We have released a new version of our Cloud RADIUS service. You can now protect Wi-Fi and VPN access without managing any servers. Idemeum Cloud RADIUS supports modern TLS protocols, and allows user authentication with cloud credentials or Passwordless MFA.
Every cyber security framework requires admin access to be performed with individual admin accounts. Up until now idemeum only supported shared account login. Right now idemeum will automatically create unique / named admin account for each MSP technician, will use that account for workstation login, will enable / disable this account when not in use, and will automatically rotate passwords for these accounts.
Idemeum Cloud
IDEM-3618: On username change for a local user, ensure offline secret is cleared
IDEM-3644: Filter off boarded user before sending sign-in challenge via email
IDEM-3627: Present azure authorize scope for privileged user to admin app authorize flow only
IDEM-3642: Do not return the credentials for expired OIDC account
IDEM-3640 : Add audit events for OIDC user account access and disable
IDEM-3604 : Background job to disable OIDC user account
Idemeum cloud
IDEM-3636: Fix local user disable action for user who was onboarded with badge
IDEM-3611: Implement OIDC privileged user for Entra ID
IDEM-3633: Fix share / un-share of desktop entitlements functionality
IDEM-3605: Enhance existing authorize polling API to return the OIDC tokens
IDEM-3629: Audit changes for desktop login
IDEM-3635: Remove user claims for all customers on update of technician user in MSP tenant
IDEM-3632: Enable named account login by default for new customer tenants
IDEM-3631: Fix active user count during off boarding
IDEM-3620: Public API to download Apple WiFi profile for RADIUS
IDEM-3626: Support admin roles for OIDC credentials
IDEM-3603: Create user account in target user source configured in admin managed app
IDEM-3599: Add new credential type OIDC support for admin managed password app
Admin and user portals
IDEM-3637: Provide select all option for actors in the audit section
IDEM-3638: Only show Login as MSP technician to MSP tenants
IDEM-3628: UI - Show username field for MSP tenant
IDEM-3634: Devices: Use fixed role for sharing
IDEM-3613: Fix: Icon alignment when text is large
IDEM-3601: Settings: Hide Secure remote access
Idemeum cloud
IDEM-3617: Entitlement response changes with regards to named accounts
IDEM-3616: Configuration settings to enable various RADIUS auth flows
IDEM-3615: RADIUS application to support auth mode for auth requests
IDEM-3619: Show RADIUS app only for MSP and MSP customer tenants
IDEM-3596: Enhance SigninStart API to consider email request type
IDEM-3597: Fix bug related to Azure AD serialization
Admin and user portals
IDEM-3625: Fix the bug of allowing to promote badge user to admin
IDEM-3614: Add credentials auth mode for RADIUS
IDEM-3613: Hide shared account configuration when login as MSP named account flag is set to true
IDEM-3593: Add settings to enable login with named accounts for MSPs
IDEM-3592: Portal - show status “MSP technician” for the tenant
IDEM-3488: Bug: Re-fetch the user source config if failed to update existing config
RFID Single Sign On
Application automation
Released a new feature that allows to automatically launch an application once the users signs in into a Windows desktop with an RFID badge. We support launching any type of application - web, native, RDP clients, etc.
Introduce ability to put the tap over on the lock screen behind the feature flag for RFID mode. For some customers that are using keystroke rfIDEAS readers, this feature was conflicting with the keystroke output.
Fix the bug of automatic switch over to native credential provider when keystroke RFID readers are used
We have now moved the device management plane to the admin portal. You can now manage all desktop clients, assign shared accounts, configure sharing options and other functions right from the admin portal. Navigate to your tenant admin portal and access Devices tab on the left.
Computer name change
Desktop client now supports updating the computer name in the admin portal. Once you change the Windows computer name on the workstation, and restart the system, computer name will be updated in the cloud.
Lock and log off audit events
For RFID mode idemeum now supports audit events for locking the screen and logging off. When the user taps the badge to lock the screen or log out, the event will be captured in the audit trail, along with the username and computer name.
Windows Desktop Client 1.2.7
Non TPM-based password login
Before version 1.2.7 we only supported virtual smart cards when logging the users into domain workstations with RFID badge or mobile device. This required us to leverage TPM module on Windows workstations. We have now moved to supporting username / password for logging the user in instead of virtual smart card. For example, when user first taps the badge, we request the user to provide domain credentials, then these credentials are captured and encrypted with a master key, and then user to log the user into any domain workstation. When password changes, idemeum automatically will request the user to enter new credentials. This way we no longer require the TPM module to be used with idemeum client. Credentials mode is enabled by default. In case you still require TPM based / smart card login, you can request our team to configure this for your tenant.
Managed Engine desktop client installation
We certified and documented the way to roll out idemeum desktop client with Endpoint Central / Managed Engine.
We now automatically switch user on the lock screen when RFID badge is used. User A logs into the workstation. User A locks the screen. idemeum automatically switches the user when preserving the session for User A. User B taps the badge and can successfully log in. Before this feature, User B would get the message that another user has locked the screen.
Automatic creation of shared account for RFID mode
When shared account is assigned to a workstation in RFID mode, idemeum will automatically create this account if it is not present on the system. Before this feature we required administrators to create these accounts before assigning them.
Error message for shared account not assigned for local workstation
To support local Windows workstations in RFID mode, we require admins to assign a shared account to that workstation. When the account is not assigned, we now properly show the error message informing admins and users of what needs to be done.
Error logs are fixed
Fixed the bug where duplicate logs files were created on the Windows workstation.
Windows Desktop Client 1.2.6
Bug fixes
Fix the bug where shared account was disabled when desktop app was not installed for MSP tenant
In the previous model we needed you to create local admin accounts manually, and then when the desktop client was installed, you were required to specify a local admin account for each workstation.
Now we automatically create shared local admin accounts when technicians access customer workstations. What is more, we automatically disable them, and rotate passwords when technicians log out. This way we reduce the attack surface and only enable local admin accounts when necessary.
To make this new model possible, we have released the new desktop client, updated our cloud service, and released new iOS and Android mobile applications. Please make sure you update to the latest software to try new features.
While we automatically create, enable, and disable local admin accounts, we have heard from you that sometimes it might be beneficial to leverage existing domain accounts for elevated access (for domain-joined workstations).
For this purpose we allow to override the automatic local admin account creating with domain account of your choosing. For example, if I have domain-joined Windows workstation, and I want my technicians to login into this workstation with existing domain account, I can configure that.
Passwordless MFA
Ability to disable native Windows login
We now allow you to disable native Windows login with username / password so that idemeum login is enforced. For example, if you set up idemeum Passwordless MFA for local workstations, you can now disable the native login so that login with mobile device is enforced.
Windows Desktop Client 1.2.5
Support for automatic account creation for elevated access
Ability to automatically enable and disable local admin shared accounts
Ability to manually assign shared domain admin account for elevated access
We introduced the option to automatically send the username and password to new user over email. This is optional feature, and it is disabled by default. When the new user is created, and the password and username are specified, you can choose to send the credentials to user's email address.
Windows Desktop Client 1.2.1
New features
Local account takeover for MSP elevated access to workstations
Support for desktop username password login using our cloud directory (local and domain workstations)
Support for Passwordless MFA desktop login (local and domain workstations)
Handle auto recovery request after recovery prompt
Add SSM parameters for UI deployment to store hashes
Transition the auto recovery status for admin controlled recovery
Fixed the NPE in the google hrms adapter
Initiate Auto Recovery when user is already onboarded
Support Reserved custom attributes in HRMS
Evict user claims cache on update of Local user
Bulk update API for autofill settings
New features
Support google workspace for RFID badge onboarding. Now you can connect Google Workspace and onboard users by looking up a RFID badge ID in your Google directory.
Fixes
Optimize user desktop entitlement evaluation logic
Fixes
Bug: Entitled Apps API not setting shared
Publish entitlement request when user onboarded via badge
use webauthn4j-core 0.13.0.RELEASE
MSP customer tests to validate desktop entitlements
Upgrade bouncy castle lib to jdk 1.8
New features
Support to configure autolaunch app on startup. Now when you login into desktop with RFID badge, idemeum client can automatically launch desired application.
Add built-in groups for customer MSP tenants
Fixes
Entitlement evaluation service fixes for desktop
Part2 suppress CVE for tomcat-embed-core lib
Publish entitlement request message on desktop changes
Implement onUserChange onUserDelete and onDesktopChange for
Fixed tenant user item concurrent update issue
Represent customer as web app in user entitlements
upgrade jackson-databind to 2.15.3
fixed org.json vulnerability
upgrade tomcat to 9.0.82 to fix CVE-2023-42794
Bug: TenantNameId cache isn't getting cleared on Tenant deletion
Fixed NPE when signing in to expired tenant
MSP user status change in customer tenant should trigger entitlement evaluation
Add All Admin group during Desktop app creation wrt knob settings
Handle the case where the signin has expired
Validate the inputs for the user auto-enroll REST API and throw proper error IDEM-3322: Entitlements response to return shared account configured state
New features
Ability to assign a service account information to multiple workstations. We built a new bulk edit capability for assigning a service account to a set of workstations.
Ability to assign a local or domain service account to a workstation. Domain account is assigned as a logon name, and local service account is assigned as a logon name and password.
Return DC name if configured when request to enroll
Return master keys as part of customer by id api
Enhance userroleassigner api for customer
Added the audit event entries for admin managed password apps
Fixes
Fixed an issue where entitlements fetch reporting duplicate key
If cannot find the stack name, then do not throw an exception
Fix swagger docs
Fix Schema name typo for DesktopLoginAppSharedAccountMedia
Windows Desktop Client 1.1.9
New features
Enhancement for how offline mode functions for a workstation where a service account is assigned. When the workstation is offline, idemeum desktop client will prompt for credentials. Once user enters personal credentials idemeum desktop application will still log the user into workstation with a service account.