What's New in Imprivata Enterprise Access Management 25.4
Imprivata Enterprise Access Management with MFA 25.4 contains the following new features and technology updates.
New Features
- EPCS — Users can now enroll their face to authenticate for EPCS in multi-factor authentication on Windows desktops.
- Web SSO — Face Recognition is now a supported authentication method for Web SSO.
- Remote Access — Face Recognition is now a supported authentication method for cloud-based Remote Access with F5 BIG-IP VPN and Citrix Netscaler Gateway.
Imprivata WebSSO now supports using ACR values to assign specific Clinical Workflows with OpenID Connect.
As part of Imprivata's continuing effort to increase our security posture, this release includes the ability to set the public key length to 4096 bits for the following certificates:
- Appliance
  - Appliance SSL Cert
- Imprivata Admin Console
  - Web SSO IDP Cert - App vouchers
  - Confirm ID Self-signed Cert - App vouchers
  - ProveID Web Server Cert
  - SSH Enterprise Key Cert
  - Epic certs
    - Self signed subspace prd
    - Self signed subspace non-prd
    - Self signed epic same
The action of changing the key length for the above cannot be undone. Take care when setting the key length in your environment, as this affects communication between Imprivata components and any third-party services that consume them.
It is a best practice to back up your enterprise database before updating certificates to 4096 bits.
The Imprivata Appliance Console and Imprivata Admin Console settings have been updated to allow you to update certificates to 4096 bits.
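Because the key-length change cannot be undone and affects every component that consumes these certificates, it is worth confirming from the outside that a certificate really was regenerated with a 4096-bit key before relying on it. The POSIX shell script below is an added example, not Imprivata code: it uses the OpenSSL command-line tool to read the RSA public-key length from a PEM certificate (or from the certificate an appliance presents on a TLS port) and compares it against a threshold. The appliance hostname, the port 443 default, and the certificate file paths in the usage comment are assumptions; the self-signed certificate it generates when run without arguments is constructed throwaway test data.

```shell
#!/bin/sh
# Added example (not Imprivata's code): verify the RSA public-key length of
# X.509 certificates after switching the appliance/console settings to 4096 bits.
# Requires the openssl command-line tool.

# Extract the "(N bit)" figure from `openssl x509 -text` output read on stdin.
key_bits_from_cert_text() {
  sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the public-key length of a PEM certificate file ($1).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | key_bits_from_cert_text
}

# Fetch the certificate an appliance presents on a TLS port and print its key
# length. $1 = hostname (assumed), $2 = port (defaults to 443). Needs network
# access, so it is not exercised by the offline self-check below.
appliance_cert_key_bits() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null | key_bits_from_cert_text
}

# Succeed (exit 0) only when the key in $1 is at least $2 bits (default 4096).
cert_meets_key_length() {
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge "${2:-4096}" ]
}

# Human-readable verdict for one certificate file.
report_cert() {
  if cert_meets_key_length "$1" 4096; then
    printf '%s: OK (%s-bit key)\n' "$1" "$(cert_key_bits "$1")"
  else
    printf '%s: TOO SHORT (%s-bit key, expected >= 4096)\n' "$1" "${bits:-unknown}"
  fi
}

# Offline self-check with a constructed, throwaway self-signed certificate.
demo_with_constructed_cert() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj "/CN=constructed-demo" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
  report_cert "$tmp/cert.pem"
  rm -rf "$tmp"
}

# Usage (file names assumed): sh check_key_length.sh appliance-ssl.pem websso-idp.pem
# With no arguments, run the self-check instead.
if [ $# -gt 0 ]; then
  for cert in "$@"; do report_cert "$cert"; done
else
  demo_with_constructed_cert
fi
```

Run it against each exported certificate after the update, or call appliance_cert_key_bits with the appliance hostname to check the SSL certificate the appliance is actually serving; a result below 4096 means the regeneration did not take effect for that certificate. Because the database backup recommended above is what lets you recover if a third-party consumer rejects the new certificate, keep that backup until every dependent service has been confirmed working.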
This release includes the ability to configure the reply-to address for appliance email notifications from the Imprivata Appliance Console.
Imprivata recommends that each appliance should have its own unique reply-to address, so that administrators can more easily identify the correct appliance when it sends error or warning notifications.
Imprivata ProveID Embedded now supports secure MIFARE DESFire proximity card authentication, including the French national CPS smart card, meeting eIDAS Substantial requirements.
This update enables clinicians in France to use their existing CPS cards for secure Enterprise Access Management tap-and-go workflows, avoiding the need to purchase replacement cards.
Enterprise Access Management collects and reports user IP addresses for remote access authentications performed through Citrix Application Delivery Controller (ADC) (formerly NetScaler) VPN gateways using RADIUS.
The Login Activity report in the Imprivata Admin Console displays this information.
Enable the Send Calling Station ID option on the Citrix ADC gateway. This is required for IP addresses to appear in the Login Activity report.
When an administrator logs out of the Imprivata Access Management portal, the admin is also logged out of all consoles managed through the portal.
Users are locked out after excessive failed login attempts with Face recognition.
Technology Updates
This is a reminder that Internet Explorer is not supported. Any functionality related to Internet Explorer or IE mode will be deprecated as of December 2026.
The Classic Windows login is deprecated and will no longer be supported after Q1 2026.
Imprivata is committed to innovation and is focusing efforts on the Imprivata login. It is recommended that you begin planning a migration to the Imprivata login. For more information about the Imprivata login and next steps, see the FAQ.
While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.
To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.
As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all appliance communications.
For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.
As part of Imprivata's continuing effort to increase our security posture, this release includes two modes of API access through the Confirm ID and ProveID API:
- Full: Full access enables the ability to use the Confirm ID COM interface. Full access is required in the following areas because of the reliance on the COM interfaces:
  - Clinical Workflows
  - EPCS
  - Imprivata Connector for Epic Hyperdrive
  - When Imprivata Confirm ID needs a password.
- Restricted: In restricted mode, access to the Password and UserAppCreds resources is disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with a message stating that access is restricted and status code 403.
By default, Confirm ID access is disabled and ProveID API access is set to restricted. The settings to manage API access are on the API access page in the Imprivata Admin Console.
Considerations
The following sections describe changes in behavior in Imprivata Enterprise Access Management.
Enterprises who have clinicians' faces enrolled for authentication in Mobile EPCS must migrate those enrollments to the new Imprivata Cloud Platform (ICP) Face Recognition support. This is accomplished with a custom migration tool. For more information, see the Imprivata Upgrade portal.
Does not apply to customers whose end-users have faces enrolled only for Desktop Authentication.
Face authentication is a new modality and is supported on Windows.
- If your enterprise uses mixed endpoints (thin clients, medical devices, etc.), test to verify that they continue to work after enabling Face recognition.
- If you encounter issues on non-Windows platforms, disable multiple second factors using computer policy overrides and reach out to your vendor and Imprivata representative.
Imprivata has identified limited cases where Imprivata agents running on non-Windows platforms are unable to authenticate depending on user policy configuration. Limiting the second factor options in your environment is recommended to resolve this.
Beginning with 25.2, you can no longer directly run the Imprivata agent installer. This includes:
- Double-clicking the MSI.
- Right-clicking the MSI and running as an administrator.
To launch the installer, you must execute the MSI from an elevated command prompt. Running the MSI directly in either of the ways above results in an error message stating that you do not have the required permissions. This behavior occurs even if you are logged into the Windows endpoint with administrator credentials.
This requirement does not affect deployments performed through Microsoft Endpoint Configuration Manager (SCCM) or any other third-party software deployment tool.
Imprivata's Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in Imprivata OneSign and Imprivata Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations.
For more information, see Configuring Imprivata Secure Walk Away.
Upgrade Considerations
For more information on upgrading Enterprise Access Management, see the Imprivata Upgrade portal.