October 29, 2019

Enabling Patient Device Wipe with Epic & Workspace ONE UEM Integration

This blog post discusses how to set up and configure the integration between the Epic and Workspace ONE UEM platforms.

As of Epic’s 2019 August release, VMware Workspace ONE now integrates directly with Epic’s systems and MyChart Bedside app to secure patient data. This integration allows the Epic system to call Workspace ONE UEM APIs and issue commands to iOS and Android devices when specific hospital actions occur. For example, whenever a patient is discharged, use this integration to wipe their device.

How to Integrate Epic with Workspace ONE UEM

Today’s post walks through setting up and configuring integration between the Epic and Workspace ONE UEM platforms.

Prerequisites

Before you can perform the steps outlined in this post, you must meet the following requirements:

  • Any supported Workspace ONE UEM tenant (cloud or on-premise)
  • Access to customer OG with Console Administrator role or higher in that UEM tenant
  • Epic August 2019 release or greater
  • Access to Epic’s Galaxy documentation portal
  • Supported Android or iOS device
  • Apple Business Manager or Google Play for Work (optional)

  • Epic MyChart Bedside app added to Workspace ONE UEM directly, synced from Apple Business Manager, or synced from Google Play for Work. If you need help with this step, please reach out to your VMware representative.

Step 1: Create an API Admin in the Workspace ONE UEM Console

The first step in this setup is obtaining API admin credentials in the Workspace ONE UEM console. You need the API admin credentials for use in the Epic system.

  1. Log in to the Workspace ONE UEM console with Console Administrator access.
  2. Navigate to Accounts > Administrators > List View > Add Admin.
  3. Click Add Admin.
  4. Under Basic tab, configure the required fields.
  5. Open the Roles tab and search for a role with appropriate permissions within the customer organization group. Any role with REST API Devices Execute permissions is sufficient.
  6. Select the role with appropriate permissions.
  7. Click Save.
Step 2: Enable REST APIs in the Workspace ONE UEM Console

After obtaining API admin credentials, you must enable REST APIs in the Workspace ONE UEM console. You need the REST API for use in the Epic system.

  1. In the Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
  2. Set Current Setting to Override.
  3. Set Enable API Access to Enabled.
  4. Click Save.
Step 3: Configure Epic MyChart Bedside App in the Workspace ONE UEM Console

In order for the integration to work, you must configure the Epic MyChart Bedside app in the Workspace ONE UEM console.You can configure the iOS or the Android app using the steps below. However, the option to use Apple Business Manager only applies to iOS devices.

  1. In the Workspace ONE UEM console, navigate to Apps & Books > Applications > Native > Public. Alternatively, if using Apple Business Manager, navigate to Apps & Books > Applications > Native > Purchased.
  2. Find and select the Epic MyChart Bedside app.
  3. Click Assign.
  4. Click Add Assignment.
  5. Assign your preferred Smart Group and Deployment settings.
  6. Add Application Configuration. Enter the following values for the Application Configuration fields:
    • Configuration KeymdmIdentifier
    • Value TypeString
    • Configuration Value{DeviceUid}
  7. Click Save.
  8. Click Save & Publish.
Step 4: Configure the External Endpoint in Epic

This section is meant to supplement the resources provided by Epic in Epic’s Galaxy portal. If you have any questions, please reach out to your Epic MyChart Technical Services representative.

  1. Configure the following values for the External Endpoint Configuration:

    Endpoint Type

    Address

    HTTP Method

    Content Type

    Authentication

    REST

    https:///api/mdm/devices/commands?command=DeviceWipe&id={deviceId}&searchBy=Udid

    POST

    text/xml

    Basic

     

    Encryption

    Mode

    Callback Method

    Username

    Password

    SSL

    ASYNC

    airwatchMDMServiceCallback^WBCOREMDM

    Username of API admin from step #1

    Password of API admin from step #1
  2. Create an Extension.
  3. Connect the Extension to the Post-deactivate action at the System level and affected Service Areas as needed.
  4. Configure tablet deactivation to occur on transfer and/or discharge at the System level and affected Service Areas as needed.

How Epic Integration Works

Once you've successfully configured integration between Epic and Workspace ONE UEM, the following workflow occurs:

  1. Workspace ONE installs MyChart Bedside with a device identifier using App Config.
  2. MyChart Bedside application sends the device identifier and the logged-in patient to Epic backend systems.
  3. Epic tells Workspace ONE  to wipe the device with the specific device identifier when the healthcare provider discharges the mapped patient.

Additional Authors and Contributors

Chris Burns, VMware, Senior Product Manager

Epic and MyChart are trademarks of Epic Systems Corporation.

Filter Tags

Workspace ONE Blog Announcement Operational Tutorial Intermediate

George Spelvin

Read More from the Author

Multi-Cloud Computing Guru, VMware. George has been working as a VMware guru since time began. People say that he actually does very little and exists solely to claim ownership of work produced by people that have gone before. Thankfully, we only pay him in kibble. George never attended university, and has never been seen in the office or on a Zoom call. He is a good boy.