Configuring Imprivata Secure Walk Away
Imprivata Secure Walk Away enables automatic walk-away security based on the proximity of your users' mobile phones. Imprivata Enterprise Access Management monitors enrolled phones and:
- Locks the endpoint when the phone is no longer detected.
- Optionally, unlocks the endpoint when the phone is detected during a grace period.
Secure Walk Away can be used in combination with, and falls back to, existing keyboard and mouse inactivity timers.
Requirements
Review the following requirements:

While this feature is available as part of your Imprivata Authentication Management (AM) or AM/Single Sign–On (SSO) license, all currently supported BLE devices must be flashed with new firmware before enabling Secure Walk Away.
NOTE: For a list of supported BLE devices, see "Imprivata OneSign Supported Components" in the Imprivata Environment Reference. You can download the required firmware files and instructions for flashing your devices here.

The Imprivata ID app is required to monitor the proximity of the phone. Users must install the Imprivata ID app and enable Automatic Signout.
Consider the following:
- Imprivata ID is available from either the Apple app store or Google Play.
- New users are prompted to enable Automatic Signout as part of the setup process.
- Existing users who upgrade can locate and enable Automatic Signout in the Features menu.

Consider the following:
- Secure Walk Away supports both the iOS and Android operating systems.
- A BLE receiver is required to recognize the phone:
  - It is not necessary to pair the BLE enabled hardware with the phone.
  - Secure Walk Away supports one BLE device per workstation.
  - BLE enabled devices are available as a standalone dongle, combination proximity card reader, multi-function keyboard, and multi-function pod.
NOTE: For a list of supported phones and BLE devices, see "Enterprise Access Management - SSO Supported Components" in the Imprivata Environment Reference.
Supported User Workflows
Monitoring a user's presence helps to provide a better balance between security and user convenience. You can:
- Increase inactivity timeouts because you know the user is nearby.
- Fall back to existing inactivity timeouts for a user who does not have their phone or whose phone cannot be detected.
- Optionally, automatically unlock the workstation when the user returns to it.
The following factors can help you decide whether automatically unlocking the workstation is right for the environment:
- The physical location of the workstations.
- The number of clinicians that use the workstation during a particular time.

Public areas where multiple users have access to the same workstation, such as a nursing station on a medical surgery floor, may be suited for locking the workstation only.
The following is an example of this workflow:
- User 1 has their phone present and logs into Enterprise Access Management.
  Secure Walk Away detects the phone, and the Imprivata agent begins to monitor it.
- User 1 walks away from the workstation.
  The Imprivata agent detects that the phone is no longer present.
- After the specified Imprivata ID thresholds, an inactivity warning appears, and then the desktop is locked.
- User 2, who has left their phone at home, logs into Enterprise Access Management.
  Secure Walk Away falls back to existing inactivity timeouts.
- User 2 leaves the workstation without securing it.
- After the specified keyboard and mouse inactivity thresholds, an inactivity warning appears, and then the desktop is locked.

Private areas, such as a physician's office, or a setting where the same person is expected to be at the same workstation for an extended period, such as a radiology lab, may be suited for locking and unlocking the workstation.
The following is an example of this workflow:
- A user has their phone present and logs into Enterprise Access Management.
  Secure Walk Away detects the phone, and the Imprivata agent begins to monitor it.
- The user walks away from the workstation.
  The Imprivata agent detects that the phone is no longer present.
- After the specified Imprivata ID thresholds, an inactivity warning appears, and then the desktop is locked.
- The user returns to the workstation within the specified Secure Walk Away grace period.
  The Imprivata agent detects the phone and unlocks the workstation automatically.
- While the user works, the phone's battery dies.
- The Imprivata agent can no longer detect the phone.
- After a specified inactivity threshold, an inactivity warning appears, and then the desktop is locked.
- The user re-authenticates to the workstation.
- The Imprivata agent cannot detect the phone.
- Secure Walk Away falls back to keyboard and mouse inactivity timeouts.
Prepare the Environment
Complete the following to prepare the environment for Secure Walk Away.

Consider the following:
- New users are prompted to enroll Imprivata ID, as well as any other authentication methods assigned to them in the user policy.
- Although the Imprivata enrollment utility always includes the option to enroll Imprivata ID, existing users are not prompted to do so after authenticating.
To help facilitate enrollment, the Imprivata ID User Rollout Kit contains resources that you can use to introduce Imprivata ID and Secure Walk Away to your users.
The kit includes the following:
- Introducing Imprivata ID for Secure Walk Away — This email template includes links to the iTunes App Store and Google Play.
  You can customize this template to meet your organization's needs.
- Imprivata ID Readiness — This handout illustrates how to enable Automatic Signout after installing the app.
- Enrollment Guide for Secure Walk Away — This quick start guide provides instructions for enrolling Imprivata ID.
BEST PRACTICE: After enrollment, it is recommended that users leave Imprivata ID running.
Apple has officially stated that closing apps does not generally extend battery life. Further, Imprivata testing has also confirmed that leaving Imprivata ID running should not adversely affect battery life.

If not already disabled, disable Ctrl+Alt+Delete.
Use the Command Line
To disable the functionality:
- Open the command line, and type the following to open the User Accounts window:
  control userpasswords2
- On the User Accounts window, open the Advanced tab.
- Go to the Secure logon section, deselect Require users to press Ctrl+Alt+Delete, and then click OK.
Use the Registry Editor
To disable the functionality:
- In the Registry Editor, go to the following location:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Find or create the following DWORD value:
  DisableCAD
- Give DisableCAD a value of 1.
NOTE: Use the path shown above on both 32-bit and 64-bit systems. Setting the value under the Wow6432Node path on a 64-bit system does not apply it.
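The registry change above can also be applied and verified from PowerShell. The following is an added example, not Imprivata's own code; it assumes an elevated session, uses the standard Winlogon path from the note above, and reads the value back through the 64-bit registry view so that a value mistakenly written under Wow6432Node is caught rather than silently ignored.

```powershell
# Added example (not Imprivata's code): set DisableCAD and then verify it
# through the 64-bit registry view, since a value written under the
# Wow6432Node path does not take effect. Run from an elevated session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Create the DWORD value if it is missing, or overwrite it if it exists.
Set-ItemProperty -Path $winlogon -Name 'DisableCAD' -Value 1 -Type DWord

# Read back from the native 64-bit view. Opening the hive with
# RegistryView.Registry64 bypasses the WOW64 redirection a 32-bit host
# process could otherwise be subject to, so this reads the path Winlogon uses.
$hklm64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
$key    = $hklm64.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
try {
    $value = $key.GetValue('DisableCAD')
    if ($value -ne 1) {
        throw "DisableCAD is '$value' in the 64-bit view; expected 1. Check whether it was written under Wow6432Node instead."
    }
    "DisableCAD = $value (Ctrl+Alt+Delete at logon is disabled)"
}
finally {
    $key.Close()
    $hklm64.Close()
}
```

The read-back is the part worth keeping in any deployment script: Set-ItemProperty against the HKLM: drive succeeds even when the host process is redirected, so only a check through the explicit 64-bit view confirms that the value landed where Winlogon reads it.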

A BLE receiver is required to recognize the phone.
- Imprivata Secure Walk Away supports one BLE enabled device per workstation.
- It is not necessary to pair the BLE enabled hardware with the phone.
NOTE: For a list of supported BLE devices, see "Enterprise Access Management - SSO Supported Components" in the Imprivata Environment Reference.
Configure Imprivata Secure Walk Away

Secure Walk Away is a separately licensed feature. When you enable Secure Walk Away in a user policy, each user in that policy counts towards your Imprivata ID for Secure Walk Away license total.
To configure the user policy:
- In the Imprivata Admin Console, click Users > User Policies.
- Edit an existing user policy or create a new one.
- On the Authentication tab, go to the Walk-away security section, and select Allow Secure Walk Away.
  NOTE: The additional Imprivata ID settings that are available in the Authentication method options section do not apply to Secure Walk Away.
- Save the user policy.
  All of the users assigned to the policy are enabled for Secure Walk Away.
NOTE: For more information about working with user policies, see Creating and Managing User Policies.

You configure the computer policy to control how the workstation responds to:
- The proximity of the phone throughout the shift.
- Keyboard and mouse inactivity when the phone is detected.
- Keyboard and mouse inactivity when the phone is not detected.
To configure the computer policy:
- In the Imprivata Admin Console, click Computers > Computer Policies.
- Edit an existing computer policy or create a new one.
- Open the Walk-Away Security tab, and go to the Secure Walk Away section.
- Select a time from Lock workstation after and Show inactivity warning.
  These values manage desktop locking when the phone is no longer detected.
  For example, the phone is detected after the user logs in, but moves out of range when the user leaves the workstation.
- (Optional) Select a time from Automatically re-authenticate user.
  This value manages the grace period during which a user can return to the workstation and have it automatically unlocked.
- Go to the Inactivity Detection section:
  - If required, adjust the Imprivata ID inactivity and warning thresholds.
    These values manage desktop locking when the phone is detected, but there is no keyboard and mouse activity.
  - Configure the Keyboard and mouse inactivity and warning thresholds.
    If the phone cannot be detected after logging in, Secure Walk Away falls back to these inactivity thresholds.
- Save the computer policy.
  All of the computers assigned to the policy are configured for Secure Walk Away.
NOTE: For more information about working with computer policies, see Creating and Managing Computer Policies and Assigning Computer Policies.
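To make the precedence between the three sets of thresholds concrete, the following is an added example, not Imprivata's code, that models which timer governs the desktop under the computer policy above and replays the two workflows from Supported User Workflows against it. The function name, parameter names and the policy values are assumptions constructed for the example; the agent's actual internal logic is not described on this page.

```powershell
# Added example (not Imprivata's code): a simplified model of which walk-away
# timer governs the endpoint under the computer-policy settings described
# above. The function name, parameter names and sample policy values are
# constructed for illustration; the agent's internal logic is not documented here.
function Resolve-WalkAwayAction {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [bool] $PhoneSeenSinceLogin   = $false,  # agent detected the phone at some point after login
        [bool] $PhonePresentNow       = $false,
        [int]  $SecondsSincePhoneLost = 0,       # time since the agent last saw a monitored phone
        [int]  $SecondsIdle           = 0,       # time since the last keyboard or mouse input
        [bool] $Locked                = $false,
        [int]  $SecondsSinceLock      = 0
    )

    if ($Locked) {
        # Grace period: only a monitored phone that comes back into range unlocks the desktop.
        if ($PhoneSeenSinceLogin -and $PhonePresentNow -and ($SecondsSinceLock -le $Policy.GraceSeconds)) {
            return 'AutoUnlock'
        }
        return 'ManualAuthRequired'
    }

    if (-not $PhoneSeenSinceLogin) {
        # Phone never detected after login: fall back to the keyboard/mouse thresholds.
        $timer   = 'KeyboardMouseFallback'
        $elapsed = $SecondsIdle
        $lockAt  = $Policy.FallbackIdleLockSeconds
        $warnAt  = $lockAt - $Policy.FallbackIdleWarnSeconds
    }
    elseif ($PhonePresentNow) {
        # Phone nearby: the (typically longer) Imprivata ID inactivity thresholds apply.
        $timer   = 'ImprivataIdInactivity'
        $elapsed = $SecondsIdle
        $lockAt  = $Policy.PhoneIdleLockSeconds
        $warnAt  = $lockAt - $Policy.PhoneIdleWarnSeconds
    }
    else {
        # A monitored phone has left the area: the Secure Walk Away lock timer applies.
        $timer   = 'SecureWalkAway'
        $elapsed = $SecondsSincePhoneLost
        $lockAt  = $Policy.SwaLockSeconds
        $warnAt  = $lockAt - $Policy.SwaWarnSeconds
    }

    if ($elapsed -ge $lockAt) { return "Lock ($timer)" }
    if ($elapsed -ge $warnAt) { return "Warning ($timer)" }
    return "Unlocked ($timer)"
}

# Constructed sample policy values, in seconds.
$policy = @{
    SwaLockSeconds          = 30
    SwaWarnSeconds          = 10
    GraceSeconds            = 120
    PhoneIdleLockSeconds    = 900
    PhoneIdleWarnSeconds    = 60
    FallbackIdleLockSeconds = 300
    FallbackIdleWarnSeconds = 30
}

# The two workflows described above, evaluated one observation at a time.
$scenarios = @(
    @{ Label = 'User 1 phone out of range for 25 s'; Args = @{ PhoneSeenSinceLogin = $true;  PhonePresentNow = $false; SecondsSincePhoneLost = 25 } }
    @{ Label = 'User 1 phone out of range for 30 s'; Args = @{ PhoneSeenSinceLogin = $true;  PhonePresentNow = $false; SecondsSincePhoneLost = 30 } }
    @{ Label = 'User 1 returns, locked 90 s ago';     Args = @{ PhoneSeenSinceLogin = $true;  PhonePresentNow = $true;  Locked = $true; SecondsSinceLock = 90 } }
    @{ Label = 'User 1 returns, locked 200 s ago';    Args = @{ PhoneSeenSinceLogin = $true;  PhonePresentNow = $true;  Locked = $true; SecondsSinceLock = 200 } }
    @{ Label = 'User 2 (no phone) idle for 280 s';    Args = @{ SecondsIdle = 280 } }
    @{ Label = 'User 2 (no phone) idle for 300 s';    Args = @{ SecondsIdle = 300 } }
    @{ Label = 'Phone present, idle for 850 s';       Args = @{ PhoneSeenSinceLogin = $true;  PhonePresentNow = $true;  SecondsIdle = 850 } }
)
foreach ($s in $scenarios) {
    $splat = $s.Args
    '{0,-40} -> {1}' -f $s.Label, (Resolve-WalkAwayAction -Policy $policy @splat)
}
```

The point of the model is the branch order: a phone that was never detected after login never engages the Secure Walk Away timer or the grace period, which is why the fallback keyboard and mouse thresholds should be no more generous than they were before Secure Walk Away was enabled, and why the grace period only ever benefits a phone the agent was already monitoring.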

(Optional) You can choose the type of warning that notifies the user that the workstation is going to lock.
To configure the behavior:
- In the Imprivata Admin Console, click Computers > Computer Policies.
- Go to the Lock and Warning section, and select the type of warning to display.
- Save the computer policy.
- (Optional) To customize the warning message, click Customize the warning and lock display text. The Walk-away security section lets you update the message.

The Secure Walk Away–Imprivata ID Sensitivity slider controls the distance at which the Imprivata agent determines when the phone is present or has left the area.
Each position represents a relative distance to the workstation, not a specific unit of measurement. As a result, the ideal distance differs by environment:
- Use the default position to start.
  The default position represents a distance that is optimized for most environments.
- Adjust the position to troubleshoot device detection problems with workstations.
To adjust the value:
- In the Imprivata Admin Console, click Computers > Computer Policies.
- Open the Walk-Away Security tab, and go to the Advanced section.
What to Expect on the Workstation
The following sections detail what users can expect to see on the workstation.

The Imprivata agent menu includes a link to view Secure Walk Away. This link opens the Imprivata Secure Walk Away dialog.
This is the primary way to view the phone's signal strength. The following illustrates the user experience.
NOTE: Although not illustrated, signal strength also appears on the Imprivata OneSign login screen.

Signal strength is displayed in one of five states. Each state is represented by a different color.
When the phone is close to the endpoint, the BLE icon changes from gray to green, as illustrated below.
The following table details each state.
[Table: BLE Icon | Description (five states; icon images not reproduced)]
Reporting
You can use the Computer Peripheral Usage report to identify where BLE enabled devices have been deployed in your enterprise. This report identifies:
- Endpoints to which a BLE device has been plugged in.
- The model and vendor of the device.
- The version of the firmware installed on the device.
To run the report:
- In the Imprivata Admin Console, click Reports > Add new report.
- Under the Platform column, click Computer Peripheral Usage.
- Specify a date range, and click Run.
  The date range indicates when the BLE device was plugged into the endpoint.
  For example, a report with a date range of Today will not include an endpoint where the BLE device was plugged in two days ago.
Troubleshooting
Symptom
When I return to my workstation, the Imprivata agent does not recognize my phone. The BLE icon is gray.
Solution
This may be the result of:
- Closing Imprivata ID.
- (iOS only) The iPhone restarting.
  Opening Imprivata ID after an iPhone restarts resolves the issue. However, the time it takes to recognize the phone varies.
  During this time, log in as you normally would.
Symptom
When I return to my workstation, there is an X through the BLE icon on the lock screen.
Solution
- Is the BLE-enabled hardware plugged into the workstation?
- This may be indicative of a problem with Windows recognizing the BLE hardware.
Although Imprivata Secure Walk Away is disabled, you can log in as normal to continue working.