This topic describes the hardware and software requirements for Imprivata Mobile Access Management (formerly Imprivata GroundControl). Any limitations are noted in the support details and notes section for each component.
Cloud Administrator Console
- The MAM Administrator Console supports any modern web browser on Mac and Windows.
- Imprivata tests with Safari, Google Chrome, Firefox, and Microsoft Edge.
Launchpad Mac or Windows Computer
Both Mac and Windows may be used to run the client-side Launchpad software.
| Item | Testing | Production |
|---|---|---|
| Form Factor | Desktop or laptop | Headless desktop mini-PC |
| Remote Desktop | Optional | Required |
| OS | macOS within the last 2 years Windows 10 or Windows 11 version within the last 2 years |
|
| RAM | 4 GB+ | |
| Drive Capacity | 20 GB+ SSD | |
| Permission: Allow accessory to connect (see note below table) | Required for Mac Launchpads running MacOS 13 (Ventura) and later. | |
| Concurrent connections to smart hubs | Launchpads only support concurrent connections to smart hubs of the same manufacturer. | |
| Unattended Use | Launchpad systems must be configured for unattended use. For more information, see this article. |
|
| Dedicated system | The PC should be dedicated for GroundControl and not shared with other apps. On Windows Launchpads, do not install the Imprivata agent (for Imprivata OneSign) on the Launchpad, because it will conflict with the proximity card reader. |
|
| VNC or other remote access | Some method of VNC or other remote access is required to all stations. | |
| iTunes app | Windows Launchpads: Install the current iTunes app or extract DLLS from iTunes for Apple's MobileDevice components. |
|
| GroundControl.app installed in a directory local user has full file permissions to | On Mac Launchpads, the GroundControl.app must be installed in a directory the local user has full file permissions over, or the local Mac user must be a macOS local admin. For more information, see this article. |
|
| Network connection | Launchpads require a stable 24 × 7 network connection via Ethernet. | |
NOTES:
- “Allow accessory to connect” setting is required for Mac launchpads running MacOS 13 (Ventura) and later. For more information, see this article.
- Imprivata does not test with or support virtual or thin-client systems.
Test your model thoroughly before selecting a computer to be used as a Launchpad. If your computer has trouble connecting to more than 8 or so iPhones at once, disable XHCI in the PC’s BIOS to determine if this solves the issue.
Network
Imprivata Mobile Access Management (MAM) uses HTTPS (port 443) for all communication between the Launchpad and the Cloud Administrator Console. After initial registration, the Launchpad switches to Secure WebSockets (also port 443) for asynchronous bi-directional messaging.
Firewalls must support Secure WebSockets. A common firewall feature is to force close any sockets that remain open for a long period of time, but this will cause MAM to lose the client-server connection.
| Source | Destination | Protocol | Use |
|---|---|---|---|
| Launchpad | US: us.groundctl.com / 52.202.156.90, 54.197.149.48 UK: uk.groundctl.com / 18.168.161.122, 13.41.242.92 | HTTPS/443 and WSS/443 | Server communication |
| Launchpad | US: groundcontrol-prod.s3.amazonaws.com UK: c16-assets-groundctl-com.s3.amazonaws.com | HTTPS/443 | Asset downloads |
| Launchpad | *.bugsplatsoftware.com | HTTPS/443 | Crash reporting |
| Launchpad (iOS only) | albert.apple.com gs.apple.com appldnld.apple.com secure-appldnld.apple.com | HTTPS/443 | Apple device activation & IPSW downloads |
| Launchpad | Your Imprivata OneSign appliance | HTTPS/443 | Identify look up during Checkout (if used) |
| Launchpad Locker app (iOS and Android) | ctlful.imprivata.com | HTTPS/443 | Log submission |
| Device | US: groundcontrol-prod.s3.amazonaws.com UK: c16-assets-groundctl-com.s3.amazonaws.com | HTTPS/443 | Checkout (if used) |
| Device | Your Imprivata OneSign appliance | HTTPS/443 | Identity look up during Checkout (if used) |
| Device (iOS only) | *.push.apple.com | TCP Ports: 443, 80, 5223, 2197 | Apple push notifications |
| Device (Android only) | See Firebase Documentation | TCP ports: 443, 5228, 5229, 5230 | Firebase push notifications |
| GroundControl Server US: 52.21.126.154, 52.20.201.34 UK: 18.169.178.173 35.177.97.127 | Your MDM Server | HTTPS/443 | MDM API requests (if used) |
Apple products on enterprise networks typically require specific hosts and ports to be open. For more information, see Apple’s documentation on the use of Apple products on enterprise networks.
Android products on enterprise networks require specific hosts and ports to be open for Firebase push notifications. For more information, see Google documentation.
MDMs
The following MDM systems are supported for Check Out. For more information, see the MDMs article.
| Feature | Ivanti EMM | Ivanti Neuron | Jamf Pro | Samsung Knox Manage | Microsoft Intune | Soti MobiControl | VMware Workspace ONE |
|---|---|---|---|---|---|---|---|
| Check In / Check Out (iOS) | |||||||
| Personal Passcodes | |||||||
| Set Labels/Tags/Org Groups | |||||||
| Assign to User | |||||||
| Enable Lost Mode | |||||||
| Check In / Check Out (Android) | |||||||
| Personal Passcodes | |||||||
| Set Labels/Tags/Org Group | |||||||
| Assign to User | |||||||
| Enable Lost Mode | |||||||
| Provisioning (iOS) | |||||||
| DEP Provisioning | |||||||
| Non-DEP Provisioning | |||||||
| Assign DEP Profile | |||||||
| Delete / Retire | |||||||
Required MDM Configurations
You must integrate Imprivata Mobile Access Management with your MDM’s APIs.
- The API integration is used by MAM to clear any device passcodes on check in.
- The API integration can trigger Lost Mode for overdue devices.
MDM Requirements for iOS Devices
The following items are required in your MDM system for iOS devices.
| Item | Description |
|---|---|
| DEP profile | Must include Imprivata GroundControl’s supervision identity. This allows your device to more reliably connect to GroundControl. |
| Disable USB Restricted Mode | All devices must be set to Disable USB Restricted Mode. This feature has different names in different MDMs, but is used to keep your device’s USB connection active even when it is passcode locked. For more information, see this article. |
| Allow Recovery for Unpaired Devices | The MDM should Allow Recovery for Unpaired Devices. For more information, see this article. |
| Notification profile allowing Imprivata Locker app to receive notifications | All devices must receive a notificiation profile to allow the Imprivata Locker app to recieve notifications. The app ID for the Locker app for iOS is com.imprivata.b2b.locker. - Apple permits a maximum of one notification profile on devices. This limitation is usually not enforced by MDM systems, leading to conflicts and unexpected behaviors. - To avoid unexpected notification behavior, Imprivata strongly recommends using one master notification profile for all iOS devices - both shared and dedicated - in your organization. |
Proxy Support
Imprivata Mobile Access Management has limited support for proxies:
- Proxies must be configured in the Launchpad app during initial registration
- Only unauthenticated proxies are supported
- Authenticated proxies and PAC files are not supported
- System proxy settings are ignored
USB Hubs and Carts
USB hubs vary wildly in quality. Imprivata recommends a very limited number of hubs and carts from trusted manufacturers.
| Vendor | Model | Notes |
|---|---|---|
| Bretford | Imprivata branded PowerSync Pro v2 | iPhone 15's are only recognized on Bretford PowerSync 2 hubs when the hub's firmware version is 2.2.16 or higher. |
| Cambrionix | ThunderSync | |
| Datamation | UniDock Tarys U-Series Sync & Charge hubs and related carts | Imprivata does not recommend using Datamation Unilock's locking risers, because they delay access to the devices. |
- Imprivata Mobile Access Management does not support the daisy-chaining of hubs.
- Poor-quality electronics will display intermittent errors during restores and iOS updates.
Proximity Card Readers
Imprivata Mobile Access Management supports USB-connected proximity card readers manufactured by rf IDEAS. Many brands resell the rf IDEAS reader, including Imprivata.
Imprivata models
- IMP-75
- IMP-80
- IMP-60
- IMP-82
- IMP-80-mini
Lifecycle
As previously communicated, the GroundControl Locker 2 (iOS) reached its end of life in 2022.
New iOS Workflows will no longer require selecting an app version. Existing Workflows are unaffected, although Check In Workflows with GroundControl Locker 2 will no longer be supported.
Devices
Imprivata Mobile Access Management supports Apple iOS and Android devices.
Apple Devices
Apple device support is based on iOS version support. Imprivata Mobile Access Management supports iOS 17, 16, and 15. Only factory-reset devices are supported.
Android Devices
Imprivata Mobile Access Management 6.0 and later supports Android devices, running Android 9 and above.
| Item | Support |
|---|---|
| Android OS | Android 9 or later |
| Devices | |
| Cisco devices | CP 860 |
| Google Pixel 7 Google Pixel 7a Google Pixel 8 Google Pixel 8 Pro |
|
| Honeywell devices | CT30 (non-healthcare) |
| Samsung devices | Samsung S22 Samsung A14 |
| Spectralink devices | Versity 95 Versity 96 Versity 97XX |
| Zebra devices | Zebra TC5 series - TC52, TC57 Zebra TC2 series - TC21, TC26 Zebra HC50 |
| Device settings and permissions | The Imprivata Locker app for Android devices requires the following device settings and permissions: - Draw over (overlay) other apps. - Accessibility Service. |
| MDMs | Android devices must be enrolled in an MDM system: - Workspace ONE (AirWatch) - Microsoft Intune - SOTI MobiControl |
Device Cases & Batteries
Imprivata Mobile Access Management does not support all device cases. For more information, see this article.
Supported Applications
For more information on supported applications, see this article.
| Item | Support |
|---|---|
| Cerner Mobile Applications: - PowerChartTouch v 1.14 and later - Cerner Camera - Capture v4.1 and later - Connect Messenger v 3.26 and later - Connect Nursing v3.2 and later - Bridge v2.0 and later - Connect Phlebotomy v1.6 and later - Connect Patient Flow v1.7 and later | Imprivata Locker Android 1.0.0.10 and later |
| DrFirst Backline v.7.4.1.3 | Imprivata Locker Android 1.0.0.10 and later |
| Vocera Edge v4.12.2 | Imprivata Locker iOS |