➡️ JIT Admin Access

JIT for computers

Login with Windows and macOS workstations with on-demand admin accounts protected by passwordless MFA.

Overview

When the idemeum agent is installed it registers as an additional credential provider, offering you the option to perform admin login without passwords. You can perform passwordless login (by scanning a login QR-code) or passwordless elevation when you are assisting a user who does not have admin rights.

Named vs shared accounts

The idemeum agent allows you to log in with either a named / individual account or a shared account that is assigned to the customer tenant.

  • Named accounts - this is the default option. When a technician logs in, an individual account for their assigned username is created on the workstation (or domain controller). Each account is enabled only for the duration of the session, and the password is rotated to a random value after each log out. In the audit logs you will see who logged in where and which individual account was used.
  • Shared account - we offer this option to reduce the number of accounts created; however, this option does not pass security and compliance requirements. One account is used to log in all technicians. This account is enabled only for the duration of the session, and the password is rotated behind the scenes after every log out. The agent automatically generates the account in the form msp-XXXX (i.e. msp-1234) for each customer / organization. In the logs you still have visibility into who logged in where with the shared account.

Configuration
How to configure JIT admin access for your customer / organization tenant.

Domain vs local accounts

You can also choose how you want to log in to domain computers - with domain accounts or with local admin accounts.

  • Local admin accounts - this is the default option. Regardless of the computer state (local, domain, or Entra joined), idemeum will create a local admin account for each technician. In this case there is no need to install the idemeum agent on the domain controller; simply install it on user workstations.
  • Domain admin accounts - in this case you need to install the idemeum agent on both the domain controller and the user workstation. When a technician tries to log in by scanning a QR-code on the user workstation, the idemeum agent reaches out to the DC to provision and enable the domain account. After the session the domain account is disabled and the password is rotated.
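The account lifecycle described under "Named vs shared accounts" and "Domain vs local accounts" (create or reuse an account, enable it and grant admin rights only for the session, then disable it and rotate the password to a random value after log out) is easy to reason about when written out. The following is an added example, not idemeum's code; it shows the local-account case on Windows using the built-in Microsoft.PowerShell.LocalAccounts cmdlets. The function names New-JitAdminSession and Close-JitAdminSession, the audit object they return, and the msp-XXXX placeholder for the shared account name are assumptions made for this example; the idemeum agent itself supplies the credential through its credential provider, so the technician never sees the password this script generates.

```powershell
# Added example (not idemeum's code): JIT local admin account lifecycle.
# Requires an elevated Windows PowerShell session with the
# Microsoft.PowerShell.LocalAccounts module. Function names are hypothetical.

function New-RandomPassword {
    param([int]$Length = 32)
    # Cryptographically random password; it is never displayed or stored,
    # because the only purpose of the value is to make the account unusable
    # outside an agent-brokered session.
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-JitAdminSession {
    param(
        [Parameter(Mandatory)][string]$Technician,   # technician's assigned username
        [switch]$Shared                              # use the single per-tenant account instead
    )
    # Named mode: one account per technician (the default on the page).
    # Shared mode: one msp-XXXX account for everyone; 'msp-XXXX' is a placeholder,
    # the real agent generates the digits per customer / organization.
    $account  = if ($Shared) { 'msp-XXXX' } else { $Technician }
    $password = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    $user = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
    if (-not $user) {
        # First use: create the account with a fresh random password.
        New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
            -Description 'JIT admin account (auto-managed)' | Out-Null
    } else {
        # Reuse: rotate the password again so no prior value is valid.
        Set-LocalUser -Name $account -Password $password
    }

    # Enable only for the duration of the session and ensure admin membership.
    Enable-LocalUser -Name $account
    $member = Get-LocalGroupMember -Group 'Administrators' -Member $account -ErrorAction SilentlyContinue
    if (-not $member) {
        Add-LocalGroupMember -Group 'Administrators' -Member $account
    }

    # Audit record: who logged in where and with which account. In named mode
    # Technician and Account coincide; in shared mode the Technician field is
    # what keeps individual attribution.
    [pscustomobject]@{
        Technician = $Technician
        Account    = $account
        Host       = $env:COMPUTERNAME
        Started    = Get-Date
    }
}

function Close-JitAdminSession {
    param([Parameter(Mandatory)][pscustomobject]$Session)
    # After log out: rotate to a new random password, then disable the account,
    # so the credential that existed during the session is worthless afterwards.
    $newPassword = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-LocalUser -Name $Session.Account -Password $newPassword
    Disable-LocalUser -Name $Session.Account
    $Session | Add-Member -NotePropertyName Ended -NotePropertyValue (Get-Date) -PassThru
}

# Usage from an elevated PowerShell prompt:
#   $s = New-JitAdminSession -Technician 'jdoe'        # named account
#   $s = New-JitAdminSession -Technician 'jdoe' -Shared # shared msp-XXXX account
#   ... technician session ...
#   Close-JitAdminSession -Session $s
```

Two points worth checking in your own environment follow directly from the page's description: `Get-LocalUser -Name <account>` should show the account disabled whenever no session is active, and the audit object (or whatever your agent logs) must carry the technician identity separately from the account name, because in shared mode the account name alone cannot tell you who was logged in.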

JIT computer elevation

Idemeum also allows you to elevate the user's session by scanning a QR-code. Let's say you are helping a user while logged into the computer with your RMM. The user does not have admin permissions, so when she tries to perform an admin action, a UAC prompt comes up that requires admin credentials. There is no need to use any credentials: simply click More options, then enlarge the idemeum QR-code and scan it with your mobile app. The action will be elevated and the UAC prompt will be handled by the idemeum agent behind the scenes.

Login methods

Technicians can access customer workstations by scanning a QR-code, triggering a push notification, or using a one-time code (OTP).

  • QR-code login - navigate to the workstation where the idemeum agent is installed, click on the QR-code at the bottom of the screen, and then scan the QR-code with the idemeum mobile app.
  • Push notification login - you need to enable this option in JIT settings first. Navigate to the workstation where the idemeum agent is installed, click on the QR-code icon at the bottom left to load the idemeum login option, then click on the Send notification link. Now you can enter your email address (the one you registered with in idemeum) and you will receive a login notification.
  • OTP login - you can use this method when the computer is offline. When the computer is offline, the idemeum agent cannot render a QR-code and automatically switches to OTP login mode. You can also enable this option to log in with OTP even when the computer is online. Navigate to the workstation, click on the QR-code at the bottom left to load the idemeum login options, then click on Login via OTP. Now you can retrieve the username and OTP for the workstation from your idemeum mobile app.

Workstation access control

You can control which technicians have access to which workstations. Note that if a technician is a Global admin, she can access and edit everything everywhere. If you want to apply access control, you first need to delegate technician access to a certain customer / organization with read-only permissions, and then edit the workstation access control settings.

  • Navigate to the admin portal of the customer / organization
  • Access Devices, then click on ... for the device you want to edit, and choose Share device
  • By default, All admins and All users will be listed
  • To control technician access, remove the All admins role and add only the technicians that need to access this workstation
  • If a technician does not have access to the workstation and tries to log in with idemeum, she will see the following message.

Offline access to computers

When the computer is offline, the idemeum credential provider will automatically switch to offline mode. Instead of displaying the QR-code for admin access, it will show the username and offline secret fields.

To retrieve the username and your offline OTP code, open the idemeum mobile application, switch to the appropriate organization / customer, search for the workstation, click on ... and retrieve the username and OTP code.

Selective JIT login

For domain-joined workstations where the idemeum desktop client is installed, you can choose which account to use for technician login on the fly, at login time. When you scan the QR-code you will be presented with the option to use a domain account or a local one. This feature is useful if you want to control on which workstations your domain admin account is exposed.

To configure this option, please navigate to the page below.

Configuration
How to configure JIT admin access for your customer / organization tenant.