
JIT computer accounts

Computer JIT login mode

Idemeum supports technician login to customer workstations with either individual named accounts or shared accounts.

Overview

You can decide how your technicians log in to customer computers: with a shared MSP account or with named accounts.

  • Named account - a named account is bound to one MSP technician and has to be provisioned / de-provisioned whenever a person joins / leaves the organization.
  • Shared account - an account that lets multiple technicians access customer workstations using a single set of credentials.
💡 Technician login mode is assigned per customer tenant. For instance, for one customer you can apply shared account login to all machines, whereas for another customer you can enforce technician login with individual accounts.

Configure JIT login mode

  • Navigate to the customer tenant admin portal → customer1-<msp-domain>.idemeum.com/adminportal
  • Access Settings → PAM
  • Set Technician login mode to individual or shared account

Detailed overview

Named accounts

  • How do technicians log in?
    • Each technician accesses any customer workstation with an individually assigned account.
  • How is the named account created?
    • Named accounts are based on the usernames of technicians in your MSP portal. For instance, technician nik will have the account msp-nik, and that account will be used to access every workstation of every customer. Upon the first login, the idemeum desktop client creates this local admin account on the workstation.
  • How are passwords managed?
    • Even though each technician uses the same named account across all customers and workstations (technician nik has the account msp-nik on every workstation), the password is randomly assigned per workstation and rotated before each login session. Passwords are never exposed to technicians, who log in with their mobile devices and biometrics.
  • How is offline code obtained?
  • How is access audited?
    • In the audit logs you will see a detailed record for each technician accessing customer workstations with an individual named account:
      nik@nikpot.com logged into the Desktop W11-L-PASSWORD with account nik-msp

Shared accounts

  • How do technicians log in?
    • Each technician accesses customer workstations with a single shared account.
  • How is the shared account created?
    • A shared account is generated per customer tenant, applied to all of that customer's workstations, and used by all technicians. For instance, customer-1 will have the account msp-2356 assigned, whereas customer-2 will have the account msp-4565 assigned.
  • How are passwords managed?
    • The shared account name is the same on all workstations of one customer; however, the password is randomly assigned to the account on each workstation, and it is rotated before each login session.
  • How is offline code obtained?
  • How is access audited?
    • In the audit logs you will still see which technician accessed which workstation with the shared account:
      nik@nikpot.com accessed workstation W10-local with account msp-1234
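The two "How are passwords managed?" answers above describe the same model for named and shared accounts: one account name, a different random password on every workstation, rotated before each session, and an audit record that names the person rather than only the account. The script below is an added example, written for this page with the built-in Windows LocalAccounts cmdlets; it is not the idemeum desktop client's code. The password length and character set, the audit log path, and the use of the well-known Administrators SID are assumptions; the account name and technician identity reuse the page's example values.

```powershell
# Added example (not idemeum's client code): create a JIT local admin account on
# first login, otherwise rotate its password, then write an audit record that ties
# the technician identity to the account and workstation.
param(
    [string]$AccountName = 'msp-2356',        # shared account for this tenant (page's example value)
    [string]$Technician  = 'nik@nikpot.com',  # person starting the session (page's example value)
    [string]$AuditLog    = "$env:ProgramData\jit-login-audit.log"  # assumed path
)

function New-RandomPassword {
    param([int]$Length = 32)   # assumed length
    # 64 characters so that byte % 64 has no modulo bias; use the CSPRNG, never Get-Random.
    $chars = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Set-JitLocalAdmin {
    param([string]$Name, [string]$Technician, [string]$AuditLog)

    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    $existing = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # First login on this workstation: create the account with a fresh password.
        New-LocalUser -Name $Name -Password $secure -PasswordNeverExpires `
            -Description 'JIT technician account' | Out-Null
        # S-1-5-32-544 is the well-known SID of the local Administrators group,
        # so this also works on localized Windows builds.
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Name
    } else {
        # Every later login: rotate the password before the session starts.
        Set-LocalUser -Name $Name -Password $secure
    }

    # The audit line records the person, not just the (possibly shared) account.
    $entry = '{0:o} {1} accessed workstation {2} with account {3}' -f `
        (Get-Date), $Technician, $env:COMPUTERNAME, $Name
    Add-Content -Path $AuditLog -Value $entry

    # The credential goes to the logon flow as a SecureString; it is never displayed.
    return $secure
}

$null = Set-JitLocalAdmin -Name $AccountName -Technician $Technician -AuditLog $AuditLog
```

Run it elevated on the workstation before each session; the only state that persists between runs is the account itself, so even if a previous session's password leaked it stops working at the next rotation, and the audit log still shows who used the shared name.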