Self healing for Igel 11.09 & Imprivata PIE 7.12
When upgrading to Igel 11.09 you may find Imprivata PIE 7.11 will not upgrade to 7.12.
GitHub write-up and code available here.
Igel 11.09 OS update is available
Everything is running fine. You see a new Igel OS update to 11.09 and give it a try. After the reboot you're left with a screen where the Imprivata lock screen did not load.
Deep dive time
After connecting to an Igel device over SSH, run the command ImprivataBootstrap. It returns a 404 error when trying to fetch the URL:
https://umc-imprivata.yourdomain.com/sso/servlet/getembeddedloader?arch=amd64&collname=proveidembedded3
ProveID embedded 7.12
Looking at Imprivata, you're on ProveID Embedded 7.11 and there is a new 7.12 release. Following the steps, download and install it on your Imprivata appliance.
PIE 7.12 does install on your Igel device with OS 11.09, though there is still no Imprivata lock screen. SSH to the device and run ImprivataBootstrap, which now returns:
2023-11-08 01:06:27,127 - bootstrap - ERROR: Failed to import main loader. Reason: bad magic number in 'MainLoader': b'\x03\xf3\r\n'
One off
Fix this for a single device at the command prompt with the following commands. The first wipes the previous install of ImprivataBootstrap; the second requests a new install, which will be PIE 7.12.
ImprivataBootstrap -w
ImprivataBootstrap
Thousands of devices
Now what to do for the multitude of Igel devices you need to upgrade?
I’ve put together a bash script that will accomplish the following:
Wait 5 minutes after boot, which helps in case an upgrade is still taking place.
Check if the file /.imprivata_data/runtime/offline/Agent/FirstDomain.txt exists. This file is only present if the Imprivata lock screen loads.
If the file is found, take no action. If the file is not found, run the bootstrap commands above to wipe and reinstall, then reboot the device.
Imprivata_Clean.sh
#!/bin/bash
# Record the start of the boot check.
date +"%Y%m%d_%T" >> /run/Imprivata_BootCheck_Start.log
# Give a pending upgrade time to finish.
sleep 300
if [ -e /.imprivata_data/runtime/offline/Agent/FirstDomain.txt ]
then
    # Lock screen loaded: nothing to do.
    date +"%Y%m%d_%T" >> /run/Imprivata_BootCheck_FileYes.log
else
    # Lock screen did not load: wipe, reinstall and reboot.
    date +"%Y%m%d_%T" >> /run/Imprivata_BootCheck_FileNo.log
    ImprivataBootstrap -w
    ImprivataBootstrap
    reboot
fi
#EOF
As you can see, this creates one log file when it starts and a second log file recording whether the check file was found. Each file has a timestamp written into it.
Igel policy
Create an Igel policy named: OS11 Imprivata check if bootstrap. Then enter this:
System > Firmware Customizations > Custom Commands > Desktop > Final desktop command: /run/Imprivata_Clean.sh &
Create the bash file above, upload it as an Igel file and set its path on the device to /run.
Attach the file to the Igel profile you just created: OS11 Imprivata check if bootstrap.
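A variant of the script above that caps how many consecutive wipe-and-reboot cycles a device will attempt, so a device that cannot fetch PIE (for example the 404 shown earlier) stops rebooting instead of looping every five minutes. This is an added example, not the author's script; STATE_DIR, MAX_ATTEMPTS, BOOT_DELAY, the single log file name, the log/decide/main function names and the --run argument are all assumptions, and STATE_DIR must point at storage that survives a reboot.

```bash
#!/bin/bash
# Added example, not the author's script: Imprivata_Clean.sh with a repair cap.
# ASSUMPTION: STATE_DIR is a placeholder and must survive a reboot.
MARKER="${MARKER:-/.imprivata_data/runtime/offline/Agent/FirstDomain.txt}"
STATE_DIR="${STATE_DIR:-/path/to/persistent/dir}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"   # consecutive wipe/reboot cycles allowed
BOOT_DELAY="${BOOT_DELAY:-300}"     # same 5 minute wait as the original

log() {
    printf '%s %s\n' "$(date +%Y%m%d_%T)" "$*" >> "$STATE_DIR/Imprivata_BootCheck.log"
}

# Prints the action for this boot: healthy, repair or give-up.
decide() {
    count_file="$STATE_DIR/repair_attempts"
    count=0
    if [ -e "$MARKER" ]; then
        rm -f "$count_file"              # lock screen loaded: reset the counter
        echo healthy
        return 0
    fi
    if [ -r "$count_file" ]; then count=$(cat "$count_file"); fi
    case "$count" in ''|*[!0-9]*) count=0 ;; esac   # ignore a corrupt counter
    if [ "$count" -ge "$MAX_ATTEMPTS" ]; then
        echo give-up                     # stop rebooting, leave it for an admin
        return 0
    fi
    echo $((count + 1)) > "$count_file"
    echo repair
}

main() {
    mkdir -p "$STATE_DIR" || exit 1
    log "start"
    sleep "$BOOT_DELAY"
    action=$(decide)
    log "$action"
    if [ "$action" = repair ]; then
        ImprivataBootstrap -w || log "wipe failed"
        ImprivataBootstrap || log "install failed"
        reboot
    fi
}

# Only act when called with --run, so the functions can be loaded and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

With this variant the final desktop command is /run/Imprivata_Clean.sh --run &, and a device that reaches give-up stays up with the reason recorded in Imprivata_BootCheck.log.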
Final thoughts
Attach the new Igel profile and OS 11.09 to the same folder. Devices will then upgrade to Igel OS 11.09 and PIE 7.12 automatically. In addition, I’ve attached this policy to a folder with Igel OS 11.08. The result is a successful downgrade to both OS 11.08 and PIE 7.11.
You're safe to move up or down in both Igel and Imprivata versions by moving devices from one folder to the other. For a sense of scale, I’ve used this against thousands of devices without a hitch.
Best Regards
Michael Wood
Resources
Note: Links only function for those already signed into https://support.imprivata.com
Imprivata ProveID Embedded 7.12
https://community.imprivata.com/s/article/Imprivata-ProveID-Embedded-7-12