Use ChromeOS devices with Imprivata OneSign

Resolve common issues with Imprivata Onesign integration

For managed ChromeOS devices.

As an admin, you can troubleshoot problems with Imprivata OneSign on ChromeOS devices.

Access debug options

Because logs might contain sensitive information, we recommend that you use debug options only for problematic devices, and not in a production environment. Move devices that you’re having issues with to an organizational unit, such as a testing or debugging organizational unit.

Enable logs

  1. Enable debug mode.
    See Step 3: Configure Imprivata extensions. Set debugLoggingEnabled to true.
  2. Enable developer tools for force-installed extensions:
    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettingsand thenManaged guest session settings.
    3. In the list of organizational units, find the one you want and select it.
      If you have many organizational units, you might have to scroll the list to find the one you want.
    4. Go to User experience.
    5. For Developer tools, select Always allow use of built-in developer tools.
    6. Click Save.

Access logs

Before you begin: Enable logs.

When logging is enabled, the sign-in screen extension should show a Show debug logs button in the lower right corner of the sign-in screen window.

(preferred) Collect logs using capture logs

Use the capture log mechanism for manual debugging and to extract specific logs.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettingsand thenDevice settings.
  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Go to User and device reporting.
  5. Click Device system log upload.
  6. Select Enable device system log upload.
  7. Click Save.
  8. Click Extensions system logging.
  9. Select Enable enterprise extensions system logging.
  10. Click Save.

You'll then see the option to capture logs on the Devices page of the Admin console. You can download up to 2 days of logs. The collected logs archive contains the Imprivata logs (extensions.log) and can be used for debugging.

Collect logs via feedback reports

Feedback reports are useful for Google support. Press Alt+Shift+i on the affected ChromeOS device. The feedback report automatically includes the Imprivata logs. You can include some uniquely identifiable string that we can search for. Inform the Google support team about the feedback report and the report and the identifiable string.

Read Report a problem or send feedback.

Collect logs from device

Sign-in screen extension

If Google asks you to export logs, copy and paste them into a feedback report and include a uniquely identifiable string that we can search for. For details, see Report a problem or send feedback.

In-session extension

  1. On the ChromeOS device, open chrome://extensions in a browser tab.

  2. At the top-right corner, enable Developer mode.
  3. Find the Imprivata in-session extension.
  4. Click the link to open the background page.
  5. Click Console.
  6. To export the logs, right-click anywhere in the console window and click Save as…

Launch debug session

If the sign-in screen extension is not properly configured, you can still launch a debug session on the device.

  1. Enable debug mode.
  2. On the ChromeOS device:
    1. Go to the sign-in screen—not the lock screen.
    2. Close the Imprivata sign-in screen window.
    3. Launch a regular managed guest session.

Common issues

Open all  |  Close all

Check to make sure that:

  • ChromeOS devices meet the minimum version requirements.
  • Device is connected to the internet during initial setup.
  • You correctly configured the sign-in screen. For details, see Configure device settings.
  • Verify policy:
    1. Launch a debug session. For details, see Launch debug session above.
    2. Navigate to chrome://policy.
    3. Verify that DeviceLoginScreenExtensions is set.
The Imprivata sign-in screen is blank

If the sign-in screen extension is not able to connect to the Imprivata appliance, users see a blank sign-in screen.

  • In the Google Admin console:
    • For the CA certificate, make sure that the Imprivata App on Chromebooks box is checked.
    • Check that the sign-in screen’s extension policy has the correct server URL. For example, https://url-to-your-imprivata.appliance
  • On the device, launch a debug session.
    • Check that the server URL is displayed for the sign-in screen extension on chrome://policy.
    • Open the server URL in a new tab and see if there are certificate or DNS errors.
User’s badge reader is not working
Virtual desktops or apps are not launching or visible in the launcher
  1. On the device, sign in with a user ID that has virtual apps or desktops.
  2. Check that the Imprivata appliance is sending virtual apps or desktop resources to the client:
    1. Inspect the Imprivata in-session extension logs:
      1. Search for VdiAutoLaunchHandler.onActivated() and see what is supposed to automatically launch.

      2. Search for VdiResources to see a list of the user’s VDI resources retrieved from the Imprivata appliance.
    2. Ensure virtual apps or desktops are configured on the following pages in the Imprivata appliance console:
      1. Computersand thenVirtual desktops
        Ensure that the broker URLs do not end with a trailing slash, /.
      2. Computersand thenComputer policyand thenVirtual desktops tab
      3. Usersand thenUser policyand thenVirtual desktops tab
  3. Check if the virtual apps or desktops failed to launch:
    1. Inspect the Imprivata in-session extension logs.
    2. Search for errors around CitrixSessionHandler, CitrixSession, or VmwareSessionHandler.
  4. Check if the Citrix or VMware apps log any errors:
    1. Access Imprivata in-session extension logs to inspect the background page for the Citrix or VMware app.
    2. Search for errors.
  5. Launch the Citrix or VMware app, connect to your connection server, and see if you can launch the virtual app or desktop manually.
Imprivata admin console changes do not apply

Server settings are fetched in the background periodically in a configurable interval, typically between 3 minutes to 24 hours. Default is 10 minutes. You can change the interval in the Imprivata admin console—Go to and thenSettingsand thenRefresh interval when agents check server for updates in this site. That change requires one server settings update to propagate. During deployment, Imprivata settings can be fetched immediately by pressing Ctrl + R on the ChromeOS device.

User settings are updated in the same interval or whenever a new user signs in for the first time.

Additional questions?

If you have further questions or would like to request features that are currently missing, contact Chrome Enterprise support. For details, see Get support.

Before you contact Chrome Enterprise support for help with troubleshooting, you can help us resolve your issue more quickly by gathering:

  • Extension logs
    For details, see Access logs above.

  • Device's current Chrome policies

    1. On the ChromeOS device, browse to chrome://policy.

    2. Click Export to JSON.

    3. Name your file yourdomain-mmddyyyy.json. Include your domain name and today's date.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
16685056287961516513
true
Search Help Center
true
true
true
true
true
410864
false
false