ADMIN BY REQUEST GUIDE (OIT)

Body

Requests should not be approved by the requestor. If you do need something approved, it should be approved by a peer or manager.
When someone attempts to run an application that is not already pre-approved as administrator, or requests a timed administrator session, you can view the request in ServiceNow, the Admin By Request web portal, or the mobile application.
Viewing, Approving, and Denying Requests
ServiceNow

To view requests in ServiceNow, click on the “All” button in the top left of the page, search for “Admin by Request”, then select “Requests”. This will open the current pending requests. Once you select a pending request, you’ll see the requestor’s information and the reason they submitted their request. Below that, you will find the approve and deny buttons. Requests and approvals don’t populate instantly; they can take 15-30 seconds to go through.

Admin by Request

To view requests in the Admin by Request portal, navigate to the Admin by Request web portal linked above, click on “Microsoft 365” listed underneath Corporate Sign in, and use your dash account to sign in. If you have already signed in with your regular device account in the same browser, you may need to use a different browser or an incognito window so that it prompts you for the account you’d like to sign in with. After signing in, you will be able to see pending requests by clicking on the “Requests” tab. You will see the same information for the request as you would in ServiceNow.

Mobile Application

The mobile application is also available, but its functionality is limited to viewing the inventory, audit log, and PIN codes, and approving or denying requests. To view requests in the mobile application, open the application on your mobile device and select the requests tab from the bottom navigation bar.
Alternative Methods
Break Glass
In the event that a local administrator account is needed, there is a “Break Glass” feature, available only on the Admin by Request portal, which will create a temporary timed local administrator account on the specific device. This feature requires internet connectivity to function. To create a break glass account, sign into the Admin by Request portal, then navigate to the Inventory tab and select the specific device. On the left side navigation, click on break glass, select a duration of time (by default it is set to 2 hours), then click generate. The device will need to be restarted, and you should now be able to sign in with the break glass local administrator account.
PIN Codes

Lastly, there is also a PIN code that can be generated on the Admin by Request portal or mobile application for when a device is offline.
You will first need to generate a PIN code on the target device to later generate the matching PIN code on the web portal or mobile application. Below are the steps to generate and use PIN codes on the web portal and mobile application.
Admin By Request Web Portal:

1) Generate a PIN code from the device in question by selecting “I wish to use a PIN code” in any of the Admin by Request prompts that come up.
2) Sign into the Admin by Request portal, navigate to the inventory tab, and select the target device.
3) On the left side navigation, click on “PIN code”.
4) Enter the PIN code generated from the device in the “PIN 1” field and click generate.
5) The “PIN 2” field will generate a PIN code; enter this into the target device.

Admin by Request Mobile Application:

1) Generate a PIN code from the device in question by selecting “I wish to use a PIN code” in any of the Admin by Request prompts that come up.
2) Open the Admin by Request mobile application.
3) Click on Inventory and search for the device.
4) Select the target device and click on the PIN code tab at the top.
5) Enter the PIN code generated from the device in the “PIN 1” field and click generate.
6) The “PIN 2” field will generate a PIN code; enter this into the target device.

Uninstall PIN Codes
Uninstall PIN codes should only be used as a last resort after attempting the other methods above and LAPS.

To generate and use an uninstall PIN code:
1) Navigate to the inventory tab and select the target device.
2) On the left side navigation, click on “PIN code”.
3) Select the “Uninstall PIN” tab at the top and click “Generate PIN”. Note: A matching PIN code is not needed for this.
4) On the device this PIN code was generated for:
4A) Windows: Click on the Admin by Request tray icon, select about, select uninstall, and enter the PIN code.
4B) Mac: Click on the Admin by Request icon from the top menu bar, select about, select uninstall, and enter the PIN code.

Note: Uninstalling will not keep Admin by Request uninstalled; the application will be re-installed once the device checks in with MDM (either Intune or JAMF). If someone needs to be excluded from Admin by Request, it needs to be approved by InfoSec/Casey Moore.

Details

Article ID: 1271
Created
Sat 7/26/25 12:53 PM