Changelog

Windows Desktop Agent 1.5.0

• Enhanced password change detection for desktop client in RFID mode - when desktop agent is installed on local machine with domain line of sight, we can now also verify if password changed at each login, and the user will be prompted to enter new credentials.
• Password length mismatch error message - when the desktop agent is installed on domain controller, and we try to generate service account password, we can now show the proper message that password generated by idemeum does not meet the DC policy requirements. Admin can go and change the password length to the required option in admin portal.
• RFID autofill state management - when autofilling user credentials into Windows native applications in the RFID login mode, idemeum desktop agent can now effectively manage autofill state even when users login with native credential provider.
• Desktop icon removal - when idemeum Windows desktop agent is installed, we no longer create a desktop shortcut.

JIT Entra ID accounts

Entra ID account TOTP support

When technicians request JIT Entra ID accounts, idemeum will automatically create Entra ID account with username and password. You can now also save MFA TOTP secret in idemeum for your Entra ID JIT account, so that techs access customer Entra tenants with MFA.

• When account is requested from the admin portal, click on ... and choose Configure TOTP key

• You can now add and save your TOTP key for this account

Extension auto fill

Extension now supports autofill of credentials and TOTP for JIT Entra accounts. Once you request the account, you can click on the application icon, the new tab will open, and idemeum will autofill credentials and TOTP.

Admin portal UI

• In the devices section we now show the identified for Domain controller. Before we were only detecting Local workstation and Domain workstation.
• Added the capability to search through groups when assigning a group restriction for shared accounts.

HaloPSA and idemeum JIT integration

We now support integration with HaloPSA where technicians can request and manage just-in-time Entra ID admin accounts right from the PSA tickets. Simply navigate to a ticket, click on idemeum custom tab, get redirected to the exact customer tenant, and then you will be able to request JIT account and view the credentials. Idemeum will automatically disable the account after a specified period of time.

HaloPSA idemeum JIT accounts

In this guide we will integrate idemeum just-in-time accounts for Entra ID with Halo PSA. Right from a customer ticket in HaloPSA technicians will be able to request JIT Entra ID accounts and view credentials.

idemeum documentationNik Pot

MSP portal and RFID Single Sign-On

We have now fully integrated our RFID Single Sign-On solution under the umbrella of MSP tenant management. Create a customer tenant and with a click of a button enable the RFID tap and go for customer workstations, web, and native Windows applications. If you have healthcare customers, you can now manage RFID Single Sign-On from your MSP portal.

Windows Desktop Agent 1.4.9

• Enhanced support for OTP login when workstation is in shared account mode

Windows Desktop Agent 1.4.8

• Enhanced the silent installation script:
  • Added the property to avoid restart when C++ prerequisites are installed
  • When the desktop client installs but the pairing with the cloud is not successful, you can now re-run the script to fix the agent state. The script will check if the client is installed but no paired, will uninstall the client and will the retry installation.

Tenant creation with CSV files

You can now create customer tenants by uploading a CSV file. Moreover, for all your existing tenants you can download a CSV file with all installer PowerShell commands.

Bulk tenant creation

Create multiple tenants by uploading the CSV file with tenant data.

idemeum documentationNik Pot

Technician login with OTP

When techs login into workstations with JIT accounts, there are multiple methods available - scan QR-code, or trigger mobile app notification. We introduced another option to login with one-time code. Enable this option in Settings, and you will be able to retrieve OTP code from mobile app and login into any customer workstation.

Technician login methods

Technicians can access customer workstations by scanning a QR-code, triggering a push notification, or using an offline one-time code.

idemeum documentationNik Pot

Selective account login

For domain workstations we now offer an option to choose what account you want to log in as - domain admin account or local admin account. This feature is useful when you want to have certain workstations where domain admin account shall not be exposed. You can configure this setting for each customer tenant.

Selective JIT login

Overview For domain-joined workstations where idemeum desktop client is installed, you can choose what account to use for technician login - domain or local. This feature is useful if you want to control on which workstations you want to expose your domain admin account. Configuration * Navigate to your customer tenant

idemeum documentationNik Pot

Configurable password length

You can now define the length of passwords that idemeum will be using for just-in-time accounts, LAPS credentials, and service accounts. Previously we were relying on 12-character random passwords. Now you can configure the length of passwords for each customer tenant.

• Navigate to your customer tenant
• Access Settings → PAM
• Choose password length from the dropdown - 12, 16, or 24 characters

Endpoint Privilege Management (EPM) for Windows

We are excited to share that our Endpoint Privilege Management solution goes live!

You can enforce least privilege on your Windows endpoints by removing local admin rights. Moreover, you can manage user elevation requests with idemeum mobile app without impacting user productivity.

• Capture all elevation events across Windows endpoints
• Manage user requests with mobile app or web portal
• Create elevation rules (file attributes, publisher, or certificate attributes)
• Automatically create rules from idemeum mobile app
• and more...

You can try EPM with our quick-start guide.

Settings UI refresh

We made changes to our admin portal to make sure it is easier to navigate.

• We reorganized the Settings section. Right now Settings are grouped by the product category, so it is easier to set up idemeum exactly as you need. Right now settings are grouped into:
  • Global - this is where you configure tenant-wide settings, including how technicians onboard, and how they authenticate to portals
  • Desktop agent - configure how desktop agent behaves
  • RFID - configure RFID Single Sign-On features
  • PAM - set up Just-in-time (JIT) accounts and LAPS

More information about settings below:

Tenant cloud settings

High-level overview of idemeum admin portal settings.

idemeum documentationNik Pot

Agent installation UI refresh

We also moved devices installation script to Devices section and made things simpler. You can now choose the OS of the workstation, grab the command, and execute it on workstation to install idemeum agent.

Silent installation enhancement

• Enhanced PowerShell installer command to include Set-ExecutionPolicy RemoteSigned -Scope Process -Force;, so that there is no need to do this manually when executing the PowerShell script

Windows Desktop Client 1.4.1

• When using PowerShell silent installer and passing the -restartAfterInstall 'false' we made sure that there is no pop up asking the user to restart the system.
• Changed default Windows configuration after desktop client installation to show last signed user, so that users do not have to type their username every time.

Security enhancements

• Enhanced the Android OS attestation logic to make sure we properly assess the latest Samsung phones, as some models were not passing the checks.

Bug fixes

• Fixed the bug when after mobile recovery not all devices were available to the user. All device access is now recovered - devices that user created and devices that were shared with the user.

MacOS Desktop Client 1.0.0

We are excited to share the release of our idemeum macOS desktop client. As part of the first release we offer a number of features:

• Just-in-time local admin access to macOS workstation
• Jus-in-time elevation for protected menus, sudo commands, and application installation
• User login with idemeum cloud credentials of Passwordless MFA

Windows Desktop Client 1.4.0

• Fixed the bug when the new RFID user is logged in with a shared local account when the domain shared account is configured. This condition only happened once during the new user enrollment period.

Clear badge id for Google Workspace onboarded users

For customers using Google Workspace connector to automatically onboard users with RFID badges, we made an enhancement that allows to remove / edit badge IDs for onboarded users. You can now navigate to Users → User management, find the user record, click on ... and choose Clear badge id.

Windows Desktop Client 1.3.9

• Windows desktop client now supports the use case where Passwordless MFA can be used with Azure AD as a user source. When user is onboarded with Passwordless MFA, and the QR-code is scanned at the local workstation, idemeum desktop client will automatically create local user.

Windows Desktop Client 1.3.8

RFID badge onboarding with Google Workspace

Idemeum Windows Desktop Client now supports automatic RFID user onboarding with Google Workspace credentials. When users tap the badge, there is a pop up on Windows desktop to enter Google credentials. Upon successful authentication, user is onboarded and idemeum record is created in local cloud directory with an associated badge ID.

RFID Access Control with Google Workspace Groups

You can now control access to Windows workstations with Google Workspace Groups. When users tap the badge, idemeum will check what Google Groups the user belongs to, and based on configured access controls for the workstation, will allow access or not.

Windows Desktop Client 1.3.7

Group assignment for JIT admin accounts

When JIT domain admin accounts are created, idemeum desktop client assigns them to Domain admins group by default. We have enhanced the capability to allow MSP admins to choose what groups to assign these domain admin accounts to. You can now configure groups to be assigned when JIT account is used to login to domain controller, and groups to be assigned when JIT account is used to login to any other domain workstation.

Windows Desktop Client 1.3.6

Tenant display name on the login screen

When the desktop client is installed on Windows workstation, we are installing idemeum credential provider. By default the link to choose idemeum credential provider had a name assigned idemeum passwordless user. We changed that link to display the idemeum tenant display name instead.

Windows Desktop Client 1.3.5

• During the silent installation idemeum desktop client was creating an MSA account on domain controller. In case the MSA object is not available, idemeum desktop client will now fall back to creating a standard account instead of failing installation.
• When the desktop client silent installation fails, idemeum desktop client now ensures that desktop record is removed from idemeum cloud.
• Ensure LAPS configuration is retrieved and LAPS account details are updated during the manual settings update.

Windows Desktop Client 1.3.4

• Fixed bugs during user enrollment flow when shared account is assigned,

Windows Desktop Client 1.3.3

• Fixes for silent desktop client installation

Windows Desktop Client 1.3.2

JIT domain admin accounts

Idemeum desktop client now supports creating just-in-time domain admin accounts. First, you install idemeum desktop client on domain-controller, second you enable Domain admin accounts settings in the admin portal, and as a result, your technicians will be able to access customer workstation with on-demand domain admin accounts. Idemeum will maintain zero-standing privilege by automatically enabling / disabling these accounts and rotating passwords after every login.

Windows Desktop Client 1.3.1

Auto submit for native applications

Idemeum RFID Single Sign-On supports login into Windows workstations, web applications, and native desktop applications. With the enhancement when native desktop application is configured, idemeum will automatically submit credentials when they are auto-filled for native application.

Windows Desktop Client 1.3.0

• Improved QR-code refresh interval to make sure it does not break when the machine time is out of sync
• Link added at the desktop client installation page to upload logs to the cloud
• Fixed the bug when the user was prompted to password several times when Password Prompt Once Per Day feature was enabled

Cloud updates

• JIT accounts for Entra ID configuration now supports listing available roles. When you configure Entra ID integration, you can now leverage role drop down and choose what roles to assign to provisioned just-in-time Entra ID accounts.

Bug fixes

• Remove location coordinate fetching from the portal to speed up login process
• During the mobile recovery process, the user record is now removed from a customer tenant
• RADIUS authentication now supports username as email

Cloud RADIUS

We have released a new version of our Cloud RADIUS service. You can now protect Wi-Fi and VPN access without managing any servers. Idemeum Cloud RADIUS supports modern TLS protocols, and allows user authentication with cloud credentials or Passwordless MFA. 

• Documentation
• Certified integrations
  

Reach out to us in the Discord chat.

Admin and user portal improvements

• Provide information dialog when sensitive data is updated related to desktop settings
• Do not allow to update domain name if managed application is already configured

Improvements and bug fixes

• Add tenant alias for idemeum tenants
• Add force login for authorizing idemeum app
• Add tags and alarm for OIDC user cleanup queue
• Add admin user details as part of OIDC configuration
• Fixes related to updating technician local user
• Azure credentials restrict to managed domains only

Cloud fixes

• IDEM-3642: Do not populate username when the OIDC credentials expired
• IDEM-3604: Add message group id for user clean up FIFO queue

Admin and cloud portals

• IDEM-3612: Create admin managed app with OIDC credentials
• IDEM-3622: UI - Admin Managed password app : OIDC credentials Request Access

Windows Desktop Client 1.2.9

Named JIT admin accounts

Every cyber security framework requires admin access to be performed with individual admin accounts. Up until now idemeum only supported shared account login. Right now idemeum will automatically create unique / named admin account for each MSP technician, will use that account for workstation login, will enable / disable this account when not in use, and will automatically rotate passwords for these accounts.