
 

ConnectWise

ConnectWise Access Management quick-start guide

Introduction

ConnectWise Access Management gives partners the tools to secure, monitor, and control access across their environment. This solution can handle User Account Control (UAC) requests, and it also allows an end user to sign into Windows with administrator privileges.

Requirements

ScreenConnect Version 2022.9 or later

Your version of ScreenConnect must be on 2022.9 or later. If you're on an earlier version, learn how to upgrade your installation.

Tip: Make sure to upgrade your access agents, as well!

Windows only

Currently this feature is only for Windows machines.

Access sessions only

This functionality is only available for access agents that are installed on Windows machines.

64-bit machines

Currently only 64-bit Windows machines are supported.

ConnectWise Access Management extension

The ConnectWise Access Management extension should be installed on your instance by default. If it is not, you can download it from the extension marketplace.

Default experience

To add Access Management permissions to additional technicians, see our article on adding Access Management permissions.

To change the end user experience, edit the settings in the Access Management extension.

Note: Roles that had the Administer permission prior to the 2022.9 release will automatically gain the RespondToAdministrativeLogonRequest permission for all sessions. Roles that had the RunCommandOutsideSession permission will automatically gain the RespondToElevationRequest permission for the corresponding sessions.

Send a request for administrative privileges via UAC prompt

When a non-administrator user triggers a UAC prompt, the prompt shows a new option and a new icon.

Note: By default, the logo here will be the ScreenConnect logo. However, if you’ve replaced your logos, especially ApplicationIconOpaque192, you’ll see your own logo instead.

They should click Request Elevation or Yes to submit an elevation request.


Handling an elevation request

Host client

If you connect to a machine with a UAC request and you have the RespondToElevationRequest permission, you can approve, deny, or dismiss an elevation request yourself by clicking the banner in the host client.


Host page: Handling an elevation request

You can also approve or deny an elevation request from the Host page. When an elevation request is received, the request appears on the Messages tab. The request includes information such as:

  • Program name
  • Publisher name
  • Certificate thumbprint
  • File path
  • File SHA-256
  • User
  • User groups


For each elevation prompt, there are three icons in the upper right hand corner of the block. 

  • The first icon shows the raw data of the elevation request.
  • The second creates a new access management rule for auto approvals, auto elevations, and auto denials of different applications. 
  • The third is an integration with VirusTotal to help determine if a file is malicious.

Run a VirusTotal scan

Click the icon to link to a VirusTotal report. 


The report will open in a separate tab. Review the report.


Approve or deny a request

After reviewing these request details, click Approve or Deny.


For each requested elevation prompt, there are two icons in the upper right hand corner of the block. 

  • The first creates a new access management rule for auto approvals, auto elevations, and auto denials of different applications. 
  • The second is an integration with VirusTotal to help determine if a file is malicious.

Using temporary administrator logon accounts

With this feature, no credentials are needed to use an administrative account. The user can simply request administrative privileges for a temporary logon account.

Note: This temporary account is disabled when the maintenance service finds that there aren’t any user processes running on the account. After thirty days, the account is deleted. You can change this default with the Advanced Configuration Editor.


Request a temporary Windows administrator account

1. Select the ScreenConnect logo on the Windows lock or logon screen 

From the Windows lock screen or logon screen, select the ScreenConnect logo.

Note: By default, the logo here will be the ScreenConnect logo. However, if you’ve replaced your logos, especially ApplicationIcon32, you’ll see your own logo instead.

2. Submit your request

Click the arrow or press the enter key to submit your request.

3. Wait for approval

Once you’ve submitted your request, your administrator will receive your message and approve or deny the request.


Handling temporary administrator account requests

From the host client

If you’re connected to the machine and you have the two required permissions, you can approve, deny, or dismiss an elevation request yourself by clicking the banner in the host client.


 

From the Host page

On the Host page, you’ll see a new message in the Messages tab that includes the request for administrator privileges. Click Approve or Deny to handle the request.


Create auto-approve, auto-elevate, and auto-deny rules

For elevation requests, you can create auto-approve, auto-elevate, and auto-deny rules straight from the elevation prompt alert or the elevation request. 

1. Click the second icon in the upper right hand corner of an Encountered Elevation Prompt block or Requested Elevation block.


This opens the Create Access Management Rule window.


2. Select an action

Select an action from the list. 

  • Auto-elevate – Automatically elevate an application without a user request
  • Auto-approve – Automatically approve an elevation request
  • Auto-deny – Automatically deny an elevation request

3. Select conditions for the rule

Click a condition to select it. For a full list of conditions, switch the view from Show Popular Conditions to Show All Conditions. 

4. Name your rule

Use an automatically-generated name, or switch off the Auto-generate option to type in your own name. 

5. Click Create

Click Create to finish your rule. To edit the rule, navigate to the Administration > Triggers page. 

 

New default triggers

By default, Access Management can send emails whenever an administrative logon request or an elevation request is made. Access Management includes two new triggers on the Administration > Triggers page:

  • Notify when an administrative logon request is sent
  • Notify when an elevation is sent

These two triggers will send an email to the default "To" address on the Administration > Mail page.

 

Auditing elevation prompts, requests, and responses

From the Audit page, you can view each elevation event and its resulting data.

New session events

New session events are included in the Session Event Filter. Select the Session Event Filter menu and select from these new session events towards the bottom of the menu.

The new session events are:

| Session event | Definition | Example data |
|---|---|---|
| EncounteredElevationPrompt | An elevation prompt appeared for the user | Data: #command_line="C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe" #file_path=C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe #file_size=43524776 #file_sha256=fda8cbf2ee876be4eb14d7affca3a0746ef4ae78341dbb589cbdddcf912db85c #signature_valid=true #signature_publisher=VideoLAN #certificate_thumbprint=bcb40c7d23c9db41766c780b5388fb70f3d570bf; Process: Guest; Address: xxx.xx.xx.xx |
| RequestedElevation | The user requested elevation | Process: Guest; Address: xx.xxx.xx.xxx |
| RequestedAdministrativeLogon | The user requested to log in with administrator privileges | Process: Guest; Address: xx.xxx.xx.xxx |
| ApprovedRequest | A ScreenConnect user with the RespondToElevationRequest or RespondToAdministrativeLogonRequest permissions approved the request. | Host: Cloud Account Administrator; Process: Unknown |
| DeniedRequest | A ScreenConnect user with the RespondToElevationRequest or RespondToAdministrativeLogonRequest permissions denied the request. | Host: Cloud Account Administrator; Process: Unknown |
| AbortedRequest | The user canceled the elevation request. | Process: Guest; Address: xx.xxx.xx.xxx |
| QueuedCredentialProviderProceed | Automatically take an action without waiting for an elevation request | |
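
Exported EncounteredElevationPrompt data can be triaged in bulk before anyone clicks Approve. The following is an added example, not ConnectWise code: it assumes the Data field is a run of space-separated #key=value pairs as in the example row above, and the review heuristics are illustrative choices rather than product behavior.

```python
import re

# Constructed sample "Data" strings. The first is the example row from this page;
# the second is invented (placeholder hash, unsigned, path containing a space).
SAMPLE_EVENTS = [
    r'#command_line="C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe" '
    r'#file_path=C:\Users\Joe\Desktop\vlc-3.0.17.4-win64.exe #file_size=43524776 '
    r'#file_sha256=fda8cbf2ee876be4eb14d7affca3a0746ef4ae78341dbb589cbdddcf912db85c '
    r'#signature_valid=true #signature_publisher=VideoLAN '
    r'#certificate_thumbprint=bcb40c7d23c9db41766c780b5388fb70f3d570bf',
    r'#command_line="C:\Users\Joe\AppData\Local\Temp\setup tool.exe" /quiet '
    r'#file_path=C:\Users\Joe\AppData\Local\Temp\setup tool.exe #file_size=1024 '
    r'#file_sha256=' + "0" * 64 + r' #signature_valid=false',
]

# Assumption: every field starts with "#name=" and runs to the next "#name=".
KEY = re.compile(r"(?:^|\s)#([a-z0-9_]+)=")
# Illustrative heuristic, not a product rule: folders a standard user can write to.
USER_WRITABLE = re.compile(r"\\(desktop|downloads|appdata|temp)\\", re.I)


def parse_event_data(data):
    """Split a Data string into a dict, keeping spaces inside values."""
    matches = list(KEY.finditer(data))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(data)
        fields[m.group(1)] = data[m.end():end].strip()
    return fields


def review_reasons(fields):
    """Return reasons to look at a request manually before approving it."""
    reasons = []
    if fields.get("signature_valid", "").lower() != "true":
        reasons.append("no valid signature")
    elif not fields.get("certificate_thumbprint"):
        reasons.append("signed but no certificate thumbprint")
    if USER_WRITABLE.search(fields.get("file_path", "")):
        reasons.append("runs from a user-writable folder")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", fields.get("file_sha256", "")):
        reasons.append("missing or malformed SHA-256")
    return reasons


if __name__ == "__main__":
    for row in SAMPLE_EVENTS:
        f = parse_event_data(row)
        print(f.get("file_path"), "->", review_reasons(f) or ["nothing flagged"])
```
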

 


 

Edit Access Management settings

To edit Access Management settings, navigate to the Administration > Extensions page in ScreenConnect. Find the Access Management extension, open the ... menu, and select Edit Settings.

Important: For each "CredentialProvider" key, each line within the value of the extension should be either:

  1. The name of a session group (e.g. ‘Host Connected’); or
  2. A raw session filter expression prefixed with ‘##’ (e.g. ‘##HostConnectedCount > 0’)

If at least one line evaluates to true for a given session, the corresponding setting is enabled for that session.

| Key | Description | Default Value |
|---|---|---|
| VirusTotalApiKey | Optional API key for an enhanced VirusTotal integration. Without a key, an icon link to a file's VirusTotal report is shown above elevation prompt messages. With a key, a VirusTotal lookup will be automatically performed for each elevation prompt, with the scan results added as fields to the elevation prompt message. | |
| CredentialProviderVisibleForElevationSelector | Determines whether the CAM credential provider is visible within UAC dialogs. | ##HostConnectedCount > 0 |
| CredentialProviderVisibleForAdministrativeLogonSelector | Determines whether the CAM credential provider is available for administrative login requests on the lock screen. | ##HostConnectedCount > 0 |
| CredentialProviderDefaultForElevationSelector | Determines whether the CAM credential provider is the default selected provider within UAC dialogs. | ##HostConnectedCount > 0 |
| CredentialProviderDefaultForAdministrativeLogonSelector | Determines whether the CAM credential provider is the default selected provider on the lock screen. | |
| CredentialProviderReasonVisibleForElevationSelector | Determines whether the reason input field is available in the CAM credential provider within UAC dialogs. | |
| CredentialProviderReasonVisibleForAdministrativeLogonSelector | Determines whether the reason input field is available in the CAM credential provider on the lock screen. | |
| CredentialProviderReasonRequiredForElevationSelector | Determines whether a reason is required when requesting UAC elevation through the CAM credential provider. | |
| CredentialProviderReasonRequiredForAdministrativeLogonSelector | Determines whether a reason is required when requesting administrative login through the CAM credential provider. | |