IGEL OS 12 features an agent for Imprivata that has been developed in-house. The IGEL Agent for Imprivata supports various Imprivata-related workflows. In the default configuration, the agent docks into the system tray and is controllable via its context menu. In contrast to Imprivata's PIE agent in IGEL OS 11, which operated in appliance mode, the IGEL Agent for Imprivata still allows full access to the IGEL desktop.

Currently, a special add-on license is required to use the IGEL Agent for Imprivata. To participate in the program and get the license, please fill in the request form at https://www.igel.com/imprivata-agent

Requirements

  • If you want to use a card reader, make sure that it is supported by the IGEL Agent for Imprivata. The following card readers are supported:
    • RFIDeas USB Reader
  • Base System: IGEL OS 12.01.140 or higher
  • Add-on license that can be acquired via the request form at https://www.igel.com/imprivata-agent/


You have the following options to edit the configuration of your IGEL OS 12 device:

  • via the IGEL UMS Web App:
    • Configuration > Create new profile (Use the App Selector to select one or several apps which will be configured by the profile.)
    • Apps > [name of the app] > Create new profile (used to quickly configure a profile for the selected app. It is also possible to add other apps which will be configured by this profile)
    • Devices > [name of the device] > Edit Configuration (In the device configurator, all installed apps are displayed under the tab Apps.)
  • via IGEL Setup locally on the device (shows all installed apps. Apps are displayed under the tab Apps)

The best practice to configure your devices is via profiles. For details on how to create profiles, see How to Create and Assign Profiles in the IGEL UMS Web App.

Configuring Basic Settings

  1. In the profile configurator, go to Apps > IGEL Agent for Imprivata.


  2. Edit the settings according to your needs. The parameters are described in the following.


IGEL Imprivata Agent

The IGEL Agent for Imprivata is enabled.

The IGEL Agent for Imprivata is disabled. (Default)


Set the URL to the server

URL address of the Imprivata single sign-on server


Path to certificate

Absolute path to the certificate file that was issued by your Imprivata appliance or by your certification authority, or the complete path to the folder that contains your certificates. (Default: /wfs/ca-certs/) This certificate is used to verify the TLS connection to the server configured under Set the URL to the server, so it must be the certificate that the appliance actually presents or the CA certificate that issued it. On a machine with OpenSSL, openssl s_client -connect <appliance host>:443 -CAfile <certificate file> -verify_return_error shows whether the appliance's chain verifies against the file you intend to deploy.


Allow tap-over of running session

Another user can take over the device even when a user is still logged in. The previous user's session is disconnected or the previous user is logged off, according to the leave setting of the active mode (Default on how to leave a follow policies session or Default on how to leave an AuthOnly session). (Default)

Another user cannot log in while a user is still logged in.


Hide agent window when idle

As long as the user is logged in, the agent window is not displayed.

The agent window is always displayed, regardless of whether the user is logged in. (Default)


Lockscreen

If no user is logged in, the screen is locked. Only the Imprivata agent window and a background image are displayed. The IGEL desktop is not accessible. Enable this on shared devices where the local desktop must not be usable without a badge tap.

The IGEL desktop is shown if no user is logged in. (Default)


Follow Imprivata policies and workflows

The policies that are defined on the Imprivata appliance will be applied. This includes the automatic startup of Citrix or Horizon sessions on login. (Default)

The Imprivata appliance is only used as an identity provider. No further automation is evaluated or executed. Instead, the credentials passed on from the Imprivata appliance are stuffed (injected) into the session that is defined under Auth only preconfigured session. This mode can be used for connecting to AVD or Horizon sessions, or for a browser session.


Default on how to leave a follow policies session

Only available if Follow Imprivata policies and workflows is enabled.

Defines the behavior of the IGEL Agent for Imprivata when users tap their cards to leave the session.

Possible options:

  • disconnect: The user is disconnected from the session. (Default)
  • logoff: The user is logged out of the session.


Auth only preconfigured session

Only available if Follow Imprivata policies and workflows is disabled.

The name of the resource that is to be started when the user has logged in. 


Stuff credentials supplied by the appliance into the preconfigured session

Only available if Follow Imprivata policies and workflows is disabled.

The credentials passed on from the Imprivata appliance are stuffed into the session defined under Auth only preconfigured session. (Default)

To make this possible, the credentials must not be predefined for the preconfigured session. Therefore set the relevant credential parameters to inactive so that they are not controlled by the UMS profile; the session then prompts for the credentials itself, and the agent fills them in.

For a Horizon Client session, for instance, the credential settings under Apps > Horizon Client > Horizon Client Sessions > [session name] > Connection Settings must be left inactive.

The user is prompted for the credentials by the session itself; the agent does not pass them on.


Query for Kerberos ticket

Only available if Follow Imprivata policies and workflows is disabled.

After successful authentication with the IGEL Agent for Imprivata, the agent requests a Kerberos ticket from the local Active Directory (AD), so that, for example, a Chromium session can use it for Kerberos-based single sign-on to web applications.

Generally, this option is recommended for a Chromium session in an on-premises environment. When Azure Active Directory (AAD) is used, the ticket request may only fail after a timeout, which delays the login; leave the option disabled in that case.

No Kerberos ticket is requested.


Default on how to leave an AuthOnly session

Only available if Follow Imprivata policies and workflows is disabled.

Defines the behavior on Tapout or Tapover. 

Possible options:

  • logoff: The user is logged out of the session. (Default)
  • disconnect: The user is disconnected from the session. 
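
The following Python model, an added example and not code from IGEL or Imprivata, shows how the parameters Allow tap-over of running session, Lockscreen, Follow Imprivata policies and workflows and the two "Default on how to leave ..." settings combine when a badge is tapped. The event names, the session bookkeeping and the assumption that a disconnected session can be resumed at the next tap-in are the example's own, not documented on this page.

```python
"""Tap workflow model for the IGEL Agent for Imprivata profile settings.

Added example; it is not IGEL or Imprivata code. Defaults mirror the parameter
descriptions on the page. The resume-on-reconnect behaviour is an assumption
about the Citrix/Horizon backend, not something the page states.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AgentConfig:
    allow_tapover: bool = True              # Allow tap-over of running session (default: enabled)
    lockscreen: bool = False                # Lockscreen (default: disabled)
    follow_policies: bool = True            # Follow Imprivata policies and workflows (default: enabled)
    leave_follow_policies: str = "disconnect"   # Default on how to leave a follow policies session
    leave_auth_only: str = "logoff"             # Default on how to leave an AuthOnly session

    def leave_action(self) -> str:
        """Only the leave setting of the active mode applies."""
        action = self.leave_follow_policies if self.follow_policies else self.leave_auth_only
        if action not in ("disconnect", "logoff"):
            raise ValueError(f"unknown leave action {action!r}")
        return action


@dataclass
class Agent:
    cfg: AgentConfig
    user: Optional[str] = None                       # user currently logged in at the device
    disconnected: Dict[str, bool] = field(default_factory=dict)  # assumption: still-running sessions

    def desktop_accessible(self) -> bool:
        """With Lockscreen enabled the IGEL desktop is hidden while nobody is logged in."""
        return self.user is not None or not self.cfg.lockscreen

    def tap(self, card_user: str) -> str:
        """Process one badge tap and return what the agent does."""
        if self.user is None:
            # Tap-in. A session the same user left by 'disconnect' is resumed (assumption).
            resumed = self.disconnected.pop(card_user, None)
            self.user = card_user
            return "reconnect" if resumed else "login"
        if card_user == self.user:
            # Tap-out: the logged-in user leaves the session.
            return self._leave()
        # Tap-over: a different badge while a session is active.
        if not self.cfg.allow_tapover:
            return "rejected"
        self._leave()
        self.user = card_user
        return "tapover"

    def _leave(self) -> str:
        action = self.cfg.leave_action()
        if action == "disconnect":
            # 'disconnect' keeps the session alive in the data center; 'logoff' ends it.
            self.disconnected[self.user] = True
        self.user = None
        return action


def demo() -> List[str]:
    """Page defaults: follow policies, tap-over allowed, leave by disconnect."""
    agent = Agent(AgentConfig())
    return [agent.tap("alice"), agent.tap("bob"), agent.tap("bob"), agent.tap("alice")]


if __name__ == "__main__":
    print(demo())  # ['login', 'tapover', 'disconnect', 'reconnect']
```

The run shows the security-relevant difference between the two leave actions: with the follow-policies default "disconnect", bob's tap-over leaves alice's session running so that her next tap reconnects to it, whereas the AuthOnly default "logoff" ends the session and the next tap-in starts a fresh one.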


Preselect the Citrix resource if there are multiple

Only available if Follow Imprivata policies and workflows is enabled.

The name of the resource that should be started. Examples: "Calculator", "Notepad". If this field is blank, and there are multiple Citrix resources, a selection menu of resources is shown to the user. 


Preselect the Horizon resource if there are multiple

Only available if Follow Imprivata policies and workflows is enabled.

The name of the resource that should be started. Examples: "Calculator", "Notepad". If this field is blank, and there are multiple Horizon resources, a selection menu of resources is shown to the user.


Preselect the Microsoft resource if there are multiple

Only available if Follow Imprivata policies and workflows is enabled.

The name of the resource that should be started. Examples: "Calculator", "Notepad". If this field is blank, and there are multiple Microsoft Azure Virtual Desktop (AVD) resources, a selection menu of resources is shown to the user.


Configuring Virtual Channels for the Session That Is to Be Controlled by Imprivata 

  1. In the profile configurator, go to Apps > IGEL Agent for Imprivata > Virtual Channel.


  2. Edit the settings according to your needs. The parameters are described in the following.


Virtual Channel for Citrix

Imprivata's virtual channel is used for the Citrix session. (Default)

Imprivata's virtual channel is disabled for the Citrix session.


Virtual Channel for Horizon

Imprivata's virtual channel is used for the Horizon session. (Default)

Imprivata's virtual channel is disabled for the Horizon session.


Virtual Channel for AVD, RDP and CPC

Imprivata's virtual channel is used for the AVD, RDP, or CPC session. (Default)

Imprivata's virtual channel is disabled for the AVD, RDP, or CPC session.


Configuring Fast User Switching (FUS)

  1. In the profile configurator, go to Apps > IGEL Agent for Imprivata > Fast User Switching.


  2. Edit the settings according to your needs. The parameters are described in the following.


FUS user

The username of the generic user. It can be entered directly or derived from device data.

Possible options:

  • Username (to be typed or pasted in)
  • Hostname
  • MAC address
  • Serial of the board


FUS user's domain

The domain the generic user belongs to. 


FUS user's password

The password of the generic user. It is stored in the UMS profile, so use a dedicated account with only the rights the generic session needs.


Citrix Storeweb URL

URL of the Citrix store (StoreWeb) used for the generic user's session.


FUS resource

The resource, i.e. the desktop or application, that is assigned to the generic user.

Troubleshooting: Use the Card Reader's Former Configuration

By default, the card reader is configured by the IGEL Agent for Imprivata. If this configuration causes problems, you can prevent the IGEL Agent for Imprivata from configuring the card reader, so that the card reader's former configuration is used.

To use the card reader's former configuration:

In the profile configurator, go to Registry > app > iia > rfideas > write_rfideas_cfg, deactivate Allow writing configs to RFIDeas readers, and save your settings.