Imprivata ID for Windows Access

This topic provides an overview of Imprivata ID for Windows Access, what you need to deploy it in your enterprise, and roll it out to users.

Adding Imprivata ID to Windows access is ideal when an extra layer of security is needed for certain users and/or certain computers; for example, administrative accounts or access to virtual desktop servers.

When the user logs into Windows with his username and password, Imprivata ID sends a push notification to his device. He accepts and is granted access.

Number Matching authentication is not available for this workflow.

The user can be prompted to download Imprivata ID and enroll before and/or after the desktop opens.

The user must have a supported iOS or Android device and the Imprivata ID app installed; no additional hardware is required at the endpoint computer to support this workflow.

Licensing Considerations

Unlike other desktop authentication methods that require an Authentication Management license, when you enable Imprivata ID for Windows Access, each user in that policy only counts towards your Confirm ID for Remote Access license total. See Imprivata Licensed Features

Enroll Users

Your users can download and install the Imprivata ID app at any time. They are not prompted to enroll Imprivata ID or use it to authenticate until they are included in a user policy that requires Imprivata ID for authentication.

Based on the required Imprivata ID feature, make sure that the following requirements are met.

NOTE: Unless otherwise noted, a requirement applies to all Imprivata ID features.

iOS Requirements

  • iOS 11 or later installed.

  • An active Internet connection is required to enroll Imprivata ID, as well as to send log files to Imprivata.

  • Hands Free Authentication:

    • Bluetooth enabled.
    • Access to Location Services (Always).
    • An active Internet connection is not required for Hands Free Authentication or manual token code entry.

  • Remote Access:

    • Notifications enabled.
    • An active Internet connection is required for push notifications.

  • Secure Walk Away

    • iPhone 6s or later.

    • Access to Location Services (Always), Bluetooth Sharing, and Motion & Fitness is required.

  • QR code for direct access to the download page on the iTunes App Store:

Android Requirements

  • Android 6 or later installed.

  • An active Internet connection is required to enroll Imprivata ID, as well as to send log files to Imprivata.

  • Hands Free Authentication:

    • Bluetooth enabled.

    • An active Internet connection is not required for Hands Free Authentication or manual token code entry.

  • Remote Access:

    • Notifications enabled.

    • An active Internet connection is required for push notifications.

  • Secure Walk Away:

    • Samsung Galaxy S7 or later.

    • Google Pixel 1 or later.

    • OnePlus 6 or later.

    • Bluetooth enabled.

  • QR code for direct access to the download page on Google Play:

  1. Open the Imprivata ID app on your device.

  2. Log into the Imprivata enrollment utility on a computer: Click the Imprivata icon in the Windows notification area (Imprivata agent menu), and then click Enroll Authentication Methods.

    The authentication methods available for you to enroll are displayed:

  3. Click Get Started! or Enroll your Imprivata ID on the enrollment utility home screen. The Enroll your Imprivata ID screen opens.

  4. Enter the 12 character serial number and six digit token code displayed on the Imprivata ID app screen.

  5. Click Done.

  6. When your Imprivata ID is successfully enrolled, your device's name appears on the Imprivata enrollment utility screen. Click Done.

    NOTE: You can enroll multiple Imprivata IDs. To enroll another Imprivata ID on a different device now, click Enroll another. If you want to enroll later, perform the steps in this section again when you are ready.

  7. If you are enrolling in the presence of an enrollment supervisor, the supervisor authenticates to witness your enrollment.

You can allow users to remotely enroll Imprivata ID after enrolling at least one second factor. After a user replaces their device, they can enroll Imprivata ID on the new device without calling your IT helpdesk first:

  1. In the Imprivata Admin Console, go to Users > Workflow policy.

  2. Go to Remote access workflows > Log In > Self-service and check Allow users to remotely enroll and manage authentication methods

  3. Click Save.

  • When enabled, Self Service Enrollment is an option for all users associated with the Remote Access Log In workflow (if your Log In workflow includes Imprivata ID.)

  • Self Service Enrollment is available only for remote access gateways that use Imprivata cloud-based authentication with the Imprivata graphical user interface. The legacy RADIUS remote access experience does not support Self Service Enrollment.

CAUTION:

When clinicians replace their device with a new model, their EPCS Allowed Imprivata ID enrollment is not carried forward to the new device. Self service enrollment of Imprivata ID does not replace the EPCS Allowed enrollment required for Imprivata ID.

These users can enroll Imprivata ID on their new device for remote access as described below, but before they can use Imprivata ID on their new device for EPCS workflows, they will first need to confirm their email and phone number.

Typical User Workflow

A user has upgraded to a new device. Imprivata ID was restored from a backup automatically to the new device. The user may not realize Imprivata ID must be re-enrolled on the new device.

  1. The user enters his username and password in the Imprivata Enterprise Access Management interface at his remote access gateway.

  2. He clicks Log in. Imprivata Enterprise Access Management sends a push notification to his old device only.

  3. The user sees onscreen that Imprivata ID is waiting for him to approve the notification, but the model of his old device is displayed. This visual cue is designed to prompt the user to take action. (The onscreen model display is a feature improvement for all push notifications.)

  4. The user does not have to call your helpdesk. The user clicks Add new device instead.

    The user must complete a second authentication before they can enroll Imprivata ID.

    BEST PRACTICE:

    When rolling out Imprivata ID to your users, require users to enroll their phone number for SMS authentication. SMS authentication is the easiest method in this case; the user could also authenticate with Imprivata ID on their old device (if he still has it) or call your helpdesk for a temporary code.

  5. The user clicks SMS code. Imprivata Enterprise Access Management sends an SMS code to his device (the user kept his phone number when he upgraded his device, so his SMS enrollment is unchanged.)

  6. The user receives the SMS message on his new device, enters the verification code onscreen, and clicks Confirm your identity.

  7. The Enroll your Imprivata ID screen opens. The user opens the Imprivata ID app on his new device, enters the serial number and token code from the app, and clicks Submit.

    The user's Imprivata ID is enrolled. After he clicks Done his remote access gateway opens as usual. The next time he logs in remotely, Imprivata ID on his new device will receive the push notification by default.

    Imprivata ID on his old device is still enrolled, will continue to receive push notifications, and can continue to be used unless deleted by the user or your Imprivata Enterprise Access Management administrator.

When a clinician replaces her device with a new model, or she restores, replaces, or reinstalls Imprivata ID for any reason, her EPCS-allowed Imprivata ID enrollment is not carried forward to the new device.

For an Institutionally identity proofed provider, the clinician must have at least two EPCS-allowed methods available to self-enroll a new Imprivata ID, if self-enrollment is allowed by their organization. Alternatively, if a provider does not have enough EPCS-allowed methods to self-enroll, or self-enrollment is not enabled, then the provider can enroll a new Imprivata ID with a supervisor who witnesses the enrollment.

For an Individually identity proofed provider, the clinician does not need to repeat identity proofing, but before she can use Imprivata ID on her new device for EPCS workflows, she will need to confirm the same email and phone number as she did during Identity Proofing.

Require Imprivata ID for Windows Access

There are several methods to enable Imprivata ID for Windows Access. You can set up either of these or both:

  • User Requirement — Require all users in a policy complete two-factor authentication with Imprivata ID every time they authenticate at any endpoint computer.
  • Computer Requirement — Require Imprivata ID for Windows Access only at specific desktops.

Configure the User Policy

  1. In the Imprivata Admin Console, go to Users > User Policies.

  2. Add a new user policy, or make a copy of an existing user policy. See Creating and Managing User Policies

  3. Move the required users into this user policy.

  4. On the Authentication tab, go to the Licensed option section and select Imprivata ID for Windows Access.

  5. In the Desktop Access authentication section, select Password for the primary factor, and Imprivata ID for the secondary factor.

  6. Click Save.

Configure the Login and Enrollment Options

  1. In the Authentication method options section, go to Password. If you want to allow a grace period where the user does not need to respond to a push notification from Imprivata ID, make that selection here:

    • Workflow during grace period — To authenticate, user enters username and password only.

    • Workflow after grace period — To authenticate, user enters username and password, then must respond to the push notification from Imprivata ID.

  2. In the Authentication method options section, go to Imprivata ID. Configure your requirements for enrolling Imprivata ID here:

    • You can force the user to enroll Imprivata ID before they can access the desktop, or allow them to skip enrollment for up to 90 days.

    • Before the desktop opens, the user will be prompted to enroll Imprivata ID. You can also prompt the user to enroll Imprivata ID after the desktop opens.

  3. Click Save.

Enable Licensed Option

  1. In the Imprivata Admin Console, go to Users > User Policies.

  2. Select the policy that contains users who will require Imprivata ID for Windows Access.

  3. On the Authentication tab, go to the Licensed option section and select Imprivata ID for Windows Access.

  4. Do not select Imprivata ID in the Desktop Access authentication section.

  5. Click Save.

Disable Password-Only Desktop Access

  1. In the Imprivata Admin Console, go to the gear iconSettings.

  2. In the section Password-only desktop access, deselect Allow password-only desktop access.

    This prevents users without Imprivata ID enrolled from accessing the desktop.

  3. At the top or bottom of the page, click Save.

Set a Computer Policy Override

  1. In the Imprivata Admin Console, go to ComputersComputer Policies.

  2. Add a new computer policy, or make a copy of an existing computer policy. See Creating and Managing Computer Policies

  3. Move the required computers into this computer policy. See Managing Computer Accounts

  4. On the Override and Restrict tab, go to the Desktop Access Authentication Restrictions section and select Restrict user policy.

  5. Select Password for the primary factor and Imprivata ID for the secondary factor.

  6. Click Save.

Configure the Login and Enrollment Options

  1. In the Authentication method options section, go to Password. If you want to allow a grace period where the user does not need to enter their second-factor authentication, make that selection here.

  2. In the Authentication method options section, go to Imprivata ID. Configure your requirements for enrolling Imprivata ID here:

    • You can force the user to enroll Imprivata ID before they can access the desktop, or allow them to skip enrollment for up to 90 days.

    • Before the desktop opens, the user will be prompted to enroll Imprivata ID. You can also prompt the user to enroll Imprivata IDafter the desktop opens.

  4. Click Save.

The Imprivata Credential Provider and Windows Login

If your enterprise is licensed for Imprivata Confirm ID Remote Access but you do not have an Imprivata Authentication Management or Single Sign-On license, the Imprivata credential provider does not appear when logging into Windows workstations. You must override log in and locking of Windows workstations and use the Imprivata credential provider to manage logging into Windows workstations instead:

Configure Workstations to Use the Imprivata Credential Provider

  1. In the Imprivata Admin Console, go to ComputersComputer Policies.
  2. Select a computer policy where the Imprivata credential provider must be used.
  3. Go to the General tab > Desktop experience section.  If the Windows credential provider is in use, Override log in and locking of the Windows workstation is selected here.
  4. Uncheck Override log in and locking of the Windows workstation.
  5. Click Save.

Repeat this process for any other computer policies that will require Imprivata ID for Windows access.

Ensure Access for Non-Imprivata Users

If your enterprise is licensed for Imprivata Confirm ID Remote Access but you do not have an Imprivata Authentication Management or Single Sign-On license, users who are not synchronized with the Imprivata user database or configured to use Imprivata ID for Windows Access can still log into Windows.

When the Imprivata credential provider appears on a Windows desktop and a non-Imprivata user enters their username and password, OneSign authentication fails (because they're not in the Imprivata user database), but if Windows local authentication succeeds, are allowed to log in.

BEST PRACTICE:

To allow non-OneSign users to log in, you can add them to an Active Directory or Local group, and allow this Local group to authenticate to Windows if OneSign authentication fails.

To confirm the default setting in the Imprivata Admin Console:

  1. In the Imprivata Admin Console, go to ComputersComputer policies.

  2. Select a computer policy where Imprivata ID for Windows Access is required.

  3. Go to the General tab > Authentication section.

  4. Verify that If OneSign authentication fails, but Windows authentication succeeds, should the user be allowed to log in to the computer? to Yes.

  5. Click Save.

  6. Repeat this process for any other computer policies where non-Imprivata users must be able to log in.

Troubleshooting

If specific users are experiencing issues with push authentication, make sure the Imprivata ID app is running on the user's device.

If that doesn't resolve the issue, make sure the user's device meets all of the following requirements:

iOS Requirements

  • iOS 11 or later installed.

  • An active Internet connection is required to enroll Imprivata ID, as well as to send log files to Imprivata.

  • Hands Free Authentication:

    • Bluetooth enabled.
    • Access to Location Services (Always).
    • An active Internet connection is not required for Hands Free Authentication or manual token code entry.

  • Remote Access:

    • Notifications enabled.
    • An active Internet connection is required for push notifications.

  • Secure Walk Away

    • iPhone 6s or later.

    • Access to Location Services (Always), Bluetooth Sharing, and Motion & Fitness is required.

  • QR code for direct access to the download page on the iTunes App Store:

Android Requirements

  • Android 6 or later installed.

  • An active Internet connection is required to enroll Imprivata ID, as well as to send log files to Imprivata.

  • Hands Free Authentication:

    • Bluetooth enabled.

    • An active Internet connection is not required for Hands Free Authentication or manual token code entry.

  • Remote Access:

    • Notifications enabled.

    • An active Internet connection is required for push notifications.

  • Secure Walk Away:

    • Samsung Galaxy S7 or later.

    • Google Pixel 1 or later.

    • OnePlus 6 or later.

    • Bluetooth enabled.

  • QR code for direct access to the download page on Google Play:

If the Imprivata database is restored while users are enrolling Imprivata IDs, or after Imprivata IDs have been enrolled, the users must re-enroll their Imprivata IDs. Contact Imprivata Customer Support for assistance.

You can resolve some errors that occur during DigiCert identity proofing. If the error message instructs you to

  • "Delete record and notify user to restart identity proofing", or
  • "Delete identity proofing record and notify user to restart process"

Delete the user's record but do not delete the user:

  1. In the Imprivata Admin Console, go to UsersUsers and find the user in the database.
  2. On the user detail page, go to DigiCert Individual Identity Proofing and click Delete Record. This action is permanent and the user must identity proof again for EPCS.
  3. Notify the user to start identity proofing again.

If you delete the entire user from the Imprivata database, you will have to wait five days for the system to reset before they can use that same email address again for identity proofing.

Clinicians who e-prescribe controlled substances with a Symantec VIP token can continue to use this token with Enterprise Access Management after identity proofing with Digicert. The following workaround is only applicable for:

  • users who have already completed identity proofing with Symantec NSL and

  • enrolled their VIP token for EPCS and

  • completed identity proofing with Digicert and

  • are associated with the Enterprise Access Management EPCS workflow and

  • that workflow allows OTP tokens for authentication.

  1. In the Symantec VIP Manager, remove the user's VIP software token (UsersSearch UserEdit DetailsCredentialRemove)
  2. In the Imprivata Admin Console, remove the user's VIP software token: Go to Users > Symantec VIP Credentials, select the user, and click Remove From This User.
  3. In the Symantec VIP Manager, disable the user's account (UsersSearch User > from the Search Results page, click Disable Credential)
  4. In the Symantec VIP Manager, enable the user's account again (UsersSearch User > from the Search Results page, click Enable Credential).
  5. Advise the user to re-enroll the Symantec VIP token with Enterprise Access Management.

Cloud Connection

Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:

  1. If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.
  2. Services will enter your Enterprise ID and cloud provisioning code.
  3. Click Establish trust.
BEST PRACTICE:

The cloud connection must be established by Imprivata Services.

Cloud Connection Status

You can review the status of your enterprise's connection to the Imprivata cloud at any time. Status notifications are displayed on the Imprivata Admin Console, and the cloud connection status of every appliance at every site is also available:

  1. In the Imprivata Admin Console, go to the gear iconCloud connection.

  2. Every appliance host is listed with its status. If there are problems with a connection, recommendations for resolving the problem are displayed here.