ConnectWise Access Management quick-start guide
Introduction
ConnectWise Access Management (CAM) gives partners the tools to secure, monitor, and control access across their environment. This solution can handle User Account Control (UAC) elevation requests, and it also allows an end user to sign into Windows with administrator privileges through a temporary account.
Requirements
ScreenConnect Version 2022.9 or later
Your version of ScreenConnect must be on 2022.9 or later. If you're on an earlier version, learn how to upgrade your installation.
Tip: Make sure to upgrade your access agents, as well!
Windows only
Currently this feature is only for Windows machines.
Access sessions only
This functionality is only available for access agents that are installed on Windows machines.
64-bit machines
Currently only 64-bit Windows machines are supported.
ConnectWise Access Management extension
The ConnectWise Access Management extension should be installed on your instance by default. If it is not, you can download it from the extension marketplace.
Default experience
- By default, only roles with the ScreenConnect Administer permission have the RespondToAdministrativeLogonRequest permission needed to respond to administrator logon requests.
- Only roles with the RunCommandOutsideSession permission have the RespondToElevationRequest permission needed to respond to elevation requests.
- End-user-facing features of Access Management only appear on end user machines while an administrator or technician is connected to the machine.
To add Access Management permissions to additional technicians, see our article on adding Access Management permissions.
To change the end user experience, edit the settings in the Access Management extension.
Note: When you upgrade to 2022.9, roles that had the Administer permission before the upgrade automatically gain the RespondToAdministrativeLogonRequest permission for all sessions. Roles that had the RunCommandOutsideSession permission automatically gain the RespondToElevationRequest permission for the corresponding sessions.
Send a request for administrative privileges via UAC prompt
When a non-administrator user triggers a UAC prompt, the prompt shows a new option and a new icon.
Note: By default, the logo here will be the ScreenConnect logo. However, if you’ve replaced your logos, especially ApplicationIconOpaque192, you’ll see your own logo instead.
They should click Request Elevation or Yes to submit an elevation request.
Handling an elevation request
Host client
If you're connected to a machine with a pending elevation request and you have the RespondToElevationRequest permission, you can approve, deny, or dismiss the request yourself by clicking the banner in the host client.
Host page: Handling an elevation request
You can also approve or deny an elevation request from the Host page. When an elevation request is received, the request appears on the Messages tab. The request includes information such as:
- Program name
- Publisher name
- Certificate thumbprint
- File path
- File SHA-256
- User
- User groups
For each Encountered Elevation Prompt block, there are three icons in the upper right hand corner of the block.
- The first icon shows the raw data of the elevation request.
- The second creates a new access management rule for auto approvals, auto elevations, and auto denials of different applications.
- The third is an integration with VirusTotal to help determine if a file is malicious.
Run a VirusTotal scan
Click the icon to link to a VirusTotal report.
The report will open in a separate tab. Review the report.
Approve or deny a request
After reviewing these request details, click Approve or Deny.
For each Requested Elevation block, there are two icons in the upper right hand corner of the block.
- The first creates a new access management rule for auto approvals, auto elevations, and auto denials of different applications.
- The second is an integration with VirusTotal to help determine if a file is malicious.
Using temporary administrator logon accounts
With this feature, the end user never needs to know administrator credentials. The user simply requests administrative privileges, and a temporary local administrator logon account is provisioned for them once the request is approved.
Note: This temporary account is disabled when the maintenance service finds that there aren’t any user processes running on the account. After thirty days, the account is deleted. You can change this default with the Advanced Configuration Editor.
Request a temporary Windows administrator account
1. Select the ScreenConnect logo on the Windows lock or logon screen
From the Windows lock screen or logon screen, select the ScreenConnect logo.
Note: By default, the logo here will be the ScreenConnect logo. However, if you’ve replaced your logos, especially ApplicationIcon32, you’ll see your own logo instead.
2. Submit your request
Click the arrow or press the enter key to submit your request.
3. Wait for approval
Once you’ve submitted your request, your administrator will receive your message and approve or deny the request.
Handling temporary administrator account requests
From the host client
If you're connected to the machine and you have the required permissions (see Default experience), you can approve, deny, or dismiss an administrative logon request yourself by clicking the banner in the host client.
From the Host page
On the Host page, you'll see a new message in the Messages tab that includes the request for administrator privileges. Click Approve or Deny to handle the request.
Create auto-approve, auto-elevate, and auto-deny rules
For elevation requests, you can create auto-approve, auto-elevate, and auto-deny rules straight from the elevation prompt alert or the elevation request.
1. Click the second icon in the upper right hand corner of an Encountered Elevation Prompt block or Requested Elevation block.
This opens the Create Access Management Rule window.
2. Select an action
Select an action from the list.
- Auto-elevate – Automatically elevate an application without a user request
- Auto-approve – Automatically approve an elevation request
- Auto-deny – Automatically deny an elevation request
3. Select conditions for the rule
Click a condition to select it. For a full list of conditions, switch the view from Show Popular Conditions to Show All Conditions.
4. Name your rule
Use an automatically-generated name, or switch off the Auto-generate option to type in your own name.
5. Click Create
Click Create to finish your rule. To edit the rule, navigate to the Administration > Triggers page.
New default triggers
By default, Access Management can send emails whenever an administrative logon request or an elevation request is made. Access Management includes two new triggers on the Administration > Triggers page:
- Notify when an administrative logon request is sent
- Notify when an elevation request is sent
These two triggers will send an email to the default "To" address on the Administration > Mail page.
Auditing elevation prompts, requests, and responses
From the Audit page, you can view each elevation event and its resulting data.
New session events
New session events are included in the Session Event Filter. Select the Session Event Filter menu and select from these new session events towards the bottom of the menu.
The new session events are:
Session event | Definition | Example data |
---|---|---|
EncounteredElevationPrompt | An elevation prompt appeared for the user. | Data: #command_line="C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe" #file_path=C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe #file_size=43524776 #file_sha256=fda8cbf2ee876be4eb14d7affca3a0746ef4ae78341dbb589cbdddcf912db85c #signature_valid=true #signature_publisher=VideoLAN #certificate_thumbprint=bcb40c7d23c9db41766c780b5388fb70f3d570bf Process: Guest Address: xxx.xx.xx.xx |
RequestedElevation | The user requested elevation. | Process: Guest Address: xx.xxx.xx.xxx |
RequestedAdministrativeLogon | The user requested to log in with administrator privileges. | Process: Guest Address: xx.xxx.xx.xxx |
ApprovedRequest | A ScreenConnect user with the RespondToElevationRequest or RespondToAdministrativeLogonRequest permission approved the request. | Host: Cloud Account Administrator Process: Unknown |
DeniedRequest | A ScreenConnect user with the RespondToElevationRequest or RespondToAdministrativeLogonRequest permission denied the request. | Host: Cloud Account Administrator Process: Unknown |
AbortedRequest | The user canceled the elevation request. | Process: Guest Address: xx.xxx.xx.xxx |
QueuedCredentialProviderProceed | An automatic action (for example, an auto-elevate rule) proceeded without waiting for an elevation request. | |
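The EncounteredElevationPrompt data above is what an auto-approve, auto-elevate, or auto-deny rule (see "Create auto-approve, auto-elevate, and auto-deny rules") has to work from. The following is an added example, not ConnectWise's code: it parses that #key=value format and applies a small allowlist policy of the kind you would encode in rules. The Policy class, the decide/triage functions, the user-writable path fragments, and the second and third sample events are constructed for this example; the first sample event is the page's own. The security point is that the rule keys on certificate_thumbprint and signature_valid rather than on signature_publisher, because the publisher string is just the certificate subject and is trivially imitated by an unsigned binary.

```python
"""Triage EncounteredElevationPrompt audit data against an allowlist policy."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "#key=value" pair. The value is either double-quoted (and may contain
# spaces) or bare, in which case it runs until the next " #key=" or the end
# of the line. Bare values may also contain spaces (see the samples below).
_PAIR_RE = re.compile(r'#(\w+)=(?:"([^"]*)"|(.*?))(?=\s+#\w+=|\s*$)')

# Path fragments a standard user can normally write to (an assumption for this
# example). An unsigned binary launched from one of these is the classic
# "user ran a download" case.
_USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_event_data(data: str) -> dict[str, str]:
    """Parse the Data field of an EncounteredElevationPrompt event into a dict."""
    fields: dict[str, str] = {}
    for m in _PAIR_RE.finditer(data):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


@dataclass(frozen=True)
class Policy:
    # Certificate thumbprints whose signed binaries may be elevated without a
    # technician. Match on the thumbprint, not signature_publisher: the
    # publisher string is just the certificate subject and is trivially copied.
    trusted_thumbprints: frozenset[str] = frozenset()
    # File SHA-256 values that must never be elevated, even if validly signed.
    blocked_sha256: frozenset[str] = frozenset()


def decide(fields: dict[str, str], policy: Policy) -> str:
    """Return 'auto-elevate', 'auto-deny', or 'manual' (leave it for a human)."""
    sha256 = fields.get("file_sha256", "").lower()
    thumb = fields.get("certificate_thumbprint", "").lower()
    signed = fields.get("signature_valid", "").lower() == "true"
    path = fields.get("file_path", "").lower()

    if sha256 and sha256 in policy.blocked_sha256:
        return "auto-deny"
    # A thumbprint only means something when Windows validated the signature.
    if signed and thumb and thumb in policy.trusted_thumbprints:
        return "auto-elevate"
    if not signed and any(frag in path for frag in _USER_WRITABLE):
        return "auto-deny"
    return "manual"


def triage(events: list[str], policy: Policy) -> list[tuple[str, str]]:
    """Map each raw event Data line to (file_path, decision)."""
    out = []
    for data in events:
        fields = parse_event_data(data)
        out.append((fields.get("file_path", ""), decide(fields, policy)))
    return out


# Sample inputs. The first is the page's own example event; the other two
# are constructed for this example.
SAMPLE_EVENTS = [
    r'#command_line="C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe" '
    r'#file_path=C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe #file_size=43524776 '
    r'#file_sha256=fda8cbf2ee876be4eb14d7affca3a0746ef4ae78341dbb589cbdddcf912db85c '
    r'#signature_valid=true #signature_publisher=VideoLAN '
    r'#certificate_thumbprint=bcb40c7d23c9db41766c780b5388fb70f3d570bf',
    # Unsigned binary in Downloads that merely claims a well-known publisher.
    r'#command_line="C:\Users\Joe\Downloads\update helper.exe" '
    r'#file_path=C:\Users\Joe\Downloads\update helper.exe #file_size=1024 '
    r'#file_sha256=0000000000000000000000000000000000000000000000000000000000000001 '
    r'#signature_valid=false #signature_publisher=VideoLAN #certificate_thumbprint=',
    # Validly signed by a vendor that is not on the allowlist.
    r'#command_line="C:\Program Files\Acme\acme-setup.exe" '
    r'#file_path=C:\Program Files\Acme\acme-setup.exe #file_size=2048 '
    r'#file_sha256=0000000000000000000000000000000000000000000000000000000000000002 '
    r'#signature_valid=true #signature_publisher=Acme Corp '
    r'#certificate_thumbprint=1111111111111111111111111111111111111111',
]

# Constructed policy: trust the certificate seen in the page's sample event.
SAMPLE_POLICY = Policy(
    trusted_thumbprints=frozenset({"bcb40c7d23c9db41766c780b5388fb70f3d570bf"})
)

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(f"{verdict:13} {path}")
```

Run as-is, the three samples come out as auto-elevate, auto-deny, and manual respectively. Anything that is not a clear allow or a clear block is left for a technician, which is the same posture the Approve/Deny workflow above expects; a policy that auto-elevates on publisher name alone would approve the second sample.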
Edit Access Management settings
To edit Access Management settings, navigate to the Administration > Extensions page in ScreenConnect. Find the Access Management extension, open the ... menu, and select Edit Settings.
Important: For each key whose name begins with "CredentialProvider", each line of the setting value must be either:
- The name of a session group (for example, Host Connected); or
- A raw session filter expression prefixed with ## (for example, ##HostConnectedCount > 0)
If at least one line evaluates to true for a given session, the corresponding setting is enabled for that session. An empty value has no lines to match, so it disables the setting for every session.
Key | Description | Default Value |
---|---|---|
VirusTotalApiKey | Optional API key for an enhanced VirusTotal integration. Without a key, an icon link to a file's VirusTotal report is shown above elevation prompt messages. With a key, a VirusTotal lookup will be automatically performed for each elevation prompt, with the scan results added as fields to the elevation prompt message. | |
CredentialProviderVisibleForElevationSelector | Determines whether the CAM credential provider is visible within UAC dialogs. | ##HostConnectedCount > 0 |
CredentialProviderVisibleForAdministrativeLogonSelector | Determines whether the CAM credential provider is available for administrative login requests on the lock screen. | ##HostConnectedCount > 0 |
CredentialProviderDefaultForElevationSelector | Determines whether the CAM credential provider is the default selected provider within UAC dialogs. | ##HostConnectedCount > 0 |
CredentialProviderDefaultForAdministrativeLogonSelector | Determines whether the CAM credential provider is the default selected provider on the lock screen. | |
CredentialProviderReasonVisibleForElevationSelector | Determines whether the reason input field is available in the CAM credential provider within UAC dialogs. | |
CredentialProviderReasonVisibleForAdministrativeLogonSelector | Determines whether the reason input field is available in the CAM credential provider on the lock screen. | |
CredentialProviderReasonRequiredForElevationSelector | Determines whether a reason is required when requesting UAC elevation through the CAM credential provider. | |
CredentialProviderReasonRequiredForAdministrativeLogonSelector | Determines whether a reason is required when requesting administrative login through the CAM credential provider. | |
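To check which of these settings a given session ends up with, it helps to see the line-by-line OR semantics in code. The following is an added example, not ConnectWise's extension code and not its session filter engine: it evaluates a multi-line selector value against a session, treating ## lines as filter expressions and other lines as session group names. The filter language here is a small assumed subset (Property op literal, joined by AND and OR); the group definitions, the session properties, and the tightened ReasonRequired setting are constructed for the example. The default value of ##HostConnectedCount > 0 from the table is used as-is.

```python
"""Evaluate CredentialProvider*Selector values against a session."""
from __future__ import annotations

import re

# Filter subset assumed for this example (ScreenConnect's real session filter
# language is richer): terms of the form "Property op literal" joined by
# AND and OR, with AND binding tighter than OR. Literals are 'strings',
# integers, or true/false.
_TERM_RE = re.compile(
    r"^\s*(\w+)\s*(>=|<=|<>|!=|=|>|<)\s*('[^']*'|-?\d+|true|false)\s*$", re.I
)


def _literal(tok: str):
    if tok.startswith("'"):
        return tok[1:-1]
    if tok.lower() in ("true", "false"):
        return tok.lower() == "true"
    return int(tok)


def _term(session: dict, text: str) -> bool:
    m = _TERM_RE.match(text)
    if not m:
        raise ValueError(f"unsupported filter term: {text!r}")
    name, op, rhs = m.group(1), m.group(2), _literal(m.group(3))
    lhs = session.get(name)
    if lhs is None:
        return False  # a property the session lacks never matches
    if isinstance(lhs, str) and isinstance(rhs, str):
        lhs, rhs = lhs.casefold(), rhs.casefold()
    if op == "=":
        return lhs == rhs
    if op in ("<>", "!="):
        return lhs != rhs
    if type(lhs) is not type(rhs):
        return False  # no ordering across types
    return {">": lhs > rhs, ">=": lhs >= rhs, "<": lhs < rhs, "<=": lhs <= rhs}[op]


def evaluate_filter(session: dict, expr: str) -> bool:
    """OR of AND-groups. Keywords are split on whitespace boundaries, so a
    quoted literal containing ' or ' is out of scope for this subset."""
    return any(
        all(_term(session, t) for t in re.split(r"\s+AND\s+", clause, flags=re.I))
        for clause in re.split(r"\s+OR\s+", expr, flags=re.I)
    )


def selector_enabled(value: str, session: dict, groups: dict[str, str]) -> bool:
    """True if at least one non-empty line of the setting value matches.

    Lines starting with ## are raw filter expressions; any other line is a
    session group name, resolved through `groups` (name -> the group's own
    filter expression). An unknown group name matches nothing, so a typo in
    a selector fails closed rather than enabling the provider everywhere.
    An empty value has no lines and so disables the setting for every session."""
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        expr = line[2:] if line.startswith("##") else groups.get(line)
        if expr is not None and evaluate_filter(session, expr):
            return True
    return False


def enabled_settings(settings: dict[str, str], session: dict, groups: dict[str, str]) -> list[str]:
    """Names of the CredentialProvider* settings that are on for this session."""
    return [k for k, v in settings.items() if selector_enabled(v, session, groups)]


DEFAULT_SELECTOR = "##HostConnectedCount > 0"

# Constructed session groups (name -> filter expression) and settings. The
# last setting tightens the defaults: a reason is required on Tier 1 boxes.
SAMPLE_GROUPS = {
    "Host Connected": "HostConnectedCount > 0",
    "Tier 1 Workstations": "CustomProperty1 = 'Tier1'",
}
SAMPLE_SETTINGS = {
    "CredentialProviderVisibleForElevationSelector": DEFAULT_SELECTOR,
    "CredentialProviderVisibleForAdministrativeLogonSelector": DEFAULT_SELECTOR,
    "CredentialProviderDefaultForElevationSelector": DEFAULT_SELECTOR,
    "CredentialProviderDefaultForAdministrativeLogonSelector": "",
    "CredentialProviderReasonRequiredForElevationSelector": "Tier 1 Workstations",
}
# Constructed session: a technician is connected to a Tier 1 workstation.
SAMPLE_SESSION = {"SessionID": "example", "HostConnectedCount": 1, "CustomProperty1": "Tier1"}

if __name__ == "__main__":
    for name in enabled_settings(SAMPLE_SETTINGS, SAMPLE_SESSION, SAMPLE_GROUPS):
        print("enabled:", name)
```

With the sample session the three defaulted selectors and the constructed ReasonRequired selector are enabled; the empty CredentialProviderDefaultForAdministrativeLogonSelector is not. The practical consequence of the shipped default is that the credential provider is only offered while a host is connected, so loosening a selector to a broad group such as all machines changes what an unattended end user sees on the lock screen and in UAC dialogs.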