Upgrading Enterprise Access Management with MFA 25.2 to 25.3 on G4 Appliances
The following sections detail how to upgrade Imprivata G4 appliances from 25.2 to 25.3.
This topic applies to upgrading the fourth generation (G4) appliances.
Upgrade to the latest available hotfix (HF) of 25.2 before upgrading to 25.3.
If your appliances are running 25.2 (25-2-0), you must first upgrade to the latest 25.2 appliance hotfix before upgrading to 25.3. If you do not, the upgrade will stall.
When you apply hotfixes to appliances, always apply the same hotfix to all appliances in the enterprise. Imprivata does not support enterprises with appliances running different releases or hotfixes.
Known Issues and Upgrade Considerations
Review the following before you upgrade:
- A known issue that is listed here represents something that can result in downtime during or after the upgrade to 25.3.
- An upgrade consideration that is listed here represents a change in either product behavior or configuration from the 25.2 enterprise to 25.3.
Known Issues
There are no known issues that affect this upgrade.
Upgrade Considerations
The following considerations apply to this upgrade:
Each stage of the upgrade of your Imprivata appliances from 25.2 to 25.3 will take a certain amount of time, depending on the size of the update needed.
Consider the following time estimates:
- Appliance operating system updates: typically take 20 to 40 minutes.
- Database updates: typically take 45 to 120 minutes, or possibly longer, based on the size of the database.
  The Imprivata Appliance Console will not be reachable during the database update process.
Before You Start the Upgrade
Familiarize yourself with the requirements, new features and enhancements, and other information associated with the release to which you are upgrading:
An upgrade from 25.2 to 25.3 requires that the installed version of the Imprivata G4 Platform Update (platform update) be applianceG4-2025-3-1 or later.
If this platform update is not installed on all appliances, download and install it before upgrading G4 appliances.
Due to the file size of the platform update file, use one of the following methods for uploading:
- Upload the platform update files from a file server connected to the appliance.
- If you cannot use a file server, upload the IPM from your local computer, using the Imprivata Appliance Console > Packages tab.
An upgrade from 25.2 to 25.3 supports a zero-downtime upgrade. During a zero-downtime upgrade, you can upgrade every appliance in the enterprise at the same time:
- The Imprivata server remains up throughout the entire upgrade.
- The Imprivata quarterly platform update is applied manually by the administrator to one appliance at a time. If the administrator chooses to upgrade the Imprivata quarterly platform on all appliances at the same time, there will be downtime while the updates are running.
- Appliances do not have to be rebooted after an upgrade.
- Scheduled jobs are skipped until their next scheduled time. Skipped jobs include audit record maintenance, automated domain password changes, automated domain synchronization, and scheduled reports.
The upgrade requires at least 10 MBps of available bandwidth. If your network has less than 10 MBps available, agent authentication failures or upgrade failure may occur.
Perform the upgrade during off-peak network utilization hours to provide as much bandwidth as possible for the upgrade.
Before you upgrade, review the Release Notes and the Supported Components, to familiarize yourself with:
- New features, enhancements, and qualifications.
- The supported configurations and endpoint types for your environment.
To download these documents, see the Imprivata Enterprise Access Management with MFA release documentation page.
Consider the following:
- Audit records are retained during the upgrade.
- As part of the appliance upgrade, the Imprivata database is synchronized. The enterprise remains online during the synchronization, which can result in infrequent data loss.
  Although unlikely, data that is collected while the database is being synchronized may be lost. As a result, some users may be required to re-enter credentials that were captured during the upgrade. Examples of lost data include:
  - User credentials captured during user authentication
  - Passwords that are reset
  - Changes made through Imprivata's provisioning interface
This type of data loss may occur only when the Imprivata database is being synchronized as part of the upgrade. It does not occur when synchronizing the Imprivata database outside of the upgrade process.
Suspend provisioning to the Imprivata database during the Imprivata upgrade.
Download the Imprivata Package Manager Files
Before you begin the upgrade, download the Imprivata Package Manager (IPM) files.
The Imprivata G4 Platform Update (platform update) includes updates to third-party software, infrastructure, communication, and security improvements.
To determine if a platform update is required, and when to install each version, see "Imprivata Platform Update Requirements" above.
To download the required platform IPM:
Downloads:
The following item represents the minimum required platform IPM for upgrading from 25.2 to 25.3.
Platform updates are released on a regular basis, and a more recent platform IPM may be available on the product downloads page for the release to which you are upgrading.
applianceG4-IMPRIVATA-2025-3-1 - the virtual G4 appliance.
The G4 Imprivata Update IPM (Imprivata Update) includes the new business logic, features, enhancements, and bug fixes for the release.
When updating the Imprivata update IPM, all appliances in the enterprise must be at the same hotfix release.
To download the Imprivata update IPM:
- From the product downloads page, select the Enterprise Access Management release to which you are upgrading.
- Download the G4 Imprivata Update.
Prepare for the Upgrade
The following sections detail how to prepare for the upgrade.
Archive and Delete Audit Records
Archiving and deleting audit records reduces the time it takes to back up the Imprivata database and complete the upgrade.
Archiving audit records requires an FTP server, network share, or SCP server on which to store the records.
If you have not yet configured a file server, see "Configuring a File Server for Storing Audit Records and Reports" in the Imprivata Online Help.
Consider the following before you archive and delete audit records:
- Limit the number of records on the appliance to 10 million or fewer to reduce the amount of time the Imprivata database backup takes.
- Audit records for an entire enterprise are logged from a database appliance in the site. Record maintenance consumes bandwidth, so select a site that can accommodate the additional traffic or run the job during off-peak hours.
- Administrator activity is not stored in audit logs and cannot be deleted.
- Reports cannot be created from deleted data. When specifying the age of files to be deleted, consider the period of time for which you need reporting.
  For more information on reporting using archived data, see "Running Reports on Archived Data" in the Imprivata Online Help.
To archive and delete audit records:
- In the Imprivata Admin Console, go to the gear icon menu > Settings page.
- Go to the Audit Records section.
- Click Manage audit records, then select Show record counts for all time to identify how many audit records are being stored on the appliance.
- Go to the Record Maintenance section, select Archive and Delete, and specify the minimum age of records to be archived.
  NOTE: Although all audit records are archived, regulated audit records that must be retained for a specific period of time are not deleted from the appliance.
- In Save location, enter the relative path of the location on the file server.
  NOTE: If the path is blank for an SCP server, the archived records are saved to the home folder of the account. For example: /home/<user>.
- Do one of the following:
  - Click Perform now.
  - Use the Frequency options to schedule the job, and click Save.
- After the job is complete, click Manage audit records, then select Show record counts for all time to identify how many audit records are being stored on the appliance.
Ensure that the record maintenance job has completed before proceeding to the next step.
Back up the Imprivata Database
Back up the Imprivata database before beginning the upgrade. A backup file can be used to restore the database if it becomes compromised.
Backing up the Imprivata database can take ten minutes or longer, depending on its size. During the backup, users experience no interruption in service. The backup file:
- Contains the Imprivata database for the entire enterprise — not just a single site.
- Does not contain configuration data for the enterprise, site, or appliance.
- Is a compressed file that can be encrypted for increased security. The file name includes a date-time stamp. For example, a file named 20250801_132506.IBU is a backup that was created in the year 2025, on August 1, at 1:25:06 pm.
It is best practice to store the Imprivata database backup file in a secure location off the appliance:
- If you have configured a default file server for the appliance, the backup process automatically saves the backup file to the location.
- If you have not configured a default file server, the backup process saves the backup file to the appliance. In that case, you should download it to a secure location.
For more information on using the Imprivata Appliance Console to configure a file server, see "Imprivata Network Settings" in the Imprivata Enterprise Access Management Online Help.
Create the Imprivata database backup file from an Imprivata database appliance.
NOTE: An Administrator or Super Administrator can create the backup file.
To create the backup file:
- In the Imprivata Appliance Console, go to the System page > Operations tab.
- Click Start Backup.
- (Optional) To encrypt the backup file, select Encryption Enabled.
  CAUTION: Take note of the password. If you forget the password, you are unable to use this file to restore the database.
- Click OK. The backup is complete when the Operations page lists the status as SUCCESS.
  - If you have configured a file server, the backup process saves the file to this location.
  - If you have not configured a file server, click Save to download the file. Store it in a secure location.
Configure Failover
By default, Imprivata agents communicate with appliances in their home site. Configuring appliances for failover between sites lets agents communicate with appliances across the enterprise, helping to ensure uninterrupted service during the upgrade.
To configure site failover:
- In the Imprivata Admin Console, go to the gear icon menu > Sites.
- Select a site from the list.
- Go to the IP Addresses and Failover section, and select Allow computers belonging to this site to failover to other sites?
- Select the primary failover site. Select failover sites with sufficient capacity to support both failed-over and regular users.
  NOTE: For fourth generation (G4) enterprises, Imprivata discourages the use of secondary failover sites, because Imprivata recommends having at most two sites in a G4 enterprise.
- Click Save.
- Repeat steps 2-5 for each site in the enterprise.
Upgrade the Imprivata Appliance
The following sections detail how to upgrade an Imprivata appliance.
Before You Upgrade
Before you upgrade, complete the following steps.
Confirm that there are no issues with the enterprise database replication for each database appliance in the enterprise.
To confirm the enterprise database replication status of an appliance:
- In the Imprivata Appliance Console, go to the System page > Operations tab.
- In the Synchronize Enterprise Database row, verify that the status displays as Success.
  IMPORTANT: If the row displays a status of Failed, do not proceed with the upgrade.
  - Take note of the status, the date and time stamp of the failure, and any error messages.
  - Collect the appliance logs and contact Imprivata Technical Support to resolve the issue and complete your upgrade.
  - In the event of an appliance failure, collect the appliance logs for Imprivata Technical Support.
To enable one-click collection and upload of appliance logs to Imprivata:
- In the Imprivata Appliance Console, go to System > Logs > Log data export > Log data to include.
- Select all available data.
- To automate the delivery of logs to Imprivata, select Send a copy to Imprivata Technical Support; when selected, enter the case number provided by Imprivata Customer Support.
- Click Start Export. The appliance will copy logs from various system directories and create an archive file. Clicking Start Export overwrites the previous log report.
  A progress indicator is displayed while the logs are collected and exported; you can click Stop Export to cancel.
- After the export is complete, click View Files to open the archive.
- Repeat this process for additional appliances, if needed.
It is best practice to restart all appliances in the enterprise before the upgrade. To start a rolling reboot:
- In the Imprivata Appliance Console, go to the System page > Operations tab.
- Click Reboot/shutdown options.
- Select Reboot all appliances, and click Go.
Confirm that the Imprivata server is running for each appliance in the enterprise. To confirm that the Imprivata server is running:
- In the Imprivata Appliance Console, go to the System page > Operations tab.
- Verify that the Imprivata server status is Running.
Confirm that there are no issues with the system services for each appliance in the enterprise.
To confirm the system status of an appliance:
- In the Imprivata Appliance Console, go to the System page > Health Agents tab.
- Verify that the status of each service is OK.
To confirm that the sites are running:
- In the Imprivata Admin Console, go to the gear icon menu > Sites page.
- Verify that the status of each site is Up.
  NOTE: Sites that contain database appliances will display a status for the site. Any site which only contains service-only appliances will be empty.
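The checks in this section, together with the hotfix, platform update, bandwidth, audit record and backup prerequisites stated earlier, can be evaluated as one go/no-go gate before the change window. The following Python code is an added example, not Imprivata code or tooling; the inventory layout, field names, host names, hotfix label, the older platform name and the 24-hour backup window are assumptions, and the values are expected to be recorded by hand from the console pages.

```python
import re
from datetime import datetime, timedelta

MIN_PLATFORM = (2025, 3, 1)      # applianceG4-2025-3-1 (from the page)
BASE_25_2 = "25-2-0"             # base release that must be hotfixed first
MAX_AUDIT_RECORDS = 10_000_000   # page guidance: 10 million or fewer
MIN_BANDWIDTH_MBPS = 10          # page requirement

def platform_version(name):
    """Parse 'applianceG4-2025-3-1' / 'applianceG4-IMPRIVATA-2025-3-1'."""
    m = re.fullmatch(r"applianceG4-(?:IMPRIVATA-)?(\d{4})-(\d+)-(\d+)", name)
    if m is None:
        raise ValueError(f"unrecognized platform update name {name!r}")
    return tuple(int(part) for part in m.groups())

def backup_time(filename):
    """Parse the date-time stamp of a backup name such as 20250801_132506.IBU."""
    return datetime.strptime(filename, "%Y%m%d_%H%M%S.IBU")

def preflight(appliances, audit_records, bandwidth_mbps, backups, now,
              max_backup_age=timedelta(hours=24)):  # 24 h is an assumption
    """Return {'block': [...], 'warn': [...]} for a manually recorded inventory."""
    block, warn = [], []
    releases = sorted({a["release"] for a in appliances})
    if len(releases) > 1:
        block.append(f"mixed releases/hotfixes: {', '.join(releases)}")
    for a in appliances:
        host = a["host"]
        if a["release"] == BASE_25_2:
            block.append(f"{host}: apply the latest 25.2 hotfix first")
        try:
            if platform_version(a["platform"]) < MIN_PLATFORM:
                block.append(f"{host}: platform update {a['platform']} is too old")
        except ValueError as exc:
            block.append(f"{host}: {exc}")
        if a["server"] != "Running":
            block.append(f"{host}: Imprivata server is {a['server']}")
        # Only database appliances report enterprise database replication.
        if a["role"] == "database" and a["db_sync"] != "Success":
            block.append(f"{host}: Synchronize Enterprise Database is {a['db_sync']}")
        for service, status in a["health"].items():
            if status != "OK":
                block.append(f"{host}: health agent {service} is {status}")
    if bandwidth_mbps < MIN_BANDWIDTH_MBPS:
        block.append(f"only {bandwidth_mbps} MBps of bandwidth available")
    ages = [now - backup_time(b) for b in backups]
    if not any(timedelta(0) <= age <= max_backup_age for age in ages):
        block.append("no database backup within the allowed age")
    if audit_records > MAX_AUDIT_RECORDS:
        warn.append(f"{audit_records} audit records; archive and delete first")
    return {"block": block, "warn": warn}

# Constructed inventory, copied by hand from the console pages; host names,
# the hotfix label and the older platform name are placeholders.
SAMPLE = [
    {"host": "g4-db-01", "role": "database", "release": "25-2-HOTFIX-PLACEHOLDER",
     "platform": "applianceG4-2025-3-1", "server": "Running",
     "db_sync": "Success", "health": {"service-a": "OK"}},
    {"host": "g4-svc-01", "role": "service", "release": "25-2-0",
     "platform": "applianceG4-2025-2-1", "server": "Running",
     "db_sync": None, "health": {"service-a": "OK"}},
]

if __name__ == "__main__":
    result = preflight(SAMPLE, audit_records=12_400_000, bandwidth_mbps=25,
                       backups=["20250801_132506.IBU"],
                       now=datetime(2025, 8, 1, 20, 0, 0))
    for level, items in result.items():
        for item in items:
            print(f"{level.upper()}: {item}")
```

An empty block list means every stated prerequisite is met; warn entries only lengthen the backup and upgrade.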
Upgrade Your Imprivata Appliances
Complete the following steps to upgrade Imprivata appliances:
An upgrade from 25.2 to 25.3 requires that the installed version of the Imprivata G4 Platform Update (platform update) be applianceG4-2025-3-1 or later.
A more recent platform IPM may be available on the product downloads page for the release to which you are upgrading.
If this platform update is not installed to all appliances, install it before upgrading appliances.
Use one of the following methods for uploading:
- Upload the platform update files from a file server connected to the G4 appliance.
  NOTE: For more information on using the Imprivata Appliance Console to configure a file server, see "Imprivata Appliance Settings" in the Imprivata Online Help.
- If you cannot use a file server, upload the IPM from your local computer. Using the Imprivata Appliance Console > Packages tab, do the following:
  - Upload the applianceG4-2025-3-1 (or later) platform update file.
  - Distribute the platform update to your G4 appliances.
  - Install the platform update.
    IMPORTANT: Do not select the option to install on all appliances at once. Due to the time required to install the platform update, Imprivata recommends that you install this update manually on each appliance in the enterprise.
- Upgrade to the latest available version of 25.3.
This upgrade supports a zero-downtime upgrade. All appliances are upgraded at the same time.
When updating the G4 Imprivata update IPM, all appliances in the enterprise must be at the same hotfix release.
To distribute and install the appliance update:
- Log into the Imprivata Appliance Console. Go to the Packages tab.
- Click Upload Imprivata Package, specify the file, and then click Upload.
- Click Distribute, and then Send, to copy the IPM to all appliances in the enterprise.
- Click Done when the distribution is finished.
- From the Imprivata Appliance Console, select the IPM and click Install. The IPM Information page appears and Install IPM on all appliances is selected.
- Click Install.
  IMPORTANT: The appliance upgrade may take 45 to 90 minutes, or possibly longer, to complete. While all appliances are being upgraded, the Imprivata Admin Console locks, and all administrative functionality is unavailable.
  Even if the Imprivata Admin Console is available after you start the upgrade, do not use it.
  Changes you make using the Imprivata Admin Console may be lost during the upgrade.
Upgrade Failures
If the upgrade fails for any reason, error messages are displayed on the Imprivata Appliance Console.
- Do not attempt to run the upgrade again.
- Do not remove any of the appliances from the enterprise, as doing so would leave the enterprise in a corrupted state.
- Do not attempt to upload other IPMs of a lower or higher version to attempt another upgrade, as doing so would leave the enterprise in a corrupted state.
- Do not initiate a reboot or restart of the server or VM if you are not certain whether the upgrade is still in progress.
Collect the appliance logs and contact Imprivata Technical Support to resolve the issue and complete your upgrade.
In the event of an appliance failure, collect the appliance logs for Imprivata Technical Support.
To enable one-click collection and upload of appliance logs to Imprivata:
- In the Imprivata Appliance Console, go to System > Logs > Log data export > Log data to include.
- Select all available data.
- To automate the delivery of logs to Imprivata, select Send a copy to Imprivata Technical Support; when selected, enter the case number provided by Imprivata Customer Support.
- Click Start Export. The appliance will copy logs from various system directories and create an archive file. Clicking Start Export overwrites the previous log report.
  A progress indicator is displayed while the logs are collected and exported; you can click Stop Export to cancel.
- After the export is complete, click View Files to open the archive.
- Repeat this process for additional appliances, if needed.
Next Steps and Best Practices
After your Imprivata enterprise is upgraded, complete the following steps:
Appliance failover was configured to help ensure uninterrupted service during the upgrade. If you enabled appliance failover for the upgrade only, you may want to disable it now.
Back up the Imprivata database immediately:
- If the database becomes corrupted or compromised, you can use the backup file to restore the environment. For more information, see Create the Imprivata Backup File.
- If you have not scheduled an automatic daily backup, consider configuring it now.
  NOTE: For more information, see "Backing Up the Imprivata Database" in the Imprivata Online Help.
Scheduling audit record maintenance helps to ensure that audit records are regularly archived and deleted.
If you have not scheduled recurring audit record maintenance, consider configuring it now.
To archive and delete audit records:
- In the Imprivata Admin Console, go to the gear icon menu > Settings page.
- Go to the Audit Records section.
- Click Manage audit records, then select Show record counts for all time to identify how many audit records are being stored on the appliance.
- Go to the Record Maintenance section, select Archive and Delete, and specify the minimum age of records to be archived.
  NOTE: Although all audit records are archived, regulated audit records that must be retained for a specific period of time are not deleted from the appliance.
- In Save location, enter the relative path of the location on the file server.
  NOTE: If the path is blank for an SCP server, the archived records are saved to the home folder of the account. For example: /home/<user>.
- Do one of the following:
  - Click Perform now.
  - Use the Frequency options to schedule the job, and click Save.
- After the job is complete, click Manage audit records, then select Show record counts for all time to identify how many audit records are being stored on the appliance.
After your Imprivata enterprise is upgraded, you can upgrade the Imprivata agents.
Review Supporting Documentation
When determining whether to upgrade the Imprivata agents, review the following documentation available on the Product Downloads page for the
- Release Notes — for new and improved features and technology updates.
- Fixed Issues List — for the latest hotfix in the release. Includes information on server and client fixes.
- Supported Components - for the supported configurations and endpoint types for your environment. For Imprivata Enterprise Access Management, see the Imprivata Environment Reference portal.
Familiarize yourself with the requirements, new features and enhancements, and other information associated with the release to which you are upgrading.
Appliance and Agent Compatibility
- The Imprivata appliance release is backwards compatible with older agent releases. An agent can be of the same release as the appliance, or downlevel.
- For configurations that include endpoints connecting to a Citrix server, the following agent compatibility is expected:
  - Citrix server agents are backward compatible with older endpoint agents.
  - When upgrading an environment containing Citrix, the required upgrade order is:
    - Appliances
    - Citrix agent
    - Endpoint agents
- Run a report to identify the Imprivata agent releases installed on your endpoints.
  To run the report, in the Imprivata Admin Console, click Reports > Agent deployment report.
What to Expect
Consider the following information when upgrading Imprivata agents:
- Endpoints require a restart after upgrading the Imprivata agent software.
  IMPORTANT: Depending on your environment, you may need to carefully schedule Imprivata agent upgrades, because of the requirement to restart the endpoints.
Next Steps
There are two ways to update Imprivata agents:
- If Imprivata agents are set to automatically update, they do so at the next refresh interval after the appliance is upgraded.
  To verify this setting in the Imprivata Admin Console, go to the Agent Upgrades section on the General tab of the computer policy (Computers > Computer policies).
- If Imprivata agents are not set to automatically update, you must push the appropriate MSI file.
  To locate the agent MSI files in the Imprivata Admin Console, go to the Deploy agents page (Computers > Deploy agents).
Test and Validate EMR-Specific Workflows
Before upgrading all of the Imprivata agents in your enterprise, conduct testing with a subset of upgraded Imprivata agents.
Test and validate your EMR-specific workflows with a small set of upgraded Imprivata agents. Depending on your organization, these might include the following workflows:
- Application profiles, using the Imprivata APG.
- Single sign-on into your EMRs
- MFA for clinical workflows
- MFA for EPCS
