
Overview (EPM)

Enforce least privilege on Windows and macOS, remove local admin rights, manage elevation requests, and automatically elevate required applications.

Overview

Endpoint Privilege Management (EPM) is about enforcing least privilege on your Windows and macOS workstations. It is a cloud solution that lets you remove local admin rights from your workstations to protect your organization. A user without local admin rights can't change system folders, kill processes, remove security software, and so on. This makes your organization more secure, but users still need admin rights from time to time to install, update, or use business software. With idemeum EPM you can apply rules that automatically elevate specific apps or system actions without giving users permanent admin permissions.

Supported platforms

Operating system    Versions
Windows             10, 11, IoT
macOS               14 and above

Features

  • Rule engine - a flexible rule engine determines how elevation requests are handled. You can match applications by file attributes, publisher, or certificate elements, and then define which applications are elevated automatically or blocked.
  • App control modes - the idemeum agent can run in audit mode to discover which applications users are elevating, without enforcing any rules. Once you have identified the applications you need, you can switch to enforce mode.
  • Request / approval flows - idemeum lets users request elevated actions. Once a request is submitted, the IT team receives a notification, or a ticket is created in the ticketing system.
  • Integrations with ticketing systems - idemeum integrates with various ticketing systems (HaloPSA, ConnectWise, etc.) to create tickets when users request elevated actions.
  • Multi-tenant portal - idemeum is designed to be multi-tenant, so you can create multiple customers or organizations, define global or local rules, manage events from a single dashboard, and more.
  • Integration with allowlisting - idemeum EPM integrates seamlessly with allowlisting, so you can combine application control with elevation management.
  • Technician mode - the idemeum agent offers a protected mode that lets IT technicians bypass enforcement rules when they need to troubleshoot a workstation. Technicians authenticate with the mobile application to enter technician mode on any workstation.
  • Auto account downgrade - to meet compliance requirements you can enforce standard user accounts across your workstations. The idemeum agent periodically checks the local Administrators group and downgrades every account in it, except those on the exclusion list you specify.
  • Account discovery and management - the idemeum agent automatically discovers all local admin and domain admin accounts across your workstations and offers the option to downgrade or remove them.
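To make the rule engine and the audit / enforce modes concrete, here is an added Python example (not idemeum's code; the rule fields, publisher name, hashes and paths are constructed) that evaluates an elevation request against a small rule set, with block rules taking precedence and unmatched apps falling through to the request / approval flow:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ElevationRequest:
    path: str
    sha256: str
    publisher: Optional[str] = None        # Authenticode signer subject, if the file is signed
    cert_thumbprint: Optional[str] = None  # signing certificate thumbprint, if signed

@dataclass
class Rule:
    name: str
    action: str  # "elevate" or "block"
    publisher: Optional[str] = None
    cert_thumbprint: Optional[str] = None
    sha256: Optional[str] = None
    path_prefix: Optional[str] = None

    def matches(self, req: ElevationRequest) -> bool:
        # Every attribute the rule sets must match; unset attributes are wildcards.
        wanted = [(self.publisher, req.publisher), (self.cert_thumbprint, req.cert_thumbprint),
                  (self.sha256, req.sha256)]
        if any(want is not None and want != got for want, got in wanted):
            return False
        return self.path_prefix is None or req.path.lower().startswith(self.path_prefix.lower())

def evaluate(req: ElevationRequest, rules: list, mode: str) -> tuple:
    """Return (decision, enforced, matching rule names). A block rule wins over an elevate
    rule; an app that no rule matches falls through to the request / approval flow."""
    hits = [r for r in rules if r.matches(req)]
    if any(r.action == "block" for r in hits):
        decision = "block"
    elif any(r.action == "elevate" for r in hits):
        decision = "elevate"
    else:
        decision = "request"
    # Audit mode only records what enforce mode would have done; nothing is applied.
    return decision, mode == "enforce", [r.name for r in hits]

# Constructed sample rules and requests (hypothetical publisher, hashes and paths).
# Pairing a publisher with a path prefix keeps a signed binary copied elsewhere from elevating.
SAMPLE_RULES = [
    Rule("contoso-updater", "elevate", publisher="Contoso Software Inc.",
         path_prefix="C:\\Program Files\\Contoso\\"),
    Rule("known-bad-hash", "block", sha256="0" * 64),
]
SIGNED_UPDATER = ElevationRequest(r"C:\Program Files\Contoso\updater.exe", "a" * 64, "Contoso Software Inc.", "11" * 20)
SIGNED_ELSEWHERE = ElevationRequest(r"C:\Users\alice\Downloads\updater.exe", "a" * 64, "Contoso Software Inc.", "11" * 20)
UNSIGNED_BAD = ElevationRequest(r"C:\Users\alice\Downloads\tool.exe", "0" * 64)
```

Running `evaluate(req, SAMPLE_RULES, "audit")` over a day's elevation events gives the discovery list the audit mode bullet describes; switching the mode argument to `"enforce"` is the only change needed to apply the same rules.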