IAFI Profile Templates

These profiles are available as templates for assisting with configuration of the different supported workflows.

Before You Begin:

Please refer to these additional articles:

Important:

The profiles are set to use the “Default Version” of IAFI and any of the supported apps.
You can modify them as necessary.
Refer to this article for importing profiles: Exporting and Importing Profiles in the IGEL UMS Web App
For most of the workflow templates, you will have to fill in the details for your environment such as:
- Imprivata Appliance URLs
- Session connection information (ex: Server URL, generic user ID or passwords)
- Lockscreen customizations (if applicable)

Imprivata Workflow Templates

Follow Policies and Workflows

This is for Roaming Sessions Only (Apps or Desktops)

Profile Template

Notes

Please refer to this IAFI KB article for Follow Policies: Configuration of the IGEL Agent for Imprivata on IGEL OS

Virtual Desktops Only (Citrix, Horizon)

IAFI-FollowPolicies-DesktopsOnly.ipm

This configuration is for a workflow with just virtual desktops. If the user only has one, they will get automatically launched to that desktop. If the user has more than one, they will see the IAFI Chooser in Windowed Mode.

NOTE: This should be paired with the Citrix or Horizon Global best practice profiles further below.

Citrix customers may need to enable the NetScaler COOKIEINSERT setting.

Virtual Apps and Desktops (Citrix, Horizon)

IAFI-FollowPolicies-Apps-Desktops.ipm

This configuration is for a workflow with just virtual apps and desktops. The user will see the IAFI Chooser in Windowed Mode with a list of their resources.

NOTE: This should be paired with the Citrix or Horizon Global best practice profiles further below.

Citrix customers may need to enable the NetScaler COOKIEINSERT setting.

Microsoft Remote PC

IAFI-FollowPolicies-MSRemotePC.ipm

Only supports Imprivata VDA for Microsoft Remote PC

Auth Only

Profile Template

Notes

Refer to: IAFI Configuration Guide - Auth Only

Microsoft AVD

IAFI-template-AO-AVD.ipm

For AVD client settings, refer to:

IGEL Azure Virtual Desktop

Microsoft Windows 365

IAFI-template-AO-Win365.ipm

For Windows 365 client settings, refer to:

IGEL Windows 365

Microsoft RDP

Imprivata-RDP-Auth-Only.ipm

This profile connects to a single Windows server.

NOTE: IAFI does not support connecting through RD Web / Gateway.

Citrix Workspace App

IAFI-template-AO-Citrix.ipm

This is configured to automatically reconnect to “active or disconnected sessions” and to auto start a single published app or desktop after successful login.

It does not have any auto launch of a specific app, but that could be configured if desired.

For Citrix Workspace App settings, refer to:

Citrix Workspace App

Omnissa Horizon - Roaming Desktops

IAFI-template-AO-HorizonDesktops.ipm

This is configured to auto launch a desktop after logging into the Horizon client. That can be modified if you’d like.

For Horizon client settings, refer to:

Omnissa Horizon Client

Omnissa Horizon - Roaming Apps

IAFI-template-AO-HorizonApps.ipm

This is configured to not auto launch any Horizon apps. The user will see the native Horizon chooser and can manually pick apps to start. The chooser will also remain available for other apps.

Horizon will automatically reconnect disconnected apps or roam any of the users active or disconnected apps when they log in again.

For Horizon client settings, refer to:

Omnissa Horizon Client

Kiosk Mode

Profile Template

Notes - see this: IAFI Workflow Configuration Options

Citrix Virtual Kiosk

This is not an Imprivata VDA licensed workflow.

IAFI-KioskMode-CitrixType2VirtualKiosk.ipm

Windows 11 Citrix Desktop OS with Imprivata Type 2 agent

Citrix Epic Only

This is not an Imprivata VDA licensed workflow.

The Epic EHR (Epic) is delivered to the thin client via Citrix Virtual Apps application virtualization. Epic is the only application that is available on the thin client. This configuration is known as Epic Only mode.
The thin client establishes a Citrix session using generic user credentials. While Epic remains running under the generic user credentials, users authenticate to the Imprivata Connector for Epic Hyperdrive (Connector), and work under their credentials.
When the Connector detects a user switch, Imprivata Enterprise Access Management keeps Epic open, while switching the user that is logged in.

IAFI-KioskMode-EpicOnly.ipm

Connecting to a Windows Server with the Imprivata Type 3 agent. This config supports the Imprivata Epic Only workflow where a user will log directly into Epic using the Imprivata Windows Agent on the remote server.

BEST PRACTICE: Epic should be the only application launched from the preconfigured Citrix session. If other apps are opened from Citrix, this could break the Imprivata virtual channel and the workflow.

See this: Configuring Epic Only Virtual Kiosks for Citrix XenApp

Horizon Virtual Kiosk

This is not an Imprivata VDA licensed workflow.

IAFI-KioskMode-HorizonType2.ipm

Windows 11 Horizon Desktop OS with Imprivata Type 2 agent

Microsoft AVD Virtual Kiosk

This is not an Imprivata VDA licensed workflow.

IAFI-KioskMode-AVD-VirtualKiosk.ipm

Windows 11 AVD Single Session with Imprivata Type 2 agent

NOTE: This not a Win 11 Multi-Session or Windows Server.

Microsoft RDP Virtual Kiosk

This is not an Imprivata VDA licensed workflow.

IAFI-KioskMode-RDP-VirtualKiosk.ipm

Windows 11 RDP Desktop OS with Imprivata Type 2 agent

Fast User Switching (FUS)

Profile Template

Notes

Citrix Persistent App (Epic)

IMPORTANT: This is an Imprivata VDA licensed workflow.

IAFI-FUS-PersistentApp-VDA-Epic.ipm

IAFI will be in full lockscreen mode and will automatically launch a preconfigured Citrix session for Epic using a generic account.

Each Imprivata user that logs in and has VDA licensing assigned will get access to their own Citrix resources available in the IAFI chooser which is configured in Windowed Mode.

For reference, please see this: Configuring Persistent Applications for Citrix XenApp with Manually Launched Applications

Citrix Epic FUS

This is not an Imprivata VDA workflow like the Persistent App feature noted above.

IAFI-FUS-PersistentAppEpic.ipm

IAFI will be in full lockscreen mode and will automatically launch a preconfigured Citrix session for Epic using a generic account.

Access to a local app like a browser is optional. IAFI also has a FUS feature to run a command script to close a local app on user logout or switch.

BEST PRACTICE: Epic should be the only application launched from the preconfigured Citrix session. If other apps are opened from Citrix, this could break the Imprivata virtual channel and the workflow.

NOTE: This profile contains a post session command. If a user closes Epic, IGEL OS will logoff Citrix and the OS and return the user back to the IAFI lock screen. This will restart the preconfigured Epic session.

Horizon Epic FUS

This is not an Imprivata VDA workflow like the Persistent App feature noted above.

IAFI-FUS-Horizon-Epic.ipm

IAFI will be in full lockscreen mode and will automatically launch a preconfigured Horizon session for Epic using a generic account.

Access to a local app like a browser is optional. IAFI also has a FUS feature to run a command script to close a local app on user logout or switch.

BEST PRACTICE: Epic should be the only application launched from the preconfigured Horizon session. If other apps are opened from Horizon, this could break the Imprivata virtual channel and the workflow.

NOTE: This profile contains a post session command. If a user closes Epic, IGEL OS will logoff and bring the user back to the IAFI lock screen.

Debug Logging Templates:

Debug Profiles	Profile Template	Notes Start with the Base OS debug profile, then add IAFI debug and the client logging profile as needed (AVD, Citrix, Horizon) See this: How to Enable and Export IAFI Debug Logging for Troubleshooting
OS 12 Base Debug, TCPDump	Debug-Base-and-TCPDump-and-Delete-Logs-on-Boot.ipm	Enable Debug Logging for the Base OS. Remote Management Debug logging is disabled, and existing logs are deleted on boot.
IAFI Debug Logging	Debug-IAFI.ipm	Enables IAFI debug logging
AVD Debug Logging	AVD-debuglogging.ipm	Enables AVD debug logging
Citrix Debug Logging	debug-citrix-setlog-verbose-tw-errors.ipm	Enables Citrix debug logging
Horizon Debug Logging	Debug-Horizon.ipm	Enables Horizon debug logging

Non-workflow Templates:

Miscellaneous	Profile Template	Notes
IAFI Restart Agent	Restart-IAFI.ipm	Custom App that restarts IAFI without rebooting IGEL OS. How to Create a Profile to Restart the IGEL Agent for Imprivata
Ignore PCSC Readers	IAFI-ignore-PCSC-readers.ipm	See the Ignore Readers setting in this article Configuration of the IGEL Agent for Imprivata on IGEL OS
Base OS 12 - System Lockdown Settings	lockdown-igel-os-12 1.ipm	This profile applies some best practice security settings for locking down IGEL OS 12 to limit what end users have access to. This is common for shared workstations. For example: Disable access to Setup, App Portal, Shutdown device
Base OS 12 - Disable Suspend (Power Management)	Base-DisableSuspend.ipm	This profile controls Power Management settings and sets the System Suspend / Shutdown on Inactivity to Never. This also disables access to the Power Management Settings.
Logoff Desktop Icon	logoff-desktop-icon.ipm	This puts a Logoff icon on the IGEL desktop. If IAFI gets into a bad state, this can be used to logoff the IGEL device without rebooting which will restart the IAFI app and return to a known good state.