New updates and improvements to idemeum
rules mode and will prompt the user to request execution. Check the updated Windows behavior for EPM below. 
Nik Pot
We are excited to announce that idemeum now supports Endpoint Privilege Management / Elevation Control for macOS workstations.
You can now remove local admin rights on macOS computers, manage user elevation requests with mobile app, and create rules for what software is allowed to execute with admin privileges.
Not only do we provide parity with our Windows offering, but we implemented integration with Apple Endpoint Security API, so that our offering meets modern security standards.
We are releasing the following features:
audit and rules elevation modesPrompt to choose is enabled for a Tenant under PAM settingsWe now support RFID Single Sign-On for Entra ID joined workstations. Idemeum offers seamless experience for users to enroll their badges with Entra credentials and access any shared workstation with a badge tap.
Check our quick start guide below to see how you can configure RFID SSO for Entra ID computers.
Nik Pot
You can trigger desktop agent update from the idemeum admin dashboard. By navigating to Devices and then selecting the device you want to update, you can send a notification to idemeum agent to perform automatic update.
Check our documentation page to see how cloud update works.
Nik PotWhen technicians request JIT Entra ID accounts, idemeum will automatically create Entra ID account with username and password. You can now also save MFA TOTP secret in idemeum for your Entra ID JIT account, so that techs access customer Entra tenants with MFA.
... and choose Configure TOTP key
Extension now supports autofill of credentials and TOTP for JIT Entra accounts. Once you request the account, you can click on the application icon, the new tab will open, and idemeum will autofill credentials and TOTP.
Domain controller. Before we were only detecting Local workstation and Domain workstation.We now support integration with HaloPSA where technicians can request and manage just-in-time Entra ID admin accounts right from the PSA tickets. Simply navigate to a ticket, click on idemeum custom tab, get redirected to the exact customer tenant, and then you will be able to request JIT account and view the credentials. Idemeum will automatically disable the account after a specified period of time.
Nik Pot
We have now fully integrated our RFID Single Sign-On solution under the umbrella of MSP tenant management. Create a customer tenant and with a click of a button enable the RFID tap and go for customer workstations, web, and native Windows applications. If you have healthcare customers, you can now manage RFID Single Sign-On from your MSP portal.
You can now create customer tenants by uploading a CSV file. Moreover, for all your existing tenants you can download a CSV file with all installer PowerShell commands.
Nik Pot
When techs login into workstations with JIT accounts, there are multiple methods available - scan QR-code, or trigger mobile app notification. We introduced another option to login with one-time code. Enable this option in Settings, and you will be able to retrieve OTP code from mobile app and login into any customer workstation.
Nik Pot
For domain workstations we now offer an option to choose what account you want to log in as - domain admin account or local admin account. This feature is useful when you want to have certain workstations where domain admin account shall not be exposed. You can configure this setting for each customer tenant.
Nik Pot
You can now define the length of passwords that idemeum will be using for just-in-time accounts, LAPS credentials, and service accounts. Previously we were relying on 12-character random passwords. Now you can configure the length of passwords for each customer tenant.
Settings → PAM12, 16, or 24 characters
We are excited to share that our Endpoint Privilege Management solution goes live!
You can enforce least privilege on your Windows endpoints by removing local admin rights. Moreover, you can manage user elevation requests with idemeum mobile app without impacting user productivity.
You can try EPM with our quick-start guide.
We made changes to our admin portal to make sure it is easier to navigate.
Settings section. Right now Settings are grouped by the product category, so it is easier to set up idemeum exactly as you need. Right now settings are grouped into:Global - this is where you configure tenant-wide settings, including how technicians onboard, and how they authenticate to portalsDesktop agent - configure how desktop agent behavesRFID - configure RFID Single Sign-On featuresPAM - set up Just-in-time (JIT) accounts and LAPS
More information about settings below:
Nik PotWe also moved devices installation script to Devices section and made things simpler. You can now choose the OS of the workstation, grab the command, and execute it on workstation to install idemeum agent.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force;, so that there is no need to do this manually when executing the PowerShell script-restartAfterInstall 'false' we made sure that there is no pop up asking the user to restart the system.We are excited to share the release of our idemeum macOS desktop client. As part of the first release we offer a number of features:
For customers using Google Workspace connector to automatically onboard users with RFID badges, we made an enhancement that allows to remove / edit badge IDs for onboarded users. You can now navigate to Users → User management, find the user record, click on ... and choose Clear badge id.
Idemeum Windows Desktop Client now supports automatic RFID user onboarding with Google Workspace credentials. When users tap the badge, there is a pop up on Windows desktop to enter Google credentials. Upon successful authentication, user is onboarded and idemeum record is created in local cloud directory with an associated badge ID.
You can now control access to Windows workstations with Google Workspace Groups. When users tap the badge, idemeum will check what Google Groups the user belongs to, and based on configured access controls for the workstation, will allow access or not.
When JIT domain admin accounts are created, idemeum desktop client assigns them to Domain admins group by default. We have enhanced the capability to allow MSP admins to choose what groups to assign these domain admin accounts to. You can now configure groups to be assigned when JIT account is used to login to domain controller, and groups to be assigned when JIT account is used to login to any other domain workstation.
When the desktop client is installed on Windows workstation, we are installing idemeum credential provider. By default the link to choose idemeum credential provider had a name assigned idemeum passwordless user. We changed that link to display the idemeum tenant display name instead.
Idemeum desktop client now supports creating just-in-time domain admin accounts. First, you install idemeum desktop client on domain-controller, second you enable Domain admin accounts settings in the admin portal, and as a result, your technicians will be able to access customer workstation with on-demand domain admin accounts. Idemeum will maintain zero-standing privilege by automatically enabling / disabling these accounts and rotating passwords after every login.