Skip to main content

IGEL Integrations

Frame provides a convenient Custom Partition for IGEL OS bundled with UMS Profiles for easy and secure integration with IGEL OS and management with IGEL's UMS. The included UMS Profiles allow admins to quickly and easily deploy Frame App tailored for your users and use-case(s).

Version Requirements

  • Frame App 7.4.x+ is compatible with IGEL OS 12
  • IGEL UMS 11 or higher

Frame App Custom Partition

You can bundle Frame App into an IGEL Custom Partition for use with IGEL OS 12 following the instructions below. Building the custom partition bundle currently requires Ubuntu 18.04 with IGEL OS 11.

Frame App IGEL Bundling instructions For Ubuntu 18.04

  1. Download the latest Frame App for Linux (Debian) to your ~/Downloads directory.
  2. Download and unzip Frame.zip from https://github.com/IGEL-Community/IGEL-Custom-Partitions/raw/master/CP_Packages/Apps/Frame.zip.
  3. Using a terminal, navigate to the unzipped directory to /target/build/ and execute build-frame-cp.sh
  4. Copy frame.ini and frame.tar.bz2 from /target/ to a new Frame folder in the UMS "ums_filetransfer" path depending on your OS:
    • UMS upload path on Linux: /opt/IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/Frame/
    • UMS upload path on Windows: C:/Program Files/IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/Frame/
  5. Import Frame's Custom Profile(s) from /igel/*
  6. Edit the profile and set up Firmware Customization -> Custom Partition -> Download with your UMS server info and credentials.
  7. Setup env variables as instructed in the guides below.

Building the bundle will provide you with a zip file relative to the version of Frame App that was bundled. This bundle also includes Frame-provided UMS Profiles that you can quickly import and begin using with your Frame Custom Partition.

note

The UMS Profiles provided by Frame serve as starting points for your implementation. However, they don't limit your options for customization. Frame is highly extensible, allowing for extensive customization of various aspects including authentication, Role-Based Access Control (RBAC), and user interface (UI). Advanced customizations can be achieved through:

  • Orchestrating Secure Anonymous Tokens for fine-grained control over authentication flows and RBAC
  • Leveraging the Session API to manage how, when, and where customers interact with your Frame resources

These tools enable you to tailor the Frame experience to your specific needs, going beyond the default configurations provided in the UMS Profiles.

Frame-provided UMS Profiles

Below is a list of the Frame-provided UMS Profiles, how to configure and customize them, etc. Pick a UMS Profile that sounds best for your IGEL use-cases and import it to try it out.

Basic Frame App Profile

Bundle location: igel/frame-app-basic-profile.xml

Frame App Basic Custom Partition

Blender in Frame App on an IGEL Device

This "basic" UMS Profile simply enables a Frame App icon on the IGEL Desktop.

Admins can customize the default settings and launch parameters by adding command line arguments in your UMS by editing the Frame App Basic Profile Settings: Firmware Customization > Custom Application > Frame > Settings.

info

When configuring the profile, you need to specify the Frame App version in the command field, use /custom/frame/frame-sat-kiosk-launcher.sh v7

Please refer to our Linux command-line arguments for Frame App for more information.

Frame SAML2 Kiosk Mode Profile

Bundle location: igel/frame-saml2-kiosk-profile.xml

This profile is designed to support a specific end user workflow and assumes a particular Frame configuration.

Frame App Kiosk with SAML

SAML2 Kiosk Mode User Experience

The SAML2 Kiosk Mode provides a seamless and secure user experience, integrating Frame App with third-party identity providers. Here's what users can expect:

  1. Upon launch, Frame App clears its cache to ensure a fresh session and secure authentication.

  2. Users are presented with a full-screen Kiosk Mode interface, supporting multiple monitors. The login screen of the configured third-party identity provider appears, prompting for credentials.

  3. After successful authentication, Frame App directs users to either a desktop or specific application, based on the Launch Link configuration.

  4. The Frame session begins in full-screen mode, providing an immersive remote desktop experience.

  5. If users disconnect, either manually or due to inactivity, they have the option to resume their session within the account's or Launchpad's configured idle timeout.

  6. When users end their session (by quitting or shutting down the Windows instance), they are logged out and returned to the identity provider's login screen, ready for the next user.

This workflow ensures a secure, stateless experience for shared devices while maintaining ease of use for end-users.

SAML2 + Kiosk Mode Requirements

To set up the SAML2 Kiosk Mode, ensure you have the following:

  • A Published Launchpad
  • A configured identity provider with associated roles/permissions allowing access to the desired Frame Account
  • A Frame Launch Link with the additional "Quit and log out" URL parameter: &qlo=1
  • (Optional) Frame account production workload VMs joined to a Windows domain, if desired

Additionally, you need to configure the IGEL UMS Custom Profile:

  1. Navigate to:

    System > Firmware Customization > Environment Variables > Predefined

  2. Add the following environment variable:

    • FRAME_LAUNCH_URL: This is your Launch Link, obtained from the Account's Dashboard > Launchpad > Advanced Integrations. You'll find a configurable dialog with Launch Links there.
note

While we recommend using Launch Links for Kiosk scenarios, you can also use a standard Launchpad URL for the FRAME_LAUNCH_URL value if needed.

This configuration ensures that your SAML2 Kiosk Mode is properly set up and integrated with your Frame Account and IGEL environment.

SAML2 + Kiosk Mode Configuration

  1. Import the SAML2 kiosk launcher profile template (with .ipm extension) into your UMS12.
  2. After importing, update the template values with your specific configuration.
  3. Follow the existing steps for setting up the environment variables.

Frame SAT Kiosk Mode Profile

Bundle location: igel/frame-sat-kiosk-profile.xml

The Frame SAT Kiosk Custom Profile is designed to support a specific end user workflow relying on Frame's Secure Anonymous Tokens (SAT) for authentication. This flow also assumes a particular Frame configuration to support the kiosk experience as defined below.

Frame App Kiosk powered by SAT

Frame App Kiosk with Windows Login

SAT Kiosk Mode User Experience

With the SAT Kiosk Mode user experience, end users will not authenticate to a SAML2-based identity provider (this script uses the Frame Secure Anonymous Token (SAT) functionality for session authentication).

  1. Frame App will launch in "kiosk mode" (full screen).

  2. User cache is cleared prior to start and exit of Frame App to ensure no user preference settings have persisted since the prior use of Frame App.

  3. End users are authenticated using Frame Secure Anonymous Token (SAT) functionality.

  4. Frame App directs the end user directly to the desktop or application (depending on the Launch Link configuration).

  5. When a Frame session starts, the remote desktop will be in full-screen mode.

  6. Upon session disconnect or closure, Frame App will restarts with a new SAT token.

    note

    Disconnect behavior is configurable from Session Settings.

SAT + Kiosk Configuration Requirements

  • A Published Launchpad.
  • API Provider configured at the Organization entity.
  • Secure Anonymous Token Provider at the Account entity level granting a role of Launchpad User for a specific Launchpad in a Frame account (under the Organization entity).
  • Frame Launch Link is used, rather than a Launchpad URL to support automatic start of the user's session and to simplify the UX.
  • Optional: The Frame account production workload VMs can be joined to a Windows domain, if desired.
  • The Environment Variables listed below:

Environment Variables

The following environment variables must be configured in the IGEL Custom Profile for this profile to work.

  1. Edit your IGEL UMS Custom Profile and go to:

    System > Firmware Customization > Environment Variables > Predefined

  2. Set the following environment variables:

Environment VariableDescription
FRAME_CLIENT_IDObtained from the API provider when a set of API credentials are created.
FRAME_CLIENT_SECRETObtained from the API provider when a set of API credentials are created.
FRAME_SAT_URLURL obtainable from the Playground.

For example:
https://api.console.nutanix.com/v1/accounts/XXXXXXXX-XXXX-XXXX-XXXX-31d09e2881cd/secure-anonymous/secure-anon-XXXXXXXX-XXXX-XXXX-XXXX-c5e2dc93df1e/tokens.
FRAME_ACCOUNT_IDSign in to Frane Console as an Admin. Locate your account, click the three-dot menu, and select "update" to view the Account's entity settings. Next, copy the Account UUID from the browser's URL bar. For example:
https://console.nutanix.com/frame/account/YOUR-FRAME-ACCOUNT-UUID-HERE/basic-info or use the Admin API to List Accounts.
FRAME_EMAIL_DOMAINEmail domain name used to create the anonymous user email addresses that will be visible in the Session Trail.
Example: frame.igel.mycompany.com
FRAME_LAUNCH_URLObtained from an Account's Dashboard > Launchpad > Advanced Integrations to get a configurable dialog with Launch Links. While we recommend Launch Links for Kiosk scenarios, the value of FRAME_LAUNCH_URL could instead be a standard Launchpad URL.
FRAME_TERMINAL_CONFIG_IDObtainable from the Launch Link URL.
FRAME_LOGOUT_URLOptional. Allows configuration of the "logout" behavior by specifying a URL. Useful when using a Frame Launch Link with additional "Quit and log out" url parameter: &qlo=1.

Frame Admin API and SAT Quick Setup Guide

  1. Enable API access

    Account > Users > Authentication

    Enable API

  2. Add an API

    Account > Users > API

    Create an API integration with with the ability to generate anonymous tokens and manage your account as an Account Administrator. These roles are mandatory for this custom partition's scripts; they use account-based Admin API calls to validate the current status of sessions (statuses such as "initializing", "open", "closing", etc.).

    API - Generate

  3. Create a set of credentials for use with the Custom Profile.

    Manage Credentials

    Manage Credentials

    Create new API key

    Create new API key

    Copy the credentials. Keep it secret; keep it safe.

    Copy the credentials for use in the IGEL Environment Variables. Keep it secret; keep it safe.

Secure Anonymous Access Setup

1. Enable "Secure Anonymous" access

Account > Users > Authentication

Secure Anonymous

2. Create Anonymous Access Provider

Account > Users > Secure Anonymous

Add Provider

3. Add the Launchpad User role to the Provider

Add Provider

Note: If Launchpad User Role is not visible on the list, be sure you've created a launchpad first. If you have, refresh the page and try again.

4. Copy Provide URL from Playground Examples

Anon Provider Playground

Easily find and copy your SAT Provider URI:

Copy Provider URI

Testing New Versions of Frame App

When a new version of Frame App comes out, admins should test the new version of Frame App on a small subset of devices before rolling it out to the rest of their users. In order to configure multiple versions of Frame App in your UMS, you need to follow a few steps below to add a custom installation path of a test Frame App Custom Partition.

info

When building the custom partition for Frame App 7.x+, make sure to use the build-frame-cp.sh script.

  1. Create a new folder in your UMS file transfer server, something like Frame-Test. This would result in a folder at the following path:

    /IGEL/RemoteManager/rmguiserver/webapps/ums_filetransfer/Frame-Test/

  2. Once that's complete, import or create a copy of an existing profile and edit it. Navigate to Firmware Customization > Custom Partition > Download and edit the download URL to reference the same path.

    For our example: https://[YOUR_UMS_SERVER]:8443/ums_filetransfer/Frame-Test/frame.inf

  3. That's it! Assign the profile to your devices and they should download the new partition accordingly.

note

Multiple versions of Frame App are not currently available on the same IGEL device. Admins must assign only one Frame App Custom Partition to a device at a time.

Troubleshooting

As of now, there are no specific common issues reported for Frame App 7 on IGEL OS. However, we are continuously monitoring user feedback and will update this section with any relevant troubleshooting information as it becomes available.

If you encounter any issues, please contact our support team for assistance.