How it works
High-level overview of how idemeum implemented JIT computer accounts
Product components
Idemeum cloud
- idemeum cloud serves as the management plane. You use your MSP admin portal to set up all settings and customers for your tenant. When you create a customer tenant, you choose which settings to apply, such as desktop branding, how users log in, how technicians log in, who has access to customer workstations, and so on. The settings are periodically pulled and applied by the desktop clients registered for that customer tenant.
Idemeum desktop client
- idemeum desktop client is installed on each customer workstation to manage user and technician login. The desktop client provides several services, including a credential provider, offline login, account creation, and more. The desktop client is associated with a customer tenant and periodically pulls the settings configured for that tenant.
Passwordless MFA
- technicians never use passwords to access customer workstations. What is more, technicians are not even exposed to the local admin account passwords. Every login is performed with the mobile application by scanning a QR-code or triggering a push notification. This way every login is protected by Passwordless MFA, and two factors are used: biometrics (something you are) and certificates (something you have). More about Passwordless MFA security is covered on its own page.
JIT computer accounts login flow
Below you can see a high-level flow for a technician accessing a customer workstation with idemeum mobile application.
- When the idemeum desktop client is installed, it is registered with a chosen customer tenant (idemeum provides a cloud MSP portal). The desktop client can be installed manually or using a variety of silent installation methods. Once installed, the desktop client registers a new credential provider that handles MSP technician logins.
- The idemeum desktop client periodically reaches out to idemeum cloud to retrieve its settings. Idemeum cloud is the management plane where you set up all configuration, including how technicians log in, who has access to which computers, and more.
- When a new technician is hired, they are simply onboarded with Passwordless MFA. A user record is created in the MSP tenant with an associated email address. The technician installs the idemeum mobile application, verifies their email, navigates to the MSP tenant URL, scans the QR-code and onboards. Once onboarded, the technician can be promoted to the admin role (access to all customer tenants and workstations), or be delegated access to certain customer tenants only.
- The technician can now walk up to a workstation, scan the QR-code and log in with an individual local admin account. Technicians can log in using various methods, including QR-code scanning or triggering a push notification.
- The desktop client handles everything automatically: it creates a local admin account if one does not exist, assigns a random 12-digit secure password, enables the account for the duration of the session, rotates the password after logout, and disables the account when it is not in use. All of these features are described below.
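The account lifecycle from the last step, shown as an added PowerShell sketch that is not idemeum's code. It assumes the built-in Microsoft.PowerShell.LocalAccounts cmdlets, a caller-supplied account name, and a 64-character alphabet (chosen so a byte modulo 64 is unbiased); the length of 12 follows the page.

```powershell
# Added illustration (not idemeum's code): a minimal JIT local admin lifecycle
# on Windows. Account name, alphabet and cmdlet choice are assumptions.
#Requires -RunAsAdministrator

function New-RandomPassword {
    param([int]$Length = 12)   # 12 matches the length stated on the page
    # Exactly 64 symbols, so ($byte % 64) selects uniformly (no modulo bias)
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZ' +
                      'abcdefghijkmnpqrstuvwxyz' +
                      '23456789' + '!@#$%^&*')
    $bytes = [byte[]]::new($Length)
    # CSPRNG from .NET, not Get-Random, which is not cryptographically secure
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Enable-JitAdmin {
    param([Parameter(Mandatory)][string]$Name)
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        # First login of this technician on this workstation: create the account.
        # Rotation is handled here, so the OS password-expiry policy is bypassed.
        $user = New-LocalUser -Name $Name -Password $pw `
                    -PasswordNeverExpires -AccountNeverExpires
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    } else {
        Set-LocalUser -Name $Name -Password $pw   # fresh password per session
    }
    Enable-LocalUser -Name $Name
    # The credential provider would consume $pw here; it is never shown or logged
    return $pw
}

function Disable-JitAdmin {
    param([Parameter(Mandatory)][string]$Name)
    # After logout: rotate once more so the session password is dead, then disable
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-LocalUser -Name $Name -Password $pw
    Disable-LocalUser -Name $Name
}
```

Between a call to Enable-JitAdmin and Disable-JitAdmin the account is usable; outside that window it is disabled and its password is unknown to anyone, which is what makes a dumped or leaked password worthless after the session.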