
Hi All,

Currently I’m going through the EPM install / onboard process and was wondering if there is a way to give users local admin rights to install applications on the fly. Some installers just have so many commands to whitelist that this isn’t feasible during a one-time install. I was hoping for something like a “just in time” setup to raise to full admin; however, the on-prem version doesn’t include a JIT setup, only the cloud does. How have others accomplished this without the need to whitelist every individual command line?

Hello @way2qk4u2c, when onboarding an estate I would highly recommend utilizing our QuickStart template as a starting point for your users, as this has been developed from BeyondTrust’s experiences in implementing across thousands of customers, and is intended to balance security with user freedom.

https://docs.beyondtrust.com/epm-wm/docs/bi-epm-quickstart-templates

These templates are preconfigured with Workstyles, application groups, messages, and custom tokens (configured with Endpoint Privilege Management and Application Control) but, for your specific use case of ad-hoc elevation, I would like to draw your attention to the On-Demand application rules, which allow users to launch applications with specific privileges (usually admin rights), on demand from a right-click Windows context menu.

https://docs.beyondtrust.com/epm-wm/docs/gpo-windows-policies#on-demand-application-rules


Hey @way2qk4u2c

Great question! There are two paths forward here that can be taken with the on-prem solution:

Service Now JIT Integration

The On-Prem version of this, matching the JIT capabilities in EPM-SaaS, would be the JIT Application Admin connection into ServiceNow.

Documentation: EPM Integration - ServiceNow

KB article with video: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019815 


Challenge/Response Messaging

Alternatively, the solution is to use User Messaging that would require a service desk code, so the user contacts the service desk to run the application. The rule could allow child processes, so the elevation is inherited from the approved parent and the install can go through.

Documentation: Messages - Add a Challenge/Response authorization

KB article around best practices around challenge/response: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017940

KB article with response code generator with video: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021020


Additional Information

So as not to leave you with only links to documentation, I’ll also highlight other areas where similar questions have been asked:

  • Related query discussing the SNOW integration (yes, cloud, but the JIT Application Admin is the same regardless): EPM & JIT Service Now integration | Community
  • BT University Success Included: The self-paced online administrative course for EPM is available and goes over a few 

Appreciate the reply, but I have tried setting it up similarly, using a reason prompt when installing an executable. The user gets prompted for the reason and enters a reason, but then halfway through the install it fails since it doesn’t elevate all the way through. I have tried to set child processes to run as well, but it still doesn’t allow it. Unless I’m missing something else in the policy that would solve this issue. This is my first time setting up this product, so I’m learning every day.


Ah! In that case I would open a ticket with support and they can help narrow down the issue. There could be a few structural items that are causing this in the policy 😊

Whenever you’re following the docs and things aren’t working as expected, please work with support - they’re fabulous!
