

Changelog

For the summary of desktop agent changes check this link.

October 14, 2025

macOS 2.0.0 agent

We have completely re-worked our macOS agent. Like one tech company says, this is our best macOS agent release ever ;-) We have changed the application architecture to improve stability and reliability.

Here is what is new:

  • Reduced size from 100MB to 35MB - we have removed our Electron component from idemeum macOS agent. Now the agent is only 35MB which makes it seamless and easy to install and distribute.
  • Migrated to APNs notifications - we now fully integrate with the Apple Push Notification service (APNs) to deliver real-time user and system notifications to our macOS agent. This has simplified the architecture and allowed us to improve notification reliability.
  • Run as security extension - we have migrated from a daemon architecture to macOS security extension constructs. This improves control and security, e.g., when users try to kill the idemeum process, the security extension architecture protects it.
  • Menu bar dropdown - idemeum now offers the dropdown in the menu bar where users can see the status of their elevation requests. In addition to receiving the notifications, users can now see the live status of their request in the menu bar.

IMPORTANT - auto upgrade is not supported for this version. Because of the architecture changes, you need to grant the permission for the idemeum security extension. To upgrade to this version you need to deploy the updated MDM profile (get it from the idemeum portal) and push the update script to the machine. If you need any help, just reach out to support.

Unified macOS installation

We have long supported this with Windows, and now added the support for macOS deployments. You can now leverage one command to install macOS agents across your customers. Grab the command from the MSP tenant, and pass the customer tenant name variable to the script. Idemeum will automatically create a customer tenant and pair the agent with that tenant.

September 14, 2025

macOS 1.1.6 agent

We have updated our macOS agent to fully support macOS 26 Tahoe. What is more, we have refreshed the UI for end user elevation screens and notifications to make things simpler and cleaner.

Improvements and fixes

  • We migrated the Windows agent to the .NET 8.0 framework. When the agent auto-updates, it will pull the required files and install them.
  • Improved the TOTP login flow to account for time drift. When you log in with an offline code, we now also accept the TOTP for the 30-second window before and the 30-second window after the current one. This allows for some clock drift that can happen on workstations.
  • Added support for German, Dutch, and French for the Windows desktop agent in elevation control mode.
  • Improved performance of Windows allowlisting when collecting file information. The system now responds 2x faster when launching unknown binaries, especially on Windows ARM workstations.
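As an added illustration of the drift window described in the TOTP item above (example code written for this page, not idemeum's implementation), here is a minimal RFC 6238 TOTP verifier that accepts the 30-second step before and after the current one. The secret is the RFC 6238 reference key and the timestamps are constructed; the verifier also returns the matched counter so a caller can refuse a replayed code.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # TOTP time step; "30 sec before and 30 sec after" is one step each way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: Optional[float] = None,
                step: int = STEP_SECONDS, digits: int = 6,
                drift_steps: int = 1) -> Optional[int]:
    """Check a submitted code against the current window and drift_steps windows on each side.

    Returns the matching counter (so the caller can reject a replay of the same code by
    remembering the highest counter already accepted), or None if nothing matched.
    """
    if unix_time is None:
        unix_time = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = int(unix_time) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def demo() -> dict:
    """Constructed scenario: the workstation clock runs 20 seconds behind the server."""
    secret = b"12345678901234567890"  # RFC 6238 reference secret, not a real key
    server_time = 1_111_111_111                      # counter 37037037
    code_from_authenticator = totp(secret, server_time)
    workstation_time = server_time - 20              # counter 37037036, one step behind
    return {
        "strict": verify_totp(secret, code_from_authenticator, workstation_time, drift_steps=0),
        "with_drift": verify_totp(secret, code_from_authenticator, workstation_time, drift_steps=1),
    }


if __name__ == "__main__":
    print(demo())  # strict check fails, drift-tolerant check matches counter 37037037
```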

August 18, 2025

Application allowlisting for Windows ARM

Excited to share that we polished and now support application allowlisting for Windows ARM architecture. Check out the end-to-end flow for application and elevation control.

On-demand delegation for JIT access

We have released a set of APIs to perform technician delegation to tenants. You can simply delegate and remove delegation by passing a customer / environment name and an email address.

Let's say you do not want to delegate technician access to a customer tenant on a permanent basis. You want to allow JIT login to servers and O365 cloud only when the ticket is open and technician is assigned to that ticket. Right from the ticket you can leverage a custom action / button that will call idemeum APIs to delegate access so that technician can perform JIT login, and when the ticket is closed, PSA will call idemeum to remove access delegation.

Fixes and improvements

  • Ensure the user fast switch is enabled during agent installation and update
  • Fixed the issue of special characters in the tenant display name - display names containing special characters can no longer be saved

August 12, 2025

Approve elevation tickets in HaloPSA with a single click

We have enhanced our HaloPSA integration. You can now approve / deny elevation requests with a single click without the need to navigate to idemeum portal.


APIs to manage rules

We now expose a set of API endpoints to manage elevation and allowlisting rules. You can manage rules for your parent tenant, or for any child organization / customer you have created in idemeum. You can create rules as a unified JSON by passing any variable that you can configure in the UI. Now you can simply migrate any rules if you are migrating to idemeum from any other PAM vendor.


Auto user elevation for Windows apps

Most Windows apps need to be launched with user elevation (meaning the user account is temporarily elevated to launch the application). The idemeum agent will now automatically detect a Windows app and perform user elevation even if admin elevation is configured. This addresses the issue of right-clicking the Windows Start button and choosing to run Terminal as admin, along with other apps. We now support all types of launches and elevations for Windows apps.

Bulk rule deletion

You can now delete rules in bulk in the UI. Select several rules and a button will appear to perform bulk actions on the selected rule records.

Caching of publisher data

Idemeum now caches publisher data locally on the workstation in order to perform elevation and allowlisting. This significantly increases the speed of application launches once the cache is created after first launch.

Process tree generation

Now each event that involves child process launch includes the icon to view the process chain. You can clearly see what process is responsible for initiating the chain and you can get the context for what is launched and why.

Improvements and fixes

  • Fixed the elevation installation command for the macOS installer generation in the UI
  • Allow desktop sharing for shared and dedicated mode
  • Fixed the rule generation in the UI to add the verified element only if more than one subject element exists

July 30, 2025

Very exciting release for us after a long period of development and testing. Happy to share that allowlisting for Windows is publicly available!

Windows allowlisting - public release

With idemeum Windows allowlisting you can control what applications run on your Windows workstations and block malware and ransomware. Our goal was to make allowlisting simple and light on maintenance, so that you do not have to track every executable on every machine.

Here is what we are releasing:

  • Control applications at the process execution level - nothing is allowed to run unless you explicitly allow it.
  • Preconfigured catalog to allow common applications (Chrome, Zoom, Adobe, etc.) with a single click. Idemeum will track all dependencies so that you do not have to worry about applications breaking.
  • Integrated elevation control. We unified elevation and execution rules so that you can simply allow and elevate applications at the same time.
  • Application fencing to control application interactions. You can block notepad from opening command prompt, or Word document launching PowerShell. You can control what applications can do on the workstation.
  • Control applications downloaded from Windows store
  • Real time updates, offline rules, and many more things

Here is the quick-start guide to explore allowlisting.


June 23, 2025

UI improvements and fixes

  • Updated terminology from customer to tenant everywhere in admin and user portals
  • Improved the tenant switcher to pull all tenants on customer tenant creation; there is no need to refresh the page for the tenant switcher to display a newly created child tenant
  • Provide search options for all drop down lists
  • Fixed menu and close icons
  • Fixed audit chart scrolling
  • Fixed clipboard copy for DID
  • Close notification drawer on outside click
  • Added additional test cases

June 27, 2025

Allowlisting coming soon

We have been working hard on our Windows kernel driver to control what applications can run on Windows workstations, and block execution of untrusted files and ransomware. Our goal - make allowlisting simple, yet effective. Stay tuned, we will share an update soon.

Real-time settings

We have made tenant settings real time. Now if you change something for a customer tenant (e.g. change the JIT login mode, update the elevation message, etc.), we push a notification to all affected devices and the changes are applied immediately. If for whatever reason the notification is missed, the desktop agent will pull the updated settings during the next 6-hour sync interval as a fallback.

Enhancements and fixes

  • Updated our APIs to return parametrized installation command in addition to returning the whole command as a string.
  • Fixed the issue of bulk elevation mode change in the UI.
  • Enhanced Windows JIT login by avoiding the automatic user switch on lock. This no longer interferes with VPNs or user desktop settings.
  • Enhanced how we tag devices in the admin portal. Now when the agent is installed we properly show whether the device is a server, domain controller, or workstation. We also properly reflect domain-joined, local, or Entra-joined status.
  • Made an enhancement to ensure the JIT account always belongs to the Administrators group. Even if the membership is removed, idemeum will reassign it during the next login.
  • Enhanced RFID tap-out flow to ensure card data is cleared, i.e., card hold data time elapses before disconnecting or signing out of the session.
  • Enhanced the JIT flow to avoid a WMI query that at times takes a long time to complete.
  • Enhanced UAC capture flow to handle unverified events properly.
  • Fixed offline transition when DNS does not resolve the idemeum domain.
  • Improved log clean up.
  • Google has discontinued support for the authorization flow in Internet Explorer, so we switched RFID SSO to a Chromium-based browser instead of the default Internet Explorer.
  • Managing version.txt for RMM tools that cannot read from the registry.
  • Optimized token fetch calls by leveraging the cached token in the Update Settings flow.
  • Ensuring metadata is synced to the cloud once a day if it has not been updated.
  • Domain JIT account login: do not fail if one or more DCs are not reachable during account verification.

April 24, 2025

Idemeum at MSPGeekCon 2025

We are very excited to be sponsoring MSPGeekCon this year. If you are planning to attend, please stop by our booth, and we would be happy to hear more product feedback and talk about our new big upcoming launches.

Updated Immy.bot integration

Big thanks to Elastic IT and Anthony Birone for guiding and helping us improve the Immy.bot integration. We have added a new catalog integration in Immy that is very simple to set up and comes preconfigured out of the box. It relies on the API integration between Immy and idemeum, allows mapping customer tenants, and shows the idemeum badge for each computer where the agent is installed.


Device agent status

Idemeum now keeps track of each device agent by recording the last check-in time to display the agent health status. Every time idemeum desktop agent checks in with the cloud, the time stamp is captured and the health status is updated. You can now clearly see in the Devices section what agents are healthy and which ones have not communicated with idemeum for a while.


Bug fixes and improvements

  • Added an option to set up tap-out mode per device for RFID SSO devices
  • Enhanced Entra JIT flows to prevent circular login issue by adding prompt=login query param to OIDC launch URL
  • Show Invited status for newly added users when local directory is used
  • Fixed the bug in the MSP tenant switcher when multiple tenants were selected at once
  • Uninstall notification is now sent to device agent when the record is deleted from the cloud portal
  • We now reload credential provider settings every time you switch between default and idemeum credential providers

April 3, 2025

Windows ARM support

We now support workstations with Windows ARM processors. There is nothing to do on your end: simply install the idemeum agent with the Windows PowerShell command, and it will automatically detect the architecture and install the required prerequisites and the idemeum executable.

API changes

We have added a number of new public API endpoints and enhanced existing ones. Check our API docs page.

  • New Devices endpoint to return information about devices along with metadata and installation commands
  • New Groups endpoint to get information about all idemeum groups
  • Enhanced Customer endpoints to return installation commands for customer tenants

Enhancements

  • Display name change - added option to change the display name for a customer tenant. Access admin portal → Customers → select customer → click on ... and choose Edit. Now when editing you can change the display name for a customer tenant.
  • Desktop agent ID - now when the desktop agent is installed on Windows, there is a unique agentId that is created in the registry. You can obtain this agentId for each device from idemeum API, and then correlate with each endpoint to see if the agent is installed.
  • Welcome email enhancements - updated the text and instructions in the welcome email that is received when you add / invite a new user to idemeum MSP tenant.
  • Shared domain account support when Google is used as the user source - when in RFID mode and Google directory is used as the user source, we now support logins with a shared domain account if the machine is domain-joined.
  • Delete user when Entra ID is user source - we now support the option to delete the user from idemeum MSP tenant when the user source is Entra. Simply click on ... next to the user record and delete the user.

Bug fixes

  • Fixed the issue for Entra ID admin accounts not being downgraded when Auto downgrade feature is enabled.
  • Enhanced processing the UAC events when the last logged in user is preselected.
  • Fixed the credential submission loop when auto filling credentials for Entra ID in incognito mode.
  • Fixed the issue of auto filling credentials in RFID mode when native credential provider was used.
  • Fixed macOS issue when pkg files were not properly processed in Technician mode for automatic elevation

March 3, 2025

Unified script deployment

Big exciting update for us! We have now unified the deployment for Windows agents (macOS will be added soon). You can now use one installation script and pass it the desired customer name with the -customerName attribute. The agent will automatically associate with the appropriate customer tenant, and if the customer does not exist in idemeum, it will be automatically created. Installation is now migrated from EXE to MSI in order to improve reliability of integrations with deployment tools. We automatically handle required prerequisites when installing with command-line script.

Updated integrations

As we now have the simpler way to deploy idemeum agent and automatically create customer tenants, we tested and verified the following integrations with RMMs. Most of these integrations are using the built-in customer name variables that get automatically passed to idemeum script for installation.

Proxy configuration from command-line script

We have added the option to configure proxy for idemeum agent when Windows agent is installed with PowerShell script. You can simply pass the -proxyHost and -proxyPort attributes to the PowerShell installation command. The documentation for proxy configuration is below.

Version selection from command line script

Starting from this current version (Windows 1.8.0) you will be able to install the desired version of idemeum desktop agent by passing it the -version attribute.

Duo integration - auto registry changes

Previously, when the idemeum agent was installed on workstations with Duo, manual registry modifications were necessary to make both products work together. What is more, Duo would often update the registry keys and the idemeum credential provider would no longer be displayed.

We have now simplified the integration and there is nothing you need to do when idemeum is installed on machines with Duo. We manage registry keys automatically.

Duo Security - idemeum agent integration
JIT computer access When Duo Security agent is installed on a Windows workstation, it disables all credential providers except the native Windows password credential provider. However, there is a way to enable excluded credential providers via the registry. When idemeum agent is installed, it automatically makes the necessary changes to

Account discovery enhancements

  • We now support removing manually added domain user accounts from local administrator group on domain-joined workstations. When these accounts are added manually, idemeum discovers them and can downgrade from the cloud.
  • We updated the UI for account discovery page and we now show the workstation type for convenience (local, domain-joined, domain-controller)

Spanish locale support

We have started adding support for various languages to make sure JIT and elevation work correctly on machines with different languages. We have now added support for Spanish. For this feature to work properly the workstation needs to have Spanish set as its locale.

Additional enhancements

  • Improved the Groups page to show group types (local, built-in, external) and consolidated actions under .... Now it is very easy to view group members by choosing one of the actions from ....
  • Improved the Customers page to show the separate column for groups that are delegated to each customer tenant. By clicking on the counter you can access the delegation window.
  • QR-code expiry in Technician mode made independent of client time i.e., when client time is not in sync.

February 19, 2025

Tenant switcher

We have significantly simplified the navigation between customer environments. No need to manage multiple tabs anymore: everything opens in the same window, and we now offer a tenant switcher at the top left of the window to search for any customer environment and navigate there. The tenant switcher is available in both the user and admin portals.


February 12, 2025

Hybrid Entra ID JIT support

Idemeum now supports just-in-time access to Hybrid Entra ID deployments. We can now automatically handle the cases where JIT MSP accounts created on domain controllers get synced to Entra ID. When a JIT account is requested for Entra ID and there is an account that was synced from on-premises, idemeum will automatically handle this case and create a cloud-only account. No changes or configuration are required; everything is handled automatically.

Global elevation requests on mobile

Now you can see all elevation requests on mobile across all your customers aggregated in one place. This feature is available to users who are MSP admins. Open idemeum mobile app → navigate to MSP dashboard and you will see the requests menu at the bottom. It aggregates all requests across all customers.

Configurable OU for JIT computer accounts

You can now configure where you would like to create JIT computer accounts for Windows domain environments. You can specify an OU or a set of nested OUs where you would like idemeum to create JIT MSP accounts. If the OU is not present, idemeum will create one for you.


January 24, 2025

Co-managed JIT login

With idemeum you can now onboard your customer admins and allow them to log in to company workstations with a JIT co-managed account, manage elevation requests from users, and access LAPS credentials. Simply onboard the user into a customer tenant with the mobile app, and the rest will be handled automatically. What is more, this feature does not use any technician JIT licenses, so feel free to onboard as many co-managed users as necessary.

Device sharing

You can now control what users and groups can access what customer workstations. For instance, when you onboard a new tech and delegate access to a customer tenant, you might limit the JIT access to only customer workstations and not domain controllers. You can configure workstation access control with groups or direct user assignments.

macOS improvements

  • Auto update - the macOS agent now supports auto-update. The agent will periodically check if a new version is available and will silently update the desktop agent.
  • Timer bug fix - fixed the issue where setting the timer to 0 caused an endless loop.

Improvements and fixes

  • Key management improvements - we improved how encryption keys are managed and passed when you login between customer tenants, and use various surfaces including iFrame for PSA integration, browser and extension.
  • Allow EPM approvals in read-only delegation mode - now when technician is delegated to customer tenants with read-only mode, we also allow technician to approve elevation requests.
  • Technician mode audit logging - we now capture the technician mode event and generate an audit log record when one of your techs initiates Technician mode on the workstation. We generate the following record:
    • nik@nikpot.com initiated technician session (Technician mode) on the Desktop JIT-W11-LOCAL for the user account mike.
  • Bug fix: group delegation after user disabled - fixed the issue where the user was not properly delegated to customer tenants as part of group, when the user record was first disabled and then enabled back.
  • Cosmetic UI clean up - cleaned up the UI to create more clear titles, fixed broken documentation links, and reorganized menus for easier navigation.

January 13, 2025

ConnectWise PSA integration

Excited to announce idemeum integration with ConnectWise PSA. When users request elevations on Windows and MacOS workstations, idemeum can now open tickets in your ConnectWise PSA. The ticket contains all request metadata along with the option to approve or deny the request.

ConnectWise PSA - idemeum integration
ConnectWise configuration In order to allow 3rd party applications (like idemeum) to make calls on behalf of a user we need to create a Member API and an API key in ConnectWise. Add an API member * From the ConnectWise admin console navigate to: System → Members → API Members * Click the + sign

Windows auto upgrade

We now provide the option for each desktop agent to auto update when the new version is available. You can configure this feature for your MSP tenant.

Login page refresh

We made some cosmetic updates to our login page to make it cleaner.


January 6, 2025

Technician mode

With the latest Windows and macOS agent release we are introducing Technician mode, a long-awaited feature that many of our customers have asked for. You can now troubleshoot customer workstations without needing to be logged in with an admin account. Simply launch the Technician mode application, scan the QR code with the idemeum app, and approve with biometrics. The default 10-minute timer will start and you will be able to bypass any elevation rules.


Public APIs

We are excited to release the first iteration of our public APIs. We spent the last several weeks exposing our platform programmatically while keeping our cloud zero-knowledge. When you create an API key, that key is used not only for authentication but also to perform crypto operations. Even when interacting with the idemeum platform over the API you get the same strong level of security, where your data is encrypted with your own key.

We have documented our initial set of endpoints here → api.idemeum.com

Windows Desktop Agent 1.7.2

  • Support for the -credentialProviderEnabled flag in the PowerShell command. If you prefer to install the idemeum agent without the credential provider, set this flag to True. Idemeum will install without the credential provider, and you will be able to use the following features:
    • LAPS
    • Account discovery and management

MacOS Desktop Agent 1.1.2

We have released a number of improvements for macOS:

  • Fixed the issues related to a black screen appearing in sleep mode. We now handle user / technician switching in a more reliable way.
  • We now support application installations performed by moving the app to the Applications folder. Previously the elevation prompt would come up only when you launched the app directly. Now, even if you move an app to the Applications folder, idemeum will trigger the elevation request.
  • Fixed the metadata captured for executables on macOS, including publisher certificates and certificate attributes.

December 12, 2024

Integration with Hudu

We are now releasing LAPS integration with Hudu. Idemeum agent can create break-glass accounts on Windows and MacOS workstations and rotate passwords every 24 hours. These credentials are available in the cloud portal and mobile app. Now with this integration, idemeum can push credentials to Hudu. Integration is very easy to set up, idemeum will map customers automatically, and will start uploading the credentials. Hudu integration requires the latest idemeum clients.


Automatic account downgrade

With idemeum you can automatically downgrade local admin accounts on workstations. When this feature is enabled at the customer tenant level, idemeum desktop agent will enumerate all local admin accounts on workstation and downgrade the ones that are not on the exclusion list.

Public roadmap

We now publish our public roadmap. Not only can you see what we are currently working on, but you can also create feature requests and tell us how we can make our platform better.

Fixes and improvements

  • Windows Desktop Agent 1.6.9
    • JIT account enable/disable handled from RDP sessions
    • UAC settings enabled to prompt credentials on secure desktop
    • Enhanced elevate as Admin to ignore AD bind errors during elevation
  • Windows Desktop Agent 1.7.0
    • Support for configuring HTTP client timeouts for workstations connected to a slow network (applicable during fresh install)
    • UAC path resolution fix for exe files launched from folders that have a CLSID as part of the folder name
    • Support for skipping session disconnect (behind a knob) to avoid discrepancies with respect to Sleep events
  • Windows Desktop Agent 1.7.1
    • Enhanced offline mode for MSP technicians
  • MacOS Desktop Agent 1.1.1
    • Enhanced application of elevation rules for sudo (Terminal)
  • Other fixes
    • Fixed the resizing issue on the Devices screen

November 20, 2024

Windows Desktop Agent 1.6.7

  • Fixed the issue of desktop not being removed from the cloud when uninstalled
  • Show the proper message to technician when domain login mode is enabled, but the idemeum agent is not installed on domain controller
  • Enhanced log collector to capture events when log fetching is denied by the Group Policy

November 18, 2024

Remote Desktop (RDP) with JIT accounts

When idemeum desktop agent is installed on domain-joined workstations, technicians can RDP from one machine to the other without the need to use any passwords - simply scan the QR-code and approve with biometrics. Just-in-time accounts will be used behind the scenes - accounts will be enabled / disabled on-demand, and passwords will be rotated after each login.


November 11, 2024

Halo PSA ticketing integration

You can now connect a HaloPSA instance to idemeum, and idemeum will be able to create and close tickets when users request elevated privileges on endpoints. The integration is very simple to set up, and when connected, idemeum can automatically map customers in HaloPSA to idemeum customers, or you can do this manually. When the ticket is created, all elevation metadata is attached in the ticket's details along with a link for the tech to quickly approve or deny the request.


November 6, 2024

User / admin elevation

With the latest cloud and idemeum mobile application release you can now choose what type of elevation to use when approving user requests - admin or user elevation. With admin elevation you approve the request with the idemeum admin account, whereas with user elevation you temporarily elevate user account to run the program in the user context.


Fixes and improvements

  • Reorganized and simplified the UI for both admin and user portals in order to improve the ease of navigation
  • Enhanced the Entra ID authorization connector to handle refresh token correctly when the password changes for the account that was used for authorization
  • Enhanced Entra ID LAPS feature to always provision LAPS accounts on onmicrosoft domain based on Microsoft best practices

October 17, 2024

Global elevation rules

You can now create global rules that will control elevation requests across all your customers.

Global elevation requests

We now aggregate all elevation requests across all customers in your MSP tenant. You can now approve / deny all these requests from one central location.

Configurable elevation timer and message

You can now start customizing how Endpoint Privilege Management (EPM) works:

  • You can configure the timer for live elevation approval. You can set it from 0 to 120 seconds
  • You can configure the message that is shown to users when they try to carry out privileged actions on workstations

Default agent elevation mode

When you install idemeum agent you can now pass an additional parameter to automatically set up elevation mode right after installation - offline, audit, or rules.

RFID Single Sign-On keystroking readers

We have removed the dependency on RFID readers from rfIDEAS and can now support pretty much any keystroking reader. This significantly expands the options and lowers the cost of the initial hardware investment.

Additional enhancements

  • MacOS 1.0.9 - Ability to upload logs to idemeum cloud when requested from the admin portal
  • MacOS 1.0.9 - Block QR code access with the message for non Technicians during elevation
  • MacOS 1.0.9 - Timezone correction in logs

October 15, 2024

MacOS Desktop Client 1.0.9

  • Support for user elevation vs. admin elevation
  • Configurable elevation timer and elevation message

October 4, 2024

MacOS Desktop Client 1.0.8

  • Elevation mode can be set as part of installation command
  • Show a relevant error message when non-technician scans the QR-code during elevation request
  • Ability to upload logs to the cloud when requested from admin portal
  • Timezone correction in logs

October 15, 2024

Windows Desktop Client 1.6.1

  • Added option to approve elevation and elevate as user vs. admin. Now you can choose how to elevate the user request. Supported for local and domain-joined workstations only (No Azure AD users).
  • Support for configurable elevation timer and elevation message.

October 2, 2024

Windows Desktop Client 1.5.9

  • For new installations you can set the elevation mode with the PowerShell script option elevationMode
  • RFID Single Sign-On - we can now support any keystroking reader

September 23, 2024

Windows Desktop Client 1.5.8

  • Resolved the reported incidents related to Windows Defender
  • RFID Single Sign-On - credentials mode is now the default. ADCS (certificate-based) mode is no longer supported.
  • RFID Single Sign-On - added a setting to disable tap-out with the same card
  • RFID Single Sign-On - enhanced tap-over from the lock screen when the user logged in with the default credential provider

September 19, 2024

Group-based delegation to customer tenants

We introduced the feature to control access to customer tenants with user groups. You can now create groups, assign techs to these groups, and delegate access to customer tenants with user groups.

Parametrized deployment with RMM

We now provide an option to deploy the idemeum agent across your customers with one RMM script. You can download all customer tenant deployment variables as a CSV file, assign these variables to the corresponding customers in your RMM, and use a single script for deployment. The script pulls the variables from the organization and deploys the appropriate agent configuration.

Centralized audit logs

You can now view all aggregated audit logs in your MSP tenant. In addition to seeing all activity in your MSP tenant, you can view all activity across your customers.

LAPS credentials on mobile

LAPS credentials are also pushed to idemeum mobile application and can be viewed by any technician who has access to LAPS credentials.

API to disable Entra ID JIT account

We now expose an API to disable Entra ID JIT accounts on demand. This is helpful when you want to automate Entra ID account enable / disable when your PSA tickets are closed.

Fixes and improvements

  • Fixed the issue when idemeum agent was interfering with RDS application launch
  • Launch Entra ID JIT accounts in incognito mode when idemeum is integrated with PSA using iFrame
  • Enhanced handling of JIT account management errors on Windows

September 16, 2024

macOS desktop client 1.0.7

An update on the new macOS agent that we released:

  • We now support silent installation of idemeum desktop agent with MDM profiles. If you manage your Macs with MDM, you can silently push idemeum agent and also silently enable privacy & security settings (Full disk access, and Accessibility) so that manual intervention is not needed. 

Fixes

  • Properly display long names in the elevation pop up
  • Clean up old logs from the logs folder
  • Improved stability of elevation mode configuration from the cloud. It no longer relies on notifications.

September 11, 2024

Windows Desktop Client 1.5.7

  • With the default installation of Windows client we no longer require restart. Once the installation is complete, the sign out is required to load the idemeum credential provider.
  • Enhanced offline detection, especially for virtual environments
  • When idemeum desktop client is installed we are leveraging Advanced Installer, and the installation PowerShell scripts are no longer run from the temp folder. Instead, these scripts are executed as part of silent installation process by idemeum app. This enhancement makes it easier to use idemeum with security tools such as ThreatLocker.

August 28, 2024

Windows Desktop Client 1.5.6

  • Fix for RDS applications launch when idemeum desktop client is installed
  • On the login screen in JIT mode we no longer show MSP admin accounts for local workstations
  • Support to consider remote domain name for domain-joined workstation when RFID Single Sign-On is used
  • Fixed the QR code timing out after 3 seconds in technician mode
  • Enhanced how accounts are synced for Account Discovery (not pushing built-in and idemeum managed accounts)

August 21, 2024

macOS desktop client 1.0.5

  • Account discovery and management support
  • Fixed lock screen issue where the screen was turning black after sleep
  • Support added to work alongside a default security agent such as XCreds

Windows Desktop Client 1.5.5

  • Support for privileged account management discovery
  • Support the use case when the workstation type is changed from local to domain-joined after the idemeum desktop client installation
  • Optimized the domain controller check; idemeum-managed users now have the PasswordNotRequired property set to false, so a password is always enforced for them

August 14, 2024

LAPS for Entra ID accounts

You can now secure Entra ID emergency accounts - automatically create up to two break-glass accounts for any customer Entra ID tenant, upload credentials to zero-knowledge password vault, rotate passwords automatically every 24 hours. Idemeum now offers unified LAPS - for computer accounts as well as Entra ID accounts.

Group-based LAPS access control

You can now control who has access to emergency LAPS credentials. Create groups in your MSP tenant, assign technicians to various groups, and then decide which groups of techs can view Entra ID or computer LAPS credentials.

Role-based JIT Entra ID accounts

You can now configure what roles are assigned to technicians when they request Entra ID accounts. For instance, Techs Level 1 will get Global admin role, whereas Techs Level 2 will get User admin role. Simply create groups in your MSP tenant and leverage these groups when configuring Entra JIT accounts.

Read-only admin role for technicians

There are several ways you can allow your technicians to access customer tenants - you can make a technician a Global admin to access all customer tenants, or delegate admin access to only specific customer tenants. We are now introducing a Read-only administrator role so that technician can access the customer tenant, view the settings, but not make any configurations or changes.

MSP portal enhancements

We enhanced our MSP portal navigation. Now you can see how many technicians have access to each customer tenant as well as the role that each technician was assigned.


August 9, 2024

macOS desktop client 1.0.4

  • Enhanced MSP logins irrespective of secure token status
  • Enhanced notifications so that operations run in the background, i.e. when no user session is established

August 2, 2024

macOS desktop client 1.0.3

  • Added listener to perform auto-upgrade from the cloud dashboard
  • Enhanced LAPS account password policy to support password length
  • Elevation support for additional menus (Fingerprint, Profile Add/Remove, Passwords)

July 26, 2024

Windows Desktop Client 1.5.4

  • Introduced the elevation control for admin users logged into the workstation. When admin user needs to perform privileged action, idemeum will also intercept UAC in rules mode and will prompt the user to request execution. Check the updated Windows behavior for EPM below.
  • Enhanced notification service to auto restart when stopped due to unforeseen cases

July 24, 2024

macOS desktop client 1.0.2

  • Support for LAPS account creation and password rotation

July 23, 2024

Endpoint Privilege Management for macOS

We are excited to announce that idemeum now supports Endpoint Privilege Management / Elevation Control for macOS workstations.

You can now remove local admin rights on macOS computers, manage user elevation requests with mobile app, and create rules for what software is allowed to execute with admin privileges.

Not only do we provide parity with our Windows offering, but we implemented integration with Apple Endpoint Security API, so that our offering meets modern security standards.

We are releasing the following features:

  • macOS agent command-line installation with a script
  • JIT MSP technician elevation with QR-code
  • audit and rules elevation modes
  • Elevation requests approval with mobile app
  • File, publisher, and certificate rules for elevation
  • and more...

July 22, 2024

Windows Desktop Agent 1.5.3

  • Enhanced clearing of password field during negative scenarios for RFID Single Sign-On
  • Using correct domain during RDP login when Prompt to choose is enabled for a Tenant under PAM settings

July 19, 2024

RFID Single Sign-On for Entra ID workstations

We now support RFID Single Sign-On for Entra ID joined workstations. Idemeum offers seamless experience for users to enroll their badges with Entra credentials and access any shared workstation with a badge tap.

Windows Desktop Client 1.5.2

  • RFID Single Sign-On for Entra ID joined workstations
  • Optimized elevated user creation to avoid multiple profile creation
  • Modified display messages by removing idemeum context, to keep it aligned with the organization policies
  • Power button display on logon screen will be based on whether branding is enabled or not

July 15, 2024

Cloud desktop agent update

You can trigger desktop agent update from the idemeum admin dashboard. By navigating to Devices and then selecting the device you want to update, you can send a notification to idemeum agent to perform automatic update.


July 8, 2024

Windows Desktop Agent 1.5.1

  • Removed idemeum branding icon from the Windows login screen
  • Improved utilization of resources by loading QR-code once. On expiry added a link to re-generate the QR-code

June 28, 2024

Windows Desktop Agent 1.5.0

  • Enhanced password change detection for desktop client in RFID mode - when desktop agent is installed on local machine with domain line of sight, we can now also verify if password changed at each login, and the user will be prompted to enter new credentials.
  • Password length mismatch error message - when the desktop agent is installed on a domain controller and idemeum generates a service account password, we now show a proper message that the generated password does not meet the DC policy requirements. The admin can change the password length to the required value in the admin portal.
  • RFID autofill state management - when autofilling user credentials into Windows native applications in the RFID login mode, idemeum desktop agent can now effectively manage autofill state even when users login with native credential provider.
  • Desktop icon removal - when idemeum Windows desktop agent is installed, we no longer create a desktop shortcut.

Entra ID account TOTP support

When technicians request JIT Entra ID accounts, idemeum will automatically create Entra ID account with username and password. You can now also save MFA TOTP secret in idemeum for your Entra ID JIT account, so that techs access customer Entra tenants with MFA.

Extension auto fill

Extension now supports autofill of credentials and TOTP for JIT Entra accounts. Once you request the account, you can click on the application icon, the new tab will open, and idemeum will autofill credentials and TOTP.
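The TOTP code that the extension autofills for a JIT Entra ID account is derived from the stored secret with RFC 6238 (HOTP over a 30-second time counter). The following is an added example, written for this page and not idemeum's own code, showing how such a code is computed from an authenticator-style base32 secret and how a verifier should accept it with a small clock-skew window and a constant-time comparison. The base32 secret and timestamps used are the RFC 6238 reference values, not anything from an idemeum tenant.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(timestamp / period)."""
    return hotp(secret, timestamp // period, digits)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator secrets are usually shown as unpadded base32, often with spaces; normalize before decoding."""
    normalized = secret_b32.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)  # restore padding so b32decode accepts it
    return base64.b32decode(normalized)


def current_code(secret_b32: str, now: Optional[int] = None) -> str:
    """The value an autofill component would type into the MFA prompt right now."""
    ts = int(time.time()) if now is None else now
    return totp(decode_base32_secret(secret_b32), ts)


def verify_code(secret_b32: str, candidate: str, now: int, window: int = 1, period: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps to absorb clock skew.

    Every candidate step is checked with hmac.compare_digest so the comparison does not leak
    which digits matched through timing.
    """
    secret = decode_base32_secret(secret_b32)
    step = now // period
    accepted = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), candidate):
            accepted = True  # keep looping: constant work regardless of which step matched
    return accepted


if __name__ == "__main__":
    # RFC 6238 reference secret ("12345678901234567890" in base32); constructed input, not a real account.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code at T=59:", current_code(demo_secret, now=59))
    print("code now:", current_code(demo_secret))
```

Two points worth keeping in mind when a secret like this lives in a vault and is autofilled by software: the code is only as secret as the stored seed, so the seed must be protected at least as strictly as the password it accompanies, and the verifier's skew window should stay small (one step either side) because every extra step widens the space an attacker can guess into.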


June 22, 2024

Admin portal UI

  • In the devices section we now identify Domain controllers. Previously we only distinguished Local workstations and Domain workstations.
  • Added the capability to search through groups when assigning a group restriction for shared accounts.

June 21, 2024

HaloPSA and idemeum JIT integration

We now support integration with HaloPSA where technicians can request and manage just-in-time Entra ID admin accounts right from the PSA tickets. Simply navigate to a ticket, click on idemeum custom tab, get redirected to the exact customer tenant, and then you will be able to request JIT account and view the credentials. Idemeum will automatically disable the account after a specified period of time.

MSP portal and RFID Single Sign-On

We have now fully integrated our RFID Single Sign-On solution under the umbrella of MSP tenant management. Create a customer tenant and with a click of a button enable the RFID tap and go for customer workstations, web, and native Windows applications. If you have healthcare customers, you can now manage RFID Single Sign-On from your MSP portal.


June 20, 2024

Windows Desktop Agent 1.4.9

  • Enhanced support for OTP login when workstation is in shared account mode

June 19, 2024

Windows Desktop Agent 1.4.8

  • Enhanced the silent installation script:
    • Added the property to avoid restart when C++ prerequisites are installed
    • When the desktop client installs but pairing with the cloud does not succeed, you can now re-run the script to repair the agent state. The script checks whether the client is installed but not paired, uninstalls the client, and then retries the installation.

June 4, 2024

Tenant creation with CSV files

You can now create customer tenants by uploading a CSV file. Moreover, for all your existing tenants you can download a CSV file with all installer PowerShell commands.

Technician login with OTP

When techs login into workstations with JIT accounts, there are multiple methods available - scan QR-code, or trigger mobile app notification. We introduced another option to login with one-time code. Enable this option in Settings, and you will be able to retrieve OTP code from mobile app and login into any customer workstation.

Selective account login

For domain workstations we now offer an option to choose what account you want to log in as - domain admin account or local admin account. This feature is useful when you want to have certain workstations where domain admin account shall not be exposed. You can configure this setting for each customer tenant.


May 30, 2024

Configurable password length

You can now define the length of passwords that idemeum will be using for just-in-time accounts, LAPS credentials, and service accounts. Previously we were relying on 12-character random passwords. Now you can configure the length of passwords for each customer tenant.
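As an added example (written for this page, not idemeum's implementation), the following shows what a configurable-length generator for JIT, LAPS and service account passwords should do, and how a DC-style policy check can produce the precise mismatch message described in the Windows Desktop Agent 1.5.0 notes above instead of a generic failure. The policy values (minimum length, three of four character classes, no account name inside the password) are a constructed approximation of a typical Active Directory default domain policy, not figures from the page.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed stand-in for a domain password policy (assumption, not an idemeum setting)."""
    min_length: int = 14
    max_length: int = 127
    required_classes: int = 3  # AD complexity: at least 3 of the 4 classes below


CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*()-_=+[]{};:,.?"),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))


def classes_present(password: str) -> int:
    chars = set(password)
    return sum(1 for members in CLASSES.values() if chars & members)


def entropy_bits(length: int) -> float:
    """Bits of entropy for a uniformly random password of `length` characters over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def generate_password(length: int) -> str:
    """Draw from the OS CSPRNG via `secrets` (never random.random). Resample until all four classes
    appear so the result satisfies any 3-of-4 complexity rule; rejection sampling keeps the
    distribution uniform over the accepted set."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_present(candidate) == len(CLASSES):
            return candidate


def check_policy(password: str, policy: PasswordPolicy, account_name: str = "") -> List[str]:
    """Return a list of human-readable violations; an empty list means the password is compliant.
    Returning the reasons lets the caller show the admin exactly what to change (e.g. raise the
    configured length) rather than a bare 'password rejected' error."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below the policy minimum of {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"length {len(password)} exceeds the policy maximum of {policy.max_length}")
    if classes_present(password) < policy.required_classes:
        problems.append(f"only {classes_present(password)} of {len(CLASSES)} character classes present, "
                        f"policy requires {policy.required_classes}")
    # Simplified form of the AD rule that the password must not contain the account name.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        problems.append("password contains the account name")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=14)
    for length in (12, 20):
        pw = generate_password(length)
        print(f"{length} chars, {entropy_bits(length):.0f} bits:", pw, check_policy(pw, policy) or "OK")
```

Regenerating until every class is present costs a few extra draws at short lengths and almost none at 20 or more characters, and the `entropy_bits` helper makes the value of a longer configured length concrete: moving from 12 to 20 characters over this 85-symbol alphabet takes the password from roughly 77 bits to roughly 128 bits.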


May 21, 2024

Endpoint Privilege Management (EPM) for Windows

You can enforce least privilege on your Windows endpoints by removing local admin rights. Moreover, you can manage user elevation requests with idemeum mobile app without impacting user productivity.