Why can I not install or update particular applications without intervention?
Some applications require "administrative" access to install or update, which is typically restricted in corporate environments.
Since the distinction between "standard users" and "administrators" was created, the accepted corporate security best practice has been to use devices day to day as a standard user. This is not due to a lack of trust between employer and employee; it is simply a way to protect the business by mitigating the risk of data loss from unintentional or intentional actions taken by the user.
Some applications make changes to the system that require an administrator's approval. Here are some examples of actions that might stop a standard user from installing or updating an application:
- An application is being installed for all users on the system instead of just a single user
- An application wants to alter a system setting, such as which applications run on startup or how the network firewall is configured
- An application wants to install or update a driver
Because these settings affect the security of the overall system, an administrator's approval is required to proceed.
Malicious applications ("malware") very often perform one or more of these system-level actions in order to weaken the system's defenses and attain persistence by running themselves on startup. In this way, the malicious application can remain running in the background, collecting data from your device and sending it off for analysis without you ever knowing.
Corporate data security also involves configuring many device settings by policy in order to keep the device secure. An administrator is able to circumvent or disable these policies, possibly bringing the machine out of compliance with the company's data security policy. This increases the risk to the company.
Here are some examples of controls that could be disabled by an administrator:
- Antivirus could be disabled or removed entirely
- Antivirus updates could be disabled, rendering it ineffective against newer attacks
- The network firewall could be disabled, allowing a doorway for attacks from outside of the machine
- More comprehensive security software, such as Endpoint Detection and Response (EDR) software, could be disabled or removed
- Regularly scheduled updates to the operating system or applications, which are necessary to close security holes, could be delayed or removed
Ultimately, limiting administrative access to devices benefits the company and the user by greatly reducing the overall risk to both.
Tridium limits device administrative access by default, as part of our security best practices. Clients who want their users to have administrative access to their devices must specifically request it and must sign a waiver acknowledging the risk that it introduces to their corporate data security posture.