Quick-start - Passwordless MFA for domain Windows workstations
In this guide we will set up idemeum Passwordless MFA for domain-joined Windows workstations. Your customers will be able to access their workstations without passwords, using mobile biometrics instead.
Sign up for idemeum MSP tenant
If you have not created your idemeum cloud tenant yet, please follow the steps below to create a trial tenant for your organization.
Enable cloud directory for your MSP tenant
To manage the identities of your MSP technicians we will use idemeum's built-in cloud directory (shown as the Local user source in the admin portal). To enable it:
- Navigate to https://<your-msp-domain>.idemeum.com/adminportal
- Access Users → User source and choose Local
- Save the configuration
Create accounts for your technicians
Now you can add your technicians to your tenant's local directory. Once onboarded, they will be able to log in to your MSP tenant and to your customer tenants with a mobile device.
- Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
- Access Users → User management and click Add user
- Enter the email address that the user will verify in the mobile application to be onboarded into your tenant, and save the user record
Create a customer tenant that you will manage
idemeum offers a Multi-Tenant MSP Portal to manage all your customer tenants from a single dashboard. To create a tenant for your customer:
- Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
- Access Customers on the left and click Create customer
- Enter Name (used to build the customer tenant's subdomain under your MSP domain, for example customer-<your-msp-domain>.idemeum.com) and Display name (used as the display name / title of the customer tenant)
Once the customer tenant is created, you can navigate to its URL and log in with a mobile device. More on how to access customer tenants below.
Delegate technician access to customer tenant
You have two options:
- Make every technician an Admin in your MSP tenant; technicians then have access to all created customer tenants by default.
- Do not assign the Admin role to technicians, but delegate access to each customer tenant directly.
To assign the Admin role to a technician, follow these steps.
- Navigate to your MSP tenant admin portal at https://<your-msp-domain>.idemeum.com/adminportal
- Access Users
- Find the user record, click on ... and then choose Make admin
To delegate access to each customer tenant directly, please follow these steps.
Configure customer tenant
Now we will configure the customer tenant for authentication with Passwordless MFA.
- Access your customer tenant with a mobile device. You can navigate directly to the customer tenant URL at customer-<your-msp-domain>.idemeum.com, or open the Customers section of your MSP portal and click the tenant link there. You will need to log in with your mobile device.
Enable cloud directory for customer tenant
- Navigate to your customer tenant admin dashboard and enable the cloud directory
- Access Users → User source and choose Local
- Save the configuration
Enable user authentication with Passwordless MFA
- Navigate to Settings and then Desktop login
- Click Enable desktop login for users
- Choose Passwordless MFA from the drop-down list
- Click Save
Create your customer users
Now you will create users for your customers so that they can onboard with a mobile device. For example, here I create a new user record for Mike:
- Provide First name and Last name
- Enter Company email address / UPN
- The idemeum username and password are populated automatically. For domain-joined computers you can ignore these values: they are only used for local (non-domain) workstation accounts.
- Optionally enter the Personal email address
Set up desktop client branding
You can configure the look and feel of the desktop client by setting the background, logo, and text shown to your users. You can follow the guide below.
Install idemeum desktop application
Now you can install the idemeum desktop application on a customer workstation. There are several installation methods; the easiest is the PowerShell installation.
- Navigate to your customer tenant admin dashboard
- Access Settings → Desktop installation
- Go to the PowerShell section and copy the PowerShell command
- Run this command on the target workstation from an elevated (administrator) PowerShell session to perform the silent installation. The command is specific to your customer tenant, so copy it from that tenant's dashboard rather than reusing one from another tenant.
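Once the silent install has run, it is worth confirming on the workstation that the client actually landed before asking a user to test the QR-code logon. The script below is an added example and is not idemeum's code or the installer command from the dashboard. It assumes (hypothetically, the guide does not state this) that the installer creates a normal Add/Remove Programs entry and registers a Windows credential provider, which is the mechanism Windows uses for custom logon methods, and that the display name or DLL path of both contains "idemeum"; change -ProductPattern if the real names differ. It also checks the two registry switches that silently hide an installed provider at the logon screen: a Disabled value on the provider's key and the "Exclude credential providers" group policy.

```powershell
# Added example, not idemeum's code: verify the desktop client and its logon
# provider after a silent install. All product names here are assumptions.
function Test-DesktopLoginInstall {
    param([string]$ProductPattern = 'idemeum')   # assumed name fragment

    # 1. Per-machine uninstall entries (64-bit and 32-bit registry views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$ProductPattern*" } |
        Select-Object DisplayName, DisplayVersion, InstallDate

    # 2. Registered credential providers: one subkey per CLSID whose default value
    #    is the provider name; the CLSID's InprocServer32 default value is the DLL.
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $providers = Get-ChildItem -Path $cpRoot | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $srv   = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                  -ErrorAction SilentlyContinue
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $props.'(default)'
            Dll      = $srv.'(default)'
            Disabled = [bool]$props.Disabled   # Disabled=1 switches the provider off
        }
    }
    $matching = $providers | Where-Object {
        $_.Name -like "*$ProductPattern*" -or $_.Dll -like "*$ProductPattern*"
    }

    # 3. The "Exclude credential providers" policy hides providers by CLSID even when
    #    they are installed; a logon test with no idemeum tile is often this setting.
    $policy   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                                 -ErrorAction SilentlyContinue
    $excluded = @()
    if ($policy.ExcludedCredentialProviders) {
        $excluded = $policy.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim() }
    }

    [pscustomobject]@{
        ProductInstalled   = [bool]$installed
        ProductEntries     = $installed
        CredentialProvider = $matching
        ProviderDisabled   = [bool]($matching | Where-Object { $_.Disabled })
        ProviderExcluded   = [bool]($matching | Where-Object { $excluded -contains $_.CLSID })
        AllProviders       = $providers
    }
}

$result = Test-DesktopLoginInstall
$result | Format-List ProductInstalled, ProviderDisabled, ProviderExcluded
$result.CredentialProvider | Format-Table CLSID, Name, Dll, Disabled -AutoSize
```

Reading these keys does not need elevation, so the check can run under a standard account or from your RMM tool. If ProductInstalled is true but CredentialProvider is empty, the pattern does not match the real provider name; inspect $result.AllProviders to find it. If ProviderDisabled or ProviderExcluded is true, the install is fine and the fix is in Group Policy, not in a reinstall.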
Test user login
Users can now log in to their workstations with idemeum Passwordless MFA.
- The user scans the QR code with the mobile application
- idemeum prompts the user for their domain credentials
- Once authenticated, the user can access any domain workstation with a mobile device
Passwordless elevated access for technicians
Your MSP technicians can also access customer workstations with a mobile device. No passwords are needed and there is nothing further to set up: as long as a technician is onboarded into the MSP tenant, she can access any customer workstation with a mobile device.
More about passwordless elevated access below.
Questions?
If you have any questions, join our Discord chat and we can help you.