Deploy the Imprivata Agent via Active Directory Group Policy
You can use Microsoft Active Directory’s Group Policy tools to install the Imprivata agent in bulk on endpoint computers.
There are three steps:
Requirements
- A shared folder to which all endpoint computers have access.
- All the computers must be in one Active Directory Organizational Unit (OU).
NOTES:
- The user’s computer must have Windows Installer 3.1 or later.
- If you want to install the agent from the command line, see Distributing the Imprivata Agent from the Command Line.
- For standard msiexec options, you may want to run "msiexec /?" on the target operating system. Options vary by Windows Installer version. If that is not an option, see https://msdn.microsoft.com/en-us/library/cc185688(VS.85).aspx.
- If you want to install the agent on thin clients running Microsoft Windows Embedded operating systems, see Installing the Imprivata Agent on Thin Clients With Microsoft Windows Embedded Operating Systems.
When installing the Imprivata agent, an Internet connection is not needed. However, the endpoint computer must have an Internet connection for the Chrome browser to acquire the Imprivata OneSign extension from the Chrome Web store. Without it, Imprivata OneSign will not work for Chrome profiled applications. Also, an Internet connection will be necessary when any updates or upgrades are applied to the extension through the Chrome Web store. To confirm the Imprivata OneSign extension was installed, use the "Customize and control Google Chrome" tab to the right of the search bar. Click More tools > Extensions to view the Imprivata OneSign extension.

Prepare the Files
To install the Imprivata agent in bulk via an MSI push, you need the correct MSI files:
NOTE: When you only need to modify Imprivata agents in bulk, do not prepare an MSI file. Create the registry.bat file and edit the registry.reg file as needed.
- In the Imprivata Admin Console, go to the Computers menu > Deploy agents option and click Distribute the Agent...
- Select the agent MSI file. A download link is displayed.
- To prepare the files:
- Copy the MSI file (ImprivataAgent.msi or ImprivataAgentx64.msi) into a shared folder to which all endpoint computers have access.
- In the same folder, create a batch file with the line:
- regedit.exe /s \\<computer name>\<shared folder name>\registry.reg
- This procedure refers to this file as registry.bat.
Create a new REG file to point the Imprivata agent to the Imprivata appliance. In the same folder as the MSI file, create a new REG file with the lines:
- Windows Registry Editor Version 5.00
- [HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent]
- "IPTXPrimServer"="https://<Imprivata appliance fully-qualified domain name>/sso/servlet/messagerouter"
In addition to these lines, add a line for each registry value you want to modify. This procedure refers to this file as registry.reg.
Create the Package
Now create the package and tell the endpoint computers where to find it. In Active Directory, create a new group policy:
- Right-click the OU that contains the target endpoint computers, and select Properties > Group Policy > New.
- Give the policy a descriptive name.
- Select the new Group Policy and click Edit.
- In the Group Policy window, under Computer Configuration, select Software Settings > Software installation.
- In the right-hand pane, right-click in the empty space and select New Package. A dialog box opens.
- Enter the UNC path to the shared folder that you created earlier.
- CAUTION: Use the Uniform Naming Convention (UNC) path. Do not use mapped drives, or client computers with different drive mappings will be unable to find the files.
- Select Assign.
- Click OK to save the changes and close the window.
Add the BAT Script
After you make the package, use registry.bat to tell the installed Imprivata agents the location of the Imprivata appliance:
- In Active Directory, under Computer Configuration, select Windows settings > Scripts (StartUp/Shutdown).
- In the right pane, double-click the Startup option. This opens a new Startup Properties dialog.
- Click Add.
- Enter the UNC path to registry.bat in the shared folder that you created earlier.
- In Add Script, click OK. The script is displayed in the Scripts list in the Startup Properties dialog.
- After adding registry.bat, click Apply.
- Click OK to close the dialog.
Your push is now configured within Active Directory Group Policy. Each computer in the OU will receive the Imprivata agent the next time it restarts.

You can use Microsoft Active Directory’s Group Policy tools to modify the Imprivata agent registry values in bulk. You may need to modify the agent registry values to:
- Change the Imprivata agent type.
- Require an SSL certificate for e-prescribing controlled substances.
- Change the IP address or DNS name where the agent looks for the Imprivata appliance.
There are three steps:
Requirements
- A shared folder to which all endpoint computers have access.
- All the computers must be in one Active Directory Organizational Unit (OU).
Prepare the Files
Create a registry.bat file and a registry.reg file:
- In the shared folder to which all endpoint computers have access, create a batch file with the line:
- regedit.exe /s \\<computer name>\<shared folder name>\registry.reg
- This procedure refers to this file as registry.bat.
Create a new REG file with any changes you need to make to the agents. In the same folder, create a new REG file with the lines:
- Windows Registry Editor Version 5.00
- 64-bit endpoint computers: [HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent]
- "IPTXPrimServer"="https://<Imprivata appliance fully-qualified domain name>/sso/servlet/messagerouter"
To set the agent type, set the Type registry value with a Data Type of DWORD and a Value of 1 for single-user computers, 2 for shared kiosk workstations, and 3 for Citrix or Terminal Servers.
If your enterprise is only licensed for Imprivata Enterprise Access Management with MFA (formerly Imprivata Confirm ID), only the Single-User Computer agent (Type 1) is supported.
To require SSL, set the SSLValidation registry value with a Data Type of DWORD and a Value of 1.
This procedure refers to this file as registry.reg.
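As an added example that is not part of Imprivata's documentation, the following PowerShell script writes the registry.reg and registry.bat files described in this section (and in the install procedure above) into the deployment share from an appliance FQDN, agent type and SSL flag. The share path and FQDN are placeholders you supply; the UNC and host-name checks are the example's own additions.

```powershell
# Added example, not Imprivata's own tooling. Writes registry.reg and registry.bat into the
# deployment share so the GPO startup script can import them with "regedit.exe /s".
# Key path and value names (IPTXPrimServer, Type, SSLValidation) come from the procedure;
# the share path and appliance FQDN are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $SharePath,      # e.g. \\FILESRV01\ImprivataAgent (placeholder)
    [Parameter(Mandatory)] [string] $ApplianceFqdn,  # e.g. sso.example.com (placeholder)
    [ValidateSet(1, 2, 3)] [int] $AgentType = 1,     # 1 single-user, 2 shared kiosk, 3 Citrix/Terminal Server
    [switch] $RequireSsl                             # set SSLValidation=1 (e-prescribing)
)

# The share must be a UNC path: a mapped drive letter is not resolvable from other endpoints.
if ($SharePath -notmatch '^\\\\[^\\]+\\[^\\]+') {
    throw "SharePath must be a UNC path such as \\server\share, got '$SharePath'"
}
# The REG value wants a bare host name; the URL scheme and servlet path are fixed.
if ($ApplianceFqdn -match '[/:\s]') {
    throw "ApplianceFqdn must be a host name, not a URL, got '$ApplianceFqdn'"
}

# Build the REG file. DWORD values are written as 8 hex digits in .reg syntax.
$regLines = @(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent]',
    ('"IPTXPrimServer"="https://{0}/sso/servlet/messagerouter"' -f $ApplianceFqdn),
    ('"Type"=dword:{0:x8}' -f $AgentType)
)
if ($RequireSsl) { $regLines += '"SSLValidation"=dword:00000001' }

$regPath = Join-Path $SharePath 'registry.reg'
$batPath = Join-Path $SharePath 'registry.bat'
# Version 5.00 REG files are UTF-16LE; the batch file must stay ANSI for cmd.exe.
Set-Content -Path $regPath -Value $regLines -Encoding Unicode

# The batch file imports the REG file silently; the path is quoted and has no stray space.
Set-Content -Path $batPath -Value ('regedit.exe /s "{0}"' -f $regPath) -Encoding Ascii

Write-Host "Wrote $regPath and $batPath"
Get-Content -Path $regPath
```

Because registry.bat runs as SYSTEM at startup on every computer in the OU, restrict write access on the share to the administrators who maintain the deployment.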
Create the Package
Now create the package and tell the endpoint computers where to find it. In Active Directory, create a new group policy:
- Right-click the OU that contains the target endpoint computers, and select Properties > Group Policy > New.
- Give the policy a descriptive name.
- Select the new Group Policy and click Edit.
- In the Group Policy window, under Computer Configuration, select Software Settings > Software installation.
- In the right-hand pane, right-click in the empty space and select New Package. A dialog box opens.
- Enter the UNC path to the shared folder that you created earlier.
- CAUTION: Use the Uniform Naming Convention (UNC) path. Do not use mapped drives, or client computers with different drive mappings will be unable to find the files.
- Select Assign.
- Click OK to save the changes and close the window.
Add the BAT Script
After you make the package, use registry.bat to tell the installed Imprivata agents the location of the Imprivata appliance:
- In Active Directory, under Computer Configuration, select Windows settings > Scripts (StartUp/Shutdown).
- In the right pane, double-click the Startup option. This opens a new Startup Properties dialog.
- Click Add.
- Enter the UNC path to registry.bat in the shared folder that you created earlier.
- In Add Script, click OK. The script is displayed in the Scripts list in the Startup Properties dialog.
- After adding registry.bat, click Apply.
- Click OK to close the dialog.
Your push is now configured within Active Directory Group Policy. Each computer in the OU will receive the registry changes the next time it restarts.
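As an added check that is not part of Imprivata's documentation, this PowerShell script, run on an endpoint after the restart described here (and at the end of the install procedure above), confirms that the MSI package was applied and that the startup script set the expected values in the agent key. $ExpectedFqdn is a placeholder, and the DisplayName match against the installed-programs list is an assumption.

```powershell
# Added example, not Imprivata's own tooling. Run on an endpoint (elevated) after the
# GPO-triggered restart to confirm the push landed. $ExpectedFqdn is a placeholder, and the
# DisplayName match against the installed-programs list is an assumption.
param(
    [string] $ExpectedFqdn = 'sso.example.com',   # placeholder appliance FQDN
    [int]    $ExpectedType = 1                    # 1 single-user, 2 shared kiosk, 3 Citrix/Terminal Server
)

$expectedUrl = "https://$ExpectedFqdn/sso/servlet/messagerouter"
$agentKey    = 'HKLM:\SOFTWARE\SSOProvider\ISXAgent'
$problems    = @()

# 1. Software installation: the MSI should appear in the installed-programs list
#    (check both the native and the 32-bit registry views).
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Imprivata*' } | Select-Object -First 1
if ($product) { Write-Host "Installed: $($product.DisplayName) $($product.DisplayVersion)" }
else          { $problems += 'No Imprivata agent found in the installed-programs list' }

# 2. Startup script: registry.bat should have imported registry.reg into the agent key.
$agent = Get-ItemProperty -Path $agentKey -ErrorAction SilentlyContinue
if (-not $agent) {
    $problems += "$agentKey is missing: the startup script did not run or could not reach the share"
} else {
    if ($agent.IPTXPrimServer -ne $expectedUrl) {
        $problems += "IPTXPrimServer is '$($agent.IPTXPrimServer)', expected '$expectedUrl'"
    }
    if ($agent.Type -ne $ExpectedType) {
        $problems += "Type is '$($agent.Type)', expected $ExpectedType"
    }
    if ($agent.SSLValidation -ne 1) {
        $problems += 'SSLValidation is not 1: appliance certificate validation is not required'
    }
}

# Report. A non-zero exit code lets a monitoring or configuration-management job flag the endpoint.
if ($problems.Count -eq 0) {
    Write-Host 'Imprivata agent deployment verified'
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```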