Upgrade from GroundControl Locker 2 to Imprivata Locker 3

Created: Modified: Knowledge Base


Imprivata GroundControl 5 includes a completely rewritten Locker app for iOS, with a new, modern UI. Most importantly, when paired with Imprivata OneSign’s access management system, Locker 3 can AutoFill passwords into many iPhone and iPad apps.

This guide for GroundControl admins documents how to upgrade from Locker 2 to Locker 3, how to downgrade if needed, and how to enable Password AutoFill. Note: You do not need to erase devices to perform the upgrade.

  • We encourage all customers to upgrade to Locker 3, even if you do not use Password AutoFill. Imprivata will support Locker 2 through January, 2022.
Locker versions

GroundControl Locker 2 and Imprivata Locker 3 are distinct apps. You can have both installed on your devices at once. This is recommended for an orderly transition.

IconApp NameCurrent VersionApp ID
GroundControl Locker2.3.3com.groundctl.b2b.locker
Imprivata Locker3.0.1com.imprivata.b2b.locker
Obtain the App from ABM/ASM

Like Locker 2, Locker 3 is distributed through Apple Business Manager (ABM) and Apple School Manager (ASM) as Custom Apps. You must “purchase” Locker 3 from ABM/ASM, even if you have already obtained Locker 2.

Once purchased, you will use your MDM to sync with ABM/ASM, and assign the app to your device groups. Again, this is a repeat of the procedure you used for Locker 2.

  • IMPORTANT: Do not unassign Locker 2 from any devices at this time.

You can assign Locker 3 to the same groups as you assign Locker 2. Alternatively, you can assign Locker 3 to a test group, and later expand to all your devices.

Additionally, copy any AppConfig settings you use to personalize Locker 2 to Locker 3, for example UnlockPIN.

Update your notification profile

Just as with Locker 2, it is critical to have Locker 3 in your MDM’s notification profile. Edit the notification profile to set notifications for Locker 3 — com.imprivata.b2b.locker. Use defaults. Do not create multiple notification profiles in your MDM, as iOS devices limit you to a maximum of one profile. It is OK to set the notification for Locker 3 even if Locker 3 is not installed on some devices.

Update your home screen app arrangement

Optionally, add Locker 3 — com.imprivata.b2b.locker — to you home screen app arrangement. Some organizations set the app arrangement in GroundControl, and others in MDM. You should keep both Locker 2 and Locker 3 in your app arrangement through the transition process.

Confirm both Locker 2 and Locker 3 are installed on devices

Check out one of your devices, and verify that both the Locker 2 app and Locker 3 app are installed.

  • Do not open the Locker 3 app at this time. You haven’t configured it yet.
Clone your “Check In” workflow

We have added an option to GroundControl’s Check In action to switch between Locker 2 and Locker 3. This affects only LOCKING the phone. For convenience, the Check Out action unlocks both versions of the app.

In GroundControl, open the workflow you use for Check In (often called “Check In” or “Return”) and click the Clone button. Name the cloned workflow “Check In (Locker 3)” or similar.

Edit the workflow. The Check In action includes a new control to specify the Locker app version. Change this to “Locker 3 VPP” in your newly-created workflow.

Save the workflow.

We will now set up a special automation rule to test the new workflow on one Launchpad. In the Automation tab, click “New Rule”, and select Checked In as the trigger. Name the rule “Check In (Locker 3)” or similar.

  • Add condition specifying a Launchpad is important, so we limit the test.

Set the automation rule to run the new workflow you created “Check In (Locker 3)”, and Save the automation rule. Do not enable the rule yet.

Using your mouse, drag the triple-lined “hamburger” icon to move the new rule to the TOP of your list of rules. This increases the priority of the rule, so it is evaluated before the generic “Check In” rule.

  • Do not enable the automation rule at this time.
Test the old and new “Check In Locker 3” workflow

Follow these steps to test your setup:

  1. Remove all phones but one from your test Launchpad.
  2. Check Out 1: Tap your badge to check out an iPhone. The phone should unlock with the familiar “Locker 2” Unlock screen.

  1. Disconnect the unlocked phone from USB.
  2. Check In 1: Return the phone to the Launchpad. This should lock with the familiar “Locker 2” lock screen.

  1. Now enable the new automation rule you created previously.
  2. Check Out 2: Tap your badge to check out another phone. You will again see the Locker 2 unlock screen.
  3. Check In 2: Again return the phone to the Launchpad.
  4. Confirm that the new automation rule and “Locker 3” workflow run
  5. Confirm the phone locks with the new Locker 3 lock screen.

  1. Check Out 3: Tap your badge to check out the phone
  2. Confirm the phone unlocks with the new Locker 3 unlock screen.

To test downgrading from Locker 3 to Locker 2, disable the automation rule, and test again. The phone should end up first locking, then unlocking, using the Locker 2 app.

Prepare documentation for your clinical team

As the screen in Locker 3 are different, we recommend you communicate the change to your staff.

Locker 2
Locker 3

If you are implementing AutoFill at the same time, include those instructions as well. See below for more info.

Migrate your fleet to Locker 3

To migrate your fleet, you need only to change the “App Version” in the Check In workflow action from Locker 2 VPP to Locker 3 VPP.

If you wish to migrate only some of your fleet, you may use Launchpad attributes or Device attributes to add conditions to the automation rule, just as we did during the test above.

AutoFill: Requirements

Locker 3 can use Apple’s Password AutoFill to easily fill in passwords to most apps and web sites. User credentials are retrieved from Imprivata OneSign.

  • AutoFill works on iOS 14.1 and newer.
  • Imprivata OneSign 6.3 or greater must be in use at your organization.
  • OneSign SSO licenses for AutoFill users
  • OneSign profiles need to be uploaded and deployed for each iOS app and website. See this article for more information.
  • Devices using AutoFill require access to the OneSign appliance over the network
  • Check your MDM profiles to make sure you are not restricting password autofill.
  • In GroundControl, Admin > Check Out > Authentication method must be Proximity Cards.
  • In GroundControl, Admin > Check Out > Identity Web Service must be set to Imprivata OneSign (not “Custom”) and any prox-related custom Launchpad attributes must be removed (see below).
  • In GroundControl, Admin > Password AutoFill must be enabled, and options set for second factor authentication to match your OneSign configuration.
  • Each device will need to be set up by hand to use the Imprivata’s AutoFill extension — unfortunately there is no way to do this automatically using MDM or GroundControl. See instructions below:

To enable Password AutoFill on the device, navigate to Settings> Passwords> AutoFill Passwords> Turn ON.  Allow filling from Locker, and make sure Keychain is not be checked.

AutoFill: Switch from “Custom” to “Imprivata OneSign” as the Identity Provider

In GroundControl, check Admin > Check Out > Identity Web Service. If your system is set to “Custom” perform the following steps.

  • Important: We strongly recommend testing the change on a GroundControl UAT system prior to changing production. An incorrect setting will disable badge taps for GroundControl.
  1. Confirm OneSign is set up with the correct API access: “Imprivata Mobile on iOS” for OneSign 7.2+ or “Future 1” for OneSign 7.1 and earlier. Some customers may have enabled “Future 9” at some point; Future 9 should remain enabled until you have switched production GroundControl to use the new IdP settings.
  2. After this is done, in GroundControl change Admin > Check Out > Identity Web Service to OneSign.
  3. Add the hostname of your Imprivata appliance in the dialog.
  4. If your organization uses a root certificate authority, upload that CA certificate to this dialog, in PEM, CER, CRT, or DER format. Otherwise leave “Disable SSL checks” selected.
  5. Save the dialog.
  6. Edit Admin > Launchpads > Custom Options to delete any references to ProxCardWebFormat, ProxCardImprivataProductID, and ProxCardWebCA.
  7. Restart any Launchpads as prompted.

To test this configuration, in the GroundControl console click the Launchpads tab, then open one of your Launchpads. In Launchpad Actions choose “Test Identity Web Service.”