Implementation – Components

Created: Modified: Implementation Guide

The Imprivata GroundControl solution integrates multiple first-party and related components: The GroundControl Console, your MDM system, the “Launchpad” Mac or Windows PC, smart USB hubs, proximity badge readers, iPhones, iPhone cases (optional), the Imprivata Locker for iOS app, Wi-Fi, and network.

Cloud management
Imprivata GroundControl Console

Imprivata GroundControl is a hybrid system with a cloud-based SaaS management console.

Customers usually choose our multi-tenant cloud, but some opt for a dedicated cloud system. A dedicated cloud is physically isolated from other customers, while still managed by Imprivata. A dedicated cloud also allows your organization to receive Imprivata GroundControl software updates on a delayed release, which means you are assured the most stable version available. Dedicated clouds have the same high-availability infrastructure as our shared cloud. If you are interested in a dedicated cloud, talk with your Imprivata account manager.

By default, Imprivata GroundControl uses a traditional username and password for login. We recommend that you instead opt for SAML login, which reduces risk by keeping no passwords within the Imprivata GroundControl cloud. Your organization is then able to enforce all authentication requirements. SAML is available for both shared and dedicated environments. To set up SAML, open a support ticket at support.imprivata.com.

The Imprivata GroundControl console requires each user to be assigned a role. Review our role documentation to select the most appropriate role for each of your administrators. End users, e.g. nurses, do not need an Imprivata GroundControl account to check out phones; their account in Imprivata OneSign is sufficient.

MDM

A well-configured MDM system is critical to the Check Out workflow. Only the following MDM systems are supported for Check Out:

  • Citrix Endpoint Manager
  • IBM MaaS360
  • JAMF Pro
  • Microsoft Endpoint Manager (formerly Intune)
  • VMware Workspace ONE UEM (formerly AirWatch)
Required MDM Configurations

There are several required items that must be configured in your MDM.

  • You must integrate Imprivata GroundControl with your MDM’s API. Refer to our specific instructions to configure MDM. The API integration is used by Imprivata GroundControl to clear any device passcodes on check in. In addition, the API integration can be used to trigger lost mode, if using Workspace ONE.
  • Your MDM’s DEP profile must include Imprivata GroundControl’s supervision identity. This allows your device to more reliably connect to Imprivata GroundControl.
  • The DEP profile should skip all setup screens. This is probably different than your process for 1:1 devices. If you use Workspace One, Imprivata GroundControl can assign devices to the DEP profile, so you don’t need to collect lists of serial numbers.
  • All devices must be set to Disable USB Restricted Mode. This feature has different names in different MDMs, but is used to keep your phone’s USB connection active even while passcode locked.
  • The MDM should Allow Recovery for Unpaired Devices.
  • All devices must receive a notification profile to allow our Imprivata Locker app to receive notifications. The app ID for Locker is com.imprivata.b2b.locker.
  • Apple permits a maximum of one notification profile on devices. This limitation is usually not enforced by MDM systems, leading to conflicts and unexpected behaviors. To avoid unexpected notification behavior, we strongly recommend using one master notification profile for all iOS devices — both shared and dedicated — in your organization.

If you use Workspace ONE, you have several options to set up API integration.

  • We strongly recommend you use a local Workspace ONE admin account for GroundControl APIs and avoid Active Directory accounts. Active Directory admins slow each API call by two seconds, which will make your check outs slower.
  • We recommend you set up certificate authentication for the local admin user, which will avoid periodic password expirations.
Equipment at each location

As a hybrid solution, Imprivata GroundControl requires equipment at each location where you will store iPhones. This includes a “Launchpad” Mac or Windows PC, a proximity badge reader, and a USB hub.

“LAUNCHPAD” MAC OR WINDOWS PC

The Launchpad is our software for Mac or Windows PC. This software receives instructions from the Imprivata GroundControl Server in the cloud. By installing the Imprivata GroundControl Launchpad software onto your organization’s Windows PCs and Macs, you can create many Launchpads for simultaneous, distributed iOS deployments.

Each location with iPhones will need its own Mac or Windows PC. We do not test with or support virtual or thin-client systems.

We recommend Macs, if that is an option in your organization. The base-model Mac mini is an excellent Launchpad. Although there are cheaper options for Windows, we have observed inconsistencies with USB connections on many PCs, but we have observed none of those on Macs. In addition,

Macs with Apple Silicon “M1” may have some difficulty when connected to many USB devices at once. We have found the following to be successful:

  • The Mac is running macOS 11.3 or greater
  • An Imprivata-branded Bretford PowerSync Pro v2 USB hub is used
  • The Bretford hub is connected to the Mac with the USB-C to USB-B cable provided by Bretford
  • The Bretford hub is running the latest firmware, shipped by Bretford on all units as of August, 2021

Unfortunately, at this time, we see Datamation & Cambrionix USB hubs periodically fail to recognize iOS devices when used with M1 Macs. These companies are aware of the issues. We see no comparable issue when using Intel-based Macs.

If you opt for Windows PCs, we recommend the Intel NUC, which is in use by many Imprivata customers today.

  • If you choose a Windows PC, you must test your workflows extensively with the exact PC model, USB hub, and maximum number (20+) of iPhones before purchasing the PCs in quantity. We have too often seen fatal USB errors on PCs from familiar manufacturers. PCs simply weren’t designed to support dozens of Apple iPhones, so make sure your desired model can handle the work.

Windows PCs have certain additional requirements:

  • Only Windows 10 is supported for Check Out
  • An SSD is required, but only 20 GB of free space is needed for operation
  • You must install the current iTunes or, better, extract DLLs from iTunes for Apple’s MobileDevice components
  • If your PC has trouble connecting to more than 8 or so iPhones at once, try to disable XHCI in the PC’s BIOS

The Launchpad can’t have the Imprivata agent installed, as this will conflict with the proximity badge reader.

Whether you choose Mac or Windows PC, the systems must be set up for unattended use.

  • Imprivata GroundControl runs as a foreground service, so the computer must automatically log in as a user
  • The login user should not have admin privileges
  • A headless system, with no display, is preferred
  • Set the PC to automatically boot in case of an unexpected shutdown
  • Set the Imprivata GroundControl Launchpad application to run at start
  • The PC must be set to never go to sleep
  • The PC should be dedicated for Imprivata GroundControl, and not shared with other apps
  • Some method of VNC or other remote access is required to all stations; you won’t need it often, but you will be glad to have it when you do

To scale to dozens or hundreds of sites, you should prepare your installation process. Imprivata GroundControl supports automated Launchpad installation and registration, using systems such as UEM, SCCM, and Jamf Pro.

  • If you use an automated installation system, then generally you will use the same system to distribute updates to the Launchpad app and iTunes components. Imprivata GroundControl’s cloud-managed Launchpad update system is available only if you carefully manage permissions so the auto-login user has read-write permissions to the Launchpad executable. Create a plan to update Launchpad app and Apple’s MobileDevice components.

The Launchpads must have a stable 24×7 network connection. Ethernet is always preferred, but Imprivata GroundControl can run over Wi-Fi if needed.

SMART USB HUB

The USB hub is a critical infrastructure component. You must take care to select a model that has been proven to support the demands of 24/7 healthcare. If your hardware isn’t up to standard, then your software will perform poorly.

Imprivata has tested, recommends, and resells the Imprivata-branded Bretford Pro v2 hubs with 10 or 20 ports, in Small (iPhone) and Large (iPad) form factors (the 20S is shown above), available globally.

  • Imprivata does not recommend Datamation’s UniLock hardware locking riser. Our customers have reported high failure rates with the mechanical components of this model.
  • As of October 2021, we see Datamation & Cambrionix USB hubs periodically fail to recognize iOS devices when used with “M1” Macs. These companies are aware of the issues. We see no comparable issue when using Intel-based Macs.

This model is Smarter than your average USB hub.

  1. The hubs charge at the iPhone’s maximum power, fully recharging the battery 3x quicker than ordinary hubs
  2. Imprivata GroundControl is able to use special integrations to report the port# of each connected device
  3. Imprivata GroundControl can control the hub’s LEDs to communicate status to your users

Two hubs may be connected to a single Mac or Windows PC, but we recommend avoiding daisy-chaining. Never add additional “dumb” hubs to the USB chain.

Bretford hubs have upgradable firmware. Imprivata GroundControl will report the firmware version within the Launchpad view. We recommend installing the latest current firmware at the time of installation, which will ensure you have support for Apple’s current iPhones. Once deployed, however, there is usually no need to further update the firmware until your next iPhone refresh.

PROXIMITY BADGE READER

You will need to connect a proximity badge reader to the USB port of each Launchpad PC or Mac. You may connect this directly to the PC or use the expansion port on your Smart USB hub. Only certain readers are supported; the badge readers sold by Imprivata are perfect.

Imprivata OneSign requires custom parity settings for the readers. Imprivata GroundControl automatically configures these settings when integrated with Imprivata OneSign. For assistance configuring readers for other Identity providers, contact the support team at support.imprivata.com

Each iPhone

iPhones must be running iOS 14.1 or greater. Both DEP and non-DEP devices are supported. iPads may be used for checkout as well.

CASES

Most of our customers are using simple, thin cases on their phones.

Some customers use battery cases. We’ve seen success with both Apple’s battery cases and Zagg/Mophie’s cases specifically designed for healthcare.

  • Note that some Zagg/Mophie cases have a somewhat concealed power button that can disable USB communication. Be sure you understand the button’s proper use before selecting this case.
CLEANING

Apple has published iPhone cleaning instructions. Most of our customers use purple wipes. We have no experience with any of the autoclave UV cleaning systems on the market today.

IMPRIVATA LOCKER

Imprivata Locker for iOS is our app to manage phone sign in and out. Imprivata distributes the Locker for iOS app through Apple’s Custom App feature within Apple Business Manager. There is no additional cost for this app. Make sure you have “purchased” (at no charge) plenty of licenses for the app. Go ahead, get 10,000 copies.

As of late 2021, Imprivata distributes two versions of its Locker app. We recommend Locker 3, the latest version. “Imprivata Locker 3” has current product branding and support the optional Password AutoFill feature. The legacy “GroundControl Locker 2” is supported through the end of 2021.

Your MDM must install the Locker app on all shared iPhones intended for Check Out.

Locker requires notifications; refer to the previous discussion of MDM to automatically permit notifications.

Locker does a really good job of locking down the phone between users. An unlock PIN is available and recommended for emergencies when the network or other components may be unavailable. See the section discussing the emergency unlock PIN for more info.

WiFi and network

The Imprivata GroundControl Launchpad uses HTTPS port 443 for all communication to our cloud admin console. After an initial connection, the Launchpad software upgrades to Secure WebSockets (also port 443) for asynchronous bi-directional messaging. Some older firewalls have trouble with the WebSockets standard. Imprivata GroundControl will reconnect as needed if firewalls close these long-running connections, but it is better if firewalls leave these connections uninterrupted. Review your plans with your network team to make sure you avoid any issues.

The Launchpads have support for simple, unauthenticated proxies. This must be configured per station. Authenticated proxies and PAC files are not supported, and system proxy settings are ignored.

The Launchpads must have a stable 24×7 network connection. Ethernet is always preferred, but Imprivata GroundControl can run over Wi-Fi if needed.

iPhones also need to communicate with the Imprivata GroundControl cloud, using HTTPS port 443. iPhones also must receive push notifications from Apple’s Push Notification system.

SourceDestinationProtocolUse
Launchpad*.groundctl.comHTTPS/443 and WSS/443Server communication
Launchpadgroundcontrol-prod.s3.amazonaws.comHTTPS/443Asset downloads
Launchpadalbert.apple.com
gs.apple.com
appldnld.apple.com
secure-appldnld.apple.com
HTTPS/443Apple device activation & IPSW downloads
Launchpad*.bugsplatsoftware.comHTTPS/443Crash reporting
LaunchpadImprivata applianceHTTPS/443Identify look up during Checkout (if used)
Devicegroundctl.comHTTPS/443Checkout (if used)
DeviceImprivata applianceHTTPS/443Identify look up during Checkout (if used)
Device*.push.apple.comTCP Ports: 443, 80, 5223, 2197Checkout (if used)
groundctl.com
52.21.126.154
52.20.201.34
Your MDM ServerHTTPS/443MDM API requests (if used)