Tenant cloud settings

With idemeum cloud you can make platform configurations right from the cloud admin portal. All desktop clients will retrieve and apply these settings automatically.

Access tenant settings

To access your tenant cloud settings, navigate to your admin portal and open the Settings menu on the left.

How settings are updated

When you adjust some of these settings (e.g. RFID series or branding), they will not take immediate effect. Here is how the idemeum desktop application retrieves these settings:

  1. Automatically - every 6 hours the idemeum desktop client contacts idemeum cloud and pulls the settings that have been updated.
  2. Manually - you can force the idemeum client to update the settings right away. Access each desktop client on the workstation, launch it, and click Update settings at the top right corner.

Global settings

Global tenant settings are represented under the Global settings tab at the top menu. Here is the list of available configurations.

Onboarding settings

Onboarding settings determine how users onboard into the organization with mobile identity. You can configure what information your employees need to verify on the mobile device before they can access company resources with it. The most common use case is to choose email address. That means you will need to verify your email address before you can start accessing the company portal with your mobile device.

Login settings

Login settings allow you to leverage built-in biometric sensors such as Face ID or Touch ID to access the company portal. When this feature is enabled, users can enroll their local biometric sensors from the idemeum portal.

You can also configure Session expiration, which defines how often your users need to re-authenticate with a mobile device. For example, if you choose 30 days, you can log in to the idemeum portal with local biometrics during the 30-day period. After that you will need to log in with a mobile device to restart the session.

Secure remote access

idemeum offers secure remote access capabilities, so that your users can access on-premises applications and servers without VPN. Before you can configure integrations with web, SSH, and RDP applications you need to enable this functionality in settings. Once secure remote access is enabled, cloud proxy infrastructure will be provisioned for your tenant.

Desktop login settings

Desktop login settings define the configurations that idemeum desktop client retrieves to enable certain features.

Admin controlled app installation

If this setting is enabled, only workstation admins can install idemeum desktop client. If a user does not have admin permissions, she will not be able to install idemeum desktop client.

Enable EJBCA

We support integration with an external CA for virtual smart card generation. This option allows for integration with EJBCA for certificate enrollment.

Enable sharing

When this option is not enabled, only the user who installed the desktop client will be able to access the workstation (with a mobile device or RFID badge). If sharing is enabled, the user can decide who to share the workstation with.

Assign access to all users

When desktop sharing is enabled, this option allows any user to access any workstation. For example, if you install the idemeum desktop client on a domain-joined Windows workstation and enable this option, any domain user can access the workstation with a valid RFID badge.

Assign ownership to all admins

When this option is enabled, all admins will be able to manage all desktop clients on workstations. Otherwise, only the admin who installed the application will be able to manage the idemeum desktop client.

Password onboarding

Password onboarding allows users to onboard / register their RFID badges using their domain credentials. When a new employee taps a badge that idemeum does not know about, the idemeum desktop client prompts the user for domain credentials. Once the credentials are entered and verified, the user is onboarded and the badge id is registered in idemeum.

Daily password prompt

idemeum allows you to configure an additional security mechanism by prompting the employee for a password once per day in the morning. When the employee comes to the office and taps the badge, idemeum will prompt the user for a password before allowing the employee to access any domain-joined workstation with an RFID badge.

Tap out mode

idemeum allows you to configure what happens when the employee taps out. The first option is to Sign out the employee from the workstation. Another option is to Lock the computer so that the session is preserved.

Badge starting series

This option allows you to specify the comma-separated badge starting series that are allowed to log in.

🧩
For example, if you specify 30,4 and then tap a badge that starts with 5, that login request will be ignored.
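
The starting-series rule above, written out as a check you can run on a proposed setting before saving it in the portal. This is an added example, not idemeum's code; the function names, the decimal-only badge ids and the handling of spaces and empty entries are assumptions, and the badge ids are constructed.

```python
def parse_badge_series(setting: str) -> list[str]:
    """Split a comma-separated series setting into prefixes.

    Assumptions: spaces around entries are ignored and entries are
    decimal digits, as in the page's "30,4" example.
    """
    prefixes = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            # e.g. a trailing comma: an empty prefix matches every badge
            raise ValueError("empty series entry would match every badge")
        if not entry.isdigit():
            raise ValueError(f"non-numeric series entry: {entry!r}")
        prefixes.append(entry)
    return prefixes


def badge_allowed(badge_id: str, prefixes: list[str]) -> bool:
    """A badge is accepted only if its id starts with a configured series."""
    return any(badge_id.startswith(p) for p in prefixes)


def redundant_entries(prefixes: list[str]) -> list[tuple[str, str]]:
    """Return (short, long) pairs where the short series already covers
    the long one, so the allowlist is wider than the long entry suggests."""
    return [(a, b) for a in prefixes for b in prefixes
            if a != b and b.startswith(a)]


if __name__ == "__main__":
    series = parse_badge_series("30,4")
    # Constructed badge ids, for illustration only.
    for badge in ("3001234", "4123456", "5123456", "3112345"):
        verdict = "allowed" if badge_allowed(badge, series) else "ignored"
        print(badge, verdict)
    print(redundant_entries(parse_badge_series("4,41")))
```

A one-digit series such as 4 accepts every badge id that begins with 4, so longer series are the narrower choice when the badge population allows it.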

Desktop master key

Desktop master key is generated in your user portal, so that it can be used by idemeum desktop clients to encrypt your employees' passwords and credentials. This way idemeum achieves an encryption where the key is only known to you. Even if idemeum cloud is compromised, the attackers will never know your master key, and they will not be able to decrypt your passwords.

🔗 Learn more about master key.

Desktop installer credentials

You can generate an OAuth client ID and secret for silent installation of the idemeum desktop client. For example, you can use PDQ Deploy to push the idemeum client to all Windows domain-joined machines. These client credentials allow the idemeum desktop client to register with your cloud tenant.

🔗 Learn more about silent installation.

Branding settings

When you install the idemeum desktop application, it takes over the login screen. So that the application can reflect your branding images and logo, idemeum allows you to customize the login screen.

🔗 Learn more about branding.