[Feature] Privileged Access Management (PAM) — agent-side elevation with mobile-app approval #858
Replies: 5 comments
-
|
@bdunncompany — thanks for the depth on this. Direction below, plus a few places where Breeze already has more scaffolding than the public repo reveals. Q1 — Yes, PAM is in scope. Building the full thing, not an MVP carve-out. Both the end-user UAC-interception flow you've scoped and the tech-initiated JIT-admin flow (request temp admin on a device, agent flips group membership, local timer revokes) belong under the same roof. They share schema, audit chain, approval routing, Brain tool integration, and rule engine. Q4 — Architecture confirmed. ETW One thing to recalibrate on effort. Section 5 budgets ~1.5 weeks for "SYSTEM service skeleton" + "user-mode UI dialog process with named-pipe IPC." That work already exists in Breeze for Session 0 remote desktop — and you've personally already touched the relevant binary in #699 and #755:
The PAM flow is the session-broker pattern with new message types: detection in the service, dialog in Q2 — Broker placement: (a) inside Q3 — Mobile path is settled and further along than visible from outside. We have a native Expo app (RN 0.83, React 19) shipping the approval surface end-to-end. The design brief already names PAM elevation as the second consumer of this surface (built first for MCP step-up). The full-screen takeover ships with: So no PWA detour, no Capacitor wrappers, no Phase 3 mobile track. Adding a new approval Application Control integration — already built, by design. The software-policy system (
That covers ~half of your match-criteria list at the policy layer with zero new code, and gives us the ThreatLocker Allowlisting + Elevation Control bundle as a single integrated system rather than two SKUs. The competitive line writes itself: "Approve software once at the org level. Users install and elevate it themselves. Forever." Q5 — Server-side / JEA layer (Halaas Layer 2) is a separate piece of work — the tech audit + constrained-shell story for sysadmins doing infrastructure work. Bookmarked for a future discussion, not blocked by Layer 1. Q6 — Pricing: bundled into the existing tier, not a per-endpoint add-on. "No separate PAM tool needed" is bigger than the SKU revenue, and simpler pricing supports the in-bundle competitive story. Schema — please design
Single audit chain, single Brain tool surface, single expiry path across both flows. Revised effort, full scope (both flows, Windows + macOS + AP successor prototyped in parallel): ~10-12 calendar weeks single-dev, plus EDR-vendor allowlist calendar wait. Concentrated risk is on (a) ETW LUA subscriber semantics, (b) Next step: I'm spinning up a public GitHub Project board now — want to try collaborating there. Tracks will include the schema convergence, Windows broker, macOS broker, software-policy bridge, mobile Status: direction approved on all six questions. Schema convergence + broker prototype is the actual blocking work. |
Beta Was this translation helpful? Give feedback.
-
|
Project board is live: PAM — Privileged Access Management Seeded 15 tracks across Schema, Windows broker, Software-policy bridge, Mobile, macOS broker, AP / Path B, EDR / Ops, Web admin UI, Brain integration, and Docs. Each is tagged with Phase / Surface / Effort / External-blocker so the parallel lanes and calendar-blocked items are filterable. The schema item is the actual gating piece — once @bdunncompany happy to give you write access if you want to push the broker prototype straight to draft items there, or fork-PR flow if you prefer. |
Beta Was this translation helpful? Give feedback.
-
|
Direction agreed across all six questions. Quick close-the-loop: Architecture (Q4) — ETW Microsoft-Windows-LUA + SYSTEM-spawn-onto- Broker placement (Q2) — agreed on (a), inside Mobile (Q3) — settled. Adding a Schema (Q5 gating item) — will hold on the Application Control bridge — the Pricing (Q6) — in-bundle, not per-endpoint, agreed. Layer 2 (Q5b — Halaas server-side) — bookmarked for separate future discussion as you suggested. Project board (projects/3) — happy to comment-claim tracks once I refresh my Thanks for the depth on the disclosure of the existing scaffolding ( |
Beta Was this translation helpful? Give feedback.
-
|
Following up on the schema decision before drafting the migration. Direction: new Tenancy shape is the deciding factor. PAM Extending Cross-flow correlation question. Two viable shapes for single-audit-chain:
(a) is simpler to query ("show me the elevations approved by this user this week" is one JOIN). (b) is cleaner if the long-term plan is for non-mobile approval paths (Brain-only auto-approve, software-policy auto-approve) to dominate volume, because (a) leaves Leaning (a) but won't commit until you weigh in. Status side: approval_requests' Next steps once you confirm the direction:
Any objection to the new-table direction, the audit-chain shape (a vs b), or the separate |
Beta Was this translation helpful? Give feedback.
-
|
Three-thumbs-up across the schema questions, with a couple of additions before you cut the migration. Decision 1 — new Decision 2 — audit chain via (a), nullable FK. Agreed. Decision 3 — separate Two additions before you cut the migration:
Naming reminder (so you don't burn the Status: direction approved on all three; cut the migration. Schema PR can land standalone (no app code wired) so we can ratify the shape before the broker prototype starts depending on it. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
[Feature] Privileged Access Management (PAM), agent-side elevation with mobile-app approval
TL;DR
Build endpoint PAM into Breeze: user hits UAC → custom Breeze dialog → tech taps "approve" on their phone in under 10 seconds → the specific process elevates. Rule engine auto-handles repeats. Audit trail per request.
Closes the one feature gap that today forces every MSP on Breeze to bolt on a separate $300-$700/month tool (CyberFOX AutoElevate, Admin By Request, ThreatLocker Elevation, Idemeum, Evo Security). None of the major RMMs (NinjaOne, Atera, Level, Datto) ship endpoint PAM today. NinjaOne's most recent partner-facing window for their own PAM is "this year or 2027" (per a sales-channel update; the original April 2026 estimate of "2-5 months" has slipped). Breeze can ship first.
Realistic MVP: ~14 weeks single-dev calendar time with optimistic execution. The estimate is honest: ~10 engineering weeks plus ~2 weeks unavoidable external lead time (App Store review, EDR-vendor exclusion entries). Architecture concentrates the engineering risk in one well-isolated component, a Windows SYSTEM-service broker. The recommended interception path is ETW Microsoft-Windows-LUA provider subscription (documented, future-proof against Windows 11 24H2 Administrator Protection) followed by SYSTEM-context spawn onto
WINSTA0\WINLOGONwithSendInputinjection of a rotated dormant-admin password. This matches the architectural pattern AutoElevate uses in production, with a faster and more durable event channel.Open-source starting points are license-compatible (GPL-3 → AGPL-3 forward-compatible) for both Windows (MakeMeAdmin, partial, see Section 13) and macOS (SAP Privileges, integrate cleanly).
Asking for direction before writing code, same way as the watchdog-supervision Discussion #854.
1. Why this matters
Endpoint PAM does one job: keep standard users standard, but make admin approvals fast enough that nobody works around the policy. Without it, the choice is "make everyone a local admin" or "have the helpdesk RDP in every time someone needs to install a printer driver." Both lose.
The MSP-channel PAM market is real and growing. Verified pricing across the top tools (April 2026, MSP-tier, gathered while evaluating PAM for a real ~160-endpoint MSP fleet):
For a Breeze MSP customer with ~160 endpoints, shipping PAM in-box saves them $250-$650/month per tenant and removes one vendor relationship.
This is not abstract. The MSP whose feedback drove this Discussion currently pays for ScreenConnect's bundled Privileged Access ($425/mo) to handle elevation requests; pure-RMM stacks (Atera, NinjaOne, Level, Datto RMM) have no equivalent, so customers stack one of the tools above. NinjaOne is openly telling partners their own PAM has slipped to "this year or 2027" (was "2-5 months out" in April 2026). The window to be first in the category is wide open.
2. What we're building (MVP scope)
End-user experience (Windows endpoint)
Mozilla-Firefox-Installer.exeto run as administrator? A request will be sent to your IT team."Technician experience (mobile-first)
/pam/requestsshows the same queue for techs at desk.Elevation execution (where most of the engineering risk lives)
~breeze_elev(or similar) to local AdministratorsNetUserSetInfoSTARTUPINFO.lpDesktop = "WINSTA0\\WINLOGON"(the secure desktop)SendInputto type the rotated credentials into the still-pending consent.exe promptThis is the same architectural pattern AutoElevate uses in production (documented by their integration partner E-N Computers and inferred from the architectural constraints, see Section 5). The ETW-based detection layer is a documented improvement over the UI-Automation-polling approach commonly assumed.
Rule engine
auto-approve,auto-deny,require-approval,ignore(let native UAC through unchanged).Audit
agent_logsrow with requester, machine, executable details, rule match (if any), approver, latency-to-decision, outcome.agent_logs.fieldscolumn isjsonb, so PAM event rows can be added without schema changes (apps/api/src/db/schema/agentLogs.ts, verified).pam.elevation.deniedorpam.elevation.rate_high.That's the MVP.
3. Why mobile-app approval is non-negotiable
The incumbent product (AutoElevate) markets the mobile-tap approval as the killer feature. The competitive review evidence backs this with a twist: AutoElevate's mobile app is the highest-complaint surface of the product (3.0/5 on iOS App Store, multiple reviews citing forced logouts mid-session, inconsistent push, missing biometric quick-approve, verified May 2026, App Store listing). That's both the bar to clear and the lane to win.
What "mobile-first" means concretely for Breeze:
/pam/requests, same actions, same audit. A tech at their workstation should never need to pick up their phone, but the phone is the default when away from the desk.The path: Progressive Web App (PWA) first, native shells (iOS + Android via Capacitor) immediately after for the lock-screen push reliability. PWA gives us 80% of the mobile UX in week 1. Native shells give us the lock-screen and biometric reliability that turns it from "works" to "feels instantaneous." Both worth doing; PWA in Phase 1, native in Phase 3.
App Store rejection risk is empirically LOW for this category. Three PAM vendors already have approval apps live in the App Store with no documented rejection history:
Evo Security's equivalent is Evo Authenticator (id 1441463618, in store since April 2019 per version history, added end-user elevation in v5.1.0 July 2025).
Apple does not categorically block remote-admin tooling. First-submission review for a security app typically lands one Guideline 5.1.1 (privacy) cycle; budget 1-3 weeks calendar.
4. Architecture overview, what's already in Breeze that we reuse
Breeze's last 60 days of merged work has accidentally pre-built ~60% of the PAM scaffolding. Verified against actual Breeze source files:
breeze_has_org_access()(apps/api/src/db/index.ts); direct fitelevation_rules,elevation_requests) using shape #1 (directorg_idcolumn). No new tenancy patterns.apps/api/src/routes/agentWs.ts:2209(sendCommandToAgent) +apps/api/src/routes/agentWs.ts:2252(broadcastToAgents); browser-sideuseEventStreamhook atapps/web/src/hooks/useEventStream.tsalready subscribes to typed events over WS.pam.request.created. Existing hook reused as-is. ~2 days.apps/api/src/services/scriptSeverity.tsships a tiered match pattern (negative-exit → explicit-map → fallback). The pattern generalizes, but PAM needs multi-criteria matching (signer AND hash AND path AND parent) which is meaningfully more complex than a key lookup.apps/api/src/services/auditEvents.ts:117writeRouteAudit()+apps/api/src/db/schema/agentLogs.ts(thefieldscolumn isjsonb, accepts arbitrary detail shapes)./pam, copy-paste the DNS scaffold + new content. ~1 week.requireMfa()middleware exists across the API (used inapps/api/src/routes/devices/commands.ts:185and many others).agent.yaml(mode 0640) andsecrets.yaml(mode 0600) viaatomicWriteFileatagent/internal/config/config.go:418-454. Not HMAC'd; ACL-based protection.pam-rules.yaml(same pattern) at NTFS ACL'd path. ~half a day..github/workflows/release.ymluses Azure Trusted Signing viaazure/artifact-signing-action@v2.0.0with separate cert profiles for prerelease (AZURE_CERT_PROFILE_PRERELEASE) and production (AZURE_CERT_PROFILE_PROD). Already signsbreeze-agent.exe,breeze-watchdog.exe,breeze-backup.exe,breeze-desktop-helper.exe, plus MSIs.breeze-elevation-broker.exeto the existing sign step. ~2-4 hours of YAML changes. No new cert procurement.notarytool, hardened runtime entitlements atagent/entitlements/agent-macos.entitlements.plist.This is the part that makes shipping PAM realistic, not aspirational. A pure greenfield product would take 6+ months. With Breeze's current scaffolding the work concentrates in one place: the Windows broker binary.
5. The hard part: the Windows broker
This is where 80% of the engineering risk lives. Architectural constraints first, then the recommended architecture, then alternatives.
Architectural constraints (verified from Microsoft docs and reverse-engineering of public PAM behavior)
consent.exeruns at SYSTEM/High IL onWINSTA0\WINLOGON(the secure desktop). Source: Microsoft Learn, How UAC works. Only Windows processes can natively access this desktop.A third-party process reaches the secure desktop via exactly two documented paths:
CreateProcessAsUserwithSTARTUPINFO.lpDesktop = "WINSTA0\\WINLOGON". This works because SYSTEM has theSE_TCB_NAMEprivilege and broad desktop access. Documented in working code by 0xpat (Malware development part 7).uiAccess=true, signed by a cert chained to a Trusted Root CA, installed under%ProgramFiles%. Source: Microsoft Learn, UIAccess in secure locations.SendInputfrom a non-secure-desktop process is silently dropped when targeting the secure desktop (PCReview thread, multiple sources). The credential injection MUST happen from a SYSTEM-context child that is itself onWINSTA0\WINLOGON.UI Automation (UIA) from the user's desktop cannot read controls on the secure desktop. So polling consent.exe via UIA from a non-secure-desktop process, what an earlier draft of this Discussion proposed, does not work. Any UIA-based detection has to run from a process already on the secure desktop, which loses the latency benefit.
PsSetCreateProcessNotifyRoutineExis kernel-mode only. Requires a signed driver. Higher EV-signing burden, attack-surface considerations, HVCI implications.Recommended architecture: ETW + SYSTEM-spawn + SendInput
The cleanest legal third-party path:
Detection: SYSTEM-context broker subscribes in real time to the
Microsoft-Windows-LUAETW provider (GUID{93c05d69-51a3-485e-877f-1806a8731346}, manifest reference). The relevant events:ConsentUI_GetUserDesktopSnapshot(start/stop), fires when consent.exe captures the user's desktop bitmapConsentUI_SwitchDesktop(start/stop), fires when consent.exe switches to the secure desktop. This is the trigger. It fires before consent.exe paints its UI.ConsentUI_ExperienceStart/Stop, fires during the consent prompt lifecycleElevation Approved, 15032Elevation Denied, under Administrator Protection (Win11 24H2+), these replace the older flow. Same provider, future-proof.AppInfoperf-track events withUACElevateFileIDfield, let us correlate the elevation to the originating user-mode process.Display Breeze dialog on the user's normal desktop, on receipt of 15006. The user sees only the Breeze dialog. consent.exe in parallel paints its native dialog on the secure desktop but is idle awaiting credentials.
Request approval over the existing WebSocket + push notification path (Section 4 covers the plumbing).
On approval: SYSTEM-context broker:
~breeze_elevto local Administrators (NetLocalGroupAddMembers)NetUserSetInfo,USER_INFO_1003)STARTUPINFO.lpDesktop = "WINSTA0\\WINLOGON"SendInputto type the rotated credentials into the consent.exe promptOn denial: SYSTEM-context broker spawns a SYSTEM child on
WINSTA0\WINLOGONthat usesSendInputto type Escape into consent.exe, dismissing the prompt. Same pattern.Why this is the right architecture:
Microsoft-Windows-LUAprovider is the documented telemetry channel; future Windows changes that re-architect consent UI (such as Administrator Protection) will keep this provider working, the LUA events 15031/15032 are explicitly added for the AP path__InstanceCreationEventonWin32_Processis too slow (polling, minWITHIN 1, fires AFTER process creation per Microsoft archive). Discard.PsSetCreateProcessNotifyRoutineExpath) is overkill for MVP, AutoElevate ships a driver but only for their Blocker feature, not for elevation detection (CyberFOX - Managing Blocker Rules).Effort estimate for this path
~breeze_elevdormant account creation + password rotation + group membership management%ProgramData%\Breeze\pam-rules.json, NTFS ACL'd to SYSTEM)Alternative paths (for context)
Path B, Bypass consent.exe entirely with
CreateProcessAsUser+ restricted token. Cleaner architecturally; user never sees consent.exe. Risk: requires a different elevation model (token-mixing viaLogonUser+CreateProcessAsUser), which doesn't match the user's mental model of "approve UAC." Most PAM vendors don't do this for end-user elevation; they use it for tech-side JIT admin (Evo Technician Elevation). Skip for MVP; consider for Phase 6 as a per-rule option.Path C, Custom Credential Provider. Replace
CredentialProviderCOM interface, render Breeze UI inside consent.exe's existing flow. Cleanest from a Microsoft-design-intent perspective. Risk: CredentialProviders are gnarly C++ COM work, ~8-10 weeks, AV-scrutiny much higher. Bookmark for Phase 6+, not MVP.Path D, Kernel-mode minifilter driver. What AutoElevate uses for their Blocker feature. Not appropriate for elevation detection, the ETW path is documented, supported, and equivalent latency for this use case. Driver work belongs to a future feature (process behavior monitoring, AV-style hooks), not PAM.
Windows 11 24H2 Administrator Protection compatibility
The biggest forward-looking risk. Administrator Protection (AP) replaces the legacy split-token UAC model with a hidden, profile-separated system-managed admin account that materializes a fresh elevated token per request and destroys it after the process exits. Sources: Microsoft Learn, Administrator protection, Project Zero teardown.
Current state (verified May 2026): AP shipped in KB5067036 (October 2025) but Microsoft pulled the feature flag on December 1, 2025 due to compatibility regressions. It is currently disabled even on machines that toggled it on. Sources: BleepingComputer, Patch My PC, 4sysops. Microsoft's own doc says it "will roll out at a later date."
Implications for our broker:
CredentialUIBroker.exe, there's no consent.exe credential field forSendInputto target, and no third-party-replaceable credential surface.CreateProcessAsUser-based elevation entirely (Path B above).Known interaction: N-able / consent.exe deadlock
Worth knowing because Breeze customers commonly stack other RMM/security agents. There is a documented production-breaking interaction between N-able N-Central agent (Framework.dll versions through 2025.4.0.16 and 2026.1.0.518) and
ConsentUX.exeon idle or locked machines: UAC prompts accept credentials then hang for 4-5 minutes due to a deadlock in N-able's signature-verification hooks. N-able shipped Framework.dll hotfixes through partner support. Source: Microsoft Q&A 5733506. Any UAC-touching code Breeze ships needs to be vetted for similar deadlock potential with the agent stack our customers actually run.CVE-2026-20824, January 2026 Credential UI hardening
Microsoft tightened the rules on which processes can request
UIACCESSand added "input source validation … verifying input originates from physically connected input devices or processes running with specific, highly restricted privileges." This was tracked as CVE-2026-20824 (WindowsNews.ai writeup). Impacted: TeamViewer, AnyDesk, RDP. PAM brokers that injectSendInputfrom a SYSTEM child onWINSTA0\WINLOGONare not explicitly named, but the language suggests the SYSTEM injection path still works while non-SYSTEM UIAccess injection is squeezed. Worth verifying empirically before MVP ships.6. The mobile-app stack
Phase 1, PWA (Week 1)
/pam-mobilewith manifest + service workerPhase 3, Native wrappers (Weeks 11-13)
Why this order
PWA gets us to "techs can approve from their phones" in week 1. Native gets us to "techs can approve from their lock screen in 5 seconds without unlocking" by month 3. PWA unblocks the rest of the product so we can ship Phase 1 to pilot endpoints without waiting on App Store review.
7. Honest effort estimate (single dev, calendar weeks)
breeze-agent, inbreeze-watchdog, or newbreeze-elevation-brokerbinary)/pamReact page (4 tabs), technician approval flow over existing WebSocket, PWA shell with web push. Zero Windows broker changes. Already useful: techs can manually elevate scripts via the existing script-execution path with the new approval gate.CreateProcessAsUser-based elevation; add Windows Hello/PIN integration for APWhat's different from an earlier draft of this estimate
The first internal draft of this Discussion estimated 8-9 weeks single-dev. That estimate was based on a UI-Automation-polling architecture that doesn't actually work against the secure desktop (Section 5 constraint #4 above). The honest revised estimate accounts for:
8. What kills this if you're not careful
Windows 11 Administrator Protection re-rollout. AP is currently reverted but Microsoft has said it "will roll out at a later date." When it does, our
SendInputinjection layer will break. Our ETW detection layer survives unchanged (events 15031/15032 are explicitly for AP). Mitigation: Phase 6 is already planned for the elevation-primitive swap; track Microsoft's AP rollout schedule via the Patch My PC writeup and Windows Insider channels.EDR vendor flagging. A SYSTEM-context binary that does
SendInputfrom a secure-desktop child looks identical to credential theft. Mitigations:SendInputcontinuing to work post CVE-2026-20824. Microsoft is squeezing the input-injection surface. The January 2026 hardening did NOT name SYSTEM-context injection on the secure desktop as impacted, but the trajectory is clear. Mitigation: Phase 6 (Path B / token-based elevation) is the long-term answer.Non-English Windows. ETW event IDs are language-invariant (huge improvement over UI Automation polling). Some risk remains in the user-mode dialog process (it has to identify "the executable that's about to elevate" and that name comes from
UACElevateFileIDfield in event 16001-16011, which is also language-invariant). Net: much lower risk than the UIA-polling architecture.Audit-log volume. A noisy endpoint can fire 50+ UAC prompts/hour. At 10K endpoints that's 500K rows/hour worst-case. PostgreSQL handles it but
agent_logsshould be partitioned from day one. Reuse the existing partitioning pattern if one exists; if not, add it.Liability and approval rubber-stamping. PAM means "the MSP can grant admin." If a tech approves a malicious request, the MSP gets the blame. Mitigations:
notificationThrottlepattern from feat(alerts): per-channel notification throttle with sliding-window cap #796)N-able N-Central deadlock interaction (Section 5). Any customer running N-Central + Breeze PAM concurrently could hit the documented 4-5 minute consent.exe hang. Mitigation: test against N-Central in our integration matrix; document the interaction in the Breeze KB.
Mobile push reliability. AutoElevate's 3.0/5 iOS rating tells the story. Don't ship until push delivery is observed-reliable across both APNs and FCM in real conditions for at least 2 weeks. Include "send test notification" button in tech onboarding.
9. Strategic case for Breeze
10. Open questions for the maintainer
Before code: same as Discussion #854.
Q1. Does endpoint PAM fit Breeze's product scope? Real engineering commitment (~14 calendar weeks), AV-vendor and code-signing exposure, changes the conversation about what Breeze is. If "out of scope," I'd rather know now.
Q2. Where does the Windows broker binary live? Three options:
breeze-agentas another goroutine/package, fast to ship, harder to AV-isolatebreeze-elevation-brokerbinary, separate WiX install, clean separation, cleaner AV story, ~2 hours additional CI work (Azure Trusted Signing handles it)breeze-watchdog, already SYSTEM-context but conflates concernsRecommend (b) for AV isolation; willing to do (a) for speed.
Q3. Mobile app strategy: PWA-only, PWA + Capacitor wrappers, or full native?
Recommend PWA in Phase 1 then Capacitor wrappers in Phase 3.
Q4. Windows broker path: Section 5 lays out the ETW + SYSTEM-spawn + SendInput recommendation. Open questions:
~breeze_elevwith rotated password) vs adding the requesting user to Administrators?Q5. Server-side PAM (Halaas Layer 2, see Section 11), explicit Phase 7 or out of scope?
Q6. Pricing model in mind? Whether this is in-bundle (Pro tier upgrade) or a paid add-on changes how aggressive the marketing investment should be.
11. Two distinct PAM layers worth eventually shipping
Layer 1, Endpoint UAC elevation (this Discussion, MVP)
"Sarah wants to install QuickBooks on her workstation." End users at standard-account workstations who occasionally need admin to do legitimate work. AutoElevate, Admin By Request, Idemeum EPM, ThreatLocker Elevation. Agent on every endpoint intercepts UAC. Day-to-day operational record. High volume.
This is what this Discussion is proposing.
Layer 2, Server-side session brokering (separate, much later)
"An admin needs to RDP into the file server to fix a permission." Sysadmins doing infrastructure work, not end users.
Session gateway (Apache Guacamole) brokers RDP/SSH/VNC, identity federated through the directory + MFA, sessions are recorded, operations on AD are constrained via PowerShell Just Enough Administration (JEA).
Reference: Jacob Halaas, "Open-Source Privileged Access Management: A Reference Architecture for Constrained Administrative Delegation in Small and Mid-Size Enterprise Environments," Zenodo DOI 10.5281/zenodo.19639352, April 2026, CC-BY-4.0. 22-page reference architecture documenting an open-source PAM stack (Apache Guacamole + n8n + nginx + Python + pypsrp + PowerShell JEA + gMSA + Group Policy) that replaced a commercial PAM product at a 50-500 user organization. ~20 architect-hours initial, 2-4 admin-hours/month ongoing.
If Breeze ever expands the PAM story to "secure server administration," the Halaas paper is a near-turnkey blueprint. Layer 1 is scoped to this Discussion; Layer 2 exists and is worth knowing about.
12. Competitive landscape (verified, April-May 2026)
CyberFOX AutoElevate, the incumbent to beat
AEUACAgent.exeper logged-in user; user-context process polls forconsent.exevia UI Automation (or, more likely given the secure-desktop constraint, the LUA ETW provider, CyberFOX doesn't publicly document this). Three elevation modes: dormant local admin account~0000AEAdmin(default, rotated password, milliseconds-window add-to-admin then demote, credential injection into consent.exe by a SYSTEM-context child onWINSTA0\WINLOGON), temporary user-promotion, or SYSTEM-token re-launch. Source: Elevation Types KB, E-N Computers partner writeup.ThreatLocker Elevation Control
Admin By Request
Idemeum
Evo Security
Austin TX-based, independent, founded 2018. $6M Series A led by TechOperators in July 2024 ($15.4M total raised). Sources: PRNewswire, Crunchbase.
Scope broader than AutoElevate. Bundles six IAM/PAM capabilities into one MSP multi-tenant platform: MFA, SSO (SAML), managed RADIUS, Help Desk Verification, Technician Elevation, End User Elevation.
Two specific design choices worth borrowing into Breeze:
Why Breeze wins this category
Bundled with the RMM, no separate vendor relationship, no separate billing, no per-endpoint surcharge for the MSP (if priced as a tier upgrade), the rule engine + audit + mobile-app pieces inherit the polish of the rest of the product. The two big incumbents (AutoElevate and ThreatLocker) sell exclusively to MSPs and the smaller incumbents don't have a strong MSP channel. There's an actual gap.
13. Open-source building blocks (verified)
Surveyed GitHub for components Breeze could adopt or borrow from. The Windows broker work has only partial OSS leverage, most of the hard parts are still greenfield.
Windows (broker)
MakeMeAdmin (pseymour), MEDIUM fit (~3-5 day savings)
NetLocalGroupAddMembers/RemoveMembersP/Invoke wrappers (well-tested in production 15 years), the SYSTEM-service skeleton + ProjectInstaller boilerplate, DPAPI-encrypted state persistence pattern, session-change/logoff revocation handlers.multiOTP Credential Provider, HIGH fit (if Path C ever pursued)
privacyIDEA Credential Provider, HIGH fit (architecturally instructive)
CppClient(REST to backend),CredentialProvider(Windows COM),CredentialProviderFilter. Exactly the right shape for broker-calls-home-for-approval.UACME, explicitly excluded
macOS (broker)
SAP Privileges, HIGH fit, recommended for Phase 5
admingroup on a timer; Touch ID and Smart Card/PIV support; MDM-manageable.Apple EvenBetterAuthorizationSample, architectural reference
Adjacent, design knowledge
Build vs borrow verdict
Net savings from borrowing well-chosen OSS components: ~1 week off the Section 7 estimate. Final MVP estimate stays at ~14 calendar weeks.
14. Confidence assessment (honest, per section)
agent/internal/config/config.go:418-454. WS reverse direction verified atapps/api/src/routes/agentWs.ts:2209,2252+useEventStream.ts.Overall confidence in shipping a working MVP in 14 calendar weeks: ~75%. The remaining 25% risk concentrates on (a)
SendInputinjection working reliably on the secure desktop in 2026's hardened environment, (b) EDR-vendor allowlist negotiation timelines, (c) Admin Protection rollout schedule.15. Prior art
16. What I'm asking
A direction decision before I write code, same as Discussion #854. Specifically:
Happy to prototype on a fork once the direction is set. Estimate to a usable Windows MVP is 14 calendar weeks single-dev with PWA mobile approval working by week 4 and the Windows broker landing in week 12.
Beta Was this translation helpful? Give feedback.
All reactions