Support Approved is a new feature within Endpoint Privilege Management (EPM). It is a big feature: it allows a user to request elevation for a software installation, and a support engineer can approve it.

Endpoint Privilege Management

Endpoint Privilege Management (EPM) is a security solution that allows users to run applications and tasks requiring elevated privileges without administrator rights on their devices. EPM helps organizations reduce the risk of cyberattacks by implementing the principle of least privilege, which means giving users only the minimum level of access they need to perform their duties. EPM also enables users to be more productive and self-reliant, as they can complete common tasks such as installing software or updating drivers without waiting for IT support.

EPM defines policies and rules that specify which applications and tasks can be run with elevated privileges, and by whom. EPM also monitors and audits the privileged activities of users, providing visibility and accountability for security and compliance purposes. How to configure EPM can be found here

A new feature update will bring Support Approved to the game. Below we take you through the steps and tell a little more about the feature.

Storyline of Support Approved

John is a software developer who works remotely for a large corporation. He needs to install a new version of Visual Studio on his Windows laptop, which requires administrator rights. However, he does not have the password for the local administrator account, and he does not want to bother the IT department with a ticket request.

Fortunately, his company has implemented Endpoint Privilege Management (EPM). This security solution allows him to run applications and tasks requiring elevated privileges without administrator rights on his device. He right-clicks on the Visual Studio installer and selects “Run with elevated access”. A pop-up window asks him to provide a business justification for the elevation request. He types in the reason for the installation.

Now a support engineer can see the elevation request with its status and the justification, and can approve or deny the application. John will get a notification that he can run the application. From then on, John can run the application installation for 24 hours.

The first steps for Support Approved

The first thing we need to check is whether the settings in EPM are correct to get things working. Go to Endpoint security | Endpoint Privilege Management and click our Elevation settings policy.

Support Approved

In this policy, we need to check that the Default elevation response is set to Require support approval (which means every user will have to get his application approved; any application for which a rule is in place will follow that rule instead).

After checking the configuration we can go ahead to a device and try to create a support approved request.

How Support Approved works

In the next step we will go through how Support Approved works from a user perspective and from a support engineer perspective.

User perspective step 1

On the device we want to elevate an application. After downloading Visual Studio, we right-click the downloaded file; here we can run it with elevated access.

Now a new screen pops up asking for a business justification.

Support Engineer perspective

A support engineer goes to Endpoint security | Endpoint Privilege Management | Elevation Requests. Here we see a screen listing all files with their publisher, requester username, status, and modified date.

In this screen, we see the just created elevation request in a pending state.
</gml_replace>
<gr_replace lines="45" cat="clarify" orig="After clicking on the">
After clicking on the Filename, an extra pane appears with more info: Compliancy, Status, User justification, and Hash Value.

After clicking on the Filename we will see an extra coming up with more info, Compliancy, Status, User justification, and Hash Value

Here we can take the appropriate action by approving or denying the elevated exe file. In this case we approve it: click Approve, fill in the extra notice with the reason why the support engineer approves it, and click Yes.

Pay attention to the fact that when a request is denied, the user will not be notified.

User perspective step 2

After approving the exe file the user will receive a notification that the request is approved and that the exe file can be run as an administrator.

The user has to go to the file and run it with elevated access; from then on the user can run it for 24 hours.

How does it work in the backend?

Support Approved sends the request to Intune. After approval, a scheduled task is created which triggers the declared configuration (mmp-c) to run.

Now a notification is sent and a registry key is created under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EPMAgent\RuleLookup\FileName; this key remains there for 24 hours.
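As an added example (not from the original post and not code from Microsoft or the EPM agent), the following PowerShell lets a support engineer or admin verify two things the post describes: which files currently have a RuleLookup entry on the device (i.e. an active Support Approved elevation), and whether the file on disk matches the Hash Value shown in the Elevation Requests pane. Two assumptions are made that the post does not document: the subkeys under RuleLookup are named after the elevated file, as the path in the text suggests, and the portal's Hash Value is a SHA-256 hash. The function names and the sample installer path are also the example's own.

```powershell
# Added example, not part of the original post. Assumptions are marked in comments.
$RuleLookupPath = 'HKLM:\SOFTWARE\Microsoft\EPMAgent\RuleLookup'

function Get-EpmRuleLookupEntry {
    # Lists the per-file subkeys the EPM agent creates once a Support Approved
    # request is granted (the post states these live for 24 hours).
    if (-not (Test-Path -Path $RuleLookupPath)) {
        Write-Warning 'RuleLookup key not found: no active approvals on this device, or the EPM agent is not installed.'
        return
    }
    Get-ChildItem -Path $RuleLookupPath | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            # Assumption: the subkey name is the name of the elevated file.
            FileName = $_.PSChildName
            # Dump whatever values the agent stored, skipping PowerShell's own PS* properties.
            Values   = ($props.PSObject.Properties |
                        Where-Object { $_.Name -notlike 'PS*' } |
                        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

function Compare-EpmFileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,       # installer the user elevated
        [Parameter(Mandatory)] [string] $PortalHash  # Hash Value copied from the Elevation Requests pane
    )
    # Assumption: the portal shows SHA-256. A match confirms the file on disk is the
    # one the support engineer looked at when approving; a mismatch means the file
    # was replaced or modified after the request was submitted.
    $localHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path       = $Path
        LocalHash  = $localHash
        PortalHash = $PortalHash.ToUpperInvariant()
        Match      = ($localHash -eq $PortalHash)   # -eq is case-insensitive in PowerShell
    }
}

# Usage on the device (sample path and placeholder hash are constructed, not from the post):
Get-EpmRuleLookupEntry | Format-Table -AutoSize
Compare-EpmFileHash -Path "$env:USERPROFILE\Downloads\VisualStudioSetup.exe" -PortalHash '<hash value from portal>'
```

Run it after the user has been notified of the approval; an entry should appear under RuleLookup for the approved file name, and it should disappear again once the 24-hour window the post describes has passed.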

If you need a deep dive into how Support Approved works, go to the blog post of my friend Rudy Ooms: https://call4cloud.nl/2024/03/do-not-try-and-bend-the-epm-thats-impossible-instead-only-try-to-use-support-approved/

Conclusion

EPM Support Approved is a feature that will add extra value to the EPM product; it is easy to use for both the user and the support engineer/admin. The user is notified very quickly after the application is approved. Overall, it is a feature that we needed.
