Roaming Epic EHR Delivered via VDI and Application Virtualization to ProveID Embedded Thin Clients

This configuration can be used in most clinical settings:

  • A shared workstation with a roaming virtual desktop lets users move from workstation to workstation and automatically connect to a full Windows desktop that is delivered via VDI.

  • As users authenticate to different shared workstations, they reconnect to their desktop virtualization session, which makes it appear as if the their desktop – and all applications that are running within it – are "roaming" with them.

NOTE:

This configuration is not recommended for settings where patient medical records must remain persistent on the workstation for different users to access. For example — an exam room.

This topic details how each component in the following environment is configured.

Click to enlarge.

In this workflow:

  • The Epic EHR (Epic) is delivered to a shared Imprivata ProveID Embedded thin client (thin client) via an Omnissa Horizon or Citrix DaaS VDI image (virtual desktop).

  • Epic is delivered to the virtual desktop via Citrix DaaS application virtualization.

    The virtual desktop is automatically launched after the user successfully authenticates.

This type of configuration is also known as a double hop. For a summary of this architecture and Imprivata license requirements, see Epic EHR Delivered via VDI and Citrix to Thin Clients.

Before You Begin

Review the following before you begin:

  • Verify that your thin clients are supported. For more information, see " ProveID Embedded" and "Endpoint Device Matrix" in the Imprivata Enterprise Access Management Supported Components guide.

  • If you are using both Citrix Virtual Desktops and Citrix Virtual Apps, at least two Delivery Controllers are required.

    One to manage access to the virtual desktop; and the other to manage the delivery of Epic.

  • The following steps assume that ProveID Embedded has been installed and configured.

    For more information, see "Configuring ProveID Embedded on Linux Thin Clients" in the Imprivata Enterprise Access Management Online Help.

Enterprise Access Management Configuration

In this section you configure the Imprivata user and computers policies:

  • An Imprivata user policy is the means by which you define authentication methods and rules to a specific group of users.

  • An Imprivata computer policy is the means by which you define security parameters to a specific set of workstations. This workflow requires three computer policies:

    • The first policy is assigned to the shared thin clients.

    • The second policy is assigned to the virtual desktops.

    • The third policy is assigned to the Citrix servers that are delivering Epic.

NOTE:

The following steps detail the required settings to achieve this workflow. For complete details on user and computer policies, see the Imprivata Enterprise Access Management Help.

To enable the thin clients:

  1. In the Imprivata Admin Console. open the gear icon menu, and click ProveID.

  2. Select Allow full API access via ProveID Web API and ProveID Embedded.

  3. Select your thin client model, and then click Save.

Configuring a connection to the VDI connection brokers and the Citrix Virtual Apps brokers makes these settings available to your computer and user policies.

Configuring the Connection to Brokers

To configure the connection:

  1. In the Imprivata Admin Console, click Computers > Virtual desktops.

  2. Do one of the following:

    • Citrix — In the Citrix XenDesktop section, enter one or more URLs to the Citrix stores.

    • VMware — In the VMware Horizon section, enter one or more URLs to the Horizon Connection Servers.

  3. In the Citrix XenApp section, do the following:

    • In the first field, enter one or more URLs to the Citrix stores.

    • In the second field, enter the name of the application that is being delivered from this broker. Enter the name with the same spelling, spacing, and capitalization as it appears in Citrix StoreFront.

    For example, "Epic".

  4. Click Save.

Configuring Citrix for Native Connections to Stores

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Imprivata Enterprise Access Management SSO:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

In this workflow, users are enabled to authenticate with a proximity card + a password.

Although users will typically authenticate to Imprivata Enterprise Access Management with a proximity card, enabling password as the second factor is required for as the second factor is required for pass–through authentication for Citrix and Omnissa.

Defining Authentication Methods and Enabling Virtual Desktop Access

To create the user policy:

  1. In the Imprivata Admin Console, click Users > User policies.

  2. Click Add, and enter a policy name.

  3. On the Authentication tab, go to the Desktop Access Authentication section.

  4. Under Primary Factors, select Password, and then Proximity Card.

    A secondary factor is not required.

  5. On the Virtual Desktops tab, select Enable virtual desktop access automation.

  6. Select Automate access to full VDI desktops, and then select with Citrix or VMware.

  7. Under Then, on that desktop, launch the following applications, select the Epic.

  8. Save the user policy.

The following screen captures detail the above settings.

Click to enlarge .

Assigning the User Policy

To apply users to the policy:

  1. In the Imprivata Admin Console, click Users > Users.

  2. Do one of the following:

    • Manually select users, and then click Apply Policy.

    • Click Bulk Actions > Assign User Policies to download a sample CSV file.

  3. Modify this file to map multiple users to the policy, and then import port it.

In this workflow, the thin clients are enabled for Windows authentication and automated virtual desktop access.

Enabling Windows Authentication and Virtual Desktop Access

To create the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  4. On the Virtual Desktops tab, enable virtual desktop access based on your vendor:

    1. Go to the Citrix XenDesktop section, and select Automate access to Citrix XenDesktop.

    2. Under When a XenDesktop endpoint is locked, specify the required behavior when the thin client becomes locked:

      • Keep the XenDesktop client and user session active

        This option preserves the user session; when a user logs back into this endpoint computer (or another endpoint computer with XenDesktop enabled) their desktop and applications are preserved just as they were when this endpoint computer was locked.

      • Shutdown the XenDesktop client and disconnect the user session

        This option helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenDesktop enabled) their desktop will relaunch.

    3. Under Available Citrix servers, select one or more Citrix stores.

    1. Go to the VMware Horizon – Desktop section, and select Automate access to VMware Horizon.

    2. Under When a VMware Horizon endpoint is locked, specify the required behavior when the thin client becomes locked:

      • Keep the VMware Horizon client and user session active

        This option preserves the user session; when a user logs back into this endpoint computer (or another endpoint computer with XenDesktop enabled) their desktop and applications are preserved just as they were when this endpoint computer was locked.

      • Shutdown the VMware Horizon client and disconnect the user session

        This option helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenDesktop enabled) their desktop will relaunch.

    3. Available VMware Horizon Connection Managers, select one or more Horizon Connection Servers.

  5. Save the computer policy.

The following screen captures detail the above settings:

Click to enlarge.

In this workflow, the virtual desktops are configured to deliver Epic.

Enabling Access to Epic

To configure the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policies.

  2. On the Computer policies page, click Add, and then enter a name for the computer policy.

  3. On the Virtual Desktops tab, go to the Citrix XenApp section , and select Automate access to Citrix XenApp.

  4. Under When a XenApp endpoint is locked, specify the required behavior when the endpoint becomes locked:

    • Keep the XenApp client and user session active

      This option preserves the user session; when a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled) their applications are preserved just as they were when this endpoint computer was locked.

    • Shutdown the XenApp client and disconnect the user session

      This option helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled) their application will relaunch.

  5. Select Enable Published Applications.

  6. Under Available Citrix Servers, select one or more Citrix stores.

  7. Save the computer policy.

The following screen capture details the above settings:

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

In this workflow, the Citrix servers that are delivering Epic are enabled for Windows authentication.

Enabling Windows Authentication

To add a computer policy for the Citrix servers:

  1. In the Imprivata Admin Console, click Computers > Computer polices.

  2. On the Computer policies page, click Add, and then enter a name.

  3. On the Citrix or Terminal Server tab, go to the Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section.

    1. Select XenApp or Terminal Server Windows session user and Imprivata user are always the same.

    2. Leave Always trust the Citrix or Terminal Server selected.

  4. On the Shared Workstation tab, go to the Windows Authentication section, and select Authenticate using Windows.

  5. Save the computer policy.

The following screen captures details the above settings.

Click to enlarge.

Assigning the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

  1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

  2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

  3. Click Add New Rule, and name it.

  4. Select one of the following options:

    • Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

    • Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

    • Computer IP address — Enter the range of IP addresses to include in this computer policy

    • Computer host name — A computer matches if its host name contains the text entered in this field

    • Imprivata agent type — Choose an agent type from the list

  5. Select a policy from Apply this computer policy.

  6. Click Save.

Thin Client Configuration

In this section, you:

  • Configure Citrix Workspace app or the Omnissa Horizon client to connect to and deliver the desktop.

  • Import the Citrix or Omnissa SSL certificate into your thin clients to establish trust between both environments.

NOTE:

In addition to the registry settings that are configured on the virtual desktop, USB redirection is managed from the thin client, independent of Enterprise Access Management. Configure devices to support the USB redirection of your proximity card readers, as well as any other required devices.

Thin clients typically ship with a compatible version of Citrix Workspace app or the Omnissa Horizon client, which use the explicit user credentials to connect to and deliver the desktop.

Imprivata supports a number of thin client devices, all of which support native connections to Citrix DaaS and Omnissa Horizon Desktops.

While the exact steps to configure the connection vary by device, you will need the following:

  • The virtual desktop connection settings:

    • The hostname or URL of the Omnissa Horizon server (desktop).

    • The Storefront Web Site or XenApp Services URL of the Citrix server (desktop).

  • The name of the desktop.

NOTE:

For more information on configuring the connection, see your vendor–specific documentation.

Import the Citrix or Omnissa Horizon SSL certificate into your thin clients to establish trust between both environments.

Before you begin, save a copy of the SSL certificate to a USB storage device (thumb drive).

The following material is included as a reference for tasks in the HP Device Manager (HPDM) console. For more information, see your HP documentation.

To import the SSL certificate to one thin client:

  1. Insert the thumb drive into the thin client.

  2. Click the wrench icon > Advanced > Certificate to open the Certificate Manager.

  3. Go to the Local Root Certificate Authorities tab.

  4. Click Import from File, locate the SSL certificate on the thumb drive, and click Open.

    Restarting the thin client is not required.

To create the task:

  1. In the HP Device Manager console, click Templates and Rules.

    The Templates section lists all of the available base templates.

  2. Double-click _File and Registry to open the Template Editor.

  3. On the Content tab, click Add, select Deploy Files, and then click OK.

  4. Click Add from local, and import the SSL certificate.

  5. In the Path on Device field, enter /usr/local/share/ca-certificates, and then click OK.

  6. On the Content tab, click Add, select Command, and then click OK.

  7. In the Command field, enter the following:

    cd /usr/lib/hptc-cert-mgr

  8. Click Add, and in the Command field, enter the following:

    /usr/lib/hptc-cert-mgr/certmgr-apply

    Do not change the default settings for Execute After Reboot (No) and Wait (Yes) for either command.

  9. Click Save as to save the task, name the task, and then click OK
    The Package Description Editor appears.

To edit the package description:

  1. Complete the following fields:

    • Title

    • Installation Space

    • Architecture

    • OS Type

    • Device Models

  2. Click Generate.

The template is created and appears in the Templates section.

To send the task:

  1. In the HP Device Manager Console, click Manage Devices.

  2. Go to the Devices section, and right-click the required group of thin clients to open the Template Chooser.

  3. From the Category List, select File and Registry, and then select the template that will deploy the SSL certificate.

  4. Click Next.

  5. Use the Task Editor to manage how and when the certificates will be sent to the device, and click OK.

The following material is included as a reference for tasks in the IGEL UMS. For more information, see your IGEL documentation.

To import the SSL certificate to one thin client:

  1. Open a terminal window.

  2. Change to the /wfs directory

  3. Enter the following command to create a new subdirectory.

    mkdir ca-certs

  4. Insert the thumb drive into the thin client, and navigate to the location of the SSL certificate.

  5. Copy the SSL certificate file with the following command:

    cp <cert_name>.cer /wfs/ca-certs

  6. Restart the thin client.

To distribute the SSL certificate using the IGEL UMS:

  1. From the UMS console, right-click Files, and then click New File.

  2. Select Upload Local File to UMS server, and then use Local file to browse to the SSL certificate.

  3. In the field Local File, enter the location of the SSL certificate file.

  4. Under File Target:

    • Set Classification to Undefined.

    • In the Device files location field, enter the following path:

      /wfs/ca-certs/<cert_name>.cer

  5. Click OK.

  6. Assign the SSL certificate to your thin clients directly or through the profile that is managing them.

  7. Restart the thin clients.

NOTE: For more information on assigning objects, see the IGEL Knowledge Base.

Virtual Desktop Configuration

In this section, you:

  • Install the Imprivata agent on the virtual desktop.

    Installing the Imprivata agent enables Imprivata to communicate between the virtual environment and the shared workstations.

  • Install Citrix Workspace app on the virtual desktops.

    Citrix Workspace app uses the explicit user credentials to connect to the Citrix server that is delivering Epic.

  • Configure registry settings.

    NOTE:

    If you are using both Citrix Virtual Desktops and Citrix Virtual Apps, at least two Delivery Controllers are required. One to manage access to the virtual desktop; and the other to manage the delivery of Epic.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Enterprise Access Management. If your virtual environment is configured correctly for session persistence, Enterprise Access Management seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

BEST PRACTICE:

Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the connection broker roams the session that the user was previously using.

For more information about configuring session persistence and application delivery, see your vendor documentation.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Single User Computer agent.

NOTE:

Beginning with 25.2, launching the Imprivata agent installer directly requires you to execute the MSI from an elevated command prompt. You cannot directly run the installer by either double-clicking the MSI or right-clicking the MSI and running it as an administrator.

Using a Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=1

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Imprivata Enterprise Access Management supports Citrix Workspace app for Windows. You can download the installer from the Citrix Support site.

Consider the following:

  • Citrix Workspace app must be installed with a user that has administrator privileges.

  • Single sign-on (pass through) authentication must be enabled during the installation.

  • Do not specify an account (Store URL or XenApp Services URL) as part of the installation. Configuring Citrix support for EAM details how to configure a GPO to automatically connect endpoint computers to the required account when Citrix Workspace app starts.

  • Citrix Workspace app must be configured to start automatically when the Windows workstation boots.

Restart the workstation after completing installation.

The following procedures detail now to configure Citrix support for Imprivata Enterprise Access Management using a group policy object (GPO).

Note Citrix Store URLS

Configuring the GPO with the Citrix store URLs prevents you from having to:

  • Add them when installing Citrix Workspace app

  • Provide them to end users to add them manually to Citrix Workspace app.

Before you begin, use Citrix Studio to note the required URLs.

Enabling the Citrix StoreFront for the Citrix Fast Connect API

The Citrix store must be configured with the following authentication methods to support the Citrix FastConnect API:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

The Citrix store logon method (logonMethod) must be configured for single sign–on to support the Citrix FastConnect API.

To verify the logon method:

  1. From the Citrix StoreFront server, go to the following location:

    C:\inetpub\wwwroot\Citrix\<name_of_store>

  2. Open the web configuration file and find logonMethod.

  3. Verify that the value is set to sson. For example:

    pnaProtocolResources changePasswordAllowed="Never" logonMethod="sson"

Adding the Citrix Administrative Templates to the Active Directory Domain Controller

Configuring Citrix Workspace app with Imprivata Enterprise Access Management requires the following template files:

  • receiver.admx

  • receiver.adml

To make these templates available to the Group Policy Management Editor, add them to the Central Store on the domain controller.

You can locate the templates in the following ways:

  • Citrix makes the templates available separately from the Citrix Workspace app installer. Go to the Citrix Workspace app Windows download page. The ADMX/ADML templates are available in the Admin Tools section.

  • The templates are installed with Citrix Workspace app.

    • The ADMX file is located at "C:\Program Files (x86)\Citrix\ICA Client\Configuration".

    • The ADML file is located at "C:\Program Files (x86)\Citrix\ICA Client\Configuration\en-US".

Managing Group Policy settings requires that all ADMX/ADML files be added to the Central Store on the domain controller. To add the administrative templates:

  1. Log into the domain controller.

  2. Go to C:\Windows\SYSVOL\domain\Policies and create a PolicyDefinitions folder to function as the Central Store.

  3. Go to C:\Windows\PolicyDefinitions and copy all of the contents, including the en-US folder, to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

  4. Add receiver.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions.

  5. Add receiver.adml to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US.

  6. If the Group Policy Management Editor is open, close the console for the changes to take affect.

Creating a Group Policy to Manage the Fast Connect Configuration

Create an organizational unit (OU) and add your endpoint computers to it.

To create the organizational unit:

  1. From the domain controller, open the Active Directory Users and Computers console.

  2. In the console tree, create an organizational unit (OU) for your endpoint computers.

  3. Add or move the required endpoint computers to the OU.

To create the group policy:

  1. From the domain controller, open the Group Policy Management Console.

  2. In the required domain, select Group Policy Objects > New.

  3. In the New GPO window, name the GPO and click OK.

Click to enlarge

To add the Citrix Administrative templates to the group policy object:

  1. Right-click the new GPO and select Edit. The Group Policy Management Editor opens.

  2. Go to Computer Configuration > Policies > Administrative Templates Policy Definitions (ADMX files) retrieved from the central store > Citrix Components > Citrix Workspace app.

Click to enlarge.

Configuring the Group Policy Object

The following procedures detail how to configure the GPO.

NOTE: Citrix Workspace app SelfService must be configured with the Disabled option.

The Disabled option is required, regardless of the desired end user workflow and application session (roaming) requirements.

To configure the required settings:

  1. In Group Policy Management Editor tree, select User authentication.

  2. In the details pane, double-click Local user name and password.

  3. In the Local user name and password window, select Enabled.

  4. In the Options pane:

    • Select Enable pass-through authentication.

    • Select Allow pass-through authentication for all ICA connections.

    • Deselect Use Novell Directory Server credentials.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select FastConnect API Support.

  2. In the details pane, double-click Manage Fast ConnectAPI support.

  3. In the Manage FastConnectAPI support window, select Enabled.

  4. In the Options pane, select:

    • Select Enable Fast Connect API functionality.

    • Select EnableFastConnectTransisitionAPI.

    • Select Integrate Self Service Plugin with FastConnect.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Self Service.

  2. In the details pane, double-click Manage App shortcut.

  3. In the Manage App Shortcut window, select Enabled.

  4. In the Options pane, select:

    • In the Startmenu field: if you want your Citrix apps in a folder on the Start menu, enter a name for that folder here. If this field is left blank, the apps will appear directly on the Start menu.

    • In the Desktop Directory field: if you want your Citrix apps in a folder on the desktop, enter a name for that folder here. If this field is left blank, the apps will appear directly on the desktop.

    • Deselect Disable Startmenu Shortcut.

    • Select Enable Desktop Shortcut.

    • Select Disable Categorypath for startmenu.

      BEST PRACTICE: Use Citrix StoreFront categories in the Start menu instead.

    • Select Enable Categorypath for desktop and Enable to have different category path startmenu.

    • Select Remove apps on Logoff.

    • Select Remove apps on Exit.

    • Select Clear the set of applications shown in the Receiver Window on logoff.

    • Select Prevent Receiver performing a refresh of the application list when opened.

    • Select Ignore self service selection of apps and make all mandatory.

  6. Click OK.

The settings should match the following.

Click to enlarge

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Self Service.

  2. In the details pane, double-click Control When Receiver Attempts to Reconnect to Existing Sessions.

  3. In the Control when Receiver attempts to reconnect to existing sessions window, select Enabled.

  4. In the Options pane, select Refresh, Open (or an equivalent setting) from the Choose the appropriate combination of reconnect conditions list.

  5. Click OK.

The settings should match the following.

Click to enlarge.

To configure the required settings:

  1. In the Group Policy Management Editor tree, select Storefront.

  2. In the details pane, double-click StorefrontAccounts List.

  3. In the Storefront Account List window, select Enabled.

  4. Click Show.

  5. In the Show Contents window, enter the store account (Store URL or XenApp Services URL) details using the following syntax:

    store_name;store_url;store_enabled_state;store_description

    • store_name is the name users see for the store.

    • store_url is the Services URL for the store.

    • store_enabled_state specifies if the store is available to users. Set to On or Off.

    • store_description is the description users see for the store.

XenApp Services example: SalesStore;https://example.com/Citrix/SalesStore/PNAgent/config.xml;On;Store for Sales Staff

Store example: SalesStore;https//example.com/Citrix/SalesStore/;On;Store for Sales Staff

NOTE: The store_enabled_state syntax is case-sensitive.

(Optional) This step is required only if your Citrix environment is using Storefront URLs. Configuring the registry keys requires that you:

  • Add the ConnectionSecurityMode and the ProtocolOrder values to the Citrix AuthManager registry key.

  • Create the Protocols registry key with a httpbasic subkey, which has a value of Enable.

To add the value:

  1. In the Group Policy Management Editor tree, go to Computer Configuration > Preferences > Windows Settings.

  2. Right–click Registry and select New > Registry item.

  3. In the New Registry Properties window, select Create from the Action list.

  4. From the Hive list, select HKEY_LOCAL_Machine.

  5. Enter the following in the Key Path field:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\

    • 32–bit — Software\Citrix\AuthManager\

  6. In the Value name field, enter ConnectionSecurityMode.

  7. From the Value type list, select REG_SZ.

  8. In the Value data field, enter Any. Click OK.

To add the value:

  1. In the Group Policy Management Editor tree, go to Computer Configuration > Preferences > Windows Settings.

  2. Right–click Registry and select New > Registry item.

  3. In the New Registry Properties window, select Create from the Action list.

  4. From the Hive list, select HKEY_LOCAL_Machine.

  5. Enter the following in the Key Path field:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\

    • 32–bit — Software\Citrix\AuthManager\

  6. In the Value name field, enter ProtocolOrder.

  7. From the Value type list, select REG_MULTI_SZ.

  8. In the Value data field, enter httpbasic. Click OK.

To create the key:

  1. In the New Registry Properties window, select Create from the Action list.

  2. From the Hive list, select HKEY_LOCAL_Machine.

  3. Enter one of the following in Key Path:

    • 64–bit — Software\Wow6432Node\Citrix\AuthManager\Protocols\httpbasic

    • 32–bit — Software\Citrix\AuthManager\Protocols\httpbasic

  4. In the Value name field, enter Enabled.

  5. From the Value type list, select REG_SZ.

  6. In Value data field, enter true. Click OK.

Configuring Internet Explorer

Configuring Internet Explorer requires that you:

  • Add the domain of the Services URL as a trusted site.

  • Configure user authentication for automatic logon.

To add a trusted site:

  1. In the Group Policy Management Editor tree, go to Windows Components > Internet Explorer > Internet Control Panel > Security Page.

  2. In the details pane, open Site to Zone Assignment List.

  3. In the Site to Zone Assignment List window, select Enabled.

  4. In the Options section, click Show.

  5. In the Value name field, type the scheme and domain of the Services URL.

    Example: If the URL is https://example.com/Citrix/SalesStore/PNAgent/config.xml, then enter https://example.com.

  6. In the Value field, type 2 and click OK.

  7. Apply the changes to the Site to Zone Assignment List.

To configure user authentication:

  1. In the details pane, open Trusted Sites Zone.

  2. In the details pane, open Login options.

  3. In the Logon options window, select Enabled.

  4. From the Logon options list, select Automatic logon with current username and password.

  5. Click OK.

Linking the Group Policy to the Organizational Unit

To link the GPO to the OU:

  1. In the Group Policy Management window, right-click the new OU you created and select Link an Existing GPO.

  2. In the Select GPO window, select the new GPO and click OK.

Click to enlarge

Configuring Security Filtering

Configure security filtering to make the GPO available to the required workstations.

To configure security filtering:

  1. In the Group Policy Management window, navigate to your new OU, select your new GPO, and click the Scope tab.

  2. In the Scope tab > Security Filtering section, set the filter as necessary. In this example, the filter is set to Everyone to make this policy accessible to everyone:

Click to enlarge.

Verifying the Configuration

All shared workstations in the OU receive the new GPO settings at the next group policy refresh interval. The default interval is 90 minutes.

You can verify the configuration with the following methods.

On any workstation in the OU, you can verify that the GPO settings are applied by viewing the settings in the registry at the following location:

  • 64-bit – HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Policies > Citrix > Dazzle

  • 32-bit – HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Citrix > Dazzle

The following is provided as an example only.

Click to enlarge.

You can create a group policy result report to select a specific workstation to query. The report specifies which GPOs are applied.

To create the report:

  1. In the Group Policy Management window, right-click Group Policy Results > Group Policy Results Wizard...

  2. In the Computer Selection page, select the computer for which you want to display policy settings, and click Next.

  3. In the User Selection page, enter a domain administrator and click Next.

  4. Click Finish to close the wizard.

  5. The report is not actually run yet; in the Group Policy Management window > Group Policy Results section, right-click the report you just created and click Rerun Query.

    NOTE: If the Windows WMI service is disabled or restricted on the endpoint computer, the report will not work.

  6. After the report is generated, select the report from the left navigation. In the example below it is named after the endpoint computer THIRTYTWO.

  7. In the details pane, select the Details tab. Your GPO is listed in the section Applied GPOs.

Configure the following keys to enable the detection of proximity card events on the virtual desktop.

Name Data Type Location Value
RedirectionSupported DWORD

32–bit: HKLM\Software\SSOProvider\DeviceManager

64–bit: HKLM\Software\Wow6432Node\SSOProvider\DeviceManager

Default = 0

Set to = 1
RemoteOnly DWORD

32–bit: HKLM\Software\SSOProvider\DeviceManager

64–bit: HKLM\Software\Wow6432Node\SSOProvider\DeviceManager

Default = 0

Set to = 1

Citrix Server Configuration

In this section, you install the Imprivata agent and the Imprivata Connector for Epic Hyperdrive on the Citrix servers that are delivering the Epic EHR.

  • Installing the Imprivata agent on the Citrix Servers enables Imprivata to communicate between Citrix environment and the shared workstations.

  • Installing the Imprivata Connector for Epic Hyperdrive enables access to Epic Hyperdrive.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Enterprise Access Management. If your virtual environment is configured correctly for session persistence, Enterprise Access Management seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

BEST PRACTICE:

Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the connection broker roams the session that the user was previously using.

For more information about configuring session persistence and application delivery, see your vendor documentation.

The Imprivata agent is client–side software that is responsible for securing desktop login, authenticating users, providing SSO functions, securely storing application credentials, keeping an audit trail, and exchanging data with the appliance.

Using the Installation Wizard

To install the Imprivata agent:

  1. In the Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Run the installation wizard.

Completing the installation requires you to:

  • Enter the FQDN or IP address of the Imprivata appliance to which it should connect to obtain the enterprise topology.

  • Select the Citrix or Terminal Server agent.

NOTE:

Beginning with 25.2, launching the Imprivata agent installer directly requires you to execute the MSI from an elevated command prompt. You cannot directly run the installer by either double-clicking the MSI or right-clicking the MSI and running it as an administrator.

Using a Software Distribution Tool

To deploy the Imprivata agent using third–party software distribution tool:

  1. In the Imprivata Admin Console, click Computers > Deploy agents.

  2. Download the agent installer from the Deployment Procedure section.

  3. Deploy and run the Imprivata agent installation using the following syntax:

    msiexec.exe /i "<path_to_installer>\ImprivataAgent.msi

    IPTXPRIMSERVER="https://<appliance_FQDN>/sso/servlet/messagerouter"

    AGENTTYPE=3

The IPTXPRIMSEVER value specifies the appliance to which the Imprivata agent should connect to obtain the enterprise topology.

Consider the following:

  • This syntax represents the required installation parameters. For a complete list of supported parameters, see the Imprivata Enterprise Access Management Help.

  • The Imprivata agent installer supports standard msiexec options. For more information on these commands, run msiexec /?.

Install the Imprivata Connector for Epic Hyperdrive on all of the servers that are delivering Epic. Consider the following:

  • The same Imprivata Connector for Epic Hyperdrive installer supports both 32-bit and 64-bit operating systems.

  • The Imprivata Connector for Epic Hyperdrive can only be used with one version of Epic on a given workstation.

NOTE: Before installing the Imprivata Connector for Epic Hyperdrive, be sure that Epic is installed.

Using the Installation Wizard

To install:

  1. Run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The installer automatically detects the version of Hyperspace installed and installs the appropriate Imprivata Connector for Epic Hyperdrive files for that version. If multiple versions of Hyperspace are detected or if Hyperspace is not installed, the Imprivata Connector for Epic Hyperdrive installer prompts you to select one version of Epic.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Using the Command Line

To install:

  1. Standard msiexec commands can be used to run the installer (ImprivataConnectorforEpicHyperspace.msi).

    The Epic version of the Imprivata Connector for Epic Hyperdrive can be specified in the msiexec command line as follows:

    • EPICVERSION = 2014

    • EPICVERSION = 2015

    • EPICVERSION = 2017

    • EPICVERSION = "2018 August"

    • EPICVERSION = "2018 November"

    • EPICVERSION = "2019 February"

    NOTE: If you are using the Imprivata Connector for Epic Hyperdrive version 6.3 or later, including an Epic version is not required.

  2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Configure the following keys to enable the detection of proximity card events on the server that is delivering Epic.

Name Data Type Location Value
RedirectionSupported DWORD

32–bit: HKLM\Software\SSOProvider\DeviceManager

64–bit: HKLM\Software\Wow6432Node\SSOProvider\DeviceManager

Default = 0

Set to = 1
RemoteOnly DWORD

32–bit: HKLM\Software\SSOProvider\DeviceManager

64–bit: HKLM\Software\Wow6432Node\SSOProvider\DeviceManager

Default = 0

Set to = 1

Epic Configuration

In this section, you configure the Imprivata Connector for Epic Hyperdrive.

Imprivata has worked with Epic Systems to develop the Imprivata Connector for Epic Hyperdrive. The Connector leverages Epic's authentication API to provide single sign-on, single sign-off, and fast user switching for Epic Hyperdrive.

Imprivata Enterprise Access Management offers two different configuration options for Epic that can be enabled on a per-workstation basis:

  • SSO for Epic only workflow

    With this workflow, the Windows desktop is always unlocked. Users authenticate to Epic using their fingerprint or proximity card. This workflow is optimized for workstations on which Epic is the most frequently accessed application.

  • SSO for multiple applications including Epic

    With this workflow, the Windows desktop is secured by the Imprivata agent. Users authenticate to EAM using their fingerprint or proximity card. This workflow is optimized for workstations on which Imprivata Single Sign-On is required for multiple applications, including Epic.

EAM can be configured to secure Epic and maintain the patient context or log the user out of Epic with either of these workflows.

NOTE:

In scenarios where EAM performs Fast User Switching into the Epic EMR Hyperdrive client delivered via Citrix, we recommend that the Epic session remain active during times of clinician usage. The utilization of Citrix timeout settings for Epic sessions, or any closure of the Epic session, may impact login times for clinical users because they must wait for the Epic session to reconnect.

Citrix and VDI connection times are unaffected by EAM. When needed, EAM automates the connection to Citrix, but does not reduce the connection time.

When configuring support for Epic, consider the following:

  • Use the endpoint computer policy to manage the settings on the Connector for Epic tab.

    These settings are only honored from the workstation on which users access Epic. The settings are not honored where Epic is installed.

  • The Imprivata Connector for Epic Hyperdrive for Epic supports a number of reference architectures.

    While you can use the Imprivata Connector for Epic Hyperdrive Configuration Guide to complete the steps required of this reference architecture, the guide does include information that is optional.

As such, the table below provides an overview of what must be configured for this specific reference architecture.

Configuration Notes
System definitions

Epic system definitions are configured to support roaming.

For assistance configuring your system definitions, contact Epic.
Authentication devices

Ensure that your authentication devices are configured correctly:

  • Use Chronicles to configure the E0G master file.
  • Set the Login Mode option to SYSTEM LOGIN (EMP 45), otherwise User ID.

For more information, see Chapter 4.
Epic only mode

In this configuration, Epic is the only application that clinicians can access from the shared workstation:

  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 9.
Multi–app mode

In this configuration, clinicians can access other applications in addition to Epic:

  • By default, when Epic is delivered via Citrix Virtual Apps, the Imprivata Connector for Epic Hyperdrive disables the Imprivata SSO engine. To re-enable the SSO engine, configure the following registry settings:
    • ControlISXAgentStartup
    • DontStartAgentHooks
    • DontStartAgentTimer
    • HookInit
  • Import the Epic_dummy.xml profile that is installed with the Imprivata Connector for Epic Hyperdrive.
  • Use the computer policy (Connector for Epic tab) assigned to your thin clients to configure Epic logout/secure, and credential management.

For more information, see Chapter 8.