
Endpoint privilege management overview

Enforce least privilege on endpoints, protect against ransomware and malware, and manage elevation requests without compromising user productivity.


Endpoint Privilege Management (EPM) is a cloud solution that lets you remove local admin rights from user endpoints. By removing local admin rights, you can enforce least privilege, protect your customers against malware, and manage user elevation requests efficiently through mobile and web approval flows.

Get started

Quick-start guides
Follow the product guides we created to test idemeum platform use cases.

Support matrix

Operating system    Versions
Windows             10, 11

Product components

Endpoint Privilege Management (EPM) is a cloud-based product that can be deployed by installing workstation agents and managing rules and elevation requests from the cloud dashboard.

  • Desktop agent - the desktop agent is installed on each user workstation. It captures every elevation event and sends it to the idemeum cloud, where it is matched against the defined allow or block rules. The desktop agent also provides a user interface through which users can request privileged actions.
  • Admin portal - the admin portal is used to manage your EPM deployment. You can set agent elevation modes, create elevation rules, approve or deny elevation requests, and view the audit trail of your deployment activity.
  • Mobile application - when a user requests a privileged action (such as installing new software or accessing protected settings), all technicians receive a mobile notification with the request details. A technician can approve the privileged action from a mobile device for that specific user and application, or create a rule that applies to all similar requests going forward.

Features overview

  • Elevation events capture - the desktop agent captures all privileged action events, including application installs, settings modifications, and protected menus. All events and their metadata are captured and displayed in the cloud admin portal.
  • Elevation control modes - the desktop agent can operate in one of three modes: offline (no events captured and no rules applied), audit (all events captured but rules not enforced), and rules (all events captured and rules enforced).
  • Elevation requests - when an elevation event is captured and no rule applies to it, the user is given the option to request approval of the privileged action from the IT team. All requests are captured in the cloud along with their associated metadata.
  • Mobile and web approvals - when a user request is received, technicians can review its metadata and approve or deny the request from the web portal or from the idemeum mobile application.
  • Rule engine - technicians can create allow or deny rules for user elevation events. Idemeum lets you create rules based on file, publisher, or certificate attributes.
  • Auto rule creation - the idemeum portal provides a convenient UI for creating rules automatically from captured elevation events.
  • Audit events - the admin portal captures all events related to how you manage your User Elevation Control deployment.
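The decision flow described above (control mode, then rule matching, then fallback to an approval request) as a small added model in Python; this is illustrative code written for this page, not idemeum's agent, and the event fields, rule shape, and deny-over-allow precedence are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of an elevation event as captured by the desktop agent.
@dataclass(frozen=True)
class ElevationEvent:
    user: str
    path: str
    sha256: str           # file attribute
    publisher: str        # publisher attribute
    cert_thumbprint: str  # certificate attribute

# A rule matches on one attribute kind: "file", "publisher", or "certificate".
@dataclass(frozen=True)
class Rule:
    kind: str    # "file" | "publisher" | "certificate"
    value: str
    action: str  # "allow" | "deny"

def rule_matches(rule: Rule, ev: ElevationEvent) -> bool:
    attr = {"file": ev.sha256, "publisher": ev.publisher,
            "certificate": ev.cert_thumbprint}[rule.kind]
    return attr.lower() == rule.value.lower()

def decide(mode: str, rules: list, ev: ElevationEvent, audit: list) -> str:
    """Return the agent's decision for one event under a control mode.

    offline -> "not_captured" (nothing logged, no rules applied)
    audit   -> "audit_only"   (event logged, rules evaluated but not enforced)
    rules   -> "allow" / "deny" from the matching rule, or
               "request_approval" when no rule matches
    """
    if mode == "offline":
        return "not_captured"
    if mode not in ("audit", "rules"):
        raise ValueError(f"unknown mode: {mode}")
    matched = [r for r in rules if rule_matches(r, ev)]
    # Assumption: a deny rule wins over an allow rule for the same event.
    verdict: Optional[str] = None
    if any(r.action == "deny" for r in matched):
        verdict = "deny"
    elif matched:
        verdict = "allow"
    audit.append({"user": ev.user, "path": ev.path, "sha256": ev.sha256,
                  "mode": mode, "verdict": verdict})
    if mode == "audit":
        return "audit_only"
    return verdict or "request_approval"

# Constructed sample rules and events (hashes/publishers are placeholders).
RULES = [Rule("publisher", "Contoso Ltd", "allow"),
         Rule("file", "aa" * 32, "deny")]
EV_SIGNED = ElevationEvent("alice", r"C:\Temp\setup.exe", "11" * 32, "Contoso Ltd", "ab" * 20)
EV_UNKNOWN = ElevationEvent("bob", r"C:\Temp\tool.exe", "22" * 32, "", "")
EV_BLOCKED = ElevationEvent("carol", r"C:\Temp\old.exe", "aa" * 32, "", "")
```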