JIT computer elevation

When you log in as a technician with a mobile device, some actions on the workstation require elevation. When the elevation prompt appears, scan the QR code to elevate that action. On Windows, click More options, enlarge the idemeum QR code, and scan it with the idemeum mobile app. The action runs elevated, and the idemeum agent handles the UAC prompt behind the scenes. The same experience is offered on macOS workstations.

JIT computer login methods

QR-code login

Go to a workstation where the idemeum agent is installed, click the QR code at the bottom of the login screen, then scan it with the idemeum mobile app.

Push notification login

Enable this option in the JIT settings first.
Go to a workstation where the idemeum agent is installed, click the QR-code icon at the bottom left to load the idemeum login options, then click Send notification link. Enter the email address you registered with in idemeum, and you will receive a login notification on your mobile device.

OTP login

Use this method when the computer is offline. Without a network connection the idemeum agent cannot render a QR code, so it switches to OTP login automatically. You can also enable this option so that OTP login is offered even when the computer is online. Go to the workstation, click the QR code at the bottom left to load the idemeum login options, then click Login via OTP. Retrieve the username and OTP for that workstation from the idemeum mobile app.

Offline computer access

When the computer is offline, the idemeum credential provider switches to offline mode automatically. Instead of displaying the QR code for admin access, it shows username and offline secret fields. To retrieve the username and your offline OTP code, open the idemeum mobile application, switch to the appropriate organization / customer, search for the workstation, click ..., and read the username and OTP code.

Selective computer JIT login

This feature must be enabled for the tenant. More about configuration here.
On domain-joined workstations where the idemeum desktop client is installed, you can choose at login time which account the technician login uses. After you scan the QR code you are offered the choice between a domain account and a local account. This is useful when you want to control on which workstations your domain admin account is exposed.

RDP with JIT accounts

RDP with JIT accounts works between domain-joined workstations. Make sure the idemeum agent is installed on the domain controller and on both the source and the destination Windows workstation.

RDP access with JIT accounts

Quick demo for how to RDP with JIT accounts.
When the idemeum desktop agent is installed on domain-joined workstations, technicians can RDP from one machine to another without using any passwords: scan the QR code and approve with biometrics. Just-in-time accounts are used behind the scenes; they are enabled and disabled on demand, and their passwords are rotated after each login.

RDP JIT prerequisites

  • Supported on domain-joined workstations only
  • Desktop agent installed on source and target machine
  • Domain account login enabled for the customer tenant
  • Domain controller is reachable from the RDP source workstation
  • Agent is installed on domain controller

How to RDP with JIT account

  • Login to source domain-joined workstation
  • Open Windows Remote Desktop Client and connect to the target domain-joined machine
  • You are prompted to authenticate. Click More options, then select the idemeum credential provider to display the QR code.
  • To make the QR code easier to scan, click Click here to expand QR code
  • Scan the QR-code with idemeum mobile application and approve with biometrics
  • You will be logged in to the target workstation

Computer access control

You can control which technicians have access to which workstations. Note that a technician who is a Global admin can access and edit everything everywhere, so this access control does not restrict her. To apply access control, first delegate the technician's access to the customer / organization with read-only permissions, then edit the workstation's access control settings.
  • Navigate to the admin portal of the customer / organization
  • Open Devices, click ... for the device you want to edit, and choose Share device
  • By default the All admins and All users roles are listed
  • To restrict technician access, remove the All admins role and add only the technicians who need to access this workstation

JIT domain account auto removal

When technicians use JIT access for computers in domain environments, an individual domain admin account is created the first time each new technician logs in. While not in use, these accounts are kept in the disabled state. To keep the number of accounts manageable, the idemeum agent installed on the domain controller periodically inventories all technician JIT accounts, and any account that has not been used for the last 30 days is deleted.
Consider an example. Technician alex logs in to a domain-joined computer for the first time and the account msp-alex is created. Once alex logs out, the JIT account is disabled. If alex does not log in to this domain environment for 30 days, the account is deleted. If alex logs in again after that period, the account msp-alex is recreated.
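As an added audit check (not part of the idemeum agent or of this documentation), the following PowerShell script lists the technician JIT accounts in Active Directory and flags the two conditions the policy above says should not persist: accounts that are enabled outside an active technician session, and accounts whose last logon is more than 30 days old but that still exist. It assumes the RSAT ActiveDirectory module is available on the domain controller or a management host, and that JIT accounts share the prefix msp- (generalised from the msp-alex example; the real naming scheme is not stated on this page, so adjust $Prefix to match your tenant).

```powershell
# Added example: audit of technician JIT accounts in Active Directory.
# Not idemeum's code. Assumptions (not stated in the documentation):
#   - JIT accounts are named with the prefix "msp-" (generalised from msp-alex).
#   - The RSAT ActiveDirectory module is installed; run on the DC or a management host.
Import-Module ActiveDirectory

$Prefix    = 'msp-'
$StaleDays = 30
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is derived from lastLogonTimestamp, which AD refreshes only
# when the stored value is more than roughly 14 days old. It can therefore
# read older than the true last logon, so a STALE finding is a prompt to
# confirm in idemeum's own logs, not proof that cleanup failed.
$jitAccounts = Get-ADUser -Filter "Name -like '$Prefix*'" `
    -Properties Enabled, LastLogonDate, whenCreated, MemberOf

$report = foreach ($u in $jitAccounts) {
    $findings = @()
    if ($u.Enabled) {
        # Expected only while a technician session is active.
        $findings += 'ENABLED'
    }
    if ($null -eq $u.LastLogonDate) {
        # Created but never logged on, or lastLogonTimestamp not yet replicated.
        $findings += 'NO-LOGON-RECORDED'
    } elseif ($u.LastLogonDate -lt $Cutoff) {
        # Per the documented policy this account should already have been deleted.
        $findings += "STALE(>$StaleDays d)"
    }
    [pscustomobject]@{
        Name        = $u.SamAccountName
        Enabled     = $u.Enabled
        Created     = $u.whenCreated
        LastLogon   = $u.LastLogonDate
        DomainAdmin = [bool]($u.MemberOf -match '^CN=Domain Admins,')
        Findings    = ($findings -join ',')
    }
}

$report | Sort-Object LastLogon | Format-Table -AutoSize

# Non-zero exit code when anything needs attention, for use in a scheduled check.
if ($report | Where-Object { $_.Findings }) { exit 1 } else { exit 0 }
```

The script only reads AD; it does not disable or delete anything, because the agent on the domain controller owns the account lifecycle. The DomainAdmin column is there because a JIT account that is disabled but still holds Domain Admins membership is exactly the kind of object worth watching: a single re-enable turns it back into a privileged account.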