What's New in Imprivata Confirm ID 23.2

Imprivata Confirm ID23.2 contains the following new features and technology updates.

NOTE: Confirm ID 7.12 was the last Confirm ID release in the #.# naming format. Thereafter, Confirm ID release numbers are in format YY.#, where YY specifies the last two digits of the year and # specifies the release number of that year.

New Features

Facial Biometric for Mobile EPCS Authentication Controlled Availability Release

Confirm ID 7.12 and 23.2 support the Controlled Availability (CA) release of facial biometric (facial image) as the first or second authentication method for Mobile Electronic Prescription of Controlled Substances (EPCS). This capability also requires an Epic Systems software update. If you are interested in participating in this Controlled Availability feature release, please contact your Imprivata account representative.

Enterprise Migrations to G4 on Azure

OneSign 23.2 adds support for the following enterprise migrations:

  • G3 (third generation) on premises to G4 (fourth generation) on Azure

  • G3 on Azure to G4 on Azure

  • G4 on premises to G4 on Azure

  • Hybrid G3 to hybrid G4. A hybrid G3 enterprise has some G3 appliances on premises and some on Azure, and usually supports a disaster recovery configuration. A hybrid G3 enterprise can be migrated to a hybrid G4 enterprise with G4 appliances on premises and on Azure.

For the procedure for all migrations to a G4 enterprise, see "Migrating to a G4 Enterprise" in the Upgrade Portal. For migrations to G4 on Azure and for migrations of hybrid enterprises to G4, help topic Deploy G4 Appliances on Azure becomes part of the migration procedures.

G4 Service Appliances and Larger G4 Appliances and Enterprises on Azure

OneSign 23.2 adds support for G4 service appliances on Azure and removes the previous limit of two total (database) appliances for a G4 enterprise on Azure. The largest standard G4 deployment has six total appliances in an Azure enterprise: two database appliances and four service appliances. Larger enterprises on Azure are supported, but may yield only marginal performance improvements. Larger capacity appliances are also now supported on Azure. For more information and guidance, see sections "G4 Appliance Basic Specifications on Azure" and "Number of G4 Appliances to Deploy on Azure" in help topic Deploy G4 Appliances on Azure.

You establish a G4 enterprise on Azure using a separate private product in the Azure Marketplace. (The G3 private product in the Azure Marketplace remains available.)

NOTE:

Both G4 and G3 products are moved in the Azure Marketplace from their previous location in "Private offers" to a new location in a "Private product" category.

Imprivata recommends that you deploy G4 appliances on Azure rather than G3 appliances, if possible. You cannot have G4 and G3 appliances on the same enterprise, so if needed, consider migrating your enterprise to G4.

Imprivata Single Sign-On Test Agent Supported on Chrome and Edge Chromium

The Imprivata single sign-on test agent is now supported on Google Chrome and Edge Chromium browsers.

OneSign and Confirm ID 7.11 and Later Releases Run Only on G4 Appliances

OneSign 7.11, Confirm ID 7.11, and later releases of those products run only on G4 (fourth generation) appliances in a G4 enterprise. If you’re running G3 (third generation) appliances in a G3 enterprise, or G2 (second generation) appliances in a G2 enterprise, and you want to upgrade to 7.11 or later, you must instead migrate to a G4 enterprise. You can install 7.11 or later as part of the migration process. For procedures to migrate from a G3 or G2 enterprise to a G4 enterprise, see "Migrating to a G4 Enterprise" in the Upgrade Portal.

Note that there are significant differences between G3 (or G2) and G4 appliances and sites. For information on G4 appliances, see G4 Appliance Types and Number of Appliances to Deploy. For a G4 enterprise, only one or two sites are used, and Imprivata recommends a maximum of two sites. For information on G4 sites, see Imprivata Sites for G4 Enterprises.

Rollback from a G4 enterprise to a G3 or G2 enterprise is not supported.

Technology Updates

FIDO Security Key Authentication

Fix for FIDO security key authentication on IGEL devices, version 11.09 and later.

Qualifications and Certifications

For more information on new 23.2 qualifications and certifications, see Imprivata Confirm ID Supported Components.

Microsoft 2020 LDAP Channel Binding and LDAP Signing Updates

While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.

To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.

TLS Support

As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all G3 appliance communications.

For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.

Support for ForceAuthN Attribute in OneSign WebSSO Integrations

ForceAuthN would typically be used when designing a SAML-enabled app to integrate with Imprivata OneSign WebSSO. Use the ForceAuthN attribute when a clinician must authenticate during a clinical workflow, while preserving their browser login.

 

Confirm ID API Access

As part of Imprivata's continuing effort to increase our security posture, this release includes two modes of API access through the Confirm ID and ProveID API:

  • Full

    Full access enables the ability to use the Confirm ID COM interface. Full access is required in the following areas because of the reliance on the COM interfaces:

    • Clinical Workflows

    • EPCS

    • Imprivata Connector for Epic Hyperspace

    • Imprivata Connector for Epic Hyperdrive

    • When Imprivata Confirm ID needs a password.

  • Restricted

    In restricted mode, access to Password and UserAppCreds resources are disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with a message stating that access is restricted and status code 403.

By default, Confirm API access is disabled. The settings to manage API access are on the API access page in the Imprivata Admin Console.

End Of Life: Imprivata ID Symantec Token (IMSY)

The ability to enroll Imprivata ID with an IMSY token has been removed.

All phones already enrolled with Imprivata ID and the IMSY token will still work, but when those users replace their phone and/or reinstall Imprivata ID, they will receive the IMPR token instead.

Symantec VIP tokens are not affected.

End Of Life: Symantec NSL 

As of August 1, 2019, Symantec ceased providing any and all levels of service and support for Norton Secure Login. NSL has shut down, you are no longer able to login. All customer data was purged after this date. There are no exceptions for service, support or contract extensions.

If you have any questions regarding this notice, please contact your Symantec partner or your Symantec Account Manager.

Upgrade Considerations

Imprivata Platform Update - G4 Appliances

An upgrade to 23.2 requires that you install the Imprivata platform update (virtual-applianceG4-IMPRIVATA-2023-2-1.ipm) before upgrading the G4 appliance.

The platform update provides infrastructure, communication, and security improvements which must be in place before you upgrade.

Take note of the following considerations:

  • This platform update is supported on Imprivata Confirm ID 7.10 and later as part of the upgrade process or as a standalone update. If desired, you can install and distribute this platform update to your appliances without having to upgrade.

Use one of the following methods for uploading:

  • Upload the platform update files from a file server connected to the appliance. This is the preferred method for updating the appliances.

  • If you cannot use a file server, and need to upload the IPM from your local computer, using the Imprivata Appliance Console > Packages tab.

    • The upgrade from 7.8 or 7.9 to 23.2 requires that you must first upload the provided increasePHPmaxPOST-2022-3-1.ipm. This small platform update temporarily increases the maximum PHP file upload size, allowing you to then upload the virtual-applianceG4-IMPRIVATA-2023-2-1.ipm file.

    • The upgrade from 7.10 through 7.12 to 23.2 does not require the increasePHPmaxPOST-2022-3-1.ipm be uploaded first. You can simply upload the virtual-applianceG4-IMPRIVATA-2023-2-1.ipm platform update file

For more information about upgrading to 23.2, see the Imprivata Upgrade Help.

Considerations

The following sections describe changes in behavior in Imprivata Confirm ID for recent releases.

Database Replication Status Icon and Text are Improved for G4 Service Appliances

An icon used to show database replication status in the Status box on the Imprivata home page is improved. For G4 service appliances, that icon is now a gray circle with a white interior. The icon indicates that a G4 service appliance does not have a database and therefore database replication status is not applicable to that appliance. In contrast, the icon of a green circle containing a white check mark still indicates that database replication is occurring normally for a G4 database appliance.

On the Sites page of the Imprivata Admin Console, the former Status column is now relabeled as database Replication Status to improve clarity. For a site having only a G4 service appliance, the database replication status value is now displayed as "Not applicable".

G4 Appliances Ship with Four CPUs by Default in OneSign 7.11 and Later Releases

For OneSign 7.11 and later releases, G4 (fourth generation) appliances ship with four CPUs by default. When deploying new G4 service appliances on 7.11 or later, manually remove two CPUs. For related information, see "Appliance System Requirements and Guidance" in the Imprivata online help system.

Previously, for OneSign 7.8 through 7.10, G4 appliances shipped with two CPUs by default. For those earlier releases, when deploying new G4 database appliances, you had to manually add two CPUs to meet the requirements.

These defaults and requirements do not apply to G4 appliances on Azure. For information on G4 appliances on Azure, see topic “Deploy a G4 Appliance on Azure” in the Imprivata online help system.

New Appliances on Non-DHCP Networks Get Prepopulated Host and Domain Names

When you set up a new G3 or G4 appliance on a network that does not use DHCP, then in the Appliance Setup Wizard process, under System Information, the Host Name and Domain Name fields get prepopulated with values localhost and localdomain. Previously, in Imprivata Confirm ID 7.8 and earlier, these fields were left blank. You must replace the prepopulated values with values for the permanent host name and domain name of the appliance.

Secure Walk AwayImprivata ID Sensitivity Control May Need Adjustment for Nordic BLE Receiver

Imprivata Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in OneSign and Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations. For more information, see topic Configuring Imprivata Secure Walk Away, section “Adjust Secure Walk Away – Imprivata ID Sensitivity”.