Robert Terakedis

Senior Technical Marketing Manager, End User Computing, VMware.
Robert is currently in his fifth year at VMware where he’s a Senior Technical Marketing Manager for all things Apple and Workspace ONE. He has over 16 years of experience in the IT industry, with roles spanning Enterprise Mobility solutions, Microsoft technologies, storage and network infrastructure. He is based out of Atlanta, Georgia and contributes regularly to VMware’s TechZone and EUC Blog and the MacAdmins.

Enabling Patient Device Wipe with Epic & Workspace ONE UEM Integration

October 29, 2019

VMware and Epic recently announced a partnership to secure patient data. This partnership allows the Epic system to call Workspace ONE UEM APIs and issue commands to iOS and Android devices when specific hospital actions occur. For example, whenever a patient is discharged, use this integration to wipe their device.

    How to Integrate Workspace ONE UEM and Epic

    Today’s post walks through setting up and configuring the integration between the Epic and Workspace ONE UEM platforms.

    Before you can perform the steps outlined in this post, you must meet the following requirements:

    • Any supported Workspace ONE UEM tenant (cloud or on-premise)
    • Access to customer OG with Console Administrator role or higher in that UEM tenant
    • Epic August 2019 release or greater
    • Access to Epic’s Galaxy documentation portal
    • Supported Android or iOS device
    • Apple Business Manager or Google Play for Work (optional)
    • Epic MyChart Bedside app added to Workspace ONE UEM directly, synced from Apple Business Manager, or synced from Google Play for Work. If you need help with this step, please reach out to your VMware representative.

    The first step in this setup is obtaining API admin credentials in the Workspace ONE UEM console. You need the API admin credentials for use in the Epic system.

    1. Log in to the Workspace ONE UEM console with Console Administrator access.
    2. Navigate to Accounts > Administrators > List View > Add Admin.
    3. Click Add Admin.
    4. Under the Basic tab, configure the required fields.
    5. Open the Roles tab and search for a role with appropriate permissions within the customer organization group. Any role with REST API Devices Execute permissions is sufficient.
    6. Select the role with appropriate permissions.
    7. Click Save.

    After obtaining API admin credentials, you must enable REST APIs in the Workspace ONE UEM console. You need the REST API for use in the Epic system.

    1. In the Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
    2. Set Current Setting to Override.
    3. Set Enable API Access to Enabled.
    4. Click Save.

    In order for the integration to work, you must configure the Epic MyChart Bedside app in the Workspace ONE UEM console. You can configure the iOS or the Android app using the steps below. However, the option to use Apple Business Manager only applies to iOS devices.

    1. In the Workspace ONE UEM console, navigate to Apps & Books > Applications > Native > Public. Alternatively, if using Apple Business Manager, navigate to Apps & Books > Applications > Native > Purchased.
    2. Find and select the Epic MyChart Bedside app.
    3. Click Assign.
    4. Click Add Assignment.
    5. Assign your preferred Smart Group and Deployment settings.
    6. Add Application Configuration. Enter the following values for the Application Configuration fields:
      • Configuration Key: mdmIdentifier
      • Value Type: String
      • Configuration Value: {DeviceUid}
    7. Click Save.
    8. Click Save & Publish.

    This section is meant to supplement the resources provided by Epic in Epic’s Galaxy portal. If you have any questions, please reach out to your Epic MyChart Technical Services representative.

    1. Configure the following values for the External Endpoint Configuration:

      • Endpoint Type: REST
      • Address: https:///api/mdm/devices/{deviceId}/commands?command=DeviceWipe&id={deviceId}&searchBy=Udid
      • HTTP Method: POST
      • Content Type: text/xml
      • Authentication: Basic
      • Encryption: SSL
      • Mode: ASYNC
      • Callback Method: airwatchMDMServiceCallback^WBCOREMDM
      • Username: Username of API admin from step #1
      • Password: Password of API admin from step #1

    2. Create an Extension.
    3. Connect the Extension to the Post-deactivate action at the System level and affected Service Areas as needed.
    4. Configure tablet deactivation to occur on transfer and/or discharge at the System level and affected Service Areas as needed.

    How Integration Works

    Once you've successfully configured integration between Epic and Workspace ONE UEM, the following workflow occurs:

    1. Workspace ONE installs MyChart Bedside with a device identifier using App Config.
    2. MyChart Bedside application sends the device identifier and the logged-in patient to Epic backend systems.
    3. Epic tells Workspace ONE to wipe the device with the specific device identifier when the healthcare provider discharges the mapped patient.
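
As an added example (not code from VMware or Epic), the following models the call defined in the External Endpoint Configuration together with the three-step workflow above: it builds the DeviceWipe request only for the device bound to the discharged patient, refuses to send Basic credentials to a non-HTTPS address, and validates the identifier before placing it in the URL. The host name, credentials, identifier pattern, patient IDs and function names are assumptions made for the example; it covers only the settings listed on this page and sends nothing over the network.

```python
import base64
import re
from urllib.parse import quote, urlsplit

# Path and query copied from the External Endpoint Configuration on this page;
# {uid} stands in for the page's {deviceId} placeholder.
WIPE_TEMPLATE = ("{base}/api/mdm/devices/{uid}/commands"
                 "?command=DeviceWipe&id={uid}&searchBy=Udid")
# Assumption: identifiers are 16-64 letters, digits or dashes; adjust per platform.
UID_RE = re.compile(r"[A-Za-z0-9-]{16,64}")


def build_wipe_request(base_url, device_uid, username, password):
    """Return (method, url, headers) for the DeviceWipe call; raise ValueError if unsafe."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Basic credentials may only be sent to an https:// address")
    if not UID_RE.fullmatch(device_uid):
        raise ValueError(f"device identifier failed validation: {device_uid!r}")
    url = WIPE_TEMPLATE.format(base=base_url.rstrip("/"), uid=quote(device_uid, safe=""))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "POST", url, {"Authorization": f"Basic {token}", "Content-Type": "text/xml"}


def on_deactivate(patient_id, bindings, base_url, creds):
    """Model of the post-deactivate action: wipe only the device bound to this patient."""
    uid = bindings.get(patient_id)
    if uid is None:
        return None  # no tablet is mapped to this patient, so nothing is wiped
    request = build_wipe_request(base_url, uid, *creds)
    del bindings[patient_id]  # a repeated discharge event must not trigger a second wipe
    return request


if __name__ == "__main__":
    # Constructed sample data: hypothetical host, credentials, patient ID and identifier.
    bindings = {"patient-001": "3F2A9C1E5B7D4A60813C9E2F7A6B5D4C"}
    creds = ("api-admin", "example-password")
    for _ in range(2):  # the second pass shows the repeated event is ignored
        req = on_deactivate("patient-001", bindings, "https://uem.example.test", creds)
        print(req[:2] if req else "no device bound; nothing sent")
```
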

    Additional Authors and Contributors

    Chris Burns, VMware, Senior Product Manager
