Setting Custom Application Profile Deployment Options

For each APG application profile, you can customize five deployment options. The application record stores deployment options and deployment options are application profile-specific.

NOTE: Your Imprivata OneSign version and the type of application profiled determine whether you should open the Imprivata Admin Console and the Imprivata OneSign APG using Google Chrome or Microsoft Edge Chromium, or whether you must open them using Microsoft Internet Explorer. To use Chrome or Edge Chromium, a Chrome extension must be enabled. For some applications, you must log into the Imprivata Admin Console and open the Imprivata OneSign APG with Internet Explorer, even when applications were profiled in Chrome or Edge Chromium. For details, see Application Profile Generator Support for Chrome and Edge Chromium.

To customize deployment options for an application profile:

  1. Click the application profile name from the applications list.

  2. Select Deploy This Application? to display the deployment options.

This topic describes deployment properties. You can deploy the application profile to all users and user groups or you can limit the deployment to specific groups and/or organization units (OUs) and/or users. You can limit the deployment to specific versions of the Imprivata agent.

Other deployment options are described in other topics:

  • The application can use a specific set of credentials, or it can share credentials with other applications or with a domain. See Credential Sharing.

  • You can permit specific users, groups, and organization units to have multiple accounts for an application. See Multiple Accounts.

  • In the Multiple Accounts or Imprivata OneSign Credential Enrollment screens, users have the option to cancel out of the operation, bypassing OneSign. However, you can prohibit users from bypassing OneSign. See Single Sign-On Security Settings.

  • If you have profiled the change password screen or screens, you can use an Imprivata OneSign Password Policy to respond to application password change requests. See Implementing a Password Policy.

NOTES:

  • For web applications when you are using Internet Explorer to access the Imprivata Admin Console and Imprivata OneSign APG, the browser must have third-party browser extensions enabled. Set this in Tools > Internet Options > Advanced Tab > Browsing Folder > Enable third-party browser extensions (requires a restart of Internet Explorer).
  • Deployment options are not stored in AppProfiles.XML.

Selecting Deploy This Application? opens the deployment options. If the application is deployed, then you see all the deployment options currently set for the application.

To see the list of the deployed users for an application, click Find Deployed Users on the application record. Each application profile can have a variety of deployment properties associated with it, as described in the following sections.

You can deploy the profile to all users or you can limit deployment to specific organization units, groups, or users. To deploy to all users, select the domain that contains the target users, select For All Users, and then click Save at the bottom of the page.

To deploy to a specific OUs:

  1. Select the domain that contains the target OUs.

  2. Select These OUs, groups, and users. Two links appear. One for OUs and one for groups.

  3. Click Select OUs....

  4. Select the OUs to which you need to deploy, and then click Done.

  5. At the bottom of the application profile page, click Save.

You can deploy the profile to all users or you can limit deployment to specific organization units, groups, or users. To deploy to all users, select the domain that contains the target users, select For All Users, and then click Save at the bottom of the page.

To deploy to a specific groups:

  1. Select the domain the contains the target groups.

  2. Select the These OUs, groups, and users option. Two links appear. One for OUs and one for groups.

  3. Click Select groups....

  4. Select the groups to which you need to deploy. A check mark appears next to each selection.

  5. Click Close.

    Note: Imprivata OneSign saves the selected groups automatically. There is no Save button.

  7. At the bottom of the application profile page, click Save.

You can deploy the profile to all users or you can limit deployment to specific organization units, groups, or users. To deploy to all users, select the domain that contains the target users, select For All Users, and then click Save at the bottom of the page.

To deploy to specific users:

  1. Select the domain the contains the target users.

  2. Select These OUs, groups, and users. A field for specific users appears.

  3. Enter one or more user names in the Specify users field. If you enter multiple names, separate each name with semicolon.

  4. At the bottom of the profile page, click Save.

Imprivata OneSign keeps track of the version of Imprivata OneSign on which you created the application profile. The version of the Imprivata agent determines whether the agent can use the profile. By default, you cannot deploy a profile to an agent of an older version than the Imprivata OneSign version on which you first profiled the application. If a profile works for the current version of the agent, but not for an older deployed version, you can create two application profiles to accommodate the different Imprivata agents.

You can deploy a new profile to Imprivata agents of the same or a more recent version, and deploy an edited version of an existing profile to all agents that match the original version or later. However, the updated version may use features that the older agents do not support.

BEST PRACTICE: It is rarely necessary to use this feature. Upgrade to the most recent version of the Imprivata agent on all endpoint computers.

To deploy a profile to two populations of Imprivata agents:

  1. Deploy the old version to the old agents.

  2. Under a different profile name, profile the application for the newer agent.

  3. Deploy the old profile to the restricted set, and deploy the new profile normally. In the application profile > Deployment section, go to Deploy to All Agents with a version of... and make your selections as needed.

In the application profile > Deployment section, you can restrict deployment rights for this application profile by selecting Let all Administrators deploy this application.

Permission to Edit the Profile

Even if all Administrators can deploy this application profile, only users in the Administrator role that created this application profile and superior roles can edit the profile. Those roles must also have the Edit Application operation included in the operations that the Administrator role can perform.