Roaming Epic EHR Delivered via Application Virtualization to Windows Workstations

This configuration can be used in most clinical settings:

  • A shared workstation with roaming applications lets users move from workstation to workstation and automatically connect to one or more applications, including the Epic EHR (Epic).
  • As users authenticate to different shared workstations, they reconnect to their virtualization session, which makes it appear as if their applications are "roaming" with them.
NOTE:

This configuration is not recommended for settings where patient medical records must remain persistent on the workstation for different users to access. For example — an exam room.

This topic details how each component in the following environment is configured.

Click to enlarge.

In this workflow, the Epic EHR (Epic) is delivered to a shared Windows workstations via Citrix DaaS application virtualization. For a summary of this architecture and Imprivata license requirements, see Epic EHR Delivered via Citrix to Windows Workstations.

Imprivata Enterprise Access Management Configuration

In this section you configure the Imprivata user and computers policies:

  • An Imprivata user policy is the means by which you define authentication methods and rules to a specific group of users.

  • An Imprivata computer policy is the means by which you define security parameters to a specific set of workstations. This workflow requires two computer policies:

    • The first policy is assigned to the shared windows workstations.

    • The second policy is assigned to the Citrix servers that are delivering Epic.

NOTE:

The following steps detail the required settings to achieve this workflow. For complete details on user and computer policies, see the Imprivata Enterprise Access Management Help.

In this workflow, users are enabled to authenticate with a proximity card + a password.

Although users will typically authenticate to Imprivata Enterprise Access Management with a proximity card, enabling password as the second factor is required for Citrix pass–through authentication.

Defining Authentication Methods and Enabling Virtual Desktop Access

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Desktop Access Authentication section.

  4. Under Primary Factors, select Password, and then Proximity Card.

    A secondary factor is not required.

  5. On the Virtual Desktops tab, select Enable virtual desktop access automation.

  6. Select Automate access to applications or published desktops, and then select Roam open applications.

  7. Save the user policy.

NOTE: If Citrix published applications or desktops appear in the pane, do not select them. This workflow does not require you to automatically launch an application. Citrix Workspace app manages application access.

The following screen captures detail the above settings.

Click to enlarge .

Assigning the User Policy

To apply users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import port it.

Configuring a connection to the Citrix connection broker makes the Epic application available to computer policies.

Configuring the Connection to Brokers

To configure the connection:

  1. In the Imprivata Admin Console, click Computers > Virtual desktops.

  2. In the Citrix XenApp section, enter one or more URLs to the Citrix stores.

  3. Click Save.

Configuring Citrix for Native Connections to Stores

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Imprivata Enterprise Access Management SSO:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

In this workflow, the Windows workstations are enabled for Windows authentication and automated application access.

Enabling Windows Authentication and Application Access

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  4. On the Virtual Desktops tab, go to the Citrix XenApp section , and select Automate access to Citrix XenApp.

  5. Under When a XenApp endpoint is locked, specify the required behavior when the endpoint becomes locked:

    • Keep the XenApp client and user session active

      This option preserves the user session; when a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled) their applications are preserved just as they were when this endpoint computer was locked.

    • Shutdown the XenApp client and disconnect the user session

      This option helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled) their application will relaunch.

  6. Optional – If you are deploying ProveID Embedded workstations, select Enable Published Applications.

  7. Under Available Citrix Servers, select one or more Citrix stores.

  8. Save the computer policy.

The following screen capture details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

In this workflow, the Citrix servers that are delivering the Epic are enabled for Windows authentication.

Enabling Windows Authentication

To add a computer policy for the Citrix servers:

  1. In the Imprivata Admin Console, click Computers > Computer polices.

  2. On the Computer policies page, click Add, and then enter a name.

  3. On the Citrix or Terminal Server tab, go to the Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section.

    1. Select XenApp or Terminal Server Windows session user and Imprivata user are always the same.

    2. Leave Always trust the Citrix or Terminal Server selected.

  4. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  5. Save the computer policy.

The following screen captures details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

Shared Windows Workstations Configuration

In this section, you configure your shared workstations to automatically boot and authenticate to Windows with generic workstation–based credentials:

  • The generic credentials are only used to log into the workstation.

  • When the Imprivata agent detects the user switch, the Imprivata user is logged into the Epic EHR.

A generic user account is required to log into the workstation. When adding the generic user to your user directory, be sure that the account is not enrolled in Imprivata Enterprise Access Management.

Imprivata Enterprise Access Management supports Citrix Workspace app for Windows. You can download the installer from the Citrix Support site.

Consider the following:

  • Citrix Workspace app must be installed with a user that has administrator privileges.

  • Single sign-on (pass through) authentication must be enabled during the installation.

  • Do not specify an account (Store URL or XenApp Services URL) as part of the installation. Configuring Citrix support for EAM details how to configure a GPO to automatically connect endpoint computers to the required account when Citrix Workspace app starts.

  • Citrix Workspace app must be configured to start automatically when the Windows workstation boots.

Restart the workstation after completing installation.

The following procedures detail now to configure Citrix support for EAM using a group policy object (GPO).

Note Citrix Store URLS

Configuring the GPO with the Citrix store URLs prevents you from having to:

  • Add them when installing Citrix Workspace app

  • Provide them to end users to add them manually to Citrix Workspace app.

Before you begin, use Citrix Studio to note the required URLs.

Enabling the Citrix StoreFront for the Citrix Fast Connect API

The Citrix store must be configured with the following authentication methods to support the Citrix FastConnect API:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

The Citrix store logon method (logonMethod) must be configured for single sign–on to support the Citrix FastConnect API.

To verify the logon method:

  1. From the Citrix StoreFront server, go to the following location:

    C:\inetpub\wwwroot\Citrix\<name_of_store>

  2. Open the web configuration file and find logonMethod.

  3. Verify that the value is set to sson. For example:

    pnaProtocolResources changePasswordAllowed="Never" logonMethod="sson"

Adding the Citrix Administrative Templates to the Active Directory Domain Controller

Configuring Citrix Workspace app with Imprivata Enterprise Access Management requires the following template files:

  • receiver.admx

  • receiver.adml

To make these templates available to the Group Policy Management Editor, add them to the Central Store on the domain controller.

You can locate the templates in the following ways:

  • Citrix makes the templates available separately from the Citrix Workspace app installer. Go to the Citrix Workspace app Windows download page. The ADMX/ADML templates are available in the Admin Tools section.

  • The templates are installed with Citrix Workspace app.

    • The ADMX file is located at "C:\Program Files (x86)\Citrix\ICA Client\Configuration".

    • The ADML file is located at "C:\Program Files (x86)\Citrix\ICA Client\Configuration\en-US".

Managing Group Policy settings requires that all ADMX/ADML files be added to the Central Store on the domain controller. To add the administrative templates:

  1. Log into the domain controller.

  2. Go to C:\Windows\SYSVOL\domain\Policies and create a PolicyDefinitions folder to function as the Central Store.

  3. Go to C:\Windows\PolicyDefinitions and copy all of the contents, including the en-US folder, to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

  4. Add receiver.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

  5. Add receiver.adml to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US.

  6. If the Group Policy Management Editor is open, close the console for the changes to take affect.

Creating a Group Policy to Manage the Fast Connect Configuration

Create an organizational unit (OU) and add your endpoint computers to it.

To create the organizational unit:

  1. From the domain controller, open the Active Directory Users and Computers console.

  2. In the console tree, create an organizational unit (OU) for your endpoint computers.

  3. Add or move the required endpoint computers to the OU.

To create the group policy:

  1. From the domain controller, open the Group Policy Management Console.

  2. In the required domain, select Group Policy Objects > New.

  3. In the New GPO window, name the GPO and click OK.

Click to enlarge

To add the Citrix Administrative templates to the group policy object:

  1. Right-click the new GPO and select Edit. The Group Policy Management Editor opens.

  2. Go to Computer Configuration > Policies > Administrative Templates Policy Definitions (ADMX files) retrieved from the central store > Citrix Components > Citrix Workspace app.

Click to enlarge.

Configuring the Group Policy Object

The following procedures detail how to configure the GPO.

NOTE: Citrix Workspace app SelfService must be configured with the Disabled option.

The Disabled option is required, regardless of the desired end user workflow and application session (roaming) requirements.

To configure the required settings:

  1. In Group Policy Management Editor tree, select User authentication.

  2. In the details pane, double-click Local user name and password.

  3. In the Local user name and password window, select Enabled.

  4. In the Options pane:

    • Select Enable pass-through authentication.

    • Select Allow pass-through authentication for all ICA connections.

    • Deselect Use Novell Directory Server credentials.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select FastConnect API Support.

  2. In the details pane, double-click Manage Fast ConnectAPI support.

  3. In the Manage FastConnectAPI support window, select Enabled.

  4. In the Options pane, select:

    • Select Enable Fast Connect API functionality.

    • Select EnableFastConnectTransisitionAPI.

    • Select Integrate Self Service Plugin with FastConnect.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Self Service.

  2. In the details pane, double-click Manage App shortcut.

  3. In the Manage App Shortcut window, select Enabled.

  4. In the Options pane, select:

    • In the Startmenu field: if you want your Citrix apps in a folder on the Start menu, enter a name for that folder here. If this field is left blank, the apps will appear directly on the Start menu.

    • In the Desktop Directory field: if you want your Citrix apps in a folder on the desktop, enter a name for that folder here. If this field is left blank, the apps will appear directly on the desktop.

    • Deselect Disable Startmenu Shortcut.

    • Select Enable Desktop Shortcut.

    • Select Disable Categorypath for startmenu.

      BEST PRACTICE: Use Citrix StoreFront categories in the Start menu instead.

    • Select Enable Categorypath for desktop and Enable to have different category path startmenu.

    • Select Remove apps on Logoff.

    • Select Remove apps on Exit.

    • Select Clear the set of applications shown in the Receiver Window on logoff.

    • Select Prevent Receiver performing a refresh of the application list when opened.

    • Select Ignore self service selection of apps and make all mandatory.

  6. Click OK.

The settings should match the following.

Click to enlarge

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Self Service.

  2. In the details pane, double-click Control When Receiver Attempts to Reconnect to Existing Sessions.

  3. In the Control when Receiver attempts to reconnect to existing sessions window, select Enabled.

  4. In the Options pane, select Refresh, Open (or an equivalent setting) from the Choose the appropriate combination of reconnect conditions list.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Storefront.

  2. In the details pane, double-click StorefrontAccounts List.

  3. In the Storefront Account List window, select Enabled.

  4. Click Show.

  5. In the Show Contents window, enter the store account (Store URL or XenApp Services URL) details using the following syntax:

    store_name;store_url;store_enabled_state;store_description

    • store_name is the name users see for the store.

    • store_url is the Services URL for the store.

    • store_enabled_state specifies if the store is available to users. Set to On or Off.

    • store_description is the description users see for the store.

XenApp Services example: SalesStore;https://example.com/Citrix/SalesStore/PNAgent/config.xml;On;Store for Sales Staff

Store example: SalesStore;https//example.com/Citrix/SalesStore/;On;Store for Sales Staff

NOTE: The store_enabled_state syntax is case-sensitive.

(Optional) This step is required only if your Citrix environment is using Storefront URLs. Configuring the registry keys requires that you:

  • Add the ConnectionSecurityMode and the ProtocolOrder values to the Citrix AuthManager registry key.

  • Create the Protocols registry key with a httpbasic subkey, which has a value of Enable.

To add the value:

  1. In the Group Policy Management Editor tree, go to Computer Configuration > Preferences > Windows Settings.

  2. Right–click Registry and select New > Registry item.

  3. In the New Registry Properties window, select Create from the Action list.

  4. From the Hive list, select HKEY_LOCAL_Machine.

  5. Enter the following in the Key Path field:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\

    • 32–bit — Software\Citrix\AuthManager\

  6. In the Value name field, enter ConnectionSecurityMode.

  7. From the Value type list, select REG_SZ.

  8. In the Value data field, enter Any. Click OK.

To add the value:

  1. In the Group Policy Management Editor tree, go to Computer Configuration > Preferences > Windows Settings.

  2. Right–click Registry and select New > Registry item.

  3. In the New Registry Properties window, select Create from the Action list.

  4. From the Hive list, select HKEY_LOCAL_Machine.

  5. Enter the following in the Key Path field:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\

    • 32–bit — Software\Citrix\AuthManager\

  6. In the Value name field, enter ProtocolOrder.

  7. From the Value type list, select REG_MULTI_SZ.

  8. In the Value data field, enter httpbasic. Click OK.

To create the key:

  1. In the New Registry Properties window, select Create from the Action list.

  2. From the Hive list, select HKEY_LOCAL_Machine.

  3. Enter one of the following in Key Path:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\Protocols\httpbasic

    • 32–bit — Software\Citrix\AuthManager\Protocols\httpbasic

  4. In the Value name field, enter Enabled.

  5. From the Value type list, select REG_SZ.

  6. In Value data field, enter true. Click OK.

Configuring Internet Explorer

Configuring Internet Explorer requires that you:

  • Add the domain of the Services URL as a trusted site.

  • Configure user authentication for automatic logon.

To add a trusted site:

  1. In the Group Policy Management Editor tree, go to Windows Components > Internet Explorer > Internet Control Panel > Security Page.

  2. In the details pane, open Site to Zone Assignment List.

  3. In the Site to Zone Assignment List window, select Enabled.

  4. In the Options section, click Show.

  5. In the Value name field, type the scheme and domain of the Services URL.

    Example: If the URL is https://example.com/Citrix/SalesStore/PNAgent/config.xml, then enter https://example.com.

  6. In the Value field, type 2 and click OK.

  7. Apply the changes to the Site to Zone Assignment List.

To configure user authentication:

  1. In the details pane, open Trusted Sites Zone.

  2. In the details pane, open Login options.

  3. In the Logon options window, select Enabled.

  4. From the Logon options list, select Automatic logon with current username and password.

  5. Click OK.

Linking the Group Policy to the Organizational Unit

To link the GPO to the OU:

  1. In the Group Policy Management window, right-click the new OU you created and select Link an Existing GPO.

  2. In the Select GPO window, select the new GPO and click OK.

Click to enlarge

Configuring Security Filtering

Configure security filtering to make the GPO available to the required workstations.

To configure security filtering:

  1. In the Group Policy Management window, navigate to your new OU, select your new GPO, and click the Scope tab.

  2. In the Scope tab > Security Filtering section, set the filter as necessary. In this example, the filter is set to Everyone to make this policy accessible to everyone:

Click to enlarge.

Verifying the Configuration

All shared workstations in the OU receive the new GPO settings at the next group policy refresh interval. The default interval is 90 minutes.

You can verify the configuration with the following methods.

On any workstation in the OU, you can verify that the GPO settings are applied by viewing the settings in the registry at the following location:

  • 64-bit – HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Policies > Citrix > Dazzle

  • 32-bit – HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Citrix > Dazzle

The following is provided as an example only.

Click to enlarge.

You can create a group policy result report to select a specific workstation to query. The report specifies which GPOs are applied.

To create the report:

  1. In the Group Policy Management window, right-click Group Policy Results > Group Policy Results Wizard...

  2. In the Computer Selection page, select the computer for which you want to display policy settings, and click Next.

  3. In the User Selection page, enter a domain administrator and click Next.

  4. Click Finish to close the wizard.

  5. The report is not actually run yet; in the Group Policy Management window > Group Policy Results section, right-click the report you just created and click Rerun Query.

    NOTE: If the Windows WMI service is disabled or restricted on the endpoint computer, the report will not work.

  6. After the report is generated, select the report from the left navigation. In the example below it is named after the endpoint computer THIRTYTWO.

  7. In the details pane, select the Details tab. Your GPO is listed in the section Applied GPOs.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Installing with the MSI

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Shared Kiosk Workstation agent.

Deploying with Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=2

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Configure the following registry settings to configure your shared workstations to automatically boot and authenticate to Windows using generic workstation-based credentials.

These keys must be configured in the 32–bit location, even if the workstation OS is 64–bit.

Name Data Type Location Value Required?
AutoAdminLogon STRING HKLM\Software\Microsoft\Windows NT\Winlogon

Default value = 0

Required value = 1

 Yes
DefaultUserName STRING HKLM\Software\Microsoft\Windows NT\Winlogon The name of the generic user account. Yes
DefaultPassword STRING HKLM\Software\Microsoft\Windows NT\Winlogon The password for the generic user account. Yes
DefaultDomainName STRING HKLM\Software\Microsoft\Windows NT\Winlogon If using a domain user, set to desired domain. No

Citrix Server Configuration

In this section, you install the Imprivata agent and the Imprivata Connector for Epic Hyperdrive on the Citrix servers that are delivering the Epic EHR.

  • Installing the Imprivata agent on the Citrix Servers enables Imprivata to communicate between Citrix environment and the private workstations.

  • Installing the Imprivata Connector for Epic Hyperdrive enables access to Epic Hyperdrive.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Enterprise Access Management. If your virtual environment is configured correctly for session persistence, Enterprise Access Management seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

BEST PRACTICE:

Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the connection broker roams the session that the user was previously using.

For more information about configuring session persistence and application delivery, see your vendor documentation.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Citrix or Terminal Server agent.

Using a Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=3

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Install the Imprivata Connector for Epic Hyperdrive on all of the servers that are delivering Epic. Consider the following:

  • The same Imprivata Connector for Epic Hyperdrive installer supports both 32-bit and 64-bit operating systems.

  • The Imprivata Connector for Epic Hyperdrive can only be used with one version of Epic on a given workstation.

NOTE: Before installing the Imprivata Connector for Epic Hyperdrive, be sure that Epic is installed.

Using the Installation Wizard

To install:

  1. Run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The installer automatically detects the version of Hyperspace installed and installs the appropriate Imprivata Connector for Epic Hyperdrive files for that version. If multiple versions of Hyperspace are detected or if Hyperspace is not installed, the Imprivata Connector for Epic Hyperdrive installer prompts you to select one version of Epic.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Using the Command Line

To install:

  1. Standard msiexec commands can be used to run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The Epic version of the Imprivata Connector for Epic Hyperdrive can be specified in the msiexec command line as follows:

    • EPICVERSION = 2014

    • EPICVERSION = 2015

    • EPICVERSION = 2017

    • EPICVERSION = "2018 August"

    • EPICVERSION = "2018 November"

    • EPICVERSION = "2019 February"

    NOTE: If you are using the Imprivata Connector for Epic Hyperdrive version 6.3 or later, including an Epic version is not required.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Epic Configuration

In this section, you configure the Imprivata Connector for Epic Hyperdrive.

Imprivata has worked with Epic Systems to develop the Imprivata Connector for Epic Hyperdrive. The Connector leverages Epic's authentication API to provide single sign-on, single sign-off, and fast user switching for Epic Hyperdrive.

Imprivata Enterprise Access Management offers two different configuration options for Epic that can be enabled on a per-workstation basis:

  • SSO for Epic only workflow

    With this workflow, the Windows desktop is always unlocked. Users authenticate to Epic using their fingerprint or proximity card. This workflow is optimized for workstations on which Epic is the most frequently accessed application.

  • SSO for multiple applications including Epic

    With this workflow, the Windows desktop is secured by the Imprivata agent. Users authenticate to EAM using their fingerprint or proximity card. This workflow is optimized for workstations on which Imprivata Single Sign-On is required for multiple applications, including Epic.

EAM can be configured to secure Epic and maintain the patient context or log the user out of Epic with either of these workflows.

NOTE:

In scenarios where EAM performs Fast User Switching into the Epic EMR Hyperdrive client delivered via Citrix, we recommend that the Epic session remain active during times of clinician usage. The utilization of Citrix timeout settings for Epic sessions, or any closure of the Epic session, may impact login times for clinical users because they must wait for the Epic session to reconnect.

Citrix and VDI connection times are unaffected by EAM. When needed, EAM automates the connection to Citrix, but does not reduce the connection time.

When configuring support for Epic, consider the following:

  • Use the endpoint computer policy to manage the settings on the Connector for Epic tab.

    These settings are only honored from the workstation on which users access Epic. The settings are not honored where Epic is installed.

  • The Imprivata Connector for Epic Hyperdrive for Epic supports a number of reference architectures.

    While you can use the Imprivata Connector for Epic Hyperdrive Configuration Guide to complete the steps required of this reference architecture, the guide does include information that is optional.

As such, the table below provides an overview of what must be configured for this specific reference architecture.

Configuration Notes
System definitions

Epic system definitions are configured to support roaming.

For assistance configuring your system definitions, contact Epic.
Authentication devices

Ensure that your authentication devices are configured correctly:

  • Use Chronicles to configure the E0G master file.
  • Set the Login Mode option to SYSTEM LOGIN (EMP 45), otherwise User ID.

For more information, see Chapter 4.
Epic only mode

In this configuration, Epic is the only application that clinicians can access from the shared workstation:

  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 9.
Multi–app mode

In this configuration, clinicians can access other applications in addition to Epic:

  • By default, when Epic is delivered via Citrix Virtual Apps, the Imprivata Connector for Epic Hyperdrive disables the Imprivata SSO engine. To re-enable the SSO engine, configure the following registry settings:
    • ControlISXAgentStartup
    • DontStartAgentHooks
    • DontStartAgentTimer
    • HookInit
  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 8.