This topic describes the hardware and software requirements for Imprivata Mobile Access Management (formerly Imprivata GroundControl). Any limitations are noted in the support details and notes section for each component.
Cloud Administrator Console
- The MAM Administrator Console supports any modern web browser on Mac and Windows.
- Imprivata tests with Safari, Google Chrome, Firefox, and Microsoft Edge.
Launchpad Mac or Windows Computer
Both Mac and Windows may be used to run the client-side Launchpad software.
Item | Mac | Windows |
---|---|---|
Form Factor - Testing | Desktop or laptop | Desktop or laptop |
Form Factor - Production | Headless desktop mini-PC: - Mac Mini 2 - Mac Mini 3 | Headless desktop mini-PC |
OS | macOS within the last 2 years | Windows 10 or Windows 11 version within the last 2 years |
RAM | 8 GB | 8 GB |
Drive Capacity | 20 GB or greater SSD | 20 GB or greater SSD |
Permission: Allow accessory to connect (see note below table) | Required for Mac Launchpads running MacOS 13 (Ventura) and later. | n/a |
Unattended Use | Launchpad systems must be configured for unattended use. For more information, see this article. |
|
Dedicated system | The PC should be dedicated for Mobile Access Management (MAM) and not shared with other apps. | The PC should be dedicated for Mobile Access Management (MAM) and not shared with other apps. On Windows Launchpads, do not install the Imprivata agent (for Imprivata Enterprise Access Mangement/OneSign) on the Launchpad, because it will conflict with the proximity card reader. |
VNC or other remote access | Some method of VNC or other remote access is required to all stations. | |
iTunes app Apple Devices app for Windows | n/a | Install the current Apple Devices apps or iTunes app or extract DLLS from iTunes for Apple's MobileDevice components. |
GroundControl.app installed in a directory local user has full file permissions to | On Mac Launchpads, the GroundControl.app must be installed in a directory the local user has full file permissions over, or the local Mac user must be a macOS local admin. For more information, see this article. | n/a |
Network connection | Imprivata requires that Launchpads use an Ethernet network connection to ensure stable 24 × 7 availability. |
NOTES:
- “Allow accessory to connect” setting is required for Mac launchpads running MacOS 13 (Ventura) and later. For more information, see this article.
- Imprivata does not test with or support virtual or thin-client systems.
Test your model thoroughly before selecting a computer to be used as a Launchpad. If your computer has trouble connecting to more than 8 or so iPhones at once, disable XHCI in the PC’s BIOS to determine if this solves the issue.
Network
Imprivata Mobile Access Management (MAM) uses HTTPS (port 443) for all communication between the Launchpad and the Cloud Administrator Console. After initial registration, the Launchpad switches to Secure WebSockets (also port 443) for asynchronous bi-directional messaging.
Firewalls must support Secure WebSockets. A common firewall feature is to force close any sockets that remain open for a long period of time, but this will cause MAM to lose the client-server connection.
Source | Destination | Protocol | Use |
---|---|---|---|
Launchpad | US: us.groundctl.com / 52.202.156.90, 54.197.149.48 UK: uk.groundctl.com / 18.168.161.122, 13.41.242.92 | HTTPS/443 and WSS/443 | Server communication |
Launchpad | US: groundcontrol-prod.s3.amazonaws.com UK: c16-assets-groundctl-com.s3.amazonaws.com | HTTPS/443 | Asset downloads |
Launchpad | *.bugsplatsoftware.com | HTTPS/443 | Crash reporting |
Launchpad (iOS only) | albert.apple.com gs.apple.com appldnld.apple.com secure-appldnld.apple.com | HTTPS/443 | Apple device activation & IPSW downloads |
Launchpad | Your Imprivata OneSign appliance | HTTPS/443 | Identify look up during Checkout (if used) |
Launchpad Locker app (iOS and Android) | ctlful.imprivata.com | HTTPS/443 | Log submission |
Device | US: groundcontrol-prod.s3.amazonaws.com UK: c16-assets-groundctl-com.s3.amazonaws.com | HTTPS/443 | Checkout (if used) |
Device | Your Imprivata OneSign appliance | HTTPS/443 | Identity look up during Checkout (if used) |
Device (iOS only) | *.push.apple.com | TCP Ports: 443, 80, 5223, 2197 | Apple push notifications |
Device (Android only) | See Firebase Documentation | TCP ports: 443, 5228, 5229, 5230 | Firebase push notifications |
GroundControl Server US: 52.21.126.154, 52.20.201.34 UK: 18.169.178.173 35.177.97.127 | Your MDM Server | HTTPS/443 | MDM API requests (if used) |
Apple products on enterprise networks typically require specific hosts and ports to be open. For more information, see Apple’s documentation on the use of Apple products on enterprise networks.
Android products on enterprise networks require specific hosts and ports to be open for Firebase push notifications. For more information, see Google documentation.
MDMs
The following MDM systems are supported for Check Out. For more information, see the MDMs article.
Feature | Ivanti EMM | Ivanti Neuron | Jamf Pro | Samsung Knox Manage | Microsoft Intune | Soti MobiControl | VMware Workspace ONE |
---|---|---|---|---|---|---|---|
Check In / Check Out (iOS) | |||||||
Personal Passcodes | |||||||
Set Labels/Tags/Org Groups | |||||||
Assign to User | |||||||
Enable Lost Mode | |||||||
Check In / Check Out (Android) | |||||||
Personal Passcodes | |||||||
Set Labels/Tags/Org Group | |||||||
Assign to User | |||||||
Enable Lost Mode | |||||||
Provisioning (iOS) | |||||||
DEP Provisioning | |||||||
Non-DEP Provisioning | |||||||
Assign DEP Profile | |||||||
Delete / Retire |
Required MDM Configurations
You must integrate Imprivata Mobile Access Management with your MDM’s APIs.
- The API integration is used by MAM to clear any device passcodes on check in.
- The API integration can trigger Lost Mode for overdue devices.
MDM Requirements for iOS Devices
The following items are required in your MDM system for iOS devices.
Item | Description |
---|---|
DEP profile | Must include Imprivata Mobile Access Management’s supervision identity. This allows your device to more reliably connect to MAM. |
Disable USB Restricted Mode | All devices must be set to Disable USB Restricted Mode. This feature has different names in different MDMs, but is used to keep your device’s USB connection active even when it is passcode locked. For more information, see this article. |
Allow Recovery for Unpaired Devices | The MDM should Allow Recovery for Unpaired Devices. For more information, see this article. |
Notification profile allowing Imprivata Locker app to receive notifications | All devices must receive a notificiation profile to allow the Imprivata Locker app to recieve notifications. The app ID for the Locker app for iOS is com.imprivata.b2b.locker. - Apple permits a maximum of one notification profile on devices. This limitation is usually not enforced by MDM systems, leading to conflicts and unexpected behaviors. - To avoid unexpected notification behavior, Imprivata strongly recommends using one master notification profile for all iOS devices - both shared and dedicated - in your organization. For more information, see Recommended settings for clinical devices |
Proxy Support
Imprivata Mobile Access Management has limited support for proxies:
- Proxies must be configured in the Launchpad app during initial registration
- Only unauthenticated proxies are supported
- Authenticated proxies and PAC files are not supported
- System proxy settings are ignored
USB Hubs and Carts
Imprivata requires and only supports Smart Hubs from these manufacturers.
NOTE: While these manufacturers do sell other variations of hardware, only the items listed below are tested and supported by Imprivata.
Vendor | Model |
---|---|
Bretford | 20 port (Large) PowerSync Pro Gen 2 w/Lightning Cables 10 port (Large) PowerSync Pro Gen 2 w/Lightning Cables 20 port (Small) PowerSync Pro Gen 2 w/Lightning Cables 10 port (Small) PowerSync Pro Gen 2 w/Lightning Cables 20 port (Large) PowerSync Pro Gen 2 w/USB-C Cables 10 port (Large) PowerSync Pro Gen 2 w/USB-C Cables 20 port (Small) PowerSync Pro Gen 2 w/USB-C Cables 10 port (Small) PowerSync Pro Gen 2 w/USB-C Cables |
Datamation | 24 Port (Phone) Unidock w/Lightning Connection 24 Port (Phone) Unidock w/USB-C Connection 16 Port (Phone) Unidock w/Lightning Connection 16 Port (Phone) Unidock w/USB-C Connection 8 Port (Phone) Unidock w/Lightning Connection 8 Port (Phone) Unidock w/USB-C Connection 8 Port (Tablet) w/Lightning Connection 16 Port (Tablet) Unidock Tray w/Lightning Cables 24 Port (Phone) Unidock Tray w/USB-C Cables |
For Smart Hub pricing and accessories, contact your account manager.
For best performance, MAM requires a 1 to 1 connection between the Launchpad and Smart Hub.
- MAM does not support the daisy-chaining of hubs.
- MAM does not support connecting more than one Smart Hub to a single Launchpad. For more information on Smart Hubs, see the Implementation, Maintenance, and Best Practices Guide.
Proximity Card Readers
Imprivata Mobile Access Management supports USB-connected proximity card readers manufactured by rf IDEAS. Many brands resell the rf IDEAS reader, including Imprivata.
Imprivata models
- IMP-75
- IMP-80
- IMP-60
- IMP-82
- IMP-80-mini
Devices
Imprivata Mobile Access Management supports Apple iOS and Android devices.
Apple Devices
Apple device support is based on iOS version support. Imprivata Mobile Access Management supports iOS 18, and 17.
MAM 6.4 (and Imprivata Locker 3.12) was the last release to support iOS 15 and 16.
Only factory-reset devices are supported.
Android Devices
Imprivata Mobile Access Management 6.0 and later supports Android devices, running Android 9 and above.
Item | Support |
---|---|
Operating system | |
Android OS | Android 9 or later |
Devices | |
Cisco devices | CP 860 |
Google Pixel 7 Google Pixel 7a Google Pixel 8 Google Pixel 8 Pro |
|
Honeywell devices | CT30 (non-healthcare) |
Samsung devices | Samsung S22 Samsung A14 Samsung A15 5G Samsung xCover 6 Pro |
Spectralink devices | Versity 95 Versity 96 Versity 97XX |
Zebra devices | Zebra TC5 series - TC52, TC57 Zebra TC2 series - TC21, TC26 Zebra HC50 Zebra ET40 tablet |
Mobile browsers | MAM supports clearing browser cache as part of Check In action: - Google Chrome - Microsoft Edge |
Device settings and permissions | The Imprivata Locker app for Android devices requires the following device settings and permissions: - Draw over (overlay) other apps. - Accessibility Service. |
MDMs | Android devices must be enrolled in an MDM system: - Workspace ONE (AirWatch) - Microsoft Intune - SOTI MobiControl |
Device Cases & Batteries
Imprivata Mobile Access Management does not support all device cases. For more information, see this article.
Supported Applications
For more information on supported applications, see Imprivata apps support page.