Updated:
General Recommendations
-
Use the latest IAFI OS 12 app version as it will contain the newest features, updates, and fixes.
-
You can access the latest IAFI version and release notes on the IGEL App Portal.
-
-
IGEL OS 11 - as of November 2024, no new IAFI features have been included in OS 11. All new features are with OS 12 only.
-
For Imprivata Windows or ProveID Embedded Agent (PIE), always refer to the latest Imprivata Enterprise Access Management - SSO Supported Components Guide.
NOTE: For any blank features, please contact your IGEL account team to inquire about any future roadmap items.
Imprivata EAM General Features and Workflows
|
General Features and Workflows |
Windows Agent |
PIE Agent (OS 11 only) |
IAFI OS12 |
IAFI Notes Please refer to the Configuring IAFI KB article |
|---|---|---|---|---|
|
Appliance Failover |
|
|
|
|
|
Offline Mode |
|
|
|
|
|
Self-Service Password Reset (Legacy Agent Dialogs) |
|
|
|
For IAFI agents 1.1.1 and lower, use the Imprivata EAM 24.1 branch or older versions. If using the 24.2 branch, use hotfix 2 or higher |
|
Self-Service Password Reset Web App |
|
|
|
The new SSPR Web App experience was introduced in EAM 24.2. IAFI 1.2.0 and higher will use this new SSPR Web App experience and not the Agent Dialogs from prior IAFI versions. |
|
Third-party Self-Service Password Reset |
|
|
|
Supported with IAFI 1.2.0 and higher |
|
Non-OneSign User Workflow |
|
|
|
|
|
Guest Login |
|
|
|
For IAFI 1.3.0 agents or higher |
|
Spine Combined Workflow (NHS) |
|
|
|
|
|
Smartcard as Proximity Card Workflow |
|
|
|
|
|
Customization Objects (Computer Policy) |
|
|
|
|
|
Multi-Monitor support |
|
|
|
Refer to this KB Article |
|
Default Domain Setting for Agent login |
|
|
|
|
|
Configurable Setting for Lock Screen Toggle |
|
|
|
An optional hotkey that can be configured to toggle the IAFI full lock screen to a compact mode. The default setting is empty. Some example hotkeys: [Esc] or [Esc] + [i] |
|
Entra ID Directory Users |
|
|
|
|
|
Enforce MFA for PIN Enrollment |
|
|
|
|
Primary Authentication Methods (Including Enrollment)
These additional Imprivata Licensed Options for Primary Authentication are NOT supported by IAFI
-
Fingerprint Identification (one-to-many match) - Configuring Fingerprint Identification in Enterprise Access Management
-
NOTE: Fingerprint enrollments must occur with a Imprivata Windows agent. Enrolling Fingerprints via the Imprivata Virtual Channel from an IAFI endpoint is not yet supported.
-
-
Imprivata ID for Windows access - Imprivata ID for Windows Access
-
VASCO OTP token authentication - Managing OneSpan (VASCO) OTP Tokens
|
Primary Authentication Methods |
Windows Agent |
PIE Agent OS 11 Only |
IAFI OS 12 |
IAFI Notes |
|---|---|---|---|---|
|
Password |
|
|
|
|
|
Face recognition |
|
|
|
Imprivata Windows Agent feature only. Face Recognition Authentication |
|
Imprivata PIN (Device-bound Passkey) |
|
|
|
Imprivata Windows Agent feature only. Passwordless Authentication with Device-Bound Passkey |
|
Fingerprint Biometrics |
|
NOTE: Authentication only, not enrollment |
NOTE: Authentication only, not enrollment |
IAFI 1.4.0 and higher Supported readers: Imprivata IMP-1C UPEK ET700 / ET710 |
|
Proximity Card |
|
|
|
Supported Prox readers:
|
|
FIDO Security Key |
|
|
|
IAFI 1.3.0 and higher Supported FIDO readers:
|
|
Smart Card using Active Directory Certificate |
|
|
|
|
|
Smart Card using external certificate |
|
|
|
|
|
Question and Answer |
|
|
|
|
|
Windows Hello for Business |
|
|
|
Windows Agent Only feature |
Primary + Second Factor Authentication Workflows
IAFI supports the grace period settings for the Imprivata second factor in the user policy
|
Second-Factor Authentication Workflows |
Windows Agent |
PIE Agent (OS 11 only) |
IAFI OS 12 |
IAFI Notes |
|---|---|---|---|---|
|
Password + Imprivata ID |
|
|
|
PW + Imprivata ID is a Windows agent only feature. Additional Second factor policy options for password are not supported. |
|
Fingerprint + Password |
|
|
|
IAFI 1.4.0 and higher |
|
Fingerprint + Imprivata PIN |
|
|
|
IAFI 1.4.0 and higher |
|
Proximity Card + Password |
|
|
|
|
|
Proximity Card + Imprivata PIN |
|
|
|
|
|
Proximity Card + Fingerprint |
|
|
|
IAFI 1.4.0 and higher |
|
Proximity Card + Fingerprint or Password |
|
|
|
IAFI 1.5.0 and higher |
|
Proximity Card + Fingerprint or Imprivata PIN |
|
|
|
IAFI 1.5.0 and higher |
|
FIDO Security Key + Password |
|
|
|
IAFI 1.3.0 and higher |
|
FIDO Security Key + Imprivata PIN |
|
|
|
IAFI 1.3.0 and higher |
|
FIDO Security Key + Fingerprint |
|
|
|
IAFI 1.4.0 and higher |
|
FIDO Security Key + Fingerprint or Password |
|
|
|
IAFI 1.5.0 and higher |
|
FIDO Security Key + Fingerprint or Imprivata PIN |
|
|
|
IAFI 1.5.0 and higher |
Authentication / Reauthentication Methods via Imprivata Virtual Channel
This is to support Imprivata EAM (Confirm ID) reauthentication workflows for EPCS and Clinical Workflows
|
Authentication / Reauthentication Methods via Virtual Channel |
Windows Agent |
PIE Agent (OS 11 Only) |
IAFI OS 12 |
IAFI Notes |
|---|---|---|---|---|
|
Proximity Card |
|
|
|
|
|
Smart Card |
|
|
|
|
|
FIDO Security Key |
|
|
|
|
|
Fingerprint Biometrics |
|
|
|
IAFI 1.5.1 and higher Older IAFI versions can use USB redirection of a Fingerprint reader. |
|
Imprivata Hands Free Authentication |
|
|
|
|
|
Imprivata ID (Push Notification) |
|
|
|
IAFI 1.5.1 and higher |
Walk-Away Security
This is for support of the Imprivata Computer Policy > Walk-Away Security settings.
|
Walk-Away Security |
Windows Agent |
PIE Agent (OS 11 only) |
IAFI OS 12 |
IAFI Notes |
|---|---|---|---|---|
|
Honors Lock Command (Hotkey in User Policy Challenges tab) |
|
|
|
With IAFI 1.5.0 and higher, we now support the full Imprivata Hotkey Glossary options. Older IAFI versions support these Hotkey combinations:
|
|
Fade to Lock Screensaver |
|
|
|
Black screensaver only - no fade to lock |
|
Notification Balloon |
|
|
|
|
|
Secure Walk-Away (via Imprivata BLE Dongle) |
|
|
|
|
|
Transparent Screen lock |
|
|
|
Imprivata Windows Agent Only feature |
For the following workflow configurations, please refer to this IAFI KB Article - IAFI Profile Templates
Microsoft Workflows
For OS 12, IGEL recommends using the latest IAFI version and the latest Microsoft app versions for AVD, Win 365 Cloud PC, or Remote Desktop
IAFI versions will specify the minimum required Microsoft companion app.
|
Microsoft Workflows |
Windows Agent |
PIE Agent (OS 11 only) |
IAFI OS 12 |
IGEL Agent for Imprivata Configuration Mode |
IAFI Notes |
|||
|---|---|---|---|---|---|---|---|---|
|
Auth Only |
Follow Policies |
Kiosk |
Fast User Switching |
|||||
|
AVD Desktops (Roaming) |
|
|
|
|
|
|
|
Manual or auto-launch |
|
AVD Remote Apps (Roaming) |
|
|
|
|
|
|
|
Manual or auto-launch |
|
Win365 Cloud PCs Enterprise or Frontline (Roaming) |
|
|
|
|
|
|
|
OS 12 only Manual or auto-launch |
|
Virtual Kiosk for AVD/Win365 Cloud PC - (Non-Roaming) |
(AVD only) |
|
|
|
|
|
|
Imprivata Type 2 agent installed on Windows virtual kiosk |
|
RDS/Remote PC Desktops (Roaming) |
|
|
|
|
|
|
|
Only one Remote PC desktop connection is supported in Follow Policies mode. |
|
RDS Applications (Roaming) |
|
|
|
|
|
|
|
|
|
Virtual Kiosk for RDS/Remote PC Desktops (Non-Roaming) |
|
|
|
|
|
|
|
Imprivata Type 2 agent installed on Windows virtual kiosk |
|
Virtual Kiosk for RDS Published Apps (Non-Roaming) |
|
|
|
|
|
|
|
|
Citrix Workflows
For OS 12, IAFI has specific Citrix version requirements for these workflows.
NOTE: IAFI app versions will specify the minimum Citrix companion app.
|
Citrix Workflows |
Windows Agent |
PIE Agent (OS 11 only) |
IAFI OS 12 |
IGEL Agent for Imprivata Configuration Mode |
IAFI Notes |
|||
|---|---|---|---|---|---|---|---|---|
|
Auth Only |
Follow Policies |
Kiosk |
Fast User Switching |
|||||
|
Virtual Desktops (Roaming) |
|
|
|
|
|
|
|
Manual or auto-launch |
|
Virtual Apps (Roaming) |
|
|
|
|
|
|
|
Manual or auto-launch |
|
Virtual Kiosk for Citrix Desktops (Non-Roaming) |
|
|
|
|
|
|
|
Imprivata Type 2 agent installed on virtual kiosk |
|
Virtual Kiosk for Published Applications (Non-Roaming) |
|
|
|
|
|
|
|
Epic Only workflow with Type 3 agent on Microsoft Server OS |
Citrix Connection Configuration Details (All IAFI configuration modes - Auth Only, Follow Policies, Kiosk, Fast User Switching):
-
Storefront Authentication (Store and Storeweb)
-
HTTPS required
-
The Citrix Store must be configured with the following authentication methods to support connections from IAFI.
-
User name and Password
-
Domain pass-through
-
HTTP Basic
-
-
-
When using IAFI in Follow Policies and Fast User Switching (Persistent App workflow), the Imprivata VDA Citrix URL must be the Citrix Storeweb URL. The legacy PNAgent URL is not supported with IAFI.
-
ex: https://citrix.igeldemolab.org/Citrix/StoreWeb
-
-
When using IAFI in Auth Only or Kiosk Mode, the Citrix Workspace App URL must be the Citrix Store URL
-
ex: https://citrix.igeldemolab.org/Citrix/Store
-
Troubleshooting Tip for Citrix Storefront connections
-
If you see a double-prompt to reauthenticate after initially logging into the Citrix Workspace App (i.e. IAFI Auth Only mode), check to make sure the Trusted Domain information is consistent across the Citrix environment.
-
IGEL recommends using the FQDN across all of the Citrix environment. The FQDN should also match the domain information that the Imprivata appliance is synching with against Active Directory.
-
ex: Trusted Domain = igeldemolab.org
-
Omnissa Horizon Workflows
For OS 12, IGEL recommends using the latest IAFI version and the latest Omnissa Horizon app version.
NOTE: IAFI app versions will specify the minimum Omnissa Horizon companion app.
** If using the Horizon NextGen v2 broker, only Workspace ONE is supported as the Horizon IdP. Please review the Omnissa Horizon documentation.
|
Horizon Workflows |
Windows Agent |
PIE Agent (OS 11 only) |
IAFI OS 12 |
IGEL Agent for Imprivata Configuration Mode |
IAFI Notes |
|||
|---|---|---|---|---|---|---|---|---|
|
Auth Only |
Follow Policies |
Kiosk |
Fast User Switching |
|||||
|
Virtual Desktops / on-prem (Roaming) |
|
|
|
|
|
|
|
Manual or auto-launch |
|
Virtual Published Applications / on-prem (Roaming) |
|
|
|
|
|
|
|
Manual or auto-launch |
|
Virtual Desktops (Cloud) |
|
|
|
|
|
|
|
|
|
Virtual Published Apps (Cloud) |
|
|
|
|
|
|
|
|
|
Horizon Cloud Entitlement On-Ramp Broker (Roaming Desktops or Apps) |
|
|
|
|
|
|
|
Requires IAFI Auth Only mode |
|
Horizon Cloud Entitlement On-Ramp Broker (Virtual Kiosk) |
|
|
|
|
|
|
|
|
|
Horizon Cloud Service / v2 NextGen Broker** |
|
|
|
|
|
|
|
Desktops or apps and virtual kiosk with Imprivata Type 2 agent |
|
Virtual Kiosk for Horizon Desktops (Non-Roaming) |
|
|
|
|
|
|
|
Imprivata Type 2 agent installed on virtual kiosk |
|
Virtual Kiosk for Horizon Apps (Non-Roaming) |
|
|
|
|
|
|
|
Epic Only workflow with Type 3 agent on Microsoft Server OS |