NOTE: This article applies to iOS devices only.
After you’ve set up, tested and automated your check out workflows and also validated your environment supports Password AutoFill, you’re ready to get started.
Password AutoFill is available only when Admin > Check Out > Identity Provider is set to Imprivata OneSign.
Configure AutoFill in GroundControl
Two Factor Authentication is needed for Password AutoFill, but not for device Check Out. Users will be prompted to enter 2FA only when attempting to use the Password AutoFill extension when logging into an app.
-
- In GroundControl, Admin > Check Out > Password AutoFill enable Password AutoFill.
- Set the option for Second factor authentication to match your Imprivata OneSign configuration.
Disable the iOS Keychain
You can disable the iOS keychain from the password autofill selection on the devices by one of the following methods:
- Set Restrictions action in the Workflow — you can set a GroundControl restriction to disable Safari autofill. It disables Keychain as an option, while still allowing Autofill to be on and the Locker app to be select. If you apply the restriction via a Workflow, ensure that you add it to either the Provisioning or Check In Workflow.
- MDM restriction — each MDM labels the ability to disable or remove Keychain from password autofill selection differently, and ends up with different results. For more information, see your MDM’s documentation.
Add a Set Restrictions Action to the Workflow
In GroundControl, adding a Set Restrictions action with the Disable Safari Auto-fill option selected disables the built-in iOS keychain, but should allow for Locker iOS to still be selected.
Best Practice
Add this restriction setting into your provisioning Workflows to ensure the device never has the option to use Keychain.
If you have already deployed devices without this setting, you have three primary options:
- Add this setting into your Checkin Workflow.
- Create a Workflow that specifically includes just this setting, and deploy it to connected devices either manually or via a scheduled automation rule until you’re confident it has applied to all devices in use.
- Utilize an MDM Restrictions payload to disable the keychain. See below.
Expected Result
The device will have the Keychain option in Autofill/Password options greyed out, making it unable to be selected. Despite the name of the restriction, password autofill will still be available on Safari web pages when using Imprivata Locker as the autofill source.
IMPORTANT: A device can have multiple Restrictions profiles. However, only one GroundControl-delivered Restriction Profile will be present at a time. So if GroundControl has sent a restrictions profile to a device that you’re now using this method to deploy the Disable Safari Auto-fill setting to, you will want your previous restriction profile settings to also be selected. Otherwise, they will be overwritten by this new restrictions profile.
To add a Set Restrictions action to the Workflow:
- Edit the Workflow. From the Add action menu, select Set Restrictions.
- On the Other Restrictions tab, select Disable Safari Auto-fill and click Save.
Configure MDM Restriction
Configure the restrictions in your MDM.
Enable AutoFill on the iOS Device
Each iOS device must be manually configured to the Imprivata AutoFill extension — unfortunately there is no way to do this automatically using MDM or GroundControl.
To enable Password AutoFill on the iOS device:
- Navigate to Settings > Passwords > AutoFill Passwords > Turn ON.
- Allow filling from Locker.
- Make sure Keychain is not checked.
This setting will persist between check outs, if you’re not erasing it the device. We highly recommend not erasing devices between check out for this reason!
If AutoFill is enabled on the GroundControl server, but a device does not have AutoFill set in Settings, the device will show the following reminder screen on Check Out.
Create Upload and Deploy Imprivata OneSign Profiles
For detailed instructions on creating application profiles for Imprivata OneSign, see this article.
Questions?
Check out our Password AutoFill FAQ.