Ask AI
All Categories
Product Information
Getting Started: End User Elevation

Getting Started: End User Elevation

Evo End User Elevation enables users to send requests for administrative privileges to execute applications or installers even if their accounts do not have standing administrative rights. Upon submission, the request is forwarded to a technician for review, where it can be either approved or denied.

To simplify usage and administration, rules can be defined within the Evo Partner Portal to automatically approve or deny requests based on criteria about the application being requested and also be scoped to specific users, groups, endpoints, and tenants so that just the right people can do just the right things.

Evo Portal Setup

These instructions assume that you already have access to your Evo Partner Portal and have completed the basic steps to setup your MSP with Evo.

If not, head over to our MSP Onboarding Guide and compete the steps there first!

Note: In particular, these directions assume that the technicians that will respond to elevation requests already have access to the Evo Partner Portal and have the Evo Authenticator app installed. We recommend completing those steps before proceeding.

Agents & Licenses

Enable Training Mode

Training Mode allows the Evo Agent to be put into the field with End User Elevation enabled but prevents users from having to make requests for elevation via Evo. When deployed this way, users continue operating with the permissions they have always had but with the system recording each action that was undertaken using admin privileges.

After running for a period of time, those observations can then easily be turned into elevation rules in Evo for actions that you want to continue to allow, minimizing the user impact once Training Mode is disabled and admin rights are withdrawn from those users' accounts.

Note: If the Evo Agent is deployed with EUE turned on but without Training Mode enabled for that Tenant, users will immediately be required to send requests for elevation via Evo. If you don’t want that to happen until after you have built rules and prepared your users, we recommend starting with Training Mode turned on.

Note: With the Evo Agent deployed even in Training Mode, users will begin to see our custom UAC prompt. They will be able to just click through it as they have always been able to click through standard Windows UAC, this is just a small aesthetic change that users may notice even before EUE is fully enabled.

Note: When a user is running an application for the first time they will be prompted to enter their credentials. This is needed so we can run the applications as them and proceed with the Training Mode.

  1. Navigate to Elevation > Training.
      2. Notion image
  1. Select Training Setup and check the box next to the Tenant(s) to which you will be deploying Evo Agents (or for which you will starting the EUE rollout, if the Agent is already deployed for other Evo products.)
  1. Select Save to commit the changes.

Deploy Agents

The Evo Endpoint Agent needs to be deployed to each endpoint on which Technician Elevation will be available as it facilitates the authentication of an Evo user into an administrator account on the target machine.

Refer to our Windows Agent Deployment article to complete that process.

Assign Licenses

End User Elevation is licensed per endpoint, so each endpoint that has the Evo Agent on it for purposes of facilitating EUE requests will need to have a license.

  1. In your Evo Partner Portal, navigate to Endpoints > Computers.
    1. Note: You can do this in either the Global scope if you are assigning to multiple tenants, or you can pick a particular tenant from the dropdown menu at the top of the left nav to scope your view to just that tenant.
  1. Select the machines to which you would like to assign an End User Elevation license using the checkboxes at the left and then click Assign EUE License from the menu at the bottom of the table.

Note: Refer to our full article on managing user licenses for fuller details of how to manage Evo licenses.

Configure Custom Branding (optional)

The Evo Agent can be configured to display your MSP’s logo and other custom branding on the request and approval screens that users will see on their endpoints.

See our article on Custom EUE Branding for details on how to configure. This process can be completed at any time, so it may be something that you want to come back to later if you’re just getting started with testing EUE.

Preparation & Rules

Determine Deployment Strategy

There are three ways to approach rolling out End User Elevation. The right path depends on your users and whether or not they currently have administrative rights and how you are currently managing elevation requests.

If Your Users Do Not Have Admin Rights

If your users already do not have administrative rights and are requesting assistance each time they need it, we recommend enabling End User Elevation without any pre-made rules. The users' experience will improve right away by automating the request experience, and you can build a rule set over time to gain more efficiency in serving those requests.

If Your Users Do Have Admin Rights

If your users do have administrative rights, then rolling out Evo End User Elevation will be a part of your overall project plan for reducing those users' administrative rights.

The overall process is to build rules that will automatically approve the most common things that users can and should be allowed to do using elevated permissions. Think about things like software updaters, installers for approved programs, and other common actions.

The data from Training Mode gives you visibility into what actions users are currently taking with admin privileges before removing any admin privileges. You can then use that visibility to build rules to permit or deny actions before actually changing anything for the users.

If You Are Replacing An Existing Elevation Solution

If you are replacing an existing admin elevation solution and want to duplicate your existing rules, we recommend duplicating your existing rules in Evo before migrating endpoints to Evo End User Elevation.

We do not currently support the automated migration of rules from other solutions (and it is typically difficult to do so because that rule data is typically not readily available from other vendors.) But please contact Evo Support if you have specific questions about the migration process or are interested in working with us to develop an automated migration path.

Note: We do not recommend deploying Evo until the previous elevation solution has been removed from the endpoints as having multiple solutions trying to simultaneously manage processes like Windows User Access Control may cause unpredictable behaviors.

Build Rules

To configure automatic approval for specific applications when a user requests End User Elevation, rules can be created in one of two ways.

Creating A Rule From A Request or From Training Data

  1. Navigate to Elevation > Requests or Elevation > Training as appropriate.
  1. Select an entry from the table from which you would like to create a rule. Scroll down and select Create Rule From This Request.
  1. Proceed through defining the rule according to your preferences. The file criteria will be automatically filled in for you to pick from based on the request, but you will pick which criteria for the rule to actually use for matching future requests.
    1. Note: We recommend including robust criteria such as certificate details or file hashes to ensure that weaker criteria like deceptive file names cannot bypass proper review.
Notion image
  1. Then pick the Execution Mode and the scope to which the rule will apply. Rules can be assigned to specific Users, Groups, and Endpoints to ensure controlled and automated elevation approvals.
Notion image

Creating A Manual Rule

You can also create rules by dragging-and-dropping files directly into the Evo Portal. Navigate to the Rules tab and select “Create Rule.”

Here, you can upload executable files such as .exe, .dll, .scr, or .msi, and the system will automatically extract and populate the application details. Based on the extracted information, you can select the relevant attributes for rule creation by checking the corresponding boxes.

  1. Navigate to Elevation > Rules and select Create Rule.
  1. Drag-and-drop a file into the upload box to populate the rule criteria into your rule automatically. Much as in the request-based rule creation flow, you will pick matching criteria and the scope for your rule.
Notion image
Notion image
Notion image

Approvals & Notifications

Configure Permissions for Technicians

Technicians will need permissions for Elevation Requests as well as to particular Tenants in order to field EUE requests from those tenants.

We recommend adding the Elevation Requests set of permissions (or a sub-set according to your preferences and security policies) to an appropriate Role already defined for technician users who will manage elevation requests.

  1. Navigate to Evo Admin > Permissions > Roles.
  1. Either Edit an existing Role or click New and create a new Role with a name like “End User Elevation Approvers”.
  1. Add the “Elevation Requests” permission to the Role.
    1. Note: Adding the entire “Elevation Requests” permissions set will allow users to do everything related to EUE requests and rules including making changes to rules for your entire MSP Environment (i.e., all Tenants) and allowing SYSTEM-level elevation via rules.
      1. This may be desirable for small teams where a handful of people will be managing all aspects of requests and rules.
      2. For larger teams or those with more segmented security policies, just adding the Manage Elevation Requests and Mobile Technician Elevation permissions are the minimum for approving requests and using the Evo Authenticator mobile app to handle requests.
          3. Notion image
  1. Navigate to Evo Admin > Permissions > Tenant Access and verify that the relevant technicians have access to the relevant Tenants.

Configure Notifications

There are two methods of technician notification for new EUE requests: push notifications to the Evo Authenticator app and email.

Mobile Push Notifications

All technicians configured with the permissions described above who have the Evo Authenticator app running in Technician Mode will receive push notifications of new EUE requests.

Notifications can be managed or disabled from the Evo Authenticator app under Settings > Notification Settings.

Email Notifications

Email notifications are managed from the Evo Partner Portal.

  1. Navigate to Elevation > Email Notifications.
  1. Click New and enter the source Tenant(s) and destination email addresses.

Deployment

Enable Elevation Enforcement

To fully enable End User Elevation, we will just turn off Training Mode for the relevant Tenant(s). Once this is done, your users will begin to see Evo prompts to request admin actions and provide a reason for the request for your team to review.

Notion image
  1. Navigate to Elevation > Training. Select Training Setup from the top right.
  1. Find the Tenant(s) (or Users, Groups, etc. if you initially configured Training Mode differently) in the Training Mode Configuration table and uncheck the box next to them.
  1. Select Save to commit the changes.

🎉 Congratulations! Evo End User Elevation is now enabled! 🎉

Remove Local Admin Permissions

The final step in improving your MSP’s security is to remove the administrator permissions from standard user accounts.

  1. Navigate to Vault > Local Accounts in the Evo Partner Portal.
  1. Select the accounts that you would like to modify from the checkboxes at the left, then select either Demote or Delete depending on how you would like to handle them.

You have now dramatically improved the security posture of your MSP and customers - and also improved your users’ experience by providing a clean, delightful way to request permissions when needed without having to submit a ticket.

Please reach out to Evo Support with any questions!

 
Did this answer your question?
😞
😐
🤩
Web Accounts Usage Guide: End User Elevation