Installing and Configuring ProveID Embedded on Linux Thin Clients

This topic includes information about installing and configuring Imprivata ProveID Embedded on Linux thin clients. Imprivata ProveID Embedded lets thin clients access virtual desktops, applications, and Imprivata Enterprise Access Management authentication services.

Before You Begin

Review the Imprivata Enterprise Access Management - SSO Supported Components in the Imprivata Environment Reference to:

  • Confirm your models and firmware versions are supported. An Imprivata Virtual Desktop Access license is required.

  • Verify the primary authentication methods that are supported.

    Desktop authentication with username and password is supported in all Imprivata environments. All other methods are only available if your Imprivata enterprise has an Authentication Management license.

Imprivata ProveID Embedded offers two-factor authentication that strengthens IT security by requiring users to provide a second form of identification for authentication. Imprivata ProveID Embedded supports the following first and second factors for authentication. For some first factors, you can allow a limited user choice for the second factor. For example, if proximity card is the first factor, you can allow fingerprint or network password as the second factor.

First Factor Second Factor
Network Password
  • None
  • Imprivata ID*
Fingerprint Authentication
  • None
  • Network password
  • Imprivata PIN
Passive Proximity Cards
  • None
  • Network password
  • Imprivata PIN
  • Fingerprint

Smart Card, but only if Imprivata Computer Policy option "Treat smart card authentications as proximity card authentications" is enabled, in which case the smart card acts as a passive proximity card.

If that option is not enabled in the Computer Policy that is applied to Imprivata ProveID Embedded endpoints, a smart card is not supported.

For more information on that option, see Configuring Smart Card Proximity Cards.
  • None
  • Network password
  • Imprivata PIN
  • Fingerprint
Security Questions (Q&A) None

* The Ohio State Board of Pharmacy does not currently allow Imprivata ID as an authentication method for non-EPCS workflows.

NOTE: In Imprivata offline mode, Imprivata ProveID Embedded primary authentication methods are limited to only password or proximity card, and two-factor authentication methods are limited to proximity card plus password.

Configuring Imprivata ProveID Embedded requires that you upload a signed SSL certificate from the appliance to the thin clients. The certificate must either be:

  • Signed by an Intermediate Certificate Authority (or root CA equivalent).

  • Self-signed by the appliance CA that was created when the Imprivata enterprise was deployed.

For more information about creating a Certificate Signing Request (CSR) on the appliance, see Imprivata Appliance Security Settings.

Imprivata ProveID Embedded thin and zero clients support multiple monitors.

Consider the following:

  • It is a best practice to power off the endpoint and connect the monitors before installing Imprivata ProveID Embedded.

  • If you want to connect monitors after ProveID Embedded is installed, exit the Imprivata agent and power off the endpoint. Connect the monitors and restart the endpoint.

  • Upgrading the Imprivata agent typically does not require that you restart the endpoint. However, if more than one monitor was connected to the endpoint during an upgrade, restarting the endpoint is required.

Installation Sequence

Before you begin:

  • Download the correct Imprivata IPM file from Imprivata.

    • Log in to the Imprivata Customer Experience Center, select OneSign from the Products menu and then select the product download for the release of Imprivata Enterprise Access Management you require.

  • In the Imprivata Admin Console, go to the gear icon menu > Sites page, and confirm all sites are in Up status; contact your Imprivata Support representative if it shows a different state.

  • Verify that Imprivata is in a Running state on all appliances in the enterprise.

To upload the Imprivata ProveID Embedded IPM file to the Imprivata appliance:

  1. In the Imprivata Appliance Console, go to the Packages tab. The following IPM files may be listed:

    • The currently installed Imprivata IPM file

    • The currently installed appliance IPM file

    • One or more ProveID Embedded IPM files

    • Other previously uploaded IPM files

  2. Click Upload Imprivata Package.

  3. Upload the IPM file to one of the appliances in the enterprise.

  4. Click Distribute and then Send to copy the IPM to all appliances in the enterprise.

  5. When the distribution is finished, click Done.

  6. Click Install. The Imprivata ProveID Embedded agent is installed on all appliances in the enterprise. The appliances do not need to restart to complete the installation.

  1. In the Imprivata Admin Console, go to the gear icon menu > API Access page.

  2. Select Allow full API access via ProveID Web API and ProveID Embedded.

  3. Select your thin client models.

  4. Click Save.

Configure a computer policy for your thin client environment.

Step 3a: Create a New Computer Policy

  1. In the Imprivata Admin Console, go to the Computers menu > Computer policies page.

  2. Create a new computer policy or edit an existing one.

Step 3b: Configure Agent Upgrade Settings

  1. Go to the General tab > ProveID Embedded agent version section.

  2. Select When an agent upgrade is available: Install the upgrade when idle or on reboot. For details, see Upgrades and Downgrades.

  3. Select a specific version to install from the list. If only one IPM file is uploaded to the appliance, this version is selected by default.

  4. Save and assign the computer policy to your thin clients.

BEST PRACTICE: If Latest version available is selected, all thin clients assigned to this policy will immediately upgrade to the latest version each time you upload and install a new version to the appliance. You can configure a separate computer policy with this setting and apply it to a small group of thin clients for testing purposes.

NOTE: The Agent Upgrades section on the General tab is for configuring an upgrade policy for Windows computers. Make no selection here when configuring a computer policy for thin clients.

The steps for installing Imprivata ProveID Embedded on the thin clients depends on your device type, as each have different interfaces.

Select the device type you are configuring:

Upload the signed SSL certificate from the Imprivata appliance to the thin clients. The certificate must either be:

  • Signed by an Intermediate Certificate Authority (or root CA equivalent).

  • Self-signed by the appliance CA that was created when the Imprivata enterprise was deployed.

If the SSL certificate expires or is removed after Imprivata ProveID Embedded is installed, access to the virtual desktop fails.

NOTE: You can set the registry key disable-certificate-checking to yes in the Imprivata.conf file to enable access to the virtual desktop even when the SSL certificate is expired or removed. This key has no effect on agent upgrades and downgrades. However the SSL certificate must be present on thin clients when upgrading or downgrading the Imprivata agent. See Expected Behavior Without a Valid Certificate

The DEA requires a valid root CA certificate for secure communication with the Imprivata appliance when e-prescribing controlled substances with Imprivata Confirm ID.

After you download the certificate from the Imprivata appliance, you can import it directly to one thin client or configure the wlx.ini file to include the certificate.

CAUTION: If your appliance uses certificates signed by a third-party certificate authority:

  • Save a copy of the third-party root CA to a USB storage device (thumb drive)

  • Skip the section "Download the Certificate from the Appliance" and proceed to the Upload the SSL Certificate section for your thin client device.

NOTE: If you need to change the Imprivata appliance (for example, when migrating from a test environment to your production environment), repeat all of Step 5 with the new appliance.

Download the Certificate from the Appliance

Make a copy of your SSL certificate to a USB storage device.

If you are using an Enterprise Access Management self-signed certificate, download a copy of the certificate as follows:

  1. Go to the Imprivata Appliance Console > Security page > SSL tab.

  2. Select Click here to download the certificate of this CA. The default certificate filename is ssoCA.cer

  3. Save a copy of the SSL certificate file to a USB storage device (thumb drive).

  • NOTE: IGEL thin clients do not recognize USB storage devices by default. See Troubleshooting.

    • Upload the SSL Certificate to the Thin Client Device

    The steps for uploading the SSL certificate to the thin clients depends on your device type, as each have different interfaces.

    Select the device type you are configuring:

    After the thin clients are restarted, the Imprivata ProveID Embedded agent installation is completed, and the Imprivata login screen opens.

    After the first installation, you can upgrade, downgrade, or install a new Imprivata agent version without restarting the thin clients.

    Configure access to your virtual desktop environment. For configuration details, see the following: