Consider the following best practices for maintaining your Imprivata Mobile Access Management (formerly GroundControl) environment over time.
Non-production Environment for Testing
- All Imprivata customers have access to a no-fee user acceptance test (UAT) environment for non-production testing of pre-release versions.
- Maintaining a UAT environment can ensure a stable production environment.
- To obtain access to our early release UAT environment, customers can open a ticket at support.imprivata.com. UAT environments are updated ahead of the next release 2-4 weeks before to a Prod release.
- Imprivata also gives access to Locker Apple TestFlight pre-releases for non-production testing, as well as early release Android APKs.
- Customers may join the TestFlight pre-release by opening the following link from an iOS device, when Apple’s TestFlight app is installed: https://testflight.apple.com/join/bU0feGam.
- To obtain access to the early release Android APK, customers can email mobile@imprivata.com.
Launchpad Updates
Launchpad Workstations
Maintaining your Launchpad workstations will ensure all components function correctly. Ensure your organization has a strategy for maintaining all of the below:
Operating System Updates and Security Patches
- Create a strategy to keep the Launchpad computer operating system at a version supported by MAM. For more information, see the system requirements. Ensure that OS update testing includes MAM-specific testing, so that these 24 x 7 workstations are not negatively impacted during an upgrade.
Apple iOS MobileDevice Framework
- Ensure that the Apple MobileDevice Framework on the Launchpad computer is updated before updating to the next generation of iOS on the iOS devices.
- Ensure that the version of Apple MobileDevice Framework is the minimum supported version the iOS device will be upgraded to. For more information, see About MobileDevice.
Apple iOS Mobile Device Drivers
- Device Drivers for iOS (Apple MobileDevice Framework) are released alongside each new release of iOS.
It is imperative to keep this up to date or communication between MAM and the MobileDevice can fail. - Windows Launchpad workstations can unknowingly overwrite Device Drivers for iOS. To prevent this from occurring, see About Apple Mobile Device Driver on Windows and Devices Do Not Appear On Windows 11 Launchpad.
Launchpad Application
- To ensure a healthy environment, the best practice is to stay within one version of the most recent release of the MAM Launchpad software.
- Uptime of the Launchpad is critical to the performance of MAM.
For this reason, Imprivata does not recommend using the Automatic Upgrades setting for Launchpads. This allows you to test a Launchpad upgrade on a single machine before upgrading across your enterprise.
Beginning with MAM 6.5, for net new organizations, the Automatic Upgrades setting is defaulted to off.
In the MAM admin console, go to Admin > Launchpads > Automatic Upgrades and ensure that the setting is OFF. For more information, see Launchpads. - Mac Launchpads require specific settings to ensure that automatic Launchpad upgrade works correctly. For more information, see Launchpad Update and Auto Launch on Mac.
NOTE: If you use an automated installation system, then generally you will use the same system to distribute updates to the Launchpad software and Apple Device app or iTunes components.
Create a plan to update the Launchpad software.
Smart Hubs
Firmware Updates
- Ensure that the Smart Hubs have the most current supported firmware installed, which will ensure that you have support for current mobile devices. For more information, see Update Smart Hub Firmware.
Hardware
Create a strategy to routinely inspect and maintain the Smart Hub hardware, for example, during normal rounds. The inspection should include the following tasks:
- Examine and replace physically damaged cables.
- Ensure proper cable management — with cable ties for the Launchpad, Smart Hub, and proximity card reader — to reduce chances of tampering.
- For Bretford Smart Hubs, ensure that the cable security rails are secured.
- Clean Smart Hubs regularly by following vendor-supported cleaning solutions and chemicals.
For Smart Hub replacement:
- If purchased through Imprivata, or for general questions, contact Imprivata Customer Support.
- If purchased through a different vendor, contact the manufacturer.
Devices
Mobile Device OS Updates
Create a strategy for keeping the mobile device OS (iOS and Android) at a version supported by MAM. For more information on supported device OS versions, see the system requirements.
iOS Updates
- Use MAM automation to perform the iOS updates instead of your MDM’s over-the-air, just in time iOS updates. MDM updates can interrupt Locker checkins. For more information, see Update iOS.
- Do not perform an iOS update as part of a Check In Workflow.
- Use a scheduled automation and the iOS Update Workflow action to update connected iOS devices in target groups at specific times throughout an update window.
- Ensure that you run a Check In Workflow after the update is complete.
- For iOS 17 and higher, ensure iOS updates and provisioning are properly applied by reviewing these custom options.
Certificates
Track the certificates that are in use in your MAM organization. Take special note of the following:
- The expiry date of the certificates.
- Where the certificates are installed or being used.
Expiring and Exporting the Supervision Identity for DEP
The Supervision Identity for DEP, a cryptographic file in .crt format, has an expiry date tied to the date you export it from the MAM admin console. For more information, see About DEP Supervision Identities.
Updating the SAML Certificate
For organizations using SAML to provision and authenticate users against their Identity Provider (IdP), Mobile Access Management takes the role of a Service Provider (SP). During configuration, you created a SAML certificate in the MAM admin console for use with your IdP.
Beginning 60 days before the SAML certificate expires, the MAM admin console displays an alert warning you of the expiration. The banner is only displayed when the active SAML certificate is expiring.
For more information, see Configure SAML.
Utilizing Dashboards
A key feature of implementing MAM is the capability to review device and Smart Hub health across your enterprise. Ensure your enterprise has identified the responsibility people who will review the dashboard daily and, as needed, to identify devices that need following up on, including but not limited to:
- Unpaired devices
- Devices that are overdue for an extended period of time
- Devices without a heartbeat
- Devices that haven’t been connected for an extended period of time
- Check In and Check Out failures
For more information, see Dashboard.
Change History
| Date | Version | Description |
|---|---|---|
| September 2024 | 3.0 | Update "Maintenance" section Add "Certificates" section to Maintenance |
| July 2024 | 2.0 | Add new sections for "Before You Begin — Strategy". Remove the "Audience" section. Update the "User Experience" section to "Settings" Add new section for "Deployment" |
| June 2024 | 1.0 | Initial release of the guide |