Deployment Guide AdminByRequest EPM for Workstations
Overview
AdminByRequest (ABR) is an Endpoint Privilege Management (EPM) solution designed to manage and control local administrative rights on user devices, providing secure ways to elevate privileges when necessary. The platform operates through a cloud-based management portal and agents deployed on endpoint devices such as workstations, laptops, and servers.
AdminByRequest supports Windows, macOS, and Linux devices, making it suitable for diverse IT environments. Here’s a step-by-step deployment guide to implement AdminByRequest EPM effectively across your organization.
Architecture Overview
| Component | Function | Business Value |
|---|---|---|
| Cloud-Based Management Portal | Centralized administration for settings, policies, and users | Single pane of glass management |
| Endpoint Agents | Enforce policies, collect data, handle privilege elevation requests | Real-time security enforcement |
Step 1: Setting Up the Tenant
The first step is to set up your AdminByRequest tenant:
- Sign up or access your existing tenant from the AdminByRequest portal
- Complete the basic configuration of the tenant, ensuring all relevant organization information and settings are updated
This step ensures that your organization is ready to deploy agents and manage devices.
Network Requirements
For the AdminByRequest agent to communicate with the portal, the following IP addresses and DNS names must be reachable through firewalls on port 443. This is agent-to-portal traffic only, not vice versa.
European Data Region
| IP Address | DNS Names | Purpose |
|---|---|---|
| 104.45.17.196 | api1.adminbyrequest.com | Primary API endpoint |
| | macapi1.adminbyrequest.com | macOS agent communication |
| | linuxapi1.adminbyrequest.com | Linux agent communication |
USA Data Region
| IP Address | DNS Names | Purpose |
|---|---|---|
| 137.117.73.20 | api2.adminbyrequest.com | Primary API endpoint |
| | macapi2.adminbyrequest.com | macOS agent communication |
| | linuxapi2.adminbyrequest.com | Linux agent communication |
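The following pre-deployment check is an added example, not AdminByRequest tooling. It tests from a workstation whether each listed DNS name resolves, whether the resolved address still matches the IP in the tables (only where a row lists one), and whether outbound TCP 443 is open. The function names and the result layout are assumptions of this example.

```python
import socket

PORT = 443
# Hosts and IPs as listed in the tables above; None = no IP shown on that row.
ENDPOINTS = {
    "EU": [("api1.adminbyrequest.com", "104.45.17.196"),
           ("macapi1.adminbyrequest.com", None),
           ("linuxapi1.adminbyrequest.com", None)],
    "US": [("api2.adminbyrequest.com", "137.117.73.20"),
           ("macapi2.adminbyrequest.com", None),
           ("linuxapi2.adminbyrequest.com", None)],
}

def _resolve(host):
    """Return the set of IPv4 addresses the host currently resolves to."""
    infos = socket.getaddrinfo(host, PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def _connect(host, timeout=5.0):
    """Open and close a TCP connection to host:443; raises OSError on failure."""
    with socket.create_connection((host, PORT), timeout=timeout):
        return True

def check_region(region, resolve=_resolve, connect=_connect):
    """Test each endpoint of one data region from this machine (outbound only)."""
    results = []
    for host, listed_ip in ENDPOINTS[region]:
        row = {"host": host, "dns": False, "ip_matches": None, "tcp_443": False}
        try:
            ips = resolve(host)
            row["dns"] = True
            if listed_ip is not None:
                # A mismatch means an IP-based firewall rule may not cover this host.
                row["ip_matches"] = listed_ip in ips
            row["tcp_443"] = bool(connect(host))
        except OSError:
            pass  # the step that failed stays False
        results.append(row)
    return results

def blocked(results):
    """Hosts the agent could not reach: what the firewall change must fix."""
    return [r["host"] for r in results if not (r["dns"] and r["tcp_443"])]

if __name__ == "__main__":
    for region in ENDPOINTS:
        for row in check_region(region):
            print(region, row)
```

Run it from a machine on the same network segment as the target workstations, and only for the data region your tenant uses, so the firewall rule stays limited to that region's endpoints.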
Step 2: Connecting AdminByRequest to Entra ID (Azure AD)
To integrate AdminByRequest with your user directory:
- Navigate to the Settings in AdminByRequest and select Connect to Entra ID (Azure AD)
- Follow the prompts and grant AdminByRequest the necessary permissions to manage access for users, groups and devices through your Azure AD (Entra ID) tenant
This integration allows for:
| Feature | Capability | Business Impact |
|---|---|---|
| Single Sign-On (SSO) | Seamless authentication for admin users | Improved user experience |
| Group-Based Policies | Select groups from Entra ID for policy assignment | Granular access control |
Step 3: Adjust Global Settings to Retain Admin Rights Initially
Initially, it’s important to disable the automatic revocation of admin rights to gather data before restricting access:
- Go to the Global Settings tab and disable the Revoke Admin Rights setting
With the setting disabled, users keep their admin rights temporarily while the system collects data about elevated processes and applications.
Step 4: Deploying Agents on Workstations
There are two primary methods for deploying the AdminByRequest agents:
Manual Deployment
| Step | Action | Consideration |
|---|---|---|
| Download Agent | Get agent from AdminByRequest portal | Ensure correct platform version |
| Installation | Run installer manually or via script | Suitable for small environments |
MDM Platform Deployment
| Step | Action | Advantage |
|---|---|---|
| Create App Package | Set up in MDM solution (e.g., Intune) | Automated deployment |
| Assign to Groups | Target specific device groups | Scalable management |
Ideal for: Large organizations with established MDM infrastructure
Step 5: Data Collection Phase
After deploying agents, it is recommended to wait a week to collect data on the software and processes that users elevate on their devices:
- AdminByRequest will log all elevation requests, providing insights into which applications are elevated most frequently
This information is critical for building your pre-approved apps list in the next step.
Step 6: Building a Pre-Approved Apps List
Once you’ve gathered data on elevated applications, it’s time to configure your pre-approved apps list:
- Navigate to the Admin Portal and review the logs for common applications users elevate
- Begin creating a pre-approved list, which ensures that users can elevate specific applications without needing approval
Approval Methods
| Method | Use Case | Security Level |
|---|---|---|
| Certificate-Based | Allow any version of software signed with trusted certificate | Medium security, flexible |
| Checksum-Based | Allow specific application versions based on checksum | High security, precise control |
| Location-Based | Approve apps from specific local or remote locations | Network-based security |
| Forced Elevation | Legacy apps without UAC support | Compatibility solution |
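As an added example (not part of AdminByRequest), the sketch below turns a week of elevation records into pre-approval candidates and picks between the certificate-based and checksum-based methods from the table above. The record fields, the `min_users` threshold and the "manual review" outcome are assumptions of this example, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed elevation records. Field names are assumptions for illustration,
# not the AdminByRequest log schema; signer None means the file is unsigned.
SAMPLE_LOG = [
    {"user": "alice", "app": "vpn-setup.exe", "signer": "Example VPN Ltd", "checksum": "c1"},
    {"user": "bob", "app": "vpn-setup.exe", "signer": "Example VPN Ltd", "checksum": "c2"},
    {"user": "carol", "app": "vpn-setup.exe", "signer": "Example VPN Ltd", "checksum": "c2"},
    {"user": "alice", "app": "legacy-erp.exe", "signer": None, "checksum": "e1"},
    {"user": "dave", "app": "legacy-erp.exe", "signer": None, "checksum": "e1"},
    {"user": "bob", "app": "tool.exe", "signer": "Example Tools Inc", "checksum": "t1"},
    {"user": "erin", "app": "tool.exe", "signer": None, "checksum": "t9"},
    {"user": "erin", "app": "game-mod.exe", "signer": None, "checksum": "g1"},
]

def suggest_preapprovals(records, min_users=2):
    """Return [(app, method, detail)] for apps elevated by at least min_users users."""
    apps = defaultdict(lambda: {"users": set(), "signers": set(), "sums": set(), "n": 0})
    for rec in records:
        entry = apps[rec["app"]]
        entry["users"].add(rec["user"])
        entry["signers"].add(rec["signer"])
        entry["sums"].add(rec["checksum"])
        entry["n"] += 1

    out = []
    # Most frequently elevated applications first.
    for app, e in sorted(apps.items(), key=lambda kv: (-kv[1]["n"], kv[0])):
        if len(e["users"]) < min_users:
            continue  # one-off request: leave it on the approval workflow
        if len(e["signers"]) > 1:
            # Same file name seen with different signing state: do not pre-approve blindly.
            out.append((app, "manual review", sorted(e["sums"])))
        elif None in e["signers"]:
            # Unsigned: only the exact observed versions can be allowed.
            out.append((app, "checksum", sorted(e["sums"])))
        else:
            # Consistently signed: one rule covers every observed version.
            out.append((app, "certificate", sorted(e["signers"])))
    return out
```

The mixed-signer case is the one to look at by hand: a file name that appears both signed and unsigned is either two different programs or a modified binary, and neither should be pre-approved by name.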
Policy Application
- Global Settings: Apps required for all users
- Sub-Settings: Apps required for specific groups
- Inheritance: Global pre-approved apps are available in sub-settings
Step 7: Configuring Tray Tools (Control Panel Applets)
AdminByRequest allows you to add tray tools, which are small applets accessible from the AdminByRequest agent icon in the user’s taskbar:
- Add Control Panel applets like Network Settings or other useful system tools
These tray tools provide users with quick access to essential settings without requiring admin rights.
Step 8: Gradually Revoke Admin Rights
After building the pre-approved apps list, it’s time to gradually revoke admin rights:
- Go back to Global Settings and enable the Revoke Admin Rights option
- Start with small user groups and gradually expand as you refine the settings based on user feedback
It’s essential to monitor user behavior closely during this phase to ensure they can perform necessary tasks without unnecessary disruptions.
Step 9: Sub-Settings Based on Groups
AdminByRequest supports sub-settings based on groups, offering more granular control over specific user groups or devices:
Group Types
| Group Type | Source | Use Case |
|---|---|---|
| Local AD Groups | On-premises Active Directory | Traditional environments |
| Entra ID Groups | Azure Active Directory | Cloud-first organizations |
| Device Groups | MDM or device collections | Device-specific policies |
| Organizational Units | Active Directory OUs | Hierarchical management |
Policy Hierarchy
- Global Settings: Apply to all devices
- Sub-Settings: Override global policies for specific groups
- Workgroup Devices: Automatically follow Global Settings
Step 10: Handling Feedback and Adjustments
During the admin rights revocation process, some users may encounter User Account Control (UAC) prompts or be unable to perform certain tasks:
- Adjust your pre-approved apps list or policies as needed
- Continue gathering feedback from users to refine settings
Step 11: Applying Helpdesk Policies
Helpdesk teams require greater flexibility to support users, so you should configure a separate policy for them:
- Allow helpdesk employees to elevate any application after approval, but ensure that an approval workflow is in place
This ensures that helpdesk teams can efficiently resolve issues without security risks.
Step 12: Using the Admin Rights Report and Break-Glass Feature
AdminByRequest provides an Admin Rights Report to identify any remaining users with local admin privileges:
- Review the report and ensure all local admin accounts are removed
- Use the break-glass feature to allow emergency admin access when necessary, without permanently restoring admin rights
Step 13: Mobile App for Helpdesk Teams
Helpdesk teams can use the AdminByRequest mobile app to approve ad-hoc elevation requests on the go:
- Ensure the app is installed and configured for your helpdesk team, allowing them to approve requests quickly from anywhere
Step 14: Connecting to a Ticketing System or Communication Tools
AdminByRequest integrates with ticketing systems or communication platforms like Slack and Teams:
- Configure the platform to send elevation requests and approval workflows directly to your preferred ticketing or communication system
This ensures that requests are logged and responded to efficiently within your existing workflows.
Step 15: Integrating with SIEM Solutions
For better security monitoring and incident response, integrate AdminByRequest with your organization’s SIEM solution:
| SIEM Platform | Integration Benefit | Use Case |
|---|---|---|
| Microsoft Sentinel | Native Microsoft integration | Organizations using Microsoft stack |
| Splunk | Custom log parsing | Enterprise security operations |
| QRadar | IBM security ecosystem integration | Enterprise environments |
These platforms can receive logs from AdminByRequest, providing real-time insights into elevated privilege activities and potential security threats.
Step 16: Additional Tweaks
The EPM platform has two methods of elevation:
| Method | Description | Recommended Use |
|---|---|---|
| Run-As-Admin | Single process elevation | End users with approval workflow |
| Admin-Session | Full admin rights on device | Helpdesk team only |
Best Practice: Use Run-As-Admin for end users with proper approval mechanisms. Admin-Session should be restricted to helpdesk personnel since you can already pre-approve anything users need.
Conclusion
By following this comprehensive guide, you will ensure a smooth and secure deployment of AdminByRequest EPM across your organization, providing:
| Benefit | Outcome | Business Value |
|---|---|---|
| Tailored Privilege Management | Granular control based on roles and needs | Reduced security risk |
| Minimal User Disruption | Pre-approved applications and smooth workflows | Improved productivity |
| Strong Security Practices | Comprehensive audit trails and approval workflows | Enhanced compliance |
Key Takeaway: A phased approach to AdminByRequest deployment ensures successful privilege management while maintaining user productivity and security standards.