Skip to main content

Endpoint Privilege Management

Elevation control mode

Idemeum desktop agent supports various elevation control modes - offline, audit, and rules.

Overview

  • Offline mode - idemeum desktop agent is not capturing elevation events and is not enforcing any rules. This is the default mode when the idemeum desktop agent is installed.
  • Audit mode - idemeum is capturing all elevation events for any user type and is uploading them to the cloud. Rules are not enforced and standard OS windows is presented for authentication.
  • Rules mode - idemeum is intercepting all elevation requests and applying allow / deny rules. If there are no rules for the elevation action, user is presented with the dialog to request approval.

Check out Windows and macOS EPM pages to understand how EPM works on each platform.

Configure elevation mode

When the device is online and you change the elevation mode, the change is applied immediately, as we send a notification to a device. When the device is offline, the notification can not be processed, and the device will get the elevation mode change during the next cloud sync window. Device agents sync with cloud every 6 hours.

Elevation mode can be configured for each device individually, or it can be applied to a set of devices in bulk

  • Access you customer tenant admin dashboard
  • Navigate to Devices section
  • You will see the elevation mode that is set for each device
  • To change the elevation mode click on ... next to a device and choose Set elevation mode. Then you can choose what elevation mode to apply.
  • If you want to set elevation mode to a bulk of devices, select the devices with a checkbox and click on the bulk action button to assign elevation mode.