VMware Horizon Community
epa80
Hot Shot

Imprivata With View?

We are in the early stages of a POC utilizing Imprivata on Wyse ThinOS terminals, with Horizon View 6.2. Reading through Imprivata's documentation, they mention Citrix a lot more than they do View, so I'm curious if many people are utilizing this setup.

We're looking to leverage the terminals in Kiosk mode 99% of the time, i.e. a generic account pulls a Windows session from View, then the users tap their badge to provide Imprivata with their account info, and are quickly presented with the desktop from the generic account. User taps again, it locks, next user walks up, rinse and repeat, all on the same desktop. So far we've seen mixed results in our early testing. Generic user gets the desktop, user 1 taps in, gets their session with their creds, taps and locks. 2nd user walks up, taps, and gets the session, but Imprivata still believes it's user 1 on the desktop.

I'm leaning towards it being our Wyse terminals config, which I'm looking into further today. Anyone who's utilizing perhaps a similar setup, I'd love to hear about it.

Thanks in advance.


Accepted Solutions
agalliasistju
Enthusiast

epa80, here's what we ended up doing:

On the ThinOS terminal, add the required line to the INI to enable Imprivata OneSign:

OneSignServer=https://FQDN KioskMode=yes TapToLock=0 AutoAccess=VMW EnableFUS=yes

For the Imprivata Agent install on View Parent Image for Kiosk Mode (Type 1):

1. Install the Imprivata Agent choosing the "Shared Kiosk Workstation" option
2. Install the Epic Connector (If using Epic and if needed)
3. Add/Configure the following registry keys:

Disable Control + Alt + Del:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Microsoft\Windows\CurrentVersion\Policies\System\Disablecad = '1' [DWORD]

This forces the privacy screen to a specific time after the tap:
HKLM\SOFTWARE\[Wow6432Node]\SSOProvider\ISXAgent\PrivacyScreenExtraDelayInMilliseconds = "5376" [DWORD] (Hex 1500)

HKLM\Software\[Wow6432Node]\SSOProvider\DeviceManager\RedirectionSupported = '1' [DWORD]

HKLM\Software\[Wow6432Node]\SSOProvider\DeviceManager\RemoteOnly = '1' [DWORD]

HKLM\Software\[Wow6432Node]\SSOProvider\ISXAgent\LockRemoteSessionWithAgentOnClient = '1' [DWORD]

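A read-only check for the registry values listed in the post above, added here as an example; it is not part of the original post or of Imprivata's tooling. It assumes PowerShell 3.0 or later on the parent image and reads "[Wow6432Node]" as meaning the value may sit in either the native or the 32-bit registry view; the function name Test-KioskRegistry is hypothetical.

```powershell
# Added audit example: compares the values from the post with what is set on
# the parent image. Read-only; nothing is written to the registry.
$expected = @(
    @{ Key = 'Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'Disablecad'; Value = 1 }
    @{ Key = 'SSOProvider\ISXAgent'; Name = 'PrivacyScreenExtraDelayInMilliseconds'; Value = 0x1500 }
    @{ Key = 'SSOProvider\DeviceManager'; Name = 'RedirectionSupported'; Value = 1 }
    @{ Key = 'SSOProvider\DeviceManager'; Name = 'RemoteOnly'; Value = 1 }
    @{ Key = 'SSOProvider\ISXAgent'; Name = 'LockRemoteSessionWithAgentOnClient'; Value = 1 }
)
# Assumption: "[Wow6432Node]" in the post means "native view or 32-bit view".
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

function Test-KioskRegistry {
    param([object[]]$Expected = $expected, [string[]]$Roots = $roots)
    foreach ($item in $Expected) {
        foreach ($root in $Roots) {
            $path   = Join-Path $root $item.Key
            $prop   = Get-ItemProperty -Path $path -Name $item.Name -ErrorAction SilentlyContinue
            $actual = $null
            $kind   = $null
            if ($null -ne $prop) {
                $actual = $prop.($item.Name)
                $kind   = (Get-Item -Path $path).GetValueKind($item.Name)
            }
            # The post gives every value as a DWORD, so a string "1" is flagged too.
            if ($null -eq $prop)             { $state = 'Missing' }
            elseif ($kind -ne 'DWord')       { $state = 'WrongType' }
            elseif ($actual -ne $item.Value) { $state = 'Mismatch' }
            else                             { $state = 'OK' }
            [pscustomobject]@{
                Name = $item.Name; State = $state; Expected = $item.Value
                Actual = $actual; Kind = $kind; Path = $path
            }
        }
    }
}

$report = Test-KioskRegistry
$report | Format-Table Name, State, Expected, Actual, Path -AutoSize

# A setting counts as applied when at least one registry view holds it correctly.
$unset = $report | Group-Object Name | Where-Object { $_.Group.State -notcontains 'OK' }
if ($unset) { Write-Warning ('Not applied: ' + ($unset.Name -join ', ')) }
```

Running it on the parent image before each recompose catches a setting that was dropped or written with the wrong type, either of which leaves the shared kiosk desktop behaving differently from what the post describes.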
14 Replies
CA_Chris
Contributor

What workflow are you looking to have? Are you wanting to roam View sessions from device to device (typical config with Imprivata+View) or something more like the Citrix FUS workflows but with View, i.e. what you mentioned below?

Are you trying to run a specific EMR within the workflow?

FishadrTMS
Contributor

We deployed this last year and it works seamlessly. Clients are thick running Windows 7 in kiosk mode as per Microsoft suggestions. However what we do is use smart cards for tap-on/tap-off or within the smart card readers. The Imprivata software identifies the user and the machines and logs them in locally and then launches a new VDI session or reconnects to an existing one. Again tap off disconnects the VDI session and logs off the local machine.

I haven't tried it with the thin clients yet, but Imprivata didn't believe there would be any problems.

Imprivata support and recommend Citrix or View.

epa80
Hot Shot

Initially we wanted to mimic the Citrix FUS workflow, but, it sounds like we misunderstood and that isn't a possibility. Are we mistaken? We'd like to NON roam sessions from device to device. We are running Epic on these VMs, the Epic go live will coincide with this Imprivata implementation.

Open to all suggestions though. As we are literally in day 4 of our POC for Imprivata, we'll evaluate anything.

epa80
Hot Shot

What type of endpoints are you using in your scenario? We have linked clones, and in our plans we would not be roaming; each Wyse terminal would sign on with a generic account to grab a VM from a floating pool. User taps in and their credentials lay over top of the acquired floating VM, they utilize the apps we profile, log out, begin anew somewhere else on the floor. Open to suggestions though, we are basically in week 1 of our Imprivata POC.

Edit: ignore my question about endpoints. Re-read your reply and saw you said you're not using thin clients.

CA_Chris
Contributor

I would recommend looking at EPIC User Web and review their config doc for View. It will give you some good reference info.

You can do some workflows similar to CITRIX, but you'll have to do some additional tweaks to the VM and Imprivata Reg Keys.

epa80
Hot Shot

We have a conference call with Imprivata today. Should be able to see what we're missing, and what we can or can't do. I checked the EPIC User Web, and maybe my search skills need to improve there, but I didn't find a whole lot that seemed like it could help me. Might take another stab today.

grossag
VMware Employee

I saw this thread and also asked Imprivata about this and it sounds like you all got everything resolved.

Can you post a summary of the resolution in case others find this thread in the future?  Thanks!

VMMalley
Enthusiast

Samsung Zero clients have the firmware to integrate with an Imprivata solution.

I use quite a few Samsung Zero clients, would like to put in Imprivata someday, but some $$$ right now.

Actually, the Teradici 2 chipset supports Imprivata integration, so a wide range of zero clients.

epa80
Hot Shot

Thanks very much for the reply. We have finally gotten going with our POC for Imprivata, and by and large, things are working well. We are running into a bit of a hiccup though with VMs getting hung up, on what seems to be the iexplore.exe process. We utilize IE8 for now due to app requirements. Anyway. Our Imprivata admin has a script going where, any time a new user comes in and taps in, he has a script running to kill all sorts of running processes, in case a previous user has these open. IE, calculator, Chrome, what have you. We're verifying that it's running, but, indications are it isn't. Our users are coming in in the morning, finding the terminals slow and hung up. When we go into task manager, there's consistently an instance of iexplore.exe running, and typically very high on memory.

Anyway. Besides this one hiccup, we seem to be running pretty well. Not sure if we're missing a best practice somewhere along the way, but, all things considered we're in decent shape.

epa80
Hot Shot

We just validated that the script we have running is indeed closing tasks as users tap over previous users' sessions, as we expect. We're going to leave apps up and running for a few hours, see if we can bog down the system again. All apps we're using today are web based. We have 2 vCPU and 2GB of memory on the VMs.

epa80
Hot Shot

Is anyone utilizing Imprivata in a linked clone pool as we discussed, and seeing an issue where after an undefined amount of time idle, the system becomes unresponsive? Basically a user taps in, gets their session and then tries to launch an app or 2 and they just sit. If it's IE it'll spin and spin and never load the app/site. A logoff seems to fix it, causing the user to get a new session of course. Does this have anything to do with the write-caching done on a linked clone pool?

epa80
Hot Shot

Update on this:

We made one change inside of our VMs that we hope makes a positive impact. Well, 2 changes to be honest.

The first was we upgraded from IE8 to IE11. However, I think the more impactful change for us is that we moved a screensaver we had running in our VM sessions, and are running it via the Wyse terminal instead. We're hoping that freeing up that process (it was a slideshow screensaver) could reveal itself as our possible culprit.

We have had 0 assistance on troubleshooting this from Imprivata support, so, still any input from people using it, I'd love to hear it.

Thanks.

epa80
Hot Shot

And unfortunately we just saw it. Trying to repeat it is a pain, seems so random. We tapped into the VM, went to launch one of the IE shortcuts profiled with Imprivata, and it comes up with a blank IE window and spins. At that point IE seems hung, whether trying to go to another profiled IE page or a non-profiled page. If we open Chrome, which isn't profiled at all, it goes just fine. This tells me SOMETHING about the Imprivata profiling has hung it up. Within a minute, maybe 2, things clear up and we can start going to the pages again. So odd.
