Usage guide: Manage local admin permissions

The Manage local admin permissions library pack enables IT teams to:

  • Automate the approval and revocation of local admin rights.

  • Reduce the risk of security breaches by ensuring admin access is strictly temporary.

  • Improve IT operational efficiency by minimizing manual intervention.

  • Strengthen compliance with IT policies through automated logging and auditing.

  • Provide employees with a seamless and timely process for requesting admin privileges.

Library pack uses

Jump to Use cases on this page to see relevant scenario applications.

Use the library pack content for the following purposes.

Visibility

This library pack focuses on the Manage local admin permission workflow. It streamlines the process of granting and revoking temporary local administrator privileges. All actions are logged in the IT service management (ITSM) ticketing system, ensuring a complete audit trail for compliance and security purposes.

Workflow triggering

This workflow is designed to be initiated on a specific device during a support call with an employee, or in response to a request for temporary local admin privileges. It can be triggered from device view or from Amplify. The workflow uses the Incident number parameter to track progress against the ITSM ticket.

Use cases

In addition to the relevant use cases covered below, you may uncover other troubleshooting scenarios specific to your environment.

Initial compliance check

Granting local administrator rights to a user, even for a temporary period, carries significant risk and can be abused. Any change of this nature must be recorded in ITSM, and a ticket must already exist before this workflow is launched. The workflow includes a parameter for the ticket ID, which is entered when the workflow is executed.

To ensure that the user making the request is the same person using the device, an additional step is required. The workflow contains a parameter for the username, which must be filled in at the point of execution. The workflow checks this username against the currently logged-in user on the device and proceeds only if they match.

The final check is authorization by the user's manager, obtained by sending the manager an MS Teams message and waiting for the response.

Grant local admin permission, and set a delay

If all compliance checks pass and manager approval has been granted, the user is granted local administrator privileges on the device. This is achieved with separate remote actions for Windows and macOS devices. In both cases the outcome of the remote action is verified, and the ITSM ticket is updated if it fails.

Following successful execution of the remote action, the ITSM ticket is updated and the user is informed, allowing them to perform the local task that prompted the ticket. A custom-defined time delay (defaulting to 30 minutes) then starts.

Removal of local admin permissions

To minimize the risk associated with elevated permissions, the workflow resumes after the predefined delay and revokes the local admin permission on the device using the same operating system-specific remote actions used earlier.

The execution of each remote action is checked, and any failures are logged in ITSM for further investigation and manual revocation of admin rights.

If the process is successful, the ITSM ticket is updated and then closed.
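The Windows side of the three device steps above (the logged-in user check, the grant, and the later revoke) can be implemented as a single remote action script such as the following. This is an added example and not the library pack's own remote action; the parameter names ($Username, $Action, $IncidentNumber), the exit codes, and the log-line format are assumptions, and the script must run with local administrator (or SYSTEM) rights, as remote actions on Windows normally do.

```powershell
# Added example (not the library pack's own remote action). One script covers the
# requester check, the grant and the revoke described above; the workflow calls it
# with -Action Grant before the delay and -Action Revoke after it.
# Parameter names, exit codes and log format are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Username,        # user named in the ITSM request
    [Parameter(Mandatory = $true)][ValidateSet('Grant', 'Revoke')][string]$Action,
    [Parameter(Mandatory = $true)][string]$IncidentNumber   # ticket ID echoed into every log line
)

$ErrorActionPreference = 'Stop'
# Well-known SID of the local Administrators group; avoids locale-dependent group names.
$AdminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Write-Log([string]$Message) {
    # One line per event so the workflow can copy the output into the ITSM ticket verbatim.
    Write-Output ("[{0}] {1} {2}" -f (Get-Date -Format o), $IncidentNumber, $Message)
}

function Get-ShortName([string]$Account) {
    # Normalise DOMAIN\user, user@domain and plain user to a bare lower-case account name.
    if ($Account -match '\\') { $Account = $Account.Split('\')[-1] }
    elseif ($Account -match '@') { $Account = $Account.Split('@')[0] }
    return $Account.Trim().ToLowerInvariant()
}

function Test-IsLocalAdmin([string]$Account) {
    # Re-read group membership each time so the post-condition check reflects reality.
    foreach ($m in (Get-LocalGroupMember -SID $AdminsSid)) {
        if ((Get-ShortName $m.Name) -eq (Get-ShortName $Account)) { return $true }
    }
    return $false
}

# Compliance check: the requester named in the ticket must be the interactive user on this device.
$LoggedOn = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $LoggedOn) {
    Write-Log 'FAIL no interactive user is logged on; cannot verify requester'
    exit 2
}
if ((Get-ShortName $LoggedOn) -ne (Get-ShortName $Username)) {
    Write-Log "FAIL requester '$Username' does not match logged-on user '$LoggedOn'"
    exit 3
}

switch ($Action) {
    'Grant' {
        if (Test-IsLocalAdmin $LoggedOn) {
            # Stop here: a later Revoke would strip a standing membership the ticket never covered.
            Write-Log "FAIL '$LoggedOn' is already a local administrator; escalate in ITSM instead"
            exit 4
        }
        Add-LocalGroupMember -SID $AdminsSid -Member $LoggedOn
        if (-not (Test-IsLocalAdmin $LoggedOn)) {
            Write-Log 'FAIL grant did not take effect'
            exit 5
        }
        Write-Log "OK granted temporary local admin to '$LoggedOn'"
    }
    'Revoke' {
        if (Test-IsLocalAdmin $LoggedOn) {
            Remove-LocalGroupMember -SID $AdminsSid -Member $LoggedOn
        }
        if (Test-IsLocalAdmin $LoggedOn) {
            # The workflow logs this failure in ITSM for manual revocation.
            Write-Log 'FAIL revoke did not take effect; manual removal required'
            exit 6
        }
        Write-Log "OK '$LoggedOn' is no longer a local administrator"
    }
}
exit 0
```

Two points worth keeping in mind when adapting this. First, the "already a member" branch is deliberate: if the workflow granted rights to someone who was already an administrator, the scheduled revoke would remove a standing entitlement that the ticket never authorized, so the script refuses and leaves the decision to a human. Second, Windows evaluates group membership when a logon token is created, so the existing desktop session's token is unchanged by the grant; the new membership applies to new logon sessions, including the credential prompt that UAC shows when the user elevates. The macOS remote action would follow the same shape (check the console user, add to and remove from the admin group, verify, and exit non-zero on any failure) so that the workflow's failure branch updates the ITSM ticket on either platform.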

