Named vs. shared accounts
Idemeum supports technician login into customer workstations with either individual named accounts or shared accounts.
Overview
Named account - a named account is bound to an MSP technician and has to be provisioned / de-provisioned whenever a person joins / leaves the organization.
Shared account - an account which allows multiple technicians to access customer workstations using a single set of credentials.
Technician login mode is assigned to each customer tenant. For instance, for one customer you can choose to apply shared account login to all machines, whereas for another customer you can enforce technician login with individual accounts.
❗ Named account login mode is enabled by default for each customer tenant you create in your MSP portal. If you want to switch to shared account mode, you need to configure it in the customer tenant admin portal.
Named account mode
- How do technicians log in?
- Each technician will access any customer workstation with an individually assigned account.
- How is a named account created?
- Named accounts are based on the usernames of technicians in your MSP portal. For instance, technician nik will have an account msp-nik, and that account will be used to access any workstation of any customer. Upon the first login, the idemeum desktop client will create this local admin account on each workstation.
- How are passwords managed?
- Even though each technician has the same individual named account across all customers and workstations, i.e. technician nik has an individual account msp-nik assigned for all workstations, the password on each workstation is randomly assigned, and it is rotated before each login session. Passwords are not exposed to technicians, as they log in with mobile devices and biometrics.
- How is offline code obtained?
- The offline secret (TOTP secret) is unique to each machine. Therefore, a technician needs to log in to a workstation in online mode first before the offline code becomes available in the mobile app. This applies to each workstation.
- How is access audited?
- In the audit logs you will see a detailed record for each technician accessing customer workstations with an individual named account.
nik@nikpot.com logged into the Desktop W11-L-PASSWORD with account nik-msp
Shared account mode
- How do technicians log in?
- Each technician will access customer workstations with a single shared account.
- How is a shared account created?
- A shared account is generated per customer tenant, is applied to all workstations, and will be used by all technicians. For instance, customer-1 will have an account msp-2356 assigned, whereas customer-2 will have an account msp-4565 assigned.
- How are passwords managed?
- The shared account is the same for all workstations of one customer; however, the password is randomly assigned to each account on each workstation. Moreover, passwords are rotated before each login session.
- How is offline code obtained?
- The offline code is available immediately; technicians do not have to log in to a workstation first to obtain the offline code in the mobile application. The offline code / TOTP secret is shared across all workstations of each customer.
- How is access audited?
- In the audit logs you will still see which technicians are accessing what workstations with a shared account.
nik@nikpot.com accessed workstaion W10-local with account msp-1234
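Both audit sections above show that the record carries the technician identity even when a shared account is used. The following is an added example (not idemeum's code) that parses lines shaped like the two samples on this page, classifies each session as named or shared using the naming pattern the page illustrates (shared accounts look like msp-<digits>, named accounts embed the technician username), reports per-technician access, and flags named-mode sessions where the account does not belong to the technician. The regexes, the SAMPLE_LOG lines and the classification rule are assumptions based only on the examples shown here.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the two audit-record shapes on the page.
SAMPLE_LOG = """\
nik@nikpot.com logged into the Desktop W11-L-PASSWORD with account msp-nik
nik@nikpot.com accessed workstation W10-local with account msp-1234
anna@nikpot.com accessed workstation W10-local with account msp-1234
anna@nikpot.com logged into the Desktop W11-L-PASSWORD with account msp-nik
"""

# Assumed wording of the two record shapes; "workstaion" is accepted as well
# because the page's sample line is spelled that way.
LINE_RE = re.compile(
    r"^(?P<user>\S+) (?:logged into the Desktop|accessed workstat?ion) "
    r"(?P<host>\S+) with account (?P<acct>\S+)$"
)
# Assumption drawn from the page's examples: shared accounts are msp-<digits>,
# named accounts contain the technician's username (msp-nik / nik-msp).
SHARED_ACCT_RE = re.compile(r"^msp-\d+$")

@dataclass
class Session:
    user: str
    host: str
    account: str
    mode: str  # "named" or "shared"

def parse_audit(text: str) -> list:
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other audit event type; ignored here
        mode = "shared" if SHARED_ACCT_RE.match(m["acct"]) else "named"
        sessions.append(Session(m["user"], m["host"], m["acct"], mode))
    return sessions

def access_by_technician(sessions) -> dict:
    """Technician -> sorted list of hosts. Works in shared mode too, because
    the audit record names the person, not only the account."""
    out = {}
    for s in sessions:
        out.setdefault(s.user, set()).add(s.host)
    return {u: sorted(h) for u, h in out.items()}

def named_account_mismatches(sessions) -> list:
    """Named-mode sessions whose account does not carry the technician's
    username (e.g. anna logging in with msp-nik); worth alerting on."""
    return [s for s in sessions
            if s.mode == "named"
            and s.user.split("@")[0] not in s.account.split("-")]
```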
Configure technician login mode
- Navigate to the admin portal of your customer tenant → customer1-<msp-domain>.idemeum.com/adminportal
- Access Settings → Desktop login
- Enable the toggle Login MSP technician with named account if you want named account mode, or disable it if you want shared account mode.
💡 Named account mode is enabled by default for all customer tenants.
- Save the configuration