Overview
The purpose of this article is to specify our policies regarding giving RMM end users the ability to perform actions on their workstation that may cause corruption or security breaches. The two main areas of concern are:
- Allowing customers to install, remove or run software that requires admin access
- Providing admin passwords to end users
Policies
Admin Passwords
Generally we do not provide admin passwords to users. We can send the Security Authorization account contact the credentials once onboarding is close to completion.
Running and Installing Software that Requires Admin Access
Windows
We use AutoElevate to approve software changes and installations on Windows RMM computers. If a user wants to install or run software that we believe can cause damage to the machine or to the network, the Security Authorization contact must approve in writing (via email to a team member's inbox or to a ticket as a customer note).
Whenever possible, reach out to the appropriate customer contact via the ticket generated by Auto-Elevate. (If necessary, add the Security Authorization contact to the AE ticket.)
Macs
For Macs, we use AdminByRequest to approve temporary admin sessions on the machine.
Procedure for Exceptions
Because we can temporarily give our permissions via the utilities above (which are installed on every RMM machine), users should never need admin access to their workstations. For any exception, the customer's Security Authorization contact must approve the exception and accept responsibility for any malware, hacking or other security breaches that (in our judgement) result.
Please document any exceptions by either of the following methods:
1. Upload the email to the customer's IT Glue site summary flexible asset and document the exception in the appropriate site summary field(s).
2. Enter the ticket number on which the customer note appears in the customer's IT Glue site summary flexible asset and document the exception in the appropriate site summary field(s).