A Recast Proxy is a service that runs under a service account. Different Configuration Manager and Active Directory permissions are required depending on which tasks you're using the Recast Proxy for. See Proxy Service Account Permissions.
Proxy Uses
- Elevate permissions using a service account
- Populate web dashboards in Recast Management Server
- Populate scopes (required for fast channel/cloud management gateway and RMS permissions)
- Collect warranty information for Endpoint Insights
- Run actions against devices in a different domain
- Schedule Builder actions and Kiosk Manager deployments
User Proxies are automatically installed with your standard Right Click Tools installation. The user proxy ensures that actions run in Right Click Tools will run as the logged-in user with the logged-in user's permissions. User proxies do not appear on the Recast Proxies page in the Recast Management Server interface.
Service Account Proxies are useful when you want to run actions as a service account. These can also be used to run actions against untrusted domains. Install these proxies using the Recast Proxy MSI available in the Recast Portal. Service account proxies are listed on the Recast Proxies page in RMS.
Service account proxies installed in a different domain than the Recast Management Server must be manually authorized on the Recast Proxies page before they can be used to run actions. You can also edit RMS settings to automatically approve all proxies.
A service account proxy can be installed on the same server as the Recast Management Server, either during or after Recast Management Server installation.
If the proxy is being installed in a different domain than the Recast Management Server, the Recast Proxy must be deployed separately after Recast Management Server installation. See Install Recast Proxy Separately.
To access web dashboards and trends
This permission set also allows scheduling for Builder actions and kiosk profile application in Right Click Tools.
- Local admin on the server where the proxy is being installed
- Read permissions in Active Directory
- db_datareader in Configuration Manager SQL server database
- Read-only access to Configuration Manager console (Read-only Analyst security role in ConfigMgr)
NOTE: Some actions won't work, such as adding to or removing from collections.
To elevate permissions
- Local administrator access on all devices managed by Right Click Tools or Privilege Manager
NOTE: Some actions won't work, such as adding to or removing from collections.
To add or remove from collections
- Permission to modify a collection in Configuration Manager: configmgr collection > modify permission
To run actions as a service account
- Local admin on any device that actions will be run against
- Read/Write permissions in Active Directory (Write is only required to delete devices from AD)
- Appropriate ConfigMgr Security Role for intended actions in the Configuration Manager console (Full Administrator for all actions)
- Permission to MBAM, if applicable
For Fast Channel support
- Permission to run scripts in Configuration Manager
If using Read-only Analyst in ConfigMgr as your base security role, also grant the following privileges:
To collect warranty information with Endpoint Insights
- If your Recast Management Server is installed on a server other than your Configuration Manager SQL database, the proxy account will need to be added to the SMS_SiteSystemToSiteServerConnection_MP_<YourSiteCode> local group on that server. This will allow it to read/write to your inboxes\auth\ddm.box, which is required to gather warranty data.
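A read-only check of the dashboard and warranty permission sets above, as an added example that is not part of the Recast documentation: it reports whether the proxy account is a direct member of the local Administrators group and of the SMS_SiteSystemToSiteServerConnection_MP_<YourSiteCode> group on the machine where it runs, and which database roles it holds in the Configuration Manager database. The account name, site code, SQL Server name and the CM_<SiteCode> database name are placeholder assumptions.

```powershell
#Requires -Modules Microsoft.PowerShell.LocalAccounts, SqlServer
# All values below are constructed placeholders; substitute your own.
$ProxyAccount = 'CONTOSO\svc-recastproxy'   # hypothetical proxy service account
$SiteCode     = 'ABC'                        # hypothetical ConfigMgr site code
$SqlInstance  = 'cmsql01.contoso.example'    # hypothetical ConfigMgr SQL Server
$Database     = "CM_$SiteCode"               # assumes the default CM_<SiteCode> database name

function Test-DirectLocalMember {
    # True when $Account is a direct member of the local group on this machine.
    # Membership inherited through a nested domain group is NOT detected.
    param([string]$Account, [string]$Group, [string]$Sid)
    $members = if ($Sid) {
        Get-LocalGroupMember -SID $Sid -ErrorAction SilentlyContinue
    } else {
        Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    }
    [bool]($members | Where-Object { $_.Name -eq $Account })
}

# Database roles held by the account. Assumes the database user carries the
# same name as the Windows login; single quotes are doubled before embedding.
$safeName = $ProxyAccount.Replace("'", "''")
$query = @"
SELECT r.name AS RoleName
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$safeName';
"@
$roles = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $query |
    Select-Object -ExpandProperty RoleName)

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# which avoids depending on the localized group name.
[pscustomobject]@{
    Account             = $ProxyAccount
    Computer            = $env:COMPUTERNAME
    LocalAdminHere      = Test-DirectLocalMember -Account $ProxyAccount -Sid 'S-1-5-32-544'
    InSiteSystemMPGroup = Test-DirectLocalMember -Account $ProxyAccount `
                              -Group "SMS_SiteSystemToSiteServerConnection_MP_$SiteCode"
    HasDbDataReader     = $roles -contains 'db_datareader'
    # Anything listed here exceeds the db_datareader requirement for dashboards.
    RolesBeyondReader   = ($roles | Where-Object { $_ -ne 'db_datareader' }) -join ', '
}
```

Run it once on the proxy server and once on the Configuration Manager server; the SMS_SiteSystemToSiteServerConnection_MP group check returns False on a machine where that group does not exist.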
By default, the Recast Management Server automatically authorizes any proxy installed in the same domain as the Recast Management Server. Proxies installed in other domains must be approved manually, unless you've edited the default setting to approve all proxies automatically.
Approve a Proxy Manually
If a proxy is installed separately in another domain, you must approve it manually.
To approve a proxy manually:
1. In your Recast Management Server, select Proxies in the navigation panel.
On the Recast Proxies page, your newly installed proxy should be visible but not Authorized.
2. Click the Edit icon to the right of the proxy.
3. In the Edit Recast Proxy window, enable the Authorized checkbox and click Save.
Un-approve a Proxy
You can manually remove authorization from any Recast Proxy.
To remove proxy authorization:
1. On the Recast Proxies page, click the Edit icon to the right of the proxy.
2. In the Edit Recast Proxy window, disable the Authorized checkbox and click Save.
Approve All Proxies Automatically
You can choose to have your Recast Management Server automatically authorize all proxies regardless of the domain where they're installed.
To approve all proxies automatically:
1. In your Recast Management Server, navigate to Administration > Settings.
2. Under Recast Management Server, click the Edit icon to the right of Recast Proxy Approval.
3. In the Change Setting window, choose Automatically Approve All Agents from the Value drop-down menu.
A Recast Proxy can be used to run Right Click Tools actions under a Service Account. Setting up a proxy to run actions involves authorizing the proxy in the Recast Management Server (if necessary), creating a proxy route, and reordering the routes to ensure that actions are run through the service account proxy.
To view the permissions required for different proxy uses, see Proxy Service Account Permissions.
For installation steps, see Install Recast Proxy Separately.
Authorize the Proxy
By default, the Recast Management Server will automatically authorize proxies installed in the same domain as the Recast Management Server. If a proxy is installed in another domain, you must approve it manually.
To approve the proxy manually:
1. Open the Configure Recast Management Server application or open the Recast Management Server web interface.
2. Click Proxies.
On the Recast Proxies page, your new proxy should be visible with Authorized disabled.
3. Click the Edit icon to authorize the proxy.
Create a Route
A route determines the proxy to which your Recast actions are sent. In order for the Recast Management Server to run actions through the Service Account Proxy, create a route that uses the Service Account.
To create a route for the Recast Proxy:
1. In your Recast Management Server, navigate to Administration > Routes.
2. In the main window, click Create.
3. Set route Type to Service Account.
4. As Recast Proxy, select your service account.
5. Set Role to Administrators.
6. Click Create.
7. On the Routes page, click Save.
Reorder Routes
New routes appear at the bottom of the Routes table.
To make all actions run through the service account proxy, you must move the new route above the Right Click Tools route in the table.
When you're done reordering the proxy route list, click Save to finalize the changes.
A Recast Proxy can be used to manage many tasks, such as:
- Reading from Active Directory to populate scopes
- Allowing access to web dashboards and dashboard trends
- Scheduling Builder actions and Kiosk Manager actions
NOTE: A proxy is also required for collecting warranty information with Endpoint Insights.
Setting up a proxy to manage tasks involves authorizing the proxy in the Recast Management Server, creating a proxy route, and reordering the routes to match your priorities.
For the permissions required for different proxy uses, see Proxy Service Account Permissions.
For proxy installation steps, see Install Recast Proxy Separately.
Authorize a Proxy
By default, the Recast Management Server will automatically authorize proxies installed in the same domain as the Recast Management Server. If a proxy is installed in another domain, you must approve it manually.
To approve the proxy manually:
1. Open the Configure Recast Management Server application or open the Recast Management Server web interface.
2. Click Proxies.
On the Recast Proxies page, your new proxy should be visible with Authorized disabled.
3. Click the Edit icon to authorize the proxy.
Create a Route
A route determines the proxy to which your Recast actions are sent. In order for the Recast Management Server to run actions through the Service Account Proxy, create a route that uses the Service Account.
To create a route:
1. In your Recast Management Server, click on Routes in the navigation panel.
2. On the Routes page, click Create.
3. After creating the route, click Save.
Reorder Routes
New routes appear at the bottom of the Routes table. You can move a route up in the order to run actions using that route, or you can configure the routes to only populate the proxy. The first route to be successfully matched is the one that is used, so reorder routes in the Routes table to set their priority.
If you only need your proxy to populate scopes, and you don't want to run any actions using that proxy, order your routes accordingly.
When you're done reordering the proxy route list, click Save to finalize the changes.