Imprivata GroundControl uses several visual and audible cues to let the user know what it is doing.
The “happy path” for Check Out is the following sequence, which should happen within 5-8 seconds:
| Ideal Check Out | Smart Hub standard LED | Smart Hub without Blue |
|---|---|---|
| 1. User taps badge | Green | Green |
| 2. Badge reader beeps once to indicate a successful scan | Blue | Green |
| 3. A device unlocks and illuminates, and shows the user’s name on the screen | Flashing white | Flashing white |
| 4. User removes the device from the dock | Off | Off |
The correct indication that the device is ready is that the device’s screen illuminates and displays the name of the user. On some hubs, the standard blue LED may confuse users, who remove the phone at step 2, before the device is unlocked. We recommend using the option in the admin console’s Launchpad options to suppress the blue LED.
We recommend displaying the user’s name on the device at check out, which is stored in the built-in Attribute “Imprivata Display Name” if you are using Imprivata OneSign. In your Check Out workflow, in the Check Out action, set the text to display to “Ready for [Imprivata Display Name]” or something similar.
IMPORTANT: Do not use the [Device Checkout Status] attribute for unlock text.
Any check out errors are indicated by audible beeps.
| Beeps | Meaning |
|---|---|
| 1 Beep | Good Scan |
| ...then 2 Beeps | User Error: Badge was not found in the IdP |
| ...then 3 Beeps | Device Error: No devices available, or automation error |
| ...then 4 Beeps | Already Has Device: Admin > Check Out limits devices per user, and the username is already associated with a device. |
Imprivata GroundControl will also display a corresponding error in the admin console’s Launchpad view, or in the Launchpad UI if a display is connected.
To check in devices, your users connect the devices to the dock. When connected correctly, the dock should illuminate the corresponding LED. Ask the users to wait to confirm the LED lights up before walking away.
In your Check In Workflows, Imprivata strongly recommends including a Launch App action, to launch (for example) “com.apple.Preferences” (i.e. Settings). This action ensures that the Imprivata Locker app is not foregrounded at the start of check in, increasing reliability. Imprivata has reported this bug to Apple.
ENTERPRISE PASSWORD AUTOFILL
GroundControl supports Enterprise Password AutoFill on iOS devices and Autofill Services on Android devices. This system leverages the power of Imprivata OneSign to autofill passwords into most apps and web sites. In many cases, the system can also fill usernames.
IMPORTANT: Password AutoFill is not SSO. Users still need to sign in to multiple apps, even though the sign-in process is dramatically easier. AutoFill on its own does nothing to improve app logout.
AutoFill has several prerequisites:
- A maintained release of Imprivata OneSign.
- Imprivata OneSign Authentication Management and SSO licenses for each of your users.
- Your MDM must not restrict autofill features.
- For iOS devices:
  - Imprivata Locker for iOS 3.0 or later.
  - Devices must be using iOS 14.1 or later.
  - Each device must be set up — manually — to enable Locker’s Password AutoFill extension. Unfortunately, Apple has provided no way to enable AutoFill extensions with MDM. The manual setting will persist from user to user. But if the phone is erased or recovered, our extension will need to be enabled again. At Check Out, Locker will display a message to the user if the extension is unintentionally disabled.
- For Android devices:
  - Imprivata Locker for Android 1.1 or later.
  - Devices must be on Android 9 or later.
Use Imprivata OneSign’s standard profile system to deploy app/user credentials to phones.
In theory, you could create separate profiles for each of your apps and web sites. However, this would result in a long list of apps on each device. Since most apps use federated authentication with common credentials, you can instead add one “app” called “Network Login” (or similar title) that uses the user’s AD credentials.
VMWARE WORKSPACE ONE ACCESS
If you use Workspace ONE UEM and Workspace One Access, you can also enable SSO to apps that are compatible with Workspace One’s SSO.
1. User taps a badge, and Imprivata GroundControl looks up the user.
2. Imprivata GroundControl sends an API request to Workspace ONE to check out the device to this user.
3. Workspace ONE installs a MobileSSO certificate onto the device.
4. A user launches an app configured to use Workspace One Access as the identity provider.
5. Access confirms the certificate installed in step 3, and authenticates the user without a prompt.
In the above example, apps need to be compatible with VMware Workspace One Access – not with Imprivata GroundControl.
In most cases, your staff will need to manually sign out of apps before checking in the device at the end of the day. If they do not sign out:
- Apps may continue to send push notifications to the device
- Back-end systems may continue to show the user as “available” after they have left
- The phone’s next user may have access to data pertaining to the previous user
Imprivata is working to improve the sign in and out user experience, and has introduced technologies such as Universal Link Callbacks. We encourage you to speak with your app vendors to learn about their plans to support ULCs for logout from shared iOS devices.
Imprivata GroundControl usually hides devices as soon as they are unplugged. But you may wish to list checked out devices, in order to identify the users at any given moment.
Imprivata GroundControl allows the display of checked out devices in three ways:
- In the Admin console, within the Launchpad detail
- In the Launchpad display
- On the device itself, using a Safari bookmark
These lists are always grouped by Launchpad. This feature helps each team manage its own pool of devices, without needing to see the entire population of iOS devices at your organization. The idea is that each device has a “home” Launchpad, and devices are expected to return to that home each day. NOTE: By default, Imprivata GroundControl does not enforce this rule, and devices moved between Launchpads will adopt the new Launchpad as their new home.
For more information, see showing checked out devices.
Like library books, checked-out devices that aren’t returned by a certain date become overdue, and Imprivata GroundControl can notify you or the user that the device hasn’t been returned yet.
Overdue devices are marked as such in the admin console. Additionally, you can trigger an email to any group of email addresses or even an attribute you set for the “home” Launchpad. Also, if desired, Imprivata GroundControl can trigger “Lost Mode” (if using Workspace ONE, Jamf Pro, or Microsoft Intune) to lock down the device over the air, with a message of your choice.
Imprivata GroundControl automatically removes lost mode when the device is returned to any Launchpad.
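The overdue and lost-mode behaviour described above, as an added example that is not GroundControl code: each device has a home Launchpad carrying a notification attribute, an overdue sweep groups overdue devices by home Launchpad and flags lost mode where the home Launchpad asks for it, and a check-in at any Launchpad clears lost mode and adopts that Launchpad as the new home. The record fields, the 12-hour loan period and the sample devices are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed records; field names are assumptions, not GroundControl's data model.
@dataclass
class Launchpad:
    name: str
    overdue_notify: str = ""           # attribute holding the home Launchpad's contact address
    lost_mode_on_overdue: bool = False # only meaningful with Workspace ONE, Jamf Pro or Intune

@dataclass
class Device:
    serial: str
    home: Launchpad
    checked_out_by: Optional[str] = None
    checked_out_at: Optional[datetime] = None
    lost_mode: bool = False

LOAN_PERIOD = timedelta(hours=12)  # assumed "certain date" rule: a device is due back after a shift

def overdue_sweep(devices, now):
    """Return {home Launchpad name: [(serial, user, notify address)]} for overdue devices.
    Devices whose home Launchpad asks for it are put into lost mode."""
    report = {}
    for d in devices:
        if d.checked_out_at is None or now - d.checked_out_at <= LOAN_PERIOD:
            continue  # not checked out, or still within the loan period
        if d.home.lost_mode_on_overdue:
            d.lost_mode = True
        report.setdefault(d.home.name, []).append(
            (d.serial, d.checked_out_by, d.home.overdue_notify))
    return report

def check_in(device, launchpad):
    """Returning to any Launchpad clears lost mode; by default (not enforced) the
    Launchpad the device is docked at becomes its new home."""
    device.checked_out_by = None
    device.checked_out_at = None
    device.lost_mode = False
    device.home = launchpad
    return device

if __name__ == "__main__":
    now = datetime(2024, 1, 2, 9, 0)
    er = Launchpad("ER", "er-leads@example.org", lost_mode_on_overdue=True)
    d = Device("SN-0001", er, "alice", now - timedelta(hours=14))
    print(overdue_sweep([d], now), d.lost_mode)
```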