

IP: 85.210.211.164
DNS: api3.adminbyrequest.com
DNS: macapi3.adminbyrequest.com
DNS: linuxapi3.adminbyrequest.com

If your data is located in Europe (Germany):

IP: 9.141.94.162
DNS: api4.adminbyrequest.com
DNS: macapi4.adminbyrequest.com
DNS: linuxapi4.adminbyrequest.com

You can also use api.adminbyrequest.com, but the regional URLs will likely be more responsive.

How do I let users keep full access, but log what they do?

Allowing your users to retain full access rights is equivalent to turning off all Admin By Request's protections.

IMPORTANT

Turning off everything effectively means giving users back their local admin rights. Think about this carefully before doing it.

To turn off everything except logging actions to the Auditlog, you need to:

Authorization: turn On Allow Run As Admin and turn Off all other toggles
Authorization: turn On Allow Admin Sessions and turn Off all other toggles.
Authorization: make the Access time (minutes) a large number that covers most of the day. For example, 480 minutes (8 hours).
Lockdown: turn Off Revoke admin rights.

For more information, refer to Authorization tab under Windows Settings.

You can also check out the WHIZ usage persona for a 10-minute video on how to accommodate developers or power users.

Which data is collected?

This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.

For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

How do you store the data?

This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.

For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

What regulatory frameworks do you support?

Admin By Request can help you comply with a number of regulatory frameworks, including GDPR, ISO 27001, NIST SP 800-53, DORA and NIS2. We continually assess frameworks for compatibility and use their requirements as one of the inputs to our development process.

Refer to Compliance Mapping for more information.

Are you fully GDPR compliant?

Yes. For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

Which IP addresses are used to send webhooks?

The following IP addresses are used to send webhooks:

If your data is located in Europe: 104.40.134.41 and 40.91.214.18
If your data is located in the USA: 13.90.244.80 and 40.121.45.3

Which IP addresses are used to send notification emails?

All emails are sent from noreply@fasttracksoftware.com. We use Twilio SendGrid to send emails and the dedicated IP address is: 149.72.185.15.

Can Admin By Request help with stolen computers?

Yes.

Once a stolen machine is booted and communicates with the Inventory, the public IP address of the thief’s router becomes available. The endpoint client does not require anyone to log on to a computer to upload data, so when the thief simply turns on the computer, inventory data is sent transparently. You can now see the public IP address and upload time in your client view and give this to the police. The police can then get the name and address of the IP address owner from the thief’s internet service provider (ISP).

Have you published any CVEs for Admin By Request?

Yes, we have published two CVEs in 2019. These were found by Improsec in September 2019 in the production version 6.1. We notified our customers and released version 6.2 on October 11th 2019 with fixes for these two vulnerabilities.

For more information, refer to CVE-2019-17201 and CVE-2019-17202.

NOTE

We generally have two separate companies run penetration tests before every major release. We also get copies on a monthly basis of clean reports executed secretly by customers.

I'm a Penetration Tester - how do I contact you with findings?

Please use our contact details page Get in Touch > Something Else to report your findings.

NOTE

The scope of a vulnerability has to be escalation of privileges from a non-administrator user to obtain admin rights.

What happens when I delete a computer?

All collected data associated with the computer is deleted.

NOTE

When a computer is deleted from the Inventory, make sure that its endpoint client software is removed .If the computer is subsequently powered on with a network connection, and the endpoint client is still installed, the computer will show up again and re-upload inventory data.