Parallels® Browser Isolation is a remote browser isolation (RBI) solution that provides secure access to websites and web applications. By using Parallels Browser Isolation, you can create a list of allowed web resources, configure access by using granular policies, and see usage statistics.

Parallels Browser Isolation consists of two services:

• Parallels Browser Isolation Management Portal for managing users and resources

• Parallels Browser Isolation User Portal for accessing resources

This guide explains how to use Parallels Browser Isolation Management Portal.

Parallels Browser Isolation 20250513 (May Release)

• The admin home page dashboard has a new design with more relevant insights and trends

• Improvements to custom branding feature.

Parallels Browser Isolation 20250402 (April Release)

• Administrators can now publish or unpublish apps using a toggle on the Applications page.

Parallels Browser Isolation 20250307 (March Release)

• Users can configure policies to disable downloads (all or by file type).

• Management Portal and Owner Portal have new UI.

Parallels Browser Isolation 20250129 (January Release)

• Ability to add custom branding to User Portal.

Parallels Browser Isolation 20241125 (November Release)

• Granular control for the clipboard: you can disable copying from PBI sessions and pasting to PBI sessions separately via policies

• You can select the location where the data plane will be hosted for the environment

Parallels Browser Isolation 20241106 (November Release)

This release contains optimizations of the underlying infrastructure, with no updates or changes to the product interface, features, or functionality.

Parallels Browser Isolation 20241016 (October Release)

• Added the ability to download reports from the Overview category in the XLSX format

• Added the ability to select the period for which Parallels Browser Isolation displays reports in the Overview category

• Added the option to disable the keyboard via the Policy features section

Parallels Browser Isolation 20240919 (September Release)

• Introduced the “Domain whitelisting — Learn and Discover" feature for secure web applications

• The “Applications” category has been redesigned and now has a quick access page for easier and faster navigation when viewing and editing applications

Parallels Browser Isolation 20240821 (August Release)

• New charts are added to Insights: “Top 5 Users with the Most Security Control Encounters (User Name vs. Total Encounters Per User)” and “Top 5 Regions with the Most Users (Region Name vs. User Count Per Region)"

• Introduced a Quick Access pane to provide easier and faster navigation for viewing and editing policies

Parallels Browser Isolation 20240724 (July Release)

• Ability to test IdP configuration in Parallels Browser Isolation.

Parallels Browser Isolation 20240627 (June Release)

• Ability to upload domains in bulk when creating policies and secure web applications.

• Option to provide feedback.

Parallels Browser Isolation 20240523 (May Release)

• Added the Overview section to the Insights category. This section shows a dashboard with key metrics on sessions, users, policies, and applications.

• Added instructions on configuring OIDC in Google and OKTA.

Parallels Browser Isolation 20240408 (April Release)

• Added usage-based Metrics (SPLA) Subscription.

• Several bug fixes and improvements to stability.

All Release notes: https://kb.parallels.com/en/130068.

When you are invited to Parallels Browser Isolation, you will receive an invitation email containing a license key, a link to Parallels Browser Isolation sign-in page, and instructions on activating the license key in Parallels My Account.

To sign in:

1. Sign in to Parallels My Account (https://my.parallels.com/login).

2. On the Home page, click the Register a License Key button. You might be prompted to enter business information if you do not yet have a business account.

3. In the License Key field, specify the license key you received in the invitation email. Provide an optional description of the key in the Display name field.

4. Click Register.

5. Click Dashboard on the top of the page.

6. On the Parallels Browser Isolation card, click Initial Configuration. You will be redirected to Parallels Browser Isolation

Next, you need to configure Parallels Browser Isolation.

To let users access applications, you need to add them to Parallels Browser Isolation.

Adding users

To add a user to Parallels Browser Isolation:

1. Navigate to the User Management category.

2. Select Users.

3. Click Add.

4. Specify the name of the user exactly as it is configured in the IdP.

5. Click Add.

Adding groups

To add a group to Parallels Browser Isolation:

1. Navigate to the User Management category.

2. Select Groups.

3. Click the Add button.

4. Specify the name of the group exactly as it is configured in the IdP.

5. Click Add to add the group to Parallels Browser Isolation.

Next, you need to add applications.

Follow one of the links below to learn how to configure your IdP:

Next, you need to .

To start working with Parallels Browser Isolation, follow the steps below:

1. Sign in to Parallels My Account and register your license key.

2. Configure your IdP for working with Parallels Browser Isolation.

3. Configure Parallels Browser Isolation.

4. Add users.

5. Add applications.

6. Add policies.

Applications are resources that your users can access in Paralles Browser Isolation.

To add an application:

1. Navigate to the Application category.

2. Click the Add Application button.

3. Parallels Browser Isolation supports two types of applications:

   • Secure browser: An instance of secure browser. You can create several instances for different users and groups and configure different policies for them.

   • Web application: A standalone web application.

   Depending on the type of application you want to add, click either Add Secure Browser or Add Secure Web Application.

4. Configure the application settings:

   • Name: The name of the application.

   • (Optional) Description: The description of the application.

   • (Optional) Icon: The application icon.

   • Start URL: Depends on the type of application. For secure browser instances, this is the URL of the home page. For the web application, this is the URL of the application.

   • (Web applications only) Allowed domain: Additional domains that can be accessed from the application, for example, IdP login pages. You can add several domains simultaneously by clicking the Add from File button and selecting a .csv file with the list of domains.

   • Users: Users who can access the application.

   • Groups: User groups that can access this application.

   • (Optional) Apply policies: Policies that apply to the application.

5. Click Save.

6. Navigate to the card with the application that you want to publish and click the Publish Application switch.

Next, you need to add policies.

Parallels Browser Isolation supports several types of licenses. You can purchase a license for a specific duration and number of users.

The user license is consumed dynamically when the end user signs in to Parallels Browser Isolation User Portal to access the resources. The license seat is persistently assigned to the named user. This provides the user the ability to access the resources from any device.

The differences between various types of licenses are explained below.

License comparison

Subscription

This type of license allows customers to use Parallels Browser Isolation to provide access to resources to their end users. The maximum number of end users allowed to access resources is based on the number of user seats specified in the license and available for the duration of the contract.

Parallels SPLA

The SPLA (Service Provider License Agreement) is designed for service providers and Independent Software Vendors (ISVs) offering Parallels DaaS to their customers. It allows you to pay for licenses based on the number of seats that you make available to your customers each billing period.

Trial

This type of license allows you to use Parallels Browser Isolation for free for a short period of time.

You can find the list of known issues and a resolution (timeline) over here in this article;

Known Issues

To configure Parallels Browser Isolation for the first time:

1. Read Cloud Solution Agreement, and if you agree to it, click Accept.

2. On the Select location card, click Set Location. The Resource Location category will open.

3. In the Region drop-down menu, select the region where Parallels will host your data plane. It is highly recommended that you select the region closest to your users for best performance and minimum latency.

1. Click Save. The Configuration category will open.

2. On the Configure Domain & IdP card, click IdP Configuration. The Configuration category will open.

3. In the Domain Configuration section, enter your organization's domain in the Domain field.

4. In the IdP Configuration section, do the following:

   • In the OpenID configuration URL field, specify the URL of the discovery document of your OpenID Connect provider.

   • In the Client ID field, specify your client ID for connecting to the identity provider. For Auth0, the format of the Client ID is https://<Domain_Name>/.well-known/openid-configuration.

   • In the Client secret field, specify the secret for connecting to the identity provider.

   • In the Username claim name field, specify the ID token that holds the username claim name:

     • For Entra ID, specify preferred_username

     • For Auth0, specify name

   • In the Group claim name field, specify the ID token that holds the group claim name.

   • Click the Test Configuration button to make sure that the specified settings are correct.

5. Click Save. The Overview category will open.

6. In the Users field, specify the email (UPN) of the user you want to add as an administrator and click Add. The email must be exactly the same as that used in your IdP. Do this multiple times if you want to add several users.

1. In the Groups field, specify the group you want to add as an administrator group and click Add. The group name must be exactly the same as that used in your IdP. Do this multiple times if you want to add several groups.

1. Click Save. The Overview category will open.

2. On the Access Admin Portal card, click Admin Sign In. You will be redirected to Parallels Browser Isolation Management Portal.

Next, you need to add users and groups that will access you applications.

The Insights category allows you to inspect current and historical usage statistics.

Overview

The Overview category shows key metrics on sessions, users, policies, and applications.

You can change the period for which Parallels Desktop Browser Isolation displays the data by clicking the drop-down menu in the top-right corner.

This category contains the following reports:

• Isolated Browser Sessions: The number of user sessions.

• Top 5 Most Visited Domains: The domains that users visited the most.

• Top 5 Web Apps Used: The apps that users opened the most.

• Top 5 Violations: The restricted actions that users performed the most.

• Top 5 Users with Security Controls Encounters: The users who performed restricted actions the most.

• Top 5 Regions: The regions with the most users.

Downloading reports

You can download the reports from the Overview category in the XLSX format by clicking the Menu button (...) and selecting Download.

Live reports

The Live reports category shows current usage statistics.

User Events

The User Events category shows historical events related to user activity.

Admin Events

The User Events category shows historical events related to administrator activity. You can click on an event to see the request and response information.

Policies allow you to configure things like access to resources, blocked domains, user experience, and so on.

To add a policy:

1. Navigate to the Policies category.

2. Click Add.

3. Configure the general policy settings:

   • Name: The name of the policy.

   • (Optional) Description: The description of the policy.

4. Configure settings in the Profile section. This section allows you to create an isolation profile based on users, groups, locations, time zones, and so on.

   • (Optional) Users: Users affected by this policy. Find the user in the Users drop-down menu and click the Add button to the right. Added users will appear in the list below.

   • (Optional) Groups: User groups affected by this policy. Find the group in the Groups drop-down menu and click the Add button to the right. Added groups will appear in the list below.

   • (Optional) Active Hours: The time period when the policy will be active.

   • (Optional) Location: Locations where the users are affected by this policy. Find the location in the Country drop-down menu and the Add button to the right. Added locations will appear in the list below.

5. Configure settings in the Security controls section. This section allows you to configure specific use cases or features like preventing uploading or downloading, restricting printing, or blocking an URL.

   • (Optional) Policy features: Features that are restricted under the policy.

   • (Optional) End user experience: The indicator that shows that the application is running inside Parallels Browser Isolation.

   • (Optional) Restrict domains: The URLs that are blocked under the policy. Specify the domain you want to block in the Block domain field and click the Add button to the right. Added URLs will appear in the list below. You can add several domains simultaneously by clicking the Add from File button and selecting a .csv file with the list of domains.

6. Click Save.

7. To apply the policy to an application, navigate to the category and edit the application accordingly. You can see the list of applications the policy is applied to in the Usage section of the policy settings.

Now your users can access all published resources using Parallels Web Client.

The Dashboard category allows you to perform quick actions and see general usage statistics.

Past 24 hour insights

This section lets you view what changes have taken place across metrics like total user session, total applications, policy violations and Current active users and a small arrow points the delta, whether it has a upward or downward trend.

Key trends

This section lists the top domains that were visited either over a day or over a month, same has been extend to view the top violated policies and top risky users. You can also view the regions on a map showing the user sessions origin.

The User Managment category allows you to add users and groups that exist in the IdP to Parallels Browser Isolation as well as assign the administrator role to these users and groups. After adding users and groups, you can assign policies and applications to them.

Users

To add a user to Parallels Browser Isolation:

1. Navigate to the User Management category.

2. Select Users.

3. Click Add.

4. Specify the name of the user exactly as it is configured in the IdP.

5. Click Add.

To remove a user from Parallels Browser Isolation:

1. Navigate to the User Management category.

2. Select Users.

3. Click the meatball icon in the rightmost column and select Remove.

4. In the dialog that appears, click Remove.

Groups

To add a group to Parallels Browser Isolation:

1. Navigate to the User Management category.

2. Select Groups.

3. Click the Add button.

4. Specify the name of the group exactly as it is configured in the IdP.

5. Click Add to add the group to Parallels Browser Isolation.

To remove a group from Parallels Browser Isolation:

1. Navigate to the User Management category.

2. Select Groups.

3. Click the meatball icon (three vertical dots) in the rightmost column and select Remove.

4. In the dialog that appears, click Remove.

Administrators

Administrator role allows a user or a group to access Parallels Browser Isolation Management portal.

To assign an administrator role to a user or group:

1. Navigate to the User Management category.

2. Select Administrators.

3. In either Users or Groups field, specify the name of the user or group exactly as it is configured in the IdP. Added users and groups will appear in the list below.

Custom Branding

You can customize the appearance and the domain name of User Portal.

To customize User Portal:

1. Navigate to the User Management category.

2. Select Custom Branding.

3. Configure settings in the Domain section:

   • Custom environment: The subdomain used for User Portal URL. The URL will have the format <your-subdomain>.pbi.parallels.com.

4. Configure settings in the Header section:

   • Header text: The text on the header.

   • Header logo: The header logo in the JPG or PNG format.

   • Header effect or color: The header color. You can choose between the blur effect and a solid color.

   • Header color: The HEX color code. You need to specify this if you selected Solid color in Header effect or color.

5. Configure settings in the Page settings section:

   • Background: The background image for User Portal in the JPG or PNG format. This image scales and crops according to the window size, but the sign-in prompt might partially cover it.

   • Favicon: The favicon that appears in the browser tab in the JPG or PNG format.

6. Click Save.

1. On your Okta admin dashboard, go to Applications > Applications.

2. Select Create App Integration.

3. In the Sign-in method section, select OIDC - OpenID Connect.

1. In the Application type section, select Web Application. Click Next.

2. Enter a name for the application as relevant to your organization. For example, Acme Inc.

3. In the Sign-in redirect URIs field, specify https://pbi.parallels.com/rbi/oidc/signin/callback and https://pbi.parallels.com/owner/test-idp.

4. On the General tab, copy the Client ID and Client secret.

1. Once the above steps are completed, copy the values from OKTA which should mimic the table below, and paste them into the Parallels Browser Isolation IDP configuration section as shown below:

1. Click Save and proceed with adding users using the Admin Management section that was configured in the OIDC.

Step 1. Create an application

1. Log in to https://manage.auth0.com/.

2. Navigate to Getting started and click Create Application.

3. Do one of the following:

   • If you don't have any specific requirements for your environment, select either Single Web Page Applications or Regular Web Applications.

   • If you know that your environment requires a specific type of application, select that type.

4. Click Create.

5. Select the Settings tab and copy the values of Client ID and Client Secret.

6. In the Allowed Callback URLs field, specify https://pbi.parallels.com/rbi/oidc/signin/callback and https://pbi.parallels.com/owner/test-idp.

7. Select the Endpoints tab in the Advanced settings section and copy the value of the OpenID Configuration field.

Step 2. Adding users

1. In the left pane, navigate to Users under User Management.

2. Navigate to Create Users and click Create User.

3. Add the email and password of the user.

4. (Optional) Verify the user's email:

   1. Click the three dots button.

   2. In Details, go to email and verify the email.

Step 3. IdP Configuration

1. Once the above steps are completed, copy the values from which should mimic the table below, and paste them into the Parallels Browser Isolation IDP configuration section as shown below:

1. Click Save and proceed with adding users using the Admin Management section that was configured in the OIDC.

The Policies category allows you to create and manage policies. Policies control things such as user access, scheduling, URL filtering, and much more.

Add a policy

To add a policy:

1. Navigate to the Policies category.

2. Click Add.

3. Configure the general policy settings:

   • Name: The name of the policy.

   • (Optional) Description: The description of the policy.

4. Configure settings in the Profile section. This section allows you to create an isolation profile based on users, groups, locations, time zones, and so on.

   • (Optional) Users: Users affected by this policy. Find the user in the Users drop-down menu and click the Add button to the right. Added users will appear in the list below.

   • (Optional) Groups: User groups affected by this policy. Find the group in the Groups drop-down menu and click the Add button to the right. Added groups will appear in the list below.

   • (Optional) Active Hours: The time period when the policy will be active.

   • (Optional) Location: Locations where the users are affected by this policy. Find the location in the Country drop-down menu and the Add button to the right. Added locations will appear in the list below.

5. Configure settings in the Security controls section. This section allows you to configure specific use cases or features like preventing uploading or downloading, restricting printing, or blocking an URL.

   • (Optional) Policy features: Features that are restricted under the policy.

     • Disable application: Disables the application.

     • Disable printing: Disables printing from the application.

     • Disable keyboard: Disables keyboard usage in the application.

     • Disable downloads: Disable downloading from the application.

       • Choose the file type extension that you want to specifically disable. for ex; audio files like .mp3, or .wav

     • Disable copy & paste from PBI: Disables copying from the application.

     • Disable copy & paste to PBI: Disables copying to the application.

   • (Optional) End user experience: The indicator that shows that the application is running inside Parallels Browser Isolation.

   • (Optional) Restrict domains: The URLs that are blocked under the policy. Specify the domain you want to block in the Block domain field and click the Add button to the right. Added URLs will appear in the list below. You can add several domains simultaneously by clicking the Add from File button and selecting a .csv file with the list of domains.

6. Click Save.

7. To apply the policy to an application, navigate to the Applications category and edit the application accordingly. You can see the list of applications the policy is applied to in the Usage section of the policy settings.

Edit a policy

To edit a policy:

1. Navigate to the Policies category.

2. Click the meatball icon (three vertical dots) in the rightmost column and select Edit.

3. Edit the policy as desired.

4. Click Save.

View policy information

To view policy information:

1. Navigate to the Policies category.

2. Click on the policy. A side pane with information opens.

Remove a policy

To remove a policy:

1. Navigate to the Policies category.

2. Click the meatball icon (three vertical dots) in the rightmost column and select Remove.

3. In the dialog that appears, click Remove.

1. Log in to the Google Cloud Console at .

2. At the top of the page, click Select a Project or New Project.

1. In the left menu (or under Quick access on the page), click on APIs & Services, then OAuth consent screen.

2. In the User Type section, select Internal.

1. Fill in Application name and Support email fields, and click Save and Continue.

1. Add email, profile, and openid.

1. Click the Create credentials button, and select OAuth client ID.

1. Fill in the details below and click Create. Application Type: Web application Name: [Name of you application] Authorized redirect URIs: https://pbi.parallels.com/rbi/oidc/signin/callback and https://pbi.parallels.com/owner/test-idp. This is the Parallels Browser Isolation redirect URL.

1. In the dialog that appears, copy the Client ID and Client Secret or download the JSON file.

2. Once the above steps are completed, copy the values which should mimic the table below, and paste them into the Parallels Browser Isolation IDP configuration section as shown below:

1. Click Save and proceed with adding users using the Admin Management section that was configured in the OIDC.

Step 1. Create a Microsoft Entra ID application

1. Log in to the Microsoft Azure portal .

2. Open the portal menu and select Microsoft Entra ID.

3. On the left pane, select App registrations.

1. Click New registration (at the top of the right pane). The Register an application blade opens.

1. In the Name field, type the name you want to use for the application.

2. Select an appropriate account type.

3. In the Redirect URI section, make sure that Web is selected in the drop-down list and add the following URIs:

   https://pbi.parallels.com/rbi/oidc/signin/callback and https://pbi.parallels.com/owner/test-idp.

1. Click Register (at the bottom left).

Step 2. Create a client secret for the Microsoft Entra ID application

1. If you are not on the application page anymore, navigate to it from the Home page by selecting Microsoft Entra ID > App registration and then clicking the app in the right pane.

2. In the left pane, click Certificates & secrets.

3. In the right pane, click New client secret.

4. Type a client name and select a desired expiration option.

5. Click Add. The new client secret appears in the Client secrets list.

Step 3. Configure a token

1. Select your application and on the left pane, select Token configuration.

2. Click Add groups claim.

1. Select an appropriate group type.

2. Click Add.

3. Click Add optional claim.

4. In the Token type section, select ID.

5. Select preferred_username.

1. Click Add.

Step 4. Assign Required Permissions to the Microsoft Entra ID application

1. Select your application and on the left pane, select API permissions.

2. Click Add a permission.

3. Click the Microsoft Graph card.

4. Click the Delegated permissions card.

5. Open the Group section.

6. Select the following permissions:

   • Group.Read.All

1. Click Add permissions.

2. Click Grant admin consent for...

3. Confirm you want to grant admin consent by clicking Yes.

Step 5. Save settings for future use

1. Select your application and on the left pane, select Overview.

2. Save the following information for use in the Parallels Browser Isolation Management Portal setup:

   • Application (client) ID

3. Click the Endpoints button.

4. Save the value of the OpenID Connect metadata document field for use in the Parallels Browser Isolation Management Portal setup.

Make sure to securely store the client secret and other sensitive information.

Step 6. IdP Configuration on PBI Owner Portal

1. Once the above steps are completed, copy the values from Entra ID which should mimic the table below, and paste them into the Parallels Browser Isolation IDP configuration section as shown below:

1. Click Save and proceed with adding users using the Admin Management section that was configured in the OIDC.

If you have comments or suggestions, we encourage you to send us feedback.

Sending feedback from Parallels Browser Isolation Management Portal

To send feedback from Parallels Browser Isolation Management Portal:

1. Click the "person" icon in the top-right corner.

2. From the menu that opens, select Provide Feedback.

3. Add your feedback and click Send.

The Applications category allows you to add applications that users can work with.

Add an application

To add an application:

1. Navigate to the Application category.

2. Click the Add Application button.

3. Parallels Browser Isolation supports two types of applications:

   • Secure browser: An instance of secure browser. You can create several instances for different users and groups and configure different policies for them.

   • Web application: A standalone web application.

   Depending on the type of application you want to add, click either Add Secure Browser or Add Secure Web Application.

4. Configure the application settings:

   • Name: The name of the application.

   • (Optional) Description: The description of the application.

   • (Optional) Icon: The application icon.

   • Start URL: Depends on the type of application. For secure browser instances, this is the URL of the home page. For the web application, this is the URL of the application.

   • (Web applications only) Domains: Additional domains that can be accessed from the application, for example, IdP login pages. You can add several domains simultaneously by clicking the Add from File button and selecting a .csv file with the list of domains. In addition to that, you can Add allowed domains by browsing a web application.

   • Users: Users who can access the application.

   • Groups: User groups that can access this application.

   • (Optional) Apply policies: Policies that apply to the application.

5. Click Add.

(Web applications only) Add allowed domains by browsing a web application

Instead of adding allowed domains manually and uploading a .csv file, you can add domains to the allowed domain list by browsing an application.

To add allowed domains by browsing a web application:

1. Navigate to the Application category.

2. Select the application that you want to edit.

3. Navigate to the card with the application that you want to edit and click the three dots button ( ).

4. Click Edit.

5. In the Domains section, click Discover.

6. A new dialog will open the page specified in the application's Start URL field. Navigate through the pages of the web application that access other domains and click Next.

7. In the dialog that opens, select the domains that you want to add to the allowed domains list and click Update.

Edit application settings

To edit application settings:

1. Navigate to the Application category.

2. Navigate to the card with the application that you want to edit and click the three dots button ( ).

3. Click Edit and change the settings.

4. Click Save.

You can also edit application settings by clicking the application card and then clicking the Edit button in the side drawer.

View application settings

To view application settings:

1. Navigate to the Application category.

2. Navigate to the card with the application that you want to view.

3. Do one of the following:

   1. Click the card.

   2. Click the three dots button ( ) and click View.

You can also view application settings by clicking on an application card.

Delete an application

To remove an application:

1. Navigate to the Application category.

2. Navigate to the card with the application that you want to delete and click the three dots button ( ).

3. Click Delete.

You can also delete an application by clicking the application card and then clicking the Delete button in the side drawer.