Configure Multiple Mobile Policies via MDM
Imprivata MDA supports the ability to create more than one mobile policy through your MDM.
Requirements
Take note of the following prerequisites:
- Requires Imprivata MDA to be deployed via an MDM.
- Not all of the Mobile policy properties can be overridden; see Unsupported Mobile Policy Properties.
Take note of the following requirements for the handling of the policy values.
- Values are comma delimited.
- Empty app packages array equals the 'off' value.
- Repeated keys will be ignored.
Configure the MDM AppConfig
This feature requires only specific AppConfig values to be set up. There is no need to put all possible values in the AppConfig, just those that you need to override.
For additional information on configuring apps via AppConfig, see your MDM documentation. See the Imprivata MDA AppConfig Reference for supported MDM AppConfig keys.
Add the following key:
- MobilePolicyOverride - Allows Imprivata MDA to override a limited set of properties of the Imprivata Enterprise Access Management Mobile Policy using AppConfig.
The AppConfig Configuration Key field for this feature is "MobilePolicyOverride".
The AppConfig Value Type for this feature is "String".
The values are in the Supported Mobile Policy Values table below.
Example 1
This example demonstrates the override to turn off Guest Mode:
GuestMode=off
Example 2
This example demonstrates the override of multiple mobile policy values. The values are separated by commas.
AutoLogout=off, AutoLock=10, CallAppsNoAuth=[com.microsoft.teams:skipSound]
Example 3
This example demonstrates the override of all possible mobile policy values. The values are separated by commas.
GuestMode=on, AutoLogout=200, AutoLock=269, BrowserLogoutMethod=clearData, Language=en, CallAppsNoAuth=[com.microsoft.teams:skipSound, com.imprivata.notify, com.imprivata.notify.doubler, org.telegram.messenger], CallAppWithAuth=[com.slack, com.imprivata.Messaging], NotificationApps=[com.slack, com.microsoft.teams:skipSound, com.imprivata.notify, com.imprivata.notify.doubler, org.telegram.messenger, com.imprivata.Messaging], FloatingHomeButton=on
Example 4
This example turns off all notifications:
..., CallAppsNoAuth=off, CallAppWithAuth=off, NotificationApps=off, ...
OR
..., CallAppsNoAuth=[], CallAppWithAuth=[], NotificationApps=[], ...
Supported Mobile Policy Values
The following items are Imprivata Enterprise Access Management mobile policy settings that can be overridden by configuring them in your MDM.
For more information on the mobile policy, see Configuring the Mobile Policy.
Mobile Policy in Imprivata appliance | Policy Key | Supported Value |
---|---|---|
Allow guest mode | GuestMode | on, off |
Automatically log out a user (on/off, timeout minutes) | AutoLogout | off, 1...n |
Inactivity re-authentication (on/off, timeout minutes) | AutoLock | off, 1...n |
Web Browser Management: Logout method | BrowserLogoutMethod | off, clearData, forceStop, clearCache |
Language | Language | en, da, de, es, fi, fr, it, nl, sv. NOTE: The supported Mobile policy values for Language apply to Imprivata MDA 7.13.4 and earlier. In Imprivata MDA 7.14 and later, the language is controlled by the device level localization settings, commonly set in your MDM, not by the Imprivata mobile policy. |
Voice call (VoIP) apps (authentication not required to answer call) | CallAppsNoAuth | off, [com.app1, com.app2, ...] |
Voice call (VoIP) apps (authentication required to answer call) | CallAppWithAuth | off, [com.app1, com.app2, ...] |
Messaging and other apps | Notification | off, [com.app1, com.app2, ...] |
Allow floating Home button | FloatingHomeButton | off, on |
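The following added example (not Imprivata code and not part of the original page) lints a MobilePolicyOverride string before it is pushed through the MDM, applying the value-handling rules and the supported values listed above. It assumes that "repeated keys will be ignored" means the first occurrence is kept, and that an app entry is a dotted package name with an optional ":flag" suffix; the function names are hypothetical.

```python
import re

# Keys and values from the Supported Mobile Policy Values table. The table lists
# "Notification" while the page's examples use "NotificationApps"; both accepted.
ON_OFF = {"on", "off"}
SCALAR = {"GuestMode": ON_OFF, "FloatingHomeButton": ON_OFF,
          "BrowserLogoutMethod": {"off", "clearData", "forceStop", "clearCache"},
          "Language": {"en", "da", "de", "es", "fi", "fr", "it", "nl", "sv"}}
TIMEOUT = {"AutoLogout", "AutoLock"}
APP_LIST = {"CallAppsNoAuth", "CallAppWithAuth", "NotificationApps", "Notification"}
KNOWN = set(SCALAR) | TIMEOUT | APP_LIST
# Assumption: an entry is a dotted package name with an optional ":flag" suffix.
PACKAGE = re.compile(r"^[A-Za-z][\w.]*(:\w+)?$")

def split_top_level(text):
    """Split on commas outside [...] so app package arrays stay intact."""
    parts = re.split(r",(?![^\[]*\])", text)
    return [p.strip() for p in parts if p.strip()]

def normalize(key, value):
    """Return the normalized value, or None when the value is not supported."""
    if key in SCALAR:
        return value if value in SCALAR[key] else None
    if key in TIMEOUT:  # off, or a timeout of 1...n minutes
        return value if value == "off" or (value.isdecimal() and int(value) >= 1) else None
    if value == "off" or re.fullmatch(r"\[\s*\]", value):  # empty array equals 'off'
        return "off"
    if not (value.startswith("[") and value.endswith("]")):
        return None
    apps = [a.strip() for a in value[1:-1].split(",")]
    return apps if all(PACKAGE.match(a) for a in apps) else None

def lint_override(text):
    """Return (policy, problems) for one MobilePolicyOverride string."""
    policy, problems, seen = {}, [], set()
    for item in split_top_level(text):
        key, sep, value = (s.strip() for s in item.partition("="))
        if not sep:
            problems.append(f"malformed entry: {item}")
        elif key in seen:  # assumption: the first occurrence wins
            problems.append(f"repeated key ignored: {key}")
        elif key not in KNOWN:
            problems.append(f"unsupported key: {key}")
        elif (norm := normalize(key, value)) is None:
            problems.append(f"unsupported value for {key}: {value}")
        else:
            policy[key] = norm
        seen.add(key)
    return policy, problems
```

A non-empty `problems` list is worth treating as a failed review, since an entry that is not applied leaves the appliance's mobile policy value in effect for that setting.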
Unsupported Mobile Policy Properties
The following Mobile policy settings cannot be overridden:
- Turn on grace period for second authentication factor (on/off, timeout minutes)
- Unlock with Imprivata PIN instead of proximity card (on/off, timeout minutes)
- Authentication: Validate stored domain credentials before authenticating