Implement Imprivata Mobile Device Access
What Imprivata MDA Does
Imprivata Mobile Device Access (MDA) extends Imprivata authentication management and SSO to supported mobile devices and supported mobile applications.
Recommended Rollout (Fastest Path to Success)
- Lab evaluation (compatibility + baseline configuration).
- POC / Pilot (5–20 devices) with real end users.
- Scale to production after acceptance criteria are met.
Requirements
Verify the following hard requirements before you begin:
- Devices / OS
  - Android 12 and later is supported.
- Badges / NFC
  - NFC badge/read compatibility requires 13.56 MHz MIFARE frequency.
  - If existing badges don't meet this, consider dual-frequency badges (125 kHz + 13.56 MHz) or stickers/pucks.
- MDMs
  - Use an MDM and deployment mode that is supported/qualified for MDA.
  - Qualified examples referenced in the guide include:
    - Workspace ONE UEM
    - Microsoft Intune
    - SOTI MobiControl
- Apps
  - Deploy only apps whose integrations are certified with Imprivata and its partners.
  - MDA supports Android-standard notifications but not custom/overlay notifications.
Who Needs to be Involved
The team should include at least the following stakeholders:
- IT PM / project owner
- MDM admin - for enrollment, profiles and app deployment.
- EAM and MDA administrators - for managing Imprivata Admin Console policies.
- Clinical champions / pilot users - for workflow validation.
Implementation Steps
Perform these implementation tasks in order.
- Validate prerequisites: Supported Android devices, supported EAM release, Imprivata Admin Console access, supported MDM/mode, badge compatibility, and supported apps.
- Enroll pilot devices in the MDM and apply baseline security + network settings.
- Deploy Imprivata MDA and required components via managed app deployment.
- Configure Imprivata MDA policies in the Imprivata Admin Console (Computers > Mobile Policy).
- Deploy AppConfig and app settings via your MDM and ensure that supported apps are correctly configured.
- Test the "golden path" workflows on a small subset before expanding the pilot.
Pilot Acceptance Checklist (Pass/Fail)
Your pilot is ready to scale when you can consistently confirm the following:
- Device enrollment + Imprivata MDA + AppConfig deployed correctly.
- Badge reads reliably and lock/unlock/session works.
- App SSO works for in-scope certified apps.
- Notifications and alerts behave as required for the workflow.
- User switch works (logout and login between users).
- Inactivity and logout timers behave as expected.
Additional Resources
- Imprivata MDA documentation: https://docs.imprivata.com/mda
- Supported devices/apps/workflows: https://www.imprivata.com/applications-supporting-mda
- Support: support@imprivata.com
Who This Guide is For
This document is intended for an IT team in a healthcare setting. A successful rollout requires partnership between two groups (IT leadership and Clinical leadership).
The team should include at least the following:
- IT project manager
- Imprivata MDA Implementation Engineer
- Mobile device administrator to perform MDM configuration
- Imprivata Enterprise Access Management administrator
- Clinical staff leadership, to ensure boots-on-the-ground success
Success with Mobile Device Access
As you plan your implementation of Imprivata MDA, think through the balance between security and accessibility on these shared devices, and the impact on the daily work of end users and clinical staff. Getting this balance right is critical to the success of the deployment.
The most important recommendation that this guide can give is to consult with your clinical end users and understand how these shared devices are being used.
Imprivata has a team of professional services and clinicians who are experts in helping to ensure a successful deployment. Your account manager can help you take advantage of these services.
Implementation Strategy
Often what works perfectly in a lab IT environment does not perform well in a real-world clinical environment. A well-planned POC will help ensure success that scales across your organization.
Based on Imprivata's experience, the recommended rollout approach is:
- Complete a lab evaluation to validate technical compatibility (device models, badges, MDM configuration, app integrations).
- Run a POC with 5-20 representative devices and end users. Collect acceptance criteria results and iterate, if needed.
- Scale to production following best practices.
Configuring Imprivata MDA
Imprivata MDA extends Imprivata authentication management and single sign-on to mobile devices and apps.
Before touching consoles or devices, confirm the following:
- Devices and OS version: Verify that the devices and the Android OS are supported with Imprivata MDA.
- Imprivata Enterprise Access Management: Verify that your EAM release is supported and you have Imprivata Admin Console access (Computers > Mobile Policy).
- MDM: Select the MDM and deployment mode you will use and confirm that they are supported. Identify whether you will use a launcher.
- Badges/NFC: Ensure badges support 13.56 MHz MIFARE NFC or order dual-frequency badges / pucks. Test a sample badge on the target device before enrolling many devices.
- Apps: Verify that the apps you will deploy (EHR, messaging) are supported by Imprivata MDA.
Configuring Imprivata MDA requires you to:
- Review the required Android device settings and permissions.
- Review the AppConfig reference.
- Enable Imprivata MDA in your Imprivata enterprise.
- Import and deploy the Imprivata mobile app profiles.
- Configure the mobile policy and user authentication.
- Configure your call, alarm, and notification apps to display alerts and notifications properly.
- Configure the Imprivata user policy authentication methods.
- Configure your MDM to deploy the Imprivata MDA app to your devices and configure application specific settings.
Any implementation is a living thing. New devices, new operating systems, and new apps are expected over time.
If, during this pre-implementation evaluation, or after your implementation is live, you come across something not yet supported, Imprivata is willing to help you and be a partner for your success.
Reach out to your account team to engage with our Product Management and Business Development teams to help.
About MDMs
A well-configured MDM system is required for the success of your implementation. Imprivata MDA is available in the Google Play Store and can be downloaded and distributed to your mobile devices using Mobile Device Management (MDM) software. Your implementation of Imprivata MDA must be configured for the MDM that you are using.
Currently, the following MDMs and their configurations have been qualified for integration with Imprivata MDA:
- Workspace ONE UEM
  - Shared Mode Configuration with Workspace ONE Launcher
  - Dedicated Mode Configuration with Workspace ONE Launcher
- Microsoft Intune
  - Fully Managed Configuration with Microsoft Launcher
  - Corporate Owned Dedicated Device with Managed Home Screen Launcher
    NOTE: To avoid badge/NFC compatibility issues, ensure that devices are running Android 13 and later when using Managed Home Screen.
- SOTI MobiControl
  - Shared devices with Soti Lockdown
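The device, badge and MDM prerequisites stated so far can be checked against a device inventory before any pilot device is enrolled. The following Python check is an added example, not Imprivata's code and not part of the original guide; the inventory field names (`id`, `android`, `mdm_config`, `badge_mhz`) and the sample devices are hypothetical.

```python
# Added example: pre-pilot inventory check against the requirements on this page.
# Field names and sample devices are hypothetical, not an Imprivata or MDM export format.
MIN_ANDROID = 12            # "Android 12 and later is supported"
MIN_ANDROID_MHS = 13        # Managed Home Screen note: Android 13 and later
NFC_MHZ = 13.56             # MIFARE NFC frequency read by the devices
# Qualified configurations exactly as listed on this page (compared in lower case).
QUALIFIED_CONFIGS = {
    "shared mode configuration with workspace one launcher",
    "dedicated mode configuration with workspace one launcher",
    "fully managed configuration with microsoft launcher",
    "corporate owned dedicated device with managed home screen launcher",
    "shared devices with soti lockdown",
}

def android_major(version):
    """Return the major version from strings such as '13' or '12.1', or None."""
    head = str(version).strip().split(".")[0]
    return int(head) if head.isdigit() else None

def check_device(dev):
    """Return a list of failed requirements for one inventory record."""
    failures = []
    config = dev.get("mdm_config", "").strip().lower()
    major = android_major(dev.get("android", ""))
    if major is None:
        failures.append("android version unreadable")
    elif major < MIN_ANDROID:
        failures.append("android below 12")
    elif "managed home screen" in config and major < MIN_ANDROID_MHS:
        failures.append("managed home screen needs android 13+")
    if config not in QUALIFIED_CONFIGS:
        failures.append("mdm configuration not qualified")
    # badge_mhz: frequencies of the badge stock that will be used with this device
    if not any(abs(f - NFC_MHZ) < 0.01 for f in dev.get("badge_mhz", [])):
        failures.append("badge lacks 13.56 MHz")
    return failures

def preflight(inventory):
    """Map device id -> failures, listing only devices that fail."""
    report = {d["id"]: check_device(d) for d in inventory}
    return {k: v for k, v in report.items() if v}

# Constructed sample inventory
SAMPLE = [
    {"id": "lab-01", "android": "13", "mdm_config": "Shared devices with Soti Lockdown", "badge_mhz": [0.125, 13.56]},
    {"id": "lab-02", "android": "12.1", "mdm_config": "Corporate Owned Dedicated Device with Managed Home Screen Launcher", "badge_mhz": [13.56]},
    {"id": "lab-03", "android": "11", "mdm_config": "Kiosk mode", "badge_mhz": [0.125]},
]

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

A device that meets the general Android 12 minimum can still fail here when it is paired with Managed Home Screen, which is the case `lab-02` illustrates.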
About Badges
If you are an existing Imprivata Enterprise Access Management customer, the badges currently deployed may not support the NFC frequency required by the mobile devices. Mobile devices use NFC technology, which operates at the 13.56 MHz MIFARE NFC frequency. If your current badges do not support this frequency, there are two options available:
- Replace existing badges with new badges that support dual frequency (both 125 kHz and 13.56 MHz).
- Use stickers (sometimes called “pucks”) which can be attached to a badge to allow for 13.56 MHz frequency to be read.
Beginning with MDA 8.1, FIDO security keys are supported for authentication and new badge enrollment workflows.
About Apps
Imprivata MDA helps users access their apps quickly and seamlessly, making it easy to get their work done. It is vital for your Imprivata MDA implementation to ensure that the apps you intend to deploy on your mobile devices support an integration with Imprivata MDA.
After a user has authenticated to the device with their Imprivata Enterprise Access Management credentials, Imprivata MDA leverages the user's EAM credentials (username/password) to access the provisioned apps.
There are three key use cases that Imprivata MDA supports with app vendors:
- Login – sign the user in to the app
- Logout – sign the user out of the app
- Notifications (including voice) – allow notifications to be displayed on the phone
For your implementation of Imprivata MDA, only deploy apps whose integrations have been certified with Imprivata and our app development partners.
For the most current information on supported devices, applications, and workflows for Imprivata MDA, see https://www.imprivata.com/applications-supporting-mda.
If you do not see an app listed, reach out to us! Our business development and product management teams are constantly working to add more apps to our ecosystem and are happy to work with vendors to guide them on how to integrate their app to Imprivata MDA.
About Phone Calls and Dialers
Imprivata MDA can be configured to suit the communication apps that you choose to deploy. Some device makers have specific communication apps that interact with specific buttons or hot keys; one example is Zebra Workforce Connect. Other communication apps are agnostic to the device itself.
As mentioned above, review the list of supported applications to ensure that the communication or phone app is supported.
Additionally, Imprivata MDA 8.1 and later supports a feature that enables a user to make a phone call directly from the MDA lock screen without having to authenticate. This feature is useful when using the native Android dialer.
Testing Checklist for Imprivata MDA
Acceptance checklist (pass/fail)
- Device enrolls and receives Imprivata MDA and AppConfig.
- Badge reads reliably: the user is authenticated successfully and is able to unlock or lock the session.
- App SSO: certified apps sign in/out as expected and accept Imprivata credentials.
- Notifications: clinical call/alert notifications are received while locked and during app use.
- User switch performs as expected: user 1 is successfully logged out of device and apps, user 2 is successfully logged in to device and apps.
- Timers: Imprivata MDA inactivity, logout, and optional Countdown behave as expected.
- Users confirm that workflows are acceptable.