Lumos AppStore Quick Start Guide
Last updated: September 24, 2025
Audience: Lumos Admins, IT Project Owners
Purpose: Launch your AppStore quickly and confidently by focusing on high-impact actions, integrations, and repeatable best practices.
Pre-Work Checklist
Before launching, gather the following items to ensure a smooth rollout:
Why Use the AppStore?
Value Proposition:
The Lumos AppStore makes it as easy to request software as it is to download a phone app. Automate approvals, reduce license waste, and keep an audit trail.
Core Features:
Self-service access requests
Configurable approval workflows
Slack/Email notifications
Manual and automated provisioning
Time-based access support
Auditable request history
ITSM integrations
Further Reading: What is the AppStore?
Step-by-Step Setup Guide to the AppStore
Pre-requisites:
Have IdP Connected (see Foundation: Quick Start for Lumos Admins)
Have Lumos Admin permissions
Decide if you want customized branding for your AppStore (Capabilities here)
Step One: Add Apps to the AppStore
Steps:
Start with 10 - 20 high-volume apps
Go to AppStore Settings → Add Apps. In order to add the Apps to the AppStore you must assign an App Admin. This can be changed later. App Admins will be tasked with doing manual provisioning for manual apps or when automation steps fail, the App Admin is a fall-back to getting the App request across the line.
Preview the AppStore: You can see how your AppStore will look at any time by selecting on “AppStore” at the lower left hand side of your control panel
How to Choose Apps to Add:
Adding frequently requested, SCIM/IdP provisionable, or IT-managed Apps is a good way to get started
You can add all Apps and keep them as Hidden until you decide which Apps to allow into your Go-Live AppStore
Further Reading:
Coming soon: Custom Apps Guidebook
Step Two: Set Up Base Settings for your App
For each App, you will need to go through the configuration settings for the following:
Request Type:
AppStore Setup:
App Admins: Select who provisions users or who gets notified in case automated provisioning fails
Who Can Request: This determines WHO in your organization, by Group or Attribute, can request access to this Application
App Visibility: Hidden, Browse & Search or Search Only
Request Instructions: You can leave this as generic or get specific and directive so that employees know what this App is, what they need to know about requesting it, and perhaps even the cost of a license
Custom Fields: These are optional fields that some organizations use to configure additional context fields for the Approver or App Admins. They could include text fields or single select.
Approval Flow
Approvers: These are the people or the group that will determine whether or not the employee gains access to the app and permission they’re requesting. You can have up to three levels of approvers. Stage 1 approves then moves to Stage 2 which then will move to the Manager, if chosen.
Post-Approval Message: Sends a message to the employee once the request has been approved. This message may not be sent if immediately after approval, automated provisioning occurs.
Provisioning
Time-Based Access: Standard options include:
30 minutes
4 hours
12 hours
7 days
14 days
30 days
Unlimited
You can set a default time for employees to request or you can leave it as “No default”
You can remove base options
At this time, there is no way for you to customize additional options or change what we have. If this is necessary for you to run your business, please put in a request to support@lumos.com
Workflow Steps
The below options are available to configure and can vary by App and API capabilities:
Assign to App
Manual Provisioning
Provisioning Webhook
Add to Group
Remove From Group
Wait
Manual Provisioning - Assign to Target User
Activate Account (where available)
These steps can be changed per Permission where Permission-based Approvals are being configured
These steps can be stacked, in other words, you could configure the following:
Assign to App
Wait - configured for a wait period of 3 days
Manual Provisioning with Instructions and Custom Assignees
Deprovisioning
Workflow Steps
The below options are available to configure and can vary by App and API capabilities:
Unassign User from App
Manual Deprovisioning
Deprovisioning Webhook
Add to Group
Remove From Group
Wait
Deactivate Account (where available)
App Information
App Name: Can be changed for clarity or multiple instances
Category: Categories can be quick-filtered in the AppStore browser experience
Website URL: Direct employees to the log-in page
Upload Logo: Only jpeg, png, and jpg files. 500kb max file size
Description: Let employees know what this App is
Step Three: Set Up Permission-based Settings for your App
Adding an app to your AppStore gives people a fast + easy way to request access. You may have even made a few apps "self-service" so that people can choose the type of access (permission) they need.
Why fine-tune an app's permission workflows? Here are a couple of scenarios where it makes sense.
Cost Differences
A Basic Zoom license is usually free, so if someone requests one, it should just be auto-approved. On the other hand, a premium Zoom license costs money, so you might want someone to approve that before it's granted.
Admin Access
Someone needs admin access to AWS. That needs to go to a special team for approval, while all other AWS access requests go through a standard approval process.
Read on to learn how to set up approval workflows for specific app permissions.
Steps:
Go to the AppStore setup page.
Search for your app, click the "Advanced Settings" button, then click the "Permissions" tab.
To add a new permission, click "+Add a permission". To edit an existing one, click on the permission!
If permissions come from your IdP (i.e. Okta), there will be an IdP logo next to the name of the group. On the permission itself, you'll see an indicator of whether the app is currently hidden or visible to users in the AppStore, as well as the number of permission level overrides set on the permission itself. More on this in the next step!
If the permission/role/team/repo is coming directly from the connected integration, you will see a Lumos logo next to it
Edit the permission settings.
The settings are explained in more detail below.
Permission Label
This is what people see when they request the permission in Lumos, you can change this to make it easier to read.
If this permission is tied to a group in your IdP, changing the label will not change the name of the group in your IdP.
Approvers
If you want there to be specific approver(s) for this permission, what you set here will override what's set at the app level.
Visible in AppStore
If you want to hide a permission from requesters altogether, you can toggle this to the left. This is great if certain permission types should not be viewed at all.
Next to some permission configurations, you'll see this symbol (linked):
Or this symbol (unlinked):
This indicates whether the permission is linked to the app level configurations.
If the permission is linked, it means that it is inheriting the app level permission. That means if you change the app level configuration, the permission level configuration will also change.
If the permission is unlinked, it means that the permission is overriding the app level permission. That means if you change the app level configuration, the permission level configuration will not change. This is also the number of overrides you see on the permission list in Step 3.
If you want to unlink or link a permission, simply click on the button!
Step Four: AppStore Test Requests
Use your own account to:
Browse apps
Submit a request
Validate approval routing & provisioning
Further Reading:
Step Five: Launch & Communicate
🥳 Announce your Launch via Slack, email, or All-Hands: Get people excited!
(Optional): Redirect IT tickets to AppStore
Use provided comms templates
Step Six: Monitor & Improve
Track adoption, bottlenecks, and request velocity.
Use built-in analytics to see what’s working
Additional Tips for Success
Settings & Helpful Admin Tricks:
Set App Admins and Approvers as groups for redundancy
If you want Apps Auto-Approved, don't assign an Approver
If an App is missing: Sync your IdP if it's an App you've recently added in your IdP, create a Custom App if this is an App that resides outside of your IdP and doesn't exist as an integration, or add the integration
Build some redundancy and backup into your process by setting up the App Admins or Approvers as a Group. This is especially useful if you have employees coming and going or changing roles/responsibilities.
Change the visibility of Apps to “Hidden” and use this as your check list. As you configure an App and it’s ready, unhide it so it’s visible in the AppStore
Advanced Features:
If you're looking for more advanced roll-out techniques, feel free to browse our Developer Docs here
Change Management:
There is a school of thought that getting all Apps added to your AppStore gets the entire company onboarded at the same time and away from an out-dated process. The con to that is that it may take you longer to set it all up. The benefit is that you move everyone over at the same time and keep consistency across the board. The other school of thought is to onboard and go-live with 10 - 15 Apps. If you’re going to do the latter, it’s suggested that you roll this out to designated early-adopting teams (Engineers, Product, etc). This will give that team one place to request Apps and you benefit by gathering feedback early on before doing a larger company roll-out.
Additional Resources
Need help? Contact support@lumos.com