Enroll Badges in Imprivata Enterprise Access Management on Device Checkout


Applies to iOS and Android devices.

The integration with Imprivata Enterprise Access Management (formerly Imprivata OneSign) enables users to enroll new proximity badges when checking out devices from Mobile Access Management Launchpads.

Using the Locker app (iOS and Android), users can enroll a new badge, manually authenticate and register the badge, and enroll their Imprivata PIN without being required to tap into an EAM desktop workstation.

Prerequisites

Take note of the following prerequisites:

  • In the Imprivata Admin Console, configure Imprivata Enterprise Access Management as the Identity Provider (IdP):
    • Configure the API access to Imprivata Enterprise Access Management.
    • Configure the EAM computer policy for proximity cards.
  • In MAM, configure the integration with Imprivata OneSign. For more information, see Integrate Imprivata Enterprise Access Management.
  • Users must have an Imprivata Enterprise Access Management user account.
  • Devices must have Imprivata Locker iOS 3.11 or later, or Locker Android 1.3 or later, installed.

Expected Behavior

The following assumes a user has not yet enrolled their proximity badge when checking out a device.

Devices are locked and charging in the Smart Hub.

The user taps their badge on the card reader attached to the Launchpad.

If the user’s proximity badge was not previously enrolled, the locked device displays the message “Unenrolled badge” and prompts the user to enter credentials to enroll the badge.

Until the device has been removed, the Launchpad disables all badge scans, so that multiple users can’t check out devices at the same time.

If multifactor authentication is enabled and set to Imprivata PIN, the user is prompted to enroll their Imprivata PIN according to the PIN length and character requirements set in Imprivata Enterprise Access Management.

The badge and Imprivata PIN enrollment succeeds.

  • For iOS devices: After the enrollment is completed, the user must return the device to the docking station and then check out a new device.
  • For Android devices: The device is unlocked and checked out to the user.

If the badge enrollment or Imprivata PIN enrollment fails, the user must return the device to the Smart Hub to be checked in.

If the device is rebooted during enrollment, the user must return the device to the docking station to be checked in.

Mobile Access Management Configuration

To allow new badge enrollments:

  1. In the MAM admin console, navigate to Admin > Check Out > Available Authentication Methods section and select Proximity Badges as the authentication method.
  2. Switch the Allow users to enroll new badges to Enterprise Access Management from Lock app setting to ON.
    NOTE: This setting is only available when Imprivata Enterprise Access Management (OneSign) is set as the Identity Provider (IdP) and is not supported for other custom web services.
    You do not need to enable checkout via network username and password for badge enrollment to work.

  3. To enable a second factor of authentication, switch the Password AutoFill setting to ON and select the authentication method:
    1. Imprivata PIN with numeric keyboard.
    2. Imprivata PIN with alphanumeric keyboard.
    3. Domain password.
  4. Specify other settings, as needed.
  5. When prompted, restart the Launchpads.