The whole platform

Everything baanjai does.

Elevation is the heart of it — one-click admin, approved and gone in seconds. Around it sits a full toolkit for running every machine your team touches: remote help, hardening, software and patching, automation, and a complete record of it all. Here’s the whole thing, on one page.

On Windows today — macOS and Linux on the way. Everything below is live unless a tag says otherwise.

The heart of it

Just-in-time admin

Every admin moment becomes a request you can see, decide, and trust — granted for one action, then gone the moment it’s used.

Live approval queue

Every request lands the instant it’s made — who asked, which machine, and the exact app, down to its publisher, full path, and version. Approve, deny, or pull it back, and the answer reaches them in real time.

One click, right at the Windows prompt

When Windows asks for an admin password, your people click “Request access” instead — they never see a password, or need one. The normal Yes/No keeps working the whole time.

Approved once, then automatic

When a tech or a rule has already blessed an app, the next prompt fills itself in and the app simply opens — zero clicks, no waiting.

Trust by fingerprint, not by folder

Bless an app a single time and it’s trusted on every machine, for everyone — matched to the file itself, so it’s trusted wherever it lives and a look-alike never sneaks through.

Zero standing admin

No always-on local admins, no shared password making the rounds. The managed admin account sits powerless until the moment of the action, with a fresh random password every single time.

Watch before you enforce

Start in record-only mode and baanjai changes nothing on day one — it simply shows you every admin moment across the fleet, so you shape your rules from what really happens before you ever enforce.

Set the mode at any level

Choose how each part of the fleet behaves — quietly recording every admin moment so you can build rules, or stepping in only when someone asks — set for a whole company, a group, or a single machine, with the closest choice always winning. It takes hold in seconds, with nothing to reinstall.

Malware stopped at the gate

Every request is checked against known-bad software. A malicious verdict denies on the spot and overrides any approve-rule — yet an unknown file never gets in the way of real work.

Identity that can’t be faked

Each request carries a requester identity the machine itself vouches for, so no one can pose as someone else and the record can’t be forged.

Flood protection

Built-in rate limits — per machine and per source — keep a storm of requests from ever overwhelming the queue.

Backstage

A live toolkit on every machine

Open a real session on any computer and put things right in place — without ever taking over someone’s screen. It stays off until you open it, asks for a fresh security check to unlock, and records everything you do.

Interactive PowerShell

A live terminal with streamed output — run a command and watch it work, in real time.

File manager

Browse the machine, and upload or download files — even multi-gigabyte ones — with integrity checking along the way. Delete a stray file, too.

Registry editor

Read, create, change, and remove registry keys and values without leaving the console.

Event viewer

Query the Windows event logs to see exactly what happened, and when — straight from your browser.

System services

Start, stop, and restart Windows services. It refuses to touch its own service, so you can never cut your own connection.

Device manager & drivers

Enable, disable, or remove devices, inspect the installed driver, and push a driver package you upload — grouped just like Device Manager.

Network & firewall

Change DNS, IP, and firewall rules behind a ~60-second safety net — if a change cuts the box off, it rolls itself back instead of stranding it.

Programs & silent install

List and uninstall installed software — and push the click-Next installers that aren’t in any package manager, run silently in the background as the system.

Local users & admins

See every local account on the box — admin or not, enabled or not — and act on each in place: enable or disable, reset the password, delete, or flip admin rights on and off. It refuses any change that would leave the machine with no way in.

Hands-on help

Reach the machine, and the person at it

Everything you need to step in — see the screen, fix the device, talk to whoever’s there, and get a locked-out user back in.

Remote control

Drop onto any machine to see what they see and take the keyboard — over a private connection that’s yours alone, with a password that rotates itself away minutes after you use it.

On-demand screen peek

Pull a quick, deliberately-pixelated snapshot of a screen to confirm what someone’s looking at — without starting a full remote session.

Chat with whoever’s there

Message the person at the keyboard straight from the console — a friendly window slides up on their screen, nothing for them to install — with delivered and read receipts.

Open a device’s admin pageRolling out

Pull up the web settings of a firewall, router, printer, or NAS that only the customer’s network can reach — right inside your own browser, tunneled safely through the agent.

Sign in with a scan

No password for the machine in front of you? A code appears on its lock screen — scan it with your phone, approve, and the computer signs itself in. Nothing typed, nothing shared.

Break-glass recovery

A sealed way back into any machine — the way-in secret sealed to that one box, never sent across the wire in the clear, kept invisible while the box is online and surfacing on its own the moment it drops off the network — revealed only to an admin who passes a fresh check, with every reveal on the record.

USB key to get back in

Hand a technician a one-time USB key — a plain file or a mountable image — that signs into a totally offline Windows box at the lock screen, with a passphrase you can reveal only after a fresh check. The way in when there’s no network at all.

Lock it down

Endpoint hardening, at your pace

A full set of protections you can set for the whole org or a single machine — and switch on by watching first, then enforcing when you’re ready.

Application control

Decide exactly what’s allowed to run. Watch in audit mode to see what would be blocked, then allow or reject each app by its true fingerprint — for one machine, a group, a company, or the whole org. Approved apps run, everything else doesn’t.

Go-Live Review

Before you enforce anything on a company, one screen shows every app, elevation, and install your audit mode has seen — grouped, risk-ranked, and named down to the machine — so you allow or reject each at the right level and the cutover is invisible to the people using the computers.

Ransomware folder shield

Protect the folders that matter so only trusted apps can write to them — and the apps you’ve already approved are trusted automatically.

Credential-theft defense

Switch on Windows’ protection for stored credentials so attackers can’t scrape them — with a clear read on what’s configured versus actually running.

Firewall isolation

Close the lateral-movement doors a machine doesn’t need — and force any single rule open or closed, for the whole org or one computer.

One-click containment

Cut a suspect machine off from everything but you, instantly — and release it just as fast. Your own connection to it never drops.

Backup-wipe defense

Spot — and stop — the move ransomware makes to delete a machine’s shadow copies before it can destroy the backups.

Tamper-proof agent

The agent guards its own files, restarts itself if it’s ever killed, and notices if it has been tampered with.

Signed, top to bottom

Every piece baanjai puts on a machine — the agent, the sign-in tiles, the helper apps — is code-signed, and each one is signature-checked before it’s allowed to install. Application control can trust the baanjai publisher outright, so its own tools are never what an allow-list has to fight.

Enrollment can’t be hijacked

A stolen setup token isn’t enough to take over a machine. Re-enrolling a computer that’s already known requires proof it really is that same machine — so no one can point a token at a name they know and quietly re-key someone else’s box. Watch it first: every unproven attempt is logged and flagged before you ever enforce.

Recovery keys, kept safe

Store BitLocker recovery keys and Windows product keys sealed away, shown only when you ask — with every reveal on the record.

One pane for every control

Set every security control from one screen, at any level, always showing the value in effect and your override — staged and saved on your say-so.

Security checklist

A shared, audited to-do of hardening steps so the whole team can see what’s done and what’s left.

Detection & response feed

The moments that matter — a blocked program, a folder-shield hit, a wiped backup, a firewall drift, a file caught running dirty — surface as one clean feed, each collapsed to a single row that counts repeats instead of spamming. Acknowledge it, or cut the machine off in a click, right from there.

No standing local admins, enforced

Hold a machine to zero standing customer admins, so break-glass becomes the only way in. Watch first to see exactly who’d be removed, then enforce — and it only ever de-admins a box once it can see a working way back in, so no one gets locked out.

Software & patching

Every app and update, under control

See what’s installed everywhere, push what’s missing, and let machines keep themselves patched on your terms.

Software inventory

See the software on every machine at a glance — across the common package managers and the Windows uninstall list.

Approved-app lists

Curate exactly what’s allowed, pin to a version or the latest, and set when and how updates land — by company, group, or one machine.

Install, update, remove — now

Queue a change on one machine, or push it to thousands by site or group at once, with retries and clear results.

Protected packages

Guard the apps that must never be removed so a bulk action can’t take them out.

Update safety brake

If an update starts failing across the fleet, it’s automatically held back — and rolls out a few machines first when it’s healthy again.

Fleet software dashboard

Counts, what’s missing versus outdated, install success rates, and the packages giving you trouble — all in one view.

Windows Update, hands-off

Decide once how each kind of update is handled — critical fixes flow through, risky ones wait for your nod, the one that always breaks never installs — and machines patch themselves overnight on your schedule.

Printers, finally painless

Set a company’s printers up once, then auto-deploy them — to every machine in the company, only the ones carrying a tag, or one at a time with a switch — and leave the driver hunt behind for good.

Run the fleet

Every machine, in one place

The whole fleet on one screen — current, organized, and yours to manage end to end.

Live fleet view

Online or offline, who’s signed in right now, by team and place, with what’s inside each machine — refreshed every few seconds, never a manual reload.

Groups that keep themselves current

Tag your fleet by rules instead of by hand — a machine tags itself from what it is and where it sits: its subnet, model, operating system, who’s signed in, even how long it’s been up or idle. Move a laptop to a new network and its location tags catch up on their own, in seconds. Every policy, install, and approval can target a tag, so the right rule follows the machine.

Uptime & last boot

See how long each machine has been up and when it last restarted, at a glance.

Restart or shut down, remotely

Reboot or power off any Windows machine from its page — behind a confirmation, with a 60-second grace so anyone signed in gets Windows’ own warning first. Admins only. A shutdown is one-way, and the console says so: there’s no remote wake, so the box stays off until someone turns it back on.

Self-updating, self-healing

The fleet patches itself with verified updates, and a bad one rolls itself back — so a machine is never left broken.

Version pinning

Hold a customer on a known-good build, stage a rollout, or roll a single site back — your call, per company or per machine.

Isolate, uninstall, reinstall

Contain, remove, or reinstall the agent on any machine — locked to admins and protected against tampering.

Clean handoff on the way out

Every machine keeps a usable local admin when baanjai comes off — one handoff credential per company you reveal once and pass to the new owners. It never tears a box down without first confirming a real way back in.

Clean reinstall, from scratch

Roll a machine all the way back — every security change undone, every baanjai account removed, every trace wiped — then lay the agent down fresh on the same computer, its history kept. Built so a wipe can never strand a box without an admin.

A 30-day safety net

Remove a machine and it lands in Trash for 30 days — recoverable, with its recovery key held — so a wrong click is never the end of it.

Clone a company’s setup

Stand up a new company from a known-good one in a click — hardening, firewall, software lists, branding, and version pins all copied over. Break-glass keys are never cloned, so a new company starts sealed.

Make it yours

White-label what your people see — your name and logo on the chat window, the approval pop-up, the tray, the desktop icon, and the sign-in tiles — per company or across the org.

Commands & automation

Run anything, anywhere, on a schedule

From a one-off fix to a job that runs itself every night.

Ad-hoc commands

Fire a command at one machine or thousands, with live output and exit codes — behind a safety gate.

Saved command library

Keep your go-to commands a click away.

Bulk fan-out

Target a whole company, a group, or the entire org in one go.

Scheduled tasks

Run jobs on a schedule — hourly, daily, weekly, or every few minutes — with a history of every run.

Access & teams

Who can do what, locked down

Sign-in built for security-minded teams, and a structure that scales from one office to many customers.

Passwordless passkeys

Sign in with a fingerprint, face, or security key — no password to phish, and more than one key per person.

2FA, with safe recovery

Authenticator codes plus one-time recovery codes, every secret sealed at rest.

Enforceable MFA

Require two-factor for the whole team, with recovery paths so no one ever gets locked out.

Step-up for sensitive moves

Ask for a fresh factor — an authenticator code or a tap of a security key — before the riskier actions, like opening a remote session.

Org, company, group, machine

A clean hierarchy that keeps every customer fully separated and every policy exactly as broad as you want.

Roles that fit

Platform admin, org admin, and site-scoped technician — who only ever sees and touches the customers you grant them.

Search everything

One search across machines, companies, people, policies, tasks, requests, commands, groups, and orgs — and deep inside each machine: the person signed in, its IPs and MAC, serial, model, CPU, and OS build. It even tells you which detail matched.

Proof & records

A complete record of everything

Every decision, on the record and easy to find.

Searchable audit log

Every login, decision, command, change, reveal, and elevation — who, what, when, and from where — filterable and kept.

Nothing slips through

Even failed sign-ins and the like are captured, so the trail is whole.

Retention on your terms

Keep history exactly as long as you want, with separate windows for records, commands, and elevations.

Secrets sealed at rest

Keys, passwords, and two-factor secrets are encrypted everywhere they’re stored.

Live & alerts

It moves in real time

New machines, requests, and changes appear on their own — and the alert that matters finds you.

Live console

A fast, information-dense view where requests and status changes surface the instant they happen — no refresh.

Notifications, in hand

A bell that catches what needs you, clearable the moment you’re caught up.

Push to your phone

Pending approvals and offline alerts reach you on mobile and on the web, wherever you are.

On the go

In your pocketIn beta

A clean, fast app for the work that can’t wait for a desk.

Approve with a thumbprint

The live approval queue on your phone — approve or deny with a touch.

Catch what matters

Push alerts the second a request comes in or a machine drops offline.

Unlock from anywhere

Scan to get a colleague back into a locked machine, right from the app.

On the horizon

What’s coming next.

baanjai ships fast. Here’s what’s already on the way — beyond the everyday platform above. Each of these is planned, not yet live.

Planned

macOS & Linux agents

The same one-click elevation — request, approve, audit — coming to macOS and Linux, so baanjai works everywhere your team does.

Planned

Smart alert routing

Send the right alert to the right person, on the channel they actually watch — so what needs eyes reaches the human who can act on it.

Planned

Guided installer wizard

Step a stubborn click-Next installer through remotely — no screen-sharing — for the apps that ship with no silent install option at all.

Planned

A scripting library

Saved, scheduled scripts your team builds up over time — a fuller library beyond today’s one-off commands and recurring tasks.

Planned

Mobile in the app stores

The iPhone and Android apps graduating from beta into the App Store and Google Play.

Trust by design

Security that’s on from the first click.

Granting admin is a security decision — so baanjai treats it like one, for the people asking and the people approving.

  • No one holds standing admin — not even your technicians.
  • Passwordless passkeys plus authenticator 2FA, enforceable for everyone.
  • A complete, searchable record of every request, decision, and elevation.
  • Revoke any trust instantly — the next prompt asks again.
  • Approvals are single-use and tied to the real person who asked.
  • Decide who can approve what — by team and role, down to each machine.

One console for the whole job.

The admin prompt, the remote fix, the patch, the audit — every machine your team touches, in one place.

60-day money-back guarantee · cancel anytime.