Generic Desktop App

If you’d like to add desktop applications that aren’t in our Centrify Desktop App Catalog, you can create custom application profiles using the generic application template. Custom application profiles provide user access to desktop applications that may not be open to the general public or that haven’t yet been added to the app catalog.

Adding a Generic desktop app to your desktop app catalog allows Privileged Access Service administrators to configure which users are allowed to connect to desktop applications that reside on a remote application host system. Users can log in to remote desktop applications with specified credentials and without having to check out a password. Centrify Privileged Access Service uses standard command-line architecture to pass account parameters and credentials to desktop applications running under remote desktop services. Additionally, detailed information about user activity on the host application system can be captured on the systems you choose to audit.

Generic desktop app prerequisites

Before you configure Desktop Applications in the Admin Portal for remote access, you need to make sure your environment meets the following requirements:

  • A standalone Windows Server with Remote Desktop Services deployed. In Remote Desktop Services, you need to:
    • Publish the desktop application to your remote desktop collection.
    • Configure desktop application parameters to Allow any command-line parameters. This enables the Privileged Access Service command line functionality.

    Note:   Centrify recommends that you do not run remote desktop services on the same Windows Server that includes the Centrify Connector.

  • One or more of the following Privileged Access Service administrator rights to access the Apps tab in Admin Portal (also see Admin Portal administrative rights):

    • Privileged Access Service User
    • Privileged Access Service Power User
    • Privileged Access Service Administrator
  • The application host must have View permission.
  • Application Management administrator right to access Apps > Add Desktop Apps.
  • Desktop App administrator has Grant permissions for account objects that are specified as arguments in a command line.
  • If you configure the remote desktop app host login to use Shared account credentials, the Desktop App administrator must have Grant permission for the user associated with the Shared Host Login account.

Configuring Generic desktop apps

The following steps are specific to the generic desktop application template and are required in order to manage application access.

  1. In the Admin Portal, click Apps, and then Desktop Apps to add the SQL Server Management Studio application.
  2. Click Add Desktop App to open the Add Desktop Apps wizard.
  3. Next to the application you want to add, click Add.

    You can also use the Search tab to find an application. Enter the partial or full application name in the Search field and click the search icon.

  4. In the Add Desktop App screen, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application that you just added opens to the Application Settings page.

  6. On the Application Settings page, specify the following settings:




    Application Host

    To add an application host system with a database instance:

    1. Click Select next to the Application Host text box to select the relevant remote host system.
    2. Start typing the system name into the search box and select the system you want to add.

      Systems that you have View rights to are displayed.

    3. Click Done.

      The relevant remote host system is displayed in the text box.

    Host Login Credentials

    Select one of the following login methods to be used when launching the RDP connection to the application host system:

    • User's Active Directory credential

      Select this option to allow users to log in to the application host system using their AD credentials. To configure this option you also need to make sure that Securely capture users passwords at login is enabled in Settings > Authentication > Security Settings.

    • Select Alternative Account

      Select this option to allow users to log in to the application host system using their alternative account. If only one alternative account is available, then selecting Launch from the Admin Portal proceeds directly to a login screen. If more than one alternative account is available, you need to first select which account to use to log in to the application host system, and then click Continue. For information on alternative accounts, see Discovering alternative accounts.

    • Prompt for username and password

      Select this option to allow users to log in to the application host system using their own Windows credentials. Selecting Launch from the Admin Portal prompts the user for their Windows User Name and Password.

    • Shared Account

      Select this option to allow users to log in to the application host system using shared accounts. Administrators must have the Grant permission for the shared account in order to configure the account for access. Selecting this option means that all users use the same shared account in order to access the application host system. Centrify recommends that you use a different Windows account for each Desktop App configuration using a shared account to avoid session conflicts.

      1. Click Select next to the Shared Account text box to select the relevant account.

      2. Start typing the system name into the search box.

        Available shared accounts are displayed.

      3. Select the shared account you want to have access to the host system.

      4. Click Done.

        The shared account is displayed in the text box.

  7. Locate the Alias name in the remote desktop server (Server Manager > Remote Desktop Services > Alias column) for the published application and enter the information into the Application Alias field in the Admin Portal.

  8. (Optional) Click Add to select the command-line arguments to be used when launching the application host system.

    These arguments instruct the application host system how to access the application and replace the placeholders in the command line string (described below). Once added, you can either click Select to choose from available options or click the edit icon to add relevant information. You can define multiple arguments for the same type. For details on the available arguments and their descriptions, see the information icon next to the field in the Admin Portal.

  9. (Optional) Enter a custom command line string that uses the arguments defined in the Command Line Arguments field.

    The command line string you configure is flexible and depends on the requirements of the target application. Two types of placeholders are available: value type and linked object. A value type argument is displayed as {argumentName}, and a linked object is displayed as {argumentName.linkedObjectAttribute}.

    This field, when configured with the command line arguments, passes information to the desktop application on how to launch and log in to the application host system. Use the command line arguments in the field above to replace the placeholders in the string provided. When you launch the application, the placeholders are replaced with the arguments you specify.

  10. (Optional) On the Description page, you can:

    • Add a unique name and description for each supported language instance.
    • Change the name, description, and logo for the application.
  11. Configure the following Desktop App pages as needed. Click Save at the bottom of each page to save your changes.

For information on actions available for Desktop Apps, see Selecting actions for desktop apps.
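
The placeholder substitution described in the custom command line string step can be checked before a profile is saved. The following is an added example, not Centrify code: it lints a command line string against a set of arguments and renders it only when every placeholder resolves. The argument names, the attribute names (User, Password), and the target application's flags are hypothetical.

```python
import re

# Placeholder forms from this page: {argumentName} (value type) and
# {argumentName.linkedObjectAttribute} (linked object). The allowed name
# characters are an assumption; the page does not define them.
PLACEHOLDER = re.compile(r"\{([A-Za-z_]\w*)(?:\.([A-Za-z_]\w*))?\}")

def lint_command_line(template, arguments):
    """Return a list of problems; an empty list means the string is consistent.
    arguments maps a name to a str (value type) or a dict (linked object).
    """
    problems, used = [], set()
    for match in PLACEHOLDER.finditer(template):
        name, attr = match.groups()
        used.add(name)
        token = match.group(0)
        if name not in arguments:
            problems.append(f"{token}: argument not defined")
        elif attr is None and isinstance(arguments[name], dict):
            problems.append(f"{token}: linked object needs .attribute")
        elif attr is not None and not isinstance(arguments[name], dict):
            problems.append(f"{token}: value type has no attributes")
        elif attr is not None and attr not in arguments[name]:
            problems.append(f"{token}: unknown attribute")
    # Any brace left after removing well-formed placeholders is malformed.
    if re.search(r"[{}]", PLACEHOLDER.sub("", template)):
        problems.append("malformed placeholder (stray brace)")
    for name in sorted(set(arguments) - used):
        problems.append(f"{name}: defined but never used")
    return problems

def render(template, arguments):
    """Substitute placeholders; refuse to render a string that fails the lint."""
    problems = lint_command_line(template, arguments)
    if problems:
        raise ValueError("; ".join(problems))
    def repl(match):
        name, attr = match.groups()
        value = arguments[name]
        return value if attr is None else value[attr]
    return PLACEHOLDER.sub(repl, template)

# Constructed sample: one value argument and one linked account object.
# The flags belong to a hypothetical target application.
SAMPLE_ARGS = {"server": "db01.example.test",
               "account": {"User": "svc_app", "Password": "<placeholder>"}}
SAMPLE_TEMPLATE = "--host {server} --user {account.User} --pass {account.Password}"
```

Because the rendered string can carry account credentials, record the lint result rather than the rendered command line.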