
Admin by Request

"Admin By Request" is an innovative solution specifically designed to provide more security and control over administrative access to our IT systems. With this software, we can make the management of access rights for administrators at the University of Zurich more efficient and secure.

With "Admin By Request", we can ensure that only authorized users are granted administrative rights and can access sensitive systems. This reduces the risk of unauthorized access and protects company data from misuse or misconduct.

Our solution is based on the principle of just-in-time access, which means that administrative rights are only granted when they are really needed. This ensures that administrators only receive temporary access rights for specific tasks or projects and do not retain these rights permanently.

Another important function of "Admin By Request" is comprehensive logging. This makes it easier to adhere to compliance regulations and ensures that you meet the requirements of your industry.

We offer two variants, whereby variant 1 is already available on all managed devices from ZI:

"Run as administrator" means that a user executes a file that activates User Account Control (UAC). The program can be executed within a protected environment (sandbox) without the user having to be logged in locally as an administrator. In this case, only the process (not the user himself) has administrator rights. If the user attempts to run a software installation, the program is automatically interrupted. A request with a reason must be specified for each application. All actions and reasons are recorded in the audit log. This variant is available on all devices managed by Central IT.

For Windows devices

For managed Windows devices, an application is installed as follows:

  1. Download the relevant application.
  2. Open Windows Explorer and navigate to the application directory.
  3. Right-click on the application and select "Run as administrator".
  4. It is then essential to enter a reason, as the request must be checked and approved. (This step can also take several days).
  5. As soon as we have approved the application, it can be installed once. It is important that the installation file is executed as administrator (Right-click on installation file > Run as administrator).

For macOS devices

Admin by Request supports both package files (.pkg) and application files (.app).

The following steps are required to install an application on a managed macOS device:

  1. Download the appropriate application.
  2. Launch the application from the Dock or the corresponding folder.
  3. An "Admin by Request" pop-up window appears. It is mandatory to enter a reason, as the request must be reviewed and approved. (This step can also take several days.)
  4. After approval, the application can be installed once. It is important that the installation file is executed as an administrator.

There is also the option to request administrator rights for a period of 10 minutes, which do not require authorization. This option is intended for users who require local admin rights more frequently or on a daily basis. If this option is required, fill out the following form. The 10-minute administrator rights can then be requested at any time without a check taking place. 

Form (This should be done first)

For Windows devices:

  1. Right-click on the "Admin By Request" icon in the taskbar (bottom right of your screen).

  2. Select "Request administrator access" in the context menu.

  3. Confirm with "Yes" that you want administrator rights for 10 minutes.

  4. The countdown begins and is displayed at the bottom right. You can cancel it at any time.

For macOS devices:

  1. Click on the "Admin By Request" icon in the menu bar at the top right of your screen.

  2. Select "Request administrator access" in the context menu.

  3. Confirm with "Yes" that you want administrator rights for 10 minutes.

  4. The countdown begins and is displayed at the bottom right. You can cancel it at any time.

With this option 2, however, it is still not possible to execute system tools such as PowerShell or commands with "sudo" on macOS. This authorization requires an exception approval, which is granted by the operations team and IT security. The authorization is only valid for a period of one year.