
Elevated Access to Computers

Named vs. shared accounts

Idemeum supports technician login to customer workstations with either individual named accounts or shared accounts.

Overview

Named account - a named account is bound to one MSP technician and has to be provisioned / de-provisioned whenever that person joins / leaves the organization.

Shared account - an account that lets multiple technicians access customer workstations with a single set of credentials.

Technician login mode is assigned per customer tenant. For instance, for one customer you can apply shared account login to all machines, whereas for another customer you can enforce technician login with individual accounts.

Named account login mode is enabled by default for each customer tenant you create in your MSP portal. If you want to switch to shared account mode, you need to configure it in the customer tenant admin portal.

Named account mode

  • How do technicians log in?
    • Each technician accesses any customer workstation with an individually assigned account.
  • How is a named account created?
    • Named accounts are derived from the technician usernames in your MSP portal. For instance, technician nik will have an account msp-nik, and that account is used to access any workstation of any customer. On the first login to a workstation, the idemeum desktop client creates this local admin account on that workstation.
  • How are passwords managed?
    • Even though each technician has the same named account across all customers and workstations (technician nik has the account msp-nik on every workstation), the password is randomly generated per workstation and rotated before each login session. Passwords are never exposed to technicians, because they log in with their mobile device and biometrics.
  • How is the offline code obtained?
    • The offline secret (TOTP secret) is unique per machine. A technician therefore has to log in to a workstation in online mode once before that workstation's offline code becomes available in the mobile app. This applies to every workstation separately.
  • How is access audited?
    • The audit logs contain a detailed record for each technician accessing a customer workstation with an individual named account, for example:
nik@nikpot.com logged into the Desktop W11-L-PASSWORD with account nik-msp

Shared account mode

  • How do technicians log in?
    • Every technician accesses customer workstations with a single shared account.
  • How is the shared account created?
    • One shared account is generated per customer tenant; it is applied to all workstations of that customer and used by all technicians. For instance, customer-1 will have the account msp-2356, whereas customer-2 will have the account msp-4565.
  • How are passwords managed?
    • The shared account name is the same on all workstations of one customer, but the password is randomly generated per workstation, and it is rotated before each login session.
  • How is the offline code obtained?
    • The offline code is available immediately; technicians do not have to log in to a workstation first to obtain it in the mobile application. The offline code / TOTP secret is shared across all workstations of a customer, so that one secret covers every workstation of that tenant.
  • How is access audited?
    • The audit logs still show which technician accessed which workstation, even though the local account is shared. Note that the workstation's own Windows logon events only record the shared account name, so attribution to a person comes from the idemeum audit log, for example:
nik@nikpot.com accessed workstation W10-local with account msp-1234
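The local-account lifecycle described in the two sections above (create the local admin account on first login, generate a random per-workstation password, rotate it before every session, never show it to the technician, and record who was behind the session) is illustrated by the following PowerShell script. This is an added example written for this page, not the idemeum desktop client's own code: the function names, the audit record layout, and the password alphabet are assumptions. The only thing that changes between the two modes is the account name passed in: a per-technician name such as msp-nik in named mode, or a per-tenant name such as msp-2356 in shared mode.

```powershell
# Added illustration of the account model on this page; not idemeum's client code.
# Requires an elevated PowerShell on Windows 10/11 (Microsoft.PowerShell.LocalAccounts module).

function New-RandomPassword {
    param([int]$Length = 32)
    # Mixed alphabet so the result satisfies default Windows complexity rules.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_'  # 72 chars
    # Reject bytes at or above this limit so that "byte mod 72" is uniform (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)   # 216
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Invoke-TechnicianSessionPrep {
    # Hypothetical helper: run on the workstation before a technician session starts.
    param(
        [Parameter(Mandatory)][string]$AccountName,   # 'msp-nik' (named mode) or 'msp-2356' (shared mode)
        [Parameter(Mandatory)][string]$Technician     # human identity for the audit trail, e.g. nik@nikpot.com
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain  = $null   # the cleartext is only needed to set the account; it is never returned or logged

    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        # First login on this workstation: create the local admin account.
        New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires -AccountNeverExpires `
            -Description 'MSP technician access account' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $AccountName
        $action = 'created and password set'
    } else {
        # Every later login: rotate the per-workstation password before the session.
        Set-LocalUser -Name $AccountName -Password $secure
        $action = 'password rotated'
    }

    # Attribute the session to the person. Windows' own logon event (4624) only
    # shows the local account name, which in shared mode is the same for every
    # technician, so this record is what makes the access attributable.
    return [pscustomobject]@{
        Time        = (Get-Date).ToString('o')
        Technician  = $Technician
        Workstation = $env:COMPUTERNAME
        Account     = $AccountName
        Action      = $action
    }
}

# Named mode: one account per technician, same name on every workstation.
Invoke-TechnicianSessionPrep -AccountName 'msp-nik'  -Technician 'nik@nikpot.com'
# Shared mode: one account per customer tenant, used by every technician.
Invoke-TechnicianSessionPrep -AccountName 'msp-2356' -Technician 'nik@nikpot.com'
```

Running either call twice on the same machine shows the two paths: the first run creates the account and adds it to Administrators, the second only rotates the password. The returned record is the piece a shared-account deployment cannot get from the workstation alone, which is why the idemeum audit log, rather than the local Security log, is the place to look when you need to know which technician used msp-2356.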

Configure technician login mode

  • Navigate to the admin portal of your customer tenant → customer1-<msp-domain>.idemeum.com/adminportal
  • Access Settings → Desktop login
  • Enable the toggle Login MSP technician with named account if you want named account mode, or disable it if you want shared account mode.
  • Save the configuration
💡 Named account mode is enabled by default for all customer tenants.