What's New in Imprivata Enterprise Access Management 26.1

The Imprivata ID app for iOS and Android now supports French.

Beginning with 26.1, the Classic Windows login has reached end of life and is no longer supported. The Classic Windows login provides desktop access on Windows endpoints.

After upgrading the Imprivata appliance to 26.1, the Windows desktop authentication experience automatically transitions from the Classic Windows login to the Imprivata login. Consider the following:

• This behavior occurs the first time the Imprivata agent syncs with an upgraded appliance.

• This behavior occurs regardless of the version of the Imprivata agent. For example, the first time a 25.4 agent syncs with a 26.1 appliance, users will see the Imprivata login when authenticating to Windows desktops.

• You cannot revert to the Classic Windows login. Choosing which login experience to use is no longer configurable using computer policy customization (Computer policy > Customization tab).

The Imprivata Application Profile Generator (Imprivata APG) and Single Sign-On (SSO) feature lets your enterprise identify authentication-related screens within third-party applications. EAM logs into those applications based on the user's EAM desktop session. The application logins are based on credentials of that desktop session's user.

The APG now extends EAM Clinical Workflows to Windows application authentication within the APG workflow.

The screens can be an initial application login screen, or re-authentication screens within the application (for additional authentication before sensitive actions).

For complete details, see APG - Login Behavior.

Imprivata Enterprise Access Management supports desktop EPCS authentication with mobile authenticator apps such as Microsoft Authenticator and Google Authenticator. For more information, see Mobile Authenticator App Support.

In response to Microsoft announcing the deprecation of basic authentication in Exchange Online (SMTP AUTH), you can now configure an SMTP server connection over OAuth to send email notifications to administrators and end users.

For more information, see Setting the Mail Server and Standard Messages.

The License page in the Imprivata Admin Console has been updated to include a toggle allowing the display of either the legacy EAM license page or the EAM new modules in the Access Intelligence dashboard.

Risk-Based Access for Remote Access Cloud integrations are available for Learning Mode only for this release. In Learning Mode, all authentications for Remote Access are sent to Imprivata ITDR for evaluation, but not enforced. ITDR Learning Mode provides the opportunity to assess the outcomes of rule sets, and revise them, before enabling them in a future release. See Risk-Based Access.

For more information on new 26.1 qualifications and certifications, see Imprivata Enterprise Access Management with MFA Supported Components.

The Imprivata EAM Self-Service Password Reset application has been updated with a design that aligns with the interface users are familiar with from Web SSO authentications. The authentication methods required before resetting a user password can include face biometric, SMS, email, Imprivata ID, and Imprivata PIN. This updated feature is not available for the Imprivata agent on thin clients. The legacy application that enables self-service password reset with security questions is still available when the new feature is not enabled. See Self-Service Password Reset.

This is a reminder that Internet Explorer is not supported. Any functionality related to Internet Explorer or IE mode will be deprecated as of December 2026.

While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.

To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.

As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all appliance communications.

For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.

As part of Imprivata's continuing effort to increase our security posture, this release includes two modes of API access through the Confirm ID and ProveID API:

• Full

  Full access enables the ability to use the Confirm ID COM interface. Full access is required in the following areas because of the reliance on the COM interfaces:

  • Clinical Workflows

  • EPCS

  • Imprivata Connector for Epic Hyperdrive

  • When Imprivata Confirm ID needs a password.

• Restricted

  In restricted mode, access to Password and UserAppCreds resources are disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with a message stating that access is restricted and status code 403.

By default, Confirm ID access is disabled and ProveID API access is set to restricted. The settings to manage API access are on the API access page in the Imprivata Admin Console.

Enterprises who have clinicians' faces enrolled for authentication in Mobile EPCS must migrate those enrollments to the new Imprivata Cloud Platform (ICP) Face Recognition support. This is accomplished with a custom migration tool. For more information, see the Imprivata Upgrade portal.

Does not apply to customers whose end-users have faces enrolled only for Desktop Authentication.

Face authentication is a new modality and is supported on Windows.

• If your enterprise uses mixed endpoints (thin clients, medical devices, etc.), test to verify that they continue to work after enabling Face recognition.

• If you encounter issues on non-Windows platforms, disable multiple second factors using computer policy overrides and reach out to your vendor and Imprivata representative.

Imprivata has identified limited cases where Imprivata agents running on non-Windows platforms are unable to authenticate depending on user policy configuration. Limiting the second factor options in your environment is recommended to resolve this.

Beginning with 25.2, you can no longer directly run the Imprivata agent installer. This includes:

• Double-clicking the MSI.

• Right-clicking the MSI and running as an administrator.

Launching the installer directly requires you to execute the MSI from an elevated command prompt. Directly running the MSI results in an error message stating that you do not have the required permissions. This behavior occurs even if you are logged into the Windows endpoint with administrator credentials.

Imprivata's Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in Imprivata OneSign and Imprivata Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations.

For more information, see Configuring Imprivata Secure Walk Away