Computer JIT login mode
Idemeum supports technician login into customer workstations with either individual named accounts or shared accounts
Overview

You can decide how you want your technicians to log in to customer computers: using a shared MSP account or named accounts.

- Named account: a named account is bound to an MSP technician and has to be provisioned / de-provisioned whenever a person joins / leaves the organization.
- Shared account: an account which allows multiple technicians to access customer workstations using a single set of credentials.
💡 Technician login mode is assigned per customer tenant. For instance, for one customer you can apply shared account login to all machines, whereas for another customer you can enforce technician login with individual accounts.
Configure JIT login mode

- Navigate to the customer tenant admin portal → customer1-<msp-domain>.idemeum.com/adminportal
- Access Settings → PAM
- Configure Technician login mode to use individual or shared accounts
Detailed overview

Named accounts

- How do technicians log in?
  - Each technician will access any customer workstation with an individually assigned account.
- How is a named account created?
  - Named accounts are based on the usernames of technicians in your MSP portal. For instance, technician nik will have an account msp-nik, and that account will be used to access any workstation of any customer. Upon the first login, the idemeum desktop client will create this local admin account on each workstation.
- How are passwords managed?
  - Even though each technician has the same individual named account across all customers and workstations (i.e. technician nik has an individual account msp-nik assigned for all workstations), the password on each workstation is randomly assigned, and it is rotated before each login session. Passwords are not exposed to technicians, as they log in with mobile devices and biometrics.
- How is the offline code obtained?
  - The offline secret (TOTP secret) is unique for each machine and user and will be available in the user portal or mobile application.
- How is access audited?
  - In the audit logs you will see a detailed record for each technician accessing customer workstations with an individual named account, for example:
    nik@nikpot.com logged into the Desktop W11-L-PASSWORD with account nik-msp
Shared accounts

- How do technicians log in?
  - Each technician will access customer workstations with a single shared account.
- How is a shared account created?
  - A shared account is generated per customer tenant, is applied to all workstations, and will be used by all technicians. For instance, customer-1 will have an account msp-2356 assigned, whereas customer-2 will have an account msp-4565 assigned.
- How are passwords managed?
  - The shared account is the same on all workstations of one customer; however, the password is randomly assigned to that account on each workstation. Moreover, passwords are rotated before each login session.
- How is the offline code obtained?
  - The offline secret (TOTP secret) is shared across users and will be available in the user portal or mobile application.
- How is access audited?
  - In the audit logs you will still see which technicians are accessing which workstations with a shared account, for example:
    nik@nikpot.com accessed workstaion W10-local with account msp-1234
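As an added illustration (not idemeum's client code, and not an API this page documents), the following PowerShell sketch shows the local-account behaviour described in both the named-account and shared-account sections above: an account whose name is fixed (msp-nik for a technician, or msp-2356 for a customer tenant) but whose password is generated randomly on each workstation and replaced before every session, so that the same account name never shares a password across machines. The function name Set-JitTechnicianAccount, the 24-character password length and the account description are assumptions.

```powershell
# Added illustration of the JIT local-account behaviour described on this page.
# Not idemeum's client code; the function name and password length are assumptions.
# Requires an elevated session and the built-in Microsoft.PowerShell.LocalAccounts module.
function Set-JitTechnicianAccount {
    param(
        # 'msp-nik' for a named account, 'msp-2356' for a per-tenant shared account
        [Parameter(Mandatory)][string]$AccountName,
        [int]$PasswordLength = 24
    )

    # Generate a fresh random password from a CSPRNG. It exists only inside this
    # function: the technician never sees it, matching the page's description.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] ($PasswordLength * 2)
    $rng.GetBytes($bytes)
    $plain  = ([Convert]::ToBase64String($bytes)).Substring(0, $PasswordLength)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    $existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # First login on this workstation: create the local admin account.
        New-LocalUser -Name $AccountName -Password $secure `
            -PasswordNeverExpires -AccountNeverExpires `
            -Description 'JIT technician account' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $AccountName
        $action = 'created'
    } else {
        # Every later session: rotate the password before the login.
        Set-LocalUser -Name $AccountName -Password $secure
        $action = 'rotated'
    }

    # Discard the plaintext and return only what is safe to write to an audit log.
    Remove-Variable -Name plain
    [pscustomobject]@{
        Account = $AccountName
        Action  = $action
        Host    = $env:COMPUTERNAME
    }
}

# Named-account mode: one account per technician, same name on every workstation.
Set-JitTechnicianAccount -AccountName 'msp-nik'

# Shared-account mode: one account per customer tenant, used by all technicians.
Set-JitTechnicianAccount -AccountName 'msp-2356'
```

Because the function draws its own random bytes on each workstation, the same account name ends up with a different password on every machine, which is the property the page relies on to keep a shared account from becoming a shared password. How the generated credential reaches the login session (the page says it is delivered through the desktop client, mobile device and biometrics) is outside this sketch; the plaintext is deliberately not persisted or printed.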