Configuring Secure Walk Away with Virtual Kiosks for Citrix Published Applications

This topic details how to configure Imprivata Secure Walk Away with ProveID Embedded workstations that are delivering a Citrix Virtual Apps published desktop.

About Virtual Kiosks for Citrix Published Applications

In this workflow, multiple users share a workstation and can use the same applications, each under their own credentials:

  • When the workstation starts, the thin client establishes a Citrix session using generic user credentials and launches the Citrix Virtual Apps published desktop.

  • While the published desktop remains running under the generic credentials, users authenticate to the Imprivata agent, and can work with the available applications.

  • When the Imprivata agent detects a user switch, Imprivata Enterprise Access Management can either:

    • Shut down the open applications on the published desktop from the previous user.

    • Keep the applications open, while switching the user who is logged into them.

Clinical Workflow with Secure Walk Away

Monitoring a user's presence helps strike a better balance between security and user convenience. You can:

  • Increase inactivity timeouts because you know the user is nearby.

  • Fall back to keyboard and mouse inactivity timeouts for a user who does not have their phone, or whose phone cannot be detected.

  • Optionally, automatically unlock the workstation when the user returns to the workstation.

Example Workflow

The following describes an example workflow where Secure Walk Away is configured to lock and unlock the workstation:

  1. User 1 (nurse) has their phone present and taps their proximity card to authenticate to the shared workstation.

    Imprivata Secure Walk Away detects the phone, and the Imprivata agent begins to monitor it:

    • The published desktop is delivered.

    • The nurse may choose to open additional applications, which can be configured for SSO, if required.

  2. User 1 walks away.

    The Imprivata agent detects that the phone is no longer present:

    • After a specified inactivity threshold, an inactivity warning appears, and then the desktop is locked.

    • The published desktop, including all of the applications the nurse was using, remains running but is now secured behind the lock screen.

  3. User 1 returns to the same shared workstation within a specified grace period.

    • No other user has authenticated to the workstation.

    • The Imprivata agent detects the phone and unlocks the workstation automatically.

  4. User 1 walks away, and as previously detailed, the desktop is locked.

  5. User 2 (physician) has their phone present and taps their proximity card to authenticate to the shared workstation.

    Imprivata Secure Walk Away detects the phone. The Imprivata agent detects the user switch and begins to monitor the new phone:

    • All of the nurse’s applications are closed.

    • The published desktop remains running.

    • The physician may choose to open additional applications, which can be configured for SSO, if required.

  6. While user 2 works, the phone's battery dies.

    • The Imprivata agent can no longer detect the phone.

    • After a specified inactivity threshold, an inactivity warning appears, and then the desktop is locked.

  7. User 2 re-authenticates to the workstation.

    • The Imprivata agent cannot detect the phone.

    • Secure Walk Away falls back to keyboard and mouse inactivity timeouts.
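As an added illustration (not Imprivata's code or configuration), the following Python model replays the seven steps above: the desktop locks when the monitored phone is absent past the threshold, unlocks automatically only for the same user within the grace period, and falls back to keyboard and mouse inactivity timeouts when the phone cannot be detected at authentication. The timeouts, class and method names, and the rule for what resets the inactivity clock are assumptions made for the model, not product settings.

```python
from dataclasses import dataclass, field

@dataclass
class SharedWorkstation:
    """Toy model of Secure Walk Away lock/unlock decisions; timeouts are assumed, in seconds."""
    phone_timeout: int = 120    # phone absent this long -> lock
    kbm_timeout: int = 300      # keyboard/mouse fallback when the phone cannot be detected
    grace_period: int = 600     # automatic unlock allowed within this window after locking
    user: str = ""              # currently authenticated user ("" = nobody yet)
    open_apps: list = field(default_factory=list)
    locked: bool = False
    locked_at: int = 0
    phone_monitored: bool = False   # False if the phone was not detected at authentication
    last_activity: int = 0          # last phone sighting, or last key/mouse input in fallback

    def authenticate(self, who: str, t: int, phone_present: bool) -> None:
        """Proximity-card tap. A user switch closes the previous user's applications (step 5)."""
        if self.user and self.user != who:
            self.open_apps.clear()
        self.user, self.locked, self.last_activity = who, False, t
        self.phone_monitored = phone_present      # step 7: absent phone -> keyboard/mouse fallback

    def phone_seen(self, owner: str, t: int) -> None:
        """Presence sample; only the current user's monitored phone counts."""
        if owner != self.user or not self.phone_monitored:
            return
        self.last_activity = t
        if self.locked and t - self.locked_at <= self.grace_period:   # same user, within grace (step 3)
            self.locked = False

    def keyboard_activity(self, t: int) -> None:
        if not self.phone_monitored:   # input only resets the clock in fallback mode
            self.last_activity = t

    def tick(self, t: int) -> None:
        """Periodic check: lock after the inactivity threshold; open applications keep running."""
        timeout = self.phone_timeout if self.phone_monitored else self.kbm_timeout
        if self.user and not self.locked and t - self.last_activity >= timeout:
            self.locked, self.locked_at = True, t

def run_example_workflow() -> SharedWorkstation:
    ws = SharedWorkstation()
    ws.authenticate("nurse", 0, phone_present=True); ws.open_apps.append("EHR")  # step 1
    ws.phone_seen("nurse", 30); ws.tick(200)          # step 2: phone gone since t=30 -> lock
    ws.phone_seen("nurse", 400); ws.tick(700)         # steps 3-4: auto-unlock on return, lock again
    ws.authenticate("physician", 800, phone_present=True)    # step 5: nurse's apps closed
    ws.tick(1200)                                     # step 6: battery dead, no sighting -> lock
    ws.authenticate("physician", 1300, phone_present=False)  # step 7: fallback timeouts
    ws.keyboard_activity(1350); ws.tick(1500)         # 150 s idle < kbm_timeout -> stays unlocked
    return ws
```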

Before You Begin

Thin Client Configuration

In this section, you configure your thin clients to automatically connect to the published desktop with generic, workstation-based credentials.

Citrix Configuration

In this section, you:

  • Install the Imprivata agent on the Citrix server that is delivering the published desktop.

  • Configure a series of registry keys to enable the Citrix server for FUS (fast user switching).

Enterprise Access Management Configuration

In this section you configure:

  • A user policy.

  • Two computer policies: one for your thin client workstations, and another for the Citrix server that is delivering the published desktop.

Reporting

You can use the Computer Peripheral Usage report to identify where BLE-enabled devices have been deployed in your enterprise. This report identifies:

  • Endpoints to which a BLE device has been plugged in.

  • The model and vendor of the device.

  • The version of the firmware installed on the device.

To run the report:

  1. In the Imprivata Admin Console, click Reports > Add new report.

  2. Under the Platform column, click Computer Peripheral Usage.

  3. Specify a date range, and click Run.

    The date range indicates when the BLE device was plugged into the endpoint.

    For example, a report with a date range of Today will not include an endpoint where the BLE device was plugged in two days ago.

Next Steps

The following sections detail additional areas of configuration and reference the respective Enterprise Access Management documentation.