Overview
Admin By Request (ABR) is a temporary administrator rights solution that allows you to install approved applications and make necessary changes to your computer without needing to be an administrator on the computer, improving University of Idaho's security posture.
Before using ABR to install software, always check Software Center or Self Service (macOS) first to see if the software needed is already available for install.
- Common applications can be pre-approved for installation even if they require admin privileges - no user ticket to OIT needed.
- Applications that are repeatedly approved can be automatically added to the pre-approval list for most users.
- Applications that are pre-approved to run with admin privileges can do so transparently, without increasing the risk of other applications also being run as admin.
- For low-risk areas, users can supply application justification to satisfy compliance and automatically gain access (audit-only mode).
- Reduced risk across the university from malware, ransomware, and other exploits.
If you are unsure whether an application requires admin privileges, please attempt to install it without admin privileges first.
When installing approved applications or updates that require administrator-level access, you will need to right-click on the executable (exe) file and select “Run as Administrator”.
- For MSI files, simply opening the application will trigger Admin by Request if needed.

Once you have clicked on Run as Administrator, you will be prompted for a reason for access. Please provide us with a reason for the elevated access. The reason should contain enough information to help an admin make a decision. Vague answers may be denied or trigger further inquiry, which will delay the process. If applicable, please provide a TDX ticket number if you are already working with OIT, along with the link to the site you downloaded the installation files from.

Once you have submitted the request, it will be reviewed.
If your request is approved, you will then receive a prompt to install the application or update.

This will allow you to perform the installation and/or update for the task at hand. If ABR does not work, please submit a Software Services ticket and the TSP team will get in contact with you to resolve the issue.
Extended Access with ABR
For the times when extended access is needed, please click on the caret icon on the taskbar to the left of the clock, and then click on the green circle with a white check mark icon.

A sub-menu will appear providing you with several options. For extended access, click on Request Administrative Access. To uninstall applications, remove a printer, or modify some computer properties, click on Tools and then the desired sub-menu item.

When selecting Request Administrative Access, a reason for elevated access is required before access is granted. Please provide a detailed reason for the elevated access in the field provided.

ABR Tools – Sub-menu:
Uninstall Program: ABR gives you the ability to remove programs quickly. Within the Tools sub-menu, click on Uninstall Program. A new window will appear with the list of programs installed on the computer. Click on the program to be uninstalled and then click on Uninstall. You will be prompted for a reason for the uninstall. Please note that not all programs can be uninstalled.


When using the other sub-menu items, please work with the TSP team ahead of time to ensure the appropriate information is available to make the task at hand as smooth as possible.
Installing Applications on macOS with ABR
Before using ABR to install software, always check Self Service first to see if the software is already available for install without needing elevated privileges.
macOS handles application installation differently than Windows. Most applications arrive as a .dmg (disk image) or .pkg (package installer) file, and ABR integrates into the installation process to provide temporary elevation when needed.
Installing a .pkg File
Package installers (.pkg) will typically trigger an Admin by Request prompt automatically when elevated privileges are required:
- Open the .pkg file by double-clicking it.
- If administrator access is needed, ABR will intercept the installation and prompt you for a reason for elevated access.
- Provide a clear, detailed justification — include a TDX ticket number if you are already working with OIT, and the URL where you downloaded the installer.
- Once your request is approved, the installer will proceed normally.
Installing a .dmg File
Disk image (.dmg) files typically require you to drag the application into your Applications folder:
- Open the .dmg file by double-clicking it.
- Drag the application icon to the Applications folder as directed.
- If a privilege prompt appears during this process, ABR will intercept it and ask for a justification — follow the same steps as above.
- If the app requires a post-install setup or helper tool that needs admin rights, ABR will prompt at that stage.
Requesting an Admin Session for Complex Installations
Some installations require sustained elevated access (for example, installers that run multiple scripts or configuration steps). In these cases:
- Click the ABR menu bar icon (the green circle with a white checkmark) in the top-right menu bar.
- Select Request Administrative Access.
- Provide a detailed reason for the session.
- Once approved, you will have a temporary administrator session during which you can complete the installation.
Note: Admin sessions are time-limited. Begin your installation promptly after approval.
macOS-Specific Notes
- sudo is disabled by ABR. If a terminal-based installation requires sudo, you must first request an Admin Session from ABR. See the "Does ABR interfere with sudo (macOS)?" entry in the ABR FAQ below for details on terminal access based on your data access level.
- Gatekeeper prompts (the "app can't be opened because it's from an unidentified developer" message) are separate from ABR. If you encounter one, right-click the app and select Open, then proceed through the ABR elevation prompt if it appears.
- System Extensions and kernel-level software (such as VPNs or security tools) may require OIT involvement even with ABR. If your installation stalls or fails at this stage, submit a Software Services ticket for assistance.
ABR FAQ
My file was blocked as malicious. What can I do about this?
Choices are very limited. Admin By Request does not conduct False Positive* investigations. The only two options recommended currently are:
- Try to use a different version that is still security-updated.
  - Blocked applications are often updated regularly and newer versions are often cleared for use when released.
- Find an alternate application which supports the intent.
Does ABR interfere with sudo (macOS)?
Yes. Admin By Request removes administrative privileges and prevents elevation through the use of sudo. If you need to use sudo then you should request an Admin Session from ABR.
Are terminals allowed to be elevated?
Administrator sessions for terminal applications such as Command Prompt, Mac Terminal, or PowerShell are required to be controlled when run or elevated.
- Users without access to high risk data are allowed to elevate a terminal session using MFA (SSO) credentials.
- Users with access to high risk data are required to have stricter controls in place. The technical controls are not yet available within Admin By Request to granularly control the terminal applications. As a result, a PIN is required to bypass ABR whenever this is needed. To request a PIN, please submit a ticket to OIT.
- If you feel that you have been included in the wrong category, please first consult the KB article on how to identify high risk data for a quick refresher (https://support.uidaho.edu/TDClient/40/Portal/KB/ArticleDet?ID=1659). If further clarification is needed, please submit a ticket to OIT.
I received an "Administrator Error" from ABR
When attempting to elevate privileges using Admin By Request (ABR), you may encounter an “Administrator Error” indicating that you must be the owner of the device. This message appears when ABR detects that the signed‑in user is not listed as the primary owner of the computer. For security reasons, ABR only allows local admin elevation for users who are officially assigned as the device owner in the university’s device management systems. If the device is assigned to someone else, marked as shared, or does not have an owner recorded, ABR will block the elevation to prevent unauthorized access.
If you receive this error, please verify that you are using a device that is assigned to you. University‑owned devices may sometimes be incorrectly attributed, recently reassigned, or configured as shared or checkout/loaner systems. If you believe you are the correct owner or need administrative access for work-related tasks, contact the OIT Help Desk or submit a ticket to https://oit.uidaho.edu. TSPs can review the device record, correct ownership if appropriate, or guide you through the approved exception process for temporary administrative access.


What do I need to do when I see a Windows UAC prompt?
Some Windows services and settings do not route through ABR directly; as a result, they show the Windows UAC prompt requesting an administrator account. In these instances, please request an administrator session and try again. To request an administrator session, right-click the ABR icon in the system tray and select 'Request administrator access'.
