
User to Admin Elevation

pamlefkowitz
JumpCloud Alumni

We’ve been having a discussion in my circle about whether or not to give users admin permissions. In my consulting days, I was regularly asked to do that for the owners of my client companies. They wanted to be able to install their own choices of apps and updates when *they* chose to, rather than when we scheduled it. It became quite a dilemma.

Invariably, one client’s email would get hacked or they’d end up with some spyware on their computer.  But they didn't want to give up the control.

So here’s my question: Do you allow users to be admins? How do you handle it when your users need to do things that require admin access? Do you handle it differently for Macs than for PCs?

12 REPLIES

BScott
Community Manager

I have many thoughts on this (more from the end user perspective), but will wait for others to chime in.

Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.

dbollen
Novitiate I

I'm a fan of a tiered approach, but it requires having a good data/access classification structure in place.

In a well thought out deployment most users shouldn't need standing admin, and with a tool like JumpCloud you can elevate the user permission while on a support call or in a time boxed window depending on your security requirements. For those users who make a strong business case for needing standing admin for their day to day operations, identify the access that would be highest risk if spyware were installed and restrict standing access to those systems for those users who have standing admin.

If the policy is well thought out and clearly documented so that users know a) they need to make a business case, not just say it is annoying to put in a ticket a couple of times a year, and b) what their responsibilities and trade offs are for taking on the responsibility of admin permissions, then many users will self identify as not really needing admin.

As with most IT requests, getting at what the user is really struggling with, rather than taking on their perceived solution, can often defuse the situation. If they don't like waiting for updates, can you make a self-service portal for updates? If there is a piece of software that they see as essential for their work but isn't installed, can you add it to the approved software list? Admin is a blunt tool; get them the scalpel that will address their real pain point.

resonantenergy
Novitiate III

Depending on the environment you are in, it can sometimes be possible to set things up such that a program that requires admin permission to run does not need an admin account to run. For example, with an Active Directory structure you can use security groups to assign the program to run with admin permissions, minimizing the scope of the administrative access to that specific program, which does not allow the installation of new software, etc. We have some software that runs this way that does not require admin elevation to run since the security groups permit it to run with administrative permissions.

In our company, which is not Fortune 500 level, even our C levels do not have admin accounts. We will remote into their workstation to install applications at will though. In the end the top levels have full say, even to the CTO. The most you can do in these circumstances is use soft skills to convince them away from having an admin account. If they must have one then it would be better to set them up with a second domain account that is an admin account rather than having them use their main account as an admin account.

To touch on a prior conversation that's been brought up in the community, soft skills are really the best way to enforce secure practices. In the end, though, you really are at the decision the CEO makes. In those cases it's important to just minimize the risks as much as possible.

daemoch
Novitiate III

In an employer-employee relationship that can be a challenge. I've found 2 approaches that generally work, especially together: 1) send an email (CYA) outlining the request/need for admin rights and the security implications of your granting it, requesting they acknowledge that it's been explained to them, they understand, and they accept responsibility. 2) create a second account for them that can run things like installs but has no normal functional access (like printing, user sign on, most network shares, WAN access, etc.) to discourage using it 'as' the user.

In my own company's contracts I took a different approach and I write in that I have final say on all relative security decisions. If they don't like it, go with another vendor. There's enough people willing to play by those rules it's not an issue finding work. I also carry a pile of insurance and make sure my client does as well. Since most of what I end up doing is triage and clean up from either no IT or bad IT, I don't usually get any complaints. Pair that with a couple past bouts of ransomware and they are usually only too happy to give up the reins. Then sweeten the medicine by being very responsive and accommodating in general (those soft skills you mentioned) and it makes the workweek run pretty smooth. Want Pandora, like to watch Disney+ in the background, or play Steam games on the weekend on your work laptop? Sure, just ask. Unless I have a good reason to say no, I'm not in charge of policing your productivity. That's between your boss, HR, and you. And at the end of the month, most of the employees are basically self-reporting so I don't have to scrub my data streams to figure out where the bandwidth is going or why your HD is full.

JBV
Novitiate II
  1. No. We do not allow users to be admins. This makes compliance easy as there are no exceptions. It may add extra work for IT, but it's also an opportunity to learn what MDM, bash and PowerShell can do. This ultimately strengthens the ability of the IT team.
  2. We mostly use JumpCloud commands to handle things which require admin. If we don't have a command for something and it is a common enough task, we write one. For unique admin needs, we RMM to the device for direct assistance. Any software that can be configured to install and update in Software Management should be!
  3. No. All are equal under the eyes of the law. 😆

BScott
Community Manager

#3 🤣🤣


I manage over 200 client employees in 17 companies and no one is an admin. Even a CISO who is known nationally is not an admin. If someone needs to update some app, they submit a ticket that has a 2 hour SLA. I promote their account and let them know through the ticket they are good to go, and ask them politely to let me know when they are done. I remove their admin privileges when they let me know, or the next day if I have not heard back.

I find that if I explain the risks to clients when I onboard them, most say the 2 hour SLA is OK. Others grumble, but none has fought back.
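
The promote-then-remove routine in the post above can be checked mechanically. The following is an added example, not part of the thread or of any JumpCloud tooling: it compares who currently holds admin against the elevation tickets and lists who should be demoted. The ticket ids, user names, the 24-hour reading of "the next day", and the way the current admin list is collected are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: "the next day" is modelled as 24 hours after the grant.
MAX_ELEVATION = timedelta(hours=24)

@dataclass
class Grant:
    user: str
    ticket: str               # constructed ticket id
    granted_at: datetime
    user_done: bool = False   # user replied on the ticket that they are finished

def reconcile(current_admins, grants, standing_admins, now):
    """Return {user: reason} for every account that should lose admin now."""
    latest = {}
    for g in grants:  # keep only the most recent grant per user
        if g.user not in latest or g.granted_at > latest[g.user].granted_at:
            latest[g.user] = g
    to_demote = {}
    for user in sorted(current_admins):
        if user in standing_admins:        # IT's own accounts are out of scope
            continue
        g = latest.get(user)
        if g is None:                      # admin rights nobody ticketed: drift
            to_demote[user] = "no ticket on record"
        elif g.user_done:
            to_demote[user] = f"{g.ticket}: user reported done"
        elif now - g.granted_at >= MAX_ELEVATION:
            to_demote[user] = f"{g.ticket}: window expired"
    return to_demote

# Constructed sample data (hypothetical users and tickets).
NOW = datetime(2024, 3, 5, 9, 0)
GRANTS = [
    Grant("alice", "T-101", datetime(2024, 3, 5, 8, 0)),    # 1 h ago, still working
    Grant("bob", "T-102", datetime(2024, 3, 4, 8, 30)),     # 24.5 h ago, no reply
    Grant("carol", "T-103", datetime(2024, 3, 5, 8, 30), user_done=True),
]
CURRENT_ADMINS = {"itadmin", "alice", "bob", "carol", "dave"}  # as read from the device
STANDING = {"itadmin"}

if __name__ == "__main__":
    for user, reason in reconcile(CURRENT_ADMINS, GRANTS, STANDING, NOW).items():
        print(f"demote {user}: {reason}")
```

The "no ticket on record" case is the one a manual process tends to miss: an account that gained admin outside the ticket flow.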

rlyons
Rising Star III

NO Admins! No Soup! And clients shall be beat with the Stick of Enlightenment until they understand THE ONLY TRUE WAY.

Then Apple and companies make stupid decisions that essentially make this impossible at times (looking at you ShipStation Connect and basically EVERYTHING Apple has done since Monterey.)

BScott
Community Manager

I’m one of those annoying users who hates NOT having admin … let me install minor things whenever I want to, like the desktop version of Asana or Descript. But I’m also a tester for my stuff (community) and frequently need to download, install, and configure things, so I kinda have to have it, too.


rlyons
Rising Star III

This is where Apple really has dropped the ball. Why they can't let us whitelist apps that users can approve installs without admin rights. The fact that helper apps can't be allowed via policy is just...... RAWWRWWWRR!

bwitzig_Zen
Novitiate III

When I worked in the financial sector, they started getting more and more strict with LAR, so most users did not have admin rights; we had a process flow for requesting applications if needed. LAR was also restricted by group policies on what it could do. (Setting lockdown or application whitelisting as examples.)

In another role we simply gave no one (aside from IT) LAR. It was the easiest way to do things.

I'm hoping to try an "admin on demand" solution to see how that works. I would LOVE if JC would have a solution for this *wink wink*

JC-ChrisTate
Rising Star III

Never, Never, Ever...