4. (Optional) Configure additional features

Fast User Switching (FUS) at the application level keeps electronic health records (EHRs) connected across users. Here, the user switch is realized in-app via the EHR.

Requirements

• Workstation configured as shared managed guest session
• EHR supports in-app user switching

Set up

Make sure the virtualized EHR app is set to automatically launch at the start of a managed guest session with a generic user account. For details, see V-Launcher deployment guide.

Read Imprivata's documentation about Fast User Switching.

The following PC/SC readers require the Smart Card Connector app to be installed and configured:

• IMP-MFR-75
• IMP-MFR-75A
• HID OMNIKEY 5022
• HID OMNIKEY 5023
• HID OMNIKEY 5025 CL
• HID OMNIKEY 5427 CK
• HID OMNIKEY 5422

Before you begin

Create a JSON file using this template and fill in your extension IDs as force_allowed_client_app_ids.

Step 1: Install the app on the sign-in screen

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  DevicesChromeSettingsDevice settings.
3. Under Sign-in settings, follow the link to the login screen apps page.
4. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
5. In the list of apps and extensions, find Smart Card Connector.
6. Under Installation policy, select Installed.
7. In the panel on the right, under Policy for extensions:
   1. Click Upload.
   2. Select the JSON file that you already created.
   3. Click Open.
8. Click Save.

Step 2: Install the app for managed guest sessions

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  DevicesChromeApps & extensionsManaged guest sessions.
3. Click Add Add Chrome app or extension by ID.
4. Enter the Smart Card Connector app ID, khpfeaanjngmcnplbdlpegiifgpfgdco.
5. Select From the Chrome Web Store.
6. Click Save.
7. In the list of apps and extensions, find Smart Card Connector.
8. Under Installation policy, select Force install.
9. In the panel on the right, under Policy for extensions:
   1. Click Upload.
   2. Select the JSON file that you already created.
   3. Click Open.
10. Click Save.

Imprivata Web SSO allows for a seamless authentication to SAML-based web services in the built-in Chrome browser on ChromeOS devices.

You can use Imprivata Web SSO for shared and isolated managed guest sessions on ChromeOS devices to provide an SSO experience to web services for your users.

Note: User sessions support Web SSO by default. So, there is no need to configure Web SSO for user sessions.

Set up Web SSO for managed guest sessions

Step 1: Set up Google Workspace as Service Provider (SP)

Step 2: Set up Imprivata as Identity Provider

(Optional) ADFS redirection

Enterprises with a mix of clinical workstations with Imprivata WebSSO, and non-clinical workstations that authenticate to the default AD FS login workflow can configure a seamless access by following the Microsoft Active Directory Federation Services: Imprivata Web SSO Setup instructions and setting the adfsLoginPagesAllowlist extension policy.

• Read the Microsoft Active Directory Federation Services: Imprivata Web SSO Setup documentation provided by Imprivata. You'll need to be able to access the Imprivata partner portal.
• Set the adfsLoginPagesAllowlist policy. See Step 3: Configure Imprivata extensions.

Imprivata SPINE support requires in-session access to smartcards. The following configuration assures that the Smart Card Connector app supports the Spine workflows.

Note: The use of smartcards on the login screen for user authentication is not supported. We recommend badge-based authentication instead.

First, in the Imprivata admin console:

1. On the User policies settings page, set up Two-Factor Authentication.
2. Configure the persistence of the Spine Combined Workflow sessions.
3. See NHS Spine Support for Imprivata ProveID Embeddeddocumentation provided by Imprivata. You'll need to be able to access the Imprivata partner portal.

Then, in your Google Admin console:

1. Install the Smart Card Connector app. Follow the steps in PC/SC proximity card readers.
2. Using a text editor, in your JSON file , fill in your extension IDs as scard_disconnect_fallback_client_app_ids.

Sample code that you'll add:

{

   "scard_disconnect_fallback_client_app_ids":{

      "Value":[

         "CITRIX_EXTENSION_ID",

         "VMWARE_EXTENSION_ID"

      ]

   }

}

To help increase stability, you can pin your ChromeOS version and prevent auto-updates. For security reasons and to get the latest features and fixes, we recommend that you pin to the latest ChromeOS version after you verify it on a smaller test set.

Read Pin ChromeOS updates to a specific version.

To help increase stability, you can pin apps and extensions, including Citrix or VMware client apps, to a specific version and prevent auto-updates. For security reasons and to get the latest features and fixes, we still recommend you to pin to the latest extension version after verifying it on a smaller test set.

To pin an extension to a specific version:

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  DevicesChromeApps & extensionsManaged guest sessions.
3. Select the app or extension that you want to pin.
4. Under Version pinning, select the version you want to pin to.
5. Click Save.

By default, the Imprivata extensions reports non-PII metrics to Google to facilitate error diagnostics and analyze performance. Metrics do not contain user identification data. They use randomly generated unique device identifiers. Google retains data for 14 months.

These are some samples of metrics we collect to help us analyze and improve the Imprivata integration on ChromeOS:

Occurring errors

• Unhandled exceptions
• VDI launch failures
• Failed web API requests, such as network errors and unexpected responses
• USB device errors, such as badge or fingerprint readers

Performance

• Time to launch, unlock, lock, and sign out of an OS session
• Time to perform a user switch
• Time to launch a VDI session
• Time to make a web API request to the Imprivata appliance
• Time until other apps are installed, such as Citrix, VMware, and Smart Card Connector
• Time for key operations used during authorization, such as sign operation

Usage patterns

• How often specific flows are triggered and completed, such as badge enrollment
• Which type of modalities were used to sign in, such as badge, credentials, PIN
• How many sessions were started
• How many devices run Imprivata OneSign
• How often certain features are used, such as Web SSO
• Source of lock and sign-out events, such as idle event or tap-out
• How many virtual desktop/apps were launched, including automatically launched
• Which virtual desktop or app client app was used, Citrix or VMWare
• How long OS sessions last
• How long VDI sessions last

Metadata

• ChromeOS or ChromeOS Flex version
• Extension version
• Badge reader model & firmware version
• Agent type

Turn off metrics reporting

By default, metrics reporting is turned on. To opt out, set the optional extension policy value metricsCollectionEnabled to false for the sign-in screen extension. For details, see Step 3: Configure Imprivata extensions.