
Named vs. shared accounts

Security and compliance frameworks generally require that administrative access be performed with individual admin accounts so that every privileged action can be attributed to a person in the audit trail.

Named admin accounts

Named accounts are the default option.
When a technician logs in, an individual account for their assigned username is created on the workstation (or on the domain controller). The account is enabled only for the duration of the session, and its password is rotated to a random value after each log out. The audit logs therefore show who logged in, where, and which individual account was used.

Shared admin account

We offer this option to reduce the number of accounts created; however, it does not satisfy security and compliance requirements that call for individual accountability. A single account is used to log in all technicians. The account is enabled only for the duration of the session, and its password is rotated behind the scenes after every log out. The agent automatically generates the account in the form msp-XXXX (e.g. msp-1234) for each customer / organization. idemeum's own logs still show which technician logged in where with the shared account, but the operating system's security log (for example Windows logon event 4624) records only the shared name msp-XXXX, so attribution to a person depends on correlating with the idemeum session log.

Domain vs. local admin accounts

Local admin accounts

Local admin accounts are the default option.
Regardless of the computer's join state (workgroup, domain joined, or Entra joined), idemeum creates a local admin account for each technician. In this case there is no need to install the idemeum agent on a domain controller; install it on the user workstations only.

Domain admin accounts

You need to install the idemeum agent on all domain controllers to be able to create and use JIT domain accounts.
When a technician logs in by scanning a QR code on a user workstation, the idemeum agent reaches out to a domain controller to provision and enable the domain account. After the session the domain account is disabled and its password is rotated.
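Both the named/shared and the local/domain options rely on the same just-in-time lifecycle: the account is created or enabled, a logon happens, and after the session the account is disabled and its password is rotated. The script below is an added example, not idemeum's code, showing how an operator could verify that lifecycle independently from the Windows Security log of a workstation or domain controller. It uses the real Windows event IDs (4720 account created, 4722 enabled, 4724 password reset, 4725 disabled, 4624 logon), but the event records it runs over are constructed sample data, and the msp-XXXX pattern assumes the four-digit suffix shown above. It also flags shared-account sessions, whose technician identity is not present in the Windows log and must be taken from idemeum's session log.

```python
"""Audit JIT admin sessions from (constructed) Windows Security event records.

Added example; not part of idemeum's product. Event IDs are the real Windows
Security event IDs, the records in SAMPLE_EVENTS are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime

EVENT_CREATED = 4720   # A user account was created
EVENT_ENABLED = 4722   # A user account was enabled
EVENT_PW_RESET = 4724  # An attempt was made to reset an account's password
EVENT_DISABLED = 4725  # A user account was disabled
EVENT_LOGON = 4624     # An account was successfully logged on

# Shared-account naming as described on the page (assumption: four-digit suffix).
SHARED_ACCOUNT = re.compile(r"^msp-\d{4}$")

# Constructed sample: (timestamp, event id, target account, host, logon type or None).
SAMPLE_EVENTS = [
    # Named local account: full lifecycle, as expected.
    ("2024-05-01T09:00:00", EVENT_CREATED, "jdoe", "WS01", None),
    ("2024-05-01T09:00:01", EVENT_ENABLED, "jdoe", "WS01", None),
    ("2024-05-01T09:00:05", EVENT_LOGON, "jdoe", "WS01", 2),
    ("2024-05-01T09:45:00", EVENT_DISABLED, "jdoe", "WS01", None),
    ("2024-05-01T09:45:01", EVENT_PW_RESET, "jdoe", "WS01", None),
    # Shared account: password rotated but never disabled after the session.
    ("2024-05-01T10:00:00", EVENT_ENABLED, "msp-1234", "WS02", None),
    ("2024-05-01T10:00:04", EVENT_LOGON, "msp-1234", "WS02", 10),
    ("2024-05-01T10:30:00", EVENT_PW_RESET, "msp-1234", "WS02", None),
    # Standing admin account with no JIT lifecycle at all.
    ("2024-05-01T11:00:00", EVENT_LOGON, "Administrator", "WS02", 2),
]


def audit_sessions(events):
    """Return one finding per logon: which lifecycle steps happened around it.

    For each 4624 logon of an account on a host, the enable step must appear
    before the logon and the disable + password-reset steps must appear after
    it and before the account's next logon on that host.
    """
    by_key = defaultdict(list)
    for ts, event_id, account, host, logon_type in events:
        by_key[(host, account)].append((datetime.fromisoformat(ts), event_id, logon_type))

    findings = []
    for (host, account), evs in sorted(by_key.items()):
        evs.sort(key=lambda e: e[0])
        logon_idx = [i for i, (_, eid, _) in enumerate(evs) if eid == EVENT_LOGON]
        for n, i in enumerate(logon_idx):
            end = logon_idx[n + 1] if n + 1 < len(logon_idx) else len(evs)
            before = {eid for _, eid, _ in evs[:i]}
            after = {eid for _, eid, _ in evs[i + 1:end]}

            issues = []
            if not before & {EVENT_CREATED, EVENT_ENABLED}:
                issues.append("no JIT enable before logon (standing account?)")
            if EVENT_DISABLED not in after:
                issues.append("account not disabled after session")
            if EVENT_PW_RESET not in after:
                issues.append("password not rotated after session")

            shared = bool(SHARED_ACCOUNT.match(account))
            findings.append({
                "host": host,
                "account": account,
                "logon": evs[i][0].isoformat(),
                "logon_type": evs[i][2],
                "shared": shared,
                # Shared accounts carry no technician identity in the Windows log;
                # the person must be looked up in idemeum's own session log.
                "attribution": "idemeum session log" if shared else "windows log",
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_EVENTS):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"{f['host']:5} {f['account']:14} {f['logon']} "
              f"attribution={f['attribution']:19} {status}")
```

On a real host the same check can be fed from `Get-WinEvent -LogName Security` exported to JSON; the per-session windowing matters because a disable event belonging to a later session must not be credited to an earlier one.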