Imprivata Documentation | Imprivata Mobile Access Management (GroundControl) | Topic updated: April 28, 2025

Check Out with Workspace ONE

Like Mobile Access Management, Omnissa Workspace ONE includes features for shared device checkout. This article explains how to link Mobile Access Management with Workspace ONE, so that the checkout features are synchronized between the two systems.

Once linked, a Check Out in Mobile Access Management — via a proximity card tap, for example — assigns the device to the user in your MDM. This will trigger any user-assigned apps or policies for the device.

For example, Alice checks out a device. Here are some things that may then happen:

The MDM lists the device with "Alice" as the device user.
The MDM can send an email configuration personalized for Alice.
The MDM can use SCEP to create an identity certificate for Alice, and send that to the device.
SSO-aware apps on the device, such as Voalte One or Box, can use Alice’s identity certificate to automatically sign in, without prompting for a username or password.

Enroll to a Multi-User Staging User

The device must be initially enrolled into Workspace ONE UEM with the Staging Mode set to "Multi-user device." This enables Mobile Access Management to manage the Workspace ONE checkout and checkin features.

This may be set in your DEP profile.

Click to enlarge

Assign the User During Check Out

This option is not available for Android devices in Mobile Access Management.

Add the action "Perform MDM Command" to your Check Out Workflow.

Set this to assign the staged device to user "[Device User]", the attribute that contains the username of the person checking out the device.

Click to enlarge

Reset the User During Check In

Add the action "Perform MDM Command" to your Check In Workflow. Set this to assign the staged device to the staging user’s user ID.

NOTE:

This is not needed when you erase devices on Check In.

Click to enlarge

At this point, test a check out. If it is working properly, you will be able to look at the device listing in Workspace ONE and see the user name as the device owner.

After the device is checked in, the device owner should revert to the staging user.

Configure Workspace ONE Access

Configure your MDM to fetch and deploy identity certificates, and to configure your identity management software to accept those certificates for authentication. Those steps are beyond the scope of this documentation. For more information, see your Omnissa documentation.