Configuring Secure Walk Away with Virtual Kiosks for Citrix Published Applications

This topic details how to configure Imprivata Secure Walk Away with ProveID Embedded workstations that are delivering a Citrix Virtual Apps published desktop.

About Virtual Kiosks for Citrix Published Applications

In this workflow, multiple users share a workstation and can use the same applications under the correct credentials:

  • When the workstation starts, the thin client establishes a Citrix session using generic user credentials and launches the Citrix Virtual Apps published desktop.

  • While the published desktop remains running under the generic credentials, users authenticate to the Imprivata agent, and can work with the available applications.

  • When the Imprivata agent detects a user switch, Imprivata Enterprise Access Management can either:

    • Shut down the open applications on the published desktop from the previous user.

    • Keep the application open, while switching the user that is logged into the application.

Clinical Workflow with Secure Walk Away

Monitoring a user's presence helps to provide for a better balance between security and user convenience. You can:

  • Increase inactivity timeouts because you know the user is nearby.

  • Fallback to keyboard and mouse inactivity timeouts for a user who does not have their phone or if the phone cannot be detected.

  • Optionally, automatically unlock the workstation when the user returns to the workstation.

Example Workflow

The following describes an example workflow where Secure Walk Away is configured to lock and unlock the workstation:

  1. User 1 (nurse) has their phone present and taps their proximity card to authenticate to the shared workstation.

    Imprivata Secure Walk Away detects the phone, and the Imprivata agent begins to monitor it:

    • The published desktop is delivered.

    • The nurse may choose to open additional applications, which can be configured for SSO, if required.

  2. User 1 walks away.

    The Imprivata agent detects that the phone is no longer present:

    • After a specified inactivity threshold, an inactivity warning appears, and then the desktop is locked.

    • The published desktop, including all of the applications that were in use by the nurse remain running, but are now secured behind the lock screen.

  3. User 1 returns to the same shared workstation within a specified grace period.

    • No other user has authenticated to the workstation.

    • The Imprivata agent detects the phone and unlocks the workstation automatically.

  4. User 1 walks away, and as previously detailed, the desktop is locked.

  5. User 2 (physician) has their phone present and taps their proximity card to authenticate to the shared workstation.

    Imprivata Secure Walk Away detects the phone. The Imprivata agent detects the user switch and begins to monitor the new phone:

    • All of the nurse’s applications are closed.

    • The published desktop remains running.

    • The physician may choose to open additional applications, which can be configured for SSO, if required.

  6. While user 2 works, the phone's battery dies.

    • The Imprivata agent can no longer detect the phone.

    • After a specified inactivity threshold, an inactivity warning appears, and then the desktop is locked.

  7. User 2 re-authenticates to the workstation.

    • The Imprivata agent cannot detect the phone.

    • Secure Walk Away falls back to keyboard and mouse inactivity timeouts.

Before You Begin

While this feature is available as part of your Imprivata Authentication Management (AM) or AM/Single Sign–On (SSO) license, all currently supported BLE devices must be flashed with new firmware before enabling Secure Walk Away.

NOTE: For a list of supported BLE devices, see "Imprivata OneSign Supported Components" in the Imprivata Environment Reference. You can download the required firmware files and instructions for flashing your devices here.

Before you begin:

  • Review the Imprivata Enterprise Access Management - SSO Supported Components in the Imprivata Environment Reference to confirm that your thin client models and firmware versions are supported.

  • An Enterprise Access Management with SSO Authentication Management (AM) or AM/Single Sign–On (SSO) license is required for this workflow.

The URL required to configure the thin client connection to Citrix depends on how users are to access the Citrix store:

  • Storefront Web Site URL – If the store is configured with a Web Site Store URL, the thin client communicates with Citrix using the respective URL.

    Example: If the store is configured with https//example.com/Citrix/SalesStore, then configure the thin client connection with https//example.com/Citrix/SalesStoreWeb.

  • XenApp Services URL – If the store is configured with a XenApp Services URL, the thin client communicates with Citrix using the respective URL.

    Example: If store is configured with https://example.com/Citrix/SalesStore/PNAgent/config.xml, then configure the thin client connection with https://example.com/Citrix/SalesStore/PNAgent/config.xml.

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Enterprise Access Management:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

A Citrix license is consumed when the thin client establishes a Citrix session and launches the resource. The procedures in this guide detail how to configure the computer policy to determine when the thin client establishes the session, thereby controlling license usage, but affecting the end user workflow.

You can configure the computer policy to enforce one of the following:

  • Automatically reconnect to a session when a session ends.

  • Wait for a user to manually start a session.

The Automatically reconnect on session end setting, which is located on the Shared Workstation tab of the computer policy, controls this behavior. Review the following and identify which workflow best fits the needs of your organization. Use this information when configuring the computer policy.

If Automatically reconnect on session end is enabled, the thin client keeps a Citrix session established, even when the endpoint is not in use. For example, the thin client automatically establishes a Citrix session and launches the published desktop when the thin client starts, a user logs off, or the Citrix session times out.

Although keeping a session established streamlines the end user workflow, the thin client always consumes a Citrix license, as detailed by the following:

  1. The kiosk workstation starts.

    • The thin client establishes a Citrix session using generic user credentials and launches the published desktop.

    • The desktop runs under the generic credentials. Establishing a Citrix session consumes a license.

  2. The Imprivata login window appears. While the published desktop remains running under the generic credentials, a Citrix license remains consumed.

  3. User 1 (Nurse) authenticates to Enterprise Access Management.

    • The kiosk workstation is unlocked.

    • The same Citrix license remains consumed.

  4. User 1 clicks icons on the desktop to open applications:

    • Application A has been configured to remain open after a user logs off.

      Epic Hyperspace configured with the Imprivata Connector for Epic Hyperdriveis an example of this configuration.

    • Application B has been profiled with the Imprivata Application Profile Generator (APG) to shut down automatically after a user logs off.

  5. The Imprivata Citrix or Terminal Server agent manages SSO for these applications.

  6. User 1 also opens Application C, which has not been profiled with the APG.

  7. User 1 completes their work. The workstation becomes locked through their action/inaction.

    For example, a proximity card tap-out or an Enterprise Access Management inactivity timeout. The user does not shut down any of their applications.

    • The Citrix session remains open.

    • User 1's Enterprise Access Management session is locked but not logged off.

  9. User 2 (Doctor) authenticates to the kiosk workstation.

    • Application A: The Imprivata Citrix or Terminal Server agent executes the logoff sequence to switch users within Application A.

      User 2 is logged into Enterprise Access Management. Depending on the application settings, the same screen User 1 was viewing opens. For example, the same patient chart is revealed.

    • Application B shuts down.

    • Application C remains open in the exact same state as User 1 left it.

  10. NOTE: Some applications offer configuration options to control whether the same application screen opens after Citrix FUS. Other applications' login and logout behavior is not configurable.

  11. User 2 completes their work. The workstation becomes locked through their action/inaction.

    For example, a proximity card tap-out or an Enterprise Access Management inactivity timeout.

  12. If the user logs out of the desktop, or a Citrix inactivity timeout causes the desktop to log off, the Citrix license is released.

  13. The thin client automatically establishes another Citrix session using the generic user credentials and launches the published desktop.

    A Citrix license is consumed, while the published desktop remains running under the generic user credentials.

If Automatically reconnect on session end is disabled, the thin client does not establish a Citrix session when it starts or the user session ends. Instead, the endpoint prompts the user to start the session.

Although re-establishing the Citrix session to launch the published desktop can take longer than launching it from an established connection, a Citrix license is only consumed when the endpoint is in use, as detailed by the following:

  1. The kiosk workstation starts.

    • The thin client prompts users to start a session.

    • A Citrix license is not consumed while the workstation remains unused.

  2. User 1 (Nurse) clicks OK. The thin client establishes a Citrix session using generic user credentials and launches the published desktop.

    • The desktop runs under the generic credentials.

    • Establishing a Citrix session consumes a license.

  3. The Imprivata login window appears. While the published desktop remains running under the generic credentials, a Citrix license remains consumed.

  4. User 1 authenticates to Enterprise Access Management.

    • The kiosk workstation is unlocked.

    • The same Citrix license remains consumed.

  5. User 1 clicks icons on the desktop to open the following applications:

    • Application A has been configured to remain open after a user logs off.

      Epic Hyperspace configured with the Imprivata Connector for Epic Hyperdriveis an example of this configuration.

    • Application B has been profiled with the APG to shut down automatically after a user logs off.

  6. The Imprivata Citrix or Terminal Server agent manages SSO for these applications.

  7. User 1 also opens Application C, which has not been profiled with the APG.

  8. User 1 completes their work. The workstation becomes locked through their action/inaction.

    For example, a proximity card tap-out or an Enterprise Access Management inactivity timeout. She does not shut down any of her applications.

    • The Citrix session remains open.

    • User 1's Enterprise Access Management session is locked but not logged off.

  10. User 2 (Doctor) authenticates to the kiosk workstation.

    • Application A: The Imprivata Citrix or Terminal Server agent executes the logoff sequence to switch users within Application A.

      User 2 is logged into Enterprise Access Management. Depending on the application settings, the same screen User 1 was viewing opens. For example, the same patient chart is revealed.

    • Application B shuts down.

    • Application C remains open in the exact same state as User 1 left it.

  11. NOTE: Some applications offer configuration options to control whether the same application screen opens after Citrix FUS. Other applications' login and logout behavior is not configurable.

  12. User 2 completes their work. The workstation becomes locked through their action/inaction.

    For example, a proximity card tap-out or an Enterprise Access Management inactivity timeout.

  13. If the user logs out of the desktop, or a Citrix inactivity timeout causes the desktop to log off, the Citrix license is released.

  14. The thin client prompts users to start a session.

    A Citrix license is not consumed while the workstation remains unused.

Thin Client Configuration

In this section, you configure your thin clients to automatically connect to the published desktop with generic workstation–based credentials.

Session persistence (roaming) can result in users obtaining an incorrect session when moving from one shared workstation to another.

To prevent roaming, you can take one of the following actions:

  • Create a unique generic user for each shared workstation in the environment.

  • Disable session roaming in Citrix workspace control.

NOTE: For more information about disabling session roaming in workspace control, see the Citrix documentation.

A generic user account is required to log into the thin client and establish a session with the published desktop. When adding the generic user to your user directory, consider the following:

  • These credentials are only used to automatically log in and deliver the published desktop.

  • The generic user account must have access to the Citrix Delivery group that references the machine catalog of the desktop.

  • To support Citrix SAML connections for fast user switching, the generic user account must be enrolled in Enterprise Access Management.

Configure the thin client to connect to the published desktop using the generic user credentials.

NOTE: Unlike previous Enterprise Access Management versions, the following procedure applies to all supported thin/zero clients. It is not necessary to configure the connection using the native administrative utilities of the device.

To configure the connection:

  1. Connect to the device through an SSH session.

  2. Type the following command:

    /usr/lib/imprivata/bin/python /usr/lib/imprivata/runtime/bin/fus-storage citrix -u <GenericUser> -d <GenericUserDomain> -p '<GenericUserPassword>' -s https://<CitrixStoreURL> -r PublishedDesktopName [--saml]

    Note regarding the optional --saml argument:

    • To enable SAML connections for fast user switching (FUS) for this thin client, include the --saml argument. Otherwise, omit that argument.

    • Citrix SAML connections for fast user switching for a thin client can also be enabled in the Agent VDI section of the ProveID Embedded configuration for that thin client, as described in ProveID Embedded Configuration Editor.

    Examples:

    • Storefront Website URL

      /usr/lib/imprivata/bin/python /usr/lib/imprivata/runtime/bin/fus-storage citrix -u exampleuser -d imprivatainc -p 'Pa$$word' -s https//example.com/Citrix/SalesStoreWeb -r desktop

    • XenApp Services URL

      /usr/lib/imprivata/bin/python /usr/lib/imprivata/runtime/bin/fus-storage citrix -u exampleuser -d imprivatainc -p 'Pa$$word' -s https://example.com/Citrix/SalesStore/PNAgent/config.xml -r desktop

  3. Press Enter.

Citrix Configuration

In this section, you:

  • Install the Imprivata agent on the Citrix server that is delivering the published desktop.

  • Configure a series of registry keys to enable the Citrix server for FUS.

Install the Imprivata Citrix or Terminal Server agent (type 3) on the Citrix server that is delivering the published desktop.

For more information on installing the Imprivata agent, see Deploying the Imprivata Agent.

On the published desktop, configure the following registry keys:

Name/Type Location Value

DisableCAD

DWORD

32-bit

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

64-bit

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System 

Default "0"

Set to "1"

DisableCAD

DWORD

32-bit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

64-bit

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon

Default "0"

Set to "1"

LockRemoteSessionWithAgentOnClient

DWORD

64-bit

HKLM\SOFTWARE\SSOProvider\ISXAgent

Default "0"

Set to "1"

LockVirtualSessionWithHotKey

DWORD

64-bit

HKLM\SOFTWARESSOProvider\ISXAgent

Default "0"

Set to "1"

RedirectionSupported

DWORD

64-bit

HKLM\SOFTWARE\SSOProvider\DeviceManager

Default "0"

Set to "1"

RemoteOnly

DWORD

64-bit

HKLM\SOFTWARE\SSOProvider\DeviceManager

Default "0"

Set to "1"

Enterprise Access ManagementConfiguration

In this section you configure:

  • A user policy.

  • Two computer policies. One policy for your thin client workstations, and another for the Citrix server that is delivering the published desktop.

Create the User Policy

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Walk-away security section, and select Allow Secure Walk Away.

  4. Go to the Desktop Authentication section, and select the allowed authentication methods.

    NOTE: The additional Imprivata ID settings that are available in the Authentication method options section do not apply to Secure Walk Away.

  5. Save the policy.

Assign the User Policy

To assign users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import it.

Create the Computer Policy

To create a computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer Policies page.

  2. Click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Kiosk Workstations section.

  4. Select Allow Fast User Switching with Citrix or Terminal Servers.

  5. Do one of the following:

  6. Select one of the following in the Windows Authentication section:

    • Authenticate using Windows

    • Authenticate using Imprivata

      This setting skips Windows authentication, and is useful if the kiosk workstation is not in a trusted domain.

  7. Click Save.

Assign the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    1. Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    2. Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    3. Computer IP address — Enter the range of IP addresses to include in this computer policy

    4. Computer host name — A computer matches if its host name contains the text entered in this field

    5. Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

You configure the Citrix server computer policy to allow FUS and to control how the workstation is to respond to:

  • The proximity of the phone throughout the shift.

  • Keyboard and mouse inactivity when the phone is detected.

  • Keyboard and mouse inactivity when the phone is not detected.

Configure FUS and Secure Walk Away Thresholds

To create the computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer policies page.

  2. Click Add and name the policy.

  3. On the Citrix or Terminal Server tab, go to the Fast User Switching section.

    4. NOTE: The settings in the section Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions are not used in a ProveID Embedded environment.

  4. Under Endpoints with an installed ProveID Embedded agent, select Allow Fast User Switching with the remote server if allowed in computer policy.

  5. On the Walk-Away Security tab, go to the Secure Walk Away section:

    1. Select a time from Lock workstation after and Show inactivity warning.

      These values manage desktop locking when the phone is no longer detected.

      For example – the phone is detected after the user logs in, but moves out of range when the user leaves the workstation.

    2. (Optional) Select a time from Automatically re–authenticate user.

      This value manages the grace period during which a user can return to the workstation and have it automatically unlocked.

  6. Go to the Inactivity detection section.

    1. If required, adjust the Imprivata ID inactivity and warning thresholds.

      These values manage desktop locking when the phone is detected, but there is no keyboard and mouse activity.

      For example – the phone is detected after the user logs in, but the user leaves the workstation without their phone.

    2. Configure the Keyboard and mouse inactivity and warning thresholds.

      If the phone cannot be detected after the user logs in, Secure Walk Away falls back to these inactivity thresholds.

  7. Save the policy and assign it to the Citrix server.

Reporting

You can use the Computer Peripheral Usage report to identify where BLE enabled devices have been deployed in your enterprise. This report identifies:

  • Endpoints to which a BLE device has been plugged in.

  • The model and vendor of the device.

  • The version of the firmware installed on the device.

To run the report:

  1. In the Imprivata Admin Console, click Reports > Add new report.

  2. Under the Platform column, click Computer Peripheral Usage.

  3. Specify a date range, and click Run.

    The date range indicates when the BLE device was plugged into the endpoint.

    For example, a report with a date range of Today, will not include an endpoint where the BLE device was plugged in two days ago.

Next Steps

The following sections detail additional areas of configuration and reference the respective Enterprise Access Management documentation.

If you have not already, install Imprivata ProveID Embedded on your thin client devices.

To install and configure ProveID Embedded thin clients, see Installing and Configuring ProveID Embedded on Linux Thin Clients.

You can configure one or more Imprivata APG profiles to manage the application SSO and logoff sequences that are detailed in Citrix License Usage and Expected End User Workflow.

Consider the following:

  • If you are configuring Enterprise Access Management with Epic Hyperspace, an application profile is not required. The Imprivata Connector for Epic Hyperspace manages the logout behavior.

  • For complete details on how to profile an application, see Generating an Application Profile.

When configuring a logoff sequence, be sure to set the values under Execute the logoff sequence as follows:

  • Select During fast user switching on a kiosk workstation.

  • Deselect Shut down the application during fast user switching on a kiosk workstation?.

  • Deselect Before the application is shut down by OneSign.