
How to Enable Patient Device Wipe in Epic & Workspace ONE UEM

VMware and Epic recently announced a partnership to secure patient data. This partnership allows the Epic system to call Workspace ONE UEM APIs and issue commands to iOS and Android devices when specific hospital actions occur. For example, whenever a patient is discharged, use this integration to wipe their device.

The integration creates a workflow as follows:

1. Workspace ONE installs MyChart Bedside with a device identifier using App Config.

2. MyChart Bedside application sends the device identifier and the logged-in patient to Epic backend systems.

3. Epic tells Workspace ONE to wipe the device with the specific device identifier when the healthcare provider discharges the mapped patient.

Integrating Workspace ONE UEM and Epic

Today’s post walks through setting up and configuring the integration between the Epic and Workspace ONE UEM platforms.

Prerequisites

• Any supported Workspace ONE UEM tenant (cloud or on-premises)

• Access to customer OG with Console Administrator role or higher in that UEM tenant

• Epic August 2019 release or greater

• Access to Epic’s Galaxy documentation portal

• Supported Android or iOS device

• Apple Business Manager or Google Play for Work (optional)

• Epic MyChart Bedside app added to Workspace ONE UEM directly, synced from Apple Business Manager, or synced from Google Play for Work. If you need help with this step, please reach out to your VMware representative.

Step 1 – Create an API Admin in the Workspace ONE UEM Console

The first step in this setup is obtaining API admin credentials in the Workspace ONE UEM console. You need the API admin credentials for use in the Epic system.

1. Log in to the Workspace ONE UEM console with Console Administrator access.

2. Navigate to Accounts > Administrators > List View > Add Admin.

3. Click Add Admin.

4. Under the Basic tab, configure the required fields.

5. Open the Roles tab and search for a role with appropriate permissions within the customer organization group. Any role with REST API Devices Execute permissions is sufficient.

6. Select the role with appropriate permissions.

7. Click Save.

Step 2 – Enable REST API in the Workspace ONE UEM Console

After obtaining API admin credentials, you must enable REST APIs in the Workspace ONE UEM console. You need the REST API for use in the Epic system.

1. In the Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.

2. For Current Setting, select Override.

3. Set Enable API Access to Enabled.

4. Click Save.

Step 3 – Configure Epic MyChart Bedside in the Workspace ONE UEM Console

Apple iOS

These steps assume the Epic MyChart Bedside app has already been added to Workspace ONE UEM directly or synced from Apple Business Manager. If you need help with this step, please reach out to your VMware representative.

1. In the Workspace ONE UEM console, navigate to Apps & Books > Applications > Native > Public.

Alternatively, if using Apple Business Manager, navigate to Apps & Books > Applications > Native > Purchased.

2. Find and select the Epic MyChart Bedside app.

3. Click Assign.

4. Click Add Assignment.

5. Assign your preferred Smart Group and configure Deployment settings.

6. Enable Application Configuration. Add the following values for the Application Configuration fields.

• Configuration Key – mdmIdentifier

• Value Type – String

• Configuration Value – {DeviceUid}

7. Click Save.

8. Click Save & Publish.

Android

These steps assume the Epic MyChart Bedside app has already been added to Workspace ONE UEM directly or synced from Google Play for Work. If you need help with this step, please reach out to your VMware representative.

1. In the Workspace ONE UEM console, navigate to Apps & Books > Applications > Native > Public.

2. Find and select the Epic MyChart Bedside app.

3. Click Assign.

4. Click Add Assignment.

5. Assign your preferred Smart Group and configure Deployment settings.

6. Add Application Configuration. Add the following values for the Application Configuration fields:

• Configuration Key – mdmIdentifier

• Value Type – String

• Configuration Value – {DeviceUid}

7. Click Save.

8. Click Save & Publish.

Step 4 – Create External Endpoint Configuration in the Epic Galaxy Portal

This section is meant to supplement the resources provided by Epic in Epic’s Galaxy portal. If you have any questions, please reach out to your Epic MyChart Technical Services representative.

1. Configure the following values for the External Endpoint Configuration.

3. Connect the Extension to the Post-deactivate action at the System level and affected Service Areas as needed.

4. Configure tablet deactivation to occur on transfer and/or discharge at the System level and affected Service Areas as needed.

How Integration Works

Once you’ve successfully configured integration between Epic and Workspace ONE UEM, the following workflow occurs:

1. Workspace ONE installs MyChart Bedside with a device identifier using App Config.

2. MyChart Bedside application sends the device identifier and the logged-in patient to Epic backend systems.

3. Epic tells Workspace ONE to wipe the device with the specific device identifier when the healthcare provider discharges the mapped patient.
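The three-step workflow above, modeled as an added example (not code from VMware or Epic) to show why the mdmIdentifier App Config entry must resolve to a real device identifier before a discharge can trigger a wipe. The class, function names and sample identifiers are hypothetical and constructed, and nothing here calls the real Workspace ONE UEM or Epic APIs.

```python
import re

# Constructed model of the three-step workflow; all names here are hypothetical
# and nothing calls the real Workspace ONE UEM or Epic APIs.
CONFIG_KEY = "mdmIdentifier"          # key from the App Config step on this page
LOOKUP = re.compile(r"\{(\w+)\}")     # lookup-value syntax, e.g. {DeviceUid}


def render_app_config(template, device):
    """Step 1: UEM resolves lookup values per device before pushing App Config."""
    return {k: LOOKUP.sub(lambda m: device.get(m.group(1), m.group(0)), v)
            for k, v in template.items()}


class EpicBackend:
    def __init__(self, wipe):
        self.wipe = wipe              # callable standing in for the UEM wipe command
        self.by_patient = {}          # patient -> device identifier

    def register(self, app_config, patient):
        """Step 2: the app reports its identifier and the logged-in patient."""
        ident = app_config.get(CONFIG_KEY, "")
        if not ident or LOOKUP.search(ident):
            # Missing key or unresolved placeholder: a later discharge could not
            # be tied to a device, so refuse the mapping and surface the error.
            raise ValueError(f"unusable {CONFIG_KEY}: {ident!r}")
        self.by_patient[patient] = ident

    def discharge(self, patient):
        """Step 3: on discharge, wipe the mapped device exactly once."""
        ident = self.by_patient.pop(patient, None)
        if ident is None:
            return None               # no tablet mapped, or already wiped
        self.wipe(ident)
        return ident


def demo():
    wiped = []
    epic = EpicBackend(wiped.append)
    good = render_app_config({CONFIG_KEY: "{DeviceUid}"},
                             {"DeviceUid": "constructed-uid-0001"})
    epic.register(good, "patient-A")
    first, second = epic.discharge("patient-A"), epic.discharge("patient-A")
    try:                              # key mistyped in the console: wrong case
        epic.register({"mdmidentifier": "constructed-uid-0002"}, "patient-B")
        rejected = False
    except ValueError:
        rejected = True
    return wiped, first, second, rejected
```

In the model, a mistyped key or an unresolved {DeviceUid} placeholder is rejected at registration, so the misconfiguration is caught before discharge instead of silently leaving the tablet unwiped.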

Additional Authors and Contributors

Chris Burns, VMware, Senior Product Manager
