All FAQ
Introduction
All frequently asked questions about Admin By Request in one place.
In the Endpoint and Portal lists, the most recent frequently asked questions are at the top.
Endpoint
- Windows
- Mac
- Linux
Please refer to Windows Settings: Red-check vs Green-check.
Not officially.
Admin By Request version 7.4 is the last version to officially support Windows 7 (Pro and Enterprise only). If you need to use this version, log in to the portal and visit our Download Archive.
While newer versions of Admin By Request should still function on the Windows 7 operating system, they are not tested for compatibility, so we cannot guarantee stability.
If you experience issues with Admin By Request on Windows 7, we would likely still perform basic troubleshooting, but may be unable to resolve problems specific to the operating system.
If stability of the client is important, you should disable Auto Update on Windows 7 devices, and subsequently manually test new versions before wider implementation. Disable Auto Update in the portal at Endpoint Privilege Management > Settings > Windows Settings > Endpoint > AUTO-UPDATE.
To prevent select devices from auto updating, a registry key needs to be set that overrules the global auto update setting:
HKEY_LOCAL_MACHINE\Software\FastTrack Software\Admin By Request\Policies
The Policies key does not exist by default, so this may have to be created first.
In the Policies key, create a REG_DWORD named InternetUpdate, and set its value to either 0 (disabled) or 1 (enabled).
Note that a local administrator account is required to create/modify the registry for Admin By Request.
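The per-device override described above, as an added PowerShell example (not Admin By Request's own code): it creates the Policies key if it is missing, writes InternetUpdate and reads the value back. The function name Set-AbrInternetUpdate is hypothetical; the key path and value name are the ones given on this page.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
function Set-AbrInternetUpdate {   # hypothetical name
    [CmdletBinding()]
    param(
        # $false writes 0 (auto update disabled), $true writes 1 (enabled)
        [Parameter(Mandatory)][bool]$Enabled
    )

    # Key path as given on this page
    $path = 'HKLM:\Software\FastTrack Software\Admin By Request\Policies'

    # The page states that a local administrator account is required.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: writing under HKLM requires local administrator rights.'
    }

    # The Policies key does not exist by default. Only create it when absent:
    # New-Item -Force on an existing key would wipe the values already in it.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # REG_DWORD InternetUpdate: 0 = disabled, 1 = enabled
    New-ItemProperty -LiteralPath $path -Name 'InternetUpdate' `
        -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null

    # Read back so the caller can confirm both the value and its type
    $key = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path  = $path
        Value = $key.GetValue('InternetUpdate')
        Kind  = $key.GetValueKind('InternetUpdate')
    }
}

# Pin this device: overrule the global setting and disable auto update
Set-AbrInternetUpdate -Enabled $false
```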
For Windows, you can uninstall a single endpoint or multiple endpoints at once:
- Single endpoint uninstall
  - Using a PIN Code
  - Via the msi installation file
- Multiple endpoints uninstall
  - Using msiexec
  - Using PsExec
  - Using a PowerShell script
Refer to Uninstalling Admin By Request for more information.
The new tray tools for Network Adapter Settings and Uninstall Program from version 8.3 were developed in an effort to allow access to these via the Admin By Request approval flow. The intention is for these to replace the previous iteration of these tools for the most common purposes, whereas more advanced functionality still requires elevating the Control Panel.
Two issues have been identified and resolved regarding the new tray tool for network adapter settings in 8.3:
- Some network adapters were showing up as inactive even though they were not.
- Switching from automatic to manual IP configuration was not setting the gateway correctly – causing an exception when re-opening the applet.
In addition, changes have been made to mimic the native behavior of the basic network adapter settings more closely.
These resolutions are available in our most recent production release version 8.3.1. This is the version currently available on the main download page.
This version fixes only inconsistent or unintended behavior with the tray tool for Network Adapter Settings - the Uninstall Program applet is unchanged.
It is possible to allow users to change their local time zone on Windows computers by adding a tray tool for the Control Panel app timedate.cpl.
The tray tool menu item can then be made available to users who would otherwise be "blocked by policy".
Yes, all apps in a folder can be authorized to Run As Admin. In the Portal, select Settings > Windows Settings and then App Control from the left menu. Click New entry and in field Type, select Run As Admin location pre-approval (all files in folder tree):
Enter the Directory name (following the instructions in red) and click Save.
This is also available under Linux Settings (version 3.0), but not for Mac Settings (version 4.1), although you can pre-approve all apps from a specific Vendor under Mac Settings.
To install Windows clients via Intune:
- Before adding the application to Intune, create a package in the .intunewin format using the Microsoft Win32 Content Prep Tool.
- Select Windows app (Win32) and click Select.
- Continue with the Intune package process, accepting the defaults for all remaining prompts/questions.
If the logged-in user is a member of certain "exempt" Active Directory groups, Admin By Request places the user in the workstation's Local Administrators Group, indicating this with a red/orange tray icon. You can see what the icon looks like in About Admin By Request.
As well as Local Administrators, groups that trigger this action include Domain Administrators and any group that is assigned either the Global Administrator or Azure AD Joined Device Local Administrator role.
To make sure the logged-in user does not automatically get elevated privileges (and thus has a green tray icon upon login), check that the user is not a member of any exempt Active Directory groups.
Refer to The Windows Client User Interface for more information.
The reason is that not every app requires elevated privileges to install. For applications that don't need Administrator privileges, Admin By Request will not deploy.
Admin By Request works by removing Administrator from the user's profile, and then acting as a "middle man" UAC (on Windows) to provide momentary Administrator access.
Settings are covered in the Portal section:
A standard user making this selection where approval is required initiates the following sequence of events.
- The user enters email, phone and reason information into the form and clicks OK.
  NOTE: Settings in the portal control the full extent of what is displayed to the user:
  - If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).
  - If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).
- The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.
- The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.
Admin By Request allows for quick pre-approval of trusted applications from the Auditlog. Pre-Approval is based on the application vendor or checksum, visible when the Application Control screen is displayed (step 3 below).
At the time of writing, this functionality is not available for Linux clients.
Once an application has been installed on an endpoint with Admin By Request:
- Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.
- On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.
- Click Save and verify that the app has been added to the list of pre-approved applications.
During installation, if the computer is in a domain, Domain Users will be removed from the local administrator’s group right away. That is all that happens initially.
When a user then logs on, the user will be removed from the local administrator’s group unless:
- You have unchecked “Revoke admins rights” in the portal settings
- The user is in the list of excluded accounts in the portal settings
- The user is a member of a group that is in the local administrator’s group (such as domain admins)
The reason all users are not just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally remove any service accounts. Please refer to the Windows client technical details page for more information.
The users and groups administration will be removed entirely from Computer Management during an administrator session.
Even if the user still manages to tamper with the local administrator’s group, the administrator’s group is snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrator’s group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper with policy keys, these are also snapshotted and restored after sessions.
Please refer to the Windows client technical details page for more information.
You can keep some domain users as local administrators.
Domain groups (except Domain Users) are not removed from the local administrator’s group. This means that if a domain user logs on and is a member of a domain group that is in the local administrator’s group (for example a Help Desk domain group), the user is always local administrator. In this case the tray icon is red and, when you hover over it, the tool tip says “You are logged on as administrator”. You can also specify specific user accounts to exclude in the portal settings.
To change this setting in the portal, go to Endpoint Privilege Management > Settings > Windows Settings > Lockdown > ADMIN RIGHTS, or refer to Admin Rights tab for more information.
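To see in advance which accounts will keep standing admin rights under the rules above, this added example (not Admin By Request's own code) lists the local Administrators group and annotates each entry. The function name Get-AbrLocalAdminReview is hypothetical, and the annotations only restate what this page says; RID 513 is the well-known Domain Users group.

```powershell
# Added example, not vendor code. Requires the Microsoft.PowerShell.LocalAccounts
# module (Windows PowerShell 5.1 and later).
function Get-AbrLocalAdminReview {   # hypothetical name
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        $sid = $_.SID.Value

        # Assumption: ObjectClass reads 'User' / 'Group' as on English-language Windows.
        $note = if ($_.ObjectClass -eq 'Group' -and $sid -match '-513$') {
            # Domain Users always has relative ID 513
            'Domain Users: removed from the group at install on domain-joined computers'
        } elseif ($_.ObjectClass -eq 'Group') {
            'Group: not removed; every member stays local administrator (red tray icon)'
        } else {
            'User: removed at logon unless excluded in the portal or revoke is unchecked'
        }

        [pscustomobject]@{
            Name   = $_.Name
            Class  = $_.ObjectClass
            Source = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            SID    = $sid
            Note   = $note
        }
    }
}

# Review the entries marked "Group": these are the standing-admin paths
# that remain after Admin By Request is installed.
Get-AbrLocalAdminReview | Sort-Object Class, Name | Format-Table -AutoSize -Wrap
```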
Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.
Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.
After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.
For more information, please refer to Getting Started in our Documentation Center.
To download and install the Admin By Request Windows endpoint client:
- Download the Windows endpoint client from https://account.adminbyrequest.com/ABRDownload and store the .msi file in a suitable location.
- NOTE: You might be prompted for administrator credentials depending on the endpoint's UAC configuration.
- Click the icon to show details about the client or to start an Admin Session:
Depending on installation preferences, Admin By Request shortcut icons may also be placed on the desktop:
When the installation completes, the Admin By Request icon appears in the system tray in the bottom right corner of the screen. The icon is red if you are logged-on as an Administrator and green if you are logged-on as a Standard User. Refer to The Windows Client User Interface for a description of the differences.
Installation is now complete.
Some Mac applications (e.g. Grammarly and Spotify) require wide-ranging permissions to install properly and can only be successfully installed via an Admin Session. Further, these applications almost always require the same wide-ranging permissions when they auto-upgrade, meaning that another Admin Session must be started before upgrading the app.
This is simply due to the nature of how processes work on the macOS operating system. When attempting to run an installation or upgrade via Run As Admin, a pop-up window prompting for admin credentials will be triggered by the OS whenever a separate executable that handles access to another area of the file system is invoked. At the time of writing, the only way around this is to carry out the installation or upgrade via an Admin Session.
You can find the error log under /var/log/adminbyrequest.log.
On a Mac, while logged-in as an Admin user, run the uninstall program /Library/adminbyrequest/uninstall.
Refer to Uninstalling Admin By Request for more information.
On a Mac, some packages (i.e. .app files) can be executed under Run As Admin by dragging them over the Admin By Request icon in the dock. However, Full Disk Access (FDA) must be enabled first.
To enable FDA, refer to Enable Full Disk Access (FDA).
For any .app file, initiate Run As Admin by dragging and dropping the application file over the Admin By Request Dock icon. At the account control pop-up, enter credentials and hit OK to run the installer as an administrator. Note that this works only for .app files; it does not work for .pkg files.
Immediately after installation of the ABR endpoint client, FDA must be checked to make sure that Admin By Request is enabled to fully protect Mac endpoints.
Admin By Request must be installed prior to enabling FDA, so that its apps and extensions appear in the list of apps available under Full Disk Access.
Refer to Enable Full Disk Access (FDA) for more information on enabling FDA.
If you log on to a Mac that is not joined to Active Directory and expect the user account to be downgraded from Admin to User, but it doesn’t happen and the icon appears red in the toolbar, you are most likely hitting the “Last Admin Check”.
You can confirm this by clicking the red icon. The intention of this check is to make sure you always have a service account. If you don’t have at least one admin account, you cannot change, modify or delete user accounts on the computer and you can never uninstall Admin By Request.
If you use the “Revoke admins rights” option in the portal to revoke user rights, all user accounts will be downgraded from Admin to User, when they log on. In the portal settings, you can specify user accounts that are excluded. These would typically be service accounts for a Help Desk or similar. If no excluded accounts are specified and the machine is not joined to Active Directory, the revoke will not be executed for the last administrator and it falls under the “Last Admin Check”.
Last Admin Check is no longer used - please refer to Portal Administration for Mac for more information.
Following installation of the macOS 5.0 endpoint client, there are two apps that need full disk access:
- adminbyrequest - The main app for enabling Admin By Request endpoint client features, including the ability to drag a file over the ABR icon in the dock to elevate privileges.
- Admin By Request System Extension - The extension app enables a range of functionality, but the main feature for macOS 5.0 is the ability to install an app by dragging its icon over the Applications folder. This app requires macOS 11+.
The following procedures describe three ways to enable FDA:
These procedures are not sequential - pick one or a combination of all three, depending on your requirements.
- On the Mac - FDA
  The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on Apple Macs running:
  macOS 10.15 (Catalina), macOS 11 (Big Sur) and macOS 12 (Monterey)
  - On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.
  - Lock the tab to save changes and close the System Preferences window.
  macOS 13 (Ventura) and macOS 14 (Sonoma)
  - On your Mac device, navigate to System Settings > Privacy & Security tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.
  - Close the System Settings window.
- Using Jamf - FDA
  Admin By Request provides a set of configuration files to assist with configuration in Jamf. Download the set here and visit Creating and Uploading PLIST or .mobileconfig File for instructions on deployment.
  Alternatively, follow the procedure below if you wish to build your own Jamf Configuration Profiles to manage Mac endpoints:
  - In Jamf, go to Computers > Configuration Profiles.
  - Create a new profile and configure it as follows:
    - Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR - PPPC.
    - Category, select Applications.
    - Distribution Method, select Install Automatically.
    - Level, select Computer Level.
  - Navigate from the General tab to the Privacy Preferences Policy Control tab:
    - Identifier, enter /Library/adminbyrequest/adminbyrequest.
    - Identifier Type, select Path.
    - For Code Requirement, enter the following line of code:
      identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
      IMPORTANT: The code snippet is all one line.
    - Under App or Service, select Accessibility and under Access, select Allow.
    - Save the profile.
  - Deploy and use this profile to enable FDA for all your macOS endpoints.
- Using Intune - FDA
  Similar to Jamf, Intune uses Configuration Profiles to manage Mac endpoints:
  - In Intune, under Configuration Profiles, select Create Profile.
  - Enter the following details into the Create a Profile form:
    - Platform: macOS
    - Profile type: Templates
  - Click Create.
  - Under Device restrictions, go to Configuration settings.
  - In the Edit Row form, enter the following:
    - Name: ABR – FDA
    - Identifier type: Path
    - Identifier: /Library/adminbyrequest/adminbyrequest
    - For Code Requirement, enter the following line of code:
      identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
      IMPORTANT: The code snippet is all one line.
  - Finally, select Allow in field Full disk access:
To download and install the Admin By Request macOS endpoint client:
- Sign in to your Admin By Request account at https://www.adminbyrequest.com/Login.
- Download the Mac client from the Download page and store the client file in a suitable temporary location.
Installation is now complete. The next step is to ensure that Full Disk Access (FDA) is enabled for Admin By Request.
On the Linux client, screen resolution scaling can make a difference to how fonts appear in the Admin By Request GUI. If the font appears distorted, large, compressed or with overlapping lines (or is simply unreadable), check the UI scaling percentage (Settings > Displays > Scale). If the value is greater than 100%, fonts in the GUI panels can appear distorted:
This will be fixed in a future release of the Linux client. Until then, the workaround is to reduce scaling to 100%. Note that functionality is unchanged - the client will still work as intended.
The Linux command line interface requires the following:
- The CLI commands are designed for the command line. If run inside a graphical interface's terminal window, certain commands will defer to the GUI version.
- Using the CLI requires Admin By Request for Linux version 3.1.9 or greater.
Refer to Prerequisites for more information.
Use the following process to uninstall Admin By Request for Linux from an endpoint. Note that you must know the root password for the endpoint:
- Shut down and reboot the computer.
- Try any of the following:
  - If your computer boots using BIOS, press and hold down the Shift key while GRUB is loading.
  - If your computer boots using UEFI, press the Escape key (Esc) while GRUB is loading.
  - As you’re booting the computer, wait for the manufacturer logo to flash from the BIOS. If your computer boots too quickly, you’re going to need to do this immediately after powering it on. Quickly press the Escape key.
    The timing has to be near perfect on some computers, so you may have to press the key repeatedly. If you miss the window, reboot and try again.
- At the GRUB boot menu, you’ll see an entry for “Advanced Options ...”. Select it and press Enter.
- Choose the most recent recovery mode option and press Enter.
- At the Password: prompt, enter the root password.
- Now you can uninstall Admin By Request for Linux by executing the following command:
  apt -y purge abr-* && apt -y autoremove
The most likely reason the Linux client fails to install is because the system has broken dependencies from earlier failed installations.
The first thing the Admin By Request Linux installer script does is run update + upgrade, to make sure the system is fully (and successfully) up-to-date. If anything fails during that process, then ABR will not install correctly. Check the system logs and resolve any outstanding failed installations before continuing with ABR install.
sudo is supported on both Mac and Linux endpoints - this is controlled in the portal.
To enable sudo support for macOS, go to Endpoint Privilege Management > Settings > Mac Settings > Lockdown > ADMIN SESSION and make sure Allow sudo terminal commands is ON.
To enable sudo support for Linux, go to Endpoint Privilege Management > Settings > Linux Settings > Lockdown > SUDO and make sure Allow sudo terminal commands is ON. You can then further control non-sudoers and sudo interactive sessions.
The portal has recently undergone some changes and reorganization. What was Applications is now known as App Control and is found at Settings > Linux Settings > App Control, as indicated in the screenshot:
From here, you can PRE-APPROVE or BLOCK applications by clicking New entry and providing the relevant details.
The Linux installation file is a script made in Python. It's a text file - you can open it with Windows Notepad to see its content.
Because the name of the file ends with ".0", Windows sees this file as a ".0" file type, in contrast to a Linux file system, which simply sees it as a normal data file.
To download and install the Admin By Request Linux endpoint client:
- Download the Linux client from https://account.adminbyrequest.com/ABRDownload and store the client file in a suitable temporary location.
- If you haven’t already, start a terminal session and make sure the file is executable:
  chmod +x 'abr-installer'
- Run the installation script:
  sudo ./'abr-installer'
- When the installation completes, the Admin By Request icon appears in the top right corner of the screen. Click the icon to show details about the client or start an Admin Session.
Installation is now complete.
Portal
- Admin Portal
- Remote Access
- Connectivity
AI Approval allows our AI scoring system to auto-approve trivial Run As Admin requests for common applications.
At the time of writing, our app database comprises more than 12 million known applications. Each of these is scored by our AI engine in real-time based on popularity, reputation and trends. If, for example, the App score is enabled at 20, it means that any request is auto-approved if the App score is 20 or above.
Refer to AI Approval for more information.
A "product view" is the information displayed in the portal for that product.
The portal customizes the information displayed depending on the product selected. The information available for display across all menus (Summary, Auditlog, Requests, Inventory etc.) is called the "view" for that product:
- The menu selection Endpoint Privilege Management shows the product view for managing local admin rights on your endpoint clients.
- The menu selection Secure Remote Access shows the product view for managing your endpoints that can be remotely accessed.
To change your password in the portal, click the User Account drop-down in the header on any page.
Refer to Header parts for more information.
By default, endpoint clients synchronize with the portal approximately every four hours. If an immediate sync is needed on a particular client, you can achieve this by opening Admin By Request from the tray tool (Windows) or menu bar (macOS and Linux) and selecting About Admin By Request.
At the same time, you should verify that connectivity is OK by clicking the Connectivity button.
Refer to Synchronizing Clients with the Portal for more information, or if you are having problems with synchronization.
Yes. You can set a scope for portal logins to only see and approve part of the data based on end user or computer groups or Organizational Units.
For example, an administrator in a region could be set up to only see and approve requests and data from computers in his/her own scope, assuming for example that all computers are in a specific Organizational Unit.
Refer to Logins for more information.
Yes. In the portal, you can create additional logins for more people. You can also define which roles they have, such as read-only view, whether or not they can edit settings, access to the audit log and if the person is allowed to approve requests.
In the portal, go to Logins > User Logins > New user.
Refer to Logins for more information.
Turning off everything effectively means giving users back their local admin rights. Think about this carefully before doing it.
To turn off everything except logging actions to the Auditlog, you need to:
- Authorization: turn On Allow Run As Admin and turn Off all other toggles.
- Authorization: turn On Allow Admin Sessions and turn Off all other toggles.
- Authorization: make the Access time (minutes) a large number that covers most of the day. For example, 480 minutes (8 hours).
- Lockdown: turn Off Revoke admin rights.
For more information, refer to Authorization tab under Windows Settings.
You can also check out the WHIZ usage persona for a 10-minute video on how to accommodate developers or power users.
You do not need to approve each time a user wants admin access. You can use a setting after sign-in to allow elevation without approval. In this case, you still get the benefits of auditing: who elevated, when, and an auditlog of installed software and executed applications.
In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Code of Conduct message/screen that will appear just before the session starts. The Code of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.
Change this setting in the portal at Settings > [OS] Settings > Authorization > AUTHORIZATION.
You can add your company logo to both the portal and the dialog boxes that users see on their endpoints. The setting is in the portal at Endpoint Privilege Management > Settings > Windows Settings > Endpoint > BRANDING.
Refer to Branding tab under Windows Settings for more information.
Yes.
The most typical pattern we see for new customers is that they start with approval required. Then after an initial period, when the psychological effects on end users are clear and there is reassurance end users do not violate rules, they shift to auto-approval mode combined with reason requirement and Code of Conduct screen.
This is the point where the whole administrator access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.
You can set a scope for portal logins to only see part of the data based on the end users or computers groups and/or Organizational Units.
For example, sales managers can be set up to only see users and computers in sales. They will then only get approval requests from their own staff. You can also set up a manager to not have approval ability, but only the ability to see the auditlog for his/her own staff.
You can create a portal user account that can see only the auditlog and, optionally, the inventory. No other data will be visible.
To give a user a limited view within the portal, you simply create a user account that cannot approve requests. This way, your customer can see the data you choose without the ability to approve requests.
If you have on-premise remote gateways configured, you can also remove access to the portal entirely by limiting user access to those computers accessible via the relevant gateway. This is controlled in the admin portal under setting Logins > User Logins, EDIT or New user, tab ACCOUNT, heading Rights, field Limit to access.work.
If you don't see field Limit to access.work, you have not yet configured an on-premise gateway.
Clicking the drill-down link opens an inventory-style list of all devices accessible via this gateway. Devices can be entered manually or they can be discovered.
Devices can be ACTIVE or INACTIVE and are displayed in the corresponding tab:
- ACTIVE: able to be connected to via Unattended Access and consume a license.
- INACTIVE: not able to be connected to via Unattended Access and do not consume a license.
Use the Disable/Enable links to make a device active/inactive respectively.
Use the Search button to search for devices in large lists and the Export buttons to export data in the format shown.
Refer to Devices (n) for more information.
Remote Support is part of the Secure Remote Access product by Admin By Request, that allows you to share screens and remotely control devices inside of your Admin By Request inventory, while using all of the well-known features of the Admin By Request ecosystem, such as: inventory, auditlog, settings and sub-settings, approval flows etc.
Remote Support allows either end users or IT admins to initiate a secure, just-in-time, remote support session – allowing them to share and control the end-user's device – and tear everything down once the session is done – eliminating any access points for bad actors.
This document covers getting started with Product Enrollment and Remote Support. It also describes key settings that can be administered from the portal.
Refer to Remote Support Overview for more information.
Remote Support is based on the same gateway concept as the Unattended Access gateway, which is also part of the Admin By Request Secure Remote Access product. It allows a just-in-time setup between the gateway and the endpoint by establishing a secure Cloudflare tunnel.
Once the tunnel is established, a just-in-time server session is created on the endpoint – allowing for screen sharing and remote control via the browser.
Once the session is terminated or expires, the tunnel and the server session are terminated, leaving the endpoint in the same state as before the remote support session.
The setup is fully cloud-based and does not require any on-premise setup besides what’s mentioned in the prerequisites:
The flow for a Remote Support session can be initiated either by an end user or by an IT administrator via the portal.
Refer to How does Remote Support work? for more information.
A self-hosted implementation means that you run Unattended Access on-premise inside your own infrastructure, including the ability to run Docker containers. To establish a secure tunnel, your infrastructure must also allow outbound connections to Cloudflare.
Refer to How do I setup a Self-hosted Implementation? for more information.
A managed service is a way of operating Unattended Access so that your infrastructure allows an outbound connection to establish a secure tunnel from your respective endpoints and that these have the Admin By Request endpoint client installed.
Refer to How do I setup a Managed Service? for more information.
Before trying to remotely access a device, make sure all setup has been done and the gateway to your device is "live". Refer to Getting Started with Unattended Access for more information on prerequisites and setting up gateways.
To remotely access a device:
In order to allow Admin By Request to connect to your endpoints, they need to allow traffic on the following ports:
- RDP - 3389
- SSH - 22
- VNC - 5900 and 5901
After a few seconds, the connection appears directly in your browser.
The CLOUD tab becomes visible only when an on-premise gateway is created. If no on-premise gateway exists, Unattended Access will use the managed service option, which is enabled by default and requires no configuration.
Configuring an on-premise gateway means disabling the cloud gateway (see How do I setup a Self-hosted Implementation?) which is why the CLOUD tab becomes available when a gateway is created.
Vendor Access, also known as access.work (https://access.work), is a feature of Secure Remote Access that allows users to connect to devices through their browsers without needing access to the Admin By Request Portal.
Refer to Using Vendor Access for more information.
Via the portal:
- To enable Unattended Access, log in to the Admin By Request portal and head over to Secure Remote Access > Settings > Unattended Access Settings.
- Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access is turned On:
Refer to Getting Started with Unattended Access for more information.
Getting started with Unattended Access is simply a matter of enabling it in the portal:
- To enable Unattended Access, log in to the Admin By Request portal and head over to Secure Remote Access > Settings > Unattended Access Settings.
- Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access is turned On:
For more information, refer to Getting Started with Unattended Access.
Unattended Access is a feature of Secure Remote Access that allows you to connect remotely to your servers and network endpoints directly from your browser, using a lot of the well-known Admin By Request features like: inventory, auditlog, settings and sub-settings, approval flows, integrations etc.
The implementation of Unattended Access can use either a "Cloud" or an "On-premise" gateway, eliminating the need for VPN and jump servers, while still maintaining a secure and segregated setup.
This document covers getting started with Product Enrollment, Unattended Access and Vendor Access. It also describes key settings that can be administered from the portal.
Refer to Unattended Access Overview for more information.
Product enrollment is the mechanism of determining which Admin By Request licenses – and hence product capabilities – should be available to specific endpoints.
Refer to Product Enrollment for more information.
The Test Drive mode allows a portal user to cherry pick which devices are enrolled with the selected product. This can either be done by specifying a computer group scope or by manually picking devices.
Refer to Product Enrollment (Test Drive) for more information.
This may be surprising, but no. The client is only required to have an occasional internet connection (like a guest WIFI anywhere). The reason is, clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator temporarily and will queue the data locally and log what has been done, including date & time, installed applications, exe files run as administrator and so on.
Once the client has an internet connection again, it will flush the queue to the cloud service and all data is uploaded. This means that the client works exactly the same whether online or offline. The only difference is the time the reporting data becomes available in the cloud service.
Yes.
Refer to ENTRA ID / AZURE AD tab for details on how to set up the Entra ID Connector and Integrations > Single Sign-On (SSO) for details on setting up SSO.
The most likely cause is an incorrect email address, either from misspelling or inadvertent entry of extra characters that are not visible. This is particularly true if notifications have been configured for the ABR mobile app and they are being sent correctly, but notifications via email are not.
Remove the email address and re-enter it, then try the operation again.
Yes.
When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data. The expected accuracy is at a city level.
Do not be concerned about Internet bandwidth consumption. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and, if the connection is bad, we don’t want to consume bandwidth.
Inventory data is collected intelligently, so only delta data is collected. If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client to the cloud service is minimal. If you take the traffic a random client generates through typical use in a month and divide it by the number of days, we are talking about 5K of data per day. Put another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.
In this case, the client cannot allow the elevation and you cannot see an approval request. The client will intelligently determine it is indeed offline (i.e. has no Internet access) and, on the approval screen, a note will automatically appear telling the user that elevation can happen only if the user either seeks an internet connection or, if that is not possible, contacts IT and gets a daily PIN code. The PIN code is a code the client and server know without having communication. The PIN code will appear in the left menu on computer details in the inventory if you enable approval mode.
General
- Licensing
- Security
Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.
Once logged in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.
After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.
For more information, please refer to Getting Started in our Documentation Center.
From the Admin By Request home page, click Download the Free Plan to start on a free plan. You can use the free plan for proof of concept without using trial-ware. If you need more licenses for proof of concept, please contact us.
There is no catch with the free plan. You can freely use the full product in your production environment on up to 25 workstations and 10 servers in your organization.
The first 25 workstation (and 10 server) clients are always free - you can start with those right now. For a paid plan, it depends how many clients you need and which types they are (i.e. server or workstation). Please use the quote form here and we will return a quote today.
Please use the quote form here and we will return a quote today. If you purchase a paid plan, we will upgrade your free plan to a paid one on-the-fly without you having to do anything.
The number of licenses you need depends on how many endpoints you wish to manage at your organization. Please use the quote form here and we will return a quote today.
No.
You buy a number of Workstation licenses and these can freely be mixed between Windows, Mac and Linux. In other words, you need one license for each installed endpoint.
The mobile app is free - find it in the Apple App or Google Play stores.
The iPhone app works on iOS 10.0+. Android version works on version 4.4+ (KitKat).
Visit web page Book a Demo, fill out and submit the form, and we will get back to you asap. We can usually schedule a demo next business day.
When you request a free plan, you will get an email from us that you can respond to, asking any questions you might have.
If you did not receive an email, please use our contact details page (Contact Sales) to send us a message, and we will contact you.
Licenses are automatically removed after 60 days for inactive endpoints. If you don't want to wait that long, there are several other ways:
- You can uninstall ABR from an endpoint - the license is instantly recovered.
- You can find the endpoint in the Inventory and use either the Delete menu (at left) or the DELETE tab to remove the computer.
- There is a bulk delete capability available using API calls, described here: https://www.adminbyrequest.com/en/docs/inventory-api. A video is available showing how bulk delete can be done in Postman: https://www.dropbox.com/s/nsoyi0crma63y4i/Multi-Inventory-ID-Delete.m4v?dl=0.
This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.
For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.
The only people who can see devices in your tenant are the primary login that was first used to register with Admin By Request and the users listed in the portal under Logins > User Logins.
The installer file downloaded from the portal is unique to your tenant. Depending on the target operating system, it can be an executable file, a package or a script and it is signed with a license that applies only to installers downloaded from the tenant in which you are currently logged in. The same license file is applied to each of the operating system client installers: Windows, macOS, Linux and Server.
This is true for free plans as well as paid plans.
When installed on an endpoint, once the endpoint connects successfully, you will see in real time the status of the endpoint in your Inventory, which is also unique to your tenant. You will not see other endpoints installed with files downloaded from other tenants - this is simply not possible.
Admin By Request uses port 443 and the IP addresses and URLs that need access through firewalls are as follows.
If your data is located in Europe:
- IP: 104.45.17.196
- DNS: api1.adminbyrequest.com
- DNS: macapi1.adminbyrequest.com
- DNS: linuxapi1.adminbyrequest.com
If your data is located in the USA:
- IP: 137.117.73.20
- DNS: api2.adminbyrequest.com
- DNS: macapi2.adminbyrequest.com
- DNS: linuxapi2.adminbyrequest.com
If you wish to remotely access endpoints using Unattended Access and Remote Support:
- Outbound MQTT broker connectivity via WebSockets - port 443 for the following:
  - FastTrackHubEU1.azure-devices.net (if your data is located in Europe)
  - FastTrackHubUS1.azure-devices.net (if your data is located in the USA)
- For Unattended Access, RDP needs to be enabled on port 3389 on the device
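To confirm that a firewall change actually lets a client reach the destinations listed above, the following added example (not Admin By Request code) probes each one on port 443 and classifies the failure. The function names and the "EU"/"US" region keys are assumptions made for this sketch; the hosts and addresses are the ones given in this FAQ.

```python
import socket

# Destinations copied from the FAQ above; every one is reached on TCP 443.
API_IPS = {"EU": "104.45.17.196", "US": "137.117.73.20"}
API_HOSTS = {
    "EU": ["api1.adminbyrequest.com", "macapi1.adminbyrequest.com",
           "linuxapi1.adminbyrequest.com"],
    "US": ["api2.adminbyrequest.com", "macapi2.adminbyrequest.com",
           "linuxapi2.adminbyrequest.com"],
}
MQTT_HOSTS = {"EU": "FastTrackHubEU1.azure-devices.net",
              "US": "FastTrackHubUS1.azure-devices.net"}
PORT = 443


def required_targets(region, remote_access=False):
    """Return the destinations a firewall must allow for one data region."""
    region = region.upper()
    if region not in API_HOSTS:
        raise ValueError(f"unknown region {region!r}; expected EU or US")
    targets = [API_IPS[region]] + API_HOSTS[region]
    if remote_access:  # Unattended Access and Remote Support
        targets.append(MQTT_HOSTS[region])
    return targets


def probe(target, port=PORT, timeout=5.0, connect=socket.create_connection):
    """Attempt one outbound TCP connection; return (target, status, detail)."""
    try:
        sock = connect((target, port), timeout)
    except socket.gaierror as exc:          # name did not resolve
        return (target, "dns-failure", str(exc))
    except (TimeoutError, socket.timeout):  # SYN silently dropped
        return (target, "timeout", "no answer, likely filtered")
    except OSError as exc:                  # refused, reset, unreachable
        return (target, "blocked", str(exc))
    sock.close()
    return (target, "ok", "")


def audit(region, remote_access=False, connect=socket.create_connection):
    """Probe every required destination and return only the failures."""
    results = [probe(t, connect=connect)
               for t in required_targets(region, remote_access)]
    return [r for r in results if r[1] != "ok"]


if __name__ == "__main__":
    for target, status, detail in audit("EU", remote_access=True):
        print(f"{target}:{PORT} {status} {detail}")
```

A successful TCP connection shows only that the port is open; a proxy that intercepts TLS on port 443 can still break the client and needs to be checked separately.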
Allowing your users to retain full access rights is equivalent to turning off all Admin By Request's protections.
Admin By Request can help you comply with a number of regulatory frameworks, including GDPR, ISO 27001, NIST SP 800-53, DORA and NIS2. We continually assess frameworks for compatibility and use their requirements as one of the inputs to our development process.
Refer to Compliance Mapping for more information.
Yes. For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.
The following IP addresses are used to send webhooks:
- If your data is located in Europe: 104.40.134.41 and 40.91.214.18
- If your data is located in the USA: 13.90.244.80 and 40.121.45.3
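A webhook receiver can use the addresses above to reject requests that do not originate from the service. This added example (not part of Admin By Request) resolves the real sender, honouring X-Forwarded-For only when the TCP peer is a proxy you operate. The function names and the "EU"/"US" region keys are assumptions made for this sketch.

```python
import ipaddress

# Webhook sender addresses published in the FAQ above.
WEBHOOK_SOURCES = {
    "EU": ("104.40.134.41", "40.91.214.18"),
    "US": ("13.90.244.80", "40.121.45.3"),
}


def parse_ip(text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text.strip())
    return getattr(addr, "ipv4_mapped", None) or addr


def client_ip(peer, forwarded_for=None, trusted_proxies=()):
    """Resolve the real sender from the socket peer and X-Forwarded-For.

    The header is honoured only when the TCP peer is one of our own
    proxies, and it is walked right to left so that entries a sender
    prepends to the header are never believed.
    """
    peer_ip = parse_ip(peer)
    trusted = {parse_ip(p) for p in trusted_proxies}
    if peer_ip not in trusted or not forwarded_for:
        return peer_ip
    for hop in reversed(forwarded_for.split(",")):
        hop_ip = parse_ip(hop)
        if hop_ip not in trusted:
            return hop_ip
    return peer_ip  # every hop was one of our proxies


def is_abr_webhook(region, peer, forwarded_for=None, trusted_proxies=()):
    """True only if the resolved sender is a published address for region."""
    allowed = {parse_ip(a) for a in WEBHOOK_SOURCES[region.upper()]}
    try:
        return client_ip(peer, forwarded_for, trusted_proxies) in allowed
    except ValueError:  # malformed address in peer or header: reject
        return False
```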
All emails are sent from noreply@fasttracksoftware.com. We use Twilio SendGrid to send emails and the dedicated IP address is: 149.72.185.15.
Yes.
Once a stolen machine is booted and communicates with the Inventory, the public IP address of the thief’s router becomes available. The endpoint client does not require anyone to log on to a computer to upload data, so when the thief simply turns on the computer, inventory data is sent transparently. You can now see the public IP address and upload time in your client view and give this to the police. The police can then get the name and address of the IP address owner from the thief’s internet service provider (ISP).
Yes, we have published two CVEs in 2019. These were found by Improsec in September 2019 in the production version 6.1. We notified our customers and released version 6.2 on October 11th 2019 with fixes for these two vulnerabilities.
For more information, refer to CVE-2019-17201 and CVE-2019-17202.
We generally have two separate companies run penetration tests before every major release. We also get copies on a monthly basis of clean reports executed secretly by customers.
Please use our contact details page Get in Touch > Something Else to report your findings.
The scope of a vulnerability has to be escalation of privileges from a non-administrator user to obtain admin rights.
All collected data associated with the computer is deleted.
When a computer is deleted from the Inventory, make sure that its endpoint client software is removed. If the computer is subsequently powered on with a network connection, and the endpoint client is still installed, the computer will show up again and re-upload inventory data.