Configuring Secure Walk Away with Roaming VMware Virtual Desktops

This topic details how to configure Imprivata Secure Walk Away with roaming VMware virtual desktops. This topic:

  • Describes two clinical workflows where Imprivata Secure Walk Away is securing Imprivata ProveID Embedded workstations (thin clients).

  • Explains how to configure your Imprivata polices, VDI environment, and thin client endpoints to support the clinical workflows.

In this configuration, multiple users can share a workstation while maintaining an explicit session to a virtual desktop:

  • A shared workstation with a roaming virtual desktop lets users move from workstation to workstation and automatically connect to a full Windows desktop that is delivered via VDI.

  • As users authenticate to different shared workstations, they reconnect to their desktop virtualization session.

    Reconnecting to the session makes it appear as if the their desktop, and all applications that are running on it, are "roaming" with them.

  • The virtual desktop is automatically launched after the user successfully authenticates.

Public areas where multiple users have access to the same workstation, such as a nursing station on a medical surgery floor, may be suited for locking the workstation only. The following details an example workflow.

User 1 (nurse) has their phone present and taps their proximity card to authenticate to the shared workstation.

  • The virtual desktop is automatically launched for the nurse.

  • The nurse is automatically signed into the desktop. They may choose to open additional applications, which can be configured for SSO.

The nurse walks away.

The Imprivata agent detects that the phone is no longer present:

  • After the specified Secure Walk Away inactivity threshold, an inactivity warning appears, and then the desktop is locked.

  • The virtual desktop, including all of the applications that the nurse was using remain running, but are now secured behind the lock screen.

The nurse continues their rotation, moving to a new floor, and taps their proximity card to authenticate to a different shared workstation.

Imprivata Secure Walk Away detects the phone, and the Imprivata agent begins to monitor it:

  • The roaming virtual desktop is automatically reconnected to the workstation.

  • The desktop and the applications are running in the same state as previously used.
When the nurse is finished, they tap their proximity card to secure the workstation.

User 2 (physician), who has left their phone at home, taps their proximity card to authenticate to the shared workstation.

Because Secure Walk Away cannot detect the phone, it falls back to keyboard and mouse inactivity timeouts.

  • The virtual desktop is automatically launched for the physician.

  • The physician is automatically signed into the desktop. They may choose to open additional applications, which can be configured for SSO.

The physician leaves the workstation without securing it.

After the specified keyboard and mouse inactivity thresholds, an inactivity warning appears, and then the desktop is locked.

Private areas or a setting where the same person is expected to be at the same workstation for an extended period may be suited for locking and unlocking the workstation. The following is an example of this workflow.

User 1 (nurse) has their phone present and taps their proximity card to authenticate to the shared workstation.

  • The virtual desktop is automatically launched for the nurse.

  • The nurse is automatically signed into the desktop. They may choose to open additional applications, which can be configured for SSO.

The nurse walks away.

The Imprivata agent detects that the phone is no longer present:

  • After the specified Secure Walk Away inactivity threshold, an inactivity warning appears, and then the desktop is locked.

  • The virtual desktop, including all of the applications that the nurse was using remain running, but are now secured behind the lock screen.

The nurse returns to the same shared workstation within a specified grace period.

  • No other user has authenticated to the workstation.

  • The Imprivata agent detects the phone and unlocks the workstation automatically.
When the nurse is finished, they tap their proximity card to secure the workstation.

The nurse continues their rotation, moving to a new floor, and taps their proximity card to authenticate to a different shared workstation.

Imprivata Secure Walk Away detects the phone, and the Imprivata agent begins to monitor it:

  • The roaming virtual desktop is automatically reconnected to the workstation.

  • The desktop and the applications are running in the same state as previously used.

While the nurse works, the phone's battery dies.

  • The Imprivata agent can no longer detect the phone.

  • After the specified Secure Walk Away inactivity threshold, an inactivity warning appears, and then the desktop is locked.

The nurse re-authenticates to the workstation.

Because Secure Walk Away cannot detect the phone, it falls back to keyboard and mouse inactivity timeouts.

Before You Begin

Review the following sections before you begin.

While this feature is available as part of your Imprivata Authentication Management (AM) or AM/Single Sign–On (SSO) license, all currently supported BLE devices must be flashed with new firmware before enabling Secure Walk Away.

NOTE: For a list of supported BLE devices, see "Imprivata OneSign Supported Components" in the Imprivata Environment Reference. You can download the required firmware files and instructions for flashing your devices here.

Before you begin:

  • Review the Imprivata Enterprise Access Management with SSO Supported Components in the Imprivata Environment Reference to confirm that your thin client models and firmware versions are supported.

  • The following licenses are required:

    • Authentication Management (AM) or AM/Single Sign–On (SSO).

    • Imprivata Virtual Desktop Access (VDA).

This topic assumes that your VMware Horizon environment is configured and operating normally, independent of Imprivata. Verify that:

  • The VMware Horizon Agent is installed on all virtual desktops Enterprise Access Management users will access.

    The Horizon Agent must be enabled for USB redirection.

  • The VMware Horizon client is installed on all shared thin clients.

Session persistence (roaming) is managed by your VMware virtual environment, not Enterprise Access Management. If your virtual environment is configured correctly for session persistence, Enterprise Access Management seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

BEST PRACTICE: Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the connection broker roams the session that the user was previously using.

For more information about configuring session persistence and application delivery, see your vendor documentation.

Enterprise Access Management Configuration

The following sections detail the steps to configure your Imprivata OneSign environment, which include:

  • Configuring and assigning a user policy.

  • Configuring the connection to the VMware Horizon View connection brokers.

  • Configuring two computer policies. The first policy is assigned to the thin clients, while the second is assigned to the virtual desktops.

In this configuration you:

  • Enable users to authenticate with a proximity card or a password as a primary factor.

  • Enable virtual desktop access.

Although users will typically authenticate to Enterprise Access Management with a proximity card, enabling password as a primary factor is required for VMware pass–through authentication.

Defining Authentication Methods and Enabling Virtual Desktop Access

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Walk-away security section, and select Allow Secure Walk Away.

  4. Go to the Desktop Access Authentication section. Under Primary Factors, select Password, and then Proximity Card.

    A second factor is not required.

  5. On the Virtual Desktops tab, select Enable virtual desktop access automation.

  6. Select Automate access to full VDI desktops, and then select VMware.

  7. Save the user policy.

Assigning the User Policy

To assign users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import it.

Configuring a connection to the VDI connection brokers makes your virtual desktops available to computer policies.

To configure the connection:

  1. In the Imprivata Admin Console, click Computers > Virtual desktops.

  2. Go to the VMware Horizon–Desktops section, and enter one or more URLs to the Horizon Connection Servers.

  3. Click Save.

In this configuration you:

  • Enable the thin clients for Windows authentication and automated virtual desktop access.

  • Configure Secure Walk Away inactivity thresholds and desktop locking behavior.

Enabling Windows Authentication and Virtual Desktop Access

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  4. On the Virtual Desktops tab, go to the VMware Horizon – Desktop section, and select Automate access to VMware Horizon.

  5. Under When a VMware Horizon endpoint is locked, select Keep the VMware Horizon client and user session active.
  6. Under Available VMware Horizon Connection Managers, select one or more Horizon Connection Servers.

  7. Save the computer policy.

Configuring Secure Walk Away Thresholds

To configure Secure Walk Away thresholds:

  1. In the Imprivata Admin Console, click Computer > Computer policies.

  2. Open the computer policy assigned to the thin clients.

  3. On the Walk-Away Security tab, go to the Secure Walk Away section:

    1. Select a time from Lock workstation after and Show inactivity warning.

      These values manage desktop locking when the phone is no longer detected.

      For example – the phone is detected after the user logs in, but moves out of range when the user leaves the workstation.

    2. (Optional) Select a time from Automatically re–authenticate user.

      This value manages the grace period during which a user can return to the workstation and have it automatically unlocked.

  4. Go to the Inactivity detection section.

    1. If required, adjust the Imprivata ID inactivity and warning thresholds.

      These values manage desktop locking when the phone is detected, but there is no keyboard and mouse activity.

      For example – the phone is detected after the user logs in, but the user leaves the workstation without their phone.

    2. Configure the Keyboard and mouse inactivity and warning thresholds.

      If the phone cannot be detected after the user logs in, Secure Walk Away falls back to these inactivity thresholds.

  5. Save the computer policy.

Configuring Desktop Warning Behavior

Optionally, you can choose the type of warning that notifies the user that the workstation is going to lock.

To configure the behavior:

  1. In the Imprivata Admin Console, click Computer > Computer Policies

  2. Open the computer policy assigned to the thin clients.

  3. On the Walk-Away Security tab, go to the Lock and warning behavior section.

  4. Select the desired behavior, and save the computer policy.

  5. (Optional) To customize the warning message, click Customize the warning and lock display text.

    The Walk-away security section lets you update the message.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    1. Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    2. Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    3. Computer IP address — Enter the range of IP addresses to include in this computer policy

    4. Computer host name — A computer matches if its host name contains the text entered in this field

    5. Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

While there are no required computer policy settings for the virtual desktop, it is best practice to keep policies associated with your virtual desktops and thin clients separate. Consider the following:

  • Secure Walk Away must not be configured on the virtual desktop computer policy. Verify that the all Secure Walk Away settings (Secure Walk-Away tab > Secure Walk Away section) are set to Never.

  • For any settings you require, create a new computer policy and explicitly assign it to your virtual desktops.

Virtual Desktop Configuration

The following sections detail the steps to configure your virtual desktops, which include:

  • Installing the Imprivata agent on the virtual desktops.

  • Enabling the detection of proximity card events on the virtual desktops.

Install the Imprivata single–user computer agent (type 1) on all of the virtual desktop that are accessible to Imprivata users.

Use the Installation Wizard

To install the Imprivata agent:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which the agent must connect to obtain the enterprise topology.

  • Select the Single User Computer agent.

Use a Software Distribution Tool

To deploy the Imprivata agent using a third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=1

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see Imprivata Agent command line reference .

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Configure the following keys to enable the detection of proximity card events on the virtual desktop.

Name Data Type Location Value
RedirectionSupported DWORD

64–bit: HKLM\Software\SSOProvider\DeviceManager

Default = 0

Set to = 1
RemoteOnly DWORD

64–bit: HKLM\Software\SSOProvider\DeviceManager

Default = 0

Set to = 1

Thin Client Configuration

The following sections detail the steps to configure your thin clients, which include:

  • Uploading the broker server domain certificates to the thin clients.

  • Configuring the connection to the virtual desktop.

  • Optionally, enabling the VMware Horizon menu bar.

The domain certificates of the Horizon Connection Server must be uploaded to the same directory as the Imprivata appliance SSL certificates. The following list specifies the required directory:

  • HP—"/usr/local/share/ca-certificates"

  • IGEL—"/wfs/ca-certs"

NOTE: For more information on using the HP Management Console or the IGEL UMS to upload certificates, see your vendor–specific documentation.

Thin clients typically ship with a compatible version of Citrix Workspace app, which uses the explicit user credentials to connect to and deliver the virtual desktop.

Imprivata supports a number of thin client devices, all of which support native connections to and Omnissa Horizon View. The steps to configure Citrix Workspace app vary by device.

For more information, see your vendor–specific documentation.

NOTE: In addition to the registry settings that are configured on the virtual desktop, USB redirection is managed from the thin client, independent of Enterprise Access Management. Configure devices to support the USB redirection of your proximity card readers, as well as any other required devices.

By default, Imprivata ProveID Embedded does not display the VMware desktop menu bar (shade bar). You can use the ProveID Embedded configuration editor to modify the behavior.

To run the configuration editor, open a terminal and enter the following:

/usr/lib/imprivata/runtime/bin/configuration-editor

The following example configures the thin client to display the menu bar:

usr/lib/imprivata/run/bin/configuration-editor menubar

The following example configures thin client to hide the menu bar:

usr/lib/imprivata/run/bin/configuration-editor nomenubar

Reporting

You can use the Computer Peripheral Usage report to identify where BLE enabled devices have been deployed in your enterprise. This report identifies:

  • Endpoints to which a BLE device has been plugged in.

  • The model and vendor of the device.

  • The version of the firmware installed on the device.

To run the report:

  1. In the Imprivata Admin Console, click Reports > Add new report.

  2. Under the Platform column, click Computer Peripheral Usage.

  3. Specify a date range, and click Run.

    The date range indicates when the BLE device was plugged into the endpoint.

    For example, a report with a date range of Today, will not include an endpoint where the BLE device was plugged in two days ago.