Epic EHR Delivered via VDI and Application Virtualization to Thin/Zero Clients

This configuration is used in settings where there is direct interaction between the patient and the provider. It gives users fast access to the workstation and the Epic EHR:

  • The EHR is not closed on user switch.

  • Other applications, such as web browsers and email, are closed on user switch.

This topic details how each component in the following environment is configured.

Click to enlarge.

In this workflow:

  • The Epic EHR (Epic) is delivered to a shared thin or zero client endpoint (thin client) via an Omnissa Horizon or Citrix DaaS VDI image (virtual desktop).

  • Epic is delivered to the virtual desktop via Citrix DaaS application virtualization.

This type of configuration is also known as a double hop. For a summary of this architecture and Imprivata license requirements, see Epic EHR Delivered via VDI and Citrix to Thin Clients.

Before You Begin

Review the following before you begin:

  • Verify that your thin clients are supported. For more information, see "Endpoint Device Matrix" in the Imprivata Enterprise Access Management Supported Components guide.

  • If you are using both Citrix Virtual Desktops and Citrix Virtual Apps, at least two Delivery Controllers are required.

    One to manage access to the virtual desktop; and the other to manage the delivery of Epic.

Imprivata Enterprise Access Management Configuration

In this section you configure the Imprivata user and computers policies:

  • An Imprivata user policy is the means by which you define authentication methods and rules to a specific group of users.

  • An Imprivata computer policy is the means by which you define security parameters to a specific set of workstations. This workflow requires three computer policies:

    • The first policy is assigned to the shared thin clients.

    • The second policy is assigned to the virtual desktops.

    • The third policy is assigned to the Citrix servers that are delivering Epic.

NOTE:

The following steps detail the required settings to achieve this workflow. For complete details on user and computer policies, see the Imprivata Enterprise Access Management Help.

In this workflow, users are enabled to authenticate with a proximity card + a password.

Although users will typically authenticate to Imprivata Enterprise Access Management with a proximity card, enabling password as the second factor is required for as the second factor is required for pass–through authentication for Citrix and Omnissa.

Defining Authentication Methods

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Desktop Access Authentication section.

  4. Under Primary Factors, select Password, and then Proximity Card.

    A secondary factor is not required.

  5. On the Virtual Desktops tab, verify that Enable virtual desktop access automation is not selected.

  6. Save the user policy.

The following screen captures detail the above settings.

Click to enlarge .

Assigning the User Policy

To apply users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import port it.

In this workflow, the thin clients are enabled for Windows authentication.

Enabling Windows Authentication

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  4. Save the computer policy.

The following screen capture details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

In this workflow, the virtual desktops are enabled for Fast User Switching (FUS).

Enabling Fast User Switching

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Kiosk Workstations section, and select Allow Fast User Switching with Citrix or Terminal Servers.

  4. Go to the Windows Authentication section, and select Authenticate using Windows.

  5. Save the computer policy.

The following screen capture details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

In this workflow, the Citrix servers that are delivering Epic are configured for FUS.

Enabling Fast User Switching

To add a computer policy for the Citrix servers:

  1. In the Imprivata Admin Console, click Computers > Computer polices.

  2. On the Computer policies page, click Add, and then enter a name.

  3. On the Citrix or Terminal Server tab, go to the Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section.

    1. Select XenApp or Terminal Server Windows session user and Imprivata user are not always the same, and select a workflow that applies to your environment.

    2. Leave Always trust the Citrix or Terminal Server selected.

  4. Go to the Fast User Switching section.

    Under Endpoints without an Agent, select Allow remote Fast User Switching for the specified users, and then select the required domain.

  5. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  6. Save the computer policy.

The following screen capture details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

Thin Client Configuration

In this section, you configure your shared thin client workstations to automatically log into and connect to a persistent virtual desktop using generic workstation–based credentials.

The generic user credentials are only used to log into the workstation.

Session persistence (roaming) can result in users obtaining an incorrect session when moving from one shared workstation to another.

To prevent roaming, you can take one of the following actions:

  • Create a unique generic user for each shared workstation in the environment.

  • Disable session roaming in your Citrix or Omnissa Horizon environment.

NOTE:

For more information about disabling session roaming, see the Citrix or Omnissa Horizon documentation.

A generic user account is required to log into and connect to a persistent virtual desktop. When adding the generic user to your user directory, consider the following:

  • The generic user account must not be enrolled in Imprivata Enterprise Access Management.

  • Citrix — The generic user account must have access to the delivery group that references the machine catalog of the virtual desktops.

  • Omnissa (VMware) — The generic user account must have access to the desktop pool that is delivering the virtual desktops.

Supported thin clients typically ship with a compatible version of Citrix Workspace app or the Omnissa Horizon client, which support native connections to Citrix Virtual Desktops and Omnissa Horizon Desktops.

While the exact steps to configure each vary from device to device, you will need the following information:

  • The credentials of the generic user account that should be used to automatically log in.

  • The virtual desktop connection settings:

    • The hostname or URL of the Omnissa Horizon server (desktop).

    • The Storefront Web Site or XenApp Services URL of the Citrix server (desktop).

  • The name of the desktop.

NOTE:

For more information on configuring the connection, see your vendor–specific documentation.

Virtual Desktop Configuration

In this section, you install the Imprivata agent and configure your virtual desktops to automatically boot and authenticate to Windows using generic workstation–based credentials:

  • The generic credentials are only used to log into the workstation.

    Use the same credentials that were used to configure the thin client connection to the virtual desktop.

  • Citrix Workspace app uses the generic credentials to connect to the Citrix server that is delivering Epic.

  • When the Imprivata agent detects the user switch, the Imprivata user is logged into Epic.

NOTE:

If you are using both Citrix Virtual Desktops and Citrix Virtual Apps, at least two Delivery Controllers are required. One to manage access to the virtual desktop; and the other to manage the delivery of Epic.

Imprivata Enterprise Access Management supports Citrix Workspace app for Windows. You can download the installer from the Citrix Support site.

Consider the following:

  • Citrix Workspace app must be installed with a user that has administrator privileges.

  • Single sign-on (pass through) authentication must be enabled during the installation.

  • Do not specify an account (Store URL or XenApp Services URL) as part of the installation. Configuring Citrix support for EAM details how to configure a GPO to automatically connect endpoint computers to the required account when Citrix Workspace app starts.

  • Citrix Workspace app must be configured to start automatically when the Windows workstation boots.

Restart the workstation after completing installation.

The following procedures detail now to configure Citrix support for EAM using a group policy object (GPO).

Note Citrix Store URLS

Configuring the GPO with the Citrix store URLs prevents you from having to:

  • Add them when installing Citrix Workspace app

  • Provide them to end users to add them manually to Citrix Workspace app.

Before you begin, use Citrix Studio to note the required URLs.

Enabling the Citrix StoreFront for the Citrix Fast Connect API

The Citrix store must be configured with the following authentication methods to support the Citrix FastConnect API:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

The Citrix store logon method (logonMethod) must be configured for single sign–on to support the Citrix FastConnect API.

To verify the logon method:

  1. From the Citrix StoreFront server, go to the following location:

    C:\inetpub\wwwroot\Citrix\<name_of_store>

  2. Open the web configuration file and find logonMethod.

  3. Verify that the value is set to sson. For example:

    pnaProtocolResources changePasswordAllowed="Never" logonMethod="sson"

Adding the Citrix Administrative Templates to the Active Directory Domain Controller

Configuring Citrix Workspace app with Imprivata Enterprise Access Management requires the following template files:

  • receiver.admx

  • receiver.adml

To make these templates available to the Group Policy Management Editor, add them to the Central Store on the domain controller.

You can locate the templates in the following ways:

  • Citrix makes the templates available separately from the Citrix Workspace app installer. Go to the Citrix Workspace app Windows download page. The ADMX/ADML templates are available in the Admin Tools section.

  • The templates are installed with Citrix Workspace app.

    • The ADMX file is located at "C:\Program Files (x86)\Citrix\ICA Client\Configuration".

    • The ADML file is located at "C:\Program Files (x86)\Citrix\ICA Client\Configuration\en-US".

Managing Group Policy settings requires that all ADMX/ADML files be added to the Central Store on the domain controller. To add the administrative templates:

  1. Log into the domain controller.

  2. Go to C:\Windows\SYSVOL\domain\Policies and create a PolicyDefinitions folder to function as the Central Store.

  3. Go to C:\Windows\PolicyDefinitions and copy all of the contents, including the en-US folder, to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

  4. Add receiver.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

  5. Add receiver.adml to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US.

  6. If the Group Policy Management Editor is open, close the console for the changes to take affect.

Creating a Group Policy to Manage the Fast Connect Configuration

Create an organizational unit (OU) and add your endpoint computers to it.

To create the organizational unit:

  1. From the domain controller, open the Active Directory Users and Computers console.

  2. In the console tree, create an organizational unit (OU) for your endpoint computers.

  3. Add or move the required endpoint computers to the OU.

To create the group policy:

  1. From the domain controller, open the Group Policy Management Console.

  2. In the required domain, select Group Policy Objects > New.

  3. In the New GPO window, name the GPO and click OK.

Click to enlarge

To add the Citrix Administrative templates to the group policy object:

  1. Right-click the new GPO and select Edit. The Group Policy Management Editor opens.

  2. Go to Computer Configuration > Policies > Administrative Templates Policy Definitions (ADMX files) retrieved from the central store > Citrix Components > Citrix Workspace app.

Click to enlarge.

Configuring the Group Policy Object

The following procedures detail how to configure the GPO.

NOTE: Citrix Workspace app SelfService must be configured with the Disabled option.

The Disabled option is required, regardless of the desired end user workflow and application session (roaming) requirements.

To configure the required settings:

  1. In Group Policy Management Editor tree, select User authentication.

  2. In the details pane, double-click Local user name and password.

  3. In the Local user name and password window, select Enabled.

  4. In the Options pane:

    • Select Enable pass-through authentication.

    • Select Allow pass-through authentication for all ICA connections.

    • Deselect Use Novell Directory Server credentials.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select FastConnect API Support.

  2. In the details pane, double-click Manage Fast ConnectAPI support.

  3. In the Manage FastConnectAPI support window, select Enabled.

  4. In the Options pane, select:

    • Select Enable Fast Connect API functionality.

    • Select EnableFastConnectTransisitionAPI.

    • Select Leave Apps Running On Logoff.

    • Select Integrate Self Service Plugin with FastConnect.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Self Service.

  2. In the details pane, double-click Manage App shortcut.

  3. In the Manage App Shortcut window, select Enabled.

  4. In the Options pane, select:

    • In the Startmenu field: if you want your Citrix apps in a folder on the Start menu, enter a name for that folder here. If this field is left blank, the apps will appear directly on the Start menu.

    • In the Desktop Directory field: if you want your Citrix apps in a folder on the desktop, enter a name for that folder here. If this field is left blank, the apps will appear directly on the desktop.

    • Deselect Disable Startmenu Shortcut.

    • Select Enable Desktop Shortcut.

    • Select Disable Categorypath for startmenu.

      BEST PRACTICE: Use Citrix StoreFront categories in the Start menu instead.

    • Select Enable Categorypath for desktop and Enable to have different category path startmenu.

    • Select Remove apps on Logoff.

    • Select Remove apps on Exit.

    • Select Clear the set of applications shown in the Receiver Window on logoff.

    • Select Prevent Receiver performing a refresh of the application list when opened.

    • Select Ignore self service selection of apps and make all mandatory.

  6. Click OK.

The settings should match the following.

Click to enlarge

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Self Service.

  2. In the details pane, double-click Control When Receiver Attempts to Reconnect to Existing Sessions.

  3. In the Control when Receiver attempts to reconnect to existing sessions window, select Enabled.

  4. In the Options pane, select Disabled from the Choose the appropriate combination of reconnect conditions list.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Storefront.

  2. In the details pane, double-click StorefrontAccounts List.

  3. In the Storefront Account List window, select Enabled.

  4. Click Show.

  5. In the Show Contents window, enter the store account (Store URL or XenApp Services URL) details using the following syntax:

    store_name;store_url;store_enabled_state;store_description

    • store_name is the name users see for the store.

    • store_url is the Services URL for the store.

    • store_enabled_state specifies if the store is available to users. Set to On or Off.

    • store_description is the description users see for the store.

XenApp Services example: SalesStore;https://example.com/Citrix/SalesStore/PNAgent/config.xml;On;Store for Sales Staff

Store example: SalesStore;https//example.com/Citrix/SalesStore/;On;Store for Sales Staff

NOTE: The store_enabled_state syntax is case-sensitive.

(Optional) This step is required only if your Citrix environment is using Storefront URLs. Configuring the registry keys requires that you:

  • Add the ConnectionSecurityMode and the ProtocolOrder values to the Citrix AuthManager registry key.

  • Create the Protocols registry key with a httpbasic subkey, which has a value of Enable.

To add the value:

  1. In the Group Policy Management Editor tree, go to Computer Configuration > Preferences > Windows Settings.

  2. Right–click Registry and select New > Registry item.

  3. In the New Registry Properties window, select Create from the Action list.

  4. From the Hive list, select HKEY_LOCAL_Machine.

  5. Enter the following in the Key Path field:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\

    • 32–bit — Software\Citrix\AuthManager\

  6. In the Value name field, enter ConnectionSecurityMode.

  7. From the Value type list, select REG_SZ.

  8. In the Value data field, enter Any. Click OK.

To add the value:

  1. In the Group Policy Management Editor tree, go to Computer Configuration > Preferences > Windows Settings.

  2. Right–click Registry and select New > Registry item.

  3. In the New Registry Properties window, select Create from the Action list.

  4. From the Hive list, select HKEY_LOCAL_Machine.

  5. Enter the following in the Key Path field:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\

    • 32–bit — Software\Citrix\AuthManager\

  6. In the Value name field, enter ProtocolOrder.

  7. From the Value type list, select REG_MULTI_SZ.

  8. In the Value data field, enter httpbasic. Click OK.

To create the key:

  1. In the New Registry Properties window, select Create from the Action list.

  2. From the Hive list, select HKEY_LOCAL_Machine.

  3. Enter one of the following in Key Path:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\Protocols\httpbasic

    • 32–bit — Software\Citrix\AuthManager\Protocols\httpbasic

  4. In the Value name field, enter Enabled.

  5. From the Value type list, select REG_SZ.

  6. In Value data field, enter true. Click OK.

Configuring Internet Explorer

Configuring Internet Explorer requires that you:

  • Add the domain of the Services URL as a trusted site.

  • Configure user authentication for automatic logon.

To add a trusted site:

  1. In the Group Policy Management Editor tree, go to Windows Components > Internet Explorer > Internet Control Panel > Security Page.

  2. In the details pane, open Site to Zone Assignment List.

  3. In the Site to Zone Assignment List window, select Enabled.

  4. In the Options section, click Show.

  5. In the Value name field, type the scheme and domain of the Services URL.

    Example: If the URL is https://example.com/Citrix/SalesStore/PNAgent/config.xml, then enter https://example.com.

  6. In the Value field, type 2 and click OK.

  7. Apply the changes to the Site to Zone Assignment List.

To configure user authentication:

  1. In the details pane, open Trusted Sites Zone.

  2. In the details pane, open Login options.

  3. In the Logon options window, select Enabled.

  4. From the Logon options list, select Automatic logon with current username and password.

  5. Click OK.

Linking the Group Policy to the Organizational Unit

To link the GPO to the OU:

  1. In the Group Policy Management window, right-click the new OU you created and select Link an Existing GPO.

  2. In the Select GPO window, select the new GPO and click OK.

Click to enlarge

Configuring Security Filtering

Configure security filtering to make the GPO available to the required workstations.

To configure security filtering:

  1. In the Group Policy Management window, navigate to your new OU, select your new GPO, and click the Scope tab.

  2. In the Scope tab > Security Filtering section, set the filter as necessary. In this example, the filter is set to Everyone to make this policy accessible to everyone:

Click to enlarge.

Verifying the Configuration

All shared workstations in the OU receive the new GPO settings at the next group policy refresh interval. The default interval is 90 minutes.

You can verify the configuration with the following methods.

On any workstation in the OU, you can verify that the GPO settings are applied by viewing the settings in the registry at the following location:

  • 64-bit – HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Policies > Citrix > Dazzle

  • 32-bit – HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Citrix > Dazzle

The following is provided as an example only.

Click to enlarge.

You can create a group policy result report to select a specific workstation to query. The report specifies which GPOs are applied.

To create the report:

  1. In the Group Policy Management window, right-click Group Policy Results > Group Policy Results Wizard...

  2. In the Computer Selection page, select the computer for which you want to display policy settings, and click Next.

  3. In the User Selection page, enter a domain administrator and click Next.

  4. Click Finish to close the wizard.

  5. The report is not actually run yet; in the Group Policy Management window > Group Policy Results section, right-click the report you just created and click Rerun Query.

    NOTE: If the Windows WMI service is disabled or restricted on the endpoint computer, the report will not work.

  6. After the report is generated, select the report from the left navigation. In the example below it is named after the endpoint computer THIRTYTWO.

  7. In the details pane, select the Details tab. Your GPO is listed in the section Applied GPOs.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Shared Kiosk Workstation agent.

Using a Third–Party Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=2

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Configure the following registry settings to enable the following:

  • Proximity card "tap–to–lock" .

  • The detection of proximity card events on the virtual desktop.

Name Data Type Location Value
DisableCAD DWORD

32-bit: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

64-bit: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System 

Default = 0

Set to = 1
DisableCAD DWORD

32-bit: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

64-bit: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon

Default = 0

Set to = 1
LockRemoteSessionWithAgentOnClient DWORD

32–bit: HKLM\Software\SSOProvider\ISXAgent

64–bit: HKLM\Software\Wow6432Node\SSOProvider\ISXAgent

Default = 0

Set to = 1
LockVirtualSessionWithHotKey DWORD

32–bit: HKLM\Software\SSOProvider\ISXAgent

64–bit: HKLM\Software\Wow6432Node\SSOProvider\ISXAgent

Default = 0

Set to = 1

Citrix Server Configuration

In this section, you:

  • Install the Imprivata agent on the Citrix servers that are delivering Epic.

    Installing the Imprivata agent enables Imprivata to communicate between the virtual environment and the shared workstations.

  • Install the Imprivata Connector for Epic Hyperdrive.

    Installing the Connector enables Fast User Switching for Epic Hyperdrive.

NOTE:

If you are using both Citrix Virtual Desktops and Citrix Virtual Apps, at least two Delivery Controllers are required. One to manage access to the virtual desktop; and the other to manage the delivery of Epic.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Citrix or Terminal Server agent.

Using a Third-Party Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=3

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Install the Imprivata Connector for Epic Hyperdrive on all of the servers that are delivering Epic. Consider the following:

  • The same Imprivata Connector for Epic Hyperdrive installer supports both 32-bit and 64-bit operating systems.

  • The Imprivata Connector for Epic Hyperdrive can only be used with one version of Epic on a given workstation.

NOTE: Before installing the Imprivata Connector for Epic Hyperdrive, be sure that Epic is installed.

Using the Installation Wizard

To install:

  1. Run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The installer automatically detects the version of Hyperspace installed and installs the appropriate Imprivata Connector for Epic Hyperdrive files for that version. If multiple versions of Hyperspace are detected or if Hyperspace is not installed, the Imprivata Connector for Epic Hyperdrive installer prompts you to select one version of Epic.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Using the Command Line

To install:

  1. Standard msiexec commands can be used to run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The Epic version of the Imprivata Connector for Epic Hyperdrive can be specified in the msiexec command line as follows:

    • EPICVERSION = 2014

    • EPICVERSION = 2015

    • EPICVERSION = 2017

    • EPICVERSION = "2018 August"

    • EPICVERSION = "2018 November"

    • EPICVERSION = "2019 February"

    NOTE: If you are using the Imprivata Connector for Epic Hyperdrive version 6.3 or later, including an Epic version is not required.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Configure the following keys to enable the detection of proximity card events on the server that is delivering Epic.

Name Data Type Location Value
RedirectionSupported DWORD

32–bit: HKLM\Software\SSOProvider\DeviceManager

64–bit: HKLM\Software\Wow6432Node\SSOProvider\DeviceManager

Default = 0

Set to = 1
RemoteOnly DWORD

32–bit: HKLM\Software\SSOProvider\DeviceManager

64–bit: HKLM\Software\Wow6432Node\SSOProvider\DeviceManager

Default = 0

Set to = 1

Epic Configuration

In this section, you configure the Imprivata Connector for Epic Hyperdrive.

Imprivata has worked with Epic Systems to develop the Imprivata Connector for Epic Hyperdrive. The Connector leverages Epic's authentication API to provide single sign-on, single sign-off, and fast user switching for Epic Hyperdrive.

Imprivata Enterprise Access Management offers two different configuration options for Epic that can be enabled on a per-workstation basis:

  • SSO for Epic only workflow

    With this workflow, the Windows desktop is always unlocked. Users authenticate to Epic using their fingerprint or proximity card. This workflow is optimized for workstations on which Epic is the most frequently accessed application.

  • SSO for multiple applications including Epic

    With this workflow, the Windows desktop is secured by the Imprivata agent. Users authenticate to EAM using their fingerprint or proximity card. This workflow is optimized for workstations on which Imprivata Single Sign-On is required for multiple applications, including Epic.

EAM can be configured to secure Epic and maintain the patient context or log the user out of Epic with either of these workflows.

NOTE:

In scenarios where EAM performs Fast User Switching into the Epic EMR Hyperdrive client delivered via Citrix, we recommend that the Epic session remain active during times of clinician usage. The utilization of Citrix timeout settings for Epic sessions, or any closure of the Epic session, may impact login times for clinical users because they must wait for the Epic session to reconnect.

Citrix and VDI connection times are unaffected by EAM. When needed, EAM automates the connection to Citrix, but does not reduce the connection time.

When configuring support for Epic, consider the following:

  • Use the endpoint computer policy to manage the settings on the Connector for Epic tab.

    These settings are only honored from the workstation on which users access Epic. The settings are not honored where Epic is installed.

  • The Imprivata Connector for Epic Hyperdrive for Epic supports a number of reference architectures.

    While you can use the Imprivata Connector for Epic Hyperdrive Configuration Guide to complete the steps required of this reference architecture, the guide does include information that is optional.

As such, the table below provides an overview of what must be configured for this specific reference architecture.

Configuration Notes
Authentication devices

Ensure that your authentication devices are configured correctly:

  • Use Chronicles to configure the E0G master file.
  • Set the Login Mode option to SYSTEM LOGIN (EMP 45), otherwise User ID.

For more information, see Chapter 4.
Epic only mode

In this configuration, Epic is the only application that clinicians can access from the shared workstation:

  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 9.
Multi–app mode

In this configuration, clinicians can access other applications in addition to Epic:

  • By default, when Epic is delivered via Citrix Virtual Apps, the Imprivata Connector for Epic Hyperdrive disables the Imprivata SSO engine. To re-enable the SSO engine, configure the following registry settings:
    • ControlISXAgentStartup
    • DontStartAgentHooks
    • DontStartAgentTimer
    • HookInit
  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 8.