Admin by Request - Getting Started/How To

About Admin by Request (ABR)

Admin by Request is installed on all TTI workstations and is enabled by default for all TTI users. This use includes the two primary methods detailed in this article: Run as Admin and Requesting Admin Session. Using these features does not require any special access or group membership. The Run as Admin feature allows you to run individual apps without needing a timed session that must be renewed and should be the most commonly used feature. Those applications should be automatically approved for elevation. Less commonly used applications may not be automatically approved and sent to NIS for a brief approval process. Similarly, Requesting Admin Session access will require a brief review and approval by NIS, so we encourage trying to run an application as administrator before trying to request an admin session.

If you believe that you will need enhanced and more frequent access to run applications as administrator for more than occasional access, please complete this form for review by NIS Security and Compliance: Administrative Access Request : TTI Help Desk. If approved, this will grant access to run applications and admin sessions without the need for review by NIS. This form will need to be renewed each year and is required for reporting to the State of Texas. We highly encourage the use of the two primary methods for ABR use before requesting enhanced administrative access.

Once installed, Admin by Request runs in the background for as long as the endpoint is powered-on. Selecting the app from the tool tray (or launching from the desktop if the shortcut is installed) launches the user interface, which comprises a simple window with five buttons down the left-hand side:

The default panel is About Admin By Request, which is accessed via the top button. It shows the current workstation edition, license details, website link, and copyright information.

Click the About button to get back to this panel if viewing one of the other panels.

Requests are typically reviewed and approved within 15-30 minutes. However, please allow up to 1-2 hours for review of requests and applications that are not automatically approved.

Using Run as Admin

Run As Admin (also known as App Elevation) allows for the elevation of a single application.

This capability negates the need for users to initiate an Admin Session. Elevating privileges for execution of a single file is the much safer option compared to elevating the user’s privileges across the endpoint.

A standard user executing a program that requires elevated privileges to install initiates the following sequence of events.

Download the file for installation.
Start the installation by right-clicking and selecting Run as Administrator:
Admin By Request suspends installation and asks for phone, email, and optional reason. Enter these details and click OK to continue:
A notification now advises that the request for approval has been sent:
When the request is approved, a further notification advises the request has been approved:
Now the installer has the elevated privileges required to run - click Yes to start authorized installation with elevated privileges.

The elevated privileges last only for the duration of the installation and apply only to the specific application or package authorized.

Requesting Administrator Access (Admin Session)

Administrator Access (also known as Session Elevation) allows for elevated privileges system-wide for a predefined amount of time (session duration).

Any user given full session elevation gets full local admin rights on their system. Full session elevation mode is ideal for situations such as when elevated access to ‘system’ resources such as drivers or printers etc. is required, when a user needs elevation only for a specific amount of time, or when a Developer requires the use of multiple elevated applications.

Requesting administrator access is also known as requesting an Admin Session, which is a time-bound period during which a standard user has elevated privileges and can carry out administrator-level tasks.

As with About Admin by Request, users can double-click the Admin by Request desktop icon, or select the icon from tray tools to display the menu and select Request administrator access:

Submitting a request for administrator access is the primary mechanism for gaining elevated privileges.

A standard user making this selection where approval is required initiates the following sequence of events.

A request Administrator Access form appears:
Please enter your TTI email, phone and reason information into the form and click OK

The request is submitted to NIS for review:
The IT administration team is notified via the Admin by Request portal that a new request for administrator access has arrived.

The following example shows how two new requests might appear in the portal:
One of the team either approves or denies the request. If approved, the user is advised accordingly:
The user clicks Yes, which starts the session and displays a countdown timer:
The duration of an admin session is set to 15 minutes per TTI security standards, and the countdown timer ticks down to zero, at which time the session ends. The user can optionally end the session at any time once it has started by clicking Finish.

During an Admin Session, users can install programs requiring admin rights, install drivers and change system settings other than user administration.

All activity during the elevated session is audited and logged and may be reviewed by IT Administrators. The activity includes elevation request reasons, anything installed, uninstalled, or executed.

No Internet/Offline Computers

Admin By Request functions seamlessly whether a computer is online or offline. Key settings like portal configurations, domain groups, and organizational units (OUs) are stored locally on the device. Any data generated while offline is queued and automatically synchronized once the computer reconnects to the internet. This ensures a consistent user experience both on your local network and when working remotely without internet access.

PIN Code

When approval is required for a request and the computer is offline, the pending request remains invisible until the device reconnects to the internet and processes the queue. While this situation is uncommon, it can occur if a computer stays offline for an extended period.

Example:

Red Cross Scenario: Workers in remote areas may be offline for weeks. Their computers will queue data until they reconnect. If a request needs approval, users must either wait for internet access or use an alternative connection method, such as a phone hotspot.

Emergency PIN Code Request:

Step 1: The user requests a PIN code and receives a 6-digit "PIN 1."
Step 2: The user contacts the Help Desk (979-317-2345) Monday through Friday 8am-5pm (CST) to obtain a corresponding 6-digit "PIN 2."
Security: PIN 2 is uniquely generated using PIN 1, the customer ID, and the computer name, ensuring security even if PIN 1 is duplicated on another device.

This streamlined process allows users to proceed with urgent requests securely, even when internet connectivity is unavailable.