Implementation – Components

Created: Modified: Implementation Guide

NOTE: Information in this implementation guide should be used in conjunction with GroundControl’s system requirements.

The Imprivata GroundControl solution integrates multiple first-party and related components:

  • the GroundControl Console
  • your MDM system
  • the GroundControl Launchpad Mac or Windows PC
  • smart USB hubs
  • proximity card readers
  • iOS and Android devices
  • device cases (cases are optional)
  • the Imprivata Locker app (iOS and Android)
  • Wi-Fi and network
Cloud management
Imprivata GroundControl Console

Imprivata GroundControl is a hybrid system with a cloud-based SaaS management console.

Customers usually choose our multi-tenant cloud, but some opt for a dedicated cloud system. A dedicated cloud is physically isolated from other customers, while still managed by Imprivata. A dedicated cloud also allows your organization to receive Imprivata GroundControl software updates on a delayed release, which means you are assured the most stable version available. Dedicated clouds have the same high-availability infrastructure as our shared cloud. If you are interested in a dedicated cloud, talk with your Imprivata account manager.

By default, Imprivata GroundControl uses a traditional username and password for login. Imprivata recommends that you instead opt for SAML login, which reduces risk by keeping no passwords within the Imprivata GroundControl cloud. Your organization is then able to enforce all authentication requirements. SAML is available for both shared and dedicated environments. To set up SAML, see Configure SAML.

The Imprivata GroundControl console requires each user to be assigned a role. Review our role documentation to select the most appropriate role for each of your administrators. End users, e.g. nurses, do not need an Imprivata GroundControl account to check out devices; their account in Imprivata OneSign is sufficient.

MDM system

A well-configured MDM system is critical to the Check Out workflow. The following MDM systems are supported for Check Out:

  • Ivanti Endpoint Manager Mobile (formerly MobileIron Core)
  • Ivanti Neuron (formerly MobileIron Cloud)
  • JAMF Pro
  • Microsoft Intune
  • Samsung Knox Manage
  • SOTI MobiControl
  • VMware Workspace ONE UEM
Required MDM Configurations

There are several required items that must be configured in your MDM.

  • You must integrate Imprivata GroundControl with your MDM’s API. See the specific instructions to configure MDM.
    • The API integration is used by Imprivata GroundControl to clear any device passcodes on check in.
    • The API integration can be used to trigger Lost Mode.
  • For iOS devices:
    • Your MDM’s DEP profile must include Imprivata GroundControl’s supervision identity. This allows your device to more reliably connect to Imprivata GroundControl.
    • The DEP profile should skip all setup screens. This is probably different than your process for 1:1 devices.
    • For VMware Workspace ONE, Imprivata GroundControl can assign devices to the DEP profile, so you don’t need to collect lists of serial numbers.
    • All devices must be set to Disable USB Restricted Mode. This feature has different names in different MDMs, but is used to keep your device’s USB connection active even while passcode locked.
    • The MDM should Allow Recovery for Unpaired Devices.
    • All devices must receive a notification profile to allow our Imprivata Locker app to receive notifications.
      • The app ID for Imprivata Locker (iOS) is
  • Apple permits a maximum of one notification profile on devices. This limitation is usually not enforced by MDM systems, leading to conflicts and unexpected behaviors.
    • To avoid unexpected notification behavior, Imprivata strongly recommends using one master notification profile for all iOS devices — both shared and dedicated — in your organization.

For VMware Workspace ONE, you have several options to set up an API integration:

  • Imprivata strongly recommends you use a local VMware Workspace ONE admin account for GroundControl APIs and avoid Active Directory accounts. Active Directory admins slow each API call by two seconds, which will make your check outs slower.
  • Imprivata recommends that you set up certificate authentication for the local admin user, which will avoid periodic password expirations.
Equipment at Each Location

As a hybrid solution, Imprivata GroundControl requires equipment at each location where you will store devices. This includes a Launchpad Mac or Windows PC, a proximity badge reader, and a USB hub.


The Launchpad is the GroundControl software for Mac or Windows PC. This software receives instructions from the Imprivata GroundControl Server in the cloud. By installing the Imprivata GroundControl Launchpad software onto your organization’s Windows PCs and Macs, you can create many Launchpads for simultaneous, distributed mobile device deployments.

BEST PRACTICE: Test your Launchpad (Mac or Windows) extensively with your device Workflows before deployment.

  • Each location with devices will need its own Mac or Windows PC. Imprivata does not test with or support virtual or thin-client systems.
  • GroundControl Launchpads only support concurrent connections to smart hubs of the same manufacturer.
  • The Launchpads must have a stable 24 × 7 network connection. Ethernet is always preferred, but Imprivata GroundControl can run over Wi-Fi if needed.
  • To scale to dozens or hundreds of sites, you should prepare your installation process. Imprivata GroundControl supports automated Launchpad installation and registration, using systems such as UEM, SCCM, and Jamf Pro.

NOTE: If you use an automated installation system, then generally you will use the same system to distribute updates to the Launchpad app and iTunes components. Imprivata GroundControl’s cloud-managed Launchpad update system is available only if you carefully manage permissions so the auto-login user has read-write permissions to the Launchpad executable. Create a plan to update Launchpad app and Apple’s MobileDevice components.

Set Up Launchpad PC for Unattended Use

Whether you choose Mac or Windows PC, the systems must be set up for unattended use.

  • Imprivata GroundControl runs as a foreground application, so the computer must automatically log in as a user.
  • The login user should not have admin privileges.
  • A headless system, with no display, is preferred.
  • Set the PC to automatically boot in case of an unexpected shutdown.
  • Set the Imprivata GroundControl Launchpad application to run at start.
  • The PC must be set to never go to sleep.
  • The PC should be dedicated for Imprivata GroundControl, and not shared with other apps.
  • Some method of VNC or other remote access is required to all stations; you won’t need it often, but you will be glad to have it when you do.

Mac Launchpad Requirements

Launchpads on Mac CPs have certain additional requirements:

  • The installation of the Launchpad must be performed by Mac user account which will be running the Launchpad, to ensure that Launchpad Auto update and update console works.

Windows Launchpad Requirements

Launchpads on Windows PCs have certain additional requirements:

  • Windows 10 and Windows 11 are supported for Check Out.
  • You must install the current iTunes or, better, extract DLLs from iTunes for Apple’s MobileDevice components.
  • If your PC has trouble connecting to more than 8 or so devices at once, try to disable XHCI in the PC’s BIOS.
  • The Launchpad can’t have the Imprivata agent (for Imprivata OneSign) installed, as this will conflict with the proximity card reader.

Mac Launchpad Known Issues

Macs with Apple Silicon may have some difficulty when connected to many USB devices at once. Imprivata has found the following to be successful:

  • The Mac is running macOS 13 or later.
  • An Imprivata-branded Bretford PowerSync Pro v2 USB hub
    • The Bretford hub is connected to the Mac with the USB-C to USB-B cable provided by Bretford.
    • The Bretford hub is running the latest firmware.

At this time, Imprivata sees Datamation & Cambrionix USB hubs periodically fail to recognize iOS devices when used with M1 Macs. These companies are aware of the issues. There is no comparable issue when using Intel-based Macs.


The USB hub is a critical infrastructure component. You must take care to select a model that has been proven to support the demands of 24/7 healthcare. If your hardware isn’t up to standard, then your software will perform poorly.

Imprivata has tested, recommends, and resells the Imprivata-branded Bretford Pro v2 hubs with 10 or 20 ports, in Small (iPhone) and Large (iPad) form factors, available globally.

These Smart Hub models are smarter than your average USB hub and have the following advantages:

  • The hubs charge at the device’s maximum power, fully recharging the battery 3 times quicker than ordinary hubs.
  • Imprivata GroundControl is able to use special integrations to report the port # of each connected device.
  • Imprivata GroundControl can control the hub’s LEDs to communicate status to your users.

BEST PRACTICE: Bretford and Cambrionix hubs have upgradable firmware. Install the most current firmware, which will ensure you have support for current mobile devices. Once deployed, however, there is usually no need to further update the firmware until your next device refresh. GroundControl reports the firmware version in the Launchpad view.

Limitations and Known Issues

  • Imprivata does not recommend using Datamation Unilock’s locking risers, because they delay access to the devices.
  • Imprivata has encountered issues with “M1” and “M2” Macs failing to recognize iOS devices when used with smart USB hubs The smart hub vendors are aware of the issues. Imprivata sees no comparable issue when using Intel-based Macs.
  • GroundControl does not support the daisy-chaining of hubs.

Connect a proximity card reader to the USB port of each Launchpad PC or Mac. You may connect this directly to the PC or use the expansion port on your Smart USB hub.

  • Only certain proximity card readers are supported. For more information, see the system requirements.
  • Imprivata OneSign requires custom parity settings for the readers. For assistance configuring readers for other Identity providers, contact the support team at
Each Mobile Device

Mobile devices must be running a compatible operating system version. See the system requirements.

iPhones and iPads are supported as DEP and non-DEP devices.


There are a variety of case manufacturers and models available to meet the unique needs of different industries, many of which fit the form factors of GroundControl’s supported Smart Hubs.

  • Basic protective cases are supported.
  • Imprivata does not recommend using supplemental battery cases with data passthroughs for iOS devices. For additional information, see this article.

For device cleaning recommendations, see your device manufacturer’s recommendations and consult your organization’s infection prevention department best practices.

Imprivata Locker App for iOS and Android

The Imprivata Locker app manages device sign in and out. Your MDM must install the Imprivata Locker app on all shared devices intended for Check Out.

The Imprivata Locker app locks down the device between users. An unlock PIN is available and recommended for emergencies when the network or other components may be unavailable.

For more information, see this article.

The Imprivata Locker app is required for Check In / Check Out customers. If you are not a Check In / Check Out customer, you do not need the Imprivata Locker app.

Wi-Fi and Network

For information on Wi-Fi and network requirements, see the GroundControl system requirements.