Skip to main content


New updates and improvements to idemeum.


Admin portal updates

Settings refresh

We made changes to our admin portal to make sure it is easier to navigate.

  • We reorganized the Settings section. Right now Settings are grouped by the product category, so it is easier to set up idemeum exactly as you need. Right now settings are grouped into:
    • Global - this is where you configure tenant-wide settings, including how technicians onboard, and how they authenticate to portals
    • Desktop agent - configure how desktop agent behaves
    • RFID - configure RFID Single Sign-On features
    • PAM - set up Just-in-time (JIT) accounts and LAPS

More information about settings below:

Tenant cloud settings
High-level overview of idemeum admin portal settings.

Agent installation UI refresh

We also moved devices installation script to Devices section and made things simpler. You can now choose the OS of the workstation, grab the command, and execute it on workstation to install idemeum agent.


Cloud updates


  • Enhanced PowerShell installer command to include Set-ExecutionPolicy RemoteSigned -Scope Process -Force;, so that there is no need to do this manually when executing the PowerShell script

Windows 1.4.1

Windows Desktop Client 1.4.1


  • When using PowerShell silent installer and passing the -restartAfterInstall 'false' we made sure that there is no pop up asking the user to restart the system.
  • Changed default Windows configuration after desktop client installation to show last signed user, so that users do not have to type their username every time.


Cloud updates


  • Enhanced the Android OS attestation logic to make sure we properly assess the latest Samsung phones, as some models were not passing the checks.


Cloud updates

Bug fixes

  • Fixed the bug when after mobile recovery not all devices were available to the user. All device access is now recovered - devices that user created and devices that were shared with the user.

macOS 1.0.0

macOS Desktop Client 1.0.0

We are excited to share the release of our idemeum macOS desktop client. As part of the first release we offer a number of features:

  • Just-in-time local admin access to macOS workstation
  • Jus-in-time elevation for protected menus, sudo commands, and application installation
  • User login with idemeum cloud credentials of Passwordless MFA

Windows 1.4.0

Windows Desktop Client 1.4.0

Big fixes

  • Fixed the bug when the new RFID user is logged in with a shared local account when the domain shared account is configured. This condition only happened once during the new user enrollment period.


Cloud updates

Clear badge id for Google Workspace onboarded users

For customers using Google Workspace connector to automatically onboard users with RFID badges, we made an enhancement that allows to remove / edit badge IDs for onboarded users. You can now navigate to UsersUser management, find the user record, click on ... and choose Clear badge id.

Windows 1.3.9

Windows Desktop Client 1.3.9

Local account creation for Passwordless MFA with Azure AD

Windows desktop client now supports the use case where Passwordless MFA can be used with Azure AD as a user source. When user is onboarded with Passwordless MFA, and the QR-code is scanned at the local workstation, idemeum desktop client will automatically create local user.

Windows 1.3.8

Windows Desktop Client 1.3.8

RFID badge onboarding with Google Workspace

Idemeum Windows Desktop Client now supports automatic RFID user onboarding with Google Workspace credentials. When users tap the badge, there is a pop up on Windows desktop to enter Google credentials. Upon successful authentication, user is onboarded and idemeum record is created in local cloud directory with an associated badge ID.

RFID Access Control with Google Workspace Groups

You can now control access to Windows workstations with Google Workspace Groups. When users tap the badge, idemeum will check what Google Groups the user belongs to, and based on configured access controls for the workstation, will allow access or not.

Windows 1.3.7

Windows Desktop Client 1.3.7

Group assignment for JIT admin accounts

When JIT domain admin accounts are created, idemeum desktop client assigns them to Domain admins group by default. We have enhanced the capability to allow MSP admins to choose what groups to assign these domain admin accounts to. You can now configure groups to be assigned when JIT account is used to login to domain controller, and groups to be assigned when JIT account is used to login to any other domain workstation.

Windows 1.3.6

Windows Desktop Client 1.3.6

Tenant display name on the login screen

When the desktop client is installed on Windows workstation, we are installing idemeum credential provider. By default the link to choose idemeum credential provider had a name assigned idemeum passwordless user. We changed that link to display the idemeum tenant display name instead.

Windows 1.3.5

Windows Desktop Client 1.3.5


  • During the silent installation idemeum desktop client was creating an MSA account on domain controller. In case the MSA object is not available, idemeum desktop client will now fall back to creating a standard account instead of failing installation.
  • When the desktop client silent installation fails, idemeum desktop client now ensures that desktop record is removed from idemeum cloud.
  • Ensure LAPS configuration is retrieved and LAPS account details are updated during the manual settings update.

Windows 1.3.4

Windows Desktop Client 1.3.4

Bug fixes

  • Fixed bugs during user enrollment flow when shared account is assigned,

Windows 1.3.3

Windows Desktop Client 1.3.3

Bug fixes

  • Fixes for silent desktop client installation

Windows 1.3.2

Windows Desktop Client 1.3.2

JIT domain admin accounts

Idemeum desktop client now supports creating just-in-time domain admin accounts. First, you install idemeum desktop client on domain-controller, second you enable Domain admin accounts settings in the admin portal, and as a result, your technicians will be able to access customer workstation with on-demand domain admin accounts. Idemeum will maintain zero-standing privilege by automatically enabling / disabling these accounts and rotating passwords after every login.

Windows 1.3.1

Windows Desktop Client 1.3.1

Auto submit for native applications

Idemeum RFID Single Sign-On supports login into Windows workstations, web applications, and native desktop applications. With the enhancement when native desktop application is configured, idemeum will automatically submit credentials when they are auto-filled for native application.

Windows 1.3.0

Windows Desktop Client 1.3.0

Improvements and bug fixes

  • Improved QR-code refresh interval to make sure it does not break when the machine time is out of sync
  • Link added at the desktop client installation page to upload logs to the cloud
  • Fixed the bug when the user was prompted to password several times when Password Prompt Once Per Day feature was enabled


Cloud updates

JIT accounts improvements

  • JIT accounts for Entra ID configuration now supports listing available roles. When you configure Entra ID integration, you can now leverage role drop down and choose what roles to assign to provisioned just-in-time Entra ID accounts.


Cloud updates

Improvements and bug fixes

  • Remove location coordinate fetching from the portal to speed up login process
  • During the mobile recovery process, the user record is now removed from a customer tenant
  • RADIUS authentication now supports username as email



We have released a new version of our Cloud RADIUS service. You can now protect Wi-Fi and VPN access without managing any servers. Idemeum Cloud RADIUS supports modern TLS protocols, and allows user authentication with cloud credentials or Passwordless MFA. 

Reach out to us in the Discord chat.


Cloud updates

Admin and user portal improvements

  • Provide information dialog when sensitive data is updated related to desktop settings
  • Do not allow to update domain name if managed application is already configured

Improvements and bug fixes

  • Add tenant alias for idemeum tenants
  • Add force login for authorizing idemeum app
  • Add tags and alarm for OIDC user cleanup queue
  • Add admin user details as part of OIDC configuration
  • Fixes related to updating technician local user
  • Azure credentials restrict to managed domains only

February 11, 2024

Idemeum cloud

  • IDEM-3642: Do not populate username when the OIDC credentials expired
  • IDEM-3604: Add message group id for user clean up FIFO queue

Admin and cloud portals

  • IDEM-3612: Create admin managed app with OIDC credentials
  • IDEM-3622: UI - Admin Managed password app : OIDC credentials Request Access

Windows 1.2.9

Windows Desktop Client 1.2.9

Named JIT admin accounts

Every cyber security framework requires admin access to be performed with individual admin accounts. Up until now idemeum only supported shared account login. Right now idemeum will automatically create unique / named admin account for each MSP technician, will use that account for workstation login, will enable / disable this account when not in use, and will automatically rotate passwords for these accounts.

February 9, 2024

Idemeum Cloud

  • IDEM-3618: On username change for a local user, ensure offline secret is cleared
  • IDEM-3644: Filter off boarded user before sending sign-in challenge via email
  • IDEM-3627: Present azure authorize scope for privileged user to admin app authorize flow only
  • IDEM-3642: Do not return the credentials for expired OIDC account
  • IDEM-3640 : Add audit events for OIDC user account access and disable
  • IDEM-3604 : Background job to disable OIDC user account

February 6, 2024

Idemeum cloud

  • IDEM-3636: Fix local user disable action for user who was onboarded with badge
  • IDEM-3611: Implement OIDC privileged user for Entra ID
  • IDEM-3633: Fix share / un-share of desktop entitlements functionality
  • IDEM-3605: Enhance existing authorize polling API to return the OIDC tokens
  • IDEM-3629: Audit changes for desktop login
  • IDEM-3635: Remove user claims for all customers on update of technician user in MSP tenant
  • IDEM-3632: Enable named account login by default for new customer tenants
  • IDEM-3631: Fix active user count during off boarding
  • IDEM-3620: Public API to download Apple WiFi profile for RADIUS
  • IDEM-3626: Support admin roles for OIDC credentials
  • IDEM-3603: Create user account in target user source configured in admin managed app
  • IDEM-3599: Add new credential type OIDC support for admin managed password app

Admin and user portals

  • IDEM-3637: Provide select all option for actors in the audit section
  • IDEM-3638: Only show Login as MSP technician to MSP tenants
  • IDEM-3639: Desktop MFA settings: hide desktop installer section
  • IDEM-3641: Modify TEMP path to support 8dot3names
  • IDEM-3628: UI - Show username field for MSP tenant
  • IDEM-3634: Devices: Use fixed role for sharing
  • IDEM-3613: Fix: Icon alignment when text is large
  • IDEM-3601: Settings: Hide Secure remote access

February 3, 2024

Idemeum cloud

  • IDEM-3617: Entitlement response changes with regards to named accounts
  • IDEM-3616: Configuration settings to enable various RADIUS auth flows
  • IDEM-3615: RADIUS application to support auth mode for auth requests
  • IDEM-3619: Show RADIUS app only for MSP and MSP customer tenants
  • IDEM-3596: Enhance SigninStart API to consider email request type
  • IDEM-3597: Fix bug related to Azure AD serialization

Admin and user portals

  • IDEM-3625: Fix the bug of allowing to promote badge user to admin
  • IDEM-3614: Add credentials auth mode for RADIUS
  • IDEM-3613: Hide shared account configuration when login as MSP named account flag is set to true
  • IDEM-3593: Add settings to enable login with named accounts for MSPs
  • IDEM-3592: Portal - show status “MSP technician” for the tenant
  • IDEM-3488: Bug: Re-fetch the user source config if failed to update existing config

January 31, 2024

RFID Single Sign On

Application automation

Released a new feature that allows to automatically launch an application once the users signs in into a Windows desktop with an RFID badge. We support launching any type of application - web, native, RDP clients, etc.

Application automation
idemeum offers a feature to automatically launch an application once the user signs into the workstation with an RFID badge. You can launch any application, including RDP shortcuts, browsers, native applications, etc.

January 30, 2024

Windows Desktop Client 1.2.8

Bug fixes

  • Introduce ability to put the tap over on the lock screen behind the feature flag for RFID mode. For some customers that are using keystroke rfIDEAS readers, this feature was conflicting with the keystroke output.
  • Fix the bug of automatic switch over to native credential provider when keystroke RFID readers are used
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

January 15, 2024

Cloud portals

New devices tab

We have now moved the device management plane to the admin portal. You can now manage all desktop clients, assign shared accounts, configure sharing options and other functions right from the admin portal. Navigate to your tenant admin portal and access Devices tab on the left.

Computer name change

Desktop client now supports updating the computer name in the admin portal. Once you change the Windows computer name on the workstation, and restart the system, computer name will be updated in the cloud.

Lock and log off audit events

For RFID mode idemeum now supports audit events for locking the screen and logging off. When the user taps the badge to lock the screen or log out, the event will be captured in the audit trail, along with the username and computer name.

Windows Desktop Client 1.2.7

Non TPM-based password login

Before version 1.2.7 we only supported virtual smart cards when logging the users into domain workstations with RFID badge or mobile device. This required us to leverage TPM module on Windows workstations. We have now moved to supporting username / password for logging the user in instead of virtual smart card. For example, when user first taps the badge, we request the user to provide domain credentials, then these credentials are captured and encrypted with a master key, and then user to log the user into any domain workstation. When password changes, idemeum automatically will request the user to enter new credentials. This way we no longer require the TPM module to be used with idemeum client. Credentials mode is enabled by default. In case you still require TPM based / smart card login, you can request our team to configure this for your tenant.

Managed Engine desktop client installation

We certified and documented the way to roll out idemeum desktop client with Endpoint Central / Managed Engine.

Desktop client Managed Engine installation
This guide describes how to deploy idemeum desktop client to a fleet of Windows workstations with Endpoint Central.

Tap out on lock screen

We now automatically switch user on the lock screen when RFID badge is used. User A logs into the workstation. User A locks the screen. idemeum automatically switches the user when preserving the session for User A. User B taps the badge and can successfully log in. Before this feature, User B would get the message that another user has locked the screen.

Automatic creation of shared account for RFID mode

When shared account is assigned to a workstation in RFID mode, idemeum will automatically create this account if it is not present on the system. Before this feature we required administrators to create these accounts before assigning them.

Error message for shared account not assigned for local workstation

To support local Windows workstations in RFID mode, we require admins to assign a shared account to that workstation. When the account is not assigned, we now properly show the error message informing admins and users of what needs to be done.

Error logs are fixed

Fixed the bug where duplicate logs files were created on the Windows workstation.