Deployment Guide: AdminByRequest EPM for Workstations
AdminByRequest (ABR) is an Endpoint Privilege Management (EPM) solution designed to manage and control local administrative rights on user devices, providing secure ways to elevate privileges when necessary. The platform operates through a cloud-based management portal and agents deployed on endpoint devices such as workstations, laptops, and servers.
AdminByRequest supports Windows, macOS, and Linux devices, making it suitable for diverse IT environments. Here’s a step-by-step deployment guide to implement AdminByRequest EPM effectively across your organization.
1. Architecture Overview
- Cloud-Based Management Portal: AdminByRequest's centralized portal allows administrators to manage settings, policies, and users.
- Endpoint Agents: Agents installed on each device interact with the portal to enforce policies, collect data, and handle privilege elevation requests.
2. Setting Up the Tenant
The first step is to set up your AdminByRequest tenant:
- Sign up or access your existing tenant from the AdminByRequest portal.
- Complete the basic configuration of the tenant, ensuring all relevant organization information and settings are updated.
This step ensures that your organization is ready to deploy agents and manage devices.
The AdminByRequest agent communicates with the portal over port 443. The IP addresses and URLs that need access through your firewalls are listed below. This is agent-to-portal traffic only, not vice versa.
If your data is located in Europe:
- IP: 104.45.17.196
- DNS: api1.adminbyrequest.com
- DNS: macapi1.adminbyrequest.com
- DNS: linuxapi1.adminbyrequest.com
If your data is located in the USA:
- IP: 137.117.73.20
- DNS: api2.adminbyrequest.com
- DNS: macapi2.adminbyrequest.com
- DNS: linuxapi2.adminbyrequest.com
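Before rolling out agents, the firewall rules above can be verified from a representative workstation. The following is an added example, not AdminByRequest's own tooling: it completes a verified TLS handshake on port 443 against each hostname listed in this guide. The function names and the "eu"/"us" region keys are assumptions of this example.

```python
import socket
import ssl
import sys

# Hostnames listed in this guide (agent-to-portal traffic, TCP 443 only).
ENDPOINTS = {
    "eu": ["api1.adminbyrequest.com", "macapi1.adminbyrequest.com",
           "linuxapi1.adminbyrequest.com"],
    "us": ["api2.adminbyrequest.com", "macapi2.adminbyrequest.com",
           "linuxapi2.adminbyrequest.com"],
}
PORT = 443


def tls_probe(host, port=PORT, timeout=5.0):
    """Open a TCP connection and complete a verified TLS handshake.

    Returns (ok, detail). A certificate failure often means a TLS-inspecting
    proxy sits in the path and its CA is not trusted by this machine.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:  # DNS failure, timeout, refused, reset, other TLS errors
        return False, f"{type(exc).__name__}: {exc}"


def check_region(region, probe=tls_probe):
    """Probe every hostname for one data region; return {host: (ok, detail)}."""
    if region not in ENDPOINTS:
        raise ValueError(f"unknown region {region!r}; expected {sorted(ENDPOINTS)}")
    return {host: probe(host) for host in ENDPOINTS[region]}


def blocked_hosts(results):
    """Hosts that failed the probe, sorted, for a firewall change request."""
    return sorted(h for h, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    results = check_region(sys.argv[1] if len(sys.argv) > 1 else "eu")
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{PORT}  {detail}")
    sys.exit(1 if blocked_hosts(results) else 0)
```

The script exits non-zero when any hostname is unreachable, so it can gate an automated rollout step.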
3. Connecting AdminByRequest to Entra ID (Azure AD)
To integrate AdminByRequest with your user directory:
- Navigate to the Settings in AdminByRequest and select Connect to Entra ID (Azure AD).
- Follow the prompts and grant AdminByRequest the necessary permissions to access the users, groups and devices in your Azure AD (Entra ID) tenant.
This integration allows for single sign-on (SSO) for admin users to the management portal, and allows you to select groups of users from Entra ID to assign policies (sub-settings) to.
4. Adjust Global Settings to Retain Admin Rights Initially
Initially, it’s important to disable the automatic revocation of admin rights to gather data before restricting access:
- Go to the Global Settings tab and disable the Revoke Admin Rights setting.
This lets users keep their admin rights temporarily while the system collects data about elevated processes and applications.
5. Deploying Agents on Workstations
There are two ways to deploy the AdminByRequest agents:
Manual Deployment:
- Download the agent from the AdminByRequest portal.
- Run the installer on each endpoint manually or use a script to automate installation across multiple devices.
MDM Platform Deployment:
- For environments using an MDM solution such as Microsoft Intune, create a new App Package in your MDM platform.
- Upload the AdminByRequest agent, configure deployment settings, and assign it to your device groups for automatic installation.
6. Data Collection Phase
After deploying agents, it is recommended to wait a week to collect data on the software and processes that users elevate on their devices:
- AdminByRequest will log all elevation requests, providing insights into which applications are elevated most frequently.
This information is critical for building your pre-approved apps list in the next step.
7. Building a Pre-Approved Apps List
Once you’ve gathered data on elevated applications, it’s time to configure your pre-approved apps list:
- Navigate to the Admin Portal and review the logs for common applications users elevate.
- Begin creating a pre-approved list, which ensures that users can elevate specific applications without needing approval, minimizing interruptions.
AdminByRequest offers several ways to pre-approve applications:
- Pre-Approved Based on Certificate: Any version of a software signed with a trusted certificate can be allowed to run without needing explicit approval. This is useful for allowing applications across versions.
- Pre-Approved Based on Checksum: You can allow specific applications based on their checksum, providing strict control over which exact versions can be elevated.
- Pre-Approved Based on Location: AdminByRequest allows you to approve applications from specific local or remote locations, such as a file server. This ensures that only apps installed or run from trusted locations are elevated.
- Forced Elevation for Legacy Apps: For older applications that don’t support User Account Control (UAC), you can configure AdminByRequest to force elevation for these apps, ensuring they still run securely despite their lack of UAC support.
This flexibility ensures that the right applications are approved for elevation in a way that best suits your environment and security needs.
If the software is required for all users, you can approve it in the Global Settings. If it is required only for a group of users, it can be approved in the specific sub-setting assigned to that group. When using sub-settings, any apps that have been pre-approved in the Global Settings are also available for elevation.
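To turn the week of collected data into a pre-approval shortlist, the elevation log can be aggregated per application. The following is an added example, not part of AdminByRequest: the CSV columns and sample rows are constructed and do not reflect the product's real export format, and the mapping from log data to a pre-approval method is a heuristic assumed here.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are hypothetical and do not
# reflect AdminByRequest's actual audit-log export format.
SAMPLE_LOG = """user,application,publisher,sha256
alice,Example Editor Setup.exe,Example Software Ltd,aa11
bob,Example Editor Setup.exe,Example Software Ltd,bb22
carol,Example Editor Setup.exe,Example Software Ltd,bb22
alice,LegacyERP.exe,,cc33
dave,LegacyERP.exe,,cc33
bob,setup.exe,,dd44
erin,setup.exe,Example Corp,ee55
erin,OneOffTool.exe,,ff66
"""


def suggest_preapprovals(log_text, min_elevations=2):
    """Rank elevated apps and suggest a pre-approval method for each.

    Heuristic (an assumption of this example, not vendor guidance):
      - one consistent publisher on every record -> "certificate"
      - unsigned, but a single binary hash       -> "checksum"
      - anything else (mixed signers or hashes)  -> "review"
    Apps elevated fewer than min_elevations times stay on manual approval.
    """
    apps = defaultdict(lambda: {"count": 0, "users": set(),
                                "publishers": set(), "hashes": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        a = apps[row["application"]]
        a["count"] += 1
        a["users"].add(row["user"])
        a["publishers"].add(row["publisher"].strip())
        a["hashes"].add(row["sha256"].strip().lower())

    suggestions = []
    for name, a in apps.items():
        if a["count"] < min_elevations:
            continue
        if len(a["publishers"]) == 1 and "" not in a["publishers"]:
            method = "certificate"
        elif a["publishers"] == {""} and len(a["hashes"]) == 1:
            method = "checksum"
        else:
            method = "review"
        suggestions.append((name, a["count"], len(a["users"]), method))
    # Most frequently elevated first; name breaks ties deterministically.
    return sorted(suggestions, key=lambda s: (-s[1], s[0]))
```

In the sample, the generic `setup.exe` name appears with two different hashes and inconsistent signing, so it is sent to review rather than pre-approved by name.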
8. Configuring Tray Tools (Control Panel Applets)
AdminByRequest allows you to add tray tools, which are small applets accessible from the AdminByRequest agent icon in the user’s taskbar:
- Add Control Panel applets like "Network Settings" or other useful system tools.
These tray tools provide users with quick access to essential settings without requiring admin rights.
9. Gradually Revoke Admin Rights
After building the pre-approved apps list, it’s time to gradually revoke admin rights:
- Go back to Global Settings and enable the Revoke Admin Rights option.
- Start with small user groups and gradually expand as you refine the settings based on user feedback.
It’s essential to monitor user behavior closely during this phase to ensure they can perform necessary tasks without unnecessary disruptions.
10. Sub-Settings Based on Groups
AdminByRequest supports sub-settings based on groups, offering more granular control over specific user groups or devices. These groups can be:
- Local AD groups or Entra ID groups: Assign policies based on user roles or departments, whether in a local AD or Azure AD (Entra ID) environment.
- Device Groups: Apply settings based on device groupings.
In local AD environments, you can also configure settings based on Organizational Units (OUs). This flexibility ensures tailored security measures based on the group or device.
- Global Settings apply to all devices, while sub-settings override global policies for specific groups or devices.
- Workgroup devices automatically follow the Global Settings.
11. Handling Feedback and Adjustments
During the admin rights revocation process, some users may encounter User Account Control (UAC) prompts or be unable to perform certain tasks:
- Adjust your pre-approved apps list or policies as needed.
- Continue gathering feedback from users to refine settings.
12. Applying Helpdesk Policies
Helpdesk teams require greater flexibility to support users, so you should configure a separate policy for them:
- Allow helpdesk employees to elevate any application after approval, but ensure that an approval workflow is in place.
This ensures that helpdesk teams can efficiently resolve issues without security risks.
13. Using the Admin Rights Report and Break-Glass Feature
AdminByRequest provides an Admin Rights Report to identify any remaining users with local admin privileges:
- Review the report and ensure all local admin accounts are removed.
- Use the break-glass feature to allow emergency admin access when necessary, without permanently restoring admin rights.
14. Mobile App for Helpdesk Teams
Helpdesk teams can use the AdminByRequest mobile app to approve ad-hoc elevation requests on the go:
- Ensure the app is installed and configured for your helpdesk team, allowing them to approve requests quickly from anywhere.
15. Connecting to a Ticketing System or Communication Tools
AdminByRequest integrates with ticketing systems or communication platforms like Slack and Teams:
- Configure the platform to send elevation requests and approval workflows directly to your preferred ticketing or communication system.
This ensures that requests are logged and responded to efficiently within your existing workflows.
16. Integrating with SIEM Solutions
For better security monitoring and incident response, integrate AdminByRequest with your organization’s SIEM solution:
- SIEM platforms like Microsoft Sentinel, Splunk, or QRadar can receive logs from AdminByRequest, providing real-time insights into elevated privilege activities and potential security threats.
17. Additional Tweaks
- The EPM platform has two methods of elevation. Run-As-Admin is single-process elevation; it is best to have a request and approval mechanism in place for it. The other method, Admin-Session, gives the user full admin rights on the device. Admin Session is usually not granted to end users and should only be used by the helpdesk team, since you can already pre-approve anything the user needs.
By following this guide, you will ensure a smooth and secure deployment of AdminByRequest EPM across your organization, providing tailored privilege management, minimizing disruption to users, and maintaining strong security practices across all devices.