How to Configure Passwordless Admin Elevation

Key Points
Pre-Configuration
Creating a Privileged Application List & Deploying Policy
What happens after Deployment

Overview

This guide explains how to configure passwordless admin elevation in Application Control Plus using Endpoint Privilege Management (EPM). It focuses on enabling controlled, application-specific elevation so users can run approved programs with administrative rights without knowing or entering admin credentials. The goal is to maintain productivity while significantly reducing privilege-related risks.

The document outlines the rationale for least-privilege enforcement, the core EPM capabilities that support secure elevation, and the steps required to create and deploy elevation policies. It also covers how users trigger elevated execution, how administrators monitor and audit privilege use, and how these controls help minimize standing privileges across endpoints. 

Pre-Configuration

Before configuring passwordless admin elevation, review the following items to ensure endpoints can receive and enforce EPM policies reliably.

  • Existing Local Administrator Rights
    Audit endpoints to identify users who currently have local admin privileges. Determine which rights can be safely removed once EPM policies are deployed, and which accounts should remain exempt for operational reasons.
  • User and Device Groups
    Plan which users or endpoints require elevation capabilities. Create or update custom groups to reflect roles, departments, or system types. Keep groups tightly scoped to avoid unnecessary privilege assignment.
  • Applications Requiring Elevation
    Gather a list of applications, installers, tools, or workflows that legitimately require admin rights. Validate their trust level and confirm that elevation is essential rather than a workaround for poor configuration.
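
One way to carry out the local administrator audit from the first item above, as an added PowerShell example (not part of Application Control Plus or its documentation). The exemption list, the `CONTOSO` domain name, the output path, and the status labels are assumptions to adapt.

```powershell
# Added example: inventory who holds local admin rights on this endpoint.
param(
    # Hypothetical exemption list: accounts that keep admin rights for operational reasons.
    [string[]]$ExemptAccounts = @('CONTOSO\Domain Admins'),   # constructed sample value
    [string]$OutFile = "$env:TEMP\local-admins-$env:COMPUTERNAME.csv"
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. Resolving the group
# by SID also works on Windows installs where the group name is localized.
$adminSid = 'S-1-5-32-544'

try {
    $members = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Class = $_.ObjectClass; Sid = $_.SID.Value }
    }
}
catch {
    # Get-LocalGroupMember can fail when the group contains orphaned SIDs left by
    # deleted domain accounts. Fall back to the ADSI WinNT provider, which lists them.
    $sidObj    = New-Object System.Security.Principal.SecurityIdentifier($adminSid)
    $groupName = $sidObj.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $members = foreach ($m in $group.Invoke('Members')) {
        $type = $m.GetType()
        $path = $type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            # ADsPath keeps the machine name for local accounts (DOMAIN\COMPUTER\user).
            Name  = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class = $type.InvokeMember('Class', 'GetProperty', $null, $m, $null)
            Sid   = $null   # not resolved in the fallback path
        }
    }
}

$report = foreach ($m in $members) {
    if     ($ExemptAccounts -contains $m.Name) { $status = 'Exempt' }
    elseif ($m.Sid -like 'S-1-5-21-*-500')     { $status = 'BuiltInAdministrator' }
    elseif ($m.Name -match '^S-1-5-')          { $status = 'OrphanedSid' }
    else                                       { $status = 'ReviewForRemoval' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Name = $m.Name
                       Class = $m.Class; Sid = $m.Sid; Status = $status }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Format-Table Computer, Name, Class, Status -AutoSize
```

Rows marked `ReviewForRemoval` are the candidates for removal once EPM policies are in place; collecting the CSVs from all endpoints gives the baseline to compare against after deployment.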

Creating a Privileged Application List & Deploying Policy

This section walks you through how to build a Privileged Application List in ManageEngine Application Control Plus, and then how to deploy that list to endpoints.

  1. Navigate to Privilege Management and create or modify the Privileged Application List.
  2. Enable privilege elevation as required. Refer to this page to learn more about the different elevation options.
  3. Once saved, navigate to Deploy Policy and click Associate Policy.
  4. Choose the Custom Group containing the user devices that require privileged access to those applications. Then click Yes to associate the Privileged Application List with the chosen custom group.
  5. Once deployed, the endpoints in the custom group will enforce the privilege-elevation policy.

What Happens After Deployment

Depending on the type of elevation chosen, applications are elevated as follows:

  • When a user launches a permitted application (manually via “Run as ManageEngine” or automatically if auto-elevation is enabled), Application Control Plus grants elevated privileges only for that application (and any child processes it spawns).
  • If you combined allowlists with a Privileged Application List without elevating all applications, unapproved applications continue to run with standard user privileges only, or may be blocked, depending on your broader application control settings.
  • Administrative overhead is minimized: you don’t need to grant broad local-admin rights, yet users retain the ability to run essential apps. Application Control Plus enables fine-grained privilege control and supports security compliance by limiting the attack surface.

 
