With privilege management, administrators can assign and regulate user privileges based on roles, responsibilities, and specific requirements. The privilege management feature supports privilege elevation, allowing temporary elevated access when needed, and privilege delegation, enabling non-admin users to perform delegated tasks without full administrative privileges. By enabling privilege policies and auditing capabilities, organizations can enforce access controls, track privileged operations, and ensure compliance with security policies and regulations. By implementing this feature in Endpoint Central, organizations can minimize security risks, prevent unauthorized actions, and maintain a secure and well-controlled IT environment. One important aspect of privilege management in Endpoint Central is the ability to remove or restrict administrator rights for specific users or groups. By removing excessive administrator privileges, organizations can minimize the potential security risks associated with unrestricted access to critical systems and resources.
Administrators have the option to allow users to elevate their user privileges by providing a justification. The provided justification will be logged, and this capability can be configured for specific applications or all allowlisted applications.
Removing admin rights in Endpoint Central helps to revoke or restrict administrative privileges for certain users or groups when it comes to managing applications on the endpoint devices. By doing so, you can enhance security and prevent unauthorized or malicious applications from being installed or executed. When you remove admin rights for a user or a group, it means they will no longer have the authority to install, modify, or remove applications on the endpoint devices. This restriction helps in reducing the risk of malware infections, unauthorized software installations, and other security vulnerabilities that may arise from unrestricted access to application management. By selecting a computer and clicking on Remove Local Admin, all Local Admin Accounts in it will be removed except for the ones retained in the Exclusion Policy. To remove admin rights, you have to configure an exclusion policy first. Policies to retain certain admin accounts globally can be created from the Exclusion Policy tab. These admin accounts are retained in all the computers that they are present in. The sysadmin can choose to retain only their account, the built-in administrators account, or any other account depending on their needs.
Once the exclusion policy is finalized, the sysadmin can remove the remaining unnecessary accounts either manually or automatically. Checking the Enable Automatic Removal box will immediately remove all other admin accounts from the computer groups selected. To delete these accounts manually, return to the Admin Rights Summary tab, select the computers that you wish to modify, and click on the Remove Local Admin option. All local admin accounts in the specified computers will be removed, except for the ones retained using the exclusion policy, if any. Once all unnecessary local admin accounts are removed, the sysadmin can proceed to create a Privileged Application List. This list can then be associated with custom groups of users devices that will then enable select users to run these applications as administrators, even if they are granted only standard user privileges.
Note: If you are unable to access this module in Endpoint Central Cloud, kindly contact Endpoint Central Cloud Support.