Providing Permission to Install/Remove Software to RMM End Users

Providing Permission to Install/Remove Software to RMM End Users

Overview

The purpose of this article is to specify our policies regarding giving RMM end users the ability to perform actions on their workstation that may cause corruption or security breaches. The two main areas of concern are: 

  1. Allowing customers to install, remove or run software that requires admin access
  2. Providing admin passwords to end users

Policies

Admin Passwords

Generally we do not provide our admin passwords to login to customers' services to the customers. In some cases the customer may have their own credentials. While this is still less than ideal from a security standpoint, the separation of credentials allows us to audit who is doing what, so we can track what exactly happened if something goes wrong. 

Running and Installing Software that Requires Admin Access  


Windows
We use AutoElevate to approve software changes and installations on Windows RMM computers. If a user wants to install or run software that we believe can cause damage to the machine or to the network, the Security Authorization contact must approve this change in writing (via email to a team member's inbox or to a ticket as a customer note).  


Macs
For Macs, we use AdminByRequest to approve temporary admin sessions on the machine. ABR requests come in and are approved or denied via the adminbyrequest request channel in Slack. 



Explaining This to Customers

Verbiage to use is here.

Procedure for Exceptions

Because we can temporarily give our permissions via the utilities above (which are installed on every RMM machine), users should never need admin access to their workstations. For any exception, the customer's Security Authorization contact must approve the exception and accept responsibility for any malware, hacking or other security breaches that (in our judgement) result. 

It's very rare that this happens, and it has to be approved by both CEO and Senior IT Specialist. Please document any exceptions using either of the following methods:

1. Upload the email to the customer's IT Glue site summary flexible asset and document the exception in the appropriate site summary field(s).
2. Enter the ticket number on which the customer note appears in the customer's IT Glue site summary flexible asset and document the exception in the appropriate site summary field(s).

    • Related Articles

    • Verbiage for RMM Customers About Providing Passwords or other Admin Permissions

      This is verbiage to use for RMM customers about providing permission to end users to run software requiring admin access. Use all or part of this. Please edit as needed. As a matter of basic cyber security, we strongly discourage giving users blanket ...

    • Remove Contact (User) for RMM Customer

      Use ticket category: Administrative Change/Request. Confirm the ticket contact field is populated Choose ticket template "[Current Customer] Remove Contact/User for Current RMM Customer" Save. Saving the ticket with this template causes an email to ...

    • Response to Privacy Concerns About Our Software on User and Company Devices

      Items in red may require editing.  ScreenConnect Privacy Concerns The software called ScreenConnect was downloaded onto laptops only, enabling GGIT technical support direct access to laptops when needed for updates or troubleshooting.  This software ...

    • Customer is Demanding on End User support but is not a help desk customer

      I scheduled your appointment for today as a courtesy; however, I'd like to remind you that this accommodation is an exception. Generally, we can’t accommodate end user support on such short notice. Your current RMM agreement does not guarantee a ...

    • RMM Workstation Setups, Swaps, and Removals: Workflow

      Adding an RMM Workstation or Swapping Users on an Existing RMM workstation. Start with ticket category: Curr MSA, add/del device/service Use ticket template 072: [Current Customer] RMM New Device Setup Follow instructions in the ticket description to ...