What's New in Imprivata Enterprise Access Management 24.2
Imprivata Enterprise Access Management with SSO 24.2 contains the following new features and technology updates.
New Features
We have a new name!
Imprivata has announced the introduction of new, descriptive product names, across our portfolio of products, that will soon become synonymous with Imprivata excellence across our platforms and products. These new names make it easier to understand what each product offers by aligning closely with well-understood industry terms. Our transition to these new descriptive names will be a journey throughout the year and beyond.
You will continue to see our former branded names used side by side with their new names (i.e. Imprivata Enterprise Access Management
Some interfaces in the Imprivata Admin Console, Imprivata Appliance Console, and documentation may retain the older Imprivata OneSign and Imprivata Confirm ID product names. Older releases of Imprivata OneSign will retain their former product names.
Microsoft Entra ID Only Support
Imprivata OneSign and Confirm ID now support enterprises with all users and devices in Microsoft Entra ID.
Restrict Administrator Access to Computer Policy Assignment Rules
A new control has been added in Administrator Roles that allows the Superadministrator to restrict Administrators from running computer policy assignment rules.
Imprivata Virtual Desktop Access and Microsoft Azure Virtual Desktop
Imprivata Virtual Desktop Access now supports Azure Virtual Desktop. With this expanded support, you may now configure Imprivata Virtual Desktop Access to deliver a virtual desktop to single-user Windows endpoints only.
Two-Factor Authentication for Imprivata OneSign SSPR
Imprivata OneSign Self-Service Password Reset is enhanced to support two-factor authentication. In addition to answering security questions, you can require that users respond to an Imprivata ID push notification to verify their identity.
When Imprivata ID is required, the self-service web application uses number matching. The user is prompted to enter a 2-digit code on their phone when authenticating for a domain password reset.
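The following is an added example, not Imprivata's code, of the server-side logic that number matching relies on: the web application displays a 2-digit code, the phone app returns whatever the user typed, and the server accepts only an exact match against a live, single-use challenge. The in-memory store, the function names and the attempt limit are assumptions for illustration; it requires PowerShell 7 for the .NET random-number and fixed-time comparison APIs.

```powershell
# Added example (not Imprivata code): minimal number-matching challenge lifecycle.
# A 2-digit code has only 100 possibilities, so the challenge must expire quickly,
# be usable once, and cap attempts; otherwise a push-fatigue attacker could guess.
$script:Challenges  = @{}      # challengeId -> state (constructed in-memory store)
$script:MaxAttempts = 3        # hypothetical limit
$script:TtlSeconds  = 60       # hypothetical lifetime

function New-NumberMatchChallenge {
    param([Parameter(Mandatory)][string]$UserName)
    # Cryptographically random code in 00..99, zero-padded.
    $code = '{0:D2}' -f ([System.Security.Cryptography.RandomNumberGenerator]::GetInt32(0, 100))
    $id   = [guid]::NewGuid().ToString()
    $script:Challenges[$id] = [pscustomobject]@{
        User     = $UserName
        Code     = $code
        Expires  = (Get-Date).AddSeconds($script:TtlSeconds)
        Attempts = 0
        Used     = $false
    }
    # The web app shows DisplayCode to the user; the push to the phone carries only the id.
    [pscustomobject]@{ ChallengeId = $id; DisplayCode = $code }
}

function Confirm-NumberMatch {
    param(
        [Parameter(Mandatory)][string]$ChallengeId,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$SubmittedCode   # what the user typed on the phone
    )
    $c = $script:Challenges[$ChallengeId]
    if (-not $c)                   { return 'denied: unknown challenge' }
    if ($c.Used)                   { return 'denied: already used' }
    if ((Get-Date) -gt $c.Expires) { $script:Challenges.Remove($ChallengeId); return 'denied: expired' }
    if ($c.User -ne $UserName)     { return 'denied: wrong user' }
    $c.Attempts++
    if ($c.Attempts -gt $script:MaxAttempts) {
        $script:Challenges.Remove($ChallengeId); return 'denied: too many attempts'
    }
    # Fixed-time comparison so response timing does not leak matching digits.
    $a = [System.Text.Encoding]::ASCII.GetBytes($SubmittedCode)
    $b = [System.Text.Encoding]::ASCII.GetBytes($c.Code)
    if (-not [System.Security.Cryptography.CryptographicOperations]::FixedTimeEquals($a, $b)) {
        return 'denied: code mismatch'
    }
    $c.Used = $true           # single use: a replayed approval is rejected
    return 'approved'
}

# Walk-through: web app creates the challenge, the phone app submits the typed code.
$ch    = New-NumberMatchChallenge -UserName 'jdoe'
$wrong = '{0:D2}' -f (([int]$ch.DisplayCode + 1) % 100)
Confirm-NumberMatch -ChallengeId $ch.ChallengeId -UserName 'jdoe' -SubmittedCode $wrong            # denied: code mismatch
Confirm-NumberMatch -ChallengeId $ch.ChallengeId -UserName 'jdoe' -SubmittedCode $ch.DisplayCode   # approved
Confirm-NumberMatch -ChallengeId $ch.ChallengeId -UserName 'jdoe' -SubmittedCode $ch.DisplayCode   # denied: already used
```

The point the walk-through makes is that an approval tap alone never suffices: the phone must return the digits shown on the workstation, and the challenge is consumed on first success.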
Streamlined Access to Virtual Desktops
By default, when a user is entitled to multiple virtual desktops, they are prompted to choose which one to launch. You may configure the DesktopToAutoLaunch registry key to specify which desktop should automatically launch for the user on the endpoint.
Imprivata Virtual Desktop Access supports the registry key on single-user Microsoft Windows endpoints for the following virtual desktop offerings:
- Citrix XenDesktop
- Microsoft Azure Virtual Desktop
- Microsoft Remote Desktop Services
- VMware Horizon
Non-LDAP Self-Enrollment for SAML-Only Configuration Support
Non-LDAP self-enrollment for SAML-only configuration requires the use of the Imprivata Connector for Epic Hyperdrive version 24.8 or later.
Imprivata Login Screen Enhancements
The Imprivata login screen for Microsoft Windows endpoints is enhanced to display the following Windows controls:
- Date and time
- The network menu
No additional EAM configuration is required to enable this functionality. By default, EAM honors the following:
- The Windows system locale date, time, language, and regional settings that are configured on the endpoint.
- The Windows group policy setting (Do not display network selection UI) that is configured on the endpoint. When this policy setting is disabled (not configured), users are able to access the network menu without having to log in.
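Because the network menu is reachable before any credential is entered, an administrator may want to confirm per endpoint which way the policy is set. The following added check, not Imprivata's code, reads the policy-backed registry value that the "Do not display network selection UI" setting writes (Computer Configuration > Administrative Templates > System > Logon); the function name is an assumption.

```powershell
# Added example (not Imprivata code): report whether the pre-logon network menu
# is shown on a Windows endpoint. The GPO writes DontDisplayNetworkSelectionUI
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\System: 1 = hide the menu,
# 0 = show it, absent = not configured (menu shown, which is the behaviour EAM honors).
function Get-LogonNetworkMenuState {
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $name  = 'DontDisplayNetworkSelectionUI'
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PolicyValue        = if ($null -eq $value) { 'not configured' } else { $value }
        NetworkMenuAtLogon = ($value -ne 1)
    }
}

# Local check:
Get-LogonNetworkMenuState

# Fleet check over WinRM (constructed computer names):
$endpoints = 'WS-001', 'WS-002'
Invoke-Command -ComputerName $endpoints -ScriptBlock ${function:Get-LogonNetworkMenuState} |
    Select-Object Computer, PolicyValue, NetworkMenuAtLogon
```

Endpoints reporting NetworkMenuAtLogon = True expose the network selection UI on the Imprivata login screen; whether that is acceptable is a policy decision, but the inventory makes it an explicit one.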
Technology Updates
Qualifications and Certifications
Microsoft 2020 LDAP Channel Binding and LDAP Signing Updates
While Microsoft has not announced a release date for their planned update to LDAP channel binding and LDAP signing requirements, it is recommended that Imprivata administrators verify that their Imprivata directory (domain) connections are configured for SSL. When the update is applied, any directory connection that is not configured for SSL may fail.
To verify the connection settings, go to the Directories page (Users menu > Directories) and open the required domain. Verify that Use TLS for secure communication is selected.
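Checking the Imprivata side of the connection is half of the verification; the other half is confirming on the domain controllers that LDAPS is available and that no client, the Imprivata appliance included, is still binding over plain LDAP. The following added script, not Imprivata's code, runs on a domain controller and reads the LDAP signing and channel binding enforcement values, tests the LDAPS port, and summarises Directory Service event 2889, which Windows logs for each unsigned SASL bind or cleartext simple bind once LDAP Interface Events diagnostics are set to 2. Function names are assumptions.

```powershell
# Added example (not Imprivata code): LDAP signing / channel binding readiness audit
# for a domain controller. Run as a member of Domain Admins on the DC itself.

function Get-LdapHardeningState {
    $p     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController          = $env:COMPUTERNAME
        # LDAPServerIntegrity: 0 or 1 = signing negotiated, 2 = signing required
        LDAPServerIntegrity       = $props.LDAPServerIntegrity
        # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
        LdapEnforceChannelBinding = $props.LdapEnforceChannelBinding
        # A directory connection configured for TLS needs this port open on the DC
        LdapsListening            = Test-NetConnection -ComputerName localhost -Port 636 `
                                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}

function Enable-UnsignedBindLogging {
    # Turns on per-bind logging (event 2889). Set the value back to 0 after the audit;
    # on a busy DC it is noisy.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBinds {
    param([int]$Days = 1)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The 2889 message lists client address, identity and binding type on separate lines.
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = if ($m -match 'Client IP address:\s*(\S+)')        { $Matches[1] } else { '' }
            Identity = if ($m -match 'authenticate as:\s*([^\r\n]+)')     { $Matches[1].Trim() } else { '' }
            BindType = if ($m -match 'Binding Type:\s*(\d+)')             { $Matches[1] } else { '' }
        }
    } | Group-Object Client, Identity | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Client';   e = { $_.Group[0].Client } },
            @{ n = 'Identity'; e = { $_.Group[0].Identity } },
            @{ n = 'BindType'; e = { $_.Group[0].BindType } }
}

Get-LdapHardeningState
Get-UnsignedLdapBinds -Days 1 | Format-Table -AutoSize
```

If the appliance's address or its directory service account appears in the 2889 summary, the Imprivata directory connection is still using plain LDAP and will break once signing or channel binding is enforced; after switching it to Use TLS for secure communication, the entries should stop appearing.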
TLS Support
As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release, Imprivata disables the use of older TLS versions 1.0 and 1.1 for all appliance communications.
For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.
Imprivata Google Chrome Extension
The Imprivata agent continues to install the Chrome extension for SSO, but no longer enables it.
If you plan on installing Imprivata agents on new endpoints or upgrading existing Imprivata agents, you must enable/allow the extension using a Microsoft Active Directory GPO. Per the Chrome Safe Browsing Policy, a GPO is the only supported way to enable extensions silently.
NOTE: For complete details on enabling the Chrome extension, see "Support for Applications that Run in Google Chrome" in the Imprivata OneSign help.
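A GPO that force-installs an extension writes entries under the Chrome policy key on each endpoint, so whether the policy actually reached a machine can be audited locally. The following added check, not Imprivata's code, reads that key and reports whether the expected extension ID is present. EXTENSION_ID_PLACEHOLDER must be replaced with the Imprivata extension ID from the help topic above; the Chrome Web Store update URL shown in the comment is the usual form and is an assumption here, as is the function name.

```powershell
# Added example (not Imprivata code): verify that the Chrome force-install policy
# delivered by GPO includes a given extension. GPO writes REG_SZ values named
# 1, 2, 3 ... under HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist,
# each with data "<extension id>;<update url>", for example
# "<32-char id>;https://clients2.google.com/service/update2/crx".
function Test-ChromeExtensionForced {
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $check = {
        param($id)
        $path    = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
        $entries = @()
        if (Test-Path $path) {
            $entries = (Get-ItemProperty -Path $path).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |   # skip PSPath/PSParentPath etc.
                ForEach-Object { $_.Value }
        }
        # Only the id before the ';' identifies the extension.
        $ids = $entries | ForEach-Object { ($_ -split ';')[0].Trim().ToLower() }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            PolicyPresent = (Test-Path $path)
            Forced        = ($ids -contains $id.ToLower())
            Entries       = $entries
        }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $check $ExtensionId
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $ExtensionId
    }
}

Test-ChromeExtensionForced -ExtensionId 'EXTENSION_ID_PLACEHOLDER'
Test-ChromeExtensionForced -ExtensionId 'EXTENSION_ID_PLACEHOLDER' -ComputerName 'WS-001'   # constructed name
```

A result of PolicyPresent = True but Forced = False means the GPO applied but lists a different extension; PolicyPresent = False means the policy has not reached the endpoint at all (check gpresult before looking at the extension itself).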
Microsoft Deprecation of VBScript
Microsoft has announced the deprecation of VBScript, but has not announced a release date on which VBScript will be retired.
Per Microsoft, VBScript will be available as a feature on demand before being retired in a future Windows release. While Imprivata procedure code extension objects continue to support VBScript, it is recommended that Imprivata administrators create new event triggers using another supported scripting language, such as JavaScript, while planning for the retirement of VBScript.
Upgrade Considerations
Imprivata Platform Update - G4 Appliances
An upgrade to 24.2 requires that you install the Imprivata platform update (virtual-applianceG4-IMPRIVATA-2024-2-1.ipm) before upgrading the G4 appliance.
The platform update provides infrastructure, communication, and security improvements which must be in place before you upgrade.
Take note of the following considerations:
- This platform update is supported on Imprivata OneSign 7.10 and later as part of the upgrade process or as a standalone update. If desired, you can install and distribute this platform update to your appliances without having to upgrade.
  Use one of the following methods for uploading:
  - Upload the platform update files from a file server connected to the appliance. This is the preferred method for updating the appliances.
  - If you cannot use a file server and need to upload the IPM from your local computer, use the Imprivata Appliance Console > Packages tab.
- The upgrade from 7.8 or 7.9 to 24.2 requires that you first upload the provided increasePHPmaxPOST-2022-3-1.ipm. This small platform update temporarily increases the maximum PHP file upload size, allowing you to then upload the virtual-applianceG4-IMPRIVATA-2024-2-1.ipm file.
- The upgrade from 7.10 through 24.1 to 24.2 does not require that increasePHPmaxPOST-2022-3-1.ipm be uploaded first. You can simply upload the virtual-applianceG4-IMPRIVATA-2024-2-1.ipm platform update file.
- For more information about upgrading to 24.2, see the Imprivata Upgrade Help.
Considerations
The following sections describe changes in behavior in
New Appliances on Non-DHCP Networks Get Prepopulated Host and Domain Names
When you set up a new G4 appliance on a network that does not use DHCP, the Host Name and Domain Name fields under System Information in the Appliance Setup Wizard are prepopulated with the values localhost and localdomain. Previously, in
Secure Walk Away – Imprivata ID Sensitivity Control May Need Adjustment for Nordic BLE Receiver
Imprivata's Secure Walk Away added support for a Nordic Bluetooth Low Energy (BLE) receiver in Imprivata OneSign and Imprivata Confirm ID 7.11. The Bluetooth receiver sensitivity may vary for different mobile devices. If your users report that their workstations lock because Secure Walk Away does not detect their mobile devices, adjust the Secure Walk Away – Imprivata ID Sensitivity slider control in the computer policy assigned to those workstations. For more information, see topic