tightened or controlled over time to enhance overall endpoint security. This kind of strategy addresses a common concern with removing privileges, which is how users will react to the change.
We tend to recommend that organisations initially shift formerly administrative users into a high flex group, giving them similar privileges on the system while establishing and mapping out their usage patterns into a baseline. Then, as you mature in your understanding of what’s happening in your environment, user permissions can be tightened, with users stepped back into the medium flex and ultimately the low flex categorisation over time. Following this method, you can remove admin privileges and enhance security quickly and efficiently whilst avoiding negative friction with user groups.
It is worth explaining what each flexibility level looks like from a user and IT service desk perspective.
Users in the high flex group may be allowed to run trusted and approved applications with admin rights, and may also have permission to run unknown applications on demand, and with admin rights once they confirm that the application should be elevated. In addition, they can perform elevated tasks within the operating system, such as running control panel applets or modifying system settings.
A moderately flexible policy set gives users the ability to run known business applications and operating system functions, and to have admin rights on trusted applications. These users can still run unknown applications when they want to, but unlike their high flex group counterparts, they may be prompted to provide a reason before they can run an unknown application with admin rights. In addition, some operating system functions that require admin rights may be prevented and require support interaction.
The low flex group has a tighter set of rules. It will still allow known and approved business applications and operating system functions to run, but prompts users to contact support if a trusted or untrusted application requests admin rights, or if an unknown application tries to run. The practical reality for this group, however, is that they may only be impacted when trying to install or run applications with questionable business use or value, such as media streaming services.
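The step-down approach described above can be rehearsed before any user is moved: replay the baseline gathered in high flex against each tighter tier and see who would end up contacting support. The sketch below is an added example, not vendor code. The tier rules are one reading of the descriptions above, and the event fields, the `restricted_os_task` label and the "no support contact" readiness test are assumptions made for illustration.

```python
from collections import Counter

# Outcomes, ordered from least to most user friction.
ALLOW, CONFIRM, REASON, SUPPORT = "allow", "confirm", "reason", "support"

def decide(tier, kind, needs_admin):
    """One reading of the three flex tiers described above.

    kind: 'trusted_app', 'unknown_app', 'os_task' or 'restricted_os_task'
    (the last is a constructed label for the "some operating system
    functions" that medium flex hands to support).
    """
    if tier == "high":
        # Unknown apps elevate once the user confirms; everything else runs.
        return CONFIRM if kind == "unknown_app" and needs_admin else ALLOW
    if tier == "medium":
        if kind == "unknown_app" and needs_admin:
            return REASON
        if kind == "restricted_os_task" and needs_admin:
            return SUPPORT
        return ALLOW
    if tier == "low":
        if kind == "unknown_app":  # sent to support even without admin
            return SUPPORT
        if kind == "trusted_app" and needs_admin:
            return SUPPORT
        # Assumption: OS tasks are treated as in medium flex.
        if kind == "restricted_os_task" and needs_admin:
            return SUPPORT
        return ALLOW
    raise ValueError(f"unknown tier: {tier}")

def friction(events, tier):
    """Replay baseline events against a tier; count outcomes per user."""
    report = {}
    for user, kind, needs_admin in events:
        report.setdefault(user, Counter())[decide(tier, kind, needs_admin)] += 1
    return report

def ready_for(events, tier):
    """Users whose baseline would trigger no support contact at `tier`."""
    return sorted(u for u, c in friction(events, tier).items() if c[SUPPORT] == 0)

# Constructed baseline, as if collected while everyone sat in high flex.
BASELINE = [
    ("alice", "trusted_app", False), ("alice", "os_task", True),
    ("bob", "trusted_app", True), ("bob", "unknown_app", True),
    ("carol", "unknown_app", False), ("carol", "restricted_os_task", True),
]

if __name__ == "__main__":
    for tier in ("high", "medium", "low"):
        print(tier, ready_for(BASELINE, tier))
```

Users missing from a tier's list are the ones whose recorded usage needs a trusted-application rule or a conversation before they are stepped down.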