Jamf Blog
March 9, 2022 by Adam Mahmud

iOS and iPadOS re-provisioning workflows: protect patient data and streamline clinical access

It’s 2022, and your healthcare IT organization is managing a flood of mobile devices driven by new clinical and patient needs. While some regulatory exceptions were made to ease the use of mobile telehealth solutions in 2020, it’s important for each health system to assess its mobile security posture heading into 2022.

Regardless of whether mobile devices are used for remote hospital at home or within the hospital walls, there are strategies to prevent and mitigate threats that can be implemented today.

According to Verizon’s 2020 Healthcare Spotlight, 85% of healthcare organizations said that mobile will be their primary means of accessing cloud-based services within 5 years. With the heightened sensitivity of personal health information (PHI), which exists in these cloud-based systems, it is paramount that health systems build the barriers needed to support the wave of mobile adoption. Mission-critical considerations for success are solutions for zero trust network access (ZTNA), mobile threat defense and zero-day phishing prevention.

As InfoSec leaders explore ways to modernize their security strategy, what other ways can we protect patient data on corporate-owned devices? Read on to see some of our highlighted shared device management workflows. While each of these Jamf-powered solutions facilitates a unique patient, clinician or family member experience, they each protect sensitive patient data in the process.

Apple Shared iPad: Temporary Session Only

What’s new?

Jamf Pro 10.34 adds management commands for Apple’s “Shared iPad” feature of Apple Business Manager and Apple School Manager.

Devices can be put in a "Temporary Session Only" mode, and devices can be set to automatically log out after periods of inactivity.

Additionally, Shared iPad settings commands are consolidated in Jamf Pro 10.34 for managing both the new settings and the existing device storage quota and maximum users values.

For more on Apple's official "Shared iPad" settings and configuration options, see the documentation in the Apple Deployment Guide.

Why this matters:

Using Shared iPad with only "Temporary Sessions" lets organizations avoid requiring a Managed Apple ID to authenticate. This may be preferable to authenticating, since it does not require personal data to be entered or retained on the iPad.

Additionally, setting the time period before logging out from inactivity:

  • Ensures no personal data is stored in a Temporary Session after a user uses the iPad.
  • Ensures the device with user data is logged out when not in use, making the sign-in and user experience better/quicker for the next user of the iPad.

How does this apply to healthcare?

There are a number of waiting room use cases where a patient or guest may need quick access to a shared iPad for a basic task, but the device will change hands to another “temporary user” thereafter. A few examples include intake, registration and eConsent applications, which today are often completed on a kiosk device.

For organizations that wish to hand out loaner devices in their waiting rooms, Temporary Session Only may be a perfect option to explore. Since this doesn’t fully erase the device, it’s important to understand the desired scope of your iPad deployment. There are many other temporary patient-use workflows where the device needs to be erased after use, and Jamf Healthcare Listener and Jamf Reset support this.

Jamf Parent for Patient Bedside

What’s new?

Jamf Pro 10.32.0's Jamf Parent integration now includes an option to automatically revoke a parent's management of a device when it is wiped or re-enrolled.

This ensures parent devices are not able to perform management actions on re-provisioned devices.

Why this matters:

The Jamf Parent app has existed for years as a way for parents and guardians to have limited management of their child’s school-issued student iPad from their own personal device. Jamf Pro 10.32’s new feature for Jamf Parent introduces more flexible ways to end a parent app session, which increases the scenarios where the app can be used.

Key features available within the Jamf Parent App:

  • Restrict games, apps and social media, or set up rules that restrict social media use to certain periods of time throughout the day
  • Create custom rules with the simple step-by-step wizard
  • See a child’s device name, current device storage utilization, device model and iOS version
  • Quickly lock an iOS device into one or several apps, eliminating distractions during quiet time
  • New as of Jamf Pro 10.35: Ability to clear student device passcode

How does this apply to healthcare?

The new functionality allows a new way to use Jamf Parent alongside our Patient Bedside workflow! This means:

  • Parents and guardians have limited, remote management capabilities of their children’s hospital-issued device — wirelessly from their own device
  • A parent or guardian can quickly pair their personal device with the hospital’s managed iPad through a QR code pairing process within the Jamf Parent App. When the patient’s device is remotely wiped by Healthcare Listener or Jamf Reset, the Jamf Parent app session is disconnected automatically — no work from IT required
  • This feature is available for customers on Jamf Pro 10.32 and works with the Jamf Parent app for iOS and Android
  • With the new Clear Passcode feature in Jamf Parent as of Jamf Pro 10.35, healthcare organizations can require that device passcodes be deployed from Jamf Pro, which ensures the patient bedside iPad has 256-bit AES hardware encryption enabled. If the patient forgets their passcode, their parent or guardian can quickly reset it, allowing the patient to set it up again!

Single Login

What’s new?

The latest release of the Jamf Setup and Jamf Reset apps supports a wireless, over-the-air workflow for shared device management.

This preview workflow called Single Login includes:

  • Cloud identity provider (IdP)-based network authentication with Microsoft Azure
  • Role-based provisioning and access control
  • Enhanced device passcode management
  • Cross-app single sign-on (SSO) for supporting iOS/iPadOS apps
  • A soft-reset logout workflow that doesn’t require a device wipe

Why this matters:

As mobile transformation initiatives have flourished, mobile workers now rely on multiple applications to perform vital daily tasks. In various industry markets where organizations deploy pools of shared iOS devices for frontline shift workers, challenges remain and impact user experience and satisfaction as well as mobile adoption.

In particular, Jamf’s Single Login workflow is designed to address three core problems with shared iOS device deployments:

  1. “Password fatigue” that emerges across devices and applications for users
  2. Access control and user assignments are difficult to manage
  3. End-of-shift device transitions have not been easy for users or IT

How does this apply to healthcare?

Leading healthcare institutions around the globe are testing the Single Login workflow during Jamf’s free preview release phase. While the underlying Microsoft technology used in Single Login is currently in public preview and not for production use, these customers have proof of concept in their development environments, and we have received feedback from informatics and clinical champions for potential future production rollouts.

Additionally, these customers are working closely with Jamf and Apple to submit feature requests to key app partners for supporting Single Login in their iOS applications. Whether for clinical communications and workflow, mobile EHR or any other use case, Jamf’s Alliances team stands by to assist app partners with development and testing efforts.

Start a Single Login Preview for your own free proof of concept.

Learn more about how Healthcare + Jamf are the right prescription for your mobile fleet's security needs.

Contact Jamf, or your preferred representative today, to inject world class device management and endpoint security into your mobile device workflows.
