Configure Offline Authentication

Offline authentication allows a user to access their mobile device and apps when the device loses network connection or loses connection to the Imprivata appliance. This mode works only after an initial authentication with Imprivata MDA while the device is online and connected to the network and Imprivata appliance. At the time the device loses network connection, the Imprivata MDA app uses cached encrypted credentials until it can contact the server again.

When offline, Imprivata MDA accepts the last validated user credentials, including proximity card, Imprivata PIN (as a second factor), and username + password.

While offline, the Imprivata MDA app displays a message banner indicating that it is in Offline mode. The banner persists until the connection to the Imprivata appliance is restored.

Offline authentication is supported by Imprivata MDA 7.16 and later.

Behavior

By default, offline authentication for Imprivata MDA is not enabled.

After enabling offline authentication for Imprivata MDA, the user will need to authenticate at least once to Imprivata MDA while online.

For Imprivata MDA to unlock an authenticated user session while offline and to continue providing SSO functionality, Imprivata MDA persists two types of user credentials: those for the Imprivata appliance and those for third party apps.

  • For username and password, the user will need to enter their username and password at least once while in online mode. Imprivata MDA persists the user password that can then be used for offline authentication. When used with either proximity card or Imprivata PIN as the second authentication factor, Imprivata MDA additionally retrieves the user password and stores it for potential offline authentication.

  • For proximity cards, the user will need to tap at least once in online mode.

  • For Imprivata PIN, the user will need to enter their PIN as a second factor at least once in online mode.

  • For Guest and Admin Access, the Imprivata MDA workflows work similarly to Imprivata MDA online, including device unlock and device lock and logout after Guest or Admin session.

  • Imprivata MDA transitions back to online as soon as the Imprivata appliances become available again.

When the Imprivata MDA app cannot connect to any Imprivata appliance in your Imprivata enterprise, the service will continue in offline mode when offline authentication is allowed. This is rarely needed when two appliances are located at the same site. The Imprivata MDA app will also go into offline mode when:

  • There is a loss of network connection; or

  • There is only one appliance at a site, that appliance goes offline during an upgrade, and failover between sites is not enabled.

Limitations

Offline authentication cannot be used with:

  • User switches

  • Out of band password changes

  • Third party app credentials changes

  • Authentication to Manage Passwords tool

  • Proximity card enrollments

  • Imprivata PIN expiration and renewals.

Planning for Expected Network Outages

When you expect some network outages, such as devices being used in places without network connectivity or during an upgrade of the Imprivata appliances, you should plan in advance to configure offline authentication for Imprivata MDA.

BEST PRACTICE:

When working with Imprivata MDA on mobile devices, ensure that you configure offline authentication some time before you perform the appliance upgrade or enterprise migration to allow Imprivata MDA adequate time to cache the credentials on the devices.

Appliance Upgrades and Enterprise Migrations

As part of the regular maintenance of your Imprivata enterprise, you will need to upgrade the software on the Imprivata appliances in your enterprise. Because the Imprivata appliances will not be available for a time during their software upgrade or during an enterprise migration, it is important to plan accordingly for these scheduled outages.

Configuring Imprivata MDA for offline mode helps to ensure uninterrupted service when the Imprivata MDA app is unable to communicate with any appliance in the enterprise. Although offline mode is rarely needed when two or more appliances are located in the same site, it is best practice to allow offline mode during an expected appliance upgrade or enterprise migration.

For more information on upgrading the appliance software or migrating the enterprise, see the Imprivata Upgrade help.

Assumptions

  • This procedure assumes that you have already configured Imprivata MDA, deployed the mobile app profiles, and configured the mobile policy and user authentication.

  • For more information, see Enabling Imprivata MDA and Deploying Profiles and Configure the Mobile Policy and User Authentication.

  • Imprivata MDA relies on the User Lockout settings in Imprivata Enterprise Access Management's User Policy so that MDA lockout behaves the same way offline as it does online. For more information on the User Lockout settings in EAM, see the Imprivata help.

Configure Imprivata MDA for Offline Authentication

NOTE:

This feature is configured via the AppConfig using an MDM. See the Imprivata MDA AppConfig Reference for supported MDM AppConfig keys.

To configure the offline authentication, add the following key to AppConfig:

  • The AppConfig Configuration Key field for this feature is "ConfigFlags".

  • The AppConfig Value Type for this feature is "String".

  • The AppConfig Value is allowOfflineMode - Enables offline mode, allowing users who have authenticated to Imprivata MDA to unlock the device and have SSO available while in offline mode.

Require Reauthentication When Transitioning Offline to Online

To configure Imprivata MDA to require users to reauthenticate when transitioning from offline to online, add the following key to AppConfig:

  • The AppConfig Configuration Key field for this feature is "ConfigFlags".

  • The AppConfig Value Type for this feature is "String".

  • The AppConfig Value is offlineToOnlineReAuth - When set, instructs Imprivata MDA to require the user to reauthenticate when it transitions from offline to online, but only when the user session was last unlocked in offline mode. The flag has no effect on sessions established online. Used in combination with allowOfflineMode.
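The following is an added example, not Imprivata's own code or tooling: a small audit script that reads exported managed app configurations and checks the two ConfigFlags values described above, flagging devices where offlineToOnlineReAuth is set without allowOfflineMode (no effect) or where offline mode is allowed without the reauthentication flag. The device names and payloads are constructed, and the script assumes multiple flags inside the ConfigFlags string are separated by commas, whitespace or semicolons; the actual separator is defined in the Imprivata MDA AppConfig Reference, so adjust FLAG_SPLIT to match.

```python
import re

# Assumption (not from the page): flags in the ConfigFlags string are
# separated by commas, semicolons or whitespace. Adjust to match the
# Imprivata MDA AppConfig Reference.
FLAG_SPLIT = re.compile(r"[,;\s]+")
ALLOW_OFFLINE = "allowOfflineMode"
REAUTH = "offlineToOnlineReAuth"


def parse_config_flags(appconfig: dict) -> set:
    """Return the set of flag names in ConfigFlags (empty if absent or not a string)."""
    raw = appconfig.get("ConfigFlags")
    if not isinstance(raw, str):
        return set()
    return {flag for flag in FLAG_SPLIT.split(raw.strip()) if flag}


def audit_offline_config(appconfig: dict) -> list:
    """Return a list of findings for one device's AppConfig payload."""
    flags = parse_config_flags(appconfig)
    findings = []
    if ALLOW_OFFLINE not in flags:
        findings.append("allowOfflineMode not set: no offline access during outages")
        if REAUTH in flags:
            # The page states this flag only works together with allowOfflineMode.
            findings.append("offlineToOnlineReAuth has no effect without allowOfflineMode")
    elif REAUTH not in flags:
        findings.append("offline mode allowed without offline-to-online reauthentication")
    return findings


def audit_fleet(devices: dict) -> dict:
    """Map each device name to its findings (empty list means the config is consistent)."""
    return {name: audit_offline_config(cfg) for name, cfg in devices.items()}


# Constructed sample: four devices' AppConfig payloads as an MDM export might present them.
SAMPLE_DEVICES = {
    "tablet-01": {"ConfigFlags": "allowOfflineMode,offlineToOnlineReAuth"},
    "tablet-02": {"ConfigFlags": "allowOfflineMode"},
    "tablet-03": {"ConfigFlags": "offlineToOnlineReAuth"},
    "tablet-04": {},
}

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_DEVICES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```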