IGEL Agent for Imprivata (IAFI) Feature Comparison Matrix
Updated:
General Recommendations
Use the latest IAFI OS 12 app version as it will contain the newest features, updates, and fixes.
You can access the latest IAFI version and release notes on the IGEL App Portal.
IGEL OS 11 - as of November 2024, no new IAFI features have been included in OS 11. All new features are with OS 12 only.
For Imprivata Windows or ProveID Embedded Agent (PIE), always refer to the latest Imprivata Enterprise Access Management - SSO Supported Components Guide.
NOTE: For any blank features, please contact your IGEL account team to inquire about any future roadmap items.
Imprivata EAM General Features and Workflows
General Features and Workflows | Windows Agent | PIE Agent (OS 11 only) | IAFI OS12 | IAFI Notes |
|---|---|---|---|---|
Appliance Failover |
|
|
| |
Offline Mode |
|
|
| |
Self-Service Password Reset (Agent Dialogs) |
|
|
| For IAFI agents 1.1.1 and lower, use the Imprivata EAM 24.1 branch or older versions. If using the 24.2 branch, use hotfix 2 or higher |
NEW - Self-Service Password Reset Web App |
|
|
| The new SSPR Web App experience was introduced in EAM 24.2. IAFI 1.2.0 and higher will use this new SSPR Web App experience and not the Agent Dialogs from prior IAFI versions. |
Third-party Self-Service Password Reset |
|
|
| Supported with IAFI 1.2.0 and higher |
Non-OneSign User Workflow |
|
|
| |
Spine Combined Workflow (NHS) |
|
|
| |
Smartcard as Proximity Card Workflow |
|
|
| |
Customization Objects (Computer Policy) |
|
|
| |
Multi-Monitor support |
|
|
| Two monitors only, same resolution and size |
Default Domain Setting for Agent login |
|
|
| |
Configurable Setting for Lock Screen Toggle |
| An optional hotkey that can be configured to toggle the IAFI full lock screen to a compact mode. The default setting is empty. Some example hotkeys: [Esc] or [Esc] + [i] |
Primary Authentication Methods (Including Enrollment)
These additional Imprivata Licensed Options for Primary Authentication are NOT supported by IAFI
Fingerprint Identification (one-to-many match) - Configuring Fingerprint Identification in Enterprise Access Management
NOTE: Fingerprint enrollments must occur with a Imprivata Windows agent
Imprivata ID for Windows access - Imprivata ID for Windows Access
VASCO OTP token authentication - Managing OneSpan (VASCO) OTP Tokens
Primary Authentication Methods | Windows Agent | PIE Agent OS 11 Only | IAFI OS 12 | IAFI Notes |
|---|---|---|---|---|
Password |
|
|
| |
Face recognition |
| Imprivata Windows Agent feature only. Face Recognition Authentication | ||
Imprivata PIN (Device-bound Passkey) |
| Imprivata Windows Agent feature only. Passwordless Authentication with Device-Bound Passkey | ||
Fingerprint Biometrics |
|
NOTE: Authentication only, not enrollment | NOTE: Authentication only, not enrollment | IAFI 1.4.0 and higher Supported readers: Imprivata IMP-1C |
Proximity Card |
|
|
| Supported Prox readers:
|
Security Key (FIDO) |
|
|
| IAFI 1.3.0 and higher Supported FIDO readers:
|
Smart Card using Active Directory Certificate |
|
|
| |
Smart Card using external certificate |
| |||
External ID Token |
| |||
VASCO OTP Token |
| |||
Question and Answer |
|
|
Primary + Second Factor Authentication Workflows
IAFI supports the grace period settings for the Imprivata second factor in the user policy
Second-Factor Authentication Workflows | Windows Agent | PIE Agent (OS 11 only) | IAFI OS 12 | IAFI Notes |
|---|---|---|---|---|
Password + Imprivata ID |
|
| Additional Second factor policy options are not supported. | |
Fingerprint + Password |
|
|
| IAFI 1.4.0 and higher |
Fingerprint + Imprivata PIN |
|
|
| IAFI 1.4.0 and higher |
Proximity Card + Password |
|
|
| |
Proximity Card + Imprivata PIN |
|
|
| |
Proximity Card + Fingerprint |
|
|
| IAFI 1.4.0 and higher |
Proximity Card + Fingerprint or Password |
|
| ||
Proximity Card + Fingerprint or Imprivata PIN |
|
| ||
FIDO Security Key + Password |
|
| IAFI 1.3.0 and higher | |
FIDO Security Key + Imprivata PIN |
|
| IAFI 1.3.0 and higher | |
FIDO Security Key + Fingerprint |
|
| IAFI 1.4.0 and higher | |
FIDO Security Key + Fingerprint or Password |
| |||
FIDO Security Key + Fingerprint or Imprivata PIN |
|
Authentication / Reauthentication Methods via Imprivata Virtual Channel
This is to support Imprivata EAM (Confirm ID) reauthentication workflows for EPCS and Clinical Workflows
Authentication / Reauthentication Methods via Virtual Channel | Windows Agent | PIE Agent (OS 11 Only) | IAFI OS 12 | IAFI Notes |
|---|---|---|---|---|
Proximity Card |
|
|
| |
Smart Card |
|
|
| |
Security Key (FIDO) |
|
|
| |
Fingerprint Biometrics |
|
|
| For order signing workflows, you can use USB redirection of a Fingerprint reader until we update IAFI with virtual channel support. |
Imprivata Hands Free Authentication |
|
|
| |
Imprivata ID (Push Notification) |
|
|
Walk-Away Security
This is for support of the Imprivata Computer Policy > Walk-Away Security settings.
Walk-Away Security | Windows Agent | PIE Agent (OS 11 only) | IAFI OS 12 | IAFI Notes |
|---|---|---|---|---|
Honors Lock Command (Hotkey in User Policy Challenges tab) |
|
|
| These are the current supported Hotkey combinations:
|
Fade to Lock Screensaver |
|
|
| Black screensaver only - no fade to lock |
Notification Balloon |
|
|
| |
Secure Walk-Away (via Imprivata BLE Dongle) |
|
|
|
Microsoft Workflows
For OS 12, IGEL recommends using the latest IAFI version and the latest Microsoft app versions for AVD, Win 365 Cloud PC, or Remote Desktop
IAFI versions will specify the minimum required Microsoft companion app.
Microsoft Workflows | Windows Agent | PIE Agent (OS 11 only) | IAFI OS 12 | IGEL Agent for Imprivata Configuration Mode | IAFI Notes | |||
|---|---|---|---|---|---|---|---|---|
Auth Only | Follow Policies | Kiosk | Fast User Switching | |||||
AVD Desktops (Roaming) |
|
|
|
| Manual or auto-launch | |||
AVD Remote Apps (Roaming) |
|
|
| Manual or auto-launch | ||||
Win365 Cloud PCs Enterprise or Frontline (Roaming) |
|
|
| OS 12 only Manual or auto-launch | ||||
Virtual Kiosk for AVD/Win365 Cloud PC - (Non-Roaming) |
(AVD only) |
|
|
| Imprivata Type 2 agent installed on Windows virtual kiosk | |||
RDS/Remote PC Desktops (Roaming) |
|
|
|
| Only one Remote PC desktop connection is supported in Follow Policies mode. | |||
RDS Applications (Roaming) |
|
|
|
| ||||
Virtual Kiosk for RDS/Remote PC Desktops (Non-Roaming) |
|
|
|
| Imprivata Type 2 agent installed on Windows virtual kiosk | |||
Virtual Kiosk for RDS Published Apps (Non-Roaming) |
|
|
|
| ||||
Citrix Workflows
For OS 12, IAFI has specific Citrix version requirements for these workflows.
NOTE: IAFI app versions will specify the minimum Citrix companion app.
Citrix Workflows | Windows Agent | PIE Agent (OS 11 only) | IAFI OS 12 | IGEL Agent for Imprivata Configuration Mode | IAFI Notes | |||
|---|---|---|---|---|---|---|---|---|
Auth Only | Follow Policies | Kiosk | Fast User Switching | |||||
Virtual Desktops (Roaming) |
|
|
|
|
| Manual or auto-launch | ||
Virtual Apps (Roaming) |
|
|
|
|
| Manual or auto-launch | ||
Virtual Kiosk for Citrix Desktops (Non-Roaming) |
|
|
|
| Imprivata Type 2 agent installed on virtual kiosk | |||
Virtual Kiosk for Published Applications (Non-Roaming) |
| Epic Only workflow with Type 3 agent on Microsoft Server OS | ||||||
Citrix Connection Configuration Details (All IAFI configuration modes - Auth Only, Follow Policies, Kiosk, Fast User Switching):
Storefront Authentication (Store and Storeweb)
HTTPS required
The Citrix Store must be configured with the following authentication methods to support connections from IAFI.
User name and Password
Domain pass-through
HTTP Basic
When using IAFI in Follow Policies and Fast User Switching (Persistent App workflow), the Imprivata VDA Citrix URL must be the Citrix Storeweb URL. The legacy PNAgent URL is not supported with IAFI.
ex: https://citrix.igeldemolab.org/Citrix/StoreWeb
When using IAFI in Auth Only or Kiosk Mode, the Citrix Workspace App URL must be the Citrix Store URL
ex: https://citrix.igeldemolab.org/Citrix/Store
Troubleshooting Tip for Citrix Storefront connections
If you see a double-prompt to reauthenticate after initially logging into the Citrix Workspace App (i.e. IAFI Auth Only mode), check to make sure the Trusted Domain information is consistent across the Citrix environment.
IGEL recommends using the FQDN across all of the Citrix environment. The FQDN should also match the domain information that the Imprivata appliance is synching with against Active Directory.
ex: Trusted Domain = igeldemolab.org
Omnissa Horizon Workflows
For OS 12, IGEL recommends using the latest IAFI version and the latest Omnissa Horizon app version.
NOTE: IAFI app versions will specify the minimum Omnissa Horizon companion app.
** If using the Horizon NextGen v2 broker, only Workspace ONE is supported as the Horizon IdP. Please review the Omnissa Horizon documentation.
Horizon Workflows | Windows Agent | PIE Agent (OS 11 only) | IAFI OS 12 | IGEL Agent for Imprivata Configuration Mode | IAFI Notes | |||
|---|---|---|---|---|---|---|---|---|
Auth Only | Follow Policies | Kiosk | Fast User Switching | |||||
Virtual Desktops / on-prem (Roaming) |
|
|
|
|
| Manual or auto-launch | ||
Virtual Published Applications / on-prem (Roaming) |
|
|
|
|
| Manual or auto-launch | ||
Virtual Desktops (Cloud) |
|
|
|
| ||||
Virtual Published Apps (Cloud) |
|
|
|
| ||||
Horizon Cloud Entitlement On-Ramp Broker (Roaming Desktops or Apps) |
|
| Requires IAFI Auth Only mode | |||||
Horizon Cloud Entitlement On-Ramp Broker (Virtual Kiosk) |
| |||||||
Horizon Cloud Service / v2 NextGen Broker** |
|
|
|
| Desktops or apps and virtual kiosk with Imprivata Type 2 agent | |||
Virtual Kiosk for Horizon Desktops (Non-Roaming) |
|
|
|
| Imprivata Type 2 agent installed on virtual kiosk | |||
Virtual Kiosk for Horizon Apps (Non-Roaming) |
|
|
| Epic Only workflow with Type 3 agent on Microsoft Server OS | ||||