Skip to main content


Unified Privilege and Identity Management for MSPs

February 20, 2024

Idemeum cloud

  • IDEM-3660: Add REST API to list domains and role definitions for Elevated Access to Entra ID
  • IDEM-3667: API to upload desktop client logs to S3
  • IDEM-3674: Add expiry in seconds to challege API response
  • IDEM-3671 : OIDC privileged user to use username from directory

February 16, 2024

Idemeum cloud

  • IDEM-3658: Change Service layer method of finding user by corp email to consider filtering off boarding user
  • IDEM-3586: Remove fetching location co-ordinates
  • IDEM-3653: MSP technician recovery should move the user to off-boarded state in customer tenant
  • IDEM-3655: Onboarding user should clear the user source type
  • IDEM-3673: Support Radius Auth to accept username as email



We have released a new version of our Cloud RADIUS service. You can now protect Wi-Fi and VPN access without managing any servers. Idemeum Cloud RADIUS supports modern TLS protocols, and allows user authentication with cloud credentials or Passwordless MFA. 

Quick demo video

Documentation portal

We have updated the documentation section for idemeum Cloud RADIUS.

Fully-managed cloud-hosted RADIUS infrastructure for Wi-Fi and VPN user authentication. Supports credentials, MFA, and certificates.

Certified integrations

We have tested and certified integrations, including Ubiquiti and Meraki. We will keep adding more integrations in our integrations portal.

Cloud RADIUS Integrations - idemeum documentation
idemeum is a single place to manage access to applications, desktops, and infrastructure without passwords. Leverage RFID badges or Passwordless MFA.


Reach out to us in the Discord chat.

February 12, 2024

Idemeum cloud

  • IDEM-3658: Add tenant alias for idemeum tenants
  • IDEM-2108: Add force login for authorizing idemeum app
  • IDEM-3652: Add tags and alarm for OIDC user cleanup queue
  • IDEM-3649: Add admin user details as part of OIDC configuration
  • IDEM-3645: Fixes related to updating technician local user
  • IDEM-3648: Azure credentials restrict to managed domains only

 Admin and user portals

  • IDEM-3646: Settings: Provide information dialog when sensitive data being updated related to desktop settings
  • IDEM-3647: Portals: Remove last good hash folder
  • IDEM-3650: Do not allow to update domain name if managed app already configured
  • IDEM-3650: Update message when request access for managed app
  • IDEM-3647: Portals: Remove last good hash folder

February 11, 2024

Idemeum cloud

  • IDEM-3642: Do not populate username when the OIDC credentials expired
  • IDEM-3604: Add message group id for user clean up FIFO queue

Admin and cloud portals

  • IDEM-3612: Create admin managed app with OIDC credentials
  • IDEM-3622: UI - Admin Managed password app : OIDC credentials Request Access

February 9, 2024

Idemeum Cloud

  • IDEM-3618: On username change for a local user, ensure offline secret is cleared
  • IDEM-3644: Filter off boarded user before sending sign-in challenge via email
  • IDEM-3627: Present azure authorize scope for privileged user to admin app authorize flow only
  • IDEM-3642: Do not return the credentials for expired OIDC account
  • IDEM-3640 : Add audit events for OIDC user account access and disable
  • IDEM-3604 : Background job to disable OIDC user account

February 6, 2024

Idemeum cloud

  • IDEM-3636: Fix local user disable action for user who was onboarded with badge
  • IDEM-3611: Implement OIDC privileged user for Entra ID
  • IDEM-3633: Fix share / un-share of desktop entitlements functionality
  • IDEM-3605: Enhance existing authorize polling API to return the OIDC tokens
  • IDEM-3629: Audit changes for desktop login
  • IDEM-3635: Remove user claims for all customers on update of technician user in MSP tenant
  • IDEM-3632: Enable named account login by default for new customer tenants
  • IDEM-3631: Fix active user count during off boarding
  • IDEM-3620: Public API to download Apple WiFi profile for RADIUS
  • IDEM-3626: Support admin roles for OIDC credentials
  • IDEM-3603: Create user account in target user source configured in admin managed app
  • IDEM-3599: Add new credential type OIDC support for admin managed password app

Admin and user portals

  • IDEM-3637: Provide select all option for actors in the audit section
  • IDEM-3638: Only show Login as MSP technician to MSP tenants
  • IDEM-3639: Desktop MFA settings: hide desktop installer section
  • IDEM-3641: Modify TEMP path to support 8dot3names
  • IDEM-3628: UI - Show username field for MSP tenant
  • IDEM-3634: Devices: Use fixed role for sharing
  • IDEM-3613: Fix: Icon alignment when text is large
  • IDEM-3601: Settings: Hide Secure remote access

February 3, 2024

Idemeum cloud

  • IDEM-3617: Entitlement response changes with regards to named accounts
  • IDEM-3616: Configuration settings to enable various RADIUS auth flows
  • IDEM-3615: RADIUS application to support auth mode for auth requests
  • IDEM-3619: Show RADIUS app only for MSP and MSP customer tenants
  • IDEM-3596: Enhance SigninStart API to consider email request type
  • IDEM-3597: Fix bug related to Azure AD serialization

Admin and user portals

  • IDEM-3625: Fix the bug of allowing to promote badge user to admin
  • IDEM-3614: Add credentials auth mode for RADIUS
  • IDEM-3613: Hide shared account configuration when login as MSP named account flag is set to true
  • IDEM-3593: Add settings to enable login with named accounts for MSPs
  • IDEM-3592: Portal - show status “MSP technician” for the tenant
  • IDEM-3488: Bug: Re-fetch the user source config if failed to update existing config

January 31, 2024

RFID Single Sign On

Application automation

Released a new feature that allows to automatically launch an application once the users signs in into a Windows desktop with an RFID badge. We support launching any type of application - web, native, RDP clients, etc.

Application automation
idemeum offers a feature to automatically launch an application once the user signs into the workstation with an RFID badge. You can launch any application, including RDP shortcuts, browsers, native applications, etc.

January 30, 2024

Windows Desktop Client 1.2.8

Bug fixes

  • Introduce ability to put the tap over on the lock screen behind the feature flag for RFID mode. For some customers that are using keystroke rfIDEAS readers, this feature was conflicting with the keystroke output.
  • Fix the bug of automatic switch over to native credential provider when keystroke RFID readers are used
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

January 15, 2024

Cloud portals

New devices tab

We have now moved the device management plane to the admin portal. You can now manage all desktop clients, assign shared accounts, configure sharing options and other functions right from the admin portal. Navigate to your tenant admin portal and access Devices tab on the left.

Computer name change

Desktop client now supports updating the computer name in the admin portal. Once you change the Windows computer name on the workstation, and restart the system, computer name will be updated in the cloud.

Lock and log off audit events

For RFID mode idemeum now supports audit events for locking the screen and logging off. When the user taps the badge to lock the screen or log out, the event will be captured in the audit trail, along with the username and computer name.

Windows Desktop Client 1.2.7

Non TPM-based password login

Before version 1.2.7 we only supported virtual smart cards when logging the users into domain workstations with RFID badge or mobile device. This required us to leverage TPM module on Windows workstations. We have now moved to supporting username / password for logging the user in instead of virtual smart card. For example, when user first taps the badge, we request the user to provide domain credentials, then these credentials are captured and encrypted with a master key, and then user to log the user into any domain workstation. When password changes, idemeum automatically will request the user to enter new credentials. This way we no longer require the TPM module to be used with idemeum client. Credentials mode is enabled by default. In case you still require TPM based / smart card login, you can request our team to configure this for your tenant.

Managed Engine desktop client installation

We certified and documented the way to roll out idemeum desktop client with Endpoint Central / Managed Engine.

Desktop client Managed Engine installation
This guide describes how to deploy idemeum desktop client to a fleet of Windows workstations with Endpoint Central.

Tap out on lock screen

We now automatically switch user on the lock screen when RFID badge is used. User A logs into the workstation. User A locks the screen. idemeum automatically switches the user when preserving the session for User A. User B taps the badge and can successfully log in. Before this feature, User B would get the message that another user has locked the screen.

Automatic creation of shared account for RFID mode

When shared account is assigned to a workstation in RFID mode, idemeum will automatically create this account if it is not present on the system. Before this feature we required administrators to create these accounts before assigning them.

Error message for shared account not assigned for local workstation

To support local Windows workstations in RFID mode, we require admins to assign a shared account to that workstation. When the account is not assigned, we now properly show the error message informing admins and users of what needs to be done.

Error logs are fixed

Fixed the bug where duplicate logs files were created on the Windows workstation.

January 3, 2024

December 27, 2023

Elevated access to computers

Automatic admin account creation

In the previous model we needed you to create local admin accounts manually, and then when the desktop client was installed, you were required to specify a local admin account for each workstation.

Now we automatically create shared local admin accounts when technicians access customer workstations. What is more, we automatically disable them, and rotate passwords when technicians log out. This way we reduce the attack surface and only enable local admin accounts when necessary.

To make this new model possible, we have released the new desktop client, updated our cloud service, and released new iOS and Android mobile applications. Please make sure you update to the latest software to try new features.

Updated quick-start guide

Quick-start for MSPs - Passwordless Elevated Access for MSPs
In this guide we will set up Passwordless Elevated Access for MSPs. Technicians can access any customer workstation or elevate with admin account without passwords.

Assign domain shared account for elevated access

While we automatically create, enable, and disable local admin accounts, we have heard from you that sometimes it might be beneficial to leverage existing domain accounts for elevated access (for domain-joined workstations).

For this purpose we allow to override the automatic local admin account creating with domain account of your choosing. For example, if I have domain-joined Windows workstation, and I want my technicians to login into this workstation with existing domain account, I can configure that.

Passwordless MFA

Ability to disable native Windows login

We now allow you to disable native Windows login with username / password so that idemeum login is enforced. For example, if you set up idemeum Passwordless MFA for local workstations, you can now disable the native login so that login with mobile device is enforced.

Windows Desktop Client 1.2.5

  • Support for automatic account creation for elevated access
  • Ability to automatically enable and disable local admin shared accounts
  • Ability to manually assign shared domain admin account for elevated access
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

December 20, 2023

December 19, 2023

Windows Desktop Client 1.2.3

Bug fixes

  • Keystroke reader auto submit on sign-in screen before process complete is fixed
  • Effective utilization of system resources wrt reader polling when display is off/when system in sleep
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

December 12, 2023

Windows Desktop Client 1.2.2

Bug fixes

  • Fixed username / password login screen related to auto logon feature
  • Fixed offline access issues for users and technicians

New features

  • Support for elevated technician access from lock screen
  • Support for certificate distribution to desktop client
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

December 4, 2023

Cloud portals

Send credentials over email

We introduced the option to automatically send the username and password to new user over email. This is optional feature, and it is disabled by default. When the new user is created, and the password and username are specified, you can choose to send the credentials to user's email address.

November 26, 2023

Windows Desktop Client 1.2.1

New features

  • Local account takeover for MSP elevated access to workstations
  • Support for desktop username password login using our cloud directory (local and domain workstations)
  • Support for Passwordless MFA desktop login (local and domain workstations)
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

November 15, 2023

Windows Desktop Client 1.2.0

New features

  • RFID: Autofill domain credentials in RDP and native app clients
  • RFID: User Enrollment supported from local workstation by validating domain credentials connecting to remote domain
  • RFID: Local workstation - support to login to local shared account
  • Master encryption key is made mandatory during install / upgrade
  • Advanced settings added to enable/disable credential provider and autofill features
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

November 6, 2023

Bug fixes

  • Handle auto recovery request after recovery prompt
  • Add SSM parameters for UI deployment to store hashes
  • Transition the auto recovery status for admin controlled recovery
  • Fixed the NPE in the google hrms adapter
  • Initiate Auto Recovery when user is already onboarded
  • Support Reserved custom attributes in HRMS
  • Evict user claims cache on update of Local user
  • Bulk update API for autofill settings

October 27, 2023

New features

  • Support google workspace for RFID badge onboarding. Now you can connect Google Workspace and onboard users by looking up a RFID badge ID in your Google directory.


  • Optimize user desktop entitlement evaluation logic

October 24, 2023


  • Bug: Entitled Apps API not setting shared
  • Publish entitlement request when user onboarded via badge
  • use webauthn4j-core 0.13.0.RELEASE
  • MSP customer tests to validate desktop entitlements
  • Upgrade bouncy castle lib to jdk 1.8

October 23, 2023

New features

  • Support to configure autolaunch app on startup. Now when you login into desktop with RFID badge, idemeum client can automatically launch desired application.
  • Add built-in groups for customer MSP tenants


  • Entitlement evaluation service fixes for desktop
  • Part2 suppress CVE for tomcat-embed-core lib
  • Publish entitlement request message on desktop changes
  • Implement onUserChange onUserDelete and onDesktopChange for
  • Fixed tenant user item concurrent update issue
  • Represent customer as web app in user entitlements
  • upgrade jackson-databind to 2.15.3
  • fixed org.json vulnerability
  • upgrade tomcat to 9.0.82 to fix CVE-2023-42794
  • Bug: TenantNameId cache isn't getting cleared on Tenant deletion
  • Fixed NPE when signing in to expired tenant
  • MSP user status change in customer tenant should trigger entitlement evaluation
  • Add All Admin group during Desktop app creation wrt knob settings
  • Handle the case where the signin has expired
  • Validate the inputs for the user auto-enroll REST API and throw proper error
    IDEM-3322: Entitlements response to return shared account configured state

October 3, 2023

New features

  • Ability to assign a service account information to multiple workstations. We built a new bulk edit capability for assigning a service account to a set of workstations.
  • Ability to assign a local or domain service account to a workstation. Domain account is assigned as a logon name, and local service account is assigned as a logon name and password.

You can learn more about shared account configuration in our documentation portal.

September 22, 2023

New features

  • Return DC name if configured when request to enroll
  • Return master keys as part of customer by id api
  • Enhance userroleassigner api for customer
  • Added the audit event entries for admin managed password apps


  • Fixed an issue where entitlements fetch reporting duplicate key
  • If cannot find the stack name, then do not throw an exception
  • Fix swagger docs
  • Fix Schema name typo for DesktopLoginAppSharedAccountMedia

September 15, 2023

Windows Desktop Client 1.1.9

New features

  • Enhancement for how offline mode functions for a workstation where a service account is assigned. When the workstation is offline, idemeum desktop client will prompt for credentials. Once user enters personal credentials idemeum desktop application will still log the user into workstation with a service account.
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

September 13, 2023

New features

  • Added a devops API to trigger entitlement calculation on demand
  • Tenant master key share with users API
  • Add MSP elevated access enabled state to settings response
  • Clear encrypted dek of master key for admin controlled recovery
  • Clear encrypted dek of master key during recovery complete
  • Remove server side encryption and have a domain model support
  • Rest api to get encrypted master keys
  • Added rest api to add tenant master key
  • Added the autofill attributes to the admin managed apps entitlements
  • Added the autofill attributes for admin managed apps
  • Add support for All admins built-in group


  • Prevent the deletion of the built in group
  • Return local admin account credentials as part of Lookup
  • Update role assigner api to save encrypted DEK of master key
  • Remove radius references from app management yaml file

September 8, 2023


  • Filter out Radius applications if feature is not enabled
  • Associate AppId to the session token and remove implicit old token
  • Added an API to search entitlements by the windows identifier id
  • Rest API for user source connector metadata crud
  • Exposed mspElevatedAccessEnabled flag in user info
  • Added an api to get the user's credentials
  • Provide an API to save rotated credentials for local admin accounts
  • Enhance desktop entitlement fetch API to return
  • Return DC name if configured as part of RFID lookup API
  • Enhance the existing Shared Account Configuration
  • Support to configure Domain controller name
  • Move hrm-rest api to rest module
  • Add another attribute to the managed pass app to save native windows app id
  • Enhance user token API to return user session
  • Group edit functionality is broken when custom attribute is no longer exists
  • Remove the check for feature flags as all of them are enabled
  • Clean up the previous entitlement api call for admin managed password apps
  • Fixed typo in schema name
  • Enhance existing API to search only entitlements for the app types
  • Rename built in all users group
  • Added a feature flag for desktop native autofill
  • Rename all users group
  • Fix TenantSettings save RFID properties
  • Remove the /promote API
  • Apply default flags for Desktop on Tenant creation
  • Enhanced customer resource to honor the mspElevatedAccess

September 4, 2023

Browser Extension - 2.9.4


  • In case of admin managed app, if a browser tab is open for more than expiry of the token, token isn't refreshed
Download idemeum software
Desktop client iOS mobile application Android mobile application Safari browser extension Chrome browser extension

September 1, 2023

New features

  • Do not display the edit and delete actions in the group list for All Users group
  • Filter out the All Users group that is manually added to the groups listed to the security policy
  • If only one user (the admin) is onboarded allow the changing of the user source
  • Provide chips of non existing groups


  • upgrade tslib from 2.5.0 to 2.5.3
  • upgrade ng-apexcharts from 1.7.4 to 1.7.6
  • upgrade ua-parser-js from 1.0.33 to 1.0.35
  • upgrade apexcharts from 3.37.3 to 3.41.0
  • upgrade tslib from 2.5.0 to 2.5.3
  • Username not visible for admin managed apps