All FAQ

Introduction

All frequently asked questions about Admin By Request in one place.

In the Endpoint  and Portal  lists, the most recent frequently asked questions are at the top.

Endpoint


  • Windows
  • Mac
  • Linux



Windows Settings: Red-check vs Green-check

Please refer to Windows Settings: Red-check vs Green-check.

Do you still support Windows 7?

Not officially.

Admin By Request version 7.4 is the last version to officially  support Windows 7 (Pro and Enterprise only). If you need to use this version, login to the portal and visit our Download Archive.

While newer versions of Admin By Request should still function on the Windows 7 operating system, they are not tested for compatibility, so we cannot guarantee stability.

If you experience issues with Admin By Request on Windows 7, we would likely still perform basic troubleshooting, but may be unable to resolve problems specific to the operating system.

If stability of the client is important, you should disable Auto Update on Windows 7 devices, and subsequently manually test new versions before wider implementation. Disable Auto Update in the portal at Endpoint Privilege Management > Settings > Windows Settings > Endpoint > AUTO-UPDATE.

To prevent select devices from auto updating, a registry key needs to be set that overrules the global auto update setting:

HKEY_LOCAL_MACHINE\Software\FastTrack Software\Admin By Request\Policies

The Policies key does not exist by default, so this may have to be created first.

In the Policies key, create a REG_DWORD named InternetUpdate, and set its value to either 0 (disabled) or 1 (enabled).

Note that a local administrator account is required to create/modify the registry for Admin By Request.

What are all the ways to uninstall a Windows client?

For Windows, you can uninstall a single endpoint or multiple endpoints at once:

  • Single endpoint uninstall

    • Using a PIN Code

    • Via the msi installation file

  • Multiple endpoints uninstall

    • Using msiexec

    • Using PsExec

    • Using a PowerShell script

Refer to Uninstalling Admin By Request for more information.

Troubleshooting Windows Tray Tool in v8.3

The new tray tools for Network Adapter Settings and Uninstall Program  from version 8.3 were developed in an effort to allow access to these via the Admin By Request approval flow. The intention is for these to replace the previous iteration of these tools for the most common purposes, whereas more advanced functionality still requires elevating the Control Panel.

Two issues have been identified and resolved regarding the new tray tool for network adapter settings in 8.3:

  • Some network adapters were showing up as inactive even though they were not.

  • Switching from automatic to manual IP configuration was not setting the gateway correctly – causing an exception when re-opening the applet.

In addition, changes have been made to mimic the native behavior of the basic network adapter settings more closely.

These resolutions are available in our most recent production release version 8.3.1. This is the version currently available on the main download page.

NOTE:

This version fixes only inconsistent or unintended behavior with the tray tool for Network Adapter Settings - the Uninstall Program applet is unchanged.

How do I allow users to change their local time zone?

It is possible to allow users to change their local time zone on Windows computers by adding a tray tool for the Control Panel app timedate.cpl.

The tray tool menu item can then be made available to users who would otherwise be "blocked by policy".

  1. In the portal, go to Endpoint Privilege Management > Settings > Windows Settings > App Control > TRAY TOOLS and click New Tray Tool.

  2. In the Tray Tools panel, add the item using the following data:

  3. Click Save. The new tray tool is now available:

Can I allow any app within a specific folder to Run As Admin?

Yes, all apps in a folder can be authorized to Run As Admin. In the Portal, select Settings > Windows Settings and then App Control from the left menu. Click New entry and in field Type, select Run As Admin location pre-approval (all files in folder tree):

Enter the Directory name (following the instructions in red) and click Save.

This is also available under Linux Settings (version 3.0), but not for Mac Settings (version 4.1), although you can pre-approve all apps from a specify Vendor under Mac Settings.

How do I install Windows clients via Intune?

To install Windows clients via Intune:

  1. Before adding the application to Intune, create a package in the .intunewin format using the Microsoft Win32 Content Prep Tool.

  2. Run the tool (IntuneWinAppUtil.exe) at a Windows command line, entering data as shown:

    This creates an Admin By Request package file that can be used by Intune.

  3. Go to Intune and open Apps > Windows and click Add:

  4. Select Windows app (Win32) and click Select.

  5. Choose the Admin By Request package file created in step 2 and click OK:

  6. In the (1) App information window, enter Publisher and App Version if not already given:

  7. In the (2) Program window, enter change the Uninstall command to:
    powershell.exe -command "Get-Package -Name 'Admin By Request Workstation' | Uninstall-Package -AllVersions -Force"

  8. In the (3) Requirements window:

    1. For Operating system architecture, select both 32-bit and 64-bit:

    2. For Minimum operating system, select Windows 10 1607:

  9. In the (4) Detection rules window, for Rules format, select Manually configure detection rules and click + Add::

  10. In the Detection rule window, change the Path to C:\Program Files (x86)\FastTrack Software\Admin By Request:

  11. Continue with the Intune package process, accepting the defaults for all remaining prompts/questions.

Why is the tray icon for ABR red rather than green?

If the logged-in user is a member of certain "exempt" Active Directory groups, Admin By Request places the user in the workstation's Local Administrators Group, indicating this with a red/orange tray icon. You can see what the icon looks like in About Admin By Request.

As well as Local Administrators, groups that trigger this action include Domain Administrators and any group that is assigned either the Global Administrator or Azure AD Joined Device Local Administrator role.

To make sure the logged-in user does not automatically get elevated privileges (and thus has a green tray icon upon login), check that the user is not a member of any exempt Active Directory groups.

Refer to The Windows Client User Interface for more information.

Why can my standard users install some apps, but not others?

The reason is that not every app requires elevated privileges to install. For applications that don't need Administrator privileges, Admin By Request will not deploy.

Admin By Request works by removing Administrator from the user's profile, and then acting as a "middle man" UAC (on windows) to provide momentary Administrator access.

Where are Settings described?

Settings are covered in the Portal section:

How does an Admin Session work on Windows?

A standard user making this selection where approval is required initiates the following sequence of events.

  1. An empty Request Administrator Access form appears:

  2. The user enters email, phone and reason information into the form and clicks OK.

    NOTE:

    Settings in the portal control the full extent of what is displayed to the user:

    • If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).

    • If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).

  3. The request is submitted to the IT administration team and the user is advised accordingly:

  4. The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

    The following example shows how two new requests might appear in the portal:

  5. One of the team either approves or denies the request. If approved, the user is advised accordingly:

  6. The user clicks Yes, which starts the session and displays a countdown timer:

  7. The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

How do I pre-approve an already-installed app on Windows?

Admin By Request allows for quick pre-approval of trusted applications from the Auditlog. Pre-Approval is based on the application vendor or checksum, visible when the Application Control screen is displayed (step 3 below).

NOTE:

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

  1. Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.

  2. Expand on the application entry, and select Pre-approve this file under Actions:

  3. On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.

  4. Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

What happens to the local admin group after installation?

During installation, if the computer is in a domain, Domain Users will be removed from the local administrator’s group right away. That is all that happens initially.

When a user then logs on, the user will be removed from the local administrator’s group unless:

  • You have unchecked “Revoke admins rights” in the portal settings

  • The user is in the list of excluded accounts in the portal settings

  • The user is member of a group that is the local administrator’s group (such as domain admins)

The reason all users are not just removed right away is to only remove accounts that are actually interactive user accounts and not accidentally remove any service accounts. Please refer to the Windows client technical details page for more information.

How can I prevent users from tampering?

The users and groups administration will be removed entirely from Computer Management during an administrator session.

Even if the user still manages to tamper the local administrator’s group, the administrator’s group is snapshotted before the session starts and restored after the session ends. If the user tries to add other users or groups to the administrator’s group, these will simply be removed at the end of the session. If the user tries to uninstall Admin By Request during a session, Windows Installer will show an error message saying that Admin By Request cannot be uninstalled during an active session. If the user tries to tamper policy keys, these are also snapshotted and restored after sessions.

Please refer to the Windows client technical details page for more information.

Can we keep some domain users as local administrators?

You can keep some domain users as local administrators.

Domain groups (except Domain Users) are not removed from the local administrator’s group. This means that if a domain user logs on and is member of a domain group that is in the local administrator’s group (for example a Help Desk domain group) the user is always local administrator. In this case the tray icon is red and hovering it, you can see the tool tip saying “You are logged on as administrator”. You can also specify specific user accounts to exclude in the portal settings.

To change this setting in the portal, go to Endpoint Privilege Management > Settings > Windows Settings > Lockdown > ADMIN RIGHTS, or refer to Admin Rights tab for more information.

How do I get started on Windows?

Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.

For more information, please refer to Getting Started  in our Documentation Center.

How do I download and install the Windows client?

To download and install the Admin By Request Windows endpoint client:

  1. Download the Windows endpoint client from
    https://account.adminbyrequest.com/ABRDownload
    and store the .msi file in a suitable location.

  2. Double-click the .msi file to start the installation and click Install when prompted:

    NOTE:

    You might be prompted for administrator credentials depending on the endpoint's UAC configuration.

    3. When the installation completes, the Admin By Request icon appears in the system tray in the bottom right corner of the screen. The icon is red if you are logged-on as an Administrator and green if you are logged-on as a Standard User. Refer to The Windows Client User Interface for a description of the differences.

  3. Click the icon to show details about the client or to start an Admin Session:

    Depending on installation preferences, Admin By Request shortcut icons may also be placed on the desktop:

Installation is now complete.


How do I pre-approve an already-installed app on the Mac?

Admin By Request allows for quick pre-approval of trusted applications from the Auditlog. Pre-Approval is based on the application vendor or checksum, visible when the Application Control screen is displayed (step 3 below).

NOTE:

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

  1. Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.

  2. Expand on the application entry, and select Pre-approve this file under Actions:

  3. On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.

  4. Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

Pre-Approval is not working for some Mac applications

Some Mac applications (e.g. Grammarly and Spotify) require wide-ranging permissions to install properly and can only be successfully installed via an Admin Session. Further, these applications almost always require the same wide-ranging permissions when they auto-upgrade, meaning that another Admin Session must be started before upgrading the app.

This is simply due to the nature of how processes work on the macOS operating system. When attempting to run an installation or upgrade via Run As Admin, a pop-up window prompting for admin credentials will be triggered by the OS whenever a separate executable that handles access to another area of the file system is invoked. At the time of writing, the only way around this is to carry out the installation or upgrade via an Admin Session.

Where do I find client errors on the Mac?

You can find the error log under /var/log/adminbyrequest.log.

How do I uninstall on a Mac?

On a Mac, while logged-in as an Admin user, run the uninstall program /Library/adminbyrequest/uninstall.

NOTE: The uninstall program cannot be run during a normal (i.e. Standard user) Admin By Request admin session.

Refer to Uninstalling Admin By Request for more information.

How do I get started on macOS?

Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.

For more information, please refer to Getting Started  in our Documentation Center.

Can I run a package by dragging it to the dock?

On a Mac, some packages (i.e. .app files) can be executed under Run As Admin by dragging them over the Admin By Request icon in the dock. However, Full Disk Access (FDA) must be enabled first.

To enable FDA, refer to Enable Full Disk Access (FDA).

For any .app file, initiate Run As Admin by dragging and dropping the application file over the Admin By Request Dock icon. At the account control pop-up, enter credentials and hit OK to run the installer as an administrator. Note that this works only for .app files; it does not work for .pkg files.

Why is Admin By Request on my Mac not working, although installation appears successful?

Immediately after  installation of the ABR endpoint client, FDA must be checked to make sure that Admin By Request is enabled to fully protect Mac endpoints.

NOTE:

Admin By Request must be installed prior to enabling FDA, so that its apps and extensions appear in the list of apps available under Full Disk Access.

Refer to Enable Full Disk Access (FDA) for more information on enabling FDA.

What is "Last Admin Check"?

If you log on to a Mac that is not joined to Active Directory and expect the user account to be downgraded from Admin to User, but it doesn’t happen and the icon appears red in the toolbar, you are most likely hitting the “Last Admin Check”.

You can confirm this by clicking the red icon. The intention of this check is to make sure you always have a service account. If you don’t have at least one admin account, you cannot change, modify or delete user accounts on the computer and you can never uninstall Admin By Request.

If you use the “Revoke admins rights” option in the portal to revoke user rights, all user accounts will be downgraded from Admin to User, when they log on. In the portal settings, you can specify user accounts that are excluded. These would typically be service accounts for a Help Desk or similar. If no excluded accounts are specified and the machine is not joined to Active Directory, the revoke will not be executed for the last administrator and it falls under the “Last Admin Check”.

NOTE:

Last Admin Check is no longer used - please refer to Portal Administration for Mac for more information.

How do I make a Mac user the device owner?

To make a Mac user the device owner:

  1. In the portal, go to the Inventory top menu and locate the device.

  2. Click either the computer name (in column Computer) or the Details link (in column Details) to show information for the device.

  3. Select the left menu option Owner.

  4. Click button Make Owner:

How do I enable FDA (Full Disk Access)?

Following installation of the macOS 5.0 endpoint client, there are two apps that need full disk access:

  • adminbyrequest - The main app for enabling Admin By Request endpoint client features, including the ability to drag a file over the ABR icon in the dock to elevate privileges.

  • Admin By Request System Extension - The extension app enables a range of functionality, but the main feature for macOS 5.0 is the ability to install an app by dragging its icon over the Applications folder. This app requires macOS 11+.

Immediately after  installation of the ABR endpoint client, FDA must be checked to make sure that Admin By Request is enabled to fully protect Mac endpoints.

NOTE:

Admin By Request must be installed prior to enabling FDA, so that its apps and extensions appear in the list of apps available under Full Disk Access.

The following procedures describe three ways to enable FDA:

These procedures are not sequential - pick one or a combination of all three, depending on your requirements.

  1. The procedure to enable FDA is slightly different for different macOS versions. The following steps describe how to enable FDA on Apple Macs running:

    1. On your Mac device, navigate to System Preferences > Security & Privacy > Privacy tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

    2. Select both adminbyrequest and Admin By Request System Extension in the list of apps (i.e. ensure the boxes are checked):

    3. Lock the tab to save changes and close the System Preferences window.

    1. On your Mac device, navigate to System Settings > Privacy & Security tab and select Full Disk Access from the list. You’ll need to supply your password to unlock and make changes.

    2. Select both adminbyrequest and Admin By Request System Extension in the list of apps (i.e. ensure the toggles are on):

    3. Close the System Settings window.

  2. Admin By Request provides a set of configuration files to assist with configuration in Jamf. Download the set here and visit Creating and Uploading PLIST or .mobileconfig File for instructions on deployment.

    Alternatively, follow the procedure below if you wish to build your own Jamf Configuration Profiles to manage Mac endpoints:

    1. In Jamf, go to Computers > Configuration Profiles.

    2. Create a new profile and configure it as follows:

      1. Name: give the profile a name that helps explain what application it is giving rights to. In this example, we use ABR - PPPC.

      2. Category, select Applications.

      3. Distribution Method, select Install Automatically.

      4. Level, select Computer Level.

    3. Navigate from the General tab to the Privacy Preferences Policy Control tab:

      1. Identifier, enter /Library/adminbyrequest/adminbyrequest.

      2. Identifier Type, select Path.

      3. For Code Requirement, enter the following line of code:

        Copy 
        identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
        IMPORTANT:

        The code snippet is all one line. Use the Copy button in the top right corner of the code box to copy the code to the clipboard.

      4. Under App or Service, select SystemPolicyAllFiles and under Access, select Allow:

        Under App or Service, select Accessibility and under Access, select Allow.

      5. Save the profile.

    4. Deploy and use this profile to enable FDA for all your macOS endpoints.

  3. Similar to Jamf, Intune uses Configuration Profiles to manage Mac endpoints:

    1. In Intune, under Configuration Profiles, select Create Profile.

    2. Enter the following details into the Create a Profile form:

      • Platform: macOS

      • Profile type: Templates

      • Template name: ABR – FDA

    3. Click Create.

    4. Under Device restrictions, go to Configuration settings.

    5. Select Privacy preferences and click Add:

    6. In the Edit Row form, enter the following:

      • Name: ABR – FDA

      • Identifier type: Path

      • Identifier: /Library/adminbyrequest/adminbyrequest

      • For Code Requirement, enter the following line of code:

        Copy 
        identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP
        IMPORTANT:

        The code snippet is all one line. Use the Copy button in the top right corner of the code box to copy the code to the clipboard.

      7. The completed form:

    7. Finally, select Allow in field Full disk access:

How do I download and install the Mac client?

To download and install the Admin By Request macOS endpoint client:

  1. Sign-in to your Admin By Request account at https://www.adminbyrequest.com/Login.

  2. Download the Mac client from the Download  page and store the client file in a suitable temporary location.

  3. Double-click the downloaded package to begin the installation.

    The package runs a check to determine if Admin By Request can be installed:

  4. Continue with the installation, providing Administrator credentials if necessary:

  5. If using system extension and prompted with System Extension Blocked, click Open System Settings and allow system software from Admin By Request:

  6. When done, close the installer and (optionally) move the installer package to the bin:

Installation is now complete. The next step is to ensure that Full Disk Access (FDA) is enabled for Admin By Request.

How does an Admin Session work on a Mac?

A standard user making this selection where approval is required initiates the following sequence of events.

  1. A prompt asks “Do you want to start an administrator session?”. The user clicks Yes to continue:

  2. An empty Request Administrator Access form appears:

  3. The user enters email, phone and reason information into the form and clicks OK.

    NOTE:

    Settings in the portal control the full extent of what is displayed to the user:

    • If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).

    • If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).

  4. The request is submitted to the IT administration team and the user is advised accordingly:

  5. The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

    The following example shows how two new requests might appear in the portal:

  6. One of the team either approves or denies the request. If approved, the user is advised accordingly:

  7. The user clicks Yes, which starts the session and displays a countdown timer:

  8. The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.


Why are fonts distorted for the Linux GUI?

On the Linux client, screen resolution scaling can make a difference to how fonts appear in the Admin By Request GUI. If the font appears distorted, large, compressed or with overlapping lines (or is simply unreadable), check the UI scaling percentage (Settings > Displays > Scale). If the value is greater than 100%, fonts in the GUI panels can appear distorted:

This will be fixed in a future release of the Linux client. Until then, the workaround is to reduce scaling to 100%. Note that functionality is unchanged - the client will still work as intended.

How does an Admn Session work on Linux?

A standard user making this selection where approval is required initiates the following sequence of events.

  1. An empty Request Administrator Access form appears:

  2. The user enters email, phone and reason information into the form and clicks OK.

    NOTE:

    Settings in the portal control the full extent of what is displayed to the user:

    • If Code of Conduct is enabled, the user must acknowledge a Code of Conduct pop-up to continue (EPM > Settings > Windows Settings > Endpoint > INSTRUCTIONS).

    • If Require approval is OFF, the approval steps are skipped (EPM > Settings > Windows Settings > Authorization > AUTHORIZATION > Admin Session).

  3. The request is submitted to the IT administration team and the user is advised accordingly:

  4. The IT administration team is notified via the Admin By Request portal that a new request for administrator access has arrived.

    The following example shows how two new requests might appear in the portal:

  5. One of the team either approves or denies the request. If approved, the user is advised accordingly:

  6. The user clicks Yes, which starts the session and displays a countdown timer:

  7. The duration of an admin session is set via the portal (15 minutes in this example) and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

How do I get started on Linux?

Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.

For more information, please refer to Getting Started  in our Documentation Center.

Are there any prerequisites for the Linux CLI?

The Linux command line interface requires the following:

  1. The CLI commands are designed for the command line. If run inside a graphical interface's terminal window, certain commands will defer to the GUI version.

  2. Using the CLI requires Admin By Request for Linux version 3.1.9 or greater.

Refer to Prerequisites for more information.

What is the process for uninstalling ABR on a Linux machine?

Use the following process to uninstall Linux from an endpoint. Note that you must know the root password for the endpoint:

  1. Shutdown and reboot the computer.

  2. Try any of the following:

    • If your computer boots using BIOS, press and hold down the Shift key while GRUB is loading.

    • If your computer boots using UEFI, press the Escape key (Esc) while GRUB is loading.

    • As you’re booting the computer, wait for the manufacturer logo to flash from the BIOS. If your computer boots too quickly, you’re going to need to do this immediately after powering it on. Quickly press the Escape key.

    The timing has to be near perfect on some computers, so you may have to press the key repeatedly. If you miss the window, reboot and try again.

  3. At the GRUB boot menu. you’ll see an entry for “Advanced Options ...”. Select it and press Enter.

  4. Choose the most recent recovery mode option and press Enter.

  5. If a menu similar to that shown below appears, choose the option that gets you to a shell prompt:

  6. At the Password: prompt, enter the root password..

  7. Now you can uninstall Admin By Request for Linux by executing the following command:

    apt -y purge abr-* && apt -y autoremove

Why is the Linux app not installing on Ubuntu (and there are no error messages)?

The most likely reason the Linux client fails to install is because the system has broken dependencies from earlier failed installations.

The first thing the Admin By Request Linux installer script does is run update + upgrade, to make sure the system is fully (and successfully) up-to-date. If anything fails during that process, then ABR will not install correctly. Check the system logs and resolve any outstanding failed installations before continuing with ABR install.

Is sudo supported on both Mac and Linux endpoints?

sudo is supported on both Mac and Linux endpoints - this is controlled in the portal.

To enable sudo support for macOS, go to Endpoint Privilege Management > Settings > Mac Settings > Lockdown > ADMIN SESSION and make sure Allow sudo terminal commands is ON.

To enable sudo support for Linux, go to Endpoint Privilege Management > Settings > Linux Settings > Lockdown > SUDO and make sure Allow sudo terminal commands is ON. You can then further control non-sudoers and sudo interactive sessions.

What's happened to Applications in Linux Global Settings?

The portal has recently undergone some changes and reorganization. What was Applications is now known as App Control and is found at Settings > Linux Settings > App Control, as indicated in the screenshot:

From here, you can PRE-APPROVE or BLOCK applications by clicking New entry and providing the relevant details.

Why is the Linux client so small (only ~14Kb downloaded)?

The Linux installation file is a script made in Python. It's a text file - you can open it with Window's Notepad to see its content.

Due to the name of the file ending with ".0", Windows sees this file as a ".0" file type, contra a Linux file system, which simply sees it as a normal data file.

How do I download and install the Linux client?

To download and install the Admin By Request Linux endpoint client:

  1. Download the Linux client from https://account.adminbyrequest.com/ABRDownload and store the client file in a suitable temporary location.

  2. If you haven’t already, start a terminal session and make sure the file is executable:

    Copy 
    chmod +x 'abr-installer'

  3. Run the installation script:

    Copy 
    sudo ./'abr-installer'

  4. When the installation completes, the Admin By Request icon appears in the top right corner of the screen. Click the icon to show details about the client or start an Admin Session.

Installation is now complete.

Portal


  • Admin Portal
  • Remote Access
  • Connectivity



What is AI Approval?

AI Approval allows our AI scoring system to auto-approve trivial Run As Admin requests for common applications.

At the time of writing, our app database comprises more than 12 million known applications. Each of these is scored by our AI engine in real-time based on popularity, reputation and trends. If, for example, the App score is enabled at 20, it means that any request is auto-approved if the App score is 20 or above.

Refer to AI Approval for more information.

In the portal, what are "product views"?

A "product view" is the information displayed in the portal for that product.

The portal customizes the information displayed depending on the product selected. The information available for display across all menus (Summary, Auditlog, Requests, Inventory etc.) is called the "view" for that product:

  • The menu selection Endpoint Privilege Management  shows the product view for managing local admin rights on your endpoint clients.

  • The menu selection Secure Remote Access  shows the product view for managing your endpoints that can be remotely accessed.

How do I change my password in the portal?

To change your password in the portal, click the User Account drop-down in the header on any page.

Refer to Header parts for more information.

When do clients sync with the portal?

By default, endpoint clients synchronize with the portal approximately every four hours. If an immediate sync is needed on a particular client, you can achieve this by opening Admin By Request from the tray tool (Windows) or menu bar (macOS and Linux) and selecting About Admin By Request.

At the same time, you should verify that connectivity is OK by clicking the Connectivity button.

Refer to Synchronizing Clients with the Portal for more information, or if you are having problems with synchronization.

Can I setup sub-administrators to see only parts of the data?

Yes. You can set a scope for portal logins to only see and approve part of the data based on the end user or computers groups or Organizational Units.

For example, an administrator in a region could be set up to only see and approve requests and data from computers in his/her own scope, assuming for example that all computers are in a specific Organizational Unit.

Refer to Logins for more information.

Can I add more IT people to approve requests and see the auditlog?

Yes. In the portal, you can create additional logins for more people. You can also define which roles they have, such as read-only view, whether or not they can edit settings, access to the audit log and if the person is allowed to approve requests.

In the portal, go to Logins > User Logins > New user.

Refer to Logins for more information.

How do I pre-approve an app using the Auditlog?

Admin By Request allows for quick pre-approval of trusted applications from the Auditlog. Pre-Approval is based on the application vendor or checksum, visible when the Application Control screen is displayed (step 3 below).

NOTE:

At the time of writing, this functionality is not available for Linux clients.

Once an application has been installed on an endpoint with Admin By Request:

  1. Log in to the portal and navigate to the application’s corresponding entry in the portal Auditlog.

  2. Expand on the application entry, and select Pre-approve this file under Actions:

  3. On the Application Control screen, modify any settings as required. For more information on pre-approval settings, refer to the Settings Table below.

  4. Click Save verify that the app has been added to the list of pre-approved applications.

For example, the following applications are pre-approved:

How do I turn off everything except logging?
IMPORTANT:

Turning off everything effectively means giving users back their local admin rights. Think about this carefully before doing it.

To turn off everything except logging actions to the Auditlog, you need to:

  1. Authorization: turn On  Allow Run As Admin and turn Off all other toggles

  2. Authorization: turn On  Allow Admin Sessions and turn Off all other toggles.

  3. Authorization: make the Access time (minutes) a large number that covers most of the day. For example, 480 minutes (8 hours).

  4. Lockdown: turn Off  Revoke admin rights.

For more information, refer to Authorization tab under Windows Settings.

You can also check out the WHIZ usage persona for a 10-minute video on how to accommodate developers or power users.

Do I need to approve each time a user wants admin access?

You do not need to approve each time a user wants admin access. You can use a setting after sign-in to allow elevation without approval. In this case, you still get the benefits of auditing; who elevated, when, and an auditlog of installed software and executed applications.

In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Code of Conduct message/screen that will appear just before the session starts. The Code of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.

Change this setting in the portal at Settings > [OS] Settings > Authorization > AUTHORIZATION.

Can I force clients to sync with the portal?

By default, endpoint clients synchronize with the portal approximately every four hours. If an immediate sync is needed on a particular client, you can achieve this by opening Admin By Request from the tray tool (Windows) or menu bar (macOS and Linux) and selecting About Admin By Request.

At the same time, you should verify that connectivity is OK by clicking the Connectivity button.

Refer to Synchronizing Clients with the Portal for more information, or if you are having problems with synchronization.

Can I add my company logo (if so, where)?

You can add your company logo to both the portal and the dialog boxes that users see on their endpoints. The setting is in the portal at Endpoint Privilege Management > Settings > Windows Settings > Endpoint > BRANDING.

Refer to Branding tab under Windows Settings for more information.

Are other customers typically using auto-approval mode?

Yes.

The most typical pattern we see for new customers is that they start with approval required. Then after an initial period, when the psychological effects on end users are clear and there is reassurance end users do not violate rules, they shift to auto-approval mode combined with reason requirement and Code of Conduct screen.

This is the point where the whole administrator access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.

Code of Conduct screen

You do not need to approve each time a user wants admin access. You can use a setting after sign-in to allow elevation without approval. In this case, you still get the benefits of auditing; who elevated, when, and an auditlog of installed software and executed applications.

In auto-approval mode, you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity. You can (and should) also enable the Code of Conduct message/screen that will appear just before the session starts. The Code of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing administrator elevation.

Change this setting in the portal at Settings > [OS] Settings > Authorization > AUTHORIZATION.

What if I want a manager IT to approve some requests?

You can set a scope for portal logins to only see part of the data based on the end users or computers groups and/or Organizational Units.

For example, sales managers can be set up to only see users and computers in sales. They will then only get approval requests from their own staff. You can also set up a manager to not have approval ability, but only the ability to see the auditlog for his/her own staff.

How would I setup an external auditor?

You can create a portal user account that can see only the auditlog and, optionally, the inventory. No other data will be visible.

I'm an MSP – how can I give my customer a limited view?

To give a user a limited view within the portal, you simply create a user account that cannot approve requests. This way, your customer can see the data you choose without the ability to approve requests.

If you have on-premise remote gateways configured, you can also remove access to the portal entirely by limiting user access to those computers accessible via the relevant gateway. This is controlled in the admin portal under setting Logins > User Logins, EDIT or New user, tab ACCOUNT, heading Rights, field Limit to access.work.

NOTE:

If you don't see field Limit to access.work, you have not yet configured an on-premise gateway.


How can I stop devices from taking up Remote Access licenses?

Clicking the drill-down link opens an inventory-style list of all devices accessible via this gateway. Devices can be entered manually or they can be discovered.

Devices can be ACTIVE or INACTIVE and are displayed in the corresponding tab:

  • ACTIVE: able to be connected to via Unattended Access and consume a license.

  • INACTIVE: are not able to be connected via Unattended Access and do not consume a license.

Use the Disable/Enable links to make a device active/inactive respectively.

Use the Search button to search for devices in large lists and the Export buttons to export data in the format shown.

Refer to Devices (n) for more information.

What is Remote Support?

Remote Support is part of the Secure Remote Access product by Admin By Request, that allows you to share screens and remotely control devices inside of your Admin By Request inventory, while using all of the well-known features of the Admin By Request ecosystem, such as: inventory, auditlog, settings and sub-settings, approval flows etc.

Remote Support allows either end users or IT admins to initiate a secure, just-in-time, remote support session – allowing them to share and control the end-user's device – and tear everything down once the session is done – eliminating any access points for bad actors.

This document covers getting started with Product Enrollment and Remote Support. It also describes key settings that can be administered from the portal.

Refer to Remote Support Overview for more information.

How does Remote Support work?

Remote Support is based on the same gateway concept as the Unattended Access gateway, which is also part of the Admin By RequestSecure Remote Access product. It allows a just-in-time setup between the gateway and the endpoint by establishing a secure Cloudflare tunnel.

Once the tunnel is established, a just-in-time server session is created on the endpoint – allowing for screen sharing and remote control via the browser.

Once the session is terminated or expires, the tunnel and the server session are terminated, leaving the endpoint in the same state as before the remote support session.

The setup is fully cloud-based and does not require any on-premise setup besides what’s mentioned in the prerequisites:



The flow for a Remote Support session can be initiated either by an end user or by an IT administrator via the portal .

Refer to How does Remote Support work? for more information.

What is a "self-hosted implementation"?

A self-hosted implementation  means that you run Unattended Access  on-premise inside your own infrastructure, including the ability to run Docker containers. To establish a secure tunnel, your infrastructure must also allow outbound connections to Cloudflare.

Refer to How do I setup a Self-hosted Implementation? for more information.

What is a "managed service"?

A managed service  is a way of operating Unattended Access  so that your infrastructure allows an outbound connection to establish a secure tunnel from your respective endpoints and that these have the Admin By Request endpoint client installed.

Refer to How do I setup a Managed Service? for more information.

How do I remotely access a computer?

Before trying to remotely access a device, make sure all setup has been done and the gateway to your device is "live". Refer to Getting Started with Unattended Access for more information on prerequisites and setting up gateways.

To remotely access a device:

NOTE:

In order to allow Admin By Request to connect to your endpoints, they need to allow traffic on the following ports:

  • RDP - 3389

  • SSH - 22

  • VNC - 5900 and 5901

  1. From the portal, head over to your Inventory and make sure you're in the Secure Remote Access view. Select an endpoint with the Admin By Request client installed:

  2. Click the Remote link for this endpoint, enter User name  and Password  and click Connect:

After a few seconds, the connection appears directly in your browser.

Where is the CLOUD tab?

The CLOUD tab becomes visible only when an on-premise gateway is created. If no on-premise gateway exists, Unattended Access will use the managed service option, which is enabled by default and requires no configuration.

Configuring an on-premise gateway means disabling the cloud gateway (see How do I setup a Self-hosted Implementation?) which is why the CLOUD tab becomes available when a gateway is created.

What is Vendor Access?

Vendor Access, also known as access.work  (https://access.work), is a feature of Secure Remote Access that allows users to connect to devices through their browsers without  needing access to the Admin By Request Portal.

Refer to Using Vendor Access for more information.

How do I enable Unattended Access?

Via the portal:

  1. To enable Unattended Access, log in to the Admin By Request portal and head over to Secure Remote Access > Settings > Unattended Access Settings.

  2. Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access  is turned On:

Refer to Getting Started with Unattended Access for more information.

How do I get started with Unattended Access?

Getting started with Unattended Access is simply a matter of enabling it in the portal:

  1. To enable Unattended Access, log in to the Admin By Request portal and head over to Secure Remote Access > Settings > Unattended Access Settings.

  2. Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access  is turned On:

For more information, refer to Getting Started with Unattended Access.

What is Unattended Access?

Unattended Access is a feature of Secure Remote Access that allows you to connect remotely to your servers and network endpoints directly from your browser, using a lot of the well-known Admin By Request features like: inventory, auditlog, settings and sub-settings, approval flows, integrations etc.

The implementation of Unattended Access can use either a "Cloud" or an "On-premise" gateway, eliminating the need for VPN and jump servers, while still maintaining a secure and segregated setup.

This document covers getting started with Product Enrollment, Unattended Access and Vendor Access. It also describes key settings that can be administered from the portal.

Refer to Unattended Access Overview for more information.

What is Product Enrollment?

Product enrollment is the mechanism of determining which Admin By Request licenses – and hence product capabilities – should be available to specific endpoints.

Refer to Product Enrollment for more information.

How does "Test Drive" work?

The Test Drive mode allows a portal user to cherry pick which devices are enrolled with the selected product. This can either be done by specifying a computer group scope or by manually picking devices.

Refer to Product Enrollment (Test Drive) for more information.


Is an Internet connection required?

This may be surprising, but no. The client is only required to have an occasional  internet connection (like a guest WIFI anywhere). The reason is, clients will ask the cloud service roughly once a day for current settings. The client then knows your current rules in case the user needs to elevate offline. If you then have auto-approval on, the client will allow the user to become administrator temporarily and will queue the data locally and log what has been done, including date & time, installed applications, exe files run as administrator and so on.

Once the client has an internet connection again, it will flush the queue to the cloud service and all data is uploaded. This means that the client works exactly the same whether online or offline. The only difference is the time the reporting data becomes available in the cloud service.

Does it work with Entra ID / Azure AD joined machines?

Yes.

Refer to ENTRA ID / AZURE AD tab for details on how to setup the Entra ID Connector and Integrations > Single Sign-On (SSO) for details on setting up SSO.

Why are notification emails not being sent?

The most likely cause is an incorrect email address, either from misspelling or inadvertent entry of extra characters that are not visible. This is particularly true if notifications have been configured for the ABR mobile app and they are being sent correctly, but notifications via email are not.

Remove the email address and re-enter it, then try the operation again.

Does it work without a domain?

Yes

How can you possibly know where my computers are?

When data is sent to the server, the sender IP address is cross-referenced to internet service provider (ISP) registration data. The expected accuracy is at a city level.

Should I be concerned about internet bandwidth consumption?

Do not be concerned about Internet bandwidth consumption. This has always been a primary focus on the development side, because metered connections still exist in some places in the world and, if the connection is bad, we don’t want to consume bandwidth.

Inventory data is collected intelligently, so only delta data is collected. If nothing changes from day to day and the user does not request admin elevation, no traffic happens. The actual data transferred from the client to the cloud service is minimal. If you take a random client and divide the traffic from typical use for a month, divide by days, we are talking about 5K of data per day. Or said in another way, you can expect a thousand machines to consume only about 150 megabytes of bandwidth per month.

What if approval is required and the user is offline?

In this case, the client cannot allow the elevation and you cannot see an approval request. The client will intelligently determine it is indeed offline (i.e. has no Internet access) and, on the approval screen, a note will automatically appear telling the user that elevation can happen only if the user either seeks an internet connection or, if not possible, contact IT and get a daily PIN code. The PIN code is a code the client and server know without having communication. The PIN code will appear in the left menu on computer details in the inventory if you enable approval mode.

General


  • Licensing
  • Security



How do I get started?

Visit web page Download the Free Plan and register for a free plan (up to 25 endpoint devices and 10 server licenses). We will email you login credentials, which you can use to access the Admin Portal using the Login button at the top.

Once logged-in, click Download on the portal top menu and download an .msi file (Windows) or a .pkg file (macOS/Linux) to install on your computer endpoints.

After login, you can adjust any settings as you wish to see how they affect the privileges granted to end users. You can also view an audit log and a full software and hardware inventory of your clients. Finally, there is a mobile app, which is also free.

For more information, please refer to Getting Started  in our Documentation Center.

How can I try before buying?

From the Admin By Request home page, click Download the Free Plan to start on a free plan. You can use the free plan for proof of concept without using trial-ware. If you need more licenses for proof of concept, please contact us.

What's the catch with the free plan?

There is no catch with the free plan. You can freely use the full product in your production environment on up to 25 workstations and 10 servers in your organization.

How does Admin By Request pricing work?

The first 25 workstation (and 10 server) clients are always free - you can start with those right now. For a paid plan, it depends how many clients you need and which types they are (i.e. server or workstation). Please use the quote form here and we will return a quote today.

How do I upgrade to a paid plan?

Please use the quote form here and we will return a quote today. If you purchase a paid plan, we will upgrade your free plan to a paid one on-the-fly without you having to do anything.

What does the paid plan cost?

The first 25 workstation (and 10 server) clients are always free - you can start with those right now. For a paid plan, it depends how many clients you need and which types they are (i.e. server or workstation). Please use the quote form here and we will return a quote today.

How many licenses do I need?

The number of licenses you need depends on how many endpoints you wish to manage at your organization. Please use the quote form here and we will return a quote today.

Do I need two different licenses for Windows and Mac?

No.

You buy a number of Workstation licenses and these can freely be mixed between Windows, Mac and Linux. In other words, you need one license for each installed endpoint.

Is the mobile app free?

The mobile app is free - find it in the Apple App or Google Play stores.

What are the minimum requirements for the mobile app?

The iPhone app works on iOS 10.0+. Android version works on version 4.4+ (KitKat).

How can I get a demo?

Visit web page Book a Demo, fill out and submit the form, and we will get back to you asap. We can usually schedule a demo next business day.

How do I get in touch with an account manager?

When you request a free plan, you will get an email from us that you can respond to, asking any questions you might have.

If you did not receive an email, please use our contact details page (Contact Sales) to send us a message, and we will contact you.

How do I recover licenses?

Licenses are automatically removed after 60 days for inactive endpoints. If you don't want to wait that long, there are several other ways:


How is data transferred to the cloud service?

This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.

For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

Who can see devices in my tenant?

The only people who can see devices in your tenant are the primary login that was first used to register with Admin By Request and the users listed in the portal under Logins > User Logins.

The installer file downloaded from the portal is unique to your tenant. Depending on the target operating system, it can be an executable file, a package or a script and it is signed with a license that applies only  to installers downloaded from the tenant in which you are currently logged-in. The same license file is applied to each of the operating system client installers: Windows, macOS, Linux and Server.

This is true for free plans as well as paid plans.

When installed on an endpoint, once the endpoint connects successfully, you will see in real time the status of the endpoint in your Inventory, which is also unique to your tenant. You will not see other endpoints installed with files downloaded from other tenants - this is simply not possible.

Which IP addresses are endpoints communicating with?

Admin By Request uses port 443 and the IP addresses and URLs that need access through firewalls are as follows.

If your data is located in Europe:

  • IP: 104.45.17.196

  • DNS: api1.adminbyrequest.com

  • DNS: macapi1.adminbyrequest.com

  • DNS: linuxapi1.adminbyrequest.com

If your data is located in the USA:

  • IP: 137.117.73.20

  • DNS: api2.adminbyrequest.com

  • DNS: macapi2.adminbyrequest.com

  • DNS: linuxapi2.adminbyrequest.com

If you wish to remotely access endpoints using Unattended Access  and Remote Support:

  • Outbound MQTT broker connectivity via Websockets- port 443 for the following:

    • FastTrackHubEU1.azure-devices.net (if your data is located in Europe)

    • FastTrackHubUS1.azure-devices.net (if your data is located in the USA)

  • For Unattended Access, RDP needs to be enabled on port 3389 on the device

How do I let users keep full access, but log what they do?

Allowing your users to retain full access rights is equivalent to turning off all Admin By Request's protections.

IMPORTANT:

Turning off everything effectively means giving users back their local admin rights. Think about this carefully before doing it.

To turn off everything except logging actions to the Auditlog, you need to:

  1. Authorization: turn On  Allow Run As Admin and turn Off all other toggles

  2. Authorization: turn On  Allow Admin Sessions and turn Off all other toggles.

  3. Authorization: make the Access time (minutes) a large number that covers most of the day. For example, 480 minutes (8 hours).

  4. Lockdown: turn Off  Revoke admin rights.

For more information, refer to Authorization tab under Windows Settings.

You can also check out the WHIZ usage persona for a 10-minute video on how to accommodate developers or power users.

Which data is collected?

This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.

For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

How do you store the data?

This is fully explained in How We Handle Your Data. Please also refer to our SLA in the Trust Center.

For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

What regulatory frameworks do you support?

Admin By Request can help you comply with a number of regulatory frameworks, including GDPR, ISO 27001, NIST SP 800-53, DORA and NIS2. We continually assess frameworks for compatibility and use their requirements as one of the inputs to our development process.

Refer to Compliance Mapping for more information.

Are you fully GDPR compliant?

Yes. For more information on how Admin By Request meets its compliance obligations and helps your organization do the same, refer to Compliance Mapping.

Which IP addresses are used to send webhooks?

The following IP addresses are used to send webhooks:

  • If your data is located in Europe: 104.40.134.41 and 40.91.214.18

  • If your data is located in the USA: 13.90.244.80 and 40.121.45.3

Which IP addresses are used to send notification emails?

All emails are sent from noreply@fasttracksoftware.com. We use Twilio SendGrid to send emails and the dedicated IP address is: 149.72.185.15.

Can Admin By Request help with stolen computers?

Yes.

Once a stolen machine is booted and communicates with the Inventory, the public IP address of the thief’s router becomes available. The endpoint client does not require anyone to log on to a computer to upload data, so when the thief simply turns on the computer, inventory data is sent transparently. You can now see the public IP address and upload time in your client view and give this to the police. The police can then get the name and address of the IP address owner from the thief’s internet service provider (ISP).

Have you published any CVEs for Admin By Request?

Yes, we have published two CVEs in 2019. These were found by Improsec in September 2019 in the production version 6.1. We notified our customers and released version 6.2 on October 11th 2019 with fixes for these two vulnerabilities.

For more information, refer to CVE-2019-17201 and CVE-2019-17202.

NOTE:

We generally have two separate companies run penetration tests before every major release. We also get copies on a monthly basis of clean reports executed secretly by customers.

I'm a Penetration Tester - how do I contact you with findings?

Please use our contact details page Get in Touch > Something Else to report your findings.

NOTE:

The scope of a vulnerability has to be escalation of privileges from a non-administrator user to obtain admin rights.

What happens when I delete a computer?

All collected data associated with the computer is deleted.

NOTE:

When a computer is deleted from the Inventory, make sure that its endpoint client software is removed .If the computer is subsequently powered on with a network connection, and the endpoint client is still installed, the computer will show up again and re-upload inventory data.