Configuring Imprivata Mobile Device Access

Imprivata Mobile Device Access extends Imprivata authentication management and single sign–on to mobile devices and apps. Configuring Imprivata MDA requires you to:

  • Import the Imprivata mobile app profiles.

  • Configure the mobile policy.

  • Configure your MDM to deploy the Imprivata MDA to your devices and configure application specific settings.

NOTE:

Imprivata MDA is a separately licensed feature. For more information, see Imprivata Licensed Features.

Before You Begin

Review the following before deploying Imprivata MDA.

Before you begin:

Imprivata MDA requires that you use an Mobile Device Management (MDM) software suite to deploy the Imprivata MDA app and other apps to your mobile devices.

For more information, see Deploy Imprivata MDA via your MDM

For a list of supported MDMs, see Supported Components.

Imprivata MDA requires specific device settings and permissions. The following table details these requirements:

Setting Requirement
Android Device Settings

Android native lock screen

Disabled, if not using the Imprivata MDA Countdown to Lock feature.
Screen timeout Set the value to the maximum time allowed by the device. Imprivata MDA controls this behavior.
Native Launcher

  • Imprivata has qualified the native Launcher on all supported devices.

  • A custom Launcher may adversely affect Imprivata MDA functionality.
    If you have deployed or are evaluating a custom Launcher, Imprivata recommends testing Imprivata MDA and the custom launcher with your all of your mobile workflows.

  • To use Imprivata MDA with Workspace One Launcher, see Use Omnissa Workspace ONE to Deploy Imprivata MDA.

  • To use Imprivata MDA with Microsoft Intune Launcher, see Using Microsoft Intune to Deploy Imprivata MDA.
Power saving mode Disabled.
Wireless connection

  • Required.

  • An active wireless network must be available, and the network must be able to connect to the Imprivata appliance.
Autofill Service

Required if you plan to use the Google Autofill Framework.

Set the Autofill Service to use Imprivata MDA. For more information, see Configuring Imprivata Mobile Device Access with the Google Autofill Framework
Android Permissions
Access to the Device ID is required.

Required. Imprivata MDA requires access to the device ID to report on individual login and device activity.

Note: If your MDM cannot enable this permission, you can provide access the first time you launch Imprivata MDA on the device.
Draw over (overlay) other apps

Required.

The Draw over (overlay) other apps permission must be enabled manually on each device after the installation.
Activate the Accessibility Service

Required.

The Accessibility Service must be enabled manually on each device after the installation.
Read and access notifications

Required.

Permission to read and access notifications must be enabled manually on each device after the installation.
App must be granted Lock Task Permissions

  • Imprivata recommends that Imprivata MDA be the only app on the device that is running in Lock Task mode.

  • If additional apps are running in Lock Task mode, Imprivata MDA functionality may be adversely affected.

The following Android packages cannot be restricted:

  • com.android.systemui

  • com.android.nfc

  • com.android.settings

 Consider the following:

  • The systemui and settings packages are required for secure user switching.

  • The nfc package is required for proximity card authentication.

  • (Optional) Deploy the Android packages as hidden. Hiding these packages prevents users from accessing the respective functionality on the device.

The app must be configured with the following:

  • An Imprivata appliance domain name

  • Device information

Consider the following:

  • For MDMs that adhere to AppConfig standards, configure the following required AppConfig keys as part of the deployment:

    • The Imprivata appliance address.

    • Device information.

  • If you plan to use certain Imprivata MDA features, see the AppConfig Reference for the optional AppConfig keys.

The following table should be used as a reference for the Mobile Device Management (MDM) AppConfig keys used by Imprivata MDA.

AppConfig Configuration Key AppConfig Value Type

AppConfig Value

 Description Notes
ConfigFlags String lockOnCharge

When Imprivata MDA detects the device is charging, lock the device.

Can be used with logoutOnCharge

Supported by Imprivata MDA 7.17 and later.

See Configure Device Lock and Logout on Charging
ConfigFlags String logoutOnCharge

When Imprivata MDA detects the device is charging, log the user out from the apps.

Can be used with lockOnCharge

Supported by Imprivata MDA 7.17 and later.

See Configure Device Lock and Logout on Charging
ConfigFlags String allowOfflineMode Enables offline mode, allowing authenticated users to Imprivata MDA to unlock the device and have SSO available when in offline mode.

Supported by Imprivata MDA 7.16 and later.

See Offline Authentication.
ConfigFlags String offlineToOnlineReauth

When set, instructs Imprivata MDA to require the user to reauthenticate when it transitions from offline to online, only when the user session was last unlocked in offline. The flag has no effect on online established sessions.

Used in combination with allowOfflineMode.

Supported by Imprivata MDA 7.16 and later.

See Offline Authentication.
ConfigFlags String DefaultAuthDomain Allows you to set the domain selected by default when user authenticates toImprivata MDA with username and password.

Supported by Imprivata MDA 7.16 and later.

See Configure a Default Domain.
ConfigFlags String allowUntrustedEAMCertificate

  • Allows communication with an Imprivata appliance that contains any seIf-signed or expired or invalid certificate.

  • This communication method is considered as not secure, but is for backward compatibility or for administrators to use while they resolve Imprivata appliance certificate issues.

  • If allowUntrustedEAMCertificate is set, then forceTrustedEAMCertificate is ignored.

Enabled by default in Imprivata MDA 7.15

See Trusted Communication to the Imprivata Appliance
ConfigFlags String forceTrustedEAMCertificate

Enables Imprivata MDA to check for Imprivata appliance server certificate validity and allows you to check whether Imprivata appliance certificate is configured correctly.

 

Supported by Imprivata MDA 7.15 and later

See Trusted Communication to the Imprivata Appliance

 
ConfigFlags String deviceSdkLogout

Allows Imprivata MDA to use the Zebra SDK for all SDK based logout methods.

Setting deviceSdkLogout is equivalent to setting the following three values:

  • deviceSdkClearData

  • deviceSdkClearData

  • deviceSdkForceStop

Supported by Imprivata MDA 7.13.3 and later.

See Configure Zebra SDK Based App Logout
ConfigFlags String deviceSdkClearData Allows Imprivata MDA to use the Zebra SDK for clearing data based on the SDK.

Supported by Imprivata MDA 7.13.3 and later.

See Configure Zebra SDK Based App Logout
ConfigFlags String deviceSdkClearData Allows Imprivata MDA to use the Zebra SDK for clearing cache based on the SDK

Supported by Imprivata MDA 7.13.3 and later.

See Configure Zebra SDK Based App Logout
ConfigFlags String deviceSdkForceStop Allows Imprivata MDA to use the Zebra SDK to force stop based on the SDK.

Supported by Imprivata MDA 7.13.3 and later.

See Configure Zebra SDK Based App Logout
ConfigFlags String numericPinOnly Allows Imprivata MDA to set the device's keypad to numeric only

Supported by Imprivata MDA 7.14 and later

If numericPinOnly is not set,the default behavior of Imprivata MDA is to allow the keypad to be alphanumeric
ConfigFlags String preventAccidentalTyping

Allows the Imprivata MDA to prevent users from accidentally typing characters into credentials screens.

Supported by Imprivata MDA 7.13.2 and later.

See Prevent Accidental Typing.
ConfigFlags String autofillOn Allows the Autofill Service to use Imprivata Mobile Device Access.

Supported by Imprivata MDA 7.12 and later.

See Configuring Imprivata Mobile Device Access with the Google Autofill Framework.
MobilePolicyOverride String For the supported values, see the table of supported mobile policy values available for override. Allows Imprivata MDA to override a limited set of properties of the Imprivata OneSign mobile policy using AppConfig.

Supported by Imprivata MDA 7.11 and later.

See Configure Multiple Mobile Policies via MDM
ConfigFlags String com.package.name:forceStop|
clearCache|clearData		 Allows Imprivata MDA to run additional logout actions or different logout methods for the same app.

Supported by Imprivata MDA 7.11 and later.

See Configure App Logout Actions
ConfigFlags String allowScreensaver Allows Imprivata MDA to coexist with device screensavers and not block their use.

Supported by Imprivata MDA 7.9.2 and later.

See Configure Imprivata MDA for Screensaver Tolerance
ConfigFlags String zams

Allows Zebra Access Management System in Imprivata MDA

Works with ZAMS v.2.2.9 or later

Supported by Imprivata MDA 7.9 and later.

See Configure Imprivata MDA with Zebra Access Management System (ZAMS)
ServerIP String IP address The IP address of the Imprivata appliance Depending on your MDM interface, may appear as Server address or OneSign server address.
OneSignServerCertificate String certificate

Allows the Imprivata appliance certificate to be uploaded to the MDM when deploying Imprivata MDA to a device

 Depending on your MDM interface, may appear as OneSign server certificate.
AdminAccessCode String The Admin passcode The passcode for admin access. Requires a minimum of 8 characters.
ExternalDeviceSerial String

{ExternalDeviceSerial}

 Serial number of the device. Imprivata MDA requires access to the device ID to report on individual login and device activity.
LandscapeDevices String Comma-separated list of mobile device model numbers Change the mobile device's orientation from portrait to landscape mode.

Optional.

Device numbers can be found in Android settings, but may depend on the device vendor and Android version.

Example:

Versity 9540, SM-G95OU1, Pixel 4
LockMode String CountdownToLockMode Enable the Countdown to lock mode. Optional.
CountdownToLockMinutes String 240 The number of minutes to count down before locking the device.

Default value is 240 minutes (4 hours).

Minimum value is 20 minutes.
DeviceInfoPattern String Comma-separated list of values

The list of values for identifying the device.

Optional.

  • Variables (obtained from system settings), separated by commas:

    • $AndroidVersion

    • $AndroidShortVersion

    • $DeviceName

  • The variables above can be combined with a customized text string you wish to display to identify the device.

    Example:

    This is $DeviceName, $AndroidShortVersion

    Results:

    This is Galaxy Note 5, A11

Imprivata MDA supports the following authentication methods:

Primary Factor Secondary Factor Description
NFC enabled proximity card (optional) Imprivata PIN or password

This is the default configuration.

In this configuration:

  • The mobile policy is configured to allow the second factor (Turn on Grace Period for Second Authentication Factor).

  • The user policy is configured to allow a proximity card as the primary factor and either an Imprivata PIN or password as the second factor.

For additional details see, Workflow — Proximity Card with a Second Factor
Username and password + (alternative) Imprivata PIN None

This configuration supports deployments where proximity cards are not in use.

In this configuration:

  • The mobile policy is configured to allow an Imprivata PIN (Alternative Login using PIN).

  • The user policy is configured to allow a password as the primary factor.

  • The Imprivata PIN is not treated as a second factor.

    Rather – after a user authenticates for the first time, an Imprivata PIN can be used for subsequent authentications.

For additional details, see Workflow — Username/Password + an Alternative Imprivata PIN
External proximity card reader (optional) Imprivata PIN or password

Certain Android devices don't support NFC; as an alternate method, Imprivata MDA supports the use of certain models of Imprivata-branded rf Ideas external USB proximity card readers.

See External Proximity Card Readers

In this configuration:

  • The mobile policy is configured to allow the second factor (Turn on Grace Period for Second Authentication Factor).

  • The user policy is configured to allow a proximity card as the primary factor and either an Imprivata PIN or password as the second factor.

For additional details see, Workflow — Proximity Card with a Second Factor

Workflow — Proximity Card with a Second Factor

As illustrated in the following diagram:

  • Users authenticate by tapping their proximity card, and optionally, entering their password or an Imprivata PIN as a second factor.

  • During a specified grace period, all subsequent authentications require a badge tap only.

  • Users can enroll a proximity card and an Imprivata PIN from either the mobile device or the Imprivata enrollment utility on a Windows workstation.

    Imprivata MDA steps users through the enrollment when a new proximity card is detected or a PIN is not enrolled.

Click to enlarge.

NOTE: The diagram includes optional functionality, which you configure in the mobile policy.

Workflow — Username/Password + an Alternative Imprivata PIN

As illustrated in the following diagram:

  • Users authenticate by entering their username and password.

  • During a specified grace period, an Imprivata PIN can be used for subsequent authentications.

    The alternative method can be used until another user authenticates to the device or enters Guest mode.

  • Users can enroll an Imprivata PIN from either the mobile device or the Imprivata enrollment utility on a Windows workstation.

    Imprivata MDA steps users through the enrollment if a PIN is not enrolled.

Click to enlarge.

NOTE: The diagram includes optional functionality, which you configure in the mobile policy.

Enabling Imprivata MDA and Deploying Profiles

Complete the following steps to configure Imprivata MDA.

Imprivata MDA requires access to the Imprivata ProveID Web API.

To enable access:

  1. In the Imprivata Admin Console, click the gear icon , and then click API Access.

  2. Select Allow full API access via ProveID Web API and ProveID Embedded and Imprivata Mobile for Android.

  3. Click Save.

Imprivata provides preconfigured mobile app profiles. Deploying the profile enables the app for single sign–on.

To import the profiles:

  1. Log in to the Imprivata Customer Experience Center, click Product Downloads, then select OneSign.

  2. On the OneSign Downloads page, select Imprivata Mobile Device Access. In the Downloads section, click MDA Application Profiles (all versions). The application profiles download.

  3. Extract the profiles to a location that is accessible to the Imprivata Admin Console.

    A single XML file (MDA_AppProfiles_<date>.xml) includes all of the supported profiles.

  4. In the Imprivata Admin Console, open the Applications menu, and click Single sign–on application profiles.

  5. Click Add App Profile> Import from file.

  6. Browse to the XML file, and import it.

    NOTE:

    You can also find the latest profiles in the Imprivata Customer Experience Center. From the Customer Experience Center, open the Product Downloads list, and select Imprivata Mobile Device Access.

The following sections detail how to modify a Web or native mobile app profile.

Web App — Adding the Login URL

Before deploying a Web app, you must configure the login URL.

To configure a web app profile with a login URL:

  1. In the Imprivata Admin Console, open the Applications menu, and click Single sign–on application profiles.

  2. Locate the required web app profile, and click Edit Profile.

  3. Enter the login URL, and save the profile.

Native App — Configuring User Switch and Logout Behavior

(Optional) By default, on user switch or logout a native app is quit. Additional behavior can be enabled.

To configure user switch and logout behavior:

  1. In the Imprivata Admin Console, open the Applications menu, and click Single sign–on application profiles.

  2. Locate the required native app profile, and click Edit Profile.

  3. Select one or more of the following, and save the profile:

    • Force stop — Stops all related app services.

    • Clear cache — Clears all cached images and files.

    • Clear all data — Clears the cache and deletes all data associated with the app.

    • Do nothing

Native and Web App — Enabling a Profile to Automatically Submit User Credentials

(Optional) With the exception a mobile app that is integrated with the Imprivata MDA SDK (partner app), users must manually submit their credentials when the application opens.

You must enable the profile to automatically submit user credentials.

To enable the profile:

  1. In the Imprivata Admin Console, open the Applications menu, and click Single sign–on application profiles.

  2. Locate the required app profile, and click Edit profile.

  3. Select Automatically submit user credentials, and click Save.

NOTE:

No additional app configuration is required. If credentials are not successfully submitted, the app does not support the behavior. In this case, an authentication failure does not occur. The default behavior is enforced, and users must submit their credentials manually.

App Credential Considerations

When you deploy an Imprivata mobile app profile, you specify the type of credentials the app uses. The type of credentials an app can use depends on whether it is a partner app. A partner app is one that has been integrated with Imprivata MDA using the Imprivata MDA SDK:

  • Partner apps can:

    • Use their own credentials

    • Share credentials with the Imprivata domain or another desktop application.

  • All other supported apps can only share credentials with the Imprivata domain or another desktop application only.

NOTE:

If an app is sharing credentials with a desktop application, be sure that the single sign–on profile associated with desktop application has been added to a credential store.

You can view existing credential stores in the Imprivata Admin Console from the OneSign shared credential stores page (Applications menu > Credential stores). For more information about creating and managing a credential store, see Using Shared Credential Stores.

Deploying an App Profile

To deploy an app profile:

  1. In the Imprivata Admin Console, select the app profile, and click Deploy.

  2. Go to the Deployment section, and select Deploy This Application?.

  3. (Optional) To deploy the application to a subset of users, deselect Deploy to All Users and Groups?, and specify the membership.

  4. (Optional) If the app is sharing credentials, go to the Credentials section, select This application shares credentials?, and do one of the following:

    1. To use the Imprivata domain credentials, select with the domain only, and select the required domain username format.

    2. To share credentials with a desktop application, select with other applications, and select the credential store that is configured with the other application.

  5. Click Save.

NOTE:

For more information about either option, see Credential Sharing.

Configure the Mobile Policy and User Authentication

The mobile policy applies to every device enabled for Imprivata MDA.

In Imprivata MDA 7.11 and later, you can override mobile policy device settings by AppConfig using your MDM.

To configure the mobile policy, in the Imprivata Admin Console, open the Computers menu, click Mobile policy, and configure the following sections:

To configure device settings:

  1. Go to the Access Management section.

  2. (Optional) Select Allow guest mode.

    By default, users must authenticate to access the device. When enabled, users can tap Guest to access the device without having to authenticate. When a user access the device in this way, single sign–on is not available.

  3. (Optional) Select Automatically log out a user.

    By default, a user's session remains active until the user logs out or a user switch occurs. You can specify a duration after which time the authenticated user is automatically logged out.

  4. (Optional) Select Inactivity re-authentication.

    By default, a user's session remains active until the user logs out or a user switch occurs. You can specify a duration after which time the device is locked and the user is required to re–authenticate.

  5. (Optional) By default, users authenticate using a proximity card. You can:

    • Add an Imprivata PIN or password as a second factor.

      Select Turn on grace period for second authentication factor, and specify the grace period.

      The grace period is the time during which subsequent authentications do not require the second factor.

    • Enable the policy for a username and password + an Imprivata PIN.

      Select Unlock with Imprivata PIN instead of proximity card, and specify the grace period.

      The grace period is the time during which subsequent authentications require an Imprivata PIN only.

      Use this setting when configuring Countdown to lock mode to renew a session using the Imprivata PIN.

By default, all open Google Chrome and Zebra Web browsers are closed when a user logs out or during a user switch.

To change the default web browser data settings:

  1. Go to the Web Browser Management section.

  2. (Optional) Enable one of the settings:

    • Do nothing

    • Force stop all browsers — Stops all related browser services.

    • Clear cache on all browsers — Clears all cached images and files.

    • Clear data on all browsers — Clears the cache and deletes all data associated with the browser.

By default, the Imprivata appliance does not check if user credentials have been changed outside of Imprivata OneSign (out of band). If a user has updated their password out of band, authentication fails.

When enabled, Imprivata MDA checks for an out of band password change before authentication:

  • If detected, the user is prompted to reenter their credentials.

  • After the user successfully authenticates, the new credentials are saved.

To check for an out of band password change:

  1. Go to the Authentication section.

  2. (Optional) Select Validate stored domain credentials before authenticating.

Customization settings let you:

  • Change the language of end user messaging.

  • Specify which push notifications are allowed to appear on the home screen.

    By default, Imprivata MDA blocks the push notifications from all apps from appearing on the home screen.

To configure customization settings:

  1. Go to the Customization section.

  2. (Optional) Select a language.

    • In Imprivata MDA 7.14 and later, the language is controlled by the device level localization settings, commonly configured in your MDM, and not by the mobile policy.

    • In Imprivata MDA 7.13.4 and earlier, in the Customization section, select a language.

  3. (Optional) Select Allow lock screen notifications, and enter the package name for each application whose push notifications should be allowed.

    IMPORTANT:

    Notifications may contain sensitive information, such as PHI or private data, and can be read while the device is locked.

    Users can interact with notifications based on the following settings:

    • VoIP applications (no authentication required to answer call) — Users can answer or decline a voice call from the Imprivata MDA home screen.

    • VoIP applications — A notification appears on the home screen stating that there is an incoming call. Users must authenticate to the device to answer or decline the voice call.

    • Messaging & other applications — A notification appears on the home screen stating that there is a notification. Users must authenticate to the device to read it.

If you do not know the package name, you may be able to use its Imprivata MDA profile or its Google Play Store app URL to find it:

  • While the profile for a partner app cannot be edited, others can be opened to view settings.

    To use an app profile to identify a package name, go to the OneSign single sign-on application profiles page, locate the required app, and click Edit profile.

  • To identify the package name for a partner app, or any other third-party app on the device, you can use its Google Play Store app URL.

    From the Google Play Store, search for the app, and then open its page.

    The package name forms the end part of the URL after the "?id=".

    For example, https://play.google.com/store/apps/details?id=com.imprivata.Messaging

  1. (Optional) Select Allow floating Home button. Applies to Workspace ONE Launcher configuration.

To configure the User policy, in the Imprivata Admin Console, open the Users menu, click User Policies, and configure the following sections:

As detailed in Imprivata MDA Authentication and Single Sign–on Workflows, the user policy must be configured to support the required authentication workflow.

To configure the user policy:

  1. In the Imprivata Admin Console, open the Users menu, and click User policies.

  2. Open the required user policy, go to the Desktop Authentication section, and do one of the following:

    • If a proximity card is the primary factor, select Proximity Card, and then select Password or Imprivata PIN as the second factor.

    • If a username and password is the primary factor, select Password.

  3. (Optional) If an Imprivata PIN is allowed:

    1. Go to the Authentication method options > Imprivata PIN section.

      NOTE:

      A complex Imprivata PIN is supported.

    2. Configure the required settings.