An increasing number of hospitals are finding value in providing iPads for inpatient use. During the current COVID-19 pandemic, many hospitals are severely limiting visitors. To communicate with their loved ones, patients can be given iPads for email, messaging, video conferencing, and Wi-Fi calling. The same devices can be used for education and entertainment.
These devices are most useful to patients when they carry very few restrictions: allow access to a large catalog of apps. Then, when the patient is finished with the device, use Imprivata Mobile Access Management to completely and securely erase all data, with an absolute minimum of work by IT and users.
Why Mobile Access Management?
Mobile Access Management works with your existing MDM system to add the following features for patient iPads:
- Securely erase all PHI from iPads when plugged into the charging station.
- Without any screen taps, automatically connect your erased iPads to Wi-Fi, enroll iPads into your MDM, and skip all setup screens.
- Monitor the MDM to ensure all apps are loaded.
- Personalize each iPad with your hospital logo and unit name in large font.
- Monitor and log the entire process within a cloud-hosted system.
Prerequisites
You’ll need the following:
- iPads, new or used/donated
- A PC or Mac in each unit
- A Wi-Fi network that does not prompt with a captive-portal (“Captcha”) page
- Apple Business Manager to provide apps to devices
- An MDM solution, such as VMware Workspace ONE (formerly AirWatch)
A Smart Hub is not required for this solution. Instead, you can erase iPads one at a time, using your USB port on your Mac or PC. For permanent installation, Imprivata recommends Smart Hubs for simultaneous wiping and charging.
iPads
Mobile Access Management can work with iPads in Apple’s Device Enrollment Program (DEP). It can also work with non-DEP iPads, but the setup is a little different. DEP is recommended because devices become locked into your MDM system. This is a theft deterrent.
If your iPads have been donated, they are probably not in DEP. Apple has outlined a method to add devices into DEP. Imprivata recommends this process only when you have a lot of time and patience.
Computer
Each unit with iPads will need a Mac or Windows computer to run Mobile Access Management’s Launchpad software. Imprivata recommends Macs for this purpose, since Macs can support local caching of your apps. Be sure to test any PCs with your expected number of iPads — some PCs limit the maximum number of USB devices.
Wi-Fi
Mobile Access Management is compatible with open, password-protected, and 802.1x networks. Guest Wi-Fi networks in hospitals often include a captive-portal (“Captcha”) page that requires accepting a policy before joining the network. Unfortunately, these pages interfere with automation and are not compatible with the Mobile Access Management process. Instead, either use a Wi-Fi network that does not display this prompt, or allowlist the device MAC addresses so that they bypass it.
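A quick way to confirm that a candidate SSID really is free of a captive portal is to probe it the way iPadOS itself does. The script below is an added example, not part of this article or of Mobile Access Management: it fetches Apple’s connectivity-check page and reports “clean”, “portal” or “unreachable”. Run it from the Launchpad Mac or PC while that computer is joined to the SSID you intend to give the iPads. The probe URL and the expected “Success” page are Apple’s; everything else (function names, the verdict strings) is this example’s own.

```python
import urllib.error
import urllib.request

# Added check (not part of the article or of Mobile Access Management): probe a
# Wi-Fi network the same way iPadOS does before deciding it has clean internet
# access. Apple devices fetch this URL and expect a small page whose title and
# body are both "Success"; a redirect or any other HTML means a captive portal
# (the "Captcha" policy page the article warns about) is intercepting traffic.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"


def classify_probe(status, body, redirected=False):
    """Classify one probe response as 'clean', 'portal' or 'unreachable'.

    status: HTTP status code (0 when there was no response at all)
    body: decoded response body
    redirected: True when the server answered with a 3xx / Location header
    """
    if redirected or 300 <= status < 400:
        return "portal"          # sent to a login/policy page
    if status == 200:
        if "<TITLE>Success</TITLE>" in body and "<BODY>Success</BODY>" in body:
            return "clean"
        return "portal"          # 200 with a substituted page is the classic portal trick
    return "unreachable"         # DNS failure, timeout, or a 4xx/5xx from an interceptor


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a portal's 302 is seen rather than silently followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_network(url=PROBE_URL, timeout=10):
    """Run the live probe from the Mac or PC that hosts the Launchpad."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # With redirects disabled, a portal's 302 surfaces here as an HTTPError.
        body = err.read().decode("utf-8", "replace")
        return classify_probe(err.code, body, redirected=err.headers.get("Location") is not None)
    except (urllib.error.URLError, OSError):
        return classify_probe(0, "")


if __name__ == "__main__":
    verdict = check_network()
    print(f"{PROBE_URL}: {verdict}")
    raise SystemExit(0 if verdict == "clean" else 1)
```

Two caveats if you choose the MAC-allowlist route instead of a portal-free SSID: since iOS 14, iPads join each network with a private (randomized) Wi-Fi address by default, so the hardware address you allowlist never appears unless the Wi-Fi profile you push disables private addresses for that SSID (the Wi-Fi payload key is DisableAssociationMACRandomization); and a MAC allowlist is a convenience, not an access control, since any device can present an allowlisted address, so treat the iPad SSID as untrusted network access and rely on the MDM for device identity.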
Apple Business (or School) Manager
Whether you are using DEP iPads or not, you must use Apple Business Manager’s bulk app purchase feature to provide apps to your devices. ABM removes the need for Apple IDs on your iPads. Imprivata assumes you have already integrated ABM with your MDM, as this process is beyond the scope of this document.
USB Hub
It’s possible to use Mobile Access Management without a USB hub. Just hang one or more USB-to-Lightning cables off your PC or Mac, and plug in one or more devices at a time. What happens if staff plug in their personal phones to charge? Mobile Access Management will not erase their devices. But you do want to keep the cables available for your iPads, of course.
The iPad workflow is a bit easier if you use USB hubs to connect multiple iPads to Mobile Access Management at once. When finished, the iPads will remain connected and start charging.
NOTE: Only a limited number of manufacturers can deliver the proper current to multiple iPads while simultaneously syncing with the Mac or Windows PC.
- Datamation Systems Charge/Sync Hubs (Mac & Windows)
- Bretford PowerSync+ Hubs (Mac Only)
A subset of these Smart Hubs includes LEDs that Mobile Access Management can control to turn green (Datamation) or stop blinking (Bretford) after the iPad has completed its reset process. Our customers have found that this LED control is greatly appreciated by the nursing staff.
Set up your MDM
This use case usually requires Mobile Access Management to send API commands to your MDM to delete/retire the device from MDM as it is being erased. Mobile Access Management can perform this command on the following MDM systems:
- VMware Workspace ONE (formerly AirWatch)
- Ivanti Endpoint Manager Mobile (formerly MobileIron Core)
- Ivanti Neuron (formerly MobileIron Cloud)
You will need to set up at least two things in your MDM.
Set up a DEP Profile (if applicable)
If using DEP, you will want to create a DEP profile specific to your iPads. This profile must be set to skip all setup screens. You can either require authentication — Mobile Access Management can provide the username and password — or skip authentication and assign devices directly to a shared user, which is a little easier. If you are using VMware Workspace ONE/AirWatch, this DEP profile should also direct all iPads into a specific organization group for your devices.
You will need to add MAM’s Supervision Identity to your DEP profile in order to enable full functionality.
Assign Apps
You are welcome to assign as many apps as you wish to the shared user or group you will be using. Some of our customers add 30 apps to these devices, automatically installed at enrollment. Other customers install only a minimum of apps but make others available via an app catalog on the device.
Test MDM
Before you set up Mobile Access Management, you should be able to test an iPad to make sure it enrolls and installs apps as expected. If possible, use the same Wi-Fi network you intend to use for production. You’ll be doing steps manually at this point, but we do want to be sure your MDM is working as expected.
Set up Mobile Access Management
There are a few steps we’ll do next, using Mobile Access Management.
Set up a Launchpad
For more details, see installing your Launchpad.
Create a Workflow
In the MAM admin console, click on the Workflows tab, then click New Workflow. Enter a name for the workflow, for example “Patient iPads”.
Under Workflow Model, select DEP or Non-DEP, as appropriate for your devices. (If you are using both DEP and Non-DEP iPads, you will need one workflow for each.)
Add the following actions to your workflow:
- Erase — the default “Erase supervised and DEP devices” is recommended.
- Add WiFi — create a Wi-Fi profile for your iPad SSID, or select an existing profile if you have already defined one.
- Device Enrollment Program (DEP workflows) — if using DEP, be sure to select Do Not Authenticate if your DEP profile skips authentication, or choose Authenticate As and enter an MDM username and password.
- Enroll/Perform MDM Command — this step installs the MDM enrollment profile on your devices.
- Perform MDM Command — for all workflows, this is recommended to delete (or retire) the device from MDM, so each device refresh is a fresh enrollment in your MDM. You may also want Clear Passcode if your MDM supports it.
- Set Language and Locale — this step is required in order to skip all setup screens. You may keep the default language “en” and locale “en-US” if appropriate.
- Set Timezone — this step will help your iPad display the correct time.
When you have added all the actions to your workflow, click Save.
Test the Workflow
This is a good time to test your workflow, to make sure it is behaving as you expect.
- Erase your test iPad — this is needed only the first time you test.
- Start the Launchpad app on your Mac or Windows PC.
- Plug the iPad into your PC.
- In the MAM admin console, on the Workflow page, click Deploy, then select your Launchpad.
It should take between 2 and 5 minutes for the workflow to complete, depending on the speed of your iPad.
Create an Automation Rule
As a final step, set up Mobile Access Management to automatically run your workflow when iPads are plugged in. In the Automation tab, click New Rule.
- Give the rule a name, such as “Patient iPads”.
- Add a condition, such as Device Model is iPad.
- Add your workflow to the actions.
- Enable the rule.
Test this automation by unplugging your iPad, then plugging it in again. With no other action, your iPad should erase, enroll in MDM, and begin to download apps.
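Because the whole point of the automation is that every iPad returned to the charging station is wiped before it goes to the next patient, it is worth checking the process log for devices that were unplugged before the erase finished, or that were erased but never re-enrolled. The script below is an added example and is not Mobile Access Management’s own tooling: the log format, the event names and the serial numbers are constructed for illustration, so map the parser to whatever your cloud console actually exports. The rule it applies is simple: a device that disconnected without an erase-completed event since its last connect may still carry PHI; one that erased but did not finish enrollment is clean but not ready to hand out.

```python
import re

# Constructed log format (hypothetical, not Mobile Access Management's own export):
#   <ISO-8601 UTC timestamp> serial=<serial> event=<name>
# Event names used here: connected, erase_started, erase_completed,
# enroll_completed, disconnected. Serials are made up.
SAMPLE_LOG = """\
2024-03-02T08:00:00Z serial=DMPX0001 event=connected
2024-03-02T08:00:05Z serial=DMPX0001 event=erase_started
2024-03-02T08:02:40Z serial=DMPX0001 event=erase_completed
2024-03-02T08:04:10Z serial=DMPX0001 event=enroll_completed
2024-03-02T08:10:00Z serial=DMPX0001 event=disconnected
2024-03-02T08:00:30Z serial=DMPX0002 event=connected
2024-03-02T08:00:35Z serial=DMPX0002 event=erase_started
2024-03-02T08:01:10Z serial=DMPX0002 event=disconnected
2024-03-02T09:00:00Z serial=DMPX0003 event=connected
2024-03-02T09:00:05Z serial=DMPX0003 event=erase_started
2024-03-02T09:03:00Z serial=DMPX0003 event=erase_completed
2024-03-02T09:10:00Z serial=DMPX0004 event=connected
2024-03-02T09:13:00Z serial=DMPX0004 event=erase_completed
2024-03-02T09:13:30Z serial=DMPX0004 event=disconnected
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) serial=(?P<serial>\S+) event=(?P<event>\S+)$")


def parse_log(text):
    """Return a list of (timestamp, serial, event) tuples; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable line: {line!r}")
        events.append((match["ts"], match["serial"], match["event"]))
    return events


def audit(text):
    """Replay the log per device and report unsafe and not-ready unplugs.

    unsafe:    disconnected without an erase_completed since the last connect
               (the device may still hold the previous patient's data)
    not_ready: erased, but disconnected before enroll_completed
               (clean, but apps and settings will be missing)
    Devices still plugged in are in progress and are not reported.
    """
    # Same-format ISO-8601 UTC timestamps sort correctly as strings, so a plain
    # sort puts interleaved devices back into time order.
    events = sorted(parse_log(text))
    state = {}
    unsafe, not_ready = [], []
    for _ts, serial, event in events:
        dev = state.setdefault(serial, {"erased": False, "enrolled": False})
        if event == "connected":
            dev["erased"] = False        # a new cycle starts; prior results no longer count
            dev["enrolled"] = False
        elif event == "erase_completed":
            dev["erased"] = True
        elif event == "enroll_completed":
            dev["enrolled"] = True
        elif event == "disconnected":
            if not dev["erased"]:
                unsafe.append(serial)
            elif not dev["enrolled"]:
                not_ready.append(serial)
    return {"unsafe": unsafe, "not_ready": not_ready}


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for serial in findings["unsafe"]:
        print(f"{serial}: unplugged before erase completed; do NOT reissue")
    for serial in findings["not_ready"]:
        print(f"{serial}: erased but not enrolled; plug back in")
```

On the sample data this reports DMPX0002 as unsafe and DMPX0004 as not ready; DMPX0001 completed a full cycle and DMPX0003 is still connected. Feeding a day’s export through a check like this, and alerting on any “unsafe” result, turns the cloud log the article mentions into an actual control over residual PHI rather than just a record.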
Optional Refinements
There are a number of refinements you can make to your system if you like.
Smart Hub Support
Mobile Access Management can control the LEDs on certain Smart Hubs. This helps your staff understand when iPads are busy, and when they have completed reset.
Recommended Apps to Hide
Certain apps are not appropriate for shared devices. Many Apple apps require an Apple ID, which you do not want on these devices. These apps can be hidden using either Mobile Access Management or your MDM: App Store, Apple Store, FaceTime, Find My, Find My Friends, Find My iPhone, Game Center, Health, Home, iBooks, iTunes, iTunes U, Mail, Messages, Podcasts, TV, Videos, Wallet, Watch.
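If you hide these apps through your MDM rather than through Mobile Access Management, what the MDM ultimately pushes is an iOS configuration profile carrying a Restrictions payload that lists the bundle IDs to hide. The script below is an added example, not code from this article or from Imprivata: it builds that profile for the apps listed above and parses it back for review. The bundle IDs are Apple’s built-in app identifiers as I know them, so verify each one against the app inventory your MDM displays before deploying; the organization name and identifier prefix are placeholders to replace. Hiding by bundle ID only works on supervised devices, which is why the article’s DEP recommendation matters here.

```python
import plistlib
import uuid

# Added example (not the article's or Imprivata's code). App names are the
# article's list; bundle IDs are Apple's built-in app identifiers as I know
# them; verify them against your MDM's app inventory before use.
HIDDEN_APPS = {
    "App Store": "com.apple.AppStore",
    "Apple Store": "com.apple.store.Jolly",
    "FaceTime": "com.apple.facetime",
    "Find My": "com.apple.findmy",
    "Find My Friends": "com.apple.mobileme.fmf1",
    "Find My iPhone": "com.apple.mobileme.fmip1",
    "Game Center": "com.apple.gamecenter",
    "Health": "com.apple.Health",
    "Home": "com.apple.Home",
    "iBooks": "com.apple.iBooks",
    "iTunes": "com.apple.MobileStore",
    "iTunes U": "com.apple.itunesu",
    "Mail": "com.apple.mobilemail",
    "Messages": "com.apple.MobileSMS",
    "Podcasts": "com.apple.podcasts",
    "TV": "com.apple.tv",
    "Videos": "com.apple.videos",
    "Wallet": "com.apple.Passbook",
    "Watch": "com.apple.Bridge",
}

PROFILE_ORG = "Example Hospital"                 # placeholder: your organization name
PROFILE_ID_BASE = "org.example.patient-ipad"     # placeholder: your reverse-DNS prefix


def build_hidden_apps_profile(bundle_ids, org=PROFILE_ORG, id_base=PROFILE_ID_BASE):
    """Return a configuration profile (as a dict) whose Restrictions payload hides the apps."""
    ids = sorted(set(bundle_ids))                # de-duplicate and keep the output stable
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",   # the Restrictions payload
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{id_base}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Hide apps that need an Apple ID",
        # Long-standing key for hiding apps on supervised devices; Apple's current
        # documentation also lists blockedAppBundleIDs. Check which one your MDM emits.
        "blacklistedAppBundleIDs": ids,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": id_base,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Patient iPad - hidden apps",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,        # patients must not be able to remove it
        "PayloadContent": [restrictions],
    }


def profile_to_mobileconfig(profile):
    """Serialize the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def hidden_bundle_ids(mobileconfig_bytes):
    """Parse a .mobileconfig and return the set of bundle IDs it hides (for review/audit)."""
    data = plistlib.loads(mobileconfig_bytes)
    ids = set()
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            ids.update(payload.get("blacklistedAppBundleIDs", []))
            ids.update(payload.get("blockedAppBundleIDs", []))
    return ids


if __name__ == "__main__":
    xml = profile_to_mobileconfig(build_hidden_apps_profile(HIDDEN_APPS.values()))
    with open("patient-ipad-hidden-apps.mobileconfig", "wb") as out:
        out.write(xml)
    print(f"wrote profile hiding {len(hidden_bundle_ids(xml))} apps")
```

The parser half is the useful bit for an audit: export the restrictions profile your MDM actually installs, run it through hidden_bundle_ids, and compare the result with the article’s list so that a later edit in the console does not quietly bring the App Store or Messages back onto a shared device.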
Recommended Restrictions
As these iPads are supervised, you are able to apply extensive restrictions. However, you want to maintain a welcome experience, so only apply restrictions that are really needed. Here’s a minimal list:
On Failure
You can improve your Mobile Access Management workflow with the On Failure action. If the workflow fails for any reason, the system can retry as many times as you specify.
Add Wallpaper
Brand your iPads with the Add Wallpaper action. Wallpaper works best if it is 2048 x 2048 pixels, and on a color (not white) background. Mobile Access Management can also add additional text to the lock screen, like the iPad serial number, device name, or unit name.
Scaling the Solution
Once you’ve set up the workflow as expected and have obtained approvals, it’s easy to scale the solution. Each location will need a Mac or PC, an optional USB hub, and of course iPads. Each Launchpad needs a username and password to register with the cloud, but the same credentials can be used everywhere. No other configuration is required; each location inherits the rules you’ve already set up in the cloud.
iPads will need to be erased by hand, the first time they are connected to Mobile Access Management. As an alternative, you can use Recovery Mode to have MAM erase and update devices at the same time.
Macs should be set up with Content Caching (System Preferences > Sharing) to keep a local copy of any apps pushed by your MDM. Although Content Caching is not available on every network, it can speed up iPad setup considerably while reducing the load on your WAN. This setting can also let the iPads use the Mac’s network connection for initial provisioning, installing apps via USB instead of Wi-Fi.