Enterprise Access Management Troubleshooting

If specific users are experiencing issues with push authentication, make sure the Imprivata ID app is running on the user's device.

If that doesn't resolve the issue, make sure the user's device meets all of the following requirements:

iOS Requirements

  • iOS 11 or later installed.

  • An active Internet connection is required to enroll Imprivata ID, as well as to send log files to Imprivata.

  • Hands Free Authentication:

    • Bluetooth enabled.
    • Access to Location Services (Always).
    • An active Internet connection is not required for Hands Free Authentication or manual token code entry.

  • Remote Access:

    • Notifications enabled.
    • An active Internet connection is required for push notifications.

  • Secure Walk Away

    • iPhone 6s or later.

    • Access to Location Services (Always), Bluetooth Sharing, and Motion & Fitness is required.

  • QR code for direct access to the download page on the iTunes App Store:

Android Requirements

  • Android 6 or later installed.

  • An active Internet connection is required to enroll Imprivata ID, as well as to send log files to Imprivata.

  • Hands Free Authentication:

    • Bluetooth enabled.

    • An active Internet connection is not required for Hands Free Authentication or manual token code entry.

  • Remote Access:

    • Notifications enabled.

    • An active Internet connection is required for push notifications.

  • Secure Walk Away:

    • Samsung Galaxy S7 or later.

    • Google Pixel 1 or later.

    • OnePlus 6 or later.

    • Bluetooth enabled.

  • QR code for direct access to the download page on Google Play:

If the Imprivata database is restored while users are enrolling Imprivata IDs, or after Imprivata IDs have been enrolled, the users must re-enroll their Imprivata IDs. Contact Imprivata Customer Support for assistance.

You can resolve some errors that occur during DigiCert identity proofing. If the error message instructs you to

  • "Delete record and notify user to restart identity proofing", or
  • "Delete identity proofing record and notify user to restart process"

Delete the user's record but do not delete the user:

  1. In the Imprivata Admin Console, go to UsersUsers and find the user in the database.
  2. On the user detail page, go to DigiCert Individual Identity Proofing and click Delete Record. This action is permanent and the user must identity proof again for EPCS.
  3. Notify the user to start identity proofing again.

If you delete the entire user from the Imprivata database, you will have to wait five days for the system to reset before they can use that same email address again for identity proofing.

Clinicians who e-prescribe controlled substances with a Symantec VIP token can continue to use this token with Enterprise Access Management after identity proofing with Digicert. The following workaround is only applicable for:

  • users who have already completed identity proofing with Symantec NSL and

  • enrolled their VIP token for EPCS and

  • completed identity proofing with Digicert and

  • are associated with the Enterprise Access Management EPCS workflow and

  • that workflow allows OTP tokens for authentication.

  1. In the Symantec VIP Manager, remove the user's VIP software token (UsersSearch UserEdit DetailsCredentialRemove)
  2. In the Imprivata Admin Console, remove the user's VIP software token: Go to Users > Symantec VIP Credentials, select the user, and click Remove From This User.
  3. In the Symantec VIP Manager, disable the user's account (UsersSearch User > from the Search Results page, click Disable Credential)
  4. In the Symantec VIP Manager, enable the user's account again (UsersSearch User > from the Search Results page, click Enable Credential).
  5. Advise the user to re-enroll the Symantec VIP token with Enterprise Access Management.

Cloud Connection

Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:

  1. If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.
  2. Services will enter your Enterprise ID and cloud provisioning code.
  3. Click Establish trust.
BEST PRACTICE:

The cloud connection must be established by Imprivata Services.

Cloud Connection Status

You can review the status of your enterprise's connection to the Imprivata cloud at any time. Status notifications are displayed on the Imprivata Admin Console, and the cloud connection status of every appliance at every site is also available:

  1. In the Imprivata Admin Console, go to the gear iconCloud connection.

  2. Every appliance host is listed with its status. If there are problems with a connection, recommendations for resolving the problem are displayed here.

The Apache web server makes performance metrics available through a native server status page. Information includes, but is not limited to:

  • Client throughput and latency

  • Resource utilization

  • Activity metrics

While you can access these metrics at anytime from the Imprivata Appliance Console, Imprivata Support will typically request that you enable this functionality to determine if long–lived client connections are adversely effecting your enterprise.

By default, the ability to access the Apache server status page is disabled, as enabling it adds server load.

To enable access to the Apache server status page:

  1. In the Imprivata Appliance Console, go to the System page > Operations tab.

  2. On the Activate Apache Status Page row, click Configure.

  3. On the Apache Status Page dialog, select Show Apache Status Page.

    • Leave Show Extended status selected. This setting is required to view the client connection metrics.

    • If you want to view basic Apache performance metrics only, deselect Show Extended status.

  4. By default, anyone can access the status page.

    To limit access to one or more clients, enter the respective IP addresses or ranges.

  5. Click Save and restart the Imprivata server.

    The Imprivata server is restarted. A message appears when the operation is complete.

To identify long–lived client connections:

  1. From a client that has access to the page, open a web browser.

  2. Enter the following URL:

    https://<ApplianceIPAddress>/server-status?refresh=5

    The refresh interval is measured in seconds and is used to display updated statistics.

The following screen capture illustrates a sample status page and highlights the information that is relevant to long–lived client connections:

  • The M column displays an "R", and the Request column displays "reading..."

    These values indicate that Apache is stuck in a reading state.

  • The SS column specifies the time (in seconds) since the beginning of most recent request.

    As the page refreshes, this value increases until the request timeouts, indicating that the connection has failed.

    While not illustrated, the row is removed at the next refresh interval.

Click to enlarge

You should disable access to the Apache server status page when you are finished troubleshooting, as leaving it enabled adds server load.

To disable access to the Apache server status page:

  1. In the Imprivata Appliance Console, go to the System page > Operations tab.

  2. On the Activate Apache Status Page row, click Configure.

  3. On the Apache Status Page dialog, deselect Show Apache Status Page.

  4. Click Save and restart the Imprivata server.

    The Imprivata server is restarted. A message appears when the operation is complete.

To create and run reports regarding Enrollment, Signing Activity, and Suspicious Activity, in the Imprivata Admin Console, go to Reports > Add new report.