Hello @way2qk4u2c, when onboarding an estate I would highly recommend utilizing our QuickStart template as a starting point for your users, as this has been developed from BeyondTrust’s experiences in implementing across thousands of customers, and is intended to balance security with user freedom.
https://docs.beyondtrust.com/epm-wm/docs/bi-epm-quickstart-templates
These templates are preconfigured with Workstyles, application groups, messages, and custom tokens (configured with Endpoint Privilege Management and Application Control) but, for your specific use case of ad-hoc elevation, I would like to draw your attention to the On-Demand application rules, which allow users to launch applications with specific privileges (usually admin rights), on demand from a right-click Windows context menu.
https://docs.beyondtrust.com/epm-wm/docs/gpo-windows-policies#on-demand-application-rules
Hey @way2qk4u2c
Great question! There are two paths forward here that can be taken with the on-prem solution:
Service Now JIT Integration
The On-Prem version for this matching the JIT capabilities in EPM-SaaS would be the JIT Application Admin connection into ServiceNow.
Documentation: EPM Integration - ServiceNow
KB article with video: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019815
Challenge/Response Messaging
Alternatively, the solution is to use User Messaging that would require a service desk code to contact the service desk to run the application. The rule could allow child processes so it’s inherited from the approved parent to go through.
Documentation: Messages - Add a Challenge/Response authorization
KB article around best practices around challenge/response: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017940
KB article with response code generator with video: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021020
Additional Information
To not leave you complete with links to documentation, I’ll also highlight other areas where similar questions have been asked:
- Related query discussing the SNOW integration (yes, cloud, but the JIT Application Admin is the same regardless): EPM & JIT Service Now integration | Community
- BT University Success Included: The self-paced online administrative course for EPM is available and goes over a few
Appreciate the reply, but I have tried setting it up similarly using a reason when prompted to install an executable. The user gets prompted for the reason and enters a reason, but then halfway through the install it fails since it doesn’t elevate all the way through. I have tried to set child process to run as well but it still doesn’t allow it. Unless I’m missing something else that would solve this issue in the policy. This is my first time setting up this product so I’m learning every day.
Ah! In that case I would open a ticket with support and they can help narrow down the issue. There could be a few structural items that are causing this in the policy.
Whenever you’re following the docs and things aren’t working as expected, please work with support - they’re fabulous!