Just-in-time admin accounts

JIT accounts login mode

Idemeum supports technician login into customer workstations with either individual named accounts or shared accounts.


  • Named account - a named account is bound to one MSP technician and has to be provisioned / de-provisioned whenever a person joins / leaves the organization.
  • Shared account - an account that allows multiple technicians to access customer workstations using a single set of credentials.

Technician login mode is assigned per customer tenant. For instance, for one customer you can apply shared account login to all machines, whereas for another customer you can enforce technician login with individual named accounts.

Configure login mode

  • Navigate to customer tenant admin portal → customer1-<msp-domain>
  • Access Settings → PAM
  • Configure Technician login mode to leverage individual or shared account

Detailed overview

Named accounts

  • How do technicians log in?
    • Each technician accesses every customer workstation with an individually assigned account.
  • How is a named account created?
    • Named accounts are derived from the technicians' usernames in your MSP portal. For instance, technician nik will have an account msp-nik, and that account is used to access any workstation of any customer. Upon the first login, the idemeum desktop client creates this local admin account on the workstation.
  • How are passwords managed?
    • Even though each technician has the same individual named account across all customers and workstations (i.e. technician nik has the account msp-nik on every workstation), the password on each workstation is randomly assigned, and it is rotated before each login session. Passwords are never exposed to technicians, as they log in with their mobile devices and biometrics.
  • How is the offline code obtained?
    • The offline secret (TOTP secret) is unique to each machine. Therefore, a technician needs to log in to a workstation in online mode first before the offline code for that workstation becomes available in the mobile app. This applies to each workstation separately.
  • How is access audited?
    • In the audit logs you will see a detailed record for each technician accessing customer workstations with an individual named account, for example: "logged into the Desktop W11-L-PASSWORD with account nik-msp".

Shared accounts

  • How do technicians log in?
    • Each technician accesses customer workstations with a single shared account.
  • How is the shared account created?
    • A shared account is generated per customer tenant, applied to all of that customer's workstations, and used by all technicians. For instance, customer-1 will have the account msp-2356 assigned, whereas customer-2 will have the account msp-4565 assigned.
  • How are passwords managed?
    • The shared account name is the same on all workstations of one customer; however, the password is randomly assigned to that account on each workstation. Moreover, passwords are rotated before each login session.
  • How is the offline code obtained?
    • The offline code is available immediately: technicians do not have to log in to a workstation first to obtain the offline code in the mobile application. The offline code / TOTP secret is shared across all workstations of each customer.
  • How is access audited?
    • In the audit logs you will still see which technician is accessing which workstation with the shared account, for example: "accessed workstaion W10-local with account msp-1234".
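The following is an added model of the two login modes described above (named accounts and shared accounts); it is example code written for this page, not idemeum's own implementation, and the account-name format, the random-password length, the 20-byte TOTP secret and the audit record layout are assumptions. It shows the properties the text relies on: the same account name everywhere but a distinct, per-session-rotated password on each workstation; a per-machine TOTP secret in named mode (so the offline code exists only after a first online login to that machine) versus one tenant-wide secret in shared mode (available immediately); and an audit record that still carries the technician's identity even when a shared account is used.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


@dataclass
class Workstation:
    name: str
    # local admin accounts on this machine: account name -> current password
    accounts: dict = field(default_factory=dict)
    # named mode: TOTP secret per local account on this machine (constructed per machine)
    totp_secrets: dict = field(default_factory=dict)


@dataclass
class Tenant:
    name: str
    mode: str                      # "named" or "shared" (assumed mode labels)
    workstations: list
    shared_account: str = ""
    shared_totp_secret: bytes = b""
    audit: list = field(default_factory=list)   # (technician, workstation, account)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Standard RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def new_tenant(name: str, mode: str, workstation_names: list) -> Tenant:
    """Create a customer tenant; shared mode gets one account name and one
    TOTP secret for the whole tenant (assumed 'msp-NNNN' naming)."""
    tenant = Tenant(name, mode, [Workstation(n) for n in workstation_names])
    if mode == "shared":
        tenant.shared_account = f"msp-{secrets.randbelow(10000):04d}"
        tenant.shared_totp_secret = secrets.token_bytes(20)
    return tenant


def account_for(tenant: Tenant, technician: str) -> str:
    """Named mode: msp-<technician>; shared mode: the tenant-wide account."""
    return tenant.shared_account if tenant.mode == "shared" else f"msp-{technician}"


def online_login(tenant: Tenant, ws: Workstation, technician: str) -> str:
    """Online login: the local admin account is created on first use, its password
    is rotated to a fresh random value before every session, and in named mode a
    per-machine TOTP secret is established so the offline code exists afterwards."""
    account = account_for(tenant, technician)
    ws.accounts[account] = secrets.token_urlsafe(24)      # assumed length; rotated each session
    if tenant.mode == "named" and account not in ws.totp_secrets:
        ws.totp_secrets[account] = secrets.token_bytes(20)
    tenant.audit.append((technician, ws.name, account))   # technician identity kept in both modes
    return account


def offline_code(tenant: Tenant, ws: Workstation, technician: str, at: int):
    """Offline code the mobile app can show for `ws` at time `at`, or None when the
    technician still has to log in online to this workstation first (named mode)."""
    if tenant.mode == "shared":
        return totp(tenant.shared_totp_secret, at)
    secret = ws.totp_secrets.get(account_for(tenant, technician))
    return None if secret is None else totp(secret, at)


if __name__ == "__main__":
    named = new_tenant("customer-1", "named", ["W11-L-PASSWORD", "W11-B"])
    shared = new_tenant("customer-2", "shared", ["W10-local", "W10-B"])
    print("named offline code before login:", offline_code(named, named.workstations[0], "nik", 0))
    online_login(named, named.workstations[0], "nik")
    print("named offline code after login: ", offline_code(named, named.workstations[0], "nik", 0))
    print("shared offline code immediately:", offline_code(shared, shared.workstations[0], "nik", 0))
    online_login(shared, shared.workstations[0], "nik")
    print("shared-mode audit:", shared.audit)
```

Running the script shows `None` for the named-mode offline code until the first online login, and a code immediately in shared mode; the audit list keeps the technician name next to the shared account, which is the property that makes a shared account acceptable from an accountability standpoint.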