Frame-Provided IGEL Profiles
Profile Options
Frame-provided UMS Profiles offer various configuration options to customize and optimize your IGEL environment. These profiles range from basic Frame App desktop integration to specialized kiosk modes supporting SAML2 and Secure Anonymous Tokens (SAT) authentication. Instructions for importing Frame App into UMS 12 are in the Import a Frame App Profile section further down this page.
Basic Frame App Profile
Bundle location: igel/frame-app-basic-profile.xml
This "basic" UMS Profile simply enables a Frame App icon on the IGEL Desktop.
Admins can customize the default settings and launch parameters by adding command-line arguments in the Frame App Basic Profile settings in UMS: Firmware Customization > Custom Application > Frame > Settings.
When configuring the profile, you need to specify the Frame App version in the command field. Use: /custom/frame/frame-sat-kiosk-launcher.sh v7
Please refer to our Linux command-line arguments for Frame App for more information.
Frame SAML2 Kiosk Mode Profile
Bundle location: igel/frame-saml2-kiosk-profile.xml
This profile is designed to support a specific end user workflow and assumes a particular Frame configuration.
SAML2 Kiosk Mode User Experience
The SAML2 Kiosk Mode provides a seamless and secure user experience, integrating Frame App with third-party identity providers. Here's what users can expect:
Upon launch, Frame App clears its cache to ensure a fresh session and secure authentication.
Users are presented with a full-screen Kiosk Mode interface, supporting multiple monitors. The login screen of the configured third-party identity provider appears, prompting for credentials.
After successful authentication, Frame App directs users to either a desktop or specific application, based on the Launch Link configuration.
The Frame session begins in full-screen mode, providing an immersive remote desktop experience.
If users disconnect, either manually or due to inactivity, they have the option to resume their session within the account's or Launchpad's configured idle timeout.
When users end their session (by quitting or shutting down the Windows instance), they are logged out and returned to the identity provider's login screen, ready for the next user.
This workflow ensures a secure, stateless experience for shared devices while maintaining ease of use for end-users.
SAML2 + Kiosk Mode Requirements
To set up the SAML2 Kiosk Mode, ensure you have the following:
- A Published Launchpad
- A configured identity provider with associated roles/permissions allowing access to the desired Frame Account
- A Frame Launch Link with the additional "Quit and log out" URL parameter: &qlo=1
- (Optional) Frame account production workload VMs joined to a Windows domain, if desired
Additionally, you need to configure the IGEL UMS Custom Profile:
Navigate to:
System > Firmware Customization > Environment Variables > Predefined
Add the following environment variable:
FRAME_LAUNCH_URL: This is your Launch Link, obtained from the Account's Dashboard > Launchpad > Advanced Integrations. You'll find a configurable dialog with Launch Links there.
While we recommend using Launch Links for Kiosk scenarios, you can also use a standard Launchpad URL for the FRAME_LAUNCH_URL value if needed.
This configuration ensures that your SAML2 Kiosk Mode is properly set up and integrated with your Frame Account and IGEL environment.
SAML2 + Kiosk Mode Configuration
- Import the SAML2 kiosk launcher profile template (with .ipm extension) into your UMS12.
- After importing, update the template values with your specific configuration.
- Follow the existing steps for setting up the environment variables.
Frame SAT Kiosk Mode Profile
Bundle location: igel/frame-sat-kiosk-profile.xml
The Frame SAT Kiosk Custom Profile is designed to support a specific end user workflow relying on Frame's Secure Anonymous Tokens (SAT) for authentication. This flow also assumes a particular Frame configuration to support the kiosk experience as defined below.
SAT Kiosk Mode User Experience
With the SAT Kiosk Mode user experience, end users do not authenticate to a SAML2-based identity provider. Instead, this script uses the Frame Secure Anonymous Token (SAT) functionality for session authentication.
Frame App will launch in "kiosk mode" (full screen).
User cache is cleared prior to start and exit of Frame App to ensure no user preference settings have persisted since the prior use of Frame App.
End users are authenticated using Frame Secure Anonymous Token (SAT) functionality.
Frame App directs the end user directly to the desktop or application (depending on the Launch Link configuration).
When a Frame session starts, the remote desktop will be in full-screen mode.
Upon session disconnect or closure, Frame App restarts with a new SAT token.
Note: Disconnect behavior is configurable from Session Settings.
SAT + Kiosk Configuration Requirements
- A Published Launchpad.
- API Provider configured at the Organization entity.
- Secure Anonymous Token Provider at the Account entity level granting a role of Launchpad User for a specific Launchpad in a Frame account (under the Organization entity).
- A Frame Launch Link is used, rather than a Launchpad URL, to support automatic start of the user's session and to simplify the UX.
- Optional: The Frame account production workload VMs can be joined to a Windows domain, if desired.
- The Environment Variables listed below:
Environment Variables
The following environment variables must be configured in the IGEL Custom Profile for this profile to work.
Edit your IGEL UMS Custom Profile and go to:
System > Firmware Customization > Environment Variables > Predefined
Set the following environment variables:
Environment Variable | Description |
---|---|
FRAME_CLIENT_ID | Obtained from the API provider when a set of API credentials is created. |
FRAME_CLIENT_SECRET | Obtained from the API provider when a set of API credentials is created. |
FRAME_SAT_URL | URL obtainable from the Playground. For example: https://api.console.nutanix.com/v1/accounts/XXXXXXXX-XXXX-XXXX-XXXX-31d09e2881cd/secure-anonymous/secure-anon-XXXXXXXX-XXXX-XXXX-XXXX-c5e2dc93df1e/tokens. |
FRAME_ACCOUNT_ID | Sign in to Frame Console as an Admin. Locate your account, click the three-dot menu, and select "update" to view the Account's entity settings. Next, copy the Account UUID from the browser's URL bar. For example: https://console.nutanix.com/frame/account/YOUR-FRAME-ACCOUNT-UUID-HERE/basic-info. Alternatively, use the Admin API to List Accounts. |
FRAME_EMAIL_DOMAIN | Email domain name used to create the anonymous user email addresses that will be visible in the Session Trail. Example: frame.igel.mycompany.com |
FRAME_LAUNCH_URL | Obtained from an Account's Dashboard > Launchpad > Advanced Integrations to get a configurable dialog with Launch Links. While we recommend Launch Links for Kiosk scenarios, the value of FRAME_LAUNCH_URL could instead be a standard Launchpad URL. |
FRAME_TERMINAL_CONFIG_ID | Obtainable from the Launch Link URL. |
FRAME_LOGOUT_URL | Optional. Allows configuration of the "logout" behavior by specifying a URL. Useful when using a Frame Launch Link with the additional "Quit and log out" URL parameter: &qlo=1. |
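
A preflight check for the variables in the table above, as an added example that is not part of the Frame or IGEL bundle. The variable names come from the table; the format rules (https-only URLs, the /secure-anonymous/.../tokens path shape, a UUID-shaped account ID, a bare email domain) are assumptions inferred from the example values on this page, and check_sat_env, is_https, is_uuid and fail are hypothetical helper names.

```shell
#!/bin/sh
# Added example: validate the SAT kiosk environment variables before launch.
# Format rules are assumptions taken from the example values on this page.

problems=0
fail() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

# 0 when the value is an https:// URL with something after the scheme
is_https() { case "$1" in https://?*) return 0 ;; *) return 1 ;; esac; }

# 0 when the value has the 8-4-4-4-12 hexadecimal UUID shape
is_uuid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Returns the number of problems found (0 means the profile looks complete).
check_sat_env() {
  problems=0
  # Every variable in the table except FRAME_LOGOUT_URL is required.
  for name in FRAME_CLIENT_ID FRAME_CLIENT_SECRET FRAME_SAT_URL \
              FRAME_ACCOUNT_ID FRAME_EMAIL_DOMAIN FRAME_LAUNCH_URL \
              FRAME_TERMINAL_CONFIG_ID; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || fail "$name is not set"
  done
  # Reject plain http:// for every URL the kiosk will contact.
  for name in FRAME_SAT_URL FRAME_LAUNCH_URL FRAME_LOGOUT_URL; do
    eval "value=\${$name:-}"
    [ -z "$value" ] || is_https "$value" || fail "$name must use https://"
  done
  # Path shape copied from the FRAME_SAT_URL example in the table.
  case "${FRAME_SAT_URL:-}" in
    ''|*/secure-anonymous/*/tokens) ;;
    *) fail "FRAME_SAT_URL is not a SAT provider tokens URL" ;;
  esac
  [ -z "${FRAME_ACCOUNT_ID:-}" ] || is_uuid "$FRAME_ACCOUNT_ID" ||
    fail "FRAME_ACCOUNT_ID is not a UUID"
  # A domain such as frame.igel.mycompany.com, not an address or a URL.
  case "${FRAME_EMAIL_DOMAIN:-}" in
    *@*|*/*|*' '*) fail "FRAME_EMAIL_DOMAIN must be a bare domain" ;;
    ''|*.*) ;;
    *) fail "FRAME_EMAIL_DOMAIN must be a bare domain" ;;
  esac
  return "$problems"
}
```

The exit status of check_sat_env is the number of problems found, so a wrapper script can decline to start Frame App when it is non-zero.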
Frame Admin API and SAT Quick Setup Guide
Enable API access
Account > Users > Authentication
Add an API
Account > Users > API
Create an API integration with the ability to generate anonymous tokens and manage your account as an Account Administrator. These roles are mandatory for this custom partition's scripts; they use account-based Admin API calls to validate the current status of sessions (statuses such as "initializing", "open", "closing", etc.).
Create a set of credentials for use with the Custom Profile.
Secure Anonymous Access Setup
Enable "Secure Anonymous" access
Account > Users > Authentication
Create Anonymous Access Provider
Account > Users > Secure Anonymous
Add the Launchpad User role to the Provider
Note: If the Launchpad User role is not visible in the list, be sure you've created a Launchpad first. If you have, refresh the page and try again.
- Copy the Provider URL from Playground Examples, where you can easily find and copy your SAT Provider URI.
Import a Frame App Profile
Follow these simple steps to import the Frame App profile into your IGEL environment and configure it according to your needs.
Step 1: Import the Frame App Profile
- Navigate to the IGEL App Portal in the UMS server.
- Go to the Apps tab (yellow tab at the top).
- In the left panel, select Cloud.
- Locate and select Frame App.
Step 2: Create a New Frame App Profile
- Click on the "Create new profile" button.
- In the dialog box that appears:
- Enter a Name (e.g., "FrameApp-Test").
- Enter a Description (optional, e.g., "Frame App application").
- Select the Location (e.g., under "Profiles").
- Click Save to confirm.
Step 3: Configure the Frame App Profile
- Once the Frame App profile is created, click the Edit Configuration button.
- Update the profile settings based on your requirements. Some configuration options include:
- Check for updates on startup
- Clear cache before starting
- Enable kiosk mode
- Set kiosk timeout behavior
Refer to your specific Frame use case to determine which options need to be enabled or customized.
Example Configuration
The final configuration may look similar to the following:
- A created profile named FrameApp-Test.
- Key settings such as startup behavior, cache clearing, and kiosk options enabled.
The Frame-provided UMS profile options are detailed at the top of the page. Pick the UMS Profile that best fits your IGEL use case and import it to try it out.