New updates and improvements to idemeum
You can now define the length of passwords that idemeum will be using for just-in-time accounts, LAPS credentials, and service accounts. Previously we were relying on 12-character random passwords. Now you can configure the length of passwords for each customer tenant.
Settings → PAM12, 16, or 24 characters
We are excited to share that our Endpoint Privilege Management solution goes live!
You can enforce least privilege on your Windows endpoints by removing local admin rights. Moreover, you can manage user elevation requests with idemeum mobile app without impacting user productivity.
You can try EPM with our quick-start guide.
We made changes to our admin portal to make sure it is easier to navigate.
Settings section. Right now Settings are grouped by the product category, so it is easier to set up idemeum exactly as you need. Right now settings are grouped into:Global - this is where you configure tenant-wide settings, including how technicians onboard, and how they authenticate to portalsDesktop agent - configure how desktop agent behavesRFID - configure RFID Single Sign-On featuresPAM - set up Just-in-time (JIT) accounts and LAPS
More information about settings below:
Nik Pot
We also moved devices installation script to Devices section and made things simpler. You can now choose the OS of the workstation, grab the command, and execute it on workstation to install idemeum agent.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force;, so that there is no need to do this manually when executing the PowerShell script-restartAfterInstall 'false' we made sure that there is no pop up asking the user to restart the system.We are excited to share the release of our idemeum macOS desktop client. As part of the first release we offer a number of features:
For customers using Google Workspace connector to automatically onboard users with RFID badges, we made an enhancement that allows to remove / edit badge IDs for onboarded users. You can now navigate to Users → User management, find the user record, click on ... and choose Clear badge id.
Idemeum Windows Desktop Client now supports automatic RFID user onboarding with Google Workspace credentials. When users tap the badge, there is a pop up on Windows desktop to enter Google credentials. Upon successful authentication, user is onboarded and idemeum record is created in local cloud directory with an associated badge ID.
You can now control access to Windows workstations with Google Workspace Groups. When users tap the badge, idemeum will check what Google Groups the user belongs to, and based on configured access controls for the workstation, will allow access or not.
When JIT domain admin accounts are created, idemeum desktop client assigns them to Domain admins group by default. We have enhanced the capability to allow MSP admins to choose what groups to assign these domain admin accounts to. You can now configure groups to be assigned when JIT account is used to login to domain controller, and groups to be assigned when JIT account is used to login to any other domain workstation.
When the desktop client is installed on Windows workstation, we are installing idemeum credential provider. By default the link to choose idemeum credential provider had a name assigned idemeum passwordless user. We changed that link to display the idemeum tenant display name instead.
Idemeum desktop client now supports creating just-in-time domain admin accounts. First, you install idemeum desktop client on domain-controller, second you enable Domain admin accounts settings in the admin portal, and as a result, your technicians will be able to access customer workstation with on-demand domain admin accounts. Idemeum will maintain zero-standing privilege by automatically enabling / disabling these accounts and rotating passwords after every login.
Idemeum RFID Single Sign-On supports login into Windows workstations, web applications, and native desktop applications. With the enhancement when native desktop application is configured, idemeum will automatically submit credentials when they are auto-filled for native application.
We have released a new version of our Cloud RADIUS service. You can now protect Wi-Fi and VPN access without managing any servers. Idemeum Cloud RADIUS supports modern TLS protocols, and allows user authentication with cloud credentials or Passwordless MFA.
Reach out to us in the Discord chat.
Every cyber security framework requires admin access to be performed with individual admin accounts. Up until now idemeum only supported shared account login. Right now idemeum will automatically create unique / named admin account for each MSP technician, will use that account for workstation login, will enable / disable this account when not in use, and will automatically rotate passwords for these accounts.
select all option for actors in the audit sectionReleased a new feature that allows to automatically launch an application once the users signs in into a Windows desktop with an RFID badge. We support launching any type of application - web, native, RDP clients, etc.
Nik Pot
Nik PotWe have now moved the device management plane to the admin portal. You can now manage all desktop clients, assign shared accounts, configure sharing options and other functions right from the admin portal. Navigate to your tenant admin portal and access Devices tab on the left.
Desktop client now supports updating the computer name in the admin portal. Once you change the Windows computer name on the workstation, and restart the system, computer name will be updated in the cloud.
For RFID mode idemeum now supports audit events for locking the screen and logging off. When the user taps the badge to lock the screen or log out, the event will be captured in the audit trail, along with the username and computer name.
Before version 1.2.7 we only supported virtual smart cards when logging the users into domain workstations with RFID badge or mobile device. This required us to leverage TPM module on Windows workstations. We have now moved to supporting username / password for logging the user in instead of virtual smart card. For example, when user first taps the badge, we request the user to provide domain credentials, then these credentials are captured and encrypted with a master key, and then user to log the user into any domain workstation. When password changes, idemeum automatically will request the user to enter new credentials. This way we no longer require the TPM module to be used with idemeum client. Credentials mode is enabled by default. In case you still require TPM based / smart card login, you can request our team to configure this for your tenant.
We certified and documented the way to roll out idemeum desktop client with Endpoint Central / Managed Engine.
Nik PotWe now automatically switch user on the lock screen when RFID badge is used. User A logs into the workstation. User A locks the screen. idemeum automatically switches the user when preserving the session for User A. User B taps the badge and can successfully log in. Before this feature, User B would get the message that another user has locked the screen.
When shared account is assigned to a workstation in RFID mode, idemeum will automatically create this account if it is not present on the system. Before this feature we required administrators to create these accounts before assigning them.
To support local Windows workstations in RFID mode, we require admins to assign a shared account to that workstation. When the account is not assigned, we now properly show the error message informing admins and users of what needs to be done.
Fixed the bug where duplicate logs files were created on the Windows workstation.