This page describes how to use the HYPR Passwordless client with the HYPR Mobile App to escalate admin privileges for a domain user account. In this document we will show a multi-user, multi-device flow (Local Run-as / Helpdesk) and multi-user single device flow (Privilege escalation).
Why is this important?
In enterprises, domain users can go to helpdesk admins to fix any problems associated with their workstation. Helpdesk administrators have to manually enter their admin username/password to get admin access to applications like Regedit, etc., to find the root cause of the problem. Now, any helpdesk admin can use HYPR to login without entering a username/password.
- Login as a domain user and pair a mobile device following the steps in Pairing with the HYPR Mobile App.
- Login as an administrator, and right-click HYPR HYPR Passwordless client to Run as administrator.
- Pair a separate mobile device following the steps in Pairing with the HYPR Mobile App.
At this point you have successfully paired on device 1 - account 1 (domain user) and device 2 - account 2 (domain admin). Now let's see how a domain admin can obtain escalated privilege without entering username/password.
- Login as a domain user.
- Right-click any application and choose Run as administrator.
- Choose the HYPR Mobile App option to login to an admin account.
- Complete HYPR Passwordless authentication using the method you chose earlier.
- The workstation will require administrator credentials; provided the workstation is configured to allow the admin passwordless access, no passwords will be required to access the chosen application as an administrator.
A domain user can get elevated access of a local admin with a single mobile device. These are the steps.
Login with your domain user credentials and follow the instructions for Pairing with the HYPR Mobile App.
- Shift + right-click the HYPR Passwordless client icon and select Run as administrator.
- Enter the local admin credentials to open the HYPR Passwordless application.
- Register with the HYPR Passwordless client application using the same HYPR Mobile App. Once enrollment is finished, you will see a second user account added to the HYPR Mobile App.
- While logged in as a non-admin domain user, attempt to launch a program using Runs as administrator.
- Choose to authenticate with the HYPR Mobile App when a permissions escalation prompt is given.
- Authenticate via HYPR using the method you chose for the local admin earlier. The application passwordlessly opens with administrator permissions.
Run as... a different user can only be used to register/enroll with another account. If the user wants to log in, then please use Run as administrator.
Run as... functionality is demonstrated so that any user account (local admin, domain user, domain admin) can be used to register as the second account. But as explained, it cannot be used for login.
Updated 3 months ago