Skip to main content

Changelog

New updates and improvements to idemeum

Integration with Hudu

We are now releasing LAPS integration with Hudu. Idemeum agent can create break-glass accounts on Windows and MacOS workstations and rotate passwords every 24 hours. These credentials are available in the cloud portal and mobile app. Now with this integration, idemeum can push credentials to Hudu. Integration is very easy to set up, idemeum will map customers automatically, and will start uploading the credentials. Hudu integration requires the latest idemeum clients.

Hudu - idemeum LAPS integration
Push LAPS break-glass credentials for all computers and Entra ID tenants to Hudu documentation platform.

Automatic account downgrade

With idemeum you can automatically downgrade local admin accounts on workstations. When this feature is enabled at the customer tenant level, idemeum desktop agent will enumerate all local admin accounts on workstation and downgrade the ones that are not on the exclusion list.

Automatic account downgrade
Automatically remove admin rights from computer accounts.

Public roadmap

We now publish our public roadmap. Not only can you see what we are currently working on, but you can also create feature requests and tell us how we can make our platform better.

Fixes and improvements

  • Windows Desktop Agent 1.6.9
    • JIT account enable/disable handled from RDP sessions
    • UAC settings enabled to prompt credentials on secure desktop
    • Enhanced elevate as Admin to ignore AD bind errors during elevation
  • Windows Desktop Agent 1.7.0
    • Support to configure http client timeouts for workstations connected to slow network (applicable during fresh install)
    • UAC path resolution fix for exe files launching from folders having CLSID as part of the folder name
    • Support to skip session disconnect (behind a knob) to avoid discrepancies wrt Sleep events
  • Windows Desktop Agent 1.7.1
    • Enhanced offline mode for MSP technicians
  • MacOS Desktop Agent 1.1.1
    • Enhanced application of elevation rules for sudo (Terminal)
  • Other fixes
    • Fixed the resizing issue on the Devices screen

Windows Desktop Agent 1.6.8

  • Hudu integration support for LAPS credentials

Windows Desktop Agent 1.6.7

  • Fixed the issue of desktop not being removed from the cloud when uninstalled
  • Show the proper message to technician when domain login mode is enabled, but the idemeum agent is not installed on domain controller
  • Enhanced log collector to capture events when log fetching is denied by the Group Policy

Remote Desktop (RDP) with JIT accounts

When idemeum desktop agent is installed on domain-joined workstations, technicians can RDP from one machine to the other without the need to use any passwords - simply scan the QR-code and approve with biometrics.

Just-in-time accounts will be used behind the scenes - accounts will be enabled / disabled on-demand, and passwords will be rotated after each login.

Check the documentation below:

Remote Desktop (RDP) with JIT accounts
Technicians can RDP from one domain-joined customer workstation to another using domain JIT accounts.

Halo PSA ticketing integration

You can now connect HaloPSA instance to idemeum, and idemeum will be able to create and close tickets when users are requesting elevated privileges on endpoints. The integration is very simple to set up, and when connected, idemeum can automatically map customers in HaloPSA to idemeum customers, or you can do this manually.

When the ticket is created, all elevation metadata is attached in the tickets details along with the link for tech to quickly approve or deny the request.

To set up this integration, please check the documentation guide below.

Halo PSA - Create tickets for user elevation requests
Idemeum can create and manage tickets in HaloPSA when users are requesting elevated privileges on workstations.

User / admin elevation

With the latest cloud and idemeum mobile application release you can now choose what type of elevation to use when approving user requests - admin or user elevation. With admin elevation you approve the request with the idemeum admin account, whereas with user elevation you temporarily elevate user account to run the program in the user context.

You can learn more about elevation types below.

Admin / user elevation
How various idemeum elevation types work.

Fixes and improvements

  • Reorganized and simplified the UI for both admin and user portals in order to improve the ease of navigation
  • Enhanced the Entra ID authorization connector to handle refresh token correctly when the password changes for the account that was used for authorization
  • Enhanced Entra ID LAPS feature to always provision LAPS accounts on onmicrosoft domain based on Microsoft best practices

Global elevation rules

You can now create global rules that will control elevation requests across all your customers. There are several ways you can create these rules:

  1. Manually in your MSP tenant
  2. Automatically generate global rule from elevation event or user request in your customer tenant
  3. On the mobile app when you approve the request you can automatically generate a global rule
Elevation rules
Create rules to define what privileged actions are allowed on workstations.

Global elevation requests

We now aggregate all elevation requests across all customers in your MSP tenant. You can now approve / deny all these requests from one central location.

Elevation requests
Elevation requests come from users when they carry out privileged actions.

Configurable elevation timer and message

You can now start customizing how Endpoint Privilege Management (EPM) works:

  • You can configure the timer for live elevation approval. You can set it from 0 to 120 seconds
  • You can configure the message that is shown to users when they try to carry out privileged actions on workstations
Customization
Customize how Endpoint Privilege Management works.

Default agent elevation mode

When you install idemeum agent you can now pass an additional parameter to automatically set up elevation mode right after installation - offline, audit, or rules.

Command-line installation
Install idemeum agent with a simple command line script.

RFID Single Sign-On keystroking readers

We now removed the dependency on RFID readers from rfIDEAS, and we can now support pretty much any key stroking reader. This significantly expands the options and lowers the cost of initial hardware investment.

Additional enhancements

  • MacOS 1.0.9 - Ability to upload logs to idemeum cloud when requested from the admin portal
  • MacOS 1.0.9 - Block QR code access with the message for non Technicians during elevation
  • MacOS 1.0.9 - Timezone correction in logs

MacOS Desktop Client 1.0.9

  • Support for user elevation vs. admin elevation
  • Configurable elevation timer and elevation message

MacOS Desktop Client 1.0.8

  • Elevation mode can be set as part of installation command
  • Show a relevant error message when non-technician scans the QR-code during elevation request
  • Ability to upload logs to the cloud when requested from admin portal
  • Timezone correction in logs

Windows Desktop Client 1.6.1

  • Added option to approve elevation and elevate as user vs. admin. Now you can choose how to elevate the user request. Supported for local and domain-joined workstations only (No Azure AD users).
  • Support for configurable elevation timer and elevation message.

Windows Desktop Client 1.5.9

  • For new installation you can set the elevation mode with the PowerShell script option - elevationMode
  • RFID Single Sign-On - we can now support any keystroking reader

Windows Dekstop Client 1.5.8

  • Resolved all the incidents related to Windows Defender
  • RFID Single Sign-On - credentials mode set as default. No longer supporting ADCS.
  • RFID Single Sign-On - feature added to disable same card tap out controlled by a knob
  • RFID Single Sign-On - enhanced tap-over from lock screen when logged in using default credential provider

Major September Release

Group-based delegation to customer tenants

We introduced the feature to control access to customer tenants with user groups. You can now create groups, assign techs to these groups, and delegate access to customer tenants with user groups. You can read more about the feature here:

Delegate access to tenants
Delegate technician admin access to customer tenants

Parametrized deployment with RMM

We now provide an option to deploy idemeum agent across your customers with one RMM script. We allow to download all customer tenant deployment variables with CSV file, you can then assign these variables to customers in your RMM, and use one script for deployment. The script will pull the variables from the organization and deploy appropriate agent configuration.

As an example, here is how to deploy windows agent with Ninja RMM.

Ninja RMM idemeum agent installation
This guide describes how to mass deploy idemeum agent with Ninja One RMM.

Centralized audit logs

You can now view all aggregated audit logs in your MSP tenant. In addition to seeing all activity in your MSP tenant, you can view all activity across your customers.

LAPS credentials on mobile

LAPS credentials are also pushed to idemeum mobile application and can be viewed by any technician who has access to LAPS credentials.

LAPS credentials on mobile
Overview LAPS credentials are also pushed to idemeum mobile application and can be viewed by any technician who has access to LAPS credentials. * Even if you mobile phone is on offline mode, you can still view LAPS credentials in the idemeum app. However, if the credentials were successfully rotated by

API to disable Entra ID JIT account

We now expose an API to disable Entra ID JIT accounts on demand. This is helpful when you want to automate Entra ID account enable / disable when your PSA tickets are closed.

Disable JIT account from HaloPSA with API call
Leverage idemeum APIs to disable Entra JIT accounts.

Fixes and improvements

  • Fixed the issue when idemeum agent was interfering with RDS application launch
  • Launch Entra ID JIT accounts in incognito mode when idemeum is integrated with PSA using iFrame
  • Enhanced handling JIT account management errors on Windows

macOS desktop client 1.0.7

Wanted to share an update on the new MacOS agent that we released:

  • We now support silent installation of idemeum desktop agent with MDM profiles. If you manage your Macs with MDM, you can silently push idemeum agent and also silently enable privacy & security settings (Full disk access, and Accessibility) so that manual intervention is not needed. 

As an example we documented how to deploy idemeum desktop agent with Intune.

Microsoft Intune - MacOS agent installation
In this post we will take a look at how to silently deploy MacOS idemeum agent with Microsoft Intune.

Fixes

  • Properly display long names in the elevation pop up
  • Clean up old logs from the logs folder
  • Improved stability of elevation mode configuration from the cloud. It no longer relies on notifications.

Windows Desktop Client 1.5.7

  • With the default installation of Windows client we no longer require restart. Once the installation is complete, the sign out is required to load the idemeum credential provider.
  • Enhanced offline detection, especially for virtual environments
  • When idemeum desktop client is installed we are leveraging Advanced Installer, and the installation PowerShell scripts are no longer run from the temp folder. Instead, these scripts are executed as part of silent installation process by idemeum app. This enhancement makes it easier to use idemeum with security tools such as ThreatLocker.

Windows Desktop Client 1.5.6

  • Fix for RDS applications launch when idemeum desktop client is installed
  • On the login screen in JIT mode we no longer show MSP admin accounts for local workstations
  • Support to consider remote domain name for domain-joined workstation when RFID Single Sign-On is used
  • For technician mode the issue of QR-code timing out after 3 seconds is fixed
  • Enhanced how accounts are synced for Account Discovery (not pushing built-in and idemeum managed accounts)

macOS desktop client 1.0.5

  • Account discovery and management support
  • Fixed lock screen issue where the screen was turning black after sleep
  • Support added to work with default security agent like Xcreds

Windows Desktop Client 1.5.5

  • Support for privileged account management discovery
  • Support the use case when the workstation type is changed from local to domain-joined after the idemeum desktop client installation
  • Domain controller check optimized & managed users having passwordnotrequired property set as false

Major August Release

We are excited to announce the release of several new features that we have been working on for the last several weeks.

LAPS for Entra ID accounts

You can now secure Entra ID emergency accounts - automatically create up to two break-glass accounts for any customer Entra ID tenant, upload credentials to zero-knowledge password vault, rotate passwords automatically every 24 hours. Idemeum now offers unified LAPS - for computer accounts as well as Entra ID accounts.

LAPS for Entra ID
Secure emergency Entra ID global admin accounts for each Entra ID customer tenant

Group-based LAPS access control

You can now control who has access to emergency LAPS credentials. Create groups in your MSP tenant, assign technicians to various groups, and then decide which groups of techs can view Entra ID or computer LAPS credentials.

Group management
Combine users into groups with direct assignments or attribute mapping

Role-based JIT Entra ID accounts

You can now configure what roles are assigned to technicians when they request Entra ID accounts. For instance, Techs Level 1 will get Global admin role, whereas Techs Level 2 will get User admin role. Simply create groups in your MSP tenant and leverage these groups when configuring Entra JIT accounts.

Connect Entra ID tenant
In this post we will see how you can connect Entra ID tenant to your idemeum customer tenant.

Read-only admin role for technicians

There are several ways you can allow your technicians to access customer tenants - you can make a technician a Global admin to access all customer tenants, or delegate admin access to only specific customer tenants. We are now introducing a Read-only administrator role so that technician can access the customer tenant, view the settings, but not make any configurations or changes.

Delegate access to tenants
Delegate technician admin access to customer tenants

MSP portal enhancements

We enhanced our MSP portal navigation. Now you can see how many technicians have access to each customer tenant as well as the role that each technician was assigned.

MSP portal overview
Idemeum allows you to control and manage multiple organizations from one central MSP portal

macOS desktop client 1.0.4

  • Enhanced MSP logins irrespective of secure token status
  • Enhanced notification to perform operations in the background i.e., when user session is not established

macOS desktop client 1.0.3

  • Added listener to perform auto-upgrade from the cloud dashboard
  • Enhanced LAPS account password policy to support password length
  • Elevation support for additional menus (Fingerprint, Profile Add/Remove, Passwords)

Windows Desktop Client 1.5.4

  • Introduced the elevation control for admin users logged into the workstation. When admin user needs to perform privileged action, idemeum will also intercept UAC in rules mode and will prompt the user to request execution. Check the updated Windows behavior for EPM below.
EPM for Windows
In this post we define in detail how EPM functions on a Windows workstation
  • Enhanced notification service to auto restart when stopped due to unforeseen cases

macOS desktop client 1.0.2

  • Support for LAPS account creation and password rotation

Endpoint Privilege Management for macOS

We are excited to announce that idemeum now supports Endpoint Privilege Management / Elevation Control for macOS workstations.

You can now remove local admin rights on macOS computers, manage user elevation requests with mobile app, and create rules for what software is allowed to execute with admin privileges.

Not only do we provide parity with our Windows offering, but we implemented integration with Apple Endpoint Security API, so that our offering meets modern security standards.

We are releasing the following features:

  • macOS agent command-line installation with a script
  • JIT MSP technician elevation with QR-code
  • audit and rules elevation modes
  • Elevation requests approval with mobile app
  • File, publisher, and certificate rules for elevation
  • and more...

Windows Desktop Agent 1.5.3

  • Enhanced clearing of password field during negative scenarios for RFID Single Sign-On
  • Using correct domain during RDP login when Prompt to choose is enabled for a Tenant under PAM settings

RFID Single Sign-On for Entra ID workstations

We now support RFID Single Sign-On for Entra ID joined workstations. Idemeum offers seamless experience for users to enroll their badges with Entra credentials and access any shared workstation with a badge tap.

Check our quick start guide below to see how you can configure RFID SSO for Entra ID computers.

Quick-start - RFID Single Sign-On for Entra ID joined computers
In this guide we will set up idemeum RFID Single Sign-On for Entra-joined Windows workstations.

Windows Desktop Client 1.5.2

  • RFID Single Sign-On for Entra ID joined workstations
  • Optimized elevated user creation to avoid multiple profile creation
  • Modified display messages by removing idemeum context, to keep it aligned with the organization policies
  • Power button display on logon screen will be based on whether branding is enabled or not

Cloud desktop agent update

You can trigger desktop agent update from the idemeum admin dashboard. By navigating to Devices and then selecting the device you want to update, you can send a notification to idemeum agent to perform automatic update.

Check our documentation page to see how cloud update works.

Update desktop agent
There are several ways to update idemeum desktop agent on Windows and macOS

Windows Desktop Agent 1.5.1

  • Removed idemeum branding icon from the Windows login screen
  • Improved utilization of resources by loading QR-code once. On expiry added a link to re-generate the QR-code

Windows Desktop Agent 1.5.0

  • Enhanced password change detection for desktop client in RFID mode - when desktop agent is installed on local machine with domain line of sight, we can now also verify if password changed at each login, and the user will be prompted to enter new credentials.
  • Password length mismatch error message - when the desktop agent is installed on domain controller, and we try to generate service account password, we can now show the proper message that password generated by idemeum does not meet the DC policy requirements. Admin can go and change the password length to the required option in admin portal.
  • RFID autofill state management - when autofilling user credentials into Windows native applications in the RFID login mode, idemeum desktop agent can now effectively manage autofill state even when users login with native credential provider.
  • Desktop icon removal - when idemeum Windows desktop agent is installed, we no longer create a desktop shortcut.

JIT Entra ID accounts

Entra ID account TOTP support

When technicians request JIT Entra ID accounts, idemeum will automatically create Entra ID account with username and password. You can now also save MFA TOTP secret in idemeum for your Entra ID JIT account, so that techs access customer Entra tenants with MFA.

  • When account is requested from the admin portal, click on ... and choose Configure TOTP key
  • You can now add and save your TOTP key for this account

Extension auto fill

Extension now supports autofill of credentials and TOTP for JIT Entra accounts. Once you request the account, you can click on the application icon, the new tab will open, and idemeum will autofill credentials and TOTP.

Admin portal UI

  • In the devices section we now show the identified for Domain controller. Before we were only detecting Local workstation and Domain workstation.
  • Added the capability to search through groups when assigning a group restriction for shared accounts.