Use ChromeOS devices with Imprivata OneSign

2. Set mandatory policies

Next: 3. (Optional) Switch integration type

For managed ChromeOS devices.

We recommend that first you apply settings to a small number of devices in a test organizational unit. Then, after you verify that devices are working correctly, you can apply them to your entire organization.

How to

ChromeOS offers three different integration types for Imprivata:

For initial default setup, we recommend that you follow the instructions below to set up shared managed guest session. Then, if needed, switch to isolated managed guest session or user session. For details, see Switch integration type.

Open all | Close all

Step 1: Configure managed guest session settings

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu DevicesChromeSettingsManaged guest session settings.
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Turn on managed guest sessions for ChromeOS devices:
1. Go to General.
2. Click Managed guest session.
3. Select Allow managed guest sessions.
4. Enter the session name.
5. Click Save.
Turn off idle action:
Note: Use the Imprivata admin console to configure idle handling and timeouts.
1. Go to Power and shutdown.
2. Click Idle settings.
3. For AC idle action, select Do nothing.
4. For Battery idle action, select Do nothing.
5. Click Save.
Turn off automated sign-out dialog:
1. Go to Session settings.
2. Click Display the logout confirmation dialog.
3. Select Do not show logout dialog when the last window is closed.
4. Click Save.
(Optional) Don’t show sign-out button in tray:
Note: Recommended for shared kiosk workstation.
1. Go to Session settings.
2. Click Show logout button in tray.
3. Select Do not show logout button in tray.
4. Click Save.
(Optional) Prevent browser window automatically launching on startup:
1. Go to Startup.
2. Click Browser launch on startup.
3. Select Do not launch the browser on startup.
4. Click Save.
(Optional) Customize the shelf alignment:
Note: Useful if you stream full screen virtual desktops to prevent virtual and native shelf from overlapping.
1. Go to User experience.
2. Click Shelf position.
3. Select Right.
4. Click Save.
(Optional) Configure session language:
1. Go to User experience.
2. Click Allowed ChromeOS languages.
3. Select your preferred languages.
4. Click Save.
5. Click Session locale.
6. Specify the order of languages.
7. Click Save.
  Note: Configuring Session locale impacts the in-session ChromeOS language as well as the in-session language of Imprivata extension notifications.
(Optional) If you configure Citrix Workspace or VMware Horizon Client for Chrome in fullscreen mode, we recommend that you specify URLs that can open without a notification after device unlock:
1. Go to User experience.
2. Click Fullscreen after unlock.
3. Enter URLs as needed. For URL syntax, see URL blocklist filter format.
  - Sample URL: chrome-extension://appId, where appID is the Citrix or VMware app ID.
4. Click Save.

Step 2: Configure device settings

In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Specify device hostname:
1. Go to Other settings.
2. Click Device network hostname template.
3. Enter the hostname template you want to use.
  Devices show up with this hostname in the Imprivata admin console. If no hostname template is specified, the hostname defaults to the device’s serial number.
4. Click Save.
Specify USB devices that apps and extensions can directly access:
1. Go to Other settings.
2. Click USB access.
3. For Allowed USB devices, enter each device USB vendor identifier (VID) and product identifier (PID) as a colon separated hexadecimal pair (VID:PID). Put each device on a separate line.
  Enter the following supported badge readers:
  c27:3bfa
  c27:3b1e
4. Click Save.
(Optional) Prevent devices from going to sleep or shutting down when they're idle:
1. Go to Power and shutdown.
2. Click Power management.
3. Select Do not allow device to sleep/shut down when idle on the sign-in screen.
4. Click Save.
(Optional) Configure device language:
1. Go to Sign-in settings.
2. Select your preferred language.
  Note: The Sign-in language setting impacts the ChromeOS language on the sign-in screen as well as the language of the Imprivata extension on the sign-in screen.
3. Click Save.
  Note: Some strings of the Imprivata extension are directly provided by the Imprivata appliance. Change the corresponding Imprivata computer policies to adapt them to a language of your choice.

Step 3: Configure Imprivata extensions

Sign-in screen extension

In the Admin console, go to Menu DevicesChromeSettingsDevice settings.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Go to Imprivata.
Click Imprivata login screen integration.
Select Use the Imprivata extension on the login screen.
Click OK to acknowledge that sensitive data, including passwords, might be shared with Imprivata Inc.
Configure sign-in screen policies:
1. Using a text editor, create an extension policy file, in JavaScript Object Notation (JSON) format. Here is an example JSON file. For details about the policies you can set, see table below.
  Make sure that the JSON code is formatted correctly with the third-party JSON validation tool of your choice.
2. Click Upload.
3. Choose the file you want to upload.
4. Click Open.
For Imprivata login screen version, select Pinned to v4.
Click Save.
(Optional) In your JSON file, if you set agentType as sharedKiosk, configure Imprivata settings:
1. Click Shared kiosk mode.
2. Select Enable shared kiosk mode.
3. Click Save.
4. Click Shared apps & extensions.
5. Enter the extension IDs of apps & extensions that should not be cleared and re-launched between users.
  - Important: Be sure to include the Imprivata version 4 in-session extension ID, pllbepacblmgialkkpcceohmjakafnbb, and the extension IDs, such as Citrix or VMware, that you provided in your extension policy file.
  - Also add your VDI extension IDs here in case you don’t want these extensions to be cleaned up in between users. In case users manually launch resources, the VDI extensions should not be added to the list so that their session will be cleaned up.
6. Click Save.

Sign-in screen policies

Policy	Description
Core settings
agentType	Default is `sharedKiosk` Specify `singleUser` or `sharedKiosk`, depending on how workstations in the organizational unit are used. For faster sign-ins in shared environments, we recommend `sharedKiosk`. See Switch integration type.
dailySessionLogoutTime	Default is `01:00` If the device is idle on the lock screen for the time you specify in dailySessionLogoutRequiredIdleTimeInMinutes, the extension logs out the session at: dailySessionLogoutTime + jitterDurationMaximumSeconds Use in combination with dailySessionLogoutRequiredIdleTimeInMinutes.
dailySessionLogoutRequiredIdleTimeInMinutes	Default is `5` If the device is idle on the lock screen, number of minutes after which the extension triggers the managed guest session. If the device is used before the managed guest session logout, the idle time is reset to 0. As soon as the device reaches the lock screen again, the idle time will start counting again. Use in combination with dailySessionLogoutTime.
serverUrls	Must contain at least one element URLs to your Imprivata appliances. The list should contain all appliances in your site. The client picks one server at random (for load balancing) until the server list (with failover sites) is retrieved as part of the initial device settings update. Use DNS names, not IP addresses.
Additional settings
adfsLoginPagesAllowlist	An optional configuration for enterprises with a mix of clinical workstations that provide seamless access with Imprivata WebSSO, and non-clinical workstations that authenticate to the default AD FS login workflow. In accordance with the Microsoft Active Directory Federation Services: Imprivata Web SSO Setup documentation provided by Imprivata. Note: You'll need to be able to access the Imprivata partner portal. Only supported in-session.
citrixReceiverExtensionId	Default is `haiffjcadagjlijoggckpgfnoeiflnem` Extension ID of the Citrix receiver app.
debugLoggingEnabled	Default is `false` Specify whether debug logs are accessible. We recommend that you set to `true` only for single devices that are in a separate organizational unit that is not a production environment. See Resolve common issues with Imprivata Onesign integration.
debugSessionEnabled	Default is `false` Specify whether the login screen can be closed to launch a debug session. We recommend that you set to `true` only for single devices that are in a separate organizational unit that is not a production environment. See Resolve common issues with Imprivata Onesign integration.
defaultDomain	Default is the alphabetically first domain. The default domain that is selected on the login and lock screen, out of the available domains. The string needs to be a 1:1 match with one of the available domains.
greetingNotificationDurationMs	Default is `8000` Amount of time, in milliseconds, the greeting notification should be displayed. Setting this value to `0` prevents the notification from being shown.
guestSessionOnOutageEnabled	Default is `false` Specify whether users are allowed to log in as guests when the ChromeOS device cannot connect to the Imprivata appliance.
jitterDurationMaximumSeconds	Default is `600` Maximum number of seconds that newly installed Imprivata extensions will wait before reaching out to the Imprivata appliance. This functionality helps to avoid load spikes on Imprivata servers. Setting this value to `0` results in all devices reaching out to the Imprivata appliance instantaneously. Setting this value to `600`, 10 minutes, results in a balanced load for the Imprivata appliance from newly installed extensions over 10 minutes. Users can connect Imprivata appliances at any time and skip the jittering duration.
metricsCollectionEnabled	Default is `true` Specify whether metrics reporting is enabled. See Configure additional features.
pinnedRemoteApp	The name of a VDI app that is pinned to the ChromeOS shelf when the session starts. Users can click the icon to launch the app without having to open the ChromeOS launcher. The string needs to be a 1:1 match with one of the remote apps the user has available.
roamingEnabled	Default is `true` Specify whether users are automatically signed out when the last virtual app or desktop is closed. For example, due to roaming.
showAppsInLauncher	Default is `true` Specify whether shortcuts to launch remote apps are added to the launcher.
showDesktopsInLauncher	Default is `true` Specify whether shortcuts to launch remote desktops are added to the launcher.
showUsernameOnSharedKioskLockScreen	Default is `true` Specify whether the username is displayed on the lock screen of shared kiosk sessions. Note: Applies only if you use managed guest sessions.
skipLoginScreen	Default is `false` If set to `true`, the Imprivata extension skips the login screen and starts a managed guest session. This helps to pre-load the MGS and make sure that devices are ready for users when they approach the device.
smartCardConnectorExtensionId	Default is `khpfeaanjngmcnplbdlpegiifgpfgdco` Extension ID of the Smart card connector app used for PC/SC proximity card readers. See Configure additional features.
ssoProfile	SSO profile ID of the organizational unit that has Web SSO configured with Imprivata as the Identity Provider (IdP). For example, if the Entity ID looks like: https://accounts.google.com/samlrp/metadata?rpid=ABCxyz123 the ssoProfile is ABCxyz123. Used in conjunction with useSamlUserSessionsForSingleUserWorkstation.
useSamlUserSessionsForSingleUserWorkstation	Default is `false` Specify whether the session that starts should be a ChromeOS user session. Can only be used if you set agentType as `singleUser`. Web SSO needs to be configured, and the ssoProfile extension policy needs to be set.
vmwareClientExtensionId	Default is `ppkfnjlimknmjoaemnpidmdlfchhehel` Extension ID of the VMware client app.

In-session extension

In the Admin console, go to Menu DevicesChromeApps & extensionsManaged guest sessions.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Add in-session extension:
1. Click Add Add Chrome app or extension by ID.
2. Enter the in-session extension ID, pllbepacblmgialkkpcceohmjakafnbb.
3. Select From a custom URL.
4. Enter the URL, with no spaces:
  https://storage.googleapis.com/chromeos-mgmt-public-extension/imprivata/v4/update_manifest.xml
5. Click Save.
Configure in-session extension:
1. In the list of apps and extensions, find the Imprivata (in-session) extension, pllbepacblmgialkkpcceohmjakafnbb, that you added.
2. Under Installation policy, select Force install.
3. Click the Imprivata (in-session) extension, pllbepacblmgialkkpcceohmjakafnbb. The options panel opens.
4. Under Certificate management, next to Allow access to keys, click Turn on .
5. Click Save.

Note: The in-session extension does not require an extension policy file.

Step 4: Configure Citrix Workspace or VMware Horizon Client for Chrome

Citrix

Select your version

Citrix provides its stable client app on the Chrome Web Store. Citrix Workspace has extension ID haiffjcadagjlijoggckpgfnoeiflnem.

If you’re not using default Citrix stable release, for example if you’re using Citrix Tech preview or self-hosting:

Update the citrixReceiverExtensionId extension policy for the sign-in screen extension in Step 3: Configure Imprivata extensions.
Allowlist your custom Citrix client app ID in your Citrix back-end. See Citrix documentation.

Install and configure

In the Admin console, go to Menu DevicesChromeApps & extensionsManaged guest sessions.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Add Citrix Workspace:
1. Click Add Add Chrome app or extension by ID.
2. Enter the extension ID and source for the version you want to use.
3. Click Save.
Configure Citrix Workspace:
1. In the list of apps and extensions, find and Citrix Workspace.
2. Under Installation policy, select Force install.
3. Click Citrix Workspace. The options panel opens.
4. Under Policy for extensions, edit or upload the extension policy using valid JSON format. Here is an example JSON file that allows the Imprivata extension to communicate with the Citrix Workspace app.
  For configuration options, such as fullscreen mode, see the Citrix product documentation.
5. Click Save.
(Optional) For increased stability, use extension version pinning to stay on a fixed version.
For details about how to pin ChromeOS updates to a specific version, see Manage updates on ChromeOS devices.

VMware

Select your version

VMware provides its stable client app on the Chrome Web Store. VMware Horizon Client for Chrome has extension ID ppkfnjlimknmjoaemnpidmdlfchhehel.

If you’re not using default VMware stable release, for example if you’re using the beta version or self-hosting, etc:

Update the vmwareClientExtensionId extension policy for the sign-in screen extension in Step 3: Configure Imprivata extensions.
Allowlist your custom VMware client app ID in your VMware back-end.
1. On the Horizon Connection server VM, open the settings.properties file at:
  C:/Program Files/VMware/VMware View/Server/sslgateway/conf
2. Add the lines at the end of the file and fill in your custom VMware client app ID if needed.
  chromeExtension.1=ppkfnjlimknmjoaemnpidmdlfchhehel chromeExtension.2=kenkpdjcfppbccchillfdjkjnejjgand
3. Restart the VMware security gateway component service or the entire Horizon Connection server.

Install and configure

In the Admin console, go to Menu DevicesChromeApps & extensionsManaged guest sessions.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Add the VMware app:
1. Enter the extension ID and source for the version you want to use.
2. Click Save.
Click Add Add Chrome app or extension by ID.
Configure the VMware app:
1. In the list of apps and extensions, find the VMWare app.
2. Under Installation policy, select Force install.
3. Click the VMWare app. The options panel opens.
4. Under Policy for extensions, edit or upload the extension policy using valid JSON format. The Imprivata in-session extension is allowlisted by default, so all configuration options here are optional. See VMware documentation.
5. Click Save.
(Optional) For increased stability, use extension version pinning to stay on a fixed version.
For details about how to pin ChromeOS updates to a specific version, see Manage updates on ChromeOS devices.

Step 5: Configure network settings

Add a certificate

For this step, you will need the root CA certificate used by your Imprivata OneSign appliance. If you are using a self-signed certificate, you can download it from the Imprivata appliance console on the Security and then SSL tab.

In the Admin console, go to Menu DevicesNetworks.
To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
Add the certificate:
1. Click CertificatesUpload Certificate.
2. Enter a name for the certificate.
3. Click Upload.
4. Select your root CA’s certificate file.
5. Click Open.
6. Select Chromebook and Imprivata App on Chromebooks. These are the platforms that the certificate is a Certificate Authority for.
7. Click Add.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?