Easily Implement ‘Least Privilege’ Internally And At Your Client Sites

It’s time to get your house in order and have your Engineers and Clients adhere to the principal of ‘least privilege’

Following the principle of least privilege is essential for MSPs because both you and your clients are prime targets! The principle of ‘least privilege’ dictates that you should only allow elevated privileges, or Admin rights, when those privileges are specifically and absolutely necessary to accomplish the required task. Allowing users to operate with local Admin privileges essentially gives them unlimited Admin privilege and breaks the principle of least privilege. AutoElevate improves operational security by allowing users to run common tasks (such as browsing the internet or viewing emails) with standard privileges while selectively elevating only the things required. global and multi-tenant rules to control ‘least privilege’ can be done quickly and easily from the AutoElevate Admin portal or in real-time when elevated privileges are requested. both internally with your own staff and at your client sites.

AutoElevate shares your common goal of keeping your client’s environment more secure and creating a better user experience.

Enforcing the principle of least privilege by fine-tuning user privileges will drastically reduce the attack surface of your own network along with your managed environments and should be on your ‘short-list’ of items to put into practice immediately.

See What Your MSP Peers are Saying About AutoElevate

How much does it cost and where do I get it?

AutoElevate is sold exclusively through our Manage Service Provider partners. Use the following links if you would like a partner to contact you with additional details, demo, pricing, or a free trial.

Is AutoElevate hard to deploy?

No. We’ve made it super easy so that it can deployed across your MSP practice in minutes. We’re here to help you every step of the way. AutoElevate is deployed by installing the AEAgent onto workstations. The AEAgent is a small lightweight MSI file which can be deployed silently with just about any RMM tool, System Policies, or manually by your administrators. For your convenience we have published a full set of ConnectWise™ Automate, Kaseya VSA™, Datto RMM™, SyncroMSP™, or PowerShell scripts which can help you deploy the agents throughout your environment within minutes.

How much memory and disk space does the AutoElevate Agent require?

The AutoElevate Agent is very lightweight, consisting of 3 processes that run once a user is logged in. The processes collectively use approximately 40MB of memory and 820KB of disk space. We have not experienced the agent causing any slowness or resource issues and have tested it on machines running with as little as 2GB of memory.

 

What outbound ports need to be opened on the firewall at our MSP and/or at our client sites?

443 outbound is all that should be required. So if you’re able to go to secure websites you should be OK.

What happens if my technicians don’t respond to a client request before the timer is up?

When the end user has made a request and the timer expires, an additional dialog box will appear that states that the technician is evaluating the request, a ticket has been opened and that they will be notified as soon as a technician responds. When a technician does respond, a new notification appears for the user telling them their request has been approved or denied and allowing them to continue the installation or with additional ticket information.

Does AutoElevate enter in my admin password for end users?

No. AutoElevate does not store, use, or modify your Admin credentials. AutoElevate gives you the choice on any rule or elevation request to use either an ‘over-the-shoulder’ style Admin elevation or to elevate with the context of the currently logged in user. AutoElevate interacts with the UAC directly when an elevation of an approved process is required, allowing for compatibility and elevation of complex applications. Credentials are not stored in a database or transmitted over the network making security tighter, faster, and easier to manage.

 

How does AutoElevate work?

AutoElevate automates Windows UAC prompts for MSPs. Our software Agent service works in the background to apply proactive elevation rules to each UAC event or to notify a technician through one of our PSA ticketing integrations, Windows notifications, or via our AutoElevate Mobile App (or all 3). Technicians can quickly and easily evaluate the request and build rules to either accept or deny the requested installer, application, update, or system action which can be allowed just one time,  for just this single computer,  for a group of computers, a whole client, or for all of the computers under your management. For more detailed information on how the AutoElevate system works please sign-up and visit our support site.

Are approvals app based or version based?

Approvals can be done based on either MD5 hash or a combination of information from the verified publisher certificate, name, and path. By identifying the file in these various ways, approvals or denials can successfully take place regardless of where the file originates and for a wide range of scenarios and requirements. Core applications and/or updates for applications such as Quickbooks™, Zoom™, or UPS WorldShip™ (or countless others) can be approved. With PAM automation you now have options.

Will adjustments need to be made to our installed antivirus?

None. AutoElevate works well with other solutions in your solution stack.

Am I charged for extra technicians?

With the release of the Enhanced Technician Mode features in 2020 each agent tier includes a corresponding number of technician user licenses with some licensing tiers including unlimited technician users. Currently, to have additional user licenses requires moving into a higher tier which includes the desired number of User (technician) licenses.

Who receives the notifications from end users?

All technicians that have the Mobile Notification app installed will receive notifications from your clients. They can quiet the notifications by adjusting notifications on their phones.

MSPs that use PSA ticketing integration (Autotask PSA, ConnectWise Manage, Kaseya BMS, & Syncro) can view notifications and approve or deny elevation requests directly in their PSA tickets. Tickets generated by AutoElevate have custom statuses which can be used to build customized notifications from within the ticketing systems. Requests can also be viewed and responded to from within the Admin Portal.

By enabling browser notifications technicians have easy 1-click access to approve or deny requests and receive notifications on their macOS or Windows computer desktops directly.

Do I have to have my own on-premise server?

No. AutoElevate is a cloud based service and software platform. All you have to have to get started is a license key and instructions. We maintain the server, the mobile apps, security, updates, and web portals.