Fast User Switching Overview
What is Fast User Switching (aka FUS)?
Fast User Switching is a term that is easily confused because it can apply either to an application workflow or to a workstation that is shared among different users. For example, in the healthcare field, many Electronic Medical Record (EMR) vendors have a built-in feature that allows a user to “suspend” or “log off” the application without actually closing it, which would require the next user to restart the application. This feature is primarily a time saver and is most often seen in an Outpatient care model where a patient comes in for an appointment but is not being admitted to the hospital. For additional security, you’ll also see the “log off” or “suspend” feature triggered by an application inactivity timeout policy setting. EMR vendors will often have this turned on for HIPAA security because users leave workstations unattended and electronic Protected Health Information (e-PHI) needs to be protected, as well as for patient safety concerns.
Application-level Fast User Switching
In the typical Outpatient care workflow, the nurse comes in to collect some patient vitals (blood pressure, temperature, etc.) and updates the electronic patient chart while logged in under their account. Once the patient chart has been prepared, the nurse can “suspend” or “log off” the application. This takes the application to a state where the physician can come in later and log back into the application with their own identity and go right to the patient chart that the nurse just prepared. This saves time for the caregivers as this workflow is repeated many times during the day.
EMR application with Fast User Switching capability. Note the “Return to Chart” option.
NOTE: Imprivata OneSign supports this application workflow through our SSO technology, which can execute the proper logoff keystrokes for an application during a Fast User Switch at the workstation level (see below). If configured, the OneSign Agent will send the logoff keystrokes when a new user is logging into the workstation and, at the same time, will not close the application. (The default SSO Agent behavior is to close the previous user’s applications; this is a workflow scenario where you don’t want that to happen.) When the new user logs into OneSign, they will see the application login screen and the OneSign Agent will proxy their SSO credentials. This workflow is repeated several times a day as each user logs into OneSign on these workstations.
Workstation-level Fast User Switching
At the PC operating system level, vendors like Microsoft have built into their platforms the ability for different users to log into the PC and get their own desktop. This is the case with Windows Vista and 7, but was also the case with Windows XP if the PC was not joined to an Active Directory domain.
Using OneSign with Shared Workstations
Imprivata OneSign offers two different shared workstation modes for customers:
- Fast User Switching for Kiosk Workstations, which runs on one generic Windows desktop and lets multiple users sign in and out of OneSign without having to go through the lengthy Windows logon process.
- Fast User Switching for Multiple desktops (i.e. each user can log in and get their own local Windows desktop on that PC)
Fast User Switching for Kiosk Workstations
In an enterprise setting like healthcare, clinical workflow needs often require IT departments to keep PCs already logged in on busy clinical floors or in an Outpatient clinic setting. This is typically done via a generic account with the workstation configured for autologon (http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx or http://support.microsoft.com/kb/315231). In the autologon state, users do not log in and out of Windows; they only need to log into their applications, without having to log off the workstation.
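A defender's check for the autologon configuration described above, as an added example that is not part of the original post or Imprivata's code: the manual registry method in KB 315231 leaves the generic account's password in plain text in the Winlogon key, while the Sysinternals Autologon tool stores it as an encrypted LSA secret. The function names and the sample values (CLINIC, kiosk-generic) are assumptions constructed for illustration.

```powershell
# Added example: audit how autologon is configured on a shared kiosk PC.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueNames  = 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword'

# Read only the autologon-related values from the live registry (Windows only).
function Get-WinlogonValues {
    $props  = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $values = @{}
    foreach ($name in $ValueNames) {
        $p = $props.PSObject.Properties[$name]
        if ($p) { $values[$name] = [string]$p.Value }
    }
    return $values
}

# Evaluate a set of Winlogon values and return findings as strings.
# The password itself is never echoed, only the fact that it is present.
function Test-AutologonConfig {
    param([Parameter(Mandatory)][hashtable]$Values)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($Values['AutoAdminLogon'] -ne '1') {
        $findings.Add('OK: autologon is not enabled')
        return $findings
    }

    $account = '{0}\{1}' -f $Values['DefaultDomainName'], $Values['DefaultUserName']
    $findings.Add("INFO: autologon is enabled for $account")

    if ($Values.ContainsKey('DefaultPassword')) {
        $findings.Add('WARN: DefaultPassword is stored in plain text in the registry')
    } else {
        $findings.Add('OK: no plain-text DefaultPassword value; the password, if set, is held as an LSA secret')
    }
    return $findings
}

# Constructed sample (not from a real machine): a kiosk configured by hand per KB 315231.
$sample = @{
    AutoAdminLogon    = '1'
    DefaultDomainName = 'CLINIC'
    DefaultUserName   = 'kiosk-generic'
    DefaultPassword   = '<redacted>'
}
Test-AutologonConfig -Values $sample

# On a Windows kiosk, audit the live configuration as well.
if ($env:OS -eq 'Windows_NT') { Test-AutologonConfig -Values (Get-WinlogonValues) }
```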
With OneSign, you can leverage the generic desktop so that users log into the OneSign Agent and will have access to their applications along with Single Sign-On. IT administrators will also be able to have an audit trail of who was using the kiosk PC as well as what applications were accessed, etc.
OneSign Agent in Kiosk Mode (PC is in an Autologon State)
Kiosk Workstation Benefits
- Designed to leverage PCs that already use a generic Windows login
- Used for applications that run “hot” – i.e. where the user is logged off of the application but the application is left open for the next user.
- Users do not have to go through the full Windows logon process to access the applications
- Supports lower powered workstations that do not have a lot of memory
- Can be used to gain access to Citrix, Terminal Server or Virtual Desktop environments
Kiosk Workstation Limitations
- Because users share the same generic desktop, shortcuts, etc. are not personalized for each user.
Fast User Switching for Multiple Desktops
Imprivata OneSign also supports a shared workstation model where users need to log into the PC and get their own Windows desktop, leveraging the native capabilities within Windows 7, XP and Vista.
NOTE: this is not the same thing as a virtual or published desktop through Citrix or Terminal Services – more on that in a future blog post.
OneSign Agent in Multi-Desktop Mode (Each user has their own local desktop)
Benefits of Multiple Windows Desktops
- Because each user has their own private Windows desktop, drive mappings, shortcuts, browser favorites, etc. are specific to each user. Applications that use Integrated Windows Authentication or Kerberos can also be used.
- Users can lock their desktops when they leave and resume exactly where they left off when they return, even if other users have logged on to the workstation in between.
- Users go through a full Windows logon once, but from then on can switch to their private desktop very quickly throughout their work shift.
- No budget yet for a VDI solution
Limitations of Multiple Windows Desktops
- The OneSign Multiple Windows Desktops feature requires Windows XP SP2 or Windows Vista. This feature works only on Microsoft Windows GINA clients. Novell and other login clients are not supported.
- Running multiple Windows desktops requires more computer memory than in kiosk mode.
- The user’s desktop is running locally and won’t roam as the user logs into another shared workstation.
Since the Multi-Desktop mode is not the most common shared workstation configuration we see (vs. the Kiosk Mode), I thought it might be helpful to close out this blog by providing a few interesting customer examples of how they implemented Multi-Desktop Mode in their environment:
- A few years ago, a customer in North Carolina had just upgraded their EMR software, which was now integrated to use Active Directory authentication. At the same time, they had hired some contractors to help scan their old paper patient records into the EMR database. The contractors were working in shifts on shared PCs in the records room and would often move around, not always working on the same PC. The shared workstations had originally been configured in “Kiosk mode”, but because the EMR had been switched to use AD authentication, the contractors were running into issues when scanning their records on the machines that had been auto logged in with a generic account.
- RESOLUTION: We switched these shared workstations over to Multi-Desktop mode so each contractor could log into the PC with their own AD account and desktop. This resolved the issue they had encountered.
- Camden Living recently won the “MFE” (Multi-Family Executive) award for their OneSign project at this year’s MFE conference. Their presentation focused on the customer service/productivity gains that they had achieved with OneSign. They deployed OneSign using the Multi-Desktop mode. Here’s their story:
- 'Multi-Desktop mode allows any user to be able to logon (to an existing or new session) while preserving the previous users' sessions even when the prior user's session is locked. Once again, this is extremely valuable in busy apartment offices where multiple users often must access one computer to assist an on-going stream of customers. For example, in the past this could create delays when Camden employee 'Suzie' left the guest card page up while touring a prospect and a resident called to tell Camden employee 'Robbie' that her toilet was overflowing because her son flushed his Legos. When 'Robbie' accessed the same computer 'Suzie' was using to create the emergency maintenance request it would cause 'Suzie' to lose the entire guest card she had carefully created. 'Suzie' would then have to recreate the guest card information when she returned with her prospect potentially frustrating this prospective resident.'