IGEL Integrations
Frame provides a convenient Custom Partition for IGEL OS bundled with UMS Profiles for easy and secure integration with IGEL OS and management with IGEL's UMS. The included UMS Profiles allow admins to quickly and easily deploy Frame App tailored for your users and use-case(s).
Frame App Custom Partition
You can bundle Frame App into an IGEL Custom Partition for use with IGEL OS 11 by following the instructions below. Building the custom partition bundle for IGEL OS 11 currently requires Ubuntu 18.04.
Frame App IGEL Bundling instructions For Ubuntu 18.04
- Download the latest Frame App for Linux (Debian) to your ~/Downloads directory.
- Download and unzip Nutanix_Frame.zip from https://github.com/IGEL-Community/IGEL-Custom-Partitions/raw/master/CP_Packages/Apps/Nutanix_Frame.zip.
- Using a terminal, navigate to /target/build/ in the unzipped directory and execute build-frame-cp.sh.
- Copy frame.ini and frame.tar.bz2 from /target/ to a new Frame folder in the UMS "ums_filetransfer" path, depending on your OS:
  - UMS upload path on Linux: /opt/IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/Frame/
  - UMS upload path on Windows: C:/Program Files/IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/Frame/
- Import Frame's Custom Profile(s) from /igel/*
- Edit the profile and set up Firmware Customization -> Custom Partition -> Download with your UMS server info and credentials.
- Set up environment variables as instructed in the guides below.
Building the bundle will provide you with a zip file corresponding to the version of Frame App that was bundled. This bundle also includes Frame-provided UMS Profiles that you can quickly import and begin using with your Frame Custom Partition.
While these UMS Profiles are provided by Frame, they do not limit your options to the details and user experiences outlined in them. Frame is extremely extensible, and everything from authentication and RBAC to the UI can be greatly customized. Such customizations are often done by orchestrating our Secure Anonymous Tokens for full control of authentication flows and RBAC, as well as our Session API for controlling when, where and how customers interact with your Frame resources.
Frame-provided UMS Profiles​
Below is a list of the Frame-provided UMS Profiles, how to configure and customize them, etc. Pick a UMS Profile that sounds best for your IGEL use-cases and import it to try it out.
Basic Frame App Profile​
Bundle location: igel/frame-app-basic-profile.xml
This "basic" UMS Profile simply enables a Frame App icon on the IGEL Desktop.
Admins can customize the default settings and launch parameters by adding command line arguments in your UMS by editing the Frame App Basic Profile Settings: Firmware Customization > Custom Application > Frame > Settings.
Please refer to our Linux command-line arguments for Frame App for more information.
Frame SAML2 Kiosk Mode Profile​
Bundle location: igel/frame-saml2-kiosk-profile.xml
This profile is designed to support a specific end user workflow and assumes a particular Frame configuration.
SAML2 Kiosk Mode User Experience​
- Frame App's cache is cleared each time Frame App starts and exits to ensure a fresh session and authentication.
- Frame App is launched in Kiosk Mode with multiple monitor support, presenting a third-party identity provider's login screen.
- After logging in, end users will be taken by Frame App directly to the desktop or application (depends on the Launch Link configuration).
- When a Frame session starts, the remote desktop will be in full-screen mode.
- When end users disconnect by action or inactivity timeout, they'll see an option to resume their session for the duration of the account/Launchpad's configured idle timeout.
- When a user quits the session or shuts down Windows, they'll be logged out and redirected to the identity provider's initial login page.
SAML2 + Kiosk mode requirements
- A Published Launchpad.
- Configured identity provider with associated roles/permissions allowing access to the desired Frame Account.
- Frame Launch Link with additional "Quit and log out" url parameter: &qlo=1.
- Optional: The Frame account production workload VMs can be joined to a Windows domain, if desired.
Edit your IGEL UMS Custom Profile and go to:
System > Firmware Customization > Environment Variables > Predefined
Paste your Launch Link:
FRAME_LAUNCH_URL - obtained from an Account's Dashboard > Launchpad > Advanced Integrations to get a configurable dialog with Launch Links. While we recommend Launch Links for Kiosk scenarios, the value of FRAME_LAUNCH_URL could instead be a standard Launchpad URL.
Frame SAT Kiosk Mode Profile​
Bundle location: igel/frame-sat-kiosk-profile.xml
The Frame SAT Kiosk Custom Profile is designed to support a specific end user workflow relying on Frame's Secure Anonymous Tokens (SAT) for authentication. This flow also assumes a particular Frame configuration to support the kiosk experience as defined below.
SAT Kiosk Mode User Experience​
- End users will not authenticate to a SAML2-based identity provider (this script uses the Frame Secure Anonymous Token (SAT) functionality for session authentication).
- User cache is cleared prior to start and exit of Frame App to ensure no user preference settings have persisted since the prior use of Frame App.
- Frame App will launch in "kiosk mode" (full screen).
- End users will be taken by Frame App directly to the desktop or application (depends on the Launch Link configuration).
- When a Frame session starts, the remote desktop will be in full-screen mode.
- When end users disconnect or close their session, Frame App will be restarted with a new SAT token. Disconnect behavior is configurable with Frame Session Settings.
SAT + Kiosk configuration requirements​
- A Published Launchpad.
- API Provider configured at the Organization entity.
- Secure Anonymous Token Provider at the Account entity granting a role of Launchpad User for a specific Launchpad in a Frame account (under the Organization entity).
- Frame Launch Link is used, rather than a Launchpad URL to support automatic start of the user's session and to simplify the UX.
- Optional: The Frame account production workload VMs can be joined to a Windows domain, if desired.
Environment Variables​
The following environment variables must be configured in the IGEL Custom Profile for this profile to work.
Edit your IGEL UMS Custom Profile and go to:
System > Firmware Customization > Environment Variables > Predefined
Set the following environment variables:
Environment Variable | Description |
---|---|
FRAME_CLIENT_ID | Obtained from the API provider when a set of API credentials is created. |
FRAME_CLIENT_SECRET | Obtained from the API provider when a set of API credentials is created. |
FRAME_SAT_URL | URL obtainable from the Playground. For example: https://api.console.nutanix.com/v1/accounts/XXXXXXXX-XXXX-XXXX-XXXX-31d09e2881cd/secure-anonymous/secure-anon-XXXXXXXX-XXXX-XXXX-XXXX-c5e2dc93df1e/tokens. |
FRAME_ACCOUNT_ID | Sign in to Nutanix Console as an Admin. Locate your account, click the three-dot menu, and select "update" to view the Account's entity settings. Next, copy the Account UUID from the browser's URL bar. For example: https://console.nutanix.com/frame/account/YOUR-FRAME-ACCOUNT-UUID-HERE/basic-info or use the Admin API to List Accounts. |
FRAME_EMAIL_DOMAIN | Email domain name used to create the anonymous user email addresses that will be visible in the Session Trail. Example: frame.igel.mycompany.com |
FRAME_LAUNCH_URL | Obtained from an Account's Dashboard > Launchpad > Advanced Integrations to get a configurable dialog with Launch Links. While we recommend Launch Links for Kiosk scenarios, the value of FRAME_LAUNCH_URL could instead be a standard Launchpad URL. |
FRAME_TERMINAL_CONFIG_ID | Obtainable from the Launch Link URL. |
FRAME_LOGOUT_URL | Optional. Allows configuration of the "logout" behavior by specifying a URL. Useful when using a Frame Launch Link with additional "Quit and log out" url parameter: &qlo=1. |
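A pre-deployment check for the variables in the table above, as an added example that is not part of the Frame bundle or its scripts. The variable names come from the table; the function names, the HTTPS-only rule, the other shape checks and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Frame bundle. Variable names come from the table
# above; function names and the checks (HTTPS only, URL shape) are assumptions.
UUID_RE='[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
fail() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

check_frame_sat_env() {
    problems=0
    # Required variables must be non-empty. Only names are printed, never
    # values, so FRAME_CLIENT_SECRET does not end up in logs.
    for name in FRAME_CLIENT_ID FRAME_CLIENT_SECRET FRAME_SAT_URL FRAME_ACCOUNT_ID \
                FRAME_EMAIL_DOMAIN FRAME_LAUNCH_URL FRAME_TERMINAL_CONFIG_ID; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || fail "$name is not set"
    done
    # Credentials and tokens are sent to these URLs, so refuse plain HTTP.
    for name in FRAME_SAT_URL FRAME_LAUNCH_URL FRAME_LOGOUT_URL; do
        eval "value=\${$name:-}"
        case "$value" in
            '' | https://*) ;;
            *) fail "$name must start with https://" ;;
        esac
    done
    # Path shape follows the FRAME_SAT_URL example in the table.
    printf '%s\n' "${FRAME_SAT_URL:-}" | grep -Eq \
        "^https://[^/]+/v1/accounts/$UUID_RE/secure-anonymous/[^/]+/tokens\$" ||
        fail "FRAME_SAT_URL is not .../v1/accounts/<uuid>/secure-anonymous/<provider>/tokens"
    printf '%s\n' "${FRAME_ACCOUNT_ID:-}" | grep -Eq "^$UUID_RE\$" ||
        fail "FRAME_ACCOUNT_ID is not a UUID"
    # Expect a bare domain, not an address or a URL.
    case "${FRAME_EMAIL_DOMAIN:-}" in
        *@* | */* | *' '*) fail "FRAME_EMAIL_DOMAIN must be a bare domain" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample values: not real credentials or a real Launch Link.
set_sample_env() {
    FRAME_CLIENT_ID='sample-client-id'
    FRAME_CLIENT_SECRET='sample-secret'
    FRAME_ACCOUNT_ID='11111111-2222-3333-4444-555555555555'
    FRAME_SAT_URL="https://api.console.nutanix.com/v1/accounts/$FRAME_ACCOUNT_ID/secure-anonymous/secure-anon-sample/tokens"
    FRAME_EMAIL_DOMAIN='frame.igel.mycompany.com'
    FRAME_LAUNCH_URL='https://launch.example.invalid/?qlo=1'
    FRAME_TERMINAL_CONFIG_ID='sample-terminal-config'
    FRAME_LOGOUT_URL=''
}

set_sample_env && check_frame_sat_env && echo "sample configuration passes"
```

To check a real profile, set the variables to the values you intend to enter in UMS and call check_frame_sat_env without set_sample_env.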
Frame Admin API and SAT quick setup guide​
Enable API access
Account > Users > Authentication
Add an API
Account > Users > API
Create an API integration with the ability to generate anonymous tokens and manage your account as an Account Administrator. These roles are mandatory for this custom partition's scripts; they use account-based Admin API calls to validate the current status of sessions (statuses such as "initializing", "open", "closing", etc.).
Create a set of credentials for use with the Custom Profile.
Manage Credentials
Create new API key
Copy the credentials for use in the IGEL Environment Variables. Keep it secret; keep it safe.
Secure Anonymous Access Setup​
1. Enable "Secure Anonymous" access​
Account > Users > Authentication
2. Create Anonymous Access Provider​
Account > Users > Secure Anonymous
3. Add the Launchpad User role to the Provider​
Note: If Launchpad User Role is not visible on the list, be sure you've created a launchpad first. If you have, refresh the page and try again.
4. Copy Provider URL from Playground Examples
Easily find and copy your SAT Provider URI:
Testing newer versions of Frame App prior to deployment​
When a new version of Frame App comes out, admins should test it on a small subset of devices before rolling it out to the rest of their users. To configure multiple versions of Frame App in your UMS, follow the steps below to add a custom installation path for a test Frame App Custom Partition.
Create a new folder in your UMS file transfer server, something like Frame-Test. This would result in a folder at the following path: /IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/Frame-Test/
Once that's complete, import or create a copy of an existing profile and edit it. Navigate to Firmware Customization > Custom Partition > Download and edit the download URL to reference the same path.
For our example:
https://[YOUR_UMS_SERVER]:8443/ums_filetransfer/Frame-Test/frame.inf
That's it! Assign the profile to your devices and they should download the new partition accordingly.
Multiple versions of Frame App are not currently available on the same IGEL device. Admins must assign only one Frame App Custom Partition to a device at a time.