
Frequently Asked Questions (FAQ)

While deploying a policy in strict mode, it can be configured to permit user requests by enabling the option 'Allow users to request applications which are unmanaged'.

Endpoint Privilege Management

What is Endpoint Privilege Management?
Endpoint Privilege Management is the process of granting users application-specific privileged access based on their requirements. With this feature you can adopt the principle of least privilege throughout your network without affecting productivity: it grants privileged access to individual applications without exposing privileged credentials or elevating privileges unnecessarily.
When should I enable application level privileged access to users?
Using the Endpoint Privilege Management feature, you can elevate the application-specific privileges of selected users without exposing privileged credentials or raising their organization-wide privilege level.
What is the significance of the 'Run as Application Control Plus' option that is displayed in the File menu of a few applications?
The 'Run as Application Control Plus' option is displayed to standard users whose endpoints were added to Custom Groups that were associated with the Privileged Application List during policy deployment. By selecting this option, the standard users can run said applications as administrators without entering any extra credentials, even while they remain as standard users with minimum privileges.
I added an application to the Privileged Application List in the Privilege Management module, but it is not being elevated when run. Why is that?

These are the suggested resolution techniques:
 

  • Only allowlisted applications can be elevated, even if they are present in the Privileged Application List. Check whether the application in question is allowlisted for the target user-device.
  • Ensure that you selected 'Yes' for the Associate Privileged Application List option during policy deployment.
  • Only standard users can run applications with elevated privileges using the 'Run as ManageEngine' option. Administrators will have to use their credentials as usual, even if the Privileged Application List is associated with them. Lowering their privileges to the standard user type remedies this.
  • Modify the Privileged Application List to enable elevation for "All allowlisted application"; this can serve as an intermediate fix. Also try elevating other applications on the endpoint to assess the extent of the issue.
  • If nothing works, you can upload the agent logs from the "C:\Program Files (x86)\DesktopCentral_Agent(or UEMS_Agent)\logs" for us to analyze. Specifying if only a single application has the issue or if it is prevalent with all apps can help us fix it sooner.
How does the elevation of applications using the Endpoint Privilege Management feature work?
Allowlisted applications that are added to the Privileged Application List can be run with elevated privileges by the user-devices in the custom groups associated with them. Even standard users can run such applications as administrators, because the feature elevates the privileges of the application, not of the user.
Will an application added to the Privileged Application List and associated to a Custom Group during policy deployment execute on the target machines if it isn't allowlisted for them?
No, it has to be allowlisted for it to be executed.
How does application elevation work when all allowlisted applications or specific applications are selected?
If elevation is enabled for all allowlisted applications, or for the specific applications selected with the 'Allow users to elevate all applications' option turned on, those applications can be elevated directly without additional justification, while the others can be elevated only after a reason is provided.

Removal of Admin Rights

What are local admin accounts?

User accounts in computers can be classified as standard user accounts and local admin user accounts. Local admin accounts enable users to accomplish management activities on their local computers, whereas standard user accounts grant minimal to no management privileges. Here are a few capabilities that local admin accounts possess:
 

  • Installing and uninstalling any software
  • Adding or removing devices like printers
  • Creating, deleting or modifying files, folders, and other computer settings
  • Creating accounts for other users on the computer
What are built-in administrator accounts?
Windows machines come with built-in administrator accounts. They can be used to set up other standard user and local admin accounts initially. These accounts also have privileges similar to the local admin account. However, unlike local admin accounts, they can never be deleted from the machine, only disabled.
How can a new administrator account be added to a machine where all local administrator privileges have been revoked?

If all local administrator rights have been removed from a machine, a new administrator account can be added using the Application Control Plus console. Follow these steps:

  1. Navigate to the Application Control Plus console -> Tools -> System Manager.
  2. Click the agent live status icon and select System Manager (This option will appear only when the agent is live).
  3. Select Groups -> Administrators.
  4. Add the members.

You can verify the addition of the administrator account through either of the following methods:

  • At a command prompt, run `net localgroup Administrators` to list all members of the Administrators group.
  • Open Windows Run and type `lusrmgr.msc`. Go to Groups > Administrators, and the added member will be listed under the Administrators group.

(Screenshot: Admin View)
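The two manual checks above confirm a single addition. When admin rights are being removed fleet-wide, the same check is worth running unattended so that any account that reappears in the local Administrators group is noticed. The following PowerShell script is an added example, not part of the Application Control Plus documentation: it compares the group's current membership against an approved list and exits non-zero on drift. The approved list (`Administrator` and `CONTOSO\Domain Admins`) is a hypothetical placeholder.

```powershell
# Added example: audit the local Administrators group against an approved list.
# Requires Windows PowerShell 5.1 or later (Get-LocalGroupMember, Microsoft.PowerShell.LocalAccounts).
param(
    # Hypothetical approved list; replace with the principals your policy allows to remain administrators.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", "CONTOSO\Domain Admins")
)

function Get-AdminDrift {
    param([string[]]$ApprovedMembers)

    # Each member exposes Name (COMPUTER\User or DOMAIN\User), ObjectClass (User/Group)
    # and PrincipalSource (Local/ActiveDirectory/AzureAD).
    $members = @(Get-LocalGroupMember -Group 'Administrators')

    $unexpected = @($members | Where-Object { $ApprovedMembers -notcontains $_.Name })
    $missing    = @($ApprovedMembers | Where-Object { $members.Name -notcontains $_ })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Members    = @($members.Name)
        Unexpected = @($unexpected | ForEach-Object { "$($_.Name) ($($_.ObjectClass), $($_.PrincipalSource))" })
        Missing    = $missing
    }
}

$report = Get-AdminDrift -ApprovedMembers $Approved
$report | Format-List

# A non-zero exit code lets a scheduled task or monitoring job alert on unexpected administrators.
if ($report.Unexpected.Count -gt 0) {
    Write-Warning "Unexpected local administrators on $($report.Computer): $($report.Unexpected -join ', ')"
    exit 1
}
exit 0
```

Run it from an elevated prompt (`Get-LocalGroupMember` needs to read the local SAM), or schedule it through the console's own script deployment. Unexpected entries are reported with their object class and source, so a domain group nested into the local group is distinguished from a locally created user.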