New updates and improvements to idemeum
select all option for actors in the audit sectionReleased a new feature that allows to automatically launch an application once the users signs in into a Windows desktop with an RFID badge. We support launching any type of application - web, native, RDP clients, etc.
Nik Pot
Nik PotWe have now moved the device management plane to the admin portal. You can now manage all desktop clients, assign shared accounts, configure sharing options and other functions right from the admin portal. Navigate to your tenant admin portal and access Devices tab on the left.
Desktop client now supports updating the computer name in the admin portal. Once you change the Windows computer name on the workstation, and restart the system, computer name will be updated in the cloud.
For RFID mode idemeum now supports audit events for locking the screen and logging off. When the user taps the badge to lock the screen or log out, the event will be captured in the audit trail, along with the username and computer name.
Before version 1.2.7 we only supported virtual smart cards when logging the users into domain workstations with RFID badge or mobile device. This required us to leverage TPM module on Windows workstations. We have now moved to supporting username / password for logging the user in instead of virtual smart card. For example, when user first taps the badge, we request the user to provide domain credentials, then these credentials are captured and encrypted with a master key, and then user to log the user into any domain workstation. When password changes, idemeum automatically will request the user to enter new credentials. This way we no longer require the TPM module to be used with idemeum client. Credentials mode is enabled by default. In case you still require TPM based / smart card login, you can request our team to configure this for your tenant.
We certified and documented the way to roll out idemeum desktop client with Endpoint Central / Managed Engine.
Nik PotWe now automatically switch user on the lock screen when RFID badge is used. User A logs into the workstation. User A locks the screen. idemeum automatically switches the user when preserving the session for User A. User B taps the badge and can successfully log in. Before this feature, User B would get the message that another user has locked the screen.
When shared account is assigned to a workstation in RFID mode, idemeum will automatically create this account if it is not present on the system. Before this feature we required administrators to create these accounts before assigning them.
To support local Windows workstations in RFID mode, we require admins to assign a shared account to that workstation. When the account is not assigned, we now properly show the error message informing admins and users of what needs to be done.
Fixed the bug where duplicate logs files were created on the Windows workstation.
Nik PotIn the previous model we needed you to create local admin accounts manually, and then when the desktop client was installed, you were required to specify a local admin account for each workstation.
Now we automatically create shared local admin accounts when technicians access customer workstations. What is more, we automatically disable them, and rotate passwords when technicians log out. This way we reduce the attack surface and only enable local admin accounts when necessary.
To make this new model possible, we have released the new desktop client, updated our cloud service, and released new iOS and Android mobile applications. Please make sure you update to the latest software to try new features.
Nik Pot
While we automatically create, enable, and disable local admin accounts, we have heard from you that sometimes it might be beneficial to leverage existing domain accounts for elevated access (for domain-joined workstations).
For this purpose we allow to override the automatic local admin account creating with domain account of your choosing. For example, if I have domain-joined Windows workstation, and I want my technicians to login into this workstation with existing domain account, I can configure that.
We now allow you to disable native Windows login with username / password so that idemeum login is enforced. For example, if you set up idemeum Passwordless MFA for local workstations, you can now disable the native login so that login with mobile device is enforced.
Nik PotNik PotNik PotNik PotWe introduced the option to automatically send the username and password to new user over email. This is optional feature, and it is disabled by default. When the new user is created, and the password and username are specified, you can choose to send the credentials to user's email address.
Nik PotNik PotYou can learn more about shared account configuration in our documentation portal.
userroleassigner api for customerpersonal credentials idemeum desktop application will still log the user into workstation with a service account. Nik PotNik PotAll Users groupAll Users group that is manually added to the groups listed to the security policyNik PotNik PotNik PotNik Pot