Configure Enterprise Password AutoFill on iOS Devices

NOTE: This article applies to iOS devices only.

After you’ve set up, tested and automated your Check Out Workflows and also validated your environment supports Password AutoFill, you’re ready to get started.

Password AutoFill is available only when Admin > Check Out > Identity Web Service is set to Imprivata Enterprise Access Management.

Configure Password AutoFill in Mobile Access Management

Two Factor Authentication (2FA) is needed for Password AutoFill, but not for device Check Out.

Users are prompted to enter 2FA directly after Check Out. If they accidently skip the prompt, they will also be prompted to use the Password AutoFill extension when logging into an app.

  1. Navigate to Admin > Check Out > Password AutoFill enable Password AutoFill.

  2. Set the option for Second factor authentication to match your Imprivata Enterprise Access Management (formerly Imprivata OneSign) configuration.

    Click to enlarge

Disable the iOS Keychain

You can disable the iOS keychain from the password autofill selection on the devices by one of the following methods:

  • Set Restrictions action in the Workflow — you can set a Mobile Access Management restriction to disable Safari autofill. It disables Keychain as an option, while still allowing Autofill to be on and the Locker app to be select. If you apply the restriction via a Workflow, ensure that you add it to either the Provisioning (Prep) or Check In Workflow.

  • MDM restriction — each MDM labels the ability to disable or remove Keychain from password autofill selection differently and ends up with different results.

    For more information, see your MDM's documentation.

In Mobile Access Management, adding a Set Restrictions action with the Disable Safari Auto-fill option selected disables the built-in iOS keychain, but should allow for Locker iOS to still be selected.

Best Practice

Add this restriction setting into your Provisioning (Prep) Workflows to ensure the device never has the option to use iOS Keychain.

If you have already deployed devices without this setting, you have three primary options:

  • Add this setting into your Check In Workflow.

  • Create a Workflow that specifically includes just this setting and deploy it to connected devices either manually or via a scheduled automation rule, until you’re confident it has applied to all devices in use.

  • Utilize an MDM Restrictions payload to disable the keychain. See below.

Expected Results

The device will have the Keychain option in Autofill/Password options greyed out, making it unable to be selected. Despite the name of the restriction, password autofill will still be available on Safari web pages when using Imprivata Locker as the autofill source.

IMPORTANT:

A device can have multiple Restrictions profiles. However, only one Mobile Access Management-delivered Restriction Profile will be present at a time.

So if Mobile Access Management has sent a restrictions profile to a device that you’re now using this method to deploy the Disable Safari Auto-fill setting to, you will want your previous restriction profile settings to also be selected. Otherwise, they will be overwritten by this new restrictions profile.

To add a Set Restrictions action to the Workflow:

  1. In the MAM admin console, edit the Workflow. Ensure that you add the Set restrictions action to either the Provisioning or Check In Workflow.

  2. From the Add action menu, select Set Restrictions.

  3. On the Other Restrictions tab, select Disable Safari Auto-fill and click Save.

    Click to enlarge

  1. In Microsoft Intune, navigate to Devices > iOS/iPadOS > iOS/iPad OS > Configuration Profiles > General Restrictions > Device restrictions.

  2. Make sure Block password Autofill is set to Not configured.

  3. Under General Restrictions > Built-in Apps, set Block Safari Autofill to Yes.

Best Practice

Ensure the setting for Enable Autofill is not selected in your currently deployed restrictions profile.

Expected Result

The device will have the Keychain option in Autofill/Password options greyed out, making it unable to be selected. Despite the name of the restriction, password autofill will still be available in general on the device.

The Force authentication before autofilling passwords setting has no impact on the Imprivata Locker Password Autofill experience.

  1. In the Workspace ONE UEM, use a Restrictions payload profile.

  2. For the Allow auto filling of passwords, switch the setting to enabled.

  3. Ensure the Enable Autofill setting is not enabled.

  1. In the Jamf Pro admin console, edit the configuration profile for your iOS devices.

  2. For Password Autofill, set to Allow.

  3. In the Use of Safari section, for Autofill, set to Disable.

Enable AutoFill on the Device

Each iOS device must be manually configured to use the Imprivata AutoFill extension — unfortunately there is no way to do this automatically using your MDM or Mobile Access Management.

To enable Password AutoFill on the iOS device:

  1. Navigate to Settings > Passwords > AutoFill Passwords > Turn ON.

  2. Turn on Autofill from Locker. When Autofill is enabled, credentials from the Locker app will be suggested for filling in apps.

  3. In iOS 17.x or earlier, make sure Keychain is not selected.

    In iOS 18, the setting is named Passwords. Ensure that it is not toggled on.

BEST PRACTICE:

If you're not erasing the device, the Autofill Passwords setting will persist between checkouts.

Imprivata strongly recommends not erasing devices between checkouts for this reason.

If AutoFill is enabled on the Mobile Access Management server, but a device does not have Password AutoFill set in Settings, the device will show the following reminder screen on Check Out.

Click to enlarge

Create Upload and Deploy Imprivata Enterprise Access Management Profiles

For detailed instructions on creating application profiles for Imprivata Enterprise Access Management, see this article.

Questions?

Check out our Password AutoFill FAQ.

Next

Custom Identity Web Services