Imprivata Documentation | Imprivata Enterprise Access Management (OneSign) 24.1 | Topic updated: June 04, 2024

What's New in Imprivata OneSign 24.1

Imprivata OneSign 24.1 contains the following new features and technology updates.

New Features

Number Matching Authentication

You may configure Imprivata Confirm ID to require users enter a 2-digit code into Imprivata ID when authenticating for Imprivata WebSSO and Remote Access. Number Matching provides a greater level of protection against MFA fatigue attacks, keeping your digital assets out of the hands of bad actors.

This functionality is now available for all Imprivata Confirm ID Remote Access deployments, not only Remote Access Cloud users.

Virtual Smartcard Support for Care Identity Service (CIS) Passcode

Support for CIS Passcode increases the security bar for national authentication and access in the NHS. CIS Passcode provides an additional, highly distributed, layer of security for customers using Virtual Smartcard. When enabled, all newly created Virtual Smartcards are further encrypted using the end user's supplied CIS Passcode. There are significant implications to consider before enabling CIS Passcode encryption. See "Enable CIS Passcode" in the OneSign Help for further information.

Virtual Smartcard Creation

Support for generating Virtual Smartcards using the new NHS Care Identity Management (CIM) as well as the Care Identity Service (CIS) has now been validated by Imprivata.

Technology Updates

Qualifications and Certifications

For more information on new 24.1 qualifications and certifications, see Imprivata OneSign Supported Components.

Microsoft 2020 LDAP Channel Binding and LDAP Signing Updates

While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.

To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.

TLS Support

As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all appliance communications.

For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.

Imprivata Google Chrome Extension

The Imprivata agent continues to install the Chrome extension for SSO, but no longer enables it.

If you plan on installing Imprivata agents on new endpoints or upgrading existing Imprivata agents, you must enable/allow the extension using a Microsoft Active Directory GPO. Per the Chrome Safe Browsing Policy, a GPO is the only supported way to enable extensions silently.

NOTE: For complete details on enabling the Chrome extension, see "Support for Applications that Run in Google Chrome" in the Imprivata OneSign help.

G4 Appliances Support VMware vMotion for OneSign 23.2 and Later

Imprivata G4 (fourth generation) appliances support VMware vMotion for OneSign 23.2, 23.3, and later releases. vMotion support enables the seamless and live migration of G4 appliances (ESX virtual machines) across physical hardware servers for purposes such as traditional server maintenance operations, hardware refreshes, and workload re-balancing.

OneSign and Confirm ID 7.11 and Later Releases Run Only on G4 Appliances

OneSign and Confirm ID 7.11 and later releases run only on G4 (fourth generation) appliances in a G4 enterprise.

If you’re running G3 (third generation) appliances in a G3 enterprise, or G2 (second generation) appliances in a G2 enterprise, and you want to upgrade to 7.11 or later, you must instead migrate to a G4 enterprise. You install 7.11 or later as part of the migration process. For procedures to migrate from a G3 or G2 enterprise to a G4 enterprise, see "Migrating to a G4 Enterprise" in the Imprivata Upgrade Portal.

IMPORTANT:

There are significant differences between G3 (or G2) and G4 appliances and sites. For information on G4 appliances, see G4 Appliance Types and Number of Appliances to Deploy. For a G4 enterprise, only one or two sites are used, and Imprivata recommends a maximum of two sites. For information on G4 sites, see Imprivata Sites for G4 Enterprises.

Rollback from a G4 enterprise to a G3 or G2 enterprise is not supported.

Imprivata OneSign 23.3 was Last Release to Support Direct Migrations from G2 to G4 Enterprises

Imprivata OneSign 23.3 was the last major release that supported direct migrations from G2 (second generation) to G4 (fourth generation) enterprises. For procedures to migrate from a G2 to a G4 enterprise, see "Migrating to a G4 Enterprise" in the Upgrade Portal.

Rollback from a G4 enterprise to a G2 enterprise is not supported.

Upgrade Considerations

Imprivata Platform Update - G4 Appliances

An upgrade to 24.1 requires that you install the Imprivata platform update (virtual-applianceG4-IMPRIVATA-2024-1-1.ipm) before upgrading the G4 appliance.

The platform update provides infrastructure, communication, and security improvements which must be in place before you upgrade.

Take note of the following considerations:

This platform update is supported on Imprivata OneSign 7.10 and later as part of the upgrade process or as a standalone update. If desired, you can install and distribute this platform update to your appliances without having to upgrade.

Use one of the following methods for uploading:

Upload the platform update files from a file server connected to the appliance. This is the preferred method for updating the appliances.
If you cannot use a file server, and need to upload the IPM from your local computer, using the Imprivata Appliance Console > Packages tab.
- The upgrade from 7.8 or 7.9 to 24.1 requires that you must first upload the provided increasePHPmaxPOST-2022-3-1.ipm. This small platform update temporarily increases the maximum PHP file upload size, allowing you to then upload the virtual-applianceG4-IMPRIVATA-2024-1-1.ipm file.
- The upgrade from 7.10 through 23.3 to 24.1 does not require the increasePHPmaxPOST-2022-3-1.ipm be uploaded first. You can simply upload the virtual-applianceG4-IMPRIVATA-2024-1-1.ipm platform update file

For more information about upgrading to 24.1, see the Imprivata Upgrade Help.

Considerations

The following sections describe changes in behavior in Imprivata OneSign for recent releases.

New Appliances on Non-DHCP Networks Get Prepopulated Host and Domain Names

When you set up a new G4 appliance on a network that does not use DHCP, then in the Appliance Setup Wizard process, under System Information, the Host Name and Domain Name fields get prepopulated with values localhost and localdomain. Previously, in Imprivata OneSign 7.8 and earlier, these fields were left blank. You must replace the prepopulated values with values for the permanent host name and domain name of the appliance.

Secure Walk Away – Imprivata ID Sensitivity Control May Need Adjustment for Nordic BLE Receiver

Imprivata's Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in Imprivata OneSign and Imprivata Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations. For more information, see topic Configuring Imprivata Secure Walk Away, section “Adjust Secure Walk Away – Imprivata ID Sensitivity”.