With the default installation of Windows client we no longer require restart. Once the installation is complete, the sign out is required to load the idemeum credential provider.
Enhanced offline detection, especially for virtual environments
When idemeum desktop client is installed we are leveraging Advanced Installer, and the installation PowerShell scripts are no longer run from the temp folder. Instead, these scripts are executed as part of silent installation process by idemeum app. This enhancement makes it easier to use idemeum with security tools such as ThreatLocker.
Windows Desktop Client 1.5.6
Fix for RDS applications launch when idemeum desktop client is installed
On the login screen in JIT mode we no longer show MSP admin accounts for local workstations
Support to consider remote domain name for domain-joined workstation when RFID Single Sign-On is used
For technician mode the issue of QR-code timing out after 3 seconds is fixed
Enhanced how accounts are synced for Account Discovery (not pushing built-in and idemeum managed accounts)
macOS desktop client 1.0.5
Account discovery and management support
Fixed lock screen issue where the screen was turning black after sleep
Support added to work with default security agent like Xcreds
Windows Desktop Client 1.5.5
Support for privileged account management discovery
Support the use case when the workstation type is changed from local to domain-joined after the idemeum desktop client installation
Domain controller check optimized & managed users having passwordnotrequired property set as false
Major August Release
We are excited to announce the release of several new features that we have been working on for the last several weeks.
LAPS for Entra ID accounts
You can now secure Entra ID emergency accounts - automatically create up to two break-glass accounts for any customer Entra ID tenant, upload credentials to zero-knowledge password vault, rotate passwords automatically every 24 hours. Idemeum now offers unified LAPS - for computer accounts as well as Entra ID accounts.
Group-based LAPS access control
You can now control who has access to emergency LAPS credentials. Create groups in your MSP tenant, assign technicians to various groups, and then decide which groups of techs can view Entra ID or computer LAPS credentials.
Role-based JIT Entra ID accounts
You can now configure what roles are assigned to technicians when they request Entra ID accounts. For instance, Techs Level 1 will get Global admin role, whereas Techs Level 2 will get User admin role. Simply create groups in your MSP tenant and leverage these groups when configuring Entra JIT accounts.
Read-only admin role for technicians
There are several ways you can allow your technicians to access customer tenants - you can make a technician a Global admin to access all customer tenants, or delegate admin access to only specific customer tenants. We are now introducing a Read-only administrator role so that technician can access the customer tenant, view the settings, but not make any configurations or changes.
MSP portal enhancements
We enhanced our MSP portal navigation. Now you can see how many technicians have access to each customer tenant as well as the role that each technician was assigned.
macOS desktop client 1.0.4
Enhanced MSP logins irrespective of secure token status
Enhanced notification to perform operations in the background i.e., when user session is not established
macOS desktop client 1.0.3
Added listener to perform auto-upgrade from the cloud dashboard
Enhanced LAPS account password policy to support password length
Elevation support for additional menus (Fingerprint, Profile Add/Remove, Passwords)
Windows Desktop Client 1.5.4
Introduced the elevation control for admin users logged into the workstation. When admin user needs to perform privileged action, idemeum will also intercept UAC in rules mode and will prompt the user to request execution. Check the updated Windows behavior for EPM below.
Enhanced notification service to auto restart when stopped due to unforeseen cases
macOS desktop client 1.0.2
Support for LAPS account creation and password rotation
Endpoint Privilege Management for macOS
We are excited to announce that idemeum now supports Endpoint Privilege Management / Elevation Control for macOS workstations.
You can now remove local admin rights on macOS computers, manage user elevation requests with mobile app, and create rules for what software is allowed to execute with admin privileges.
Not only do we provide parity with our Windows offering, but we implemented integration with Apple Endpoint Security API, so that our offering meets modern security standards.
File, publisher, and certificate rules for elevation
and more...
Windows Desktop Agent 1.5.3
Enhanced clearing of password field during negative scenarios for RFID Single Sign-On
Using correct domain during RDP login when Prompt to choose is enabled for a Tenant under PAM settings
RFID Single Sign-On for Entra ID workstations
We now support RFID Single Sign-On for Entra ID joined workstations. Idemeum offers seamless experience for users to enroll their badges with Entra credentials and access any shared workstation with a badge tap.
Check our quick start guide below to see how you can configure RFID SSO for Entra ID computers.
Windows Desktop Client 1.5.2
RFID Single Sign-On for Entra ID joined workstations
Optimized elevated user creation to avoid multiple profile creation
Modified display messages by removing idemeum context, to keep it aligned with the organization policies
Power button display on logon screen will be based on whether branding is enabled or not
Cloud desktop agent update
You can trigger desktop agent update from the idemeum admin dashboard. By navigating to Devices and then selecting the device you want to update, you can send a notification to idemeum agent to perform automatic update.
Check our documentation page to see how cloud update works.
Windows Desktop Agent 1.5.1
Removed idemeum branding icon from the Windows login screen
Improved utilization of resources by loading QR-code once. On expiry added a link to re-generate the QR-code
Windows Desktop Agent 1.5.0
Enhanced password change detection for desktop client in RFID mode - when desktop agent is installed on local machine with domain line of sight, we can now also verify if password changed at each login, and the user will be prompted to enter new credentials.
Password length mismatch error message - when the desktop agent is installed on domain controller, and we try to generate service account password, we can now show the proper message that password generated by idemeum does not meet the DC policy requirements. Admin can go and change the password length to the required option in admin portal.
RFID autofill state management - when autofilling user credentials into Windows native applications in the RFID login mode, idemeum desktop agent can now effectively manage autofill state even when users login with native credential provider.
Desktop icon removal - when idemeum Windows desktop agent is installed, we no longer create a desktop shortcut.
JIT Entra ID accounts
Entra ID account TOTP support
When technicians request JIT Entra ID accounts, idemeum will automatically create Entra ID account with username and password. You can now also save MFA TOTP secret in idemeum for your Entra ID JIT account, so that techs access customer Entra tenants with MFA.
When account is requested from the admin portal, click on ... and choose Configure TOTP key
You can now add and save your TOTP key for this account
Extension auto fill
Extension now supports autofill of credentials and TOTP for JIT Entra accounts. Once you request the account, you can click on the application icon, the new tab will open, and idemeum will autofill credentials and TOTP.
Admin portal UI
In the devices section we now show the identified for Domain controller. Before we were only detecting Local workstation and Domain workstation.
Added the capability to search through groups when assigning a group restriction for shared accounts.
HaloPSA and idemeum JIT integration
We now support integration with HaloPSA where technicians can request and manage just-in-time Entra ID admin accounts right from the PSA tickets. Simply navigate to a ticket, click on idemeum custom tab, get redirected to the exact customer tenant, and then you will be able to request JIT account and view the credentials. Idemeum will automatically disable the account after a specified period of time.
MSP portal and RFID Single Sign-On
We have now fully integrated our RFID Single Sign-On solution under the umbrella of MSP tenant management. Create a customer tenant and with a click of a button enable the RFID tap and go for customer workstations, web, and native Windows applications. If you have healthcare customers, you can now manage RFID Single Sign-On from your MSP portal.
Windows Desktop Agent 1.4.9
Enhanced support for OTP login when workstation is in shared account mode
Windows Desktop Agent 1.4.8
Enhanced the silent installation script:
Added the property to avoid restart when C++ prerequisites are installed
When the desktop client installs but the pairing with the cloud is not successful, you can now re-run the script to fix the agent state. The script will check if the client is installed but no paired, will uninstall the client and will the retry installation.
Tenant creation with CSV files
You can now create customer tenants by uploading a CSV file. Moreover, for all your existing tenants you can download a CSV file with all installer PowerShell commands.
Technician login with OTP
When techs login into workstations with JIT accounts, there are multiple methods available - scan QR-code, or trigger mobile app notification. We introduced another option to login with one-time code. Enable this option in Settings, and you will be able to retrieve OTP code from mobile app and login into any customer workstation.
Selective account login
For domain workstations we now offer an option to choose what account you want to log in as - domain admin account or local admin account. This feature is useful when you want to have certain workstations where domain admin account shall not be exposed. You can configure this setting for each customer tenant.
Configurable password length
You can now define the length of passwords that idemeum will be using for just-in-time accounts, LAPS credentials, and service accounts. Previously we were relying on 12-character random passwords. Now you can configure the length of passwords for each customer tenant.
Navigate to your customer tenant
Access Settings → PAM
Choose password length from the dropdown - 12, 16, or 24 characters
You can enforce least privilege on your Windows endpoints by removing local admin rights. Moreover, you can manage user elevation requests with idemeum mobile app without impacting user productivity.
Capture all elevation events across Windows endpoints
Manage user requests with mobile app or web portal
Create elevation rules (file attributes, publisher, or certificate attributes)
Automatically create rules from idemeum mobile app
We made changes to our admin portal to make sure it is easier to navigate.
We reorganized the Settings section. Right now Settings are grouped by the product category, so it is easier to set up idemeum exactly as you need. Right now settings are grouped into:
Global - this is where you configure tenant-wide settings, including how technicians onboard, and how they authenticate to portals
Desktop agent - configure how desktop agent behaves
RFID - configure RFID Single Sign-On features
PAM - set up Just-in-time (JIT) accounts and LAPS
More information about settings below:
Agent installation UI refresh
We also moved devices installation script to Devices section and made things simpler. You can now choose the OS of the workstation, grab the command, and execute it on workstation to install idemeum agent.
Silent installation enhancement
Enhanced PowerShell installer command to include Set-ExecutionPolicy RemoteSigned -Scope Process -Force;, so that there is no need to do this manually when executing the PowerShell script
Windows Desktop Client 1.4.1
When using PowerShell silent installer and passing the -restartAfterInstall 'false' we made sure that there is no pop up asking the user to restart the system.
Changed default Windows configuration after desktop client installation to show last signed user, so that users do not have to type their username every time.
Security enhancements
Enhanced the Android OS attestation logic to make sure we properly assess the latest Samsung phones, as some models were not passing the checks.
Bug fixes
Fixed the bug when after mobile recovery not all devices were available to the user. All device access is now recovered - devices that user created and devices that were shared with the user.
MacOS Desktop Client 1.0.0
We are excited to share the release of our idemeum macOS desktop client. As part of the first release we offer a number of features:
Just-in-time local admin access to macOS workstation
Jus-in-time elevation for protected menus, sudo commands, and application installation
User login with idemeum cloud credentials of Passwordless MFA
Windows Desktop Client 1.4.0
Fixed the bug when the new RFID user is logged in with a shared local account when the domain shared account is configured. This condition only happened once during the new user enrollment period.
Clear badge id for Google Workspace onboarded users
For customers using Google Workspace connector to automatically onboard users with RFID badges, we made an enhancement that allows to remove / edit badge IDs for onboarded users. You can now navigate to Users → User management, find the user record, click on ... and choose Clear badge id.
Windows Desktop Client 1.3.9
Windows desktop client now supports the use case where Passwordless MFA can be used with Azure AD as a user source. When user is onboarded with Passwordless MFA, and the QR-code is scanned at the local workstation, idemeum desktop client will automatically create local user.