Imprivata ID for Windows Access
This topic provides an overview of Imprivata ID for Windows Access, what you need to deploy it in your enterprise, and how to roll it out to users.
Adding Imprivata ID to Windows access is ideal when an extra layer of security is needed for certain users and/or certain computers; for example, administrative accounts or access to virtual desktop servers.
When the user logs into Windows with their username and password, Imprivata ID sends a push notification to their device. The user accepts the notification and is granted access.
The user can be prompted to download Imprivata ID and enroll before and/or after the desktop opens.
The user must have a supported iOS or Android device and the Imprivata ID app installed; no additional hardware is required at the endpoint computer to support this workflow.
Licensing Considerations
Unlike other desktop authentication methods, which require an Authentication Management license, Imprivata ID for Windows Access counts each user in the enabled policy only towards your Confirm ID for Remote Access license total. See Imprivata Licensed Features.
Enroll Users
Your users can download and install the Imprivata ID app at any time. They are not prompted to enroll Imprivata ID or use it to authenticate until they are included in a user policy that requires Imprivata ID for authentication.
Require Imprivata ID for Windows Access
There are several methods to enable Imprivata ID for Windows Access. You can set up either of these or both:
- User Requirement — Require that all users in a policy complete two-factor authentication with Imprivata ID every time they authenticate at any endpoint computer.
- Computer Requirement — Require Imprivata ID for Windows Access only at specific desktops.

Configure the User Policy
- In the Imprivata Admin Console, go to Users > User Policies.
- Add a new user policy, or make a copy of an existing user policy. See Creating and Managing User Policies.
- Move the required users into this user policy.
- On the Authentication tab, go to the Licensed option section and select Imprivata ID for Windows Access.
- In the Desktop Access authentication section, select Password for the primary factor, and Imprivata ID for the secondary factor.
- Click Save.
Configure the Login and Enrollment Options
- In the Authentication method options section, go to Password. If you want to allow a grace period during which the user does not need to respond to a push notification from Imprivata ID, make that selection here:
  - Workflow during grace period — To authenticate, the user enters username and password only.
  - Workflow after grace period — To authenticate, the user enters username and password, then must respond to the push notification from Imprivata ID.
- In the Authentication method options section, go to Imprivata ID. Configure your requirements for enrolling Imprivata ID here:
  - You can force the user to enroll Imprivata ID before they can access the desktop, or allow them to skip enrollment for up to 90 days.
  - Before the desktop opens, the user is prompted to enroll Imprivata ID. You can also prompt the user to enroll Imprivata ID after the desktop opens.
- Click Save.

Enable Licensed Option
- In the Imprivata Admin Console, go to Users > User Policies.
- Select the policy that contains users who will require Imprivata ID for Windows Access.
- On the Authentication tab, go to the Licensed option section and select Imprivata ID for Windows Access.
- Do not select Imprivata ID in the Desktop Access authentication section.
- Click Save.
Set a Computer Policy Override
- In the Imprivata Admin Console, go to Computers > Computer Policies.
- Add a new computer policy, or make a copy of an existing computer policy. See Creating and Managing Computer Policies.
- Move the required computers into this computer policy. See Managing Computer Accounts.
- On the Override and Restrict tab, go to the Desktop Access Authentication Restrictions section and select Restrict user policy.
- Select Password for the primary factor and Imprivata ID for the secondary factor.
- Click Save.
Configure the Login and Enrollment Options
- In the Authentication method options section, go to Password. If you want to allow a grace period during which the user does not need to complete second-factor authentication, make that selection here.
- In the Authentication method options section, go to Imprivata ID. Configure your requirements for enrolling Imprivata ID here:
  - You can force the user to enroll Imprivata ID before they can access the desktop, or allow them to skip enrollment for up to 90 days.
  - Before the desktop opens, the user is prompted to enroll Imprivata ID. You can also prompt the user to enroll Imprivata ID after the desktop opens.
- Click Save.
The Imprivata Credential Provider and Windows Login
If your enterprise is licensed for Imprivata Confirm ID Remote Access but you do not have an Imprivata Authentication Management or Single Sign-On license, the Imprivata credential provider does not appear when logging into Windows workstations. You must change the log in and locking override setting for Windows workstations so that the Imprivata credential provider manages logging into Windows workstations instead:
Configure Workstations to Use the Imprivata Credential Provider
- In the Imprivata Admin Console, go to Computers > Computer Policies.
- Select a computer policy where the Imprivata credential provider must be used.
- Go to the General tab > Desktop experience section. If the Windows credential provider is in use, Override log in and locking of the Windows workstation is selected here.
- Uncheck Override log in and locking of the Windows workstation.
- Click Save.
Repeat this process for any other computer policies that will require Imprivata ID for Windows access.
Ensure Access for Non-Imprivata Users
If your enterprise is licensed for Imprivata Confirm ID Remote Access but you do not have an Imprivata Authentication Management or Single Sign-On license, users who are not synchronized with the Imprivata user database or not configured to use Imprivata ID for Windows Access can still log into Windows.
When the Imprivata credential provider appears on a Windows desktop and a non-Imprivata user enters their username and password, OneSign authentication fails (because they are not in the Imprivata user database), but if Windows local authentication succeeds, they are allowed to log in.
To allow non-OneSign users to log in, you can add them to an Active Directory or Local group, and allow this Local group to authenticate to Windows if OneSign authentication fails.
To confirm the default setting in the Imprivata Admin Console:
- In the Imprivata Admin Console, go to Computers > Computer policies.
- Select a computer policy where Imprivata ID for Windows Access is required.
- Go to the General tab > Authentication section.
- Verify that If OneSign authentication fails, but Windows authentication succeeds, should the user be allowed to log in to the computer? is set to Yes.
- Click Save.
- Repeat this process for any other computer policies where non-Imprivata users must be able to log in.
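The user requirement, the computer policy override, the grace period and enrollment options, and the fallback for non-Imprivata users described above combine into a single desktop-access decision. The following Python is an added illustration of that decision flow, not Imprivata's code or data model: the class and field names are assumptions chosen to mirror the Admin Console settings named on this page, and the grace-period semantics (password only for a fixed window after an accepted push) is likewise an assumption. The scenarios in `demo()` are constructed sample data.

```python
"""Hypothetical model of the Imprivata ID for Windows Access decision flow.

Added illustration, not Imprivata code. Class and field names are assumptions
that mirror the Admin Console settings described in the text.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class ImprivataIdOptions:
    """Login and enrollment options (Authentication method options section)."""
    grace_period: timedelta = timedelta(0)  # assumed: password-only window after an accepted push
    enrollment_skip_days: int = 0           # 0 = must enroll before the desktop opens; max 90

    def __post_init__(self) -> None:
        if not 0 <= self.enrollment_skip_days <= 90:
            raise ValueError("enrollment may be skipped for at most 90 days")


@dataclass
class UserPolicy:
    licensed_for_windows_access: bool       # "Licensed option" checkbox on the Authentication tab
    secondary_factor: Optional[str] = None  # Desktop Access authentication section; primary is Password
    options: ImprivataIdOptions = field(default_factory=ImprivataIdOptions)


@dataclass
class ComputerPolicy:
    restrict_user_policy: bool = False      # Override and Restrict tab > Restrict user policy
    secondary_factor: Optional[str] = None  # factor enforced by the override
    options: ImprivataIdOptions = field(default_factory=ImprivataIdOptions)
    allow_windows_if_onesign_fails: bool = True  # General tab > Authentication (default Yes)


@dataclass
class User:
    name: str
    in_imprivata_db: bool                            # synchronized with the Imprivata user database?
    imprivata_id_enrolled: bool = False
    requirement_started: Optional[datetime] = None   # when the user entered the requiring policy
    last_push_ok: Optional[datetime] = None          # last accepted push notification


@dataclass
class Attempt:
    user: User
    password_ok: bool      # primary factor (username and password)
    push_accepted: bool    # did the user accept the Imprivata ID push?
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    prompt_enroll: bool = False


def effective_requirement(up: UserPolicy, cp: ComputerPolicy) -> Tuple[Optional[str], ImprivataIdOptions]:
    """A computer policy override wins when 'Restrict user policy' is selected."""
    if cp.restrict_user_policy:
        return cp.secondary_factor, cp.options
    return up.secondary_factor, up.options


def evaluate(attempt: Attempt, up: UserPolicy, cp: ComputerPolicy) -> Decision:
    u = attempt.user
    if not u.in_imprivata_db:
        # OneSign authentication fails for non-Imprivata users; Windows may still admit them.
        if attempt.password_ok and cp.allow_windows_if_onesign_fails:
            return Decision(True, "windows_fallback")
        return Decision(False, "onesign_failed")
    if not attempt.password_ok:
        return Decision(False, "bad_password")
    factor, opts = effective_requirement(up, cp)
    if factor is None:
        return Decision(True, "password_only")
    if factor != "imprivata_id":
        raise ValueError(f"unsupported secondary factor: {factor}")
    if not up.licensed_for_windows_access:
        # Both configuration paths on the page select the licensed option first.
        raise ValueError("Imprivata ID for Windows Access is not enabled in the user policy")
    if not u.imprivata_id_enrolled:
        start = u.requirement_started or attempt.now
        if attempt.now < start + timedelta(days=opts.enrollment_skip_days):
            return Decision(True, "enrollment_skipped", prompt_enroll=True)
        return Decision(False, "enrollment_required")
    if u.last_push_ok is not None and attempt.now - u.last_push_ok < opts.grace_period:
        return Decision(True, "grace_period")
    if attempt.push_accepted:
        return Decision(True, "password_and_push")
    return Decision(False, "push_not_accepted")


def demo() -> dict:
    """Constructed scenarios covering both configuration paths and the fallback."""
    t0 = datetime(2024, 1, 1, 8, 0)
    # User requirement path: password + Imprivata ID in the user policy, 8 h grace, 30-day skip.
    user_req = UserPolicy(True, "imprivata_id", ImprivataIdOptions(timedelta(hours=8), 30))
    # Computer requirement path: licensed option only; an override restricts specific desktops.
    plain_users = UserPolicy(True)
    admin_desktop = ComputerPolicy(True, "imprivata_id", ImprivataIdOptions())
    alice = User("alice", True, imprivata_id_enrolled=True, last_push_ok=t0 - timedelta(hours=1))
    bob = User("bob", True, requirement_started=t0 - timedelta(days=10))
    carol = User("carol", False)  # not in the Imprivata user database
    return {
        "alice_grace": evaluate(Attempt(alice, True, False, t0), user_req, ComputerPolicy()).reason,
        "alice_override_no_push": evaluate(Attempt(alice, True, False, t0), plain_users, admin_desktop).reason,
        "bob_skip": evaluate(Attempt(bob, True, False, t0), user_req, ComputerPolicy()).reason,
        "bob_override_must_enroll": evaluate(Attempt(bob, True, False, t0), plain_users, admin_desktop).reason,
        "carol_fallback": evaluate(Attempt(carol, True, False, t0), user_req, ComputerPolicy()).reason,
        "carol_blocked": evaluate(Attempt(carol, True, False, t0), user_req,
                                  ComputerPolicy(allow_windows_if_onesign_fails=False)).reason,
    }
```

The model makes the two failure modes an administrator will meet visible: a computer override with no grace period or enrollment skip forces a push (or enrollment) even for a user whose user policy is lenient, and the Windows fallback setting alone decides whether a user outside the Imprivata database reaches the desktop.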
Troubleshooting

If specific users are experiencing issues with push authentication, make sure the Imprivata ID app is running on the user's device.
If that doesn't resolve the issue, make sure the user's device meets all of the following requirements:
[Table: iOS Requirements | Android Requirements]
If the Imprivata database is restored while users are enrolling Imprivata IDs, or after Imprivata IDs have been enrolled, the users must re-enroll their Imprivata IDs. Contact Imprivata Customer Support for assistance.

You can resolve some errors that occur during DigiCert identity proofing. If the error message instructs you to
- "Delete record and notify user to restart identity proofing", or
- "Delete identity proofing record and notify user to restart process"
Delete the user's record but do not delete the user:
- In the Imprivata Admin Console, go to Users > Users and find the user in the database.
- On the user detail page, go to DigiCert Individual Identity Proofing and click Delete Record. This action is permanent and the user must identity proof again for EPCS.
- Notify the user to start identity proofing again.
If you delete the entire user from the Imprivata Confirm ID database, you will have to wait five days for the system to reset before they can use that same email address again for identity proofing.

Clinicians who e-prescribe controlled substances with a Symantec VIP token can continue to use this token with Imprivata Confirm ID after identity proofing with DigiCert. The following workaround is only applicable for users who:
- have already completed identity proofing with Symantec NSL, and
- enrolled their VIP token for EPCS, and
- completed identity proofing with DigiCert, and
- are associated with the Imprivata Confirm ID EPCS workflow, and
- that workflow allows OTP tokens for authentication.

Workaround steps:
- In the Symantec VIP Manager, remove the user's VIP software token (Users > Search User > Edit Details > Credential > Remove).
- In the Imprivata Admin Console, remove the user's VIP software token: go to Users > Symantec VIP Credentials, select the user, and click Remove From This User.
- In the Symantec VIP Manager, disable the user's account (Users > Search User > from the Search Results page, click Disable Credential).
- In the Symantec VIP Manager, enable the user's account again (Users > Search User > from the Search Results page, click Enable Credential).
- Advise the user to re-enroll the Symantec VIP token with Imprivata Confirm ID.

Cloud Connection
Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:
- If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.
- Services will enter your Enterprise ID and cloud provisioning code.
- Click Establish trust.
The cloud connection must be established by Imprivata Services.
Cloud Connection Status
You can review the status of your enterprise's connection to the Imprivata cloud at any time. Status notifications are displayed in the Imprivata Admin Console, and the cloud connection status of every appliance at every site is also available:
- In the Imprivata Admin Console, go to the gear icon > Cloud connection.
- Every appliance host is listed with its status. If there are problems with a connection, recommendations for resolving the problem are displayed here.