Implementation — User Experience

Implementation Guide

Visual and audible feedback

Imprivata GroundControl uses several visual and audible cues to let the user know what it is doing.


The basic Check Out sequence, which should happen within 5-8 seconds:

Ideal Check Out | Smart Hub standard LED | Smart Hub without Blue
1. User taps badge | Green | Green
2. Badge reader beeps once to indicate a successful scan | Blue | Green
3. A device unlocks and illuminates, and shows the user’s name on the screen. | Flashing white | Flashing white
4. User removes the device from the dock | Off | Off

The correct indication that the device is ready is that the device’s screen illuminates and displays the name of the user. On some hubs, the standard blue LED may confuse users who remove the phone at step 2, before the device is unlocked. Imprivata recommends an option to suppress the blue LED in the admin console’s Launchpad options.

BEST PRACTICE: Use one of the following options to suppress the blue LED:

Display the user’s name on the device at check out

BEST PRACTICE: Imprivata recommends displaying the user’s name on the device at check out. If you are using Imprivata OneSign, the name is stored in the built-in Attribute “Imprivata Display Name”. In your Check Out workflow, in the Check Out action, set the text to display to “Ready for [Imprivata Display Name]” or something similar.

IMPORTANT: Do not use the [Device Checkout Status] attribute for unlock text.

Any check out errors are indicated by audible beeps.

Audible Alert | Definition
1 Beep | Good Scan
1 Beep | When badge enrollment is enabled via the GroundControl console, the badge is detected to be unenrolled, and the user is prompted to step through the badge enrollment on the device.
1 Beep ...then 3 Beeps | Device Error: No devices available, or automation error
1 Beep ...then 4 Beeps | Already Has Device: Admin > Check Out limits devices per user, and the username is already associated with a device.

Imprivata GroundControl will also display a corresponding error in the admin console’s Launchpad view, or in the Launchpad UI if a display is connected.


To check in devices, your users connect the devices to the docking station. When connected correctly, the docking station should illuminate the corresponding LED.

Train the users to wait to confirm the LED lights up before walking away.

BEST PRACTICE: In your Check In Workflows for iOS devices, Imprivata strongly recommends including a Launch App action, to launch (for example) “” (i.e. Settings). This action ensures that the Imprivata Locker app is not foregrounded at the start of check in, increasing reliability. Imprivata has reported this bug to Apple.

Signing into apps

GroundControl supports Enterprise Password AutoFill on iOS devices and Autofill Services on Android devices. This system leverages the power of Imprivata OneSign to autofill passwords into most apps and web sites. In many cases, the system can also fill usernames.

IMPORTANT: Password AutoFill is not single sign-on (SSO). Users still need to sign into multiple apps, even though the sign-in process is dramatically easier. AutoFill does not make any improvement to app logout.

AutoFill has several prerequisites:

  • A maintained release of Imprivata OneSign.
  • Imprivata OneSign Authentication Management and SSO licenses for each of your users.
  • Your MDM must not restrict autofill features.
  • For iOS devices:
    • Imprivata Locker for iOS 3.0 or later.
    • Devices must be using iOS 15 or later.
    • Each device must be set up — manually — to enable Locker’s Password AutoFill extension. Unfortunately, Apple has provided no way to enable AutoFill extensions with MDM. The manual setting will persist from user to user. But if the phone is erased or recovered, our extension will need to be enabled again. At Check Out, Locker will display a message to the user if the extension is unintentionally disabled.
  • For Android devices:
    • Imprivata Locker for Android 1.1 or later
    • Devices must be on Android 9 or later.
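
An added example, not Imprivata's own code: one way to audit a device inventory against the AutoFill prerequisites listed above before rollout. The CSV layout, its column names and the serials are constructed assumptions; only the version minimums come from the list.

```python
import csv
import io

# Minimum versions from the prerequisites list. Tuples carry no trailing zeros
# so that "3" and "3.0" both satisfy a minimum of 3.0 under tuple comparison.
MINIMUMS = {
    "ios": {"os": (15,), "locker": (3,)},
    "android": {"os": (9,), "locker": (1, 1)},
}

# Constructed sample; column names are assumptions, not a real export format.
SAMPLE_INVENTORY = """\
serial,platform,os_version,locker_version,autofill_extension,mdm_restricts_autofill
EXAMPLE-001,ios,16.4.1,3.2,enabled,no
EXAMPLE-002,ios,14.8,3.0,enabled,no
EXAMPLE-003,ios,15.0,3.1,disabled,no
EXAMPLE-004,android,9,1.1,n/a,no
EXAMPLE-005,android,12,1.0,n/a,yes
"""

def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def audit_device(row):
    """Return the unmet AutoFill prerequisites for one inventory row."""
    platform = row["platform"].strip().lower()
    mins = MINIMUMS.get(platform)
    if mins is None:
        return [f"unsupported platform {platform!r}"]
    problems = []
    if parse_version(row["os_version"]) < mins["os"]:
        problems.append("OS below minimum")
    if parse_version(row["locker_version"]) < mins["locker"]:
        problems.append("Locker below minimum")
    # The manual extension step is iOS-only and must be redone after an erase.
    if platform == "ios" and row["autofill_extension"].strip().lower() != "enabled":
        problems.append("Locker AutoFill extension not enabled")
    if row["mdm_restricts_autofill"].strip().lower() == "yes":
        problems.append("MDM restricts autofill")
    return problems

def audit_inventory(csv_text):
    """Map serial -> unmet prerequisites, listing only devices that fail."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {row["serial"]: audit_device(row) for row in rows}
    return {serial: found for serial, found in report.items() if found}

if __name__ == "__main__":
    print(audit_inventory(SAMPLE_INVENTORY))
```

Re-running the audit after any erase or recovery catches iOS devices whose extension setting was lost.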

Use Imprivata OneSign’s standard profile system to deploy app/user credentials to phones.

In theory, you could create separate profiles for each of your apps and web sites. However, this would result in a long list of apps on each device. Since most apps use federated authentication with common credentials, you can instead add one “app” called “Network Login” (or similar title) that uses the user’s AD credentials.


If you use Workspace ONE UEM and Workspace ONE Access, you can also enable SSO to apps that are compatible with Workspace ONE’s SSO.

  1. User taps a badge, and Imprivata GroundControl looks up the user.
  2. Imprivata GroundControl sends an API request to Workspace ONE to check out the device to this user.
  3. Workspace ONE installs a MobileSSO certificate onto the device.
  4. A user launches an app configured to use Workspace ONE Access as the identity provider.
  5. Access confirms the certificate installed in step 3, and authenticates the user without a prompt.

In the above example, apps need to be compatible with VMware Workspace ONE Access – not with Imprivata GroundControl.

Signing out of apps

In most cases, your staff will need to manually sign out of apps before checking in the device at the end of the day. If they do not sign out:

  • Apps may continue to send push notifications to the device
  • Back-end systems may continue to show the user as “available” after they have left
  • The phone’s next user may have access to data pertaining to the previous user

Imprivata is working to improve the sign-in and sign-out user experience, and has introduced technologies such as Universal Link Callbacks (ULCs). We encourage you to speak with your app vendors to learn about their plans to support ULCs for logout from shared iOS devices.

Listing checked out devices

Imprivata GroundControl usually hides devices as soon as they are unplugged. But you may wish to list checked out devices, in order to identify the users at any given moment.

Imprivata GroundControl allows the display of checked out devices in three ways:

  • In the Admin console, within the Launchpad detail
  • In the Launchpad display
  • On the device itself, using a Safari bookmark

These lists are always grouped by Launchpad. This feature helps each team manage its own pool of devices, without needing to see the entire population of iOS devices at your organization. The idea is that each device has a “home” Launchpad, and devices are expected to return to that home each day. NOTE: By default, Imprivata GroundControl does not enforce this rule, and devices moved between Launchpads will adopt the new Launchpad as their new home.

For more information, see showing checked out devices.

Overdue devices

Like library books, checked-out devices that aren’t returned by a certain date can become overdue, and Imprivata GroundControl can notify you or the user that a device hasn’t been returned yet.

Overdue devices are marked as such in the admin console. Additionally, you can trigger an email to any group of email addresses or even an attribute you set for the “home” Launchpad. Also, if desired, Imprivata GroundControl can trigger “Lost Mode” (if using Workspace ONE, Jamf Pro, or Microsoft Intune) to lock down the device over the air, with a message of your choice.

Imprivata GroundControl automatically removes lost mode when the device is returned to any Launchpad.