Implementation, Maintenance, and Best Practices — Configuration & Validation

Created: Implementation Guide

Implement the following best practices to improve the interaction of end users and their devices.

Settings

The following best practices pertain to configuring settings in the MAM console for various features and functionality.

Check Out

Consider the following best practices when implementing device Check Out Workflows:

Device Passcodes

Imprivata recommends that you use device passcodes to secure the devices, and that you set device passcodes to four (4) digits. For more information, see Clearing Passcodes.

Display the User’s Name on the Device at Check Out

When you are using Imprivata OneSign, Imprivata recommends displaying the user’s name on the device at Check Out. The name is stored in the built-in Attribute Imprivata Display Name.

  • In your Check Out Workflow, in the Check Out action, set the text to display to “Ready for [Imprivata Display Name]”, or something similar.

IMPORTANT: Do not use the [Device Checkout Status] attribute for unlock text.

Lock Screen Display Text

Imprivata recommends setting the device lock screen embedded display text to include:

User: [Device User]
Property of <customer>
Please return to: [Device Home] before the battery runs out!

For iOS devices, in the MAM admin console, go to Workflows > add an action to Set Wallpaper, and specify the information in the Lock Screen Text & Color section. For more information, see Set Wallpaper.

Lock Screen Display Image

Imprivata recommends using a marketing-approved color or image as the device’s lock screen background, with a resolution appropriate for the specific device type. For more information, see Set Wallpaper.

NOTE: Setting the lock screen display image requires specific Workflows for each device type.

Authentication Method — Network Username and Password

Imprivata recommends selecting the network username and password as an additional available authentication method. Using network username and password as an authentication method allows users to check devices out in the event of a Smart Hub or proximity card reader malfunction, as well as when they forget to bring their badge to work.

When enabled, the Imprivata Locker app lock screen adds a button to unlock the device with a network username and password.

In the MAM admin console, go to Admin > Check Out > Available Authentication Methods. For more information, see Integrate Imprivata OneSign.

Suppress the Blue LED at Check Out

On some Smart Hubs, the standard blue LED may confuse users who try to remove the device before the device is unlocked.

Imprivata recommends that you use one of the following options to suppress the blue LED:

Device Checkout Limit

Imprivata recommends specifying the maximum number of devices allowed to be checked out by a user.

  • Set the maximum number allowed to be checked out to the maximum number of devices a user may be required to use concurrently, plus one.

Example

A user requires an iPad for interpreter services, plus an iPhone for other workflows.

In this scenario, set the maximum number of devices to three (3).

Allowing the extra device ensures that devices are checked in, while still allowing a buffer of one device when a user needs to check out a new device mid-shift (this may be due to low battery or technical imperfection).

  • Define a process to handle when a user has reached the maximum number of devices, and needs to check out a new device.

In the MAM admin console, go to Admin > Check Out > Number of devices users are allowed to check out.

Overdue Devices

Checked out devices can become overdue when they aren’t returned to the Smart Hub within a certain length of time. You can configure MAM to identify devices that haven’t been returned within the expected timeframe.

  • Overdue devices are marked as such in the MAM admin console.
  • MAM can trigger Lost Mode to lock down the device over the air, with a message of your choice, when using an MDM that supports it. For more information, see the system requirements.

Imprivata recommends that you use the Overdue devices feature.

  • Turn on the Overdue Devices setting.
    • Set the device Lending Period to the longest organizational shift hours + 1 hour.

 

Example

For a 12-hour shift, set the device Lending Period to 13 hours.

This provides a 1-hour grace period for the user to return the device.

In the MAM admin console, go to Admin > Check Out > Overdue Devices. For more information, see Overdue Devices.

MAM automatically removes Lost Mode when the device is returned (checked in) to any Launchpad.

Emergency Unlock PINs

The Imprivata Locker app includes a feature that allows the user to unlock the device during emergencies when the network or other components may be unavailable. Imprivata recommends that you:

  • Configure an Emergency Unlock PIN in your MDM via AppConfig.
  • Have a documented process for dealing with downtime.
  • Identify a process for rotating out the emergency unlock PINs in use after a downtime event.

For more information, see the Locker App.

Configure Device Home

For every mobile device, designate a Device Home; this is the location the device is expected to connect to on a regular basis.

When a device is returned to a Launchpad other than its assigned Device Home, the device is considered in the wrong location and is counted as such on the Dashboard.

  • Ensure the Device Home naming convention follows your organization naming standards.
  • The most efficient way to set the Device Home on a large pool of devices is by uploading a CSV file of the devices.
  • Set a device’s Device Home once. It should not be changed via automated Workflows.
  • In the MAM dashboard, use the Device in Wrong Location tile to identify the devices.

In the MAM admin console, go to Admin > Dashboard > Device Health > Device in wrong location. For more information, see Device Home.
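The checkout limit, Lending Period and Device Home rules above can be exercised together against checkout records. The following is an added example, not Imprivata code: the record fields and the `audit` function are hypothetical and do not represent a MAM export format or API, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical, not a MAM export
# format; returned_to=None means the device is still checked out.
SAMPLE = [
    {"user": "anurse", "device": "iPhone-01", "home": "ICU-East",
     "out": "2024-07-01T07:00", "returned_to": None},
    {"user": "anurse", "device": "iPad-07", "home": "ICU-East",
     "out": "2024-07-01T08:00", "returned_to": None},
    {"user": "anurse", "device": "iPhone-02", "home": "ICU-East",
     "out": "2024-07-01T15:00", "returned_to": None},
    {"user": "bdoc", "device": "iPhone-03", "home": "ICU-East",
     "out": "2024-07-01T07:00", "returned_to": "ER-North"},
    {"user": "cdoe", "device": "iPhone-04", "home": "ICU-East",
     "out": "2024-07-01T07:00", "returned_to": "ICU-East"},
]

def audit(records, now, longest_shift_hours, max_concurrent):
    """Flag overdue devices, users at the checkout limit, misplaced devices."""
    lending_period = timedelta(hours=longest_shift_hours + 1)  # shift + 1 hour grace
    limit = max_concurrent + 1  # concurrent need + 1 buffer device
    overdue, wrong_location = [], []
    held = defaultdict(list)
    for rec in records:
        if rec["returned_to"] is None:
            # Still checked out: counts toward the user's limit.
            held[rec["user"]].append(rec["device"])
            if now - datetime.fromisoformat(rec["out"]) > lending_period:
                overdue.append(rec["device"])
        elif rec["returned_to"] != rec["home"]:
            # Checked in, but at a Launchpad other than its Device Home.
            wrong_location.append(rec["device"])
    at_limit = sorted(u for u, devs in held.items() if len(devs) >= limit)
    return {"overdue": sorted(overdue), "at_limit": at_limit,
            "wrong_location": sorted(wrong_location)}

if __name__ == "__main__":
    # 12-hour shift, two devices needed concurrently (iPad plus iPhone).
    print(audit(SAMPLE, datetime(2024, 7, 1, 20, 30), 12, 2))
```
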

Listing Checked Out Devices

By default, MAM will not show devices within the console as soon as they are unplugged. Imprivata recommends listing checked out devices, in order to identify the users at any given moment.

MAM allows the display of checked out devices in three ways:

  • In the MAM console, within the Launchpad detail.
  • In the Launchpad display. Add “Device Checkout Status” and “Device User” to the Launchpad Display View.
  • For iOS devices, on the device itself, an option enables a bookmark on each checked out device. iOS displays this bookmark as an app named “Checkouts” on the device home screen.

These lists are always grouped by Launchpad. This feature helps each team manage its own pool of devices, without needing to see the entire population of devices at your organization. Each device has a Device Home Launchpad, and devices are expected to return to that Launchpad each day.

App Integration – Sign In and Sign Out

Password Autofill

Imprivata Mobile Access Management supports Enterprise Password AutoFill on iOS devices and Autofill Services on Android devices. This system leverages the power of Imprivata OneSign to autofill passwords into most apps and web sites. In many cases, the system can also fill usernames.

IMPORTANT: Password AutoFill is not single sign-on (SSO). Users still need to sign into multiple apps, even though the sign in process is dramatically easier. The Password AutoFill feature does not make any improvements to app logout.

Signing out of apps

In some cases, your users will need to manually sign out of apps before checking in the device at the end of the day. If they do not sign out:

  • Apps may continue to send push notifications to the device.
  • Back-end systems may continue to show the user as “available” after they have left.
  • The device’s next user may have access to data pertaining to the previous user.

Imprivata is working to improve the sign in and out user experience and has introduced technologies such as Universal Link Callbacks. We encourage you to speak with your app vendors to learn about their plans to support ULCs for logout from shared devices.

Check In

The Check In Device Workflow action launches the Imprivata Locker app and locks the device. To check in devices, your users connect the devices to the Smart Hub.

Check In Workflows for iOS Devices

In your Check In Workflows for iOS devices, Imprivata strongly recommends setting the option to Launch a blank page before Check In.

This action ensures the Imprivata Locker app is not foregrounded at the start of check in, increasing reliability.

Handling Check In / Check Out Workflow Failures

  • Configure an On Failure Workflow action for Check In and set the number of attempts to retry the Workflow to 3.
  • Do not configure an On Failure action for Check Out.
  • Configure a Workflow action to run after the number of failures is exceeded.

For more information, see Basic Check Out Workflow – iOS and Basic Check Out Workflow – Android.

Device Battery Health

Imprivata strongly recommends that you train your end users to return the device to the Smart Hub when the device displays a low battery notification.

CAUTION: If the user returns an iOS device with a dead battery to the Smart Hub, and thus the device cannot be unlocked, the device will need to be recovered in the MAM system. This could also result in the user not being able to check out another device if they are over their device checkout limit.

User Acceptance Testing

Because this is a new workflow for end users, user acceptance testing is a required part of implementation. Successful User Acceptance Testing (UAT) will include:

  • User representation, including clinical informatics, if this is a clinical environment
  • At least two Smart Hubs with full connectivity and configurations
  • At least three (3) mobile devices in each Smart Hub
  • Imprivata Enterprise Access Management (Imprivata OneSign) and app level user access for testers

Have end users follow a script to ensure all workflows are in working order and solicit feedback including:

  • Initial Badge Check Out
  • Initial Manual Check Out
  • Creation of passcode
  • Autofill of all apps in scope
  • Check In
  • Badge and Manual Check Out for previously checked out device
  • All beep tones (Unenrolled badge, no mobile devices available, check out limit reached)

Change History

Date | Version | Description
July 2024 | 2.0 | Add new sections for “Before You Begin — Strategy”. Remove the “Audience” section. Update the “User Experience” section to “Settings”. Add new section for “Deployment”.
June 2024 | 1.0 | Initial release of the guide