Configure Enterprise Password AutoFill on iOS Devices


NOTE: This article applies to iOS devices only.

After you’ve set up, tested, and automated your Check Out workflows and validated that your environment supports Password AutoFill, you’re ready to get started.

Password AutoFill is available only when Admin > Check Out > Identity Provider is set to Imprivata Enterprise Access Management.

Configure AutoFill in Mobile Access Management

Two Factor Authentication (2FA) is needed for Password AutoFill, but not for device Check Out. Users are prompted to enter 2FA directly after Check Out. 

    1. Navigate to Admin > Check Out > Password AutoFill and enable Password AutoFill.
    2. Set the option for Second factor authentication to match your Imprivata Enterprise Access Management (formerly Imprivata OneSign) configuration.

Disable the iOS Keychain

You can disable the iOS Keychain as a password autofill option on the devices by one of the following methods:

  • Set Restrictions action in the Workflow — you can set a Mobile Access Management restriction to disable Safari autofill. It disables Keychain as an option, while still allowing Autofill to be on and the Locker app to be selected. If you apply the restriction via a Workflow, ensure that you add it to either the Provisioning (Prep) or Check In Workflow.
  • MDM restriction — each MDM labels the ability to disable or remove Keychain from password autofill selection differently and ends up with different results.
    For more information, see your MDM’s documentation.

Add a Set Restrictions Action to the Workflow

In Mobile Access Management, adding a Set Restrictions action with the Disable Safari Auto-fill option selected disables the built-in iOS keychain, but should allow for Locker iOS to still be selected.

Best Practice

Add this restriction setting into your Provisioning (Prep) Workflows to ensure the device never has the option to use iOS Keychain.

If you have already deployed devices without this setting, you have three primary options:

  • Add this setting to your Check In Workflow.
  • Create a Workflow that specifically includes just this setting and deploy it to connected devices either manually or via a scheduled automation rule, until you’re confident it has applied to all devices in use.
  • Use an MDM Restrictions payload to disable the keychain. See below.

Expected Results

The device will have the iOS Keychain option in Autofill/Password options greyed out, making it unable to be selected. Despite the name of the restriction, password autofill will still be available on Safari web pages when using Imprivata Locker as the autofill source.

IMPORTANT: A device can have multiple Restrictions profiles. However, only one MAM-delivered Restriction Profile will be present at a time. If MAM has already sent a restrictions profile to a device and you now use this method to deploy the Disable Safari Auto-fill setting to it, also select your previous restriction profile settings. Otherwise, they will be overwritten by the new restrictions profile.

To add a Set Restrictions action to the Workflow:

  1. Edit the Workflow. Ensure that you add the Set restrictions action to either the Provisioning or Check In Workflow.
  2. From the Add action menu, select Set Restrictions.
  3. On the Other Restrictions tab, select Disable Safari Auto-fill and click Save.

Configure an MDM Restriction

Configure the restrictions in your MDM.
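
As an added example (not Imprivata's or any MDM vendor's code), this Python script audits an unsigned, exported .mobileconfig to confirm that its Restrictions payload disables Keychain AutoFill without switching off AutoFill for every provider. It assumes your MDM's setting maps to Apple's safariAllowAutoFill key in the com.apple.applicationaccess payload; the sample profile and the function name audit_autofill are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type

# Constructed sample profile (not exported from any real MDM).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.restrictions</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>safariAllowAutoFill</key><false/>
  </dict></array>
</dict></plist>"""


def audit_autofill(profile_bytes):
    """Return a list of findings; an empty list means the profile matches the goal."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no Restrictions payload (com.apple.applicationaccess) in profile"]
    findings = []
    # Keychain stays selectable unless some payload sets safariAllowAutoFill to false.
    if not any(p.get("safariAllowAutoFill") is False for p in payloads):
        findings.append("safariAllowAutoFill is not false: Keychain remains an AutoFill source")
    # allowPasswordAutoFill=false turns off AutoFill Passwords entirely, including
    # third-party credential providers such as Locker.
    if any(p.get("allowPasswordAutoFill") is False for p in payloads):
        findings.append("allowPasswordAutoFill is false: AutoFill is disabled for all providers")
    return findings


if __name__ == "__main__":
    result = audit_autofill(SAMPLE_PROFILE)
    for line in result or ["OK: Keychain disabled, AutoFill still available"]:
        print(line)
```
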

Enable AutoFill on the iOS Device

Each iOS device must be manually configured to use the Imprivata AutoFill extension; unfortunately, there is no way to do this automatically using an MDM or Mobile Access Management.

To enable Password AutoFill on the iOS device:

  1. Navigate to Settings > Passwords > AutoFill Passwords > Turn ON.
  2. Allow filling from Locker.
  3. Make sure Keychain is not checked. In iOS 18, the setting is named Passwords.

BEST PRACTICE: This setting will persist between checkouts, if you’re not erasing the device. Imprivata strongly recommends not erasing devices between checkouts for this reason.

If AutoFill is enabled on the MAM server, but a device does not have AutoFill set in Settings, the device will display a reminder screen on Check Out.

Create, Upload, and Deploy Imprivata Enterprise Access Management Profiles

For detailed instructions on creating application profiles for Imprivata Enterprise Access Management (OneSign), see Create Imprivata Enterprise Access Management Profiles.

Questions?

Check out our Password AutoFill FAQ.
