[ZT] New Access app settings UI (cloudflare#19371)

* new Access app settings UI

* Update src/content/docs/cloudflare-one/identity/users/session-management.mdx

Co-authored-by: Denise Peña <[email protected]>

---------

Co-authored-by: Denise Peña <[email protected]>

src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx

@@ -19,8 +19,8 @@ To enable browser rendering:
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
 3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
-4. In the **Settings** tab, scroll down to **Additional settings**.
-5. For **Browser rendering**, choose *SSH* or *VNC*.
+4. Go to **Advanced settings** > **Browser rendering settings**.
+5. For **Browser rendering**, choose _SSH_ or _VNC_.
 6. Select **Save application**.
 
 When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.

src/content/docs/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication.mdx

@@ -16,7 +16,7 @@ To enable automatic `cloudflared` authentication:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 2. Locate your application and select **Configure**.
-3. In the **Settings** tab, scroll down to **Additional settings**.
+3. Go to **Advanced settings** > **Browser rendering settings**.
 4. Turn on **Enable automatic cloudflared authentication**.
 5. Select **Save application**.
 

src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx

@@ -51,8 +51,8 @@ There are three ways you can resolve this error:
 You can configure Cloudflare to send OPTIONS requests directly to your origin server. To bypass Access for OPTIONS requests:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2. Locate the origin that will be receiving OPTIONS requests and select **Edit**.
-3. In the **Settings** tab, scroll down to **CORS settings**.
+2. Locate the origin that will be receiving OPTIONS requests and select **Configure**.
+3. Go to **Advanced settings** > **Cross-Origin Resource Sharing (CORS) settings**.
 4. Turn on **Bypass options requests to origin**. This will remove all existing CORS settings for this application.
 
 It is still important to enforce CORS for the Access JWT -- this option should only be used if you have CORS enforcement established in your origin server.
@@ -65,11 +65,11 @@ To configure how Cloudflare responds to preflight requests:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Locate the origin that will be receiving OPTIONS requests and select **Edit**.
+2. Locate the origin that will be receiving OPTIONS requests and select **Configure**.
 
-3. In the **Settings** tab, scroll down to **CORS settings**.
+3. Go to **Advanced settings** > **Cross-Origin Resource Sharing (CORS) settings**.
 
-4. Configure the dashboard [CORS settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers) to match the response headers sent by your origin.
+4. Configure these [CORS settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers) to match the response headers sent by your origin.
 
    For example, if you have configured `api.mysite.com`to return the following headers:
 

src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx

@@ -67,7 +67,7 @@ As shown in the example below, `https://<your-team-name>.cloudflareaccess.com/cd
 
 
 * Validate tokens using the external endpoint rather than saving the public key as a hard-coded value.
-* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`. 
+* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`.
   :::
 
 ## Verify the JWT manually
@@ -100,7 +100,7 @@ To get the AUD tag:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
 2. Select **Configure** for your application.
-3. On the **Overview** tab, copy the **Application Audience (AUD) Tag**.
+3. From the **Basic information** tab, copy the **Application Audience (AUD) Tag**.
 
 You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application.
 

src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx

@@ -50,7 +50,7 @@ To enforce mTLS authentication from [Zero Trust](https://one.dash.cloudflare.com
 
 7. Next, go to **Access** > **Applications**.
 
-8. Find the application you would like to enforce mTLS on and select **Edit**. The application must be included in the **Associated hostnames** list from Step 5.
+8. Find the application you would like to enforce mTLS on and select **Configure**. The application must be included in the **Associated hostnames** list from Step 5.
 
 9. Create a new (or amend an existing) [Access policy](/cloudflare-one/policies/access/).
 

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-gateway.mdx

@@ -11,28 +11,30 @@ head:
 
 import { Render } from "~/components"
 
-With Require Gateway, you can allow access to your applications only to devices enrolled in your organization's instance of Gateway. Unlike [Require WARP](/cloudflare-one/identity/devices/warp-client-checks/require-warp/), which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization's Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.
+With Require Gateway, you can allow access to your applications only to devices enrolled in your Zero Trust organization. Unlike [Require WARP](/cloudflare-one/identity/devices/warp-client-checks/require-warp/), which will check for any WARP instance (including the consumer version), Require Gateway will only allow requests coming from devices whose traffic is filtered by your organization's Cloudflare Gateway configuration. This policy is best used when you want to protect company-owned assets by only allowing access to employees.
 
 ## Prerequisites
 
 * <Render file="posture/prereqs-warp-is-deployed" params={{ name: "WARP Client Checks", link: "/cloudflare-one/identity/devices/warp-client-checks/" }} />
 
-## Enable the Gateway check
+## 1. Enable the Gateway check
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 
 2. In **WARP client checks**, select **Add new**.
 
 3. Select **Gateway**, then select **Save**.
 
-## Add the check to an Access policy
+## 2. Add the check to an Access application
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Select the application for which you want to require Gateway, then select **Configure**.
+2. Locate the application for which you want to require Gateway. Select **Configure**.
 
-3. To create a new Access policy, select **Add a policy**. To require Gateway for an existing policy, select a policy, then select **Configure**.
+3. In the **Policies** tab, create a new Access policy or edit an existing policy.
 
-4. Add an Include or Require rule which uses the Gateway selector. Select **Save policy**.
+4. In the policy builder, add an Include or Require rule which uses the _Gateway_ selector. Save the policy.
 
-Before granting access to the application, your policy will now check that the device is running the WARP client and enrolled in your Zero Trust organization.
+5. Save the Access application.
+
+Before granting access to the application, the policy will check that the device is running the WARP client and enrolled in your Zero Trust organization.

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/require-warp.mdx

@@ -29,22 +29,20 @@ Cloudflare Zero Trust enables you to restrict access to your applications to dev
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
 2. Ensure that **Proxy** is enabled.
-3. Next, go to **Settings** > **WARP Client**.
-4. Scroll down to **WARP client checks** and select **Add new**.
-5. Select **WARP**.
-
-You are now ready to start requiring WARP for your Access applications.
+3. Go to **Settings** > **WARP Client**.
+4. In **WARP client checks**, select **Add new**.
+5. Select **WARP**, then select **Save**.
 
 ## 2. Add the check to an Access policy
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Locate the application for which you want to require WARP.
+2. Locate the application for which you want to require WARP. Select **Configure**.
 
-3. Select **Edit**.
+3. In the **Policies** tab, create a new Access policy or edit an existing policy.
 
-4. To have an existing policy require WARP, select **Edit** for that specific policy. Then, add an **Include** or **Require** rule which uses the *WARP* selector.
+4. In the policy builder, add an Include or Require rule which uses the _WARP_ selector. Save the policy.
 
-5. Select **Save rule**.
+5. Save the Access application.
 
-Before granting access to the application, your policy will now check that the device is running the WARP client.
+Before granting access to the application, the policy will check that the device is running the WARP client.

src/content/docs/cloudflare-one/identity/users/session-management.mdx

@@ -32,6 +32,7 @@ You can set a global session duration between 15 minutes and 1 month.
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
 2. Under **Global session timeout**, select **Edit**,
 3. Select the desired timeout duration from the dropdown menu.
+4. Select **Save**.
 
 The user will be required to re-authenticate with the IdP after this period of time.
 
@@ -40,8 +41,9 @@ The user will be required to re-authenticate with the IdP after this period of t
 You can set an application session duration for self-hosted and private Access applications. Available session durations range from immediate timeout to 1 month. The default is 24 hours.
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2. Locate the application you want to configure and select **Edit**.
-3. In the **Overview** tab, select a **Session Duration** from the dropdown menu.
+2. Choose an application and select **Configure**.
+3. Select a **Session Duration** from the dropdown menu.
+4. Save the application.
 
 The application token will expire after this period of time (unless you have set a [policy session duration](#set-policy-session-duration)).
 
@@ -56,6 +58,7 @@ You can set a policy session duration ranging from immediate timeout to one mont
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Policies**.
 2. Choose a policy and select **Configure**.
 3. Select a **Session Duration** from the dropdown menu.
+4. Save the policy.
 
 Users who match this policy will be issued an application token with this expiration time.
 
@@ -69,9 +72,9 @@ To immediately terminate all active sessions for a specific application:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
 
-2. Locate the application for which you would like to revoke active sessions and select **Edit**.
+2. Locate the application for which you would like to revoke active sessions and select **Configure**.
 
-3. In the **Overview** tab, select **Revoke existing tokens**.
+3. Select **Revoke existing tokens**.
 
 Unless there are changes to rules in the policy, users can start a new session if their profile in your identity provider is still active.
 

src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx

@@ -18,21 +18,25 @@ This feature is only available if you are using the following identity providers
 
 To enforce an MFA requirement to an application:
 
-1. In Zero Trust, go to **Access** > **Applications**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
 
-2. Find the application for which you want to enforce MFA and select **Edit**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/).
+2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/applications/configure-apps/).
 
-3. Go to the **Rules** section of the application.
+3. Go to **Policies**.
 
-4. If your application already has a rule containing an identity requirement, find it and select **Edit**.
+4. If your application already has a policy containing an identity requirement, find it and select **Configure**.
 
-   The rule must contain an Include rule which defines an identity. For example, the Include rule should allow for users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group.
+	:::note
+	The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/policies/access/groups/), email domain, or identity provider group.
+	:::
 
-5. Add a _Require_ action to the rule.
+5. Add the following rule to the policy:
 
-6. Select _Authentication Method_ and choose `mfa - multiple-factor authentication`.
+		| Rule type | Selector | Value |
+		| ---------- | -------- | ------ |
+		| Require    | Authentication method |  `mfa - multiple-factor authentication` |
 
-7. Save the rule.
+6. Save the policy.
 
 :::caution[Important]
 

src/content/docs/cloudflare-one/policies/access/require-purpose-justification.mdx

@@ -1,26 +1,28 @@
 ---
 pcx_content_type: how-to
-title: Require Purpose Justification
+title: Require purpose justification
 sidebar:
   order: 3
 head:
   - tag: title
-    content: Require Purpose Justification after login
+    content: Require purpose justification after login
 
 ---
 
-Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for *who* is accessing their resources, but also for *why* they are requesting access.
+Cloudflare Access allows security and IT teams to present users with a purpose justification screen directly after they log in to an Access application. This allows organizations to audit not only for who is accessing their resources, but also for why they are requesting access.
 
 The purpose justification screen will show for any new sessions of an application. For example, if an Access application has a session time of eight hours, a user will see the purpose justification screen once every eight hours.
 
 Configuring a purpose justification screen is done as part of configuring an Access policy.
 
-1. In Zero Trust, go to **Access** > **Applications**.
-2. Select an application and select **Edit**.
-3. Select the policy you want to configure with purpose justification.
-4. Open **Optional Configurations**.
-5. Enable purpose justification.
-6. (Optional) set a custom purpose justification message. This will appear on the purpose justification screen and will be visible to the user.
-7. Once configured, a user will see the following screen:
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
+2. Choose an application and select **Configure**.
+3. Go to **Policies**.
+4. Choose an **Allow** policy and select **Configure**.
+5. Under **Additional settings**, turn on **Purpose justification**.
+6. (Optional) Set a custom purpose justification message. This will appear on the purpose justification screen and will be visible to the user.
+7. Save the policy.
+
+Users who match this policy will see the following screen:
 
 ![Finalized purpose justification screen displaying custom message.](~/assets/images/cloudflare-one/policies/purpose-justification.png)

src/content/docs/cloudflare-one/policies/access/temporary-auth.mdx

@@ -11,11 +11,14 @@ With Cloudflare Access, you can require that users obtain approval before they c
 ## Set up temporary authentication
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2. Choose a **Self-hosted** or **SaaS** application and select **Edit**.
-3. Choose the **Allow** policy you want to configure and select **Edit**.
+2. Choose a **Self-hosted** or **SaaS** application and select **Configure**.
+3. Choose an **Allow** policy and select **Configure**.
 4. Under **Additional settings**, turn on [**Purpose justification**](/cloudflare-one/policies/access/require-purpose-justification/).
 5. Turn on **Temporary authentication**.
-6. Enter the **Email addresses of the approvers**. (Note: your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/applications/app-launcher/).)
+6. Enter the **Email addresses of the approvers**.
+	:::note
+	Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/applications/app-launcher/).
+	:::
 7. Save the policy.
 
 Temporary authentication is now enabled for users who match this policy. You can optionally add a second **Allow** policy for users who should have persistent access. Be sure the policy order is set to allow persistent users through.

src/content/partials/cloudflare-one/access/app-launcher.mdx

@@ -38,21 +38,21 @@ To show an Access application in the App Launcher:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
 2. Select an application and select **Configure**.
-3. In the **Overview** tab, select **Enable App in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher.
+3. Go to **Experience settings**.
+4. Select **Show application in App Launcher**. The App Launcher link will only appear for users who are allowed by your Access policies. Blocked users will not see the app in their App Launcher.
 
-:::note
+		:::note
 
-This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application.
-:::
+		This toggle does not impact the user's ability to reach the application. Allowed users can always reach the application via a direct link, regardless of whether the toggle is enabled. Blocked users will never have access to the application.
+		:::
 
-4. Choose a domain to use for the App Launcher link.
+5. (Optional) To use a custom logo for the application tile, select **Use custom logo** and enter a link to your desired image.
 
-5. To use a custom logo for the application tile, select **Custom** and enter a link to your desired image.
+		:::note
+		If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will.
+		:::
 
-:::note
-
-If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will.
-:::
+6. In **Application domains**, choose a domain to use for the App Launcher link.
 
 ## Customize App Launcher appearance
 

src/content/partials/cloudflare-one/access/enable-isolation.mdx

@@ -7,11 +7,12 @@ import { Render } from "~/components"
 
 <Render file="clientless-browser-isolation" product="cloudflare-one" />
 
-3. Next, go to **Access** > **Applications**.
+3. Go to **Access** > **Applications**.
 4. Choose a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) and select **Configure**.
-5. Choose an [Allow policy](/cloudflare-one/policies/access/) and select **Configure**.
-6. Under **Additional settings**, turn on **Isolate application**.
-7. Save the policy.
+5. Go to **Policies**.
+6. Choose an [Allow policy](/cloudflare-one/policies/access/) and select **Configure**.
+7. Under **Additional settings**, turn on **Isolate application**.
+8. Save the policy.
 
 Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to [Check if a web page is isolated](/cloudflare-one/policies/browser-isolation/setup/#3-check-if-a-web-page-is-isolated).