Overview
Admin By Request (ABR), is a temporary administrator rights solution to allow you to install approved applications and make necessary changes to your computer without needing to be an administrator on the computer, improving University of Idaho's security posture.
Before using ABR to install software, always check Software Center or Self Service (macOS) first to see if the software needed is already available for install.
- Common applications can be pre-approved for installation even if they require admin privileges - no user ticket to OIT needed.
- Applications that are repeatedly approved, can be automatically added to the pre-approval list for most users.
- Applications that are pre-approved to run with admin privileges can do so transparently, without increasing risk of other applications being also run as admin.
- For low risk areas, users can supply application justification to satisfy compliance and automatically gain access (audit-only mode).
- Reduced risk across the university from malware, ransomware, and other exploits.
When installing approved applications or updates requiring administrator level of access you will need to right click on the executable (exe) file and select “Run as Administrator”
- For MSI files, simply opening the application will trigger Admin by Request if needed.
Once you have clicked on Run as Administrator you will be prompted for a reason for access. Please provide us with a reason for the elevated access. There should be enough information in the reason for an admin to help make a decision. Vague answers may be denied or trigger further inquiry which will delay the process. If applicable please, provide a TDX ticket number if you are already working with OIT, along with the link to the site you downloaded the installation files from.
Once you have submitted the request will be reviewed.
If your request is approved, you will then receive a prompt to install the application or update.
This will allow you to perform the installation, and/or, update for the task at hand. If ABR does not work please, submit a Software Services ticket and the TSP team will get in contact with you to resolve the issue.
Extended Access with ABR
For the times when extended access is needed, please click on the carrot icon down on the taskbar to the left of the clock, and then click on the green circle with a white check mark icon.
A sub menu will appear providing you with several options. For extended access click on Request administrative access. To uninstall applications, a printer, or modify some computer properties, clock on tools and then the desired sub-menu item.
When selecting Request Administrative Access, a reason for elevated access is required before access is granted. Please provide a detailed reason for the elevated access, in the field provided.
ABR Tools – Sub-menu:
Uninstall Program: ABR gives you the ability to remove programs quickly. Within tools sub-menu click on Uninstall Program. A new will appear with the list of programs installed on the computer. Click on the program to be uninstalled and then click on uninstall. A prompt requiring a reason for the uninstall is required. Please, note not all programs can be uninstalled.
When using the other sub-menu items, please work with the TSP team ahead of time to ensure the appropriate information is available to make the task at hand as smooth as possible.
ABR FAQ
Does ABR interfere withsudo (macOS)?
Yes. Admin By Request removes administrative privileges and prevents elevation through the use of sudo. If you need to use sudo then you should request an Admin Session from ABR.
Are terminals allowed to be elevated?
Administrator sessions for terminal applications such as command prompt, Mac Terminal, or Powershell are required to be controlled when run or elevated.
- Users without access to high risk data are allowed to elevate a terminal session using MFA (SSO) credentials.
- Users with access to high risk data are required to have stricter controls in place. The technical controls are not yet available within Admin By Request to granularity control the terminal applications. As a result, a PIN is required to bypass ABR whenever this is needed. To request a PIN, please submit a ticket to OIT.
- If you feel that you have been included in the wrong category, please first consult the KB article on how to identify high risk data for a quick refresher (https://support.uidaho.edu/TDClient/40/Portal/KB/ArticleDet?ID=1659). If further clarification is needed, please submit a ticket to OIT.
I received an "Administrator Error" from ABR
When attempting to elevate privileges using Admin By Request (ABR), you may encounter an “Administrator Error” indicating that you must be the owner of the device. This message appears when ABR detects that the signed‑in user is not listed as the primary owner of the computer. For security reasons, ABR only allows local admin elevation for users who are officially assigned as the device owner in the university’s device management systems. If the device is assigned to someone else, marked as shared, or does not have an owner recorded, ABR will block the elevation to prevent unauthorized access.
If you receive this error, please verify that you are using a device that is assigned to you. University‑owned devices may sometimes be incorrectly attributed, recently reassigned, or configured as shared or checkout/loaner systems. If you believe you are the correct owner or need administrative access for work-related tasks, contact the OIT Help Desk or submit a ticket to https://oit.uidaho.edu. TSPs can review the device record, correct ownership if appropriate, or guide you through the approved exception process for temporary administrative access.
What do I need to do when I see a Windows UAC prompt?
For some windows services and settings, they do not route through ABR directly, as a result, they show the Windows UAC prompt requesting an administrator account. In these instances please request an administrator session and try again. To request an administrator session. Right click the ABR icon in the system tray, and select 'Request administrator access'