About the Imprivata Agent
The Imprivata agent is installed on an endpoint computer or virtual machine; it monitors authentication behavior from user workstations and Citrix servers and periodically uploads the information to the Imprivata server.
The Imprivata agent manages:
- User authentication via finger biometrics, ID tokens, smart cards, proximity cards, and passwords.
- User and computer policies.
- Audit data.
- Application authentication.
The agent downloads user and policy information from the appliance at login and then checks for updates again periodically at an interval you set in the Imprivata Admin Console.
The Imprivata agent communicates securely via Imprivata Secure Exchange (ISX) technology with:
- Imprivata appliances
- Windows GINA Credential Provider
- Authentication peripherals (fingerprint readers, proximity card readers, smart cards)
The agent controls the logging of:
- User enrollment data (all authentication methods).
- Application enrollment credentials.
- Offline data.
For more on logging, see Appliance Logs.
Imprivata Agent Types
The Imprivata agent performs different functions based on how it is configured.

The Imprivata single-user computer agent supports single-user computers by extending desktop authentication with an Imprivata login module that provides additional services. When a user logs into the computer, the user logs into the Imprivata application and the Imprivata application in turn logs the user into Windows. Existing login functionality is unchanged. Additionally, a desktop-locking feature is provided to prevent unauthorized users from accessing the network from any computer that has an Imprivata agent installed.
When Using Non-Windows Login Modules
The Imprivata single-user computer agent can be installed on Windows computers that have non-Windows login modules already installed. The agent installer detects the existing login module and replaces it with the appropriate Imprivata application replacement for desktop access.
Automating Imprivata Agent Updates
Computer policies control which computers get automatic updates when Imprivata releases an agent update.
If your enterprise is only licensed for Imprivata Enterprise Access Management with MFA (formerly Imprivata Confirm ID), only the Single-User Computer agent (Type 1) is supported.

When the shared kiosk workstation agent is installed on a shared kiosk workstation, session management is limited to the session. Users log into the workstation and log into an Imprivata application separately. Users can log in and out of the Imprivata application without logging out of the Windows session.
Use the Imprivata shared kiosk workstation agent:
- To take advantage of fast user-switching and automated application shutdown (SSO only).
- When you do not need the desktop lockout feature.
- For Imprivata Directory users (Imprivata Directory users are not in your corporate user directory; see Creating Imprivata Accounts for Non-Domain Users).
For more information on managing Imprivata applications in a shared workstation environment, see Enabling Multiple Windows Desktop Workstations in Computer Policies.
When Using Non-Windows Login Modules
The Imprivata shared kiosk workstation agent can be installed on Windows computers that have non-Windows login modules already installed. The agent installer detects the existing login module and replaces it with the appropriate Imprivata application replacement for desktop access.

The Citrix or Terminal Server agent is installed on a Citrix server or a Microsoft Terminal Server; it is never deployed to users. You can only see the agent and access the menu features from the Citrix console session.
Users in a Citrix MetaFrame-only environment do not require a locally installed Imprivata agent to access their Citrix applications. Because the Citrix or Terminal server agent is not installed on client computers, it does not use the agent auto-update feature.
NOTE: Use the Citrix or Terminal Server agent only on Citrix MetaFrame, Citrix XenApp or Microsoft Terminal Services application servers. To install the agent, see Deploying the Imprivata Agent.

The Single Sign-On Test agent can be used on an isolated computer for testing upgrades of application profiles and agent behavior. It cannot secure a computer. It is never deployed to users.
In this configuration, the Imprivata agent never communicates with a production Imprivata appliance; it includes a standalone version of the Imprivata OneSign Application Profile Generator.
The Imprivata Agent Icons
The Imprivata agent is represented in the Windows Notification area by an Imprivata icon.
The following table briefly describes each agent status.
Icon | Agent Status |
---|---|
(icon) | The Imprivata agent is online, and Single Sign-On (SSO) is enabled. |
(icon) | The Imprivata agent is online, but SSO is disabled. |
(icon) | The Imprivata agent is not connected to an appliance, but SSO is enabled. This state is known as offline authentication. When the agent is in this state, it uses cached credentials for SSO. Imprivata client-side audit information is cached until the agent can reconnect with an appliance. |
(icon) | The Imprivata agent is not connected to an appliance. SSO is disabled. |
(icon) | The Imprivata Application Profile Generator (APG) is open, and the Imprivata agent is profiling an application for SSO. |
Imprivata Agent Menus
The agent has features that the user can access from a menu that opens on clicking the icon in the Windows Notification area.

The following options are available for Imprivata Confirm ID users by clicking the Imprivata icon in the Windows Notification area:
Menu Item | Function |
---|---|
Enroll Authentication Methods | Opens the Imprivata Confirm ID enrollment utility. |
Sync with Server | Synchronizes the Imprivata Confirm ID agent with the Imprivata appliance immediately, regardless of the next scheduled refresh interval. |
About | Provides information about the agent type and version. |
Exit | Allows the user to close the agent on their computer, if it is allowed in their user and computer policies. |
Modifying Agent Configuration in Bulk
You can modify the configuration of your Imprivata agents in bulk by two methods:
- To modify Imprivata agent configuration from the command line, see Distributing the Imprivata Agent from the Command Line.
- To modify Imprivata agent configuration via Active Directory Group Policy, see Deploy the Imprivata Agent via Active Directory Group Policy.
You may want to modify the configuration of your Imprivata agents in these scenarios:
- Require Valid SSL Certificate — You can turn the SSL requirement on or off in bulk. If you are adding Imprivata Confirm ID to your enterprise and your users will be e-prescribing controlled substances, the SSL requirement must be turned on for all Imprivata agents where EPCS signing will take place.
- Changing Imprivata agent types — You can change the Imprivata agent type as needed. For more about agent types, see About the Imprivata Agent.
- Appliance DNS name or IP address — The agent registry includes the IP address or DNS name of the Imprivata appliance; you can change this value as needed. You must set this value to the DNS address when Require Valid SSL Certificate is enabled.
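The two rules above (EPCS signing workstations need Require Valid SSL Certificate turned on, and the appliance must be set by DNS name whenever that requirement is on) can be checked across a fleet before a bulk change. The following is an added example, not Imprivata code: the CSV export and its column names are hypothetical, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample export; the column names are hypothetical, not Imprivata's.
INVENTORY_CSV = """\
computer,appliance_address,require_valid_ssl,epcs_signing
RX-WS-01,onesign.example.internal,1,1
RX-WS-02,10.20.30.40,1,1
RX-WS-03,onesign.example.internal,0,1
LAB-WS-07,10.20.30.40,0,0
ICU-WS-11,[fd00::10],1,0
"""

def is_ip_literal(address):
    """True if the address is an IPv4/IPv6 literal rather than a DNS name."""
    host = address.strip().strip("[]")  # tolerate bracketed IPv6 literals
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(csv_text):
    """Return {computer: [findings]} for rows that break either rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ssl_on = row["require_valid_ssl"].strip() == "1"
        epcs = row["epcs_signing"].strip() == "1"
        problems = []
        # Rule 1: EPCS signing requires the SSL requirement to be on.
        if epcs and not ssl_on:
            problems.append("EPCS signing host without Require Valid SSL Certificate")
        # Rule 2: with the SSL requirement on, the appliance must be a DNS name.
        if ssl_on and is_ip_literal(row["appliance_address"]):
            problems.append("SSL requirement on but appliance set by IP address")
        if problems:
            findings[row["computer"]] = problems
    return findings

if __name__ == "__main__":
    for computer, problems in audit(INVENTORY_CSV).items():
        for problem in problems:
            print(f"{computer}: {problem}")
```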
Language Support
The Imprivata agent is available in eleven languages.
The agent supports US English (default), Arabic, Brazilian Portuguese, Danish, Dutch, Finnish Suomi, French, German, Italian, Spanish, and Swedish.
During startup, the agent detects the language of the installed OS. If that language is one of the languages listed above, the agent uses it. If the default language is not one of the languages listed above, the agent uses US English.
You can set the language of the MSI InstallShield Wizard when installing the agent at the command line. See Distributing the Imprivata Agent from the Command Line.
NOTE: Language support for the Self-Service Password Reset feature is controlled by the browser. See Imprivata OneSign Self-Service Password Reset.
Balloon Tips and Status Messages
Imprivata software offers an array of balloon tips to help new and experienced users be aware of what actions Imprivata is performing. See Configuring Event Notifications.