Release notes for Imprivata GroundControl 5.0

Release highlights

Introducing Enterprise Password AutoFill with OneSign and GroundControl

Imprivata GroundControl Check Out is now integrated with Imprivata OneSign to support Enterprise Password AutoFill for iOS applications and web sites.

Through a fast, convenient badge tap at check out, users can now quickly access a device and carry their credentials into apps that support Apple’s native Password AutoFill to relieve password fatigue, streamline workflows and save valuable time while accessing these critical tools.

Enterprise Password AutoFill workflows will require Locker App 3.0. Existing check out workflows will continue to be supported by Locker 2.x and both versions can be deployed simultaneously in testing and production environments to allow for a phased migration. Imprivata will continue to support Locker 2.x through December 2021.

Imprivata Locker 3.0

Imprivata GroundControl 5 includes a completely redesigned Locker app for iOS, with a new, modern look and feel. Most importantly, when paired with Imprivata OneSign’s access management system, Imprivata Locker 3 supports auto filling credentials into iOS applications that natively support Apple’s Password AutoFill framework.

Imprivata Locker also enforces two-factor authentication for Password AutoFill workflows to support stronger security on shared-use, enterprise-owned devices.

Imprivata Locker is a new app, but like Locker 2 is a custom B2B app distributed via Apple Business Manager. We’ve already assigned Locker 3 to all Locker 2 customers, but you’ll need to “purchase” the app in Apple Business Manager and assign the app using MDM. To obtain Imprivata Locker 3.0, please contact us at [email protected] to get started.

Imprivata AutoFill Discovery

Imprivata AutoFill Discovery, now available on the App Store, allows you to validate if your applications natively support iOS’s Password AutoFill framework.

Your production devices will not need this application, as this tool is intended for you to test if third party apps deployed to your users support Password AutoFill.

Force recovery to recover passcode locked devices via the admin console

GroundControl can manage passcode locked devices by clearing the device’s passcode over-the-air via MDM, an action that requires WiFi connectivity on the device. In the event a passcode-locked device no longer has active connectivity, for example after a reboot, these devices can become unpaired and recovery mode is required to remove the passcode.

GroundControl can now force recovery workflows via the admin console, allowing IT to recover and reprovision an unpaired device remotely. Today, this action can be performed only one device at-a-time or automated via API, but it will be included as part of automation rules in a future release.

On iOS 14.5+ devices, this feature requires allowing force recovery via MDM restrictions profile.

Add or remove devices from Intune Static Groups

Static groups in Intune are used to support multiple use cases and deploy specific configurations, apps and profiles to devices, including iPhones for clinical or iPads for patients. The Perform MDM Command action for Intune now includes the option to automate static group assignments from within workflow actions.

Support multiple proximity card standards

For check out users, GroundControl can now support additional badge reader configurations via the admin console, matching the available options OneSign offers today.


Additional improvements

  • Launchpad List now includes a column for checked out devices — Thanks Drew!
  • Launchpad URLs included in Launchpad monitoring alerts work as expected for customers that use SAML — Thanks Rob!
  • Check out now defaults to Unlocked screen and the option to open a URL is no longer available
  • Launchpad OS bitness (32 or 64) is now included in Launchpad export
  • Application invites and forgot password emails are now branded with Imprivata logo


Bug fixes

  • [GG-6955] Launchpad will display a notification in the event of a Launchpad upgrade failure
  • [GG-6917] Fixed an issue where deleted assets would continue to show via the API — Thanks Jag and Sharad!
  • [GG-6881] Improved error message for deploying to pending devices via APIs
  • [GG-6877] Fixed Device Manager role permissions to allow setting Launchpad options and set log levels for support — Thanks Danny!
  • [GG-6808] Allow API to deploy to disconnected devices over-the-air
  • [GG-6768] Fixed an issue where check in workflows would succeed, even if the device was unlocked — Thanks Lex!
  • [GG-6545] We now fail sooner and with a friendly error message when Citrix MDM API authentication fails
  • [GG-6410] API /launchpads/checkout now respects ON/ OFF setting in Admin>Check Out
  • [GG-6391] API /devices/findBy/model/XXX now searches the correct fields
  • [GG-6328] Set Timezone is now logged in Activity Log
  • [GG-5726] When processing a check out request, the server no longer overrides the "built-in" device attributes sent by the Launchpad — Thanks Warren!
  • [GG-7066] Allow OneSign configuration to “Disable SSL” checks, as certificate integration is no longer required


Lifecycle notices

  • Device “Console” feature has been removed in GroundControl 5.0. The Console feature streams a remote device’s system log to a GroundControl admin. Changes to iOS privacy have made this feature less useful, as app data is now excluded from the log. Removing this feature will simplify the Launchpad code base and increase stability.
  • Support for Datamation UniLock risers has been deprecated. Current users using this product will not be affected.
  • GroundControl Locker 2.0 will reach end of life at the end of 2021. Please upgrade to Imprivata Locker 3.0.


Known issues


  • In 4.12 and later, some Mac Launchpads may fail to launch after an upgrade. We recommend disabling automatic upgrades if using check out at your organization.
  • iOS upgrades may fail with “fatal errors” during device activation. This may be mitigated with Launchpad Custom Option “RebootPostInstallBootDelay: 180”. Please contact Imprivata support if additional assistance is required.

 Imprivata Locker 3.0

  • App will fail to check in if manually launched before being checked in via a check in workflow. To resolve, force quit the app manually, reboot the phone, or erase and reprovision the device then check in.