System Requirements

Created: Modified: Documentation

This topic describes the hardware and software requirements for Imprivata Mobile Access Management (formerly Imprivata GroundControl). Any limitations are noted in the support details and notes section for each component.

Cloud Administrator Console
  • The MAM Administrator Console supports any modern web browser on Mac and Windows.
  • Imprivata tests with Safari, Google Chrome, Firefox, and Microsoft Edge.
Launchpad Mac or Windows Computer

Both Mac and Windows may be used to run the client-side Launchpad software.

ItemMacWindows
Form FactorTesting: Desktop or laptop
Production: Headless desktop-mini-PC
Testing: Desktop or laptop
Production: Headless desktop-mini-PC
OSmacOS within the last 2 years
Windows 10 or Windows 11 version within the last 2 years
RAM8 GB 8 GB
Drive Capacity20 GB or greater SSD20 GB or greater SSD
Permission: Allow accessory to connect (see note below table)Required for Mac Launchpads running MacOS 13 (Ventura) and later.n/a
Unattended UseLaunchpad systems must be configured for unattended use.
For more information, see this article.
Dedicated systemThe PC should be dedicated for Mobile Access Management (MAM) and not shared with other apps.The PC should be dedicated for Mobile Access Management (MAM) and not shared with other apps.
On Windows Launchpads, do not install the Imprivata agent (for Imprivata Enterprise Access Mangement/OneSign) on the Launchpad, because it will conflict with the proximity card reader.
VNC or other remote accessSome method of VNC or other remote access is required to all stations.
iTunes app
Apple Devices app for Windows
n/aInstall the current Apple Devices apps or iTunes app or extract DLLS from iTunes for Apple's MobileDevice
components.
GroundControl.app installed in a
directory local user has full file
permissions to
On Mac Launchpads, the GroundControl.app must be installed in a directory the local user has full file
permissions over, or the local Mac user must be a macOS local admin. For more information, see this article.
n/a
Network connectionImprivata requires that Launchpads use an Ethernet network connection to ensure stable 24 × 7 availability.

NOTES:

  • “Allow accessory to connect” setting is required for Mac launchpads running MacOS 13 (Ventura) and later. For more information, see this article.
  • Imprivata does not test with or support virtual or thin-client systems.

Test your model thoroughly before selecting a computer to be used as a Launchpad. If your computer has trouble connecting to more than 8 or so iPhones at once, disable XHCI in the PC’s BIOS to determine if this solves the issue.

Network

Imprivata Mobile Access Management (MAM) uses HTTPS (port 443) for all communication between the Launchpad and the Cloud Administrator Console. After initial registration, the Launchpad switches to Secure WebSockets (also port 443) for asynchronous bi-directional messaging.

Firewalls must support Secure WebSockets. A common firewall feature is to force close any sockets that remain open for a long period of time, but this will cause MAM to lose the client-server connection.

SourceDestinationProtocolUse
LaunchpadUS: us.groundctl.com / 52.202.156.90, 54.197.149.48
UK: uk.groundctl.com / 18.168.161.122, 13.41.242.92
HTTPS/443 and WSS/443Server communication
LaunchpadUS: groundcontrol-prod.s3.amazonaws.com
UK: c16-assets-groundctl-com.s3.amazonaws.com
HTTPS/443Asset downloads
Launchpad*.bugsplatsoftware.comHTTPS/443Crash reporting
Launchpad (iOS only)albert.apple.com
gs.apple.com
appldnld.apple.com
secure-appldnld.apple.com
HTTPS/443Apple device activation & IPSW downloads
LaunchpadYour Imprivata OneSign applianceHTTPS/443Identify look up during Checkout (if used)
Launchpad
Locker app (iOS and Android)
ctlful.imprivata.comHTTPS/443Log submission
DeviceUS: groundcontrol-prod.s3.amazonaws.com
UK: c16-assets-groundctl-com.s3.amazonaws.com
HTTPS/443Checkout (if used)
DeviceYour Imprivata OneSign applianceHTTPS/443Identity look up during Checkout (if used)
Device (iOS only)*.push.apple.comTCP Ports: 443, 80, 5223, 2197Apple push notifications
Device (Android only)See Firebase DocumentationTCP ports: 443, 5228, 5229, 5230
Firebase push notifications
GroundControl Server
US: 52.21.126.154, 52.20.201.34
UK: 18.169.178.173 35.177.97.127
Your MDM ServerHTTPS/443MDM API requests (if used)

Apple products on enterprise networks typically require specific hosts and ports to be open. For more information, see Apple’s documentation on the use of Apple products on enterprise networks.

Android products on enterprise networks require specific hosts and ports to be open for Firebase push notifications. For more information, see Google documentation.

MDMs

The following MDM systems are supported for Check Out. For more information, see the MDMs article.

FeatureIvanti EMMIvanti NeuronJamf ProSamsung Knox ManageMicrosoft IntuneSoti MobiControlVMware Workspace ONE
Check In / Check Out (iOS)
Personal Passcodes
Set Labels/Tags/Org Groups
Assign to User
Enable Lost Mode
Check In / Check Out (Android)
Personal Passcodes
Set Labels/Tags/Org Group
Assign to User
Enable Lost Mode
Provisioning (iOS)
DEP Provisioning
Non-DEP Provisioning
Assign DEP Profile
Delete / Retire
Required MDM Configurations

You must integrate Imprivata Mobile Access Management with your MDM’s APIs.

  • The API integration is used by MAM to clear any device passcodes on check in.
  • The API integration can trigger Lost Mode for overdue devices.
MDM Requirements for iOS Devices

The following items are required in your MDM system for iOS devices.

ItemDescription
DEP profile Must include Imprivata Mobile Access Management’s supervision identity. This allows your device to more reliably connect to MAM.
Disable USB Restricted ModeAll devices must be set to Disable USB Restricted Mode.
This feature has different names in different MDMs, but is used to keep your device’s USB connection active even when it is passcode locked. For more information, see this article.
Allow Recovery for Unpaired DevicesThe MDM should Allow Recovery for Unpaired Devices. For more information, see this article.
Notification profile allowing Imprivata Locker app to receive notificationsAll devices must receive a notificiation profile to allow the Imprivata Locker app to recieve notifications. The app ID for the Locker app for iOS is com.imprivata.b2b.locker.
- Apple permits a maximum of one notification profile on devices. This limitation is usually not enforced by MDM systems, leading to conflicts and unexpected behaviors.
- To avoid unexpected notification behavior, Imprivata strongly recommends using one master notification profile for all iOS devices - both shared and dedicated - in your organization.
For more information, see
Recommended settings for clinical devices
Proxy Support

Imprivata Mobile Access Management has limited support for proxies:

  • Proxies must be configured in the Launchpad app during initial registration
  • Only unauthenticated proxies are supported
  • Authenticated proxies and PAC files are not supported
  • System proxy settings are ignored
USB Hubs and Carts

Imprivata requires and only supports Smart Hubs from these manufacturers.

NOTE: While these manufacturers do sell other variations of hardware, only the items listed below are tested and supported by Imprivata.

VendorModel
Bretford20 port (Large) PowerSync Pro Gen 2 w/Lightning Cables
10 port (Large) PowerSync Pro Gen 2 w/Lightning Cables
20 port (Small) PowerSync Pro Gen 2 w/Lightning Cables
10 port (Small) PowerSync Pro Gen 2 w/Lightning Cables
20 port (Large) PowerSync Pro Gen 2 w/USB-C Cables
10 port (Large) PowerSync Pro Gen 2 w/USB-C Cables
20 port (Small) PowerSync Pro Gen 2 w/USB-C Cables
10 port (Small) PowerSync Pro Gen 2 w/USB-C Cables
Datamation24 Port (Phone) Unidock w/Lightning Connection
24 Port (Phone) Unidock w/USB-C Connection
16 Port (Phone) Unidock w/Lightning Connection
16 Port (Phone) Unidock w/USB-C Connection
8 Port (Phone) Unidock w/Lightning Connection
8 Port (Phone) Unidock w/USB-C Connection
8 Port (Tablet) w/Lightning Connection
16 Port (Tablet) Unidock Tray w/Lightning Cables
24 Port (Phone) Unidock Tray w/USB-C Cables

For Smart Hub pricing and accessories, contact your account manager.

For best performance, MAM requires a 1 to 1 connection between the Launchpad and Smart Hub.

Proximity Card Readers

Imprivata Mobile Access Management supports USB-connected proximity card readers manufactured by rf IDEAS. Many brands resell the rf IDEAS reader, including Imprivata.

Imprivata models
  • IMP-75
  • IMP-80
  • IMP-60
  • IMP-82
  • IMP-80-mini
Devices

Imprivata Mobile Access Management supports Apple iOS and Android devices.

Apple Devices

Apple device support is based on iOS version support. Imprivata Mobile Access Management supports iOS 17, 16, and 15.

MAM 6.4 (and Imprivata Locker 3.12) was the last release to support iOS 15 and 16.

Only factory-reset devices are supported.

Android Devices

Imprivata Mobile Access Management 6.0 and later supports Android devices, running Android 9 and above.

ItemSupport
Operating system
Android OSAndroid 9 or later
Devices
Cisco devicesCP 860
GoogleGoogle Pixel 7
Google Pixel 7a
Google Pixel 8
Google Pixel 8 Pro
Honeywell devicesCT30 (non-healthcare)
Samsung devicesSamsung S22
Samsung A14
Samsung A15 5G
Samsung xCover 6 Pro
Spectralink devicesVersity 95
Versity 96
Versity 97XX
Zebra devicesZebra TC5 series - TC52, TC57
Zebra TC2 series - TC21, TC26
Zebra HC50
Zebra ET40 tablet
Mobile browsersMAM supports clearing browser cache as part of Check In action:
- Google Chrome
- Microsoft Edge
Device settings and permissionsThe Imprivata Locker app for Android devices requires the following device settings and permissions:
- Draw over (overlay) other apps.
- Accessibility Service.
MDMsAndroid devices must be enrolled in an MDM system:
- Workspace ONE (AirWatch)
- Microsoft Intune
- SOTI MobiControl
Device Cases & Batteries

Imprivata Mobile Access Management does not support all device cases. For more information, see this article.

Supported Applications

For more information on supported applications, see Imprivata apps support page.