# Quickstart - Endpoint Privilege Management

> Set up elevation control on Windows and macOS.

## What is Endpoint Privilege Management?

Endpoint Privilege Management (EPM) implements least-privilege security on your Windows and macOS workstations. It is a cloud solution that lets you remove local admin rights from your workstations to protect your organization. A user without local admin rights can’t make changes to system folders, kill processes, remove security software, and more. This makes your organization more secure, but the drawback is that users still need admin rights from time to time to install, update, or use business software. With idemeum EPM you can apply rules that automatically elevate certain apps or system actions without giving users permanent admin permissions.

<Card title="Endpoint Privilege Management overview" icon="page" horizontal href="/endpoint-privilege-management-overview">
  Full documentation section for EPM.
</Card>

## Get started with EPM

In this guide we will install the idemeum agent, enable EPM, and test the elevation approval flow.

<Steps>
  <Step title="Sign up for idemeum tenant">
    Sign up for a free idemeum IT or MSP tenant on our website → [idemeum.com](https://idemeum.com)
  </Step>

  <Step title="(MSP) - Create child tenant">
    If you are an MSP, please create a child tenant / organization.

    * Log in to your MSP admin portal
    * Navigate to `Tenants` → click `Add tenant` and choose manually
    * Provide subdomain and display names and save the configuration

          <img src="https://mintcdn.com/idemeum/NHk_znfdxs-hO07k/images/CleanShot-2026-05-27-at-10.40.29@2x.png?fit=max&auto=format&n=NHk_znfdxs-hO07k&q=85&s=f67c477bb503262d86f18103b092280c" alt="Clean Shot 2026 05 27 At 10 40 29@2x" width="3244" height="2142" data-path="images/CleanShot-2026-05-27-at-10.40.29@2x.png" />
  </Step>

  <Step title="Enable EPM for your tenant">
    * Navigate to your idemeum tenant admin portal
    * Click `Control settings` → `EPM`
    * Make sure EPM is enabled for your tenant

          <img src="https://mintcdn.com/idemeum/wB8BYftC6JmZjCCa/images/CleanShot-2026-05-27-at-12.07.50@2x.png?fit=max&auto=format&n=wB8BYftC6JmZjCCa&q=85&s=97cd1b4ff831c920c74a19a28ce7fed4" alt="Clean Shot 2026 05 27 At 12 07 50@2x" width="3244" height="2142" data-path="images/CleanShot-2026-05-27-at-12.07.50@2x.png" />
  </Step>

  <Step title="Grab installation command to deploy agents">
    <Warning>
      macOS agent deployment requires privacy and security permissions, so it is recommended to deploy the agent with an MDM profile.
    </Warning>

    Click `Install agent` → choose `Control agent` and copy the installation command for Windows or macOS.

    <img src="https://mintcdn.com/idemeum/NHk_znfdxs-hO07k/images/CleanShot-2026-05-27-at-10.46.44@2x.png?fit=max&auto=format&n=NHk_znfdxs-hO07k&q=85&s=375b42ec485b444929631c2a2567620c" alt="Clean Shot 2026 05 27 At 10 46 44@2x" width="3244" height="2142" data-path="images/CleanShot-2026-05-27-at-10.46.44@2x.png" />
  </Step>

  <Step title="Turn elevation mode to rules">
    Once the agent is installed, it will appear in the `Devices` table, and its elevation mode will be off by default. Click `...` and set the elevation mode to `Rules`.

    <img src="https://mintcdn.com/idemeum/nQywgqubfn4A6GcZ/images/CleanShot-2026-05-27-at-12.13.41@2x.png?fit=max&auto=format&n=nQywgqubfn4A6GcZ&q=85&s=804916d82c159f3c186efba2ac24239d" alt="Clean Shot 2026 05 27 At 12 13 41@2x" width="3244" height="2142" data-path="images/CleanShot-2026-05-27-at-12.13.41@2x.png" />
  </Step>

  <Step title="Test request elevation flow">
    <Tip>
      Make sure you log in to your workstation with a `standard` account to test the elevation flow.
    </Tip>

    * Log in to your workstation with a standard account

    * Launch an application that requires admin privileges

    * You will see the idemeum request window. When there are no rules present, the default behavior is to offer the request option to the user.

          <img src="https://mintcdn.com/idemeum/nQywgqubfn4A6GcZ/images/CleanShot-2026-05-27-at-12.17.07@2x.png?fit=max&auto=format&n=nQywgqubfn4A6GcZ&q=85&s=943adfc1c23fd1494dd0a66da5f14c8f" alt="Clean Shot 2026 05 27 At 12 17 07@2x" width="2676" height="1980" data-path="images/CleanShot-2026-05-27-at-12.17.07@2x.png" />

    * In the idemeum portal, navigate to `Activity` → `Requests` and approve the elevation request

          <img src="https://mintcdn.com/idemeum/nQywgqubfn4A6GcZ/images/CleanShot-2026-05-27-at-12.19.05@2x.png?fit=max&auto=format&n=nQywgqubfn4A6GcZ&q=85&s=14d422a1dc6c1a51c69e2176777bfc15" alt="Clean Shot 2026 05 27 At 12 19 05@2x" width="3244" height="2142" data-path="images/CleanShot-2026-05-27-at-12.19.05@2x.png" />

    * You can now relaunch the application on your workstation, and it will be automatically elevated.
  </Step>

  <Step title="Create elevation rules">
    If you want to create rules to automatically elevate or deny applications, please follow the steps [here](https://docs.idemeum.com/epm/elevation-rules).
  </Step>
</Steps>
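
A pre-flight check for the standard-account requirement in the test step, for a macOS workstation. This is an added example, not idemeum code: it assumes local admin rights on macOS come from membership in the built-in `admin` group (gid 80), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: confirm the macOS test account is a standard account.
# Assumption: local admin rights come from the built-in "admin" group
# (gid 80). Numeric gids are compared because directory-bound Macs can
# have group names that contain spaces.
ADMIN_GID="${ADMIN_GID:-80}"

# has_admin_gid "<gid list>": succeeds only on an exact gid match,
# so 180 or 8080 never counts as 80.
has_admin_gid() {
    for gid in $1; do
        [ "$gid" = "$ADMIN_GID" ] && return 0
    done
    return 1
}

# account_type <user>: prints admin, standard, or unknown (no such user).
account_type() {
    gids=$(id -G "$1" 2>/dev/null) || { echo unknown; return 0; }
    if has_admin_gid "$gids"; then echo admin; else echo standard; fi
}

# preflight <user>: exit status 0 only when the account is standard,
# i.e. suitable for testing the elevation request flow.
preflight() {
    kind=$(account_type "$1")
    echo "$1: $kind"
    [ "$kind" = "standard" ]
}

# Check the account running this script; pass a user name to check another.
preflight "${1:-$(id -un)}" ||
    echo "Use a standard account for the elevation test." >&2
```

An account reported as `admin` can already approve system changes itself, so testing with it does not exercise the request flow a standard user will see.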

<Tip>
  Endpoint Privilege Management has many more features than we can cover in this guide. Please consult our [documentation](https://docs.idemeum.com/endpoint-privilege-management-overview) to learn about all the features EPM has to offer.
</Tip>
