OneSign 710 ReleaseNotes
Release Notes
Imprivata OneSign® 7.10 contains the following new features and technology updates. For more information
on these features and Imprivata OneSign, see "What's New in Imprivata OneSign 7.10" in the Imprivata
OneSign Help.
New Features
Virtual Smart Card Enhancements
End User Expiry Messaging - Imprivata now provides:
- Warning when a vSC is 30 days from expiration, appearing:
  - As a popup balloon
  - In the agent status bar
- Warning when a vSC has expired
All messages include a call to action for renewal.
TLS Support
As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release,
Imprivata disables the use of older TLS versions 1.0 and 1.1 for all G3 appliance communications.
For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.
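To confirm on your own deployment that legacy protocol versions are really refused, the following Python script (an added example for these notes, not Imprivata code) pins a client handshake to each TLS version in turn and compares what the server negotiates with the policy stated above: TLS 1.0 and 1.1 must be refused, TLS 1.2 or later must be accepted. The host name is a placeholder and port 443 is an assumption; substitute the address of the appliance you want to check.

```python
"""Probe which TLS protocol versions a server accepts and judge the result
against the policy in the release notes (TLS 1.0/1.1 refused, 1.2+ accepted).

Added example, not Imprivata code. HOST and PORT below are placeholders.
"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`.

    Certificate verification is disabled on purpose: the question here is
    which protocol versions the server will negotiate, not whether its
    certificate chains to a trusted root. Any handshake or socket failure is
    reported as "refused".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Many OpenSSL builds filter legacy versions out at the default
        # security level; lower it so the client can actually offer them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library does not support security levels; try as-is
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_host(host, port=443):
    """Map each version name to whether the server accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def evaluate(results):
    """Compare probe results with the policy.

    `results` maps a version name to True (accepted) or False (refused).
    Returns a list of findings; an empty list means the host is compliant.
    """
    findings = []
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"{legacy} accepted: legacy protocol still enabled")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("neither TLSv1.2 nor TLSv1.3 accepted: "
                        "clients cannot connect with a current protocol")
    return findings


if __name__ == "__main__":
    # Placeholder host; pass the appliance address as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "appliance.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = probe_host(host, port)
    for name, accepted in results.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    findings = evaluate(results)
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(1 if findings else 0)
```

A "refused" result for TLS 1.0 or 1.1 can also mean the local OpenSSL build no longer offers that version at all, so run the check from a client that is known to still support the legacy versions if you need to prove the server side is doing the refusing.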
NOTE: For complete details on enabling the Chrome extension, see "Support for Applications that
Run in Google Chrome" in Imprivata OneSign help.
Considerations
The following section describes a change in behavior in Imprivata OneSign for this release.
New Appliances on Non-DHCP Networks Get Prepopulated Host and Domain Names
When you set up a new G3 or G4 appliance on a network that does not use DHCP, then in the Appliance
Setup Wizard process, under System Information, the Host Name and Domain Name fields get
prepopulated with values localhost and localdomain. Previously, in Imprivata OneSign 7.8 and earlier, these
fields were left blank. You must replace the prepopulated values with values for the permanent host name
and domain name of the appliance.
Known Issues
The following issues may occur in Imprivata OneSign 7.10.
Risk of PHI Exposure and/or Mischarting with Persistent Applications on IGEL 11.07.170 Using
Citrix and ProveID Embedded
For multi-user endpoints with ProveID Embedded 7.10 or 7.9 on IGEL 11.07.170 using a persistent application
workflow and brokered using Citrix 2203, a serious risk exists of exposing patient Protected Health
Information (PHI) and/or mischarting patient data.
In G4 Enterprises Upgraded from 7.8 to 7.10, if an Authorize Replace Operation is Needed, Use
a Freshly Built Appliance Instead of a Restaged Appliance
After upgrading a G4 enterprise from Imprivata OneSign 7.8 to 7.10, if you remove an appliance from the
enterprise, restage that appliance, and then use the Authorize Replace feature to replace the removed
appliance with the restaged appliance in the enterprise, then the Authorize Replace operation hangs at the
message "Waiting for Authorizing Appliance to setup initial tunnel". The enterprise
remains locked.
The workaround is to force unlock the enterprise, and then perform an Authorize Replace operation using a
freshly built G4 appliance instead of the restaged appliance. This includes shutting down the removed
appliance and then changing the IP address of the freshly built appliance to match the IP address of the
removed appliance.
Configuring Persistent Applications on IGEL Requires IGEL Universal Management Suite 6.0 or
Later
To configure the persistent applications workflow for IGEL endpoints running ProveID Embedded, you need
the IGEL Universal Management Suite (UMS) version 6.0 or later to be able to see and set the IGEL Fast User
Switch settings on the IGEL management console.
Database Replication Fails If You Remove and Replace a G4 Database Appliance with an
Appliance Snapshot
If you remove a G4 (fourth generation) database appliance from a G4 enterprise and then want to add a
replacement G4 appliance to that enterprise, you must first restage the replacement appliance before adding
it to the enterprise. If instead you add a snapshot of a G4 appliance to the enterprise, which is not supported,
then database replication fails from the replacement appliance. The workaround for this failure is to contact
Imprivata Support and then start a Synchronize Enterprise Database operation from the replacement
appliance’s console after the Authorize Replace operation is completed. To avoid the failure, restage the
replacement appliance before adding it to the enterprise.
The Authorize Replace option appears on the Enterprise tab of the appliance console after you remove a G4
appliance from an enterprise. The Synchronize Enterprise Database option appears on the System tab of
that console.
For Many Prior Releases, During AD Domain Controller Failover, G3 or G4 Appliance Fails to
Negotiate TLS Version
This issue is fixed in Imprivata OneSign and Imprivata Confirm ID 7.10. A previous fix announced in OneSign
and Confirm ID 7.9 Release Notes, and made available for 7.8 in 7.8 HF 6, was found to not resolve the
Wrong Domain in Sender Address in Emails from Imprivata G3 and G4 Appliances on Azure
When setup is completed for an Imprivata G3 or G4 virtual appliance deployed on Microsoft Azure, the
appliance may send a test email. That email and any other emails generated by the appliance may appear to
be sent from incorrect address donotreply@<virtual-machine-name>.reddog.microsoft.com, for example,
do-not-reply@imp-vm0.reddog.microsoft.com. The correct sending address is
do-not-reply@<virtual-machine-name>.<your-domain>, where <your-domain> is the domain specified during appliance
configuration setup. This error occurs only if your Azure subscription uses your existing DNS infrastructure
instead of the Azure DNS, so that you must replace the domain name for the Imprivata appliance during
configuration with the wizard. There is no workaround for this problem.
Google Chrome Shows False Positive for the Agent as an "Incompatible Application"
When a user launches Google Chrome for the first time after upgrading to Version 72, the browser displays a
message listing incompatible applications. This list includes a false positive for the Imprivata agent. This
warning can be ignored, as the agent has no effect on Chrome functionality or performance.
desktop on Endpoint 1 and logs into Endpoint 2. The user's virtual desktop on Endpoint 2 opens but is
locked because the user's credentials were not passed to the virtual desktop from Endpoint 2. [AP-16]
  - Computer policy > Virtual Desktops tab > VMware View setting Shutdown the View client and
    disconnect the user session is enabled: A user logs into an endpoint and the virtual desktop opens. The
    user then locks the virtual desktop and locks the endpoint computer, disconnecting the virtual desktop
    session. If the user unlocks the same endpoint computer, the virtual desktop opens but is locked. [AP-17]
If Citrix Workspace app has been upgraded after configuring Imprivata OneSign to support Citrix
XenDesktop or Citrix XenApp, restart the endpoint computer. Failing to restart the endpoint can result in
unexpected behavior, which includes:
  - The endpoint computer does not lock after the last application is closed.
  - The Citrix Workspace app login window prompts users to authenticate, even when Citrix Fast Connect is
    configured.
Restarting the endpoint computer resolves these issues. [AP-2907]
If Internet Explorer (IE) is deployed as a Microsoft RDS RemoteApp program, default IE behavior causes an
additional IE window to open each time the user session is roamed. For example:
1. User 1 logs into endpoint 1. IE is launched.
2. User 1 logs into endpoint 2. The first IE window is roamed and a second IE window opens.
3. User 1 logs into endpoint 3. The IE windows from the previous endpoints are roamed and a third IE
window opens. [AP-3005]
- Under certain circumstances, default VMware Horizon View behavior prevents users from being
  automatically logged into a virtual desktop. The following describes this behavior:
  1. A user starts the VMware Horizon View client, launches the virtual desktop, and is logged in
     automatically.
  2. The user locks the desktop, and then unlocks it.
  3. The user disconnects from the desktop, but does not close the client.
  4. The user launches the same desktop again. VMware requires that the user log into the desktop.
  This is expected behavior. Locking the desktop causes the VMware server to remove the SSO credentials.
  Solution: Closing the client after disconnecting, or restarting the client, prevents the behavior. [AP-5032]
- When the following conditions are met, Citrix Fast User Switching fails for Citrix XenDesktop:
  - The computer policy for the Citrix server is enabled for OneSign Ticket Authentication (Citrix or Terminal
    Server tab > Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions section).
Authentication Management
- Allowing a beep on badge tap for nano proximity card readers requires access to the Microsoft Windows
  speaker. As a result, under the following circumstances, users do not hear a beep when they tap their
  badge:
  - Windows single-user agent (Type 1) - The first time the computer starts, the reader does not beep on
    initial logon.
  - Windows single-user agent (Type 1) with multiple user desktops (MUD) - If the computer policy is
    enabled for MUD, the reader beeps on log off only. The reader never beeps on log in.
- If a computer policy is configured to support smart card authentication on ProveID Embedded devices, the
  setting does not take effect until the Imprivata agent is restarted. [MA-3269]