Skip to main content

Quick-start guides

Quick-start - LAPS

In this guide we will set up cloud LAPS so that you can protect your break-glass local and domain admin accounts with automated password rotation.

Quick-start - LAPS

Sign up for idemeum MSP tenant

If you have not created your idemeum cloud tenant yet, please follow the steps below to create a trial tenant for your organization.

How to create idemeum trial tenant
Idemeum offers free 14-day trial to test various use cases and features
idemeum documentationNik Pot

Enable cloud directory for your MSP tenant

To manage identities of your MSP technicians we will leverage idemeum local directory. To enable local directory:

  • Navigate to https://<your-msp-domain>.idemeum.com/adminportal
  • Access Users → User source and choose Local
  • Save the configuration

Onboard other MSP technicians

You can now create accounts for other technicians, so that they can also be onboarded with mobile devices.

  • Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
  • Access UsersUser management and click Add user
  • Enter the following details to create a technician:
    • First name and Last name
    • Corporate email address
    • Username will be automatically generated. This username will be used to create unique admin account for each technician on the workstations that they access. You can change this username if you want.
    • Optionally specify personal email address
📪
Your technicians will need to install idemeum mobile application, verify one of the emails you specified in the user record, navigate to your MSP tenant URL, scan the QR-code, and they will be onboarded.

Create a customer tenant that you will manage

Idemeum offers Multi-Tenant MSP Portal to manage all your customer tenants from a single dashboard. To create a tenant for your customer:

  • Navigate to your MSP tenant admin portal at https://your-domain.idemeum.com/adminportal
  • Access Customers on the left and click Create customer
  • Enter Name (will be used to create a subdomain for your MSP tenant, for example customer-<your MSP domain>.idemeum.com) and Display name (will be used as a display name / title for your customer tenant)

Once the customer tenant is created, click on the name of the customer tenant, and you will be automatically logged in there. More about the MSP portal below.

Overview
idemeum MSP portal centralizes the control and management of multiple organizations from one dashboard. MSP admins can view top-level data for their managed organizations at-a-glance, or can access and directly manage each customer organization.
idemeum documentationNik Pot

Promote technicians to admins

For this set up we will promote technicians who need access to LAPS credentials to MSP tenant admins. To assign an Admin role to a technician so that he can view LAPS credential, please follow these steps:

  • Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
  • Access Users
  • Find the user record, click on ... and then choose Make admin

Configure customer tenant

Now access the customer tenant you created in the previous step. You can directly navigate to a customer tenant URL at customer-<your msp domain>.idemeum.com or navigate to your MSP postal, Customers section and click on the link from there.

Enable local directory for customer tenant

  • Navigate to UsersUser source
  • Choose Local from the dropdown and Save the configuration

Set up desktop client branding

You can configure the look and feel for the desktop client by configuring background, logo, and text for your users. You can follow the guide below.

Branding
When you install idemeum desktop application it takes over the login screen. In order for the application to reflect your branding images and logo, idemeum allows you to customize the login screen.
idemeum documentationNik Pot

Enable LAPS for the tenant

Follow the steps below to configure LAPS for customer tenant.

Configure cloud LAPS
In this guide we will take a look at how you can enable LAPS for local and domain admin accounts.
idemeum documentationNik Pot

Install idemeum desktop application

If you want to rotate local admin accounts on local and domain-joined workstations only, then install idemeum desktop client only on these workstations.

If you want to also rotate domain admin account, install idemeum desktop client on domain controller.

There are various installation methods, but the easiest option is to leverage PowerShell installation.

  • Navigate to your customer tenant admin dashboard
  • Access Settings -> Desktop installation
  • Navigate to PowerShell section and copy the PowerShell command
  • On the target workstation open PowerShell as AdministratorYou can now use this command to execute on the target workstation and perform the silent installation

View LAPS credentials

You can now view LAPS credentials for workstations.

View LAPS credentials
Who can view LAPS credentials Today only MSP tenant admins have access to LAPS credentials: * If you onboard a technician and promote him to MSP tenant admin, he will have access to all LAPS credentials of all customers * If you onboard a technician, and delegate access to customer tenant directly,
idemeum documentationNik Pot

Questions?

If you have any questions please join our Discord chat, and we will help.