Enroll Badges in Imprivata OneSign on Device Checkout

Applies to iOS and Android devices.

The GroundControl integration with Imprivata OneSign enables users to enroll new proximity badges when checking out devices from GroundControl Launchpads.

Using the Locker app (iOS and Android), users can enroll a new badge, manually authenticate and register the badge, and enroll their Imprivata PIN without being required to tap into an Imprivata OneSign desktop workstation.

Prerequisites

Take note of the following prerequisites:

  • In the Imprivata Admin Console, configure Imprivata OneSign as the Identity Provider (IdP):
    • Configure the API access to Imprivata OneSign.
    • Configure the OneSign computer policy for proximity cards.
  • In GroundControl, configure the integration with Imprivata OneSign. For more information, see Integrate Imprivata OneSign.
  • Users must have an Imprivata OneSign user account.
  • The Locker app must be Imprivata Locker iOS 3.11 or later, or Locker Android 1.3 or later.

Expected Behavior

The following assumes a user has not yet enrolled their proximity badge when checking out a device.

Devices are locked and charging in the docking station.

The user taps their badge on the card reader attached to the Launchpad.

If the user’s proximity badge was not previously enrolled, the locked device displays a message of “Unenrolled badge” and prompts the user to enter credentials to enroll the badge.

During the badge enrollment, the Launchpad disables all badge scans, so that multiple users can’t check out devices at the same time.

If multifactor authentication is enabled and set to Imprivata PIN, the user is prompted to enroll their Imprivata PIN according to the PIN length and character requirements set in Imprivata OneSign.

The badge and Imprivata PIN enrollment succeeds.

  • For iOS devices: After the enrollment is completed, the user must return the device to the docking station and then check out a new device.
  • For Android devices: The device is unlocked and checked out to the user.

If the badge enrollment or Imprivata PIN enrollment fails, the user must return the device to the docking station to be checked in.

If the device is rebooted during enrollment, the user must return the device to the docking station to be checked in.

GroundControl Configuration

To allow new badge enrollments:

  1. In the GroundControl admin console, navigate to Admin > Check Out > Available Authentication Methods section and select Proximity Badges as the authentication method.
  2. Switch the Allow users to enroll new badges to OneSign from Lock app setting to ON.
     NOTE: This setting is only available when Imprivata OneSign is set as the Identity Provider (IdP), and is not supported for other custom web services. You do not need to enable checkout via network username and password for badge enrollment to work.
  3. To enable a second factor of authentication, switch the Password AutoFill setting to ON and select the authentication method:
    1. Imprivata PIN with numeric keyboard.
    2. Imprivata PIN with alphanumeric keyboard.
    3. Domain password.
  4. Specify other settings, as needed.
  5. When prompted, restart the Launchpads.