Exported Policy Elements

When you export a user or computer policy, the XML file contains the listed elements. Common and Base fields are present in both user and computer policies. For unique fields, see the User Policy Fields or Computer Policy Fields tables in this topic.

General Fields

Element Name Definition
<generalInfo> General information about the exported file
<applianceName> Appliance host name
<creationDate> Date and time of the policy export
<exportedBy> ID of policy exporter
<oneSignBuildVersion> OneSign build version
<oneSignServerVersion> Short server version
<userPolicies number="X"> or <computerPolicies number="X"> This node contains all policies - “number” specifies how many policies were exported
<policyData numberOfAssignedUsers="X" policyName="exportTestUserPolicy"> Contains policy information - “numberOfAssignedUsers” specifies the number of users assigned to this policy - “policyName” is name of the exported policy
<defaultType> Policy type

Base Fields

Element Name Definition
<basePolicyFields> Holds the fields common to user and computer policies
<allowAccountsManager> Displays Manage Passwords command in the agent tray menu (User policy/ Single Sign-on tab)
<allowIDTokenOffline> Allows Offline Authentication with OneSpan (VASCO) OTP token (User policy/ Authentication tab/ Authentication method options section)
<allowIDTokenSelfEnroll> Allows users to enroll OneSpan (VASCO) OTP tokens (User policy/ Authentication tab/ Authentication method options section)
<allowPauseSSO> Allows users to bypass single sign-on to access applications (User policy/ Single Sign-on tab)
<allowResetCreds> Allows users to modify and delete application single sign-on credentials (User policy/ Single Sign-on tab)
<authCombinationsSet>

Authentication combinations for Desktop Access authentication

  • 0 – none selected

  • 1 – PWD

  • 2 – FP

  • 3 – FP + PWD

  • 4 – VASCO OTP token

  • 5 – VASCO OTP + Require password for tokens that do not have a PIN

  • 8 – ProxCard (and for built-in proximity card if Smart Card selected)

  • 9 – ProxCard + PWD (and for built-in proximity card if Smart Card selected)

  • 10 – ProxCard + FP (and for built-in proximity card if Smart Card selected)

  • 9 and 10 – ProxCard + (FP or PWD) (and for built-in proximity card if Smart Card selected)

  • 10 and 264 – ProxCard + (FP or Imprivata PIN) (and for built-in proximity card if Smart Card selected)

  • 16 – Smart Card or USB token using Active Directory certificate

  • 32 – Answer security questions

  • 64 – Smart Card or USB token using external certificate

  • 128 – ID token

  • 258 – FP + Imprivata PIN

  • 264 – ProxCard + Imprivata PIN (and for built-in proximity card if Smart Card selected)

<authCombinationsRemoteSet>

Authentication combinations for Remote access authentication (requires RADIUS server)

  • 0 – none selected

  • 1 – PWD

  • 4 – VASCO OTP token

  • 5 – VASCO OTP + Require password for tokens that do not have a PIN

  • 128 – ID token

  • 512 – Symantec VIP Credential token

<challengeDurationLimitDays>, <challengeDurationLimitHours> Don't challenge users when transitioning from offline to online if it is within N days and M hours since their last successful online authentication (User policy/ Challenges tab)
<challengeInterval> Time interval between challenges (User policy/ Challenges tab)
<creationDate> Date and time when policy was created
<delegateMode>
  • 0 - let all administrators apply this policy

  • 1 – only administrator who created this policy can apply it

(User policy/ Authentication tab)

<fingerAttempts> Number of sequential failed fingerprint authentication attempts before authentication failure (User policy/ Authentication tab/ Authentication method options section)
<forceIDTokenEnrollment> Locks computer if user cancels enrollment (User policy/ Authentication tab/ Authentication method options section)
<gracePeriodSettingsArray>

Contains information about grace period for second authentication factor. Currently EAM has grace periods for only:

  • Fingerprint (second element in the array)

  • ProxCard (fourth element in the array)

All other elements describe modalities without grace periods for second authentication factor: Password, VASCO OTP token, Smart Card or USB token using Active Directory certificate, Q&A, Smart Card or USB token using external certificate, External ID token, PIN, Symantec token, HFOTP token, OOB (SMS)

Attribute ‘xsi:nil="true"’ – grace period does not exist for this modality

<enabled> - grace period enabled

<duration> - duration of grace period

(User policy/ Authentication tab/ Authentication method options section)

<hotKey> Hot key to lock workstation or log off user (User policy/ Challenges tab)
<idTokenOfflineLifeSpan> Offline data lifespan for VASCO OTP token (User policy/ Authentication tab/ Authentication method options section)
<isChallengeOfflineToOnline> Always challenge users when transitioning from offline to online (User policy/ Challenges tab)
<isDefault> Defines whether this is a default policy
<lastModifiedDate> Last date and time the policy was changed
<nonWinSmartCardAlternateModes>

Allows temporary use of conditional primary methods (with optional second factor) after initial certificate-based authentication for Smart Card or USB token using external certificate - Possible values:

  • 0 – none

  • 1 – password

  • 2 – built-in proximity card

  • 3 – password, prox card with second factor

(User policy/ Authentication tab/ Desktop Access authentication section)

<nonWinSmartCardValidateCertDates> Allows smart card enrollment and authentication only while certificate is valid (User policy/ Authentication tab/ Authentication method options section)
<offlineAMAllowed> Allows offline authentication (User policy/ Authentication tab/ Desktop Access authentication section)
<offlineSSOAllowed> Allows offline single sign-on to applications (User policy/ Single Sign-on tab)
<offlineSSOLifeSpan> Limits offline single sign-on data lifespan in days (User policy/ Single Sign-on tab)
<offlineSSOLifeSpanLimitEnforced> Specifies whether the offline single sign-on data lifespan limit is enforced (User policy/ Single Sign-on tab)
<policyName> Name of the policy
<proxEnabledAsPrimary> Set prox card authentication as primary factor (User policy/ Authentication tab/ Desktop Access authentication section)
<suspendAction>

Controls the result of inactivity challenge or on pressing hot key:

  • 0 – Lock Workstation/Suspend OneSign Session

  • 1 – Log off User/Terminate OneSign Session

(User policy/ Challenges tab)

<ticket> Ticket
<winSmartCardAlternateModes>

Allows temporary use of conditional primary methods (with optional second factor) after initial certificate-based authentication for Smart Card or USB token using Active Directory certificate - Possible values:

  • 0 – none

  • 1 – password

  • 2 – built-in proximity card

  • 3 – password, prox card with second factor

(User policy/ Authentication tab/ Desktop Access authentication section)

User Policy Fields

Element Name Definition
<userPolicyFields> Contains user policy related information
<addMoreFingerprints> Allows users to manage fingerprints (User policy/ Authentication tab/ Authentication method options section)
<allowProxCardReenrollment> Allows users to enroll a replacement card (User policy/ Authentication tab/ Authentication method options section)
<allowSSPasswordReminder> Allows users to reveal application passwords (User policy/ Single Sign-on tab)
<allowSSPasswordReset> Allows users to reset their primary authentication password (User policy/ Self-service password reset tab)
<allowSSPinReset> Allows users to reset their Imprivata PIN (User policy/ Self-service password reset tab)
<allowedAuthMethodsSet>

Licensed options:

  • FINGER_ID – Fingerprint Identification

  • DIGIPASS – VASCO OTP Token Authentication

  • SYMANTEC_TOKEN – Symantec VIP Credential Authentication

  • HFOTP – Hands Free Authentication

(User policy/ Authentication tab/ Licensed options section)

<allowedNumOfFingers> Maximum allowed enrolled fingers (User policy/ Authentication tab/ Authentication method options section)
<authQandAModeMonthlyLimit> Maximum security question logins per month (User policy/ Authentication tab/ Authentication method options section)
<challengeSSPasswordReminder> Require users to answer security questions to reveal application credentials (User policy/ Single Sign-on tab)
<clientInactiveInterval> Period of inactivity allowed before challenge (User policy/ Challenges tab)
<failureCount> Locks a user account after N consecutive authentication failures (User policy/ Authentication tab/ Lockout section)
<failureCountInterval> Number of minutes within which <failureCount> must occur to trigger user lockout (User policy/ Authentication tab/ Lockout section)
<forceEnrollment> Requires users to enroll security questions at login (User policy/ Self-service password reset tab)
<lockoutInterval> Locks account for N minutes when triggered
<maxEnrollmentDeferrals> Maximum enrollment deferrals
<nonWinSmartProxGracePeriod> Allows use of conditional primary methods for specified period of time with Smart Card or USB token using external certificate (User policy/ Authentication tab/ Desktop Access authentication section)
<numQuestionsAuthenticate> Number of questions that must be answered to authenticate (User policy/ Authentication tab/ Authentication method options section)
<numQuestionsEnroll> Number of questions required to enroll (User policy/ Authentication tab/ Authentication method options section)
<pinDaysValid> PIN expiration in days (User policy/ Authentication tab/ Authentication method options section)
<pinEnforceHistoryLimit> Prohibits PIN that matches the last N PINs created, as set by <pinHistoryLimit> (User policy/ Authentication tab/ Authentication method options section)
<pinExtendedAllowed> Allows the use of letters and special characters in PINs (User policy/ Authentication tab/ Authentication method options section)
<pinForceEnrollment> Requires users to enroll Imprivata PIN (User policy/ Authentication tab/ Authentication method options section)
<pinForceExpiration> Requires Imprivata PIN change on expiration (User policy/ Authentication tab/ Authentication method options section)
<pinForceNoRepeatingNumbers> Prohibits repeated digits (1111, 888888) (User policy/ Authentication tab/ Authentication method options section)
<pinForceNoSequentialNumbers> Prohibits consecutive numbers (1234, 987654) (User policy/ Authentication tab/ Authentication method options section)
<pinHistoryLimit> Number of last created PINs that are not allowed to match a new PIN (User policy/ Authentication tab/ Authentication method options section)
<pinMaxLength> Maximum PIN length (User policy/ Authentication tab/ Authentication method options section)
<pinMinLength> Minimum PIN length (User policy/ Authentication tab/ Authentication method options section)
<proxCardLimit> The number of cards a user is allowed to enroll (User policy/ Authentication tab/ Authentication method options section)
<showPassManagerTips> Show information about managing passwords in notification area balloon tips (User policy/ Single Sign-on tab)
<showTeaser> Show greeting notification balloon when users log in (User policy/ Authentication tab/ Desktop Access authentication section)
<sspwForceReauth> Requires users to re-authenticate after resetting their password (User policy/ Self-service password reset tab)
<tokenToProvision>

Specifies the token your users will receive when enrolling Imprivata ID:

  • IMPR

(User policy/ Authentication tab/ Imprivata ID section)

<vdiSettings>

Virtual desktops settings:

  • 0 – disabled virtual desktop access automation

  • 1 – Automate access to full VDI desktops for VMware

  • 2 – Automate access to full VDI desktops for Citrix

  • 3 – Automate access to applications or published desktops

  • 4 – Automate access to full VDI desktops for Microsoft

  • 5 – Automate access to Remote PC

(User policy/ Virtual desktops tab)

<winSmartProxGracePeriod> Allows use of conditional primary methods for specified period of time with Smart Card or USB token using Active Directory certificate (User policy/ Authentication tab/ Desktop Access authentication section)
<virtualDesktops> Information about different virtual desktop types. (User policy/ Virtual desktops tab)
<rdsAppAutolaunchApplicationsArray> Contains information about Microsoft Remote Desktop Services session-based and virtual desktops and remote apps
<rdsAppAutolaunchDirectPCsArray> Contains information about Microsoft Remote Desktop Services - Remote PC
<vmWareAppAutolaunchApplicationsArray> Contains information about Omnissa Horizon – Desktops and Apps
<xenAppAutolaunchApplicationsArray> Contains information about Citrix XenDesktop and Apps

Computer Policy Fields

Element Name Definition
<computerPolicyFields> Contains computer policy related information
<RFIDeasConfig1> Card reader configuration 1 (Computer policy/ General tab/ Card readers section)
<RFIDeasConfig2> Card reader configuration 2 (Computer policy/ General tab/ Card readers section)
<agentAllowLocalOverride>

Under the control that specifies whether a user is allowed to log in if OneSign authentication fails, but Windows authentication succeeds - set to ‘True’ if ‘These local users or local groups’ is selected

(Computer policy/ General tab/ Authentication section)

<agentAutoUpdateType>

When an agent upgrade is available:

  • 0 – Do nothing

  • 1 – Prompt the user to download and install upgrade

(Computer policy/ General tab/ Agent upgrades section)

<agentEnableAgentLogging>

Enable agent logging (Computer policy/ General tab/ Agent logging section)

<agentEnableAgentTodoFUS>

Endpoints with an installed agent:

  • false – Do not allow remote Fast User Switching

  • true – Allow Fast User Switching with the remote server if allowed in computer policy

(Computer policy/ Citrix or Terminal Server tab/ Fast User Switching section)

<agentEnablePRiDETodoFUS>

Endpoints with an installed ProveID Embedded agent:

  • false - Do not allow remote Fast User Switching

  • true – Allow Fast User Switching with the remote server if allowed in computer policy

(Computer policy/ Citrix or Terminal Server tab/ Fast User Switching section)

<agentExitAllowed> Allows users to exit and disable agent (Computer policy/ General tab/ Authentication section)
<agentFUSForRemoteApp> Allow Fast User Switching with Citrix or Terminal Servers (Computer policy/ Shared Workstation tab/ Kiosk Workstations section)
<agentForceTicketAuthenticationOnCitrixAgent>
<agentInactivityNoticeInterval> Displays a notification of the current signed-in user after N seconds of inactivity (Computer policy/ Walk-Away Security tab)
<agentLogMaxFileSize> Maximum file size for agent log (Computer policy/ General tab/ Agent Logging section)
<agentLoginWithoutOneSignAllowed>

Controls whether a user is allowed to log in if EAM authentication fails, but Windows authentication succeeds

(Computer policy/ General tab/ Authentication section)

<agentShutdownCitrixClientAllowed> Controls whether Citrix clients automatically shut down when switching users on this workstation (Computer policy/ Shared Workstation tab/ Kiosk Workstations section)
<agentTestLocalLogonAllowed>
  • true – Authenticate using Windows

  • false – Authenticate using Imprivata

(Computer policy/ Shared Workstation tab/ Windows Authentications section)

<agentThinClient>

Endpoints without an agent:

  • false – Do not allow remote Fast User Switching

  • true – Allow remote Fast User Switching for the specified users

(Computer policy/ Citrix or Terminal Server tab/ Fast User Switching section)

<allowGinaShutdown> Allows users to shut down and restart workstation from the lock screen (Computer policy/ General tab)
<app1StateLockCondition>,<app2StateLockCondition>

Application profiles condition for Walk-Away Security:

  • 0 – User is logged off

  • 1 – Application is not running

  • 2 – User is logged off or Application is not running

(Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)

<app1StateLockEnabled>, <app2StateLockEnabled> Enable application 1 or application 2 as alternate warning and lock times (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<app1StateLockUuid>, <app2StateLockUuid> UUID of selected application (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<appStateLockEnabled> Use alternate inactivity warning and lock times in addition to keyboard and mouse inactivity (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<appStateLockTime> Lock workstation with selected application state (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<appStateWarningTime> Show lock warning with selected application state (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<authDialogTimeout> Close the Imprivata authentication dialog (the desktop will remain visible) if there is no user activity for N seconds (Computer policy/ Walk-Away Security tab/ Lock screen section)
<autoSessionReconnect> Automatically reconnect on session end (Computer policy/ Shared Workstation tab/ Kiosk Workstations section)
<automaticKeyProvisioningEnabled> Always trust the Citrix or Terminal Server (Computer policy/ Citrix or Terminal Server tab/ Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section)
<countdownIndicatorType>

Type of workstation lock warning:

  • 0 – none

  • 1 – Notification balloon

  • 2 – Fade to Lock (screensaver)

(Computer policy/ Walk-Away Security tab/ Warning section)

<displayGreeting> Displays a temporary greeting to the signed-in user at log-in (Computer policy/ Shared Workstation tab/ Notifications section)
<enableReaderBeep> Beep card reader when user taps card (Computer policy/ General tab/ Card readers section)
<fpidFailureCountBeforeLock> Sets the number of fingerprint ID failures allowed in the interval specified in <fpidFailureCountInterval> before the workstation is locked. (Computer policy/ Fingerprint tab/ Fingerprint Identification section)
<fpidFailureCountInterval> Sets the interval during which the number of fingerprint ID failures specified in <fpidFailureCountBeforeLock> must occur before the workstation is locked. (Computer policy/ Fingerprint tab/ Fingerprint Identification section)
<fpidLockoutInterval> Sets the lockout period for the fingerprint ID failure conditions specified in <fpidFailureCountBeforeLock> and <fpidFailureCountInterval>
<greetingDuration> Greeting duration in seconds (Computer policy/ Shared Workstation tab/ Notifications section)
<imprivataIDRange> Controls workstation Bluetooth sensitivity range for Imprivata ID (Computer policy/ General tab/ Imprivata ID section)
<inactivityFadeDuration> Inactivity fade duration for Fade to Lock (screensaver) (Computer policy/ Walk-Away Security tab/ Warning section)
<inactivityLockEnabled> Automatically locks workstation after a period of keyboard or mouse inactivity (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<inactivityLockInterval> Locks workstation after the specified period of inactivity (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<inactivityWarningMessage> Text of the inactivity warning message (Computer policy/ Walk-Away Security tab/ Warning section)
<inactivityWarningTime> Shows a warning after the specified period of inactivity (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<isRdsRemotePCAutomateAccessEnabled> Automate access to remote PC (Computer policy/ Virtual Desktops tab/ Microsoft section)
<isRdsRemotePCCloseSessionEnabled>

When a remote desktop endpoint is locked:

  • false – Keep the remote desktop and user session active

  • true – Shutdown the remote desktop and disconnect the user session

(Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)

<kerberosAllowed> Allows Kerberos authentication in place of OneSign authentication (Computer policy/ General tab/ Authentication section)
<legacyATRMode> Enable legacy mode for HID card readers (Computer policy/ General tab/ Card readers section)
<localAccounts>, contains <localAdminEnabled>, <localGroupsEnabled>, <localUsersEnabled> Local admin, users and local groups which are allowed to log in to the computer
<lowLoad> Number of Desktops with no inactivity Log-off (Computer policy/ Shared Workstation tab/ Multiple Windows Desktops Workstations section)
<messagePosition>

Position of the on-screen workstation lock indicator:

  • bottom

  • top

  • off

(Computer policy/ Walk-Away Security tab/ Lock screen section)

<multiWinSession> Enable multiple Windows desktops (Computer policy/ Shared Workstation tab/ Multiple Windows Desktops Workstations section)
<nonOneSignUserVdiSettings>

Select the virtual desktop environment for thin client users who are not enabled in Imprivata:

  • 2 – Citrix XenDesktop

  • 3 – Citrix XenApp

  • 7 – Microsoft remote PC

(Computer policy/ Virtual Desktops tab/ Users not enabled in Imprivata section)

<normalLoad> Number of Desktops during Normal Load (Computer policy/ Shared Workstation tab/ Multiple Windows Desktops Workstations section)
<opaqueScreenLock> Obscures the desktop when the workstation is locked (Computer policy/ Walk-Away Security tab/ Lock screen section)
<overrideAuthenticationSettings> Allows the computer policy to override user policy authentication settings (Computer policy/ Override and Restrict tab/ Desktop Access Authentication Restrictions section)
<overrideChallengesSettings> Allows the computer policy to override user policy challenge settings (Computer policy/ Override and Restrict tab/ Desktop Access Authentication Restrictions section)
<overrideSingleSignOnSettings> Allows the computer policy to override user policy single sign-on settings (Computer policy/ Override and Restrict tab/ Desktop Access Authentication Restrictions section)
<prideUpgradeScheduledOnIdle>

When an agent upgrade is available:

  • false – Install the upgrade only on reboot

  • true – Install the upgrade when idle or on reboot

(Computer policy/ General tab/ ProveID Embedded agent version section)

<programHid5x27Config> Program HID 5x27 card reader configurations (Computer policy/ General tab/ Card readers section)
<proxCardPassiveCardLockAllowed>

Locking workstation via proximity card:

  • 0 – None

  • 1 – Tap to lock

  • 2 – Switch user (tap over)

(Computer policy/ Walk-Away Security tab/ Passive proximity cards section)

<rdsAppOnLockOptions>

Automates access to RemoteApps - When a Remote Desktop endpoint is locked:

  • 0 – Shutdown the remote applications and disconnect the user session

  • 1 – Keep the remote applications and user session active

(Computer policy/ Virtual Desktops tab/ Microsoft section)

<rdsAppStartupOptions>

Automates access to RemoteApps:

  • 1 – Not selected

  • 3 – Selected

(Computer policy/ Virtual Desktops tab/ Microsoft section)

<rdsDesktopOnLockOptions>

Automates access to session-based and virtual desktops - when a Remote Desktop endpoint is locked:

  • 0 - Shutdown the remote desktop and disconnect the user session

  • 1 - Keep the remote desktop and user session active

(Computer policy/ Virtual Desktops tab/ Microsoft section)

<rdsDesktopStartupOptions>

Automates access to session-based and virtual desktops:

  • 1 – No automatic access when ‘Always prompt the user to choose their desktop’ is selected

  • 5 – No automatic access when ‘Prompt the user only if they have multiple desktops’ is selected

  • 9 – No automatic access when ‘Always display all user desktops’ is selected

  • 17 – Always prompt the user to choose their desktop

  • 21 – Prompt the user only if they have multiple desktops

  • 25 – Always display all user desktops

(Computer policy/ Virtual Desktops tab/ Microsoft section)

<screenLockApplicationName>, <stateLockApplicationName1>, <stateLockApplicationName2> Names of applications or states which can be specified for unique Secure Walk-Away settings (Computer policy/ Walk-Away Security tab/ Inactivity-based presence detection section)
<securePrintingEnabled> Enable Imprivata Print Connector (Computer policy/ Shared Workstations tab/ Print Connector section)
<sessionLimit> Maximum number of concurrent Windows desktops (Computer policy/ Shared Workstations tab/ Multiple Windows Desktops Workstations section)
<showBackgroundApplication> Make application visible when the workstation is locked (Computer policy/ Walk-Away Security tab/ Lock screen section)
<smartCardTreatedAsProxCardAllowed> Treat smart card authentications as proximity card authentications (Computer policy/ General tab/ Smart card readers section)
<swaFadeDuration> Secure Walk-Away fade duration for Fade to Lock (screensaver) (Computer policy/ Walk-Away Security tab/ Warning section)
<ticketAuthOption>

Authenticates a XenApp or Terminal Server Windows session user based on the identity of the Imprivata user on the client computer (OneSign Ticket Authentication):

  • 0 – The XenApp or Terminal Server Windows session user and Imprivata user are always the same

  • 1 – Anonymous XenApp or Terminal Server sessions or OneSign Fast User Switching sessions

  • 2 – OneSign Fast User Switching sessions (generic user or anonymous XenApp or Terminal Server sessions)

  • 3 – Anonymous XenApp or Terminal Server sessions

  • 4 – All XenApp or Terminal Server sessions

(Computer policy/ Citrix or Terminal Server tab/ Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section)

<timeoutAboveNormalLoad> Period of desktop inactivity before Windows log off in Above Normal Load conditions (Computer policy/ Shared Workstations tab/ Multiple Windows Desktops Workstations section)
<timeoutUnderNormalLoad> Period of desktop inactivity before Windows log off in At or Below Normal Load conditions (Computer policy/ Shared Workstations tab/ Multiple Windows Desktops Workstations section)
<transLockMessage> When the workstation is locked, displays an on-screen indicator with text (Computer policy/ Walk-Away Security tab/ Lock screen section)
<transLockOnMouseMove> Ignore mouse movement when the workstation is locked (Computer policy/ Walk-Away Security tab/ Lock screen section)
<transLockedAppUuid> UUID of selected application for lock screen (Computer policy/ Walk-Away Security tab/ Lock screen section)
<usernameDisplayOption>

Applies to inactivity notifications, warnings and locked computers:

  • 0 – First and last names

  • 1 – First name, last initial

  • 2 – First name only

  • 3 – Username only

(Computer policy/ General tab/ Display name format section)

<vmwareAppOnLockOptions>

Controls access to Omnissa Horizon Apps - when an Omnissa Horizon endpoint is locked:

  • 0 – Shutdown the Omnissa Horizon client and disconnect the user session

  • 1 – Keep the Omnissa Horizon client and user session active

(Computer policy/ Virtual Desktops tab/ VMware section)

<vmwareAppStartupOptions>

Automates access to Omnissa Horizon Apps:

  • 0 – No automatic access when ‘User must start VMware Horizon client’ is selected

  • 1 – No automatic access when ‘Automatically start VMware Horizon client’ is selected

  • 32 – User must start Omnissa Horizon client

  • 33 – Automatically start Omnissa Horizon client

(Computer policy/ Virtual Desktops tab/ VMware section)

<vmwareViewOnLockOptions>

Controls access to Omnissa Horizon desktops - when an Omnissa Horizon endpoint is locked:

  • 0 – Shutdown the Omnissa Horizon client and disconnect the user session

  • 1 – Keep the Omnissa Horizon client and user session active

(Computer policy/ Virtual Desktops tab/ VMware section)

<vmwareViewStartupOptions>

Automates access to Omnissa Horizon Desktop:

  • 0 – No automatic access when ‘User must start VMware Horizon client’ is selected

  • 1 – No automatic access when ‘Automatically start VMware Horizon client’ is selected

  • 9 – Automatically start Omnissa Horizon client with additional options:

    • Prompt for user credentials

    • Always prompt the user to choose their desktop

  • 11 – Automatically start Omnissa Horizon client with additional options:

    • Automatically log in

    • Always prompt the user to choose their desktop

  • 13 – Automatically start Omnissa Horizon client with additional options:

    • Prompt for user credentials

    • Prompt the user only if they have multiple desktops

  • 14 – User must start Omnissa Horizon client

  • 15 – Automatically start Omnissa Horizon client with additional options:

    • Automatically log in

    • Prompt the user only if they have multiple desktops

(Computer policy/ Virtual Desktops tab/ VMware section)

<xenAppOnLockOptions>

When a Citrix XenApp endpoint is locked:

  • 0 – Shutdown the XenApp client and disconnect the user session

  • 1 – Keep the XenApp client and user session active

(Computer policy/ Virtual Desktops tab/ Citrix section)

<xenAppStartupOptions>

Automates access to Citrix XenApps:

  • 0 – No automatic access when ‘User must start XenApps client’ is selected

  • 1 – No automatic access when ‘Automatically start XenApps client’ is selected

  • 2 – User must start XenApps client

  • 3 – Automatically start XenApps client

(Computer policy/ Virtual Desktops tab/ Citrix section)

<xenDesktopOnLockOptions>

When a Citrix XenDesktop endpoint is locked:

  • 0 – Shut down the XenDesktop client and disconnect the user session

  • 1 – Keep the XenDesktop client and user session active

(Computer policy/ Virtual Desktops tab/ Citrix section)

<epicExtension> This node contains the different configurations for ‘Connector for Epic’ - the ‘epicWorkflowName’ attribute is the name of the Confirm ID signing workflow (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<displayPrivacyScreen> Obscure Epic application windows when switching users (Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)
<epcsErrorMessage> Display this message when the attempted authentication method for e-prescribing controlled substances is not allowed (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<epicDomain> Epic domain (Computer policy/ Connector for Epic tab/ User Accounts section)
<epicEnforcesEPCSWorkflow> Epic Hyperspace enforces a second-factor authentication method (password or challenge question) for e-prescribing controlled substances (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<epicLockType1>, <epicLockTriggerEvent1>

Locks workstation single sign-on when Users are sharing the same Epic session:

  • 0,0 – Log out Epic when the endpoint desktop is locked if <epicLockType1>=0

  • 0,1 – Log out Epic only when a different user accesses the desktop if <epicLockType1>=0

  • 1,0 – Secure Epic when the endpoint desktop is locked if <epicLockType1>=1

  • 1,1 – Secure Epic only when a different user accesses the desktop if <epicLockType1>=1

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<epicLockType2>, <epicLockTriggerEvent2>

Locks workstation single sign-on when each user has their own Epic session:

  • -1,0 – Never lock Epic

  • 1,0 – Secure Epic when the endpoint desktop is locked

  • 0,0 – Log out Epic when the endpoint desktop is locked

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<epicLockType3>, <epicLockTriggerEvent3>

Locks workstation single sign-on on Epic only:

  • 0,2 – Log out of Epic

  • 1,2 – Secure Epic

  • 2,2 – Log out of Epic and switch Epic user (tap over)

  • 3,2 – Secure Epic and switch Epic user (tap over)

  • -1,2 – Never lock Epic

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<epicNetworkConf>

Defines Epic and Imprivata username relations:

  • 0 – Epic and Imprivata usernames are the same (non-LDAP Epic)

  • 1 – Epic and Imprivata usernames are different (non-LDAP Epic)

  • 2 – Epic and Imprivata usernames and passwords are the same (LDAP Epic)

(Computer policy/ Connector for Epic tab/ User Accounts section)

<epicPrivacyScreenTimeout> Force close Epic if application window is still obscured after N seconds (Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)
<epicRequiresPassword>

Credentials provided during sign-on to Epic:

  • false – Epic username only

  • true – Epic username and password

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<epicWindowCaption> Epic window caption text (Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)
<epicWorkflowUuid> UUID in Confirm ID signing workflow database (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<multiApp>

Workstation single sign-on:

  • true – Multi-App

  • false – Epic only

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<orderSigningAllowedModalities> Allowed ProveID authentication methods (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<orderSigningErrorMessage> Message displayed when the attempted authentication method is not allowed (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<ownEpicSession>
  • false – Users are sharing the same Epic session

  • true – Each user has their own Epic session

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<proxyEpicCredentialsOnlyOnce>

On Epic user manual log out, desktop secure, or Epic timeout:

  • false – Automatically log in same user

  • true – Do nothing (until the next Imprivata desktop login)

(Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)

<timeoutToRedisplayProveIDAuthDialog> Redisplay the Epic authentication ProveID dialog, in the specified time after it is closed (Computer policy/ Connector for Epic tab/ Epic single sign-on workflows section)
<useConfirmIdForEpicSigningWorkflows> Use Confirm ID for e-prescribing controlled substances (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<useOneSignSecondFactorGracePeriodForOrderSigning> Honor second factor grace period (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<useProveIdForDualSignOffWorkflow> Use ProveID for Epic 'Different user authentication' workflow (Computer policy/ Connector for Epic tab/ Epic signing workflows section)
<uuid> UUID of Epic extension in database
<extensionsAndCalloutScripts> Contains information about extensions and callout scripts (Computer policy/ Extensions tab)
<calloutScripts>, <extensions> Configured callout scripts and extensions
<lastModifiedBy> User who made most recent callout script change
<lastModifiedDate> Date of most recent change
<scriptName> Name of callout script
<extObjectName> Name of extension object
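
An audit pass over an exported policy file, as an added example (not Imprivata's code): it compares the declared `number` attribute with the policies actually present and flags a few settings from the tables above. The sample XML, its `<export>` root name, its nesting, the `true`/`false` spelling of values and the `min_pin_length` threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# (element, value that raises a finding, effect as described in the tables above)
BOOLEAN_RULES = [
    ("agentLoginWithoutOneSignAllowed", "true",
     "login allowed when EAM authentication fails but Windows authentication succeeds"),
    ("agentExitAllowed", "true", "users can exit and disable the agent"),
    ("inactivityLockEnabled", "false",
     "workstation does not lock automatically after keyboard or mouse inactivity"),
    ("opaqueScreenLock", "false",
     "desktop is not obscured while the workstation is locked"),
]

# Constructed samples. The root name <export>, the nesting and the values are assumptions.
USER_EXPORT = """<export>
  <userPolicies number="1">
    <policyData numberOfAssignedUsers="12" policyName="exportTestUserPolicy">
      <basePolicyFields>
        <policyName>exportTestUserPolicy</policyName>
      </basePolicyFields>
      <userPolicyFields>
        <allowSSPasswordReminder>true</allowSSPasswordReminder>
        <challengeSSPasswordReminder>false</challengeSSPasswordReminder>
        <pinMinLength>4</pinMinLength>
      </userPolicyFields>
    </policyData>
  </userPolicies>
</export>"""

COMPUTER_EXPORT = """<export>
  <computerPolicies number="2">
    <policyData policyName="exportTestComputerPolicy">
      <computerPolicyFields>
        <agentLoginWithoutOneSignAllowed>true</agentLoginWithoutOneSignAllowed>
        <agentExitAllowed>false</agentExitAllowed>
        <inactivityLockEnabled>true</inactivityLockEnabled>
        <opaqueScreenLock>false</opaqueScreenLock>
      </computerPolicyFields>
    </policyData>
  </computerPolicies>
</export>"""


def local(tag):
    """Strip an XML namespace prefix of the form {uri}name, if present."""
    return tag.rsplit("}", 1)[-1]


def fields_of(policy):
    """Map each leaf element name under a <policyData> node to its text (first occurrence wins)."""
    values = {}
    for el in policy.iter():
        if len(el) == 0 and el.text and el.text.strip():
            values.setdefault(local(el.tag), el.text.strip())
    return values


def audit_export(xml_text, min_pin_length=6):
    """Return a list of (policy or container name, element, message) findings."""
    findings = []
    root = ET.fromstring(xml_text)
    for container in root.iter():
        kind = local(container.tag)
        if kind not in ("userPolicies", "computerPolicies"):
            continue
        policies = [p for p in container if local(p.tag) == "policyData"]
        # "number" specifies how many policies were exported; a mismatch
        # means the file was truncated or edited after export.
        declared = container.get("number")
        if declared is not None and declared.isdigit() and int(declared) != len(policies):
            findings.append((kind, "number",
                             f"declares {declared} policies, file contains {len(policies)}"))
        for policy in policies:
            name = policy.get("policyName", "(unnamed)")
            values = fields_of(policy)
            for element, bad, meaning in BOOLEAN_RULES:
                if values.get(element, "").lower() == bad:
                    findings.append((name, element, meaning))
            # Revealing application passwords without the security-question challenge.
            if (values.get("allowSSPasswordReminder", "").lower() == "true"
                    and values.get("challengeSSPasswordReminder", "").lower() != "true"):
                findings.append((name, "allowSSPasswordReminder",
                                 "application passwords can be revealed without "
                                 "answering security questions"))
            pin = values.get("pinMinLength", "")
            if pin.isdigit() and int(pin) < min_pin_length:
                findings.append((name, "pinMinLength",
                                 f"minimum PIN length {pin} is below {min_pin_length}"))
    return findings


if __name__ == "__main__":
    for sample in (USER_EXPORT, COMPUTER_EXPORT):
        for finding in audit_export(sample):
            print(" | ".join(finding))
```

Elements that are absent from the file produce no finding, so the same function can be run over user and computer policy exports alike.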