Appmarks are essentially bookmarks for applications. After you configure a connector for an application, you configure one or more appmarks to enable users to access the application in different ways. After a user logs in to CloudAccess, users see the appmarks on the landing page that they are entitled to see, according to the application settings for public access or policy mappings for the application to identity source roles (groups).
You can configure appmarks for any proxy connector, SaaS connector, or SSO connector. You can even configure multiple appmarks for the same connector. For example, you might want to have several appmarks for the various Office 365 applications so users can easily identify them. The connector for Google Apps includes default appmarks for Calendar, Drive, and Mail applications. You can copy an existing appmark to create a new one.
When you configure an appmark, you specify whether you want the application to launch in a desktop browser or on a supported mobile device, or both. If you configure a single appmark to display in both a desktop browser and on a mobile device, the appmark will have the same name, but you can customize the icons so they are different. Appmarks offer significant flexibility, enabling you to customize your users’ experience using different view options and variables.
When you configure a new appmark to display on a mobile device, after the appliance is finished applying your change, the user must do a refresh on the mobile device before the appmark appears. To do a refresh, the user does the standard “pull-to-refresh” action on the Applications page in the MobileAccess app. (This action is used in mail and other common applications on the mobile device.)
NOTE:Appmarks for proxy and SSO connectors have no access control associated with them. If users know how to get to a service, they can access the service. Appmarks just add convenience to the user experience.
Use the information in the following sections to help you understand and configure appmarks:
You configure appmarks on the Appmarks tab in the configuration window for the connector. On the Appmarks tab next to the name of the appmark in the blue bar are several icons for renaming, copying, disabling, or deleting the appmark. Use the mouseover text to identify the icon you want to use. You can view and edit appmark configuration options by clicking the blue bar or the plus sign (+) icon. The following appmark options are available:
This check box restores the Appmarks tab to the default settings for the connector. Consider using this option if you have configured custom connectors that are not working as expected. Click OK and apply the changes to the appliance to see the default appmark settings.
The display name for the appmark. If you want different display names for the appmark on the desktop browser page and on mobile devices, you should create a copy of the appmark and change the name. For more information, see Section 2.5.6, Creating Multiple Appmarks for an Application.
This option is available only for appmarks configured for Simple Proxy, Bookmark, OAuth2 Resources, and SSO-only type connectors. Public access is disabled by default for all connectors except connectors for Basic SSO. If you select the Public option, all users can see and use the appmark. If you deselect the Public option, no users can see the appmark until it is mapped to desired identity source roles (groups) in Policy Mapping.
Enables the appmark to be visible on the CloudAccess landing page.
Specifies whether the URL of the appmark on the landing page is the identity provider-initiated type or the service provider-initiated type. This option appears only for the full provisioning connectors (Google Apps, Salesforce, and Office 365) and the SSO-only connectors, such as Box or Accellion.
The URL that is to be used for the appmark. There are some replacement values that you can use. For more information, see Section 2.5.7, Using Appmark Variables.
The icon that appears on the landing page. Within the same appmark, you can use different icons for the landing page and for mobile devices. You can use a different custom icon for each connector to improve their usability for users.
Enables the appmark to be visible on supported iOS mobile devices in the MobileAccess app on the Applications page.
Enables the appmark to be visible on supported Android mobile devices in the MobileAccess app on the Applications page.
Specifies how to launch the application on the mobile device. Options include the following:
Safari: When the user opens the MobileAccess app on the mobile device and taps the appmark, the MobileAccess app launches Safari and directs it to the application.
Chrome: When the user opens the MobileAccess app on the mobile device and taps the appmark, the MobileAccess app launches Chrome and directs it to the application. If Chrome is not installed on the mobile device, the user is taken to the App Store to install it.
Internal viewer: When the user opens the MobileAccess app on the mobile device and taps the appmark, the MobileAccess app opens an embedded HTML viewer and directs it to the application. This view is similar to the Safari and Chrome options, except that the user does not have to leave the MobileAccess window. The application opens within the MobileAccess app window, and the user can tap the app name (as defined by the administrator when configuring the tool in the appliance) on the navigation bar in the top left corner of the screen to go back to the app home page and easily switch to another protected resource.
Native application: Use this option specifically for mobile apps. When the user opens the MobileAccess app on the mobile device and taps the appmark, MobileAccess opens the mobile app itself.
Use for the Native application option. This is the URL such as fb://profile that will launch another application installed on the device.
(Optional) You can use this option if you selected the Native application option. This is the URL to install the application if it is missing on the mobile device.
The URL that is to be used for the appmark. This can be different from the desktop URL if there is a mobile-specific version of the page.
The icon that represents the application in the MobileAccess app. Appmark icons for mobile devices should be in .png file format and ideally 72 x 72 pixels to ensure they display correctly. Square icons size well on mobile devices. Each icon should convey a good visual image of the application it represents.
When you select Safari or Chrome from the appmark Launch with list, MobileAccess opens the application in a new tab in the browser by using the MobileAccess proxy.
The browser workflow on the mobile device is as follows:
The end user opens the MobileAccess app on the mobile device.
(Conditional) If it is configured, the user is prompted for and enters an application PIN.
The user sees a list of protected resources and selects a protected resource.
The MobileAccess app starts Safari or Chrome and directs it to the protected resource via the MobileAccess proxy by opening a new tab in the browser.
The end user is allowed access to the protected resource.
In Google Chrome, the user can tap the button in the top left of the navigation bar to close the current tab and return to the MobileAccess app.
When you select Internal viewer from the appmark Launch with list, MobileAccess opens an embedded HTML viewer and directs it to the protected resource by using the MobileAccess proxy.
The workflow on the mobile device is as follows:
The end user opens the MobileAccess app on the mobile device.
(Conditional) If it is configured, the user is prompted for and enters an application PIN.
The user sees a list of protected resources and selects a protected resource.
The MobileAccess app opens an embedded HTML viewer and directs it to the protected resource using the MobileAccess proxy.
The end user is allowed access to the protected resource.
When a user opens a protected bookmarked application in a Safari browser, MobileAccess prompts the user for the application PIN, then allows the user to access the bookmarked application.
The workflow using bookmarks on the mobile device is as follows:
The end user opens Safari on the mobile device.
The end user selects a bookmark that points to a URL protected by MobileAccess (i.e., a protected resource).
The end user is redirected to the MobileAccess app.
(Conditional) If it is configured, the user is prompted for and enters an application PIN.
The end user is redirected back to Safari and the bookmarked URL (protected resource).
The end user is seamlessly allowed access to that bookmarked application.
After you have configured a connector for a proxy, SaaS, or SSO application, you can configure an appmark to simplify access to that application from the user’s landing page or from a mobile device, or both.
Log in with an appliance administrator account to the Admin page at
https://appliance_dns_name/appliance/index.html
(Conditional) If you have not already configured the connector for the application, drag it from the Applications palette to the Applications panel.
Click the configured connector on the Applications panel and click Configure.
(Conditional) If you have not already configured the connector, provide the appropriate information on the Configuration tab. The required information varies depending on the connector.
Click the Appmarks tab.
Click the plus (+) sign next to the default created appmark.
(Conditional) Select the Public check box if you want the appmark to appear for all users, regardless of their entitlement to the application.
(Conditional) If you want the appmark to be available on the user’s landing page, select the Desktop browser check box and complete the following steps:
(Conditional) If it is applicable to the connector, select the appropriate option from the Initiate login at list.
Leave the default value in the URL field.
(Optional) If you want to provide your own icon for the appmark, click the X on the Icon line to delete the default icon. Then browse to and select a .png file to represent the application on the browser’s landing page.
(Conditional) If you want the appmark to be available on the user’s mobile device, select the iOS devices or Android devices check box and complete the following steps.
Select an option from the Launch with list to specify how you want users to access the application on their mobile device. For more information about the available options, see Section 2.5.1, Understanding Appmark Options.
(Optional) If you want to provide your own icon for the appmark, click the X on the Icon line to delete the default icon. Then browse to and select a .png file to represent the application on the mobile device. You can use different icons for the landing page and mobile devices.
Click OK, then click Apply.
The appliance reconfigures with the new change. After this process has completed, users who enter the appliance URL are redirected to a login page. They enter their user name and password and are presented with a landing page containing the appmark icon that links to the application.
Application connectors can have multiple appmarks. For example, you might create several appmarks for different Office 365 or Google Apps applications. You can create a new appmark from scratch, or you can copy an existing appmark to save time, especially if you want to create several appmarks and just change one or two options on each one. This procedure assumes you have already configured the connector.
Log in with an appliance administrator account to the Admin page at
https://appliance_dns_name/appliance/index.html
Click the configured connector on the Applications panel, then click Configure.
Click the Appmarks tab, then do one of the following:
Click New
Click the Copy icon next to the existing appmark name
(Conditional) If you are copying an existing appmark, the Name field is pre-populated with COPY_$(DisplayName). You have several options:
You can accept this default name. (However, note that “COPY_” will be part of the name.)
You can change the display name by manually editing the text.
You can edit the display name by selecting from available variables. Type ${ at the end of the field, then select a variable from the list. For more information about the available variables, see Section 2.5.7, Using Appmark Variables.
Specify whether the application should be accessible from a desktop browser or a mobile device, or both, and complete the appropriate fields. For more information about available options, see Section 2.5.1, Understanding Appmark Options.
Click OK, then click Apply to update the appliance.
Each connector has different configuration settings and variables, and some appmarks need to contain information from the connector configuration to be useful. When you configure a connector, the Appmarks tab is automatically populated with one or more default appmarks, depending on the connector. The default settings contain some variables in the URL field.
You can use the variables that are available for a connector in the Name and URL fields if they are of the string type and have a value provided. To insert a variable, type ${ to display the available variables. Use the mouse or press the up/down arrow keys to select a variable. When you press the down arrow key, an additional box shows the resolved value. Press the up arrow key to close the resolved variables box. Some variables may not be resolvable until after you apply your changes on the appliance.
Appmarks for proxy and SSO applications are intended only for display and convenience. They are not connected to any authorization policy or access control list (ACL). The SSO and proxy appmark URLs are still available to be used by anyone who knows the link in the URL field. However, selecting or deselecting the Public option when configuring an appmark determines whether the appmark actually appears for the users in a group. If you deselect the Public check box, the appmark is not available for users until you map the appmark to one or more groups in your configured identity source. After mapping is completed, users in those mapped groups can see the appmark on the landing page or mobile device.
The following procedure assumes that you have already configured an appmark and applied the change on the appliance.
Switch to the Policy page of the administration console.
On the left side, locate the identity source that has the desired group (listed as Role Name) from the list.
On the right side, select Other Applications from the list.
Select the Authorization Name of the appmark and drag it to a Role Name.
In the mapping window, there are no approvals for appmarks because there is no account provisioning in this process. Users who are included in the group are automatically approved. Click OK to continue.
Now when users who are in the mapped group do a refresh in the MobileAccess app or access the landing page, they see the new appmark icon. Users who are not in the mapped group do not see the icon.