Using SOTI MobiControl to Deploy Imprivata MDA

Use SOTI MobiControl to deploy Imprivata MDA.

The following sections detail how to:

  • Set up SOTI MobiControl

  • Add Imprivata MDA to SOTI MobiControl

  • Configure SOTI Lockdown mode

  • Enroll devices

NOTE:

See the Imprivata MDA AppConfig Reference for supported MDM AppConfig keys.

Limitations

Consider the following limitations:

  • Imprivata MDA Countdown to Lock mode is not supported with SOTI's lockdown mode configuration.

  • When the SOTI MobiControl client app is installed on Zebra devices, it cannot be deleted by a simple factory device reset, as it fails to delete SOTI from the device. It requires a special factory reset file from the Zebra support site, or to reset the device using the Zebra StageNow app.

Critical Alarm Sending Apps and Lock Task Mode

It is recommended that Imprivata MDA be the only app on the device that is running in Lock Task mode. However, when the Imprivata MDA app is configured to run with Lock Task mode, other apps that send Critical Alarms will not be able to show a Critical Alarm over the Imprivata MDA lock screen.

The apps that send Critical Alarm notifications should be added to the allowlist in the following places:

  • In the Imprivata Admin Console, by adding the app packages to the Allow lock screen notifications list in Mobile Policy.

  • In your MDM configuration, by allowing the apps for Lock Task mode.

Set Up SOTI

To configure enterprise bindings:

  1. In the SOTI MobiControl console, navigate to Global Settings > Enterprise Bindings.

  2. In the Managed Enterprise section, click + and then Continue to add the Google Enterprise account to the enterprise bindings.

To add a device group for the Imprivata MDA devices:

  1. In the SOTI MobiControl console, navigate to Devices and click New Group.

  2. Select New Root Group.

  3. In the Create Group dialog, type a group name. Click Create.

Deploy Imprivata MDA with an App Policy

  1. In the SOTI console, navigate to Policies > Apps and click New App Policy.

  2. In the Create App Policy dialog, select Android > Android Enterprise.

  3. On the General tab, type a name in the App Policy Name box.

  4. On the Apps tab, click + to add apps to the policy.

    1. On the Select Apps page, in the Apps section, select the Google Managed Enterprise account added in Step 1: Configure Enterprise Bindings.

    2. Click Managed Google Play.

    3. Add the Imprivata MDA app from the Managed Google Play Store.

    4. Add any other applications, as needed.

To configure the Imprivata MDA app:

  1. In the SOTI MobiControl console, click the gear icon for the Imprivata MDA app.

  2. Click the Enable Managed App Config toggle.

  3. Enter AppConfig values:

    NOTE:

    See the Imprivata MDA AppConfig Reference for supported MDM AppConfig keys.

    1. OneSign server address. Type the IP address of the Imprivata appliance.

    2. Device Serial Number. Use %SERIALNUM% macros to allow Imprivata MDA to receive device serial from app config.

    3. Admin Access code.

    4. LockMode

    5. CountdownToLockMinutes

    6. Device Info pattern

    7. Configuration Flags

    8. Mobile Policy Override

  4. Click Save.

Assign the Imprivata MDA App policy to the proper device group, device, or user.

Configure SOTI Lockdown Mode

SOTI's Lockdown mode replaces the standard device home screen with a customizable interface that provides the user access to authorized applications and device features only.

SOTI Lockdown Mode and Imprivata MDA

When you configure SOTI lockdown mode with Imprivata MDA, MDA will use the lock task from SOTI lockdown and will lock the device with Imprivata MDA.

SOTI Lockdown Mode Requirements

To support SOTI's lockdown mode, Imprivata MDA requires the following items to be allowed for opening by other apps but not available to a user:

App package name Description

com.android.settings

 Allows Imprivata MDA to open the Settings app for Force Stop, Clear cache, and Clear all data logout methods, as well as granting permissions to Imprivata MDA at initial configuration.

com.android.systemui

 Required to allow system alerts for instance permission alert during initial Imprivata MDA configuration.

com.android.nfc

 Required to allow handling of NFC taps when Imprivata MDA's Lock Screen is not foregrounded.

com.samsung.accessibility

Allow Imprivata MDA to open MDA Accessibility settings on Samsung devices.

Required only for Samsung devices.

IMPORTANT:

If an app is not explicitly included in the SOTI lockdown mode, there will be restrictions when trying to access or invoke that app while the lockdown is in place.

To configure SOTI Lockdown mode:

  1. In the SOTI MobiControl console, navigate to Profiles. You can either create a new profile, or edit an existing profile for Lockdown mode.

  2. On the Configurations page of the profile, click + to add a configuration to the profile.

    1. In the Security section, click Authentication.

      1. In the Device Administrator section, in the Password box, type a password for the administrator. This allows the administrator the ability to exit from SOTI Lockdown.

      2. Click Save.

    2. In the Restrictions section, click Lockdown.

      1. On the Device Control tab, in the Custom Home Screen section, click Add Home Screen Items.

        1. To add the Imprivata MDA app:

          1. On the Add Home Screen Item dialog, type MDA in the Display Name box.

          2. In the Item box, type com.imprivata.imda. Click Add.

        2. To add the Managed Passwords app:

          1. On the Add Home Screen Item dialog, type Managed Passwords in the Display Name box.

          2. In the Item box, type com.imprivata.imda/.managepasswords.ui.ManagePasswordsActivity. Click Add.

        3. Add the remaining required app package names - com.android.settings; com.android.systemui; com.android.nfc, and com.samsung.accessibility (optional).

        4. Add any other apps to the Custom Home Screen.

Enroll Devices

Create an enrollment policy for the devices.

  1. In the SOTI MobiControl console, navigate to Policies > Enrollment > All Policies.

  2. Click + New Enrollment Policy and select Android Enterprise.

  3. On the General page, enter the following information:

    1. Type a name for the policy

    2. Optional, type a meaningful description

    3. In the Enterprise Bindings section, select Managed as the Google Account Type.

    4. Select the Managed Enterprise Account created in the previous task.

  4. On the Device Type page, select the management type for this Enrollment policy.

    1. Select Work Managed.

  5. On the Groups page, in the Device Group section, select the device group destination for the devices.

  6. On the Settings page, click Finish.

  7. Take note of the Enrollment URL for later use when enrolling a device. You will use the URL in Step 2: Enroll a Device.

SOTI device enrollment begins with a factory reset of the device.

To enroll a device:

  1. Wipe the device by using the full factory reset.

  2. Turn on the newly reset device.

  3. On the Welcome screen, select your language.

  4. Connect to the Wi-Fi, and then choose NEXT.

  5. Accept the Google Terms and conditions, and then choose NEXT.

  6. On the Google sign-in screen, enter afw#mobilecontrol instead of a Gmail account, and then choose NEXT

  7. Choose INSTALL for the MobiControl client app.

  8. Enter the Enrollment URL you saved in step 7 of the Step 1: Create an Enrollment Policy task.

  9. Complete the enrollment.