Run-As Support

Windows

🚧

USE VERSION 2.8.0+

The Run-as feature is only available in HYPR Workforce Access Client 2.8.0 and above.

Overview

This article describes how to use the HYPR Workforce Access Client with the HYPR mobile app to escalate admin privileges for a domain user account. It covers two flows: a multi-user, multi-device flow (Local Run-as / Helpdesk) and a multi-user, single-device flow (Privilege escalation).

Prerequisite

  1. Download the HYPR mobile app
  2. Install the HYPR Workforce Access Client on the domain machine

Use Cases

  1. Localized Run As: multi-user, multi-device flow
  2. Multi-user account: multi-user, single-device flow

Use Case 1: Localized Run As

Why is this important?
In enterprises, domain users go to helpdesk admins to fix problems with their workstations. To find the root cause, helpdesk administrators have to manually enter their admin username/password to get admin access to applications such as Regedit. With HYPR, any helpdesk admin can log in without entering a username/password.

To begin, a domain user must first register their mobile device.

Step 1: Log in with your Domain user credentials

Step 2: Register a domain user account with the HYPR mobile app.

Complete registration by scanning the QR code with the HYPR mobile app and enrolling the authenticator. After pairing, the mobile device will show a success screen.

The steps so far cover the domain user. The following steps show how a domain admin can pair with a mobile device. Start at the screen shown below.

Step 3: Log in as a domain/local admin

📘

Note

You can only perform the steps below if you have admin privileges.

Step 4: Register a domain admin account with the HYPR mobile app.

Complete registration by scanning the QR code with the HYPR mobile app and enrolling the authenticator. After pairing, there will be a success screen on the mobile device.

At this point, two registrations are complete: account 1 (domain user) on device 1 and account 2 (domain admin) on device 2. The next steps show how a domain admin can obtain escalated privileges without entering a username/password.

Step 5: Log in as the domain user

Step 6: Right-click on 'Regedit' and click on 'Run as administrator'.

Step 7: Use the HYPR mobile app to log into the admin account

Use Case 2: Multi-User Single Device (Privilege Escalation)

A domain user can obtain elevated local admin access with a single mobile device. These are the steps.

Step 1: Log in with your Domain user credentials.

Step 2: Register a domain user account with the HYPR mobile app.

Complete registration by scanning the QR code with the HYPR mobile app and enrolling the authenticator. After pairing, there will be a success screen on the mobile device.

Step 3: Register a local admin account with the HYPR mobile app. Shift + Right-click on the HYPR app on the desktop and select "Run as administrator".

Step 4: Enter the Local Admin credentials to open the Workforce Access client application.

Step 5: Register in the Workforce Access client application using the same mobile app. Complete enrollment as usual, and you will see a second user account added to your mobile app.

Step 6: Escalate user privileges by authenticating with the HYPR mobile app.

Attempt to perform an action that requires admin privileges.

Authenticate with the HYPR mobile app when the permissions escalation prompt is shown.

🚧

Note

"Run as different user" can only be used to register/enroll with another account. If the user wants to log in, use "Run as administrator" instead.

The "Run as different user" functionality is demonstrated so that any user account (local admin, domain user, domain admin) can be used to register as the second account. As explained above, it cannot be used for login.