Skip to main content

Knowledgebase

Quick-start - Just-in-time admin accounts for computers

In this guide you will set up Just-in-time (JIT) admin accounts for Windows and MacOS. Technicians will be able to login into any customer workstation by scanning a QR-code and approving with biometrics.

Quick-start - Just-in-time admin accounts for computers

1. Prepare your MSP tenant

First and foremost sign up for idemeum cloud tenant and make sure you orient yourself with basic set up, such as adding technicians, creating customer tenants for your MSP, setting up branding and more. We have created a basic MSP tenant set up guide.

Quick-start - MSP tenant set up guide
In this guide we will configure your MSP tenant with basic settings - technicians onboarding, user management, branding, customer tenant creation, and more.
idemeum documentationNik Pot

2. Configure your customer tenant

Enable local directory for customer tenant

  • Navigate to Users → User source
  • Choose Local from the dropdown and Save the configuration

Choose technician login mode

By default idemeum will automatically create named / individual admin account for each technician. If you want to change this behavior and use shared accounts, you can follow the guide below, otherwise proceed to the next step.

Named vs. shared accounts
Idemeum supports technician login into customer workstations with either individual named accounts or shared accounts.
idemeum documentationNik Pot

Enable domain JIT accounts (optional)

By default idemeum utilizes local admin accounts everywhere.

If you scan a QR-code on local Windows or domain-joined Windows computer - local admin account is used. However, idemeum supports domain accounts also. When scanning a QR-code on domain-joined computer, idemeum can automatically create domain account for each technician.

To use Just-in-time (JIT) domain accounts for your domain-joined computers, you need to install idemeum desktop client on domain-controller first. Idemeum will interact with domain controller when creating domain accounts and enabling / disabling them on the fly.

Follow the steps below to enable JIT domain admin accounts.

Enable domain JIT accounts
In this post we will explore how to enable domain JIT accounts, so that technicians can access any domain-joined workstation with on-demand domain accounts.
idemeum documentationNik Pot

3. Install idemeum desktop application

Now you can install idemeum desktop application to a customer workstation.

If you decided to use domain JIT accounts for Windows domain-joined computers, make sure you also install idemeum agent on domain controller.

Follow the steps below to install idemeum desktop client with command line.

Command-line installation
This guide demonstrates how you can install idemeum desktop client with a command line command.
idemeum documentationNik Pot

4. Test technician login

Once the desktop client is installed, it creates a credential provider that will allow technicians to access the workstation with a mobile device. You can simply scan a QR-code as a technician and access customer workstation without passwords. More details on different ways to access customer workstations below.

Technician login methods
Technicians can access customer workstations by scanning a QR-code, triggering a push notification, or using an offline one-time code.
idemeum documentationNik Pot

Questions?

If you have any questions please join our Discord chat, and we will help.