Introduction
End-User Elevation (EUE) allows end-users to temporarily elevate their privileges to perform administrative tasks.
Our implementation uses a structured approval process where technicians can review and approve or deny elevation requests.
Prerequisites
- End User Elevation enabled by your Account Rep
Contact your Rep - Configure your CyberQP Dashboard to Support Elevation
https://support.getquickpass.com/hc/en-us/articles/26113522980759-Configuring-End-User-Elevation - Technician Level Access to the Customer and End User accounts
End User Elevation Usage
-
Submit an Elevation Request
- Using the credentials for an end-user account that's imported into one of your enabled customers, log into any of the following system types:
AD Member, AD Workstation, Server, Workstation. - Attempt to run a executable that will cause the UAC prompt to display on screen. (EG: Run the install file for Acrobat Reader, Notepad++,...)
- Observe how the UAC prompt will appear including our special content to request for an End-User Elevation. A new section should appear on the UAC prompt that reads "Request Admin Access"
- Fill in the "reason" field and click "OK"
Alternatively, the End User can request elevation from the Tray Icon
- Using the credentials for an end-user account that's imported into one of your enabled customers, log into any of the following system types:
-
Review and Approve/Deny Request
- As the technician, In CyberQP, navigate to your tenant sidebar > "Elevation Requests" (or click into "Active Requests") from the main Dashboard page.
- An email will be submitted to the email address(es) supplied when configured:
https://support.getquickpass.com/hc/en-us/articles/26113522980759-Configuring-End-User-Elevation - Clicking the link at the bottom of the email will take the technician directly to the Elevation Requests page.
- An email will be submitted to the email address(es) supplied when configured:
- Review the pending request that will appear at the top of the screen or received via email.
- Click the request > Select a Duration > Click "Approve".
Once the Activation of the Elevation has been approved, the status on the CyberQP Dashboard will change to "Awaiting User Activation"
- As the technician, In CyberQP, navigate to your tenant sidebar > "Elevation Requests" (or click into "Active Requests") from the main Dashboard page.
-
Activate and Observe
- When the request is approved from CyberQP, the end-user should activate the elevation via the desktop notification or email link.
NOTE: Clicking the link in the email or the Elevation Tray icon will open in the End User's default web browser. Ensure that the End User is using a modern browser. - Once the end-user "activates" their approved request they will immediately be added to the local "Administrators group" for that system and the countdown timer will begin.
- Once the timer runs out, CyberQP will remove the group addition. CyberQP will automatically revoke the "Administrators group" from the end-user.
- When the request is approved from CyberQP, the end-user should activate the elevation via the desktop notification or email link.
- The End User would then run the application or adjust the system setting that they were attempting to launch. Since the CURRENT session for the End User has not been elevated, they will have to populate the Username and Password field with their credentials.
Only the process that was just launched will have the Elevated Permissions. This applies for any system changes or applications that the End User makes during the period the timer is running. Each administrative action will require the End User to enter their credentials. - Once the End User has completed the actions that they needed the elevation for, they can either allow the timer to expire OR they can click the "Finish Now" button in the lower left corner of their screen.
- When the timer runs out or the Finish Now is clicked, the permissions will be removed from the Local Administrator group and any additional Elevation that is needed, will require a new Elevation request be submitted. The End User can close the pop up with the X in the corner.
- Once completed, the Elevation request, on the CyberQP Dashboard, will be moved to the "Completed Requests" section.
- When the timer runs out or the Finish Now is clicked, the permissions will be removed from the Local Administrator group and any additional Elevation that is needed, will require a new Elevation request be submitted. The End User can close the pop up with the X in the corner.
FAQs
- What if an End User logs out or reboots their system while the account is Elevated?
- An End user will be logged off with a warning timer after the Elevation Timer runs out. This will ensure that the session with Elevated permissions is ended and the End User will no longer have Admin privileges.
- What happens if the system is shutdown or the agent is offline before the timer runs out?
- A retry of the removal of the Admin privileges will be attempted when the Agent comes back online. This will follow the above mentioned process to ensure the End User is no longer an Administrator.
- Will process based or digital signature based Elevation be provided by CyberQP?
- Future updates to the Elevation suite will include whitelisting of processes via Digital Signature.
- How Long is an Elevation request email link valid for?
- A request to the MSP from an End User is valid for 24 hours.
- An approved request from the MSP back to the End User does not expire.
Comments
0 comments
Please sign in to leave a comment.