Admin By Request version 7 Exploring What’s New?

Admin By Request version 7 - What's New?

Admin By Request version 7 for Windows workstations introduced some radical changes to the product design to better aid the user experience. So let us explore what has changed.

This blog post is about the current release of Admin By Request client version 7 for Windows 10 workstations which is globally available since 16th November 2020.

For those who are not familiar with Admin By Request, you can read my previous post on the same.

Still let’s start with a short insight into the product for the benefit of all.

[Recap] Get to know Admin By Request

Admin By Request from Fastrack Software is a Privileged Access Management (PAM) solution for your Windows 10 and Mac endpoints (and also Windows Servers if you are interested!).

Admin By Request allows revoking local admin rights from the end-users on the managed workstations without interrupting the normal work habits.

For actions that require elevated permissions, it provides an on-demand elevation of privilege on request which can be controlled and time-restricted, while maintaining a full audit trail.

The service utilizes the OPSWAT MetaDefender Cloud service to provide real-time cloud threat detection capabilities.

Admin By Request is a complete SaaS service hosted in Microsoft Azure as such you can be assured of service SLA and Compliance. Check out the Admin By Request Trust Center.

The product can be easily incorporated into your Zero-Trust strategy.

ADMIN BY REQUEST COMES WITH A FULLY FUNCTIONAL FREE PLAN

Admin By Request comes with a lifetime Fully Functional FREE Plan allowing you 25 licenses to evaluate the product in your environment.

You just need to sign-up for the Free Plan with your work email address.

Admin By Request comes with a Lifetime Fully Functional FREE Plan with 25 licenses to help you evaluate the product in your environment.
Admin By Request comes with a Lifetime Fully Functional FREE Plan with 25 licenses to help you evaluate the product in your environment.

Read more about the AdminByRequest licensing FAQs.

What’s New with Admin By Request version 7

Having worked with Admin By Request client version 6.3.7 and 6.4 for Windows 10 workstations, it seems that the engineering team received a good amount of feedback which made them re-work some client features.

The end result is a significantly improved end-user experience.

To help you understand the differences, this blog post compares the deprecated version 6.4 vs the current version 7 of the Admin By Request client for the Windows 10 platform.

So let’s check what’s new.

New Desktop Logo for easy identification

First thing you would notice about the Admin By Request Windows client version 7 is the new unique desktop icon to help end-users recognize that the current Windows session is under the effect of Admin By Request.

Admin By Request client version 7 comes with a new ABR branded desktop icon as compared to the standard UAC desktop icon used by the previous client.

This is a welcome change from the previous client version of Admin By Request where the icon was a standard UAC icon.

A unique logo helps in better product relatability as well as gives the product an own identity than using a Windows standard icon.

Consider the most common IT workplace scenario where the end-users desktop screen is stashed with several items. When you compare, the new logo of Admin By Request version 7 makes it much easier for the end-user to recognize if the current windows session is under the effect of Admin By Request or not.

Modern UI – Look and Feel of the new client

Admin By Request Windows client version 7 offers a modern UI experience as it uses the latest Windows 10 design guides.

Admin By Request version 7 – The new client offers modern UI experience which can be further controlled by the IT Admin from the portal.
Admin By Request version 7 – The new client offers modern UI experience which can be further controlled by the IT Admin from the portal.

Auto-detect will detect the current Windows mode (light or dark) set as per user preference and will follow the same, unless the Admin has specifically configured the look and feel of the client to either

  • Gray which relates to Windows mode Light, or
  • Black which relates to Windows mode Black (Windows default now).
Admin By Request version 7 – The new client follows the user preference for the Windows mode.

The pop-up window displays the application name for which elevation is being requested

When requesting for Run as admin to run an application with elevated privilege with the deprecated Admin By Request client version 6, it starts with a pop-up window as shown below.

Admin By Request older client version – Did not display the name of the application/process which is being elevated.
Admin By Request older client version – Did not show the name of the application/process which is being elevated.

The old client pop-up window did not display what application the request was being made for, or what application was being elevated.

However, things have been changed with the current Admin By Request Version 7.

The pop-up window generated by the new client do display the application/program name for which the Run as admin request is being made or processed.

Admin By Request version 7 – The new client shows the name of the application/process which is being elevated.
Admin By Request version 7 – The new client shows the name of the application/process which is being elevated.

End-User Experience:

Admin By Request new client version 7 vs the old client version 6.4

Note: In the portal, under Run as admin settings, Require reason is set to On, and Require approval is set to Off.

Below snap shows my Global Scope with no sub-settings scopes configured.

Admin By Request portal showing the Authorization settings as configured.
Admin By Request portal showing the Authorization settings as configured.

Requesting Run as admin with the old client (version 6.4) used to bring up a client-generated window to prompt the end-user to provide a reason for requesting elevation.

For the new (current) client version 7, requesting Run as admin prompts user with a Windows UAC prompt window instead to provide elevation reason.

Admin By Request Old client vs New client: Prompt to request elevation reason from end-user

Considering that the end-user provided a reason and clicked on OK, there comes the next pop-up window known as the Code of Conduct window.

Below shows the Code of Conduct window for the old client (version 6.4) vs the new client version 7.

Admin By Request Old client vs New client: Code of Conduct Window

Noticed the branding! A subtle change in the UI from the client version 6.4. The windows generated by the (current) client version 7 are more modern compared to the deprecated client.

Now for the old client (version 6.4), after clicking on OK,  it always used to throw up a Windows UAC window to prompt the user to provide and confirm end-user credentials.

Once the user entered the credentials and clicked on Yes, post validating the same, the program in context was allowed to execute with elevated privilege.

Admin By Request old client version 6.4 – UAC Window to confirm user credential. (Required for the old client in all conditions)

But with the new (current) client (version 7), after clicking on OK, there can be two scenarios

  • The program will start with elevated privilege. (When UAC is set to Confirmation)
  • There will be another UAC screen requesting to confirm credentials post which the application/program will start with elevated privilege. (When UAC is set to Credentials)

These two scenarios as stated above is what brings us to the next radical design change of the product that was introduced with Admin By Request client version 7 for Windows workstations.

Admin By Request version 7 – Utilization of the Windows UAC to confirm Elevation request

Admin By Request version 7 allows a new option to either utilize the Windows User Access Control (UAC) to confirm elevation requests from the end -user or require the user to provide Credentials as usual like the old version.

This commands some planning on the Global Settings and Sub Settings scope level to implement in the environment, considering the security and usability.

Till client version 6.4 of Admin By Request,

Run as admin enforced a credential verification to ensure that the audit captures the correct user identity for the corresponding elevation request. This was by design to comply with legal audits.

However, for advanced IT end-users who require to invoke Run as admin more frequently (developers, IT staff, etc.), filling the credential verification prompt every time is cumbersome and does tend to get in the way of work, hindering the modern desktop experience.

Listening to the feedback, with Admin By Request version 7, the product engineering team introduced the new feature to utilize the Windows UAC prompt to confirm an elevation request instead of asking for credential verification.

Admin By Request version 7 introduced the new feature to utilize the Windows UAC prompt to confirm an elevation request instead of requiring credential verification.
Admin By Request version 7 introduced the new feature to utilize the Windows UAC prompt to confirm an elevation request instead of requiring credential verification.

Thus with Global Settings scope and one or more Sub Settings scope in place, IT Admin can plan to have most users to verify elevation requests via credentials while still be able to allow only trusted and advanced IT users to confirm elevation requests without requiring to provide credentials.

With below configuration in the Admin By Request portal,

  • under Run as admin settings > Require reason and Require approval both is set to Off
  • under Endpoint settings > UAC is set to Confirmation

For Admin By Request client version 7, requesting Run as admin for an application results in the below UAC prompt.

Admin By Request version 7 when configured can utilize the Windows UAC prompt to the end-user to confirm an elevation request.
Admin By Request version 7 when configured can utilize the Windows UAC prompt to the end-user to confirm an elevation request.

Clicking on Yes starts the requested application with elevated privilege. There is no credential input required by the end-user.

This is definitely more convenient for advanced and trusted end-users since it saves the annoying time required to input credentials every time an elevation is requested.

Improved Elevation Performance for pre-approved Applications with the new client

With the old deprecated version of the Windows client for Admin By Request (version 6.x), the end-user required to provide credentials even when starting a pre-approved application using Run as admin.

Since the application in context is already pre-approved by IT Admin, this complexity of requiring credentials impacted the performance – time required to elevate a pre-approved app was higher.

With the current Windows client for Admin By Request (version 7), if UAC is set to Confirmation, the end-user is not required to provide credentials. Instead, the end-user is prompted with the Windows UAC prompt to confirm the elevation action when starting a pre-approved application with Run as admin.

A pre-approved application now starts in an elevated context when invoked as Run as admin by end-user without requiring any further inputs, provided you have UAC set to Confirmation.

A pop-up notification window will appear over the System Tray to let the end-user know the application is running with elevated privilege under the effect of Admin By Request, which disappears after 3 seconds.

With the new client Admin By Request version 7, pre-approved applications now start in an elevated context when invoked as Run as admin without requiring any further inputs from the end-users, provided UAC is set to Confirmation.

This radically improves elevation performance requiring much lesser time to elevate a pre-approved application, thereby improving the end-user experience.

Reduced client size helps save bandwidth

The size of the current Windows client – Admin By Request version 7 is significantly smaller than the old deprecated client version 6.4, making client deployments lighter on the network bandwidth.

Admin By Request version 7 – The new Windows client is lighter than the previous old clients which makes it easy on the bandwidth consumption when deploying clients at scale.
Admin By Request version 7 – The new Windows client is lighter than the previous old clients which makes it easy on the bandwidth consumption when deploying clients at scale.

The End

Hope after reading this, you would have a better clarity of what has been worked upon, enhanced and changed with the Admin By Request cleint version 7 for Windows workstations.

Well that was all for today.