Monday, June 24, 2019

Secure, Automated and Passwordless Mobile Clinical Device Provisioning

If you've ever been in a hospital, I'm sure you will have seen clinical staff (literally, at times) running between rooms, back to nursing stations or, if they're lucky, into the hall to enter notes or look up information on a WOW (Workstation on Wheels). Apart from the time it takes to get back to any of these places, they have to leave the patient's bedside and remember what they need to capture in the medical records. Typically, to try and claw some time back, these computers are logged in with generic accounts (shudder), so there is no user personalisation and no per-user auditing on these devices. To me, this just sounds like a recipe for disaster.

In recent years, we've seen the uptake of VDI (year of the desktop, anyone?), and that brought some improvements around session portability between devices, but there is still no true mobility use case: a mobile tablet or phone that the clinician or doctor can take with them and use to complete their tasks at the bedside.

True, a device for every employee would be expensive. And they could just use their own devices to take notes or photos, but from a regulatory and compliance perspective this is really not a good idea.

This is where GroundControl and VMware Workspace ONE come in to save the day.

Imagine being a nurse, doctor or any healthcare employee for that matter. You walk up to a pool of iOS devices, tap your RFID employee badge on the proximity card reader, and in seconds a device is allocated to you, completely personalised with your authentication credentials and your relevant applications, and ready to use without entering any passwords or doing further configuration. When you're done, just dock it back where you got it and it is securely erased to factory defaults, ready for the next user.

Sound too good to be true?

Nope. Read on to find out how, and see it in action.


If you just want to see what this looks like, skip to the end where I have captured the process end-to-end. For the technical audience, read on: I go through the high-level concepts that explain this black magic.

In an ideal production deployment you need the following:

  • iOS devices purchased through the Device Enrollment Program
    • You can get away without DEP devices, but it's less automated. Eww.
  • An Apple Volume Purchasing Program account where you purchase applications with device-based assignment
    • If you don't have this, you'll need an Apple ID on every device.
  • An Apple Mac (a Mac Mini is good) to host the GroundControl Launchpad application and connect the devices to
    • You can use a Windows PC; however, a macOS device can also act as a caching server
  • A compatible dock for your iOS devices
  • For full tap-and-go capability, a proximity card reader and licensing

My demonstration below has most of this. I am only using a cheap Lightning connector dock, purely so I don't have to physically connect the cable. I also cannot show the tap-and-go capability as I haven't been able to source a supported dock (yet).

Now, which bits do what?

GroundControl:

With Apple Business Manager and the Device Enrollment Program, you can skip most of the out-of-box screens for end users. However, there are a few things (like WiFi and regional settings) that you can't skip. GroundControl also does more user-specific personalisation and user assignment through its direct API integration with Workspace ONE.

It is made up of two main parts: the Management Console (SaaS Hosted) and the Launchpad (application on your Mac or PC).

Management Console

This is where you do all the automation and workflows.

Starting with Automation: this is where you define rules, and when a rule is matched an action is taken.

In my example it's pretty basic: if a device with my specific serial number is connected, run the specific workflow. But you can also add more conditions to be as granular as you need.

So now once that device is connected, it will run my workflow.

Workflows are the magic sauce. A workflow runs from top to bottom and delivers consistent deployments.

In the above example, you'll see it does this:
  • Unenrolls and deletes the device from Workspace ONE
    • This allows it to be reassigned to someone else, and also frees up any VPP app licenses, revokes certificates, etc.
  • Erases the device to factory settings
    • Removes all user data completely and securely
  • Sets the timezone
    • The user doesn't get prompted
  • Adds a WiFi payload
    • With network connectivity in place, the DEP profile can now be deployed automatically
  • Sets a custom background and lock screen text
  • Automates the enrollment as a user (for my demo purposes)

There are a heap of other capabilities too:
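The WiFi payload step above is, in practice, a standard Apple configuration profile. As an added example (not GroundControl's or VMware's code; the post does not say how GroundControl ingests a profile), this Python builds a com.apple.wifi.managed payload with plistlib and checks it for settings that would leave the device joining an unprotected network or stalled before enrollment. The SSID and PSK are constructed sample values.

```python
"""Build and sanity-check the pre-enrollment WiFi payload (added example)."""
import plistlib
import uuid

# Encryption types that let the device join an unprotected or WEP network.
WEAK_ENCRYPTION = {"None", "WEP"}


def make_wifi_profile(ssid, psk, org_id="com.example.clinical",
                      encryption="WPA2", removal_disallowed=True):
    """Return a .mobileconfig (XML plist bytes) with one WiFi payload."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Clinical WiFi",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,            # join without prompting the clinician
        "EncryptionType": encryption,
        "Password": psk,             # constructed sample PSK
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Pre-enrollment WiFi",
        # A user-removable profile could be stripped before DEP enrollment runs.
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def check_wifi_profile(blob):
    """Return findings for the WiFi payloads in a profile; empty list means OK."""
    profile = plistlib.loads(blob)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        enc = payload.get("EncryptionType", "None")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{ssid}: EncryptionType {enc} is not WPA2/WPA3")
        if enc not in WEAK_ENCRYPTION and not payload.get("Password") \
                and "EAPClientConfiguration" not in payload:
            findings.append(f"{ssid}: no PSK and no EAP configuration")
        if not payload.get("AutoJoin"):
            findings.append(f"{ssid}: AutoJoin off, device may stall before enrollment")
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile is user-removable")
    return findings
```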


Now that we have our device enrolled, this is where Workspace ONE takes over.

Workspace ONE handles the Device Enrollment Program and Apple Business Manager integration. It also does all the application deployment, device restrictions and configuration, and security and authentication, while VMware Identity Manager manages SSO and access to SaaS apps and VMware Horizon.

In my demo environment, I have the following:

I set some restrictions to make it more secure and remove ways to inadvertently store or leak data.


I also set a home screen layout to give a consistent look and feel for the use case. This was also used to remove some applications that weren't needed on this clinical device.


The applications are added to the Workspace ONE Console using the Apple Volume Purchase Program.

Now once we string this all together, we get an automated and touchless iOS deployment that massively improves user experience and clinical efficiency.

In the demo video below you'll see:

  • The GroundControl Launchpad application detects the iPad
  • Launchpad interacts with the GroundControl Management Console and deploys the workflow
  • The device receives the workflow and enrolls into Workspace ONE
  • Personalisations are applied, and apps are deployed and pre-configured
  • The user can SSO into their SaaS applications and open virtual apps and desktops without needing to authenticate with their username/password
  • The device is docked again and resets
