> ## Documentation Index
> Fetch the complete documentation index at: https://docs.idemeum.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Guide - LAPS for computers

> Set up break-glass account management for your customer tenant workstations. 

## What is LAPS for computers?

In this guide we will set up the Cloud LAPS feature that is part of the [Privileged Access Management (PAM)](/pam-for-msps-overview) offering for MSPs.

Cloud LAPS allows you to create break-glass / emergency accounts on all customer workstations (including domain controllers), automatically rotate passwords for these accounts every `24 hours`, and store the credentials in idemeum zero-knowledge cloud vault.

<Note>
  Idemeum cloud is end-to-end encrypted, meaning our team does not see the passwords of your customers.
</Note>

## Set up LAPS for computers

<Info>
  We are assuming you already have your MSP idemeum cloud tenant provisioned. If not, reach out to our [support](/support) team for help.
</Info>

<Steps>
  <Step title="Create idemeum child tenant">
    As a first step you need to create a child organization in your parent MSP tenant.

    * Login to MSP admin portal
    * Navigate to `Tenants` and create a child organization

    <Info>
      More information about how to [create](/multi-tenant-portal/multi-tenant-portal-overview) a child organization.
    </Info>
  </Step>

  <Step title="Configure LAPS settings">
    In this step we will enable LAPS settings for child tenant organization.

    * Navigate to your child tenant admin portal
    * Access `Settings` → `JIT access` and the look for `LAPS for computers` section
    * Enable LAPS for `local` machines and `domain controllers` using the toggles
    * Specify the account name for idemeum to use

    <Tip>
      You can use any account name you like, i.e. `emergency`. You can use built in `Administrator` account as well. Please note, that if the account exists, idemeum will take over and will start rotating passwords. If account does not exist, idemeum will create it.
    </Tip>

    <img src="https://mintcdn.com/idemeum/d98qijAT8YKZcsNZ/images/lapsc.png?fit=max&auto=format&n=d98qijAT8YKZcsNZ&q=85&s=0187f51feedd3384d09d2328d9e50b9a" alt="Lapsc" width="3002" height="2090" data-path="images/lapsc.png" />
  </Step>

  <Step title="Grab installation command and deploy agents">
    Now you need to access the child organization, click `Install new agent`, grab the installation command for Windows or macOS and install idemeum agent.

    <Info>
      More about how to [install idemeum agent](/desktop-agent/agent-install).
    </Info>
  </Step>

  <Step title="View LAPS credentials">
    Once the agents are successfully installed, and the devices show up in the `Devices` section, you can start viewing LAPS credentials.

    <AccordionGroup>
      <Accordion title="View LAPS in the portal" icon="browser">
        Switch to the user portal of your child organization (at the top right of the screen) and you will see the list of devices. Click on the device and choose `View LAPS credentials`. 

        <img src="https://mintcdn.com/idemeum/BXXUWrNcDet3Aaq1/images/lapskk.png?fit=max&auto=format&n=BXXUWrNcDet3Aaq1&q=85&s=8418e7d87ee5b012a6bb5bd6aa8718dd" alt="Lapskk" width="3002" height="2090" data-path="images/lapskk.png" />
      </Accordion>

      <Accordion title="View LAPS in the mobile" icon="mobile">
        You can also view LAPS credentials in the idemeum mobile app. Switch to the customer tenant you create, search for the device, and click on `...`
      </Accordion>
    </AccordionGroup>
  </Step>
</Steps>