
WorkSpaces Manager Administration Guide

This guide is constantly updated. For the most recent administration guide, including visual walkthroughs, we recommend downloading the latest PDF for your version and using it within Adobe Acrobat.

Amazon AWS WorkSpaces Administration

  • WorkSpaces Manager Version 4.7 – Updated 14th Sept 2021
  • WorkSpaces Manager Version 4.6
  • WorkSpaces Manager Version 4.5
  • WorkSpaces Manager Version 4.4
  • WorkSpaces Manager Version 4.3
  • WorkSpaces Manager Version 4.2
  • WorkSpaces Manager Version 4.0
  • WorkSpaces Manager Version 3.0
  • WorkSpaces Manager Version 2.0
  • WorkSpaces Manager Administrator Guide

Please refer to the PDFs above for the absolute latest revisions.

Updated 8th February 2021 for WorkSpaces Manager 4.1.0    

Introduction

This guide has been authored by experts at Nuvens to provide information and guidance on using WorkSpaces Manager.

Information in this document is subject to change without notice. No part of this publication may be reproduced in whole or in part, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any external use by any person or entity without the express prior written consent of Nuvens Consulting Ltd.

Contents

Introduction
Revision History
1. WorkSpaces Manager Portal minimum supported browser requirements
2. User Self-Service Portal
2.1 Actions that a user can perform on their WorkSpace from the portal
2.2 Adding and removing an application
2.2.1 Example of adding an application delivered via an Active Directory group membership
2.2.2 Example of launching an application via Cloudpaging from the Self-Service portal
2.2.3 Example of adding an AppStream ‘dynamic’ application from the Self-Service portal
3. Administration of the portal
3.1 Admin Dashboard
3.2 Users
3.2.1 Creating a new WorkSpace for a user
3.2.1.1 Adding a single new user and creating them a WorkSpace
3.2.1.2 Bulk importing new users and creating them a WorkSpace
3.2.1.3 Copying an existing user and creating them a WorkSpace
3.2.1.4 Creating a WorkSpace from a user already in Active Directory
3.2.2 Adding an application to a user
3.3 WorkSpaces
3.3.1 Refresh
3.3.2 RDP
3.3.3 Dameware
3.3.4 Reboot
3.3.5 Recovery Boot
3.3.6 Restore
3.3.7 Rebuild
3.3.8 Stop
3.3.9 Terminate
3.3.10 Schedule Termination
3.3.11 Change WorkSpace Type
3.3.12 Change WorkSpace Mode
3.3.13 Manage Tags
3.3.14 Change Reboot Hour
3.3.15 Migrate
3.3.16 Processor and Memory utilisation
3.3.17 Client IP and approximate location
3.3.18 User last login times and dates
3.4 Task Queue
4. Config
4.1 Resources
4.1.1 Bundles
4.1.2 Directories
4.1.3 Regions
4.1.4 Images
4.2 Update
4.2.1 WorkSpaces
4.2.2 Tags
4.2.3 Orphans
4.2.4 Directories
4.2.5 All
4.2.6 Update Fleets
4.2.7 Update Fleet usage
4.2.8 Update session data
4.3 Options
4.3.1 Settings
4.3.1.1 Licenses
4.3.1.2 SMTP
4.3.1.3 Remote Service Account
4.3.1.3.1 Enable RDP
4.3.1.3.2 Enable DameWare
4.3.1.4 Auto Change Compute Type
4.3.1.5 Active Directory (Single/Multiple Domain Forest)
4.3.1.6 Amazon Web Services
4.3.1.6.1 Single/Multi-AWS Account
4.3.1.6.2 WorkSpaces
4.3.1.6.3 AppStream
4.3.1.6.4 Default AWS Region
4.3.1.6.5 Cost Optimizer Bucket
4.3.1.6.6 AppStream Bucket
4.3.1.6.7 AWS Cost Optimizer
4.3.1.6.8 Dry Run
4.3.1.6.9 Auto Reboot
4.3.1.7 Additional Options
4.3.1.7.1 Statistics Retention Days
4.3.1.7.2 WorkSpace Service Update Frequency (mins)
4.3.1.7.3 Portal URL
4.3.1.7.4 Multiple Account
4.3.1.7.5 Multiple Domains
4.3.1.7.6 Password Expiry Emails
4.3.1.7.7 User Restore
4.3.1.7.8 User Rebuild
4.3.1.7.9 Disable Scheduler
4.3.1.7.10 Activity Reporting
4.3.1.7.11 Email For Report
4.3.1.7.12 Auto Delete
4.3.1.7.13 Auto Delete Days
4.3.1.7.14 Safety Days Before Termination
4.3.1.7.15 Auto-Provision
4.3.1.7.16 Unhealthy Reboot
4.3.1.8 Applications
4.3.1.8.1 AD Group applications
4.3.1.8.2 Application Group Prefix
4.3.1.8.3 Cloudpaging Applications
4.3.1.8.4 Cloudpaging Username
4.3.2 Administrators
4.3.2.1 Adding a new portal Administrator
4.3.2.2 Restricting users to Regions, Directories or Tags
4.3.3 Roles
4.3.4 Schedule Rebuild
4.3.4 Schedule Start
4.3.5 AP (Auto-Provisioning) Profiles
4.3.6 Fixed tags
4.3.7 Branding
4.4 Reports
4.4.1 Cost Estimator and Optimizer
4.4.2 Cost History
4.4.3 Unused
4.4.4 Unhealthy
4.4.5 Stopped
4.4.6 Orphaned
4.4.7 Hours since Reboot
5. Presenting applications to users via various delivery methods (Active Directory, Cloudpaging and AppStream)
5.1 Active Directory (AD) Group Applications
5.1.1 Application
5.1.2 Version
5.1.3 AD Group Name
5.1.4 Application Type
5.2.5 License Type
5.2.6 License Count
5.2.7 WorkSpace App
5.2 Cloudpaging applications
5.2.1 Application
5.2.2 Version
5.2.3 AD Group Name
5.2.4 Application Type
5.2.5 License Type
5.2.6 License (Cloudpaging Only)
5.2.7 Expiry Period (Cloudpaging Only)
5.2.8 License Count
5.2.9 Upgrade License (Cloudpaging Only)
5.2.10 Upgrade URL (Cloudpaging Only)
5.2.11 Upgrade Type (Cloudpaging Only)
5.2.12 Cloudplayer App
5.3 AppStream applications
5.3.1 Application
5.3.2 Version
5.3.3 AD Group Name
5.3.4 Application Type
5.3.5 License Type
5.3.6 License Count
5.3.7 AppStream Launch Path
5.3.8 App Icon Data
5.3.9 AppStream Dynamic App
6. Multi-Domain forest
7. Multi AWS Accounts
7.1 STEP 1: In Account A (which is the main account that the WorkSpaces Manager instance resides in)
7.2 STEP 2: In Account B (where the WorkSpaces are that you need to administer with WorkSpaces Manager)
7.3 STEP 3: Configure WorkSpaces Manager in your main account (Account A)
8. Creating Dynamic Applications in AppStream
8.1 How does Dynamic Application delivery differ from normal AppStream application delivery?
8.2 Image Builder Preparation
Step 1: Create a folder called C:\DynamicApps
Step 2: Create a folder called C:\DynamicAppIcons
Step 3: Create a folder called C:\DynamicAppIconsEncoded
Step 4: Amend the AppStream Session Scripts script
8.3 Creating a Base64 string for the application icons
8.3.1 How do I create a PNG icon for my application?
8.4 Testing applications from the Image Builder
8.5 Top level AppStream Dynamic Applications access control group
8.6 Adding an AppStream Dynamic Application in WorkSpaces Manager
8.7 Assigning an AppStream Dynamic Application to a user
8.7.1 Assign the application to user in WorkSpaces Manager
8.7.2 Put the user in the Active Directory Group associated with the Dynamic application
8.8 Removing a Dynamic Application from the main list for all users
8.9 Removing a Dynamic Application from a user
8.10 Dynamic Application configuration files
8.11 Can I stop users accessing AppStream and running up a session when they do not have any applications assigned?

1.    WorkSpaces Manager Portal minimum supported browser requirements

  • Chrome 22.x
  • Firefox 12.x
  • Opera 12.x
  • Safari 5.1x
  • Microsoft Edge 88.x

2.    User Self-Service Portal

This covers the ‘User’ section of the Portal.


2.1     Actions that a user can perform on their WorkSpace from the portal

Users can save time by accessing the WorkSpaces Manager website using the same URL that WorkSpace Administrators use. If they are not members of the WorkSpaces Admin group specified in the ‘Options > Settings > Applications’ section of the WorkSpaces Manager portal, they will get a limited portal that is specific to the WorkSpace(s) belonging to the account they are logged on with.

This saves the user calling the Service Desk if they cannot connect to their WorkSpace (for example, because its status is UNHEALTHY), and they can stop it without any intervention from support. If the ‘User Restore’ and/or ‘User Rebuild’ options are checked in the Options > Settings > Additional Options section of the WorkSpaces Manager admin portal, then these will appear in the list too.

2.2     Adding and removing an application

If your company uses products such as Liquidware FlexApp or App-V to deploy applications to users within their WorkSpace (as well as to other devices such as PCs), then users can add and remove those applications themselves, within the licensing constraints that apply to some applications.

From WorkSpaces Manager 4.0.0, users can now add and remove applications via Self Service from:

  • Active Directory Groups

These applications are delivered by the likes of App-V, FlexApp, etc. Users are free to add and remove ‘Free’ applications themselves. Those not deemed ‘Free’ are license based and require administrative intervention.

  • Cloudpaging

If you use Numecent Cloudpaging, users can add and remove applications to their Cloudpaging client on their WorkSpace.

  • AppStream

Users can add and remove ‘dynamic applications’ to their AppStream session (if administrators permit). Please refer to Section 8 for more information on ‘AppStream Dynamic Applications’.

2.2.1   Example of adding an application delivered via an Active Directory group membership

The user will select ‘App Groups’ from their Self-Service portal.

Here they can see all the applications that are available. However, they may not all be accessible to them. The ones marked ‘Type’ of ‘Free’ can be added by the user with no administrative intervention.

PLEASE NOTE: The administrator will need to go and set up the ‘Application Group’ and ‘Type’. Please refer to Section 5 of this document to see how this is done.

The ones not marked type ‘Free’ must be requested by whichever method the user would normally use (for example, their corporate Service Desk). This is because the application may have licensing constraints, such as Microsoft Visio or 3rd-party vendor user limits, and this is to adhere to software compliance.

The user will now choose a ‘Free’ application from the list; in our instance, Adobe Reader. To do this, just click anywhere on the Adobe Reader line and you will be asked if you want to add the application. Select ‘Add Application’. This will then add the user to the Active Directory group (in this case ‘FA-USR-Google’).

To get the application, the user will need to log out of the WorkSpace and go back in. If the user then goes back to the User Dashboard, they will see a message of ‘Pending Reboot’. A log off should suffice on most occasions, but some applications do require a reboot.

Similarly, a user can remove themselves from seeing the application by selecting ‘remove’ next to the application under ‘Applications’. This will remove them from the Active Directory group for the application. Again, a logoff from the WorkSpace will be necessary to remove them from the group (or a reboot to make sure).

2.2.2   Example of launching an application via Cloudpaging from the Self-Service portal.

A user can launch a Cloudpaging app that is assigned to them via the ‘Cloudpaging’ option on their Self-Service portal. The application link will download and the Cloudpaging client will open the application. Or they can select it from the Cloudpaging application itself on the WorkSpace.

2.2.3   Example of adding an AppStream ‘dynamic’ application from the Self-Service portal

A user can add/remove an AppStream ‘dynamic’ application in their AppStream session if the applications are marked ‘Free’. If they are marked ‘Paid’ then restrictions are in place (for example, you may not want users to give themselves access to a licensed application, or to applications they do not require access to).

3.    Administration of the portal

This covers the ‘Admin’ section of the portal.

3.1     Admin Dashboard

This gives an overview of your environment, along with an audit of actions carried out by portal admins and recommendations made. The audit log is fully searchable by anything that you see.


3.2     Users

3.2.1   Creating a new WorkSpace for a user

If you are in an organisation where every new user will automatically be assigned a WorkSpace, you can assign them one from within WorkSpaces Manager. WorkSpaces Manager can also seamlessly integrate with your joiners and leavers software such as SalesForce.

If you are doing this yourself, there are four ways of creating a user a WorkSpace:

  • Adding a single new user.
  • Bulk importing users.
  • Creating one when you create a new user where you are using another user as a copy ‘template’.
  • Creating one for an existing AD user.


3.2.1.1 Adding a single new user and creating them a WorkSpace

In the WorkSpaces Manager dashboard, go to the Users section and select the Actions button on the right-hand side. You will see an option for ‘Add User’.

Fill in the details and select what type of WorkSpace you would like the user to have (Mode can be either ALWAYS_ON or AUTO_STOP and the preconfigured Bundle ID of your choice). Select ‘Add User’ and you now get a confirmation box to confirm if you would like to proceed.

The WorkSpace will take around 30 minutes to set up. An email is automatically sent to the user with instructions on how to access their WorkSpace.

3.2.1.2 Bulk importing new users and creating them a Workspace.

In the WorkSpaces Manager dashboard, go to the ‘Users’ section and select the ‘Actions’ button on the right-hand side. You will see an option for ‘Import Users’.

You will now see the following screen where you will be guided on how you need to fill in the template.

Select ‘Template’ and the template (Import_Template.xlsx) will be automatically downloaded. You will already have a sample user in there so you can see what you need to fill in. You will need to ensure that you have the correct Directory ID (as you may have more than one, depending on where in Active Directory you want the user’s WorkSpace to be created) as well as the correct Bundle ID for the user (which may contain a different application set from other users).

  • If you do not wish to create the user a WorkSpace at this point, set CreateWorkspace to FALSE.
  • If you do not wish to copy from a template user, set CopyUser to FALSE. You can specify which OU to place the new user in by entering the full OU location in the CreateOU column.
  • If you want to copy from a template user, set CopyUser to TRUE and specify the username. This will place the copied user in the same OU as the template user; at this point, the process ignores whatever is in the CreateOU column.

Once you have filled in the users that you need, go back to the ‘Import’ screen, select your template from ‘Choose File’ and then select ‘Import File’.

When you select ‘Import File’, you are automatically taken to the ‘Task Queue’ option, where you are advised of the status of your request. If you fill in any information incorrectly (such as DirectoryID and/or BundleID) then you will get an error stating that the WorkSpace could not be created.

The Task Queue will tell you at what stage the job is at. It will:

  • Change User to TRUE when the user account is created.
  • Change WorkSpace to TRUE if a WorkSpace has completed creation.
  • Change Invite to TRUE if a user has been sent an email inviting them to connect to their WorkSpace.
  • Change Completed Status to TRUE if (a) a user account has been created but no WorkSpace creation was specified in the template or (b) a user account and WorkSpace has been created.
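Because a wrong DirectoryID or BundleID only surfaces as a failed Task Queue job, it is worth checking the template before uploading it. The script below is an added example (it is not Nuvens code and not part of this guide): it applies the rules above to each row, checks the IDs against the lists under Config > Resources, and states the Task Queue flags a valid row should end with. The guide names only the CreateWorkspace, CopyUser, CreateOU, DirectoryID and BundleID columns; Username, Email, TemplateUser and RunningMode are assumed names for the remaining columns, and every ID, user and OU in the sample data is constructed.

```python
"""Pre-flight checks for a WorkSpaces Manager bulk-import sheet.

Added example, not Nuvens code. CreateWorkspace, CopyUser, CreateOU,
DirectoryID and BundleID are the column names the guide uses; Username,
Email, TemplateUser and RunningMode are ASSUMED names for the other
columns. Rows are plain dicts (e.g. read from the sheet with openpyxl).
"""
from dataclasses import dataclass

VALID_MODES = {"ALWAYS_ON", "AUTO_STOP"}


@dataclass(frozen=True)
class Finding:
    row: int        # 1-based row number in the sheet
    level: str      # "error" blocks the import, "warning" is advisory
    message: str


def _flag(value):
    """Parse a TRUE/FALSE cell (case-insensitive); None if it is neither."""
    text = str(value).strip().upper()
    return {"TRUE": True, "FALSE": False}.get(text)


def validate_row(num, row, known_directories, known_bundles):
    """Apply the guide's template rules to one row; return its findings."""
    out = []

    def err(msg):
        out.append(Finding(num, "error", msg))

    def warn(msg):
        out.append(Finding(num, "warning", msg))

    if not str(row.get("Username", "")).strip():
        err("Username is empty")
    # An account without an email address cannot be given a WorkSpace and
    # does not even appear in the Users search, so reject it up front.
    if "@" not in str(row.get("Email", "")):
        err("Email is missing or malformed")

    create = _flag(row.get("CreateWorkspace"))
    if create is None:
        err("CreateWorkspace must be TRUE or FALSE")
    elif create:
        # A wrong DirectoryID/BundleID only shows up later as a failed
        # Task Queue job, so check both against Config > Resources now.
        if row.get("DirectoryID") not in known_directories:
            err(f"DirectoryID {row.get('DirectoryID')!r} is not a known directory")
        if row.get("BundleID") not in known_bundles:
            err(f"BundleID {row.get('BundleID')!r} is not a known bundle")
        if str(row.get("RunningMode", "")).upper() not in VALID_MODES:
            err("RunningMode must be ALWAYS_ON or AUTO_STOP")

    copy = _flag(row.get("CopyUser"))
    if copy is None:
        err("CopyUser must be TRUE or FALSE")
    elif copy:
        if not str(row.get("TemplateUser", "")).strip():
            err("CopyUser is TRUE but no template user is given")
        if str(row.get("CreateOU", "")).strip():
            # The copy lands in the template user's OU; CreateOU is ignored.
            warn("CreateOU is ignored when CopyUser is TRUE")
    elif "OU=" not in str(row.get("CreateOU", "")).upper():
        err("CreateOU must be a full OU path when CopyUser is FALSE")
    return out


def validate_sheet(rows, known_directories, known_bundles):
    """Validate every row; rows are numbered from 1 in the order given."""
    findings = []
    for i, row in enumerate(rows, start=1):
        findings.extend(validate_row(i, row, known_directories, known_bundles))
    return findings


def expected_task_queue_state(row):
    """Flags the Task Queue should show once a valid row has completed."""
    create = _flag(row.get("CreateWorkspace")) is True
    return {"User": True, "WorkSpace": create, "Invite": create, "Completed": True}


# Constructed sample data: all IDs, users and OUs below are made up.
KNOWN_DIRECTORIES = {"d-EXAMPLE0001"}
KNOWN_BUNDLES = {"wsb-EXAMPLE01"}
SAMPLE_ROWS = [
    {"Username": "jsmith", "Email": "jsmith@example.com",
     "CreateWorkspace": "TRUE", "DirectoryID": "d-EXAMPLE0001",
     "BundleID": "wsb-EXAMPLE01", "RunningMode": "AUTO_STOP",
     "CopyUser": "FALSE", "CreateOU": "OU=Staff,DC=example,DC=com"},
    {"Username": "adoe", "Email": "adoe@example.com",
     "CreateWorkspace": "TRUE", "DirectoryID": "d-TYPO",
     "BundleID": "wsb-EXAMPLE01", "RunningMode": "ALWAYS_ON",
     "CopyUser": "TRUE", "TemplateUser": "jsmith",
     "CreateOU": "OU=Ignored,DC=example,DC=com"},
    {"Username": "", "Email": "no-at-sign", "CreateWorkspace": "maybe",
     "CopyUser": "FALSE", "CreateOU": ""},
]

if __name__ == "__main__":
    for f in validate_sheet(SAMPLE_ROWS, KNOWN_DIRECTORIES, KNOWN_BUNDLES):
        print(f"row {f.row}: {f.level}: {f.message}")
```

Run it against the rows exported from your own template; only rows with no "error" findings should go into the Import screen.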


3.2.1.3 Copying an existing user and creating them a WorkSpace


If you want to create a new user in Active Directory which is copied from an existing user (which will also copy all their AD groups) and create a WorkSpace for them at the same time, firstly search for the user that you want to copy in ‘Users’.

Then select the action button next to the user you want to use as a copy template. (You can see at this point, this user has a WorkSpace and you can perform various actions). In this case, select ‘Copy User’.

You then get a screen to fill in the information for the new user. When you have finished, select Save. This then goes into the Task Queue (which you can view from the menu). When complete, it will disappear from the list. The user will also get an email to say that their WorkSpace has been set up if that option is chosen.

3.2.1.4 Creating a WorkSpace from a user already in Active Directory

If your user already has an account in Active Directory, search for their account in ‘Users’. Select the domain that you are searching if you are using multi-domain. NOTE: As with any account you want to assign a WorkSpace to, it must have an email address associated with it. If an account has no email address, it will not show up in this search.

Select the user and WorkSpaces Manager will inform you if there is no WorkSpace for the user. You can now fill in the Directory, Region, Bundle, Running Mode and drive encryption options. When complete, select Save. As it says at the bottom, the user will be sent an email when the WorkSpace is created. If you wish to see the progress of the creation request, go to Task Queue in the main menu.

3.2.2   Adding an application to a user

A user can assign an application delivered to them via the likes of FlexApp, Cloudpaging, SCCM, etc, via their user portal (see Section 2.2). However, this may be a ‘paid for’ application (for example, MS Visio) and would require an administrator to add it for them.

Administrators can also add the applications that are not paid for. To set up these applications, please refer to Section 5.

To add an application to the user’s WorkSpace, select the application from the drop down list and select ‘Save’. To remove an application from the user’s list, select the icon to the right of the application in ‘Already assigned apps’.


3.3     WorkSpaces

If you go to the WorkSpace tab, you will see a list of the users with WorkSpaces. This list is fully searchable by part searches on the contents of any column.

If you select a WorkSpace, you will see the details for it. To manage it, select the Actions button. This will give you a range of options.

3.3.1   Refresh

Refreshes the state of the WorkSpace to the latest state.

3.3.2   RDP

Downloads an RDP file so you can connect to the user’s WorkSpace. Note, this is not shadowing a user. It just lets you get on to their WorkSpace to look at processes, memory, etc.

3.3.3   Dameware

This requires the Dameware agent to be installed onto the WorkSpace.  For this to generate the correct downloadable batch file with the credentials already filled in to connect, you must enter the correct connection account name in the Remote Service Account section of ‘Options > Settings’.

We have also tested this process with other session sharing tools such as TeamViewer. Please contact us for more information. The settings to auto-connect via DameWare can be found in the Remote Service Account section (4.3.1.3).

3.3.4   Reboot

Reboots the user WorkSpace.

3.3.5   Recovery Boot

In the event of your WorkSpace residing on a faulty host and not starting, a recovery boot will move it to another host.

3.3.6   Restore

Restores a user’s WorkSpace to the last known ‘good’ backup (AWS automatically takes backups every 12 hours).

3.3.7   Rebuild

If there are any issues with a user’s WorkSpace that cannot be resolved, you can rebuild the WorkSpace to its original state. This will rebuild the WorkSpace C drive and will restore the contents of the D drive from the last automatic backup (D drive backups occur every 12 hours).

3.3.8   Stop

Stops the user WorkSpace.

3.3.9   Terminate

Deletes the WorkSpace permanently. Please note that if a WorkSpace is deleted, all contents will be lost. If a user has been storing configurations and documents on their D drive, then these will be permanently removed.

3.3.10 Schedule Termination

You can schedule a termination of a WorkSpace by entering the date and time of termination.

If you want to see what WorkSpaces are scheduled for deletion, go to the Task Queue option. If you want to delete the Scheduled Termination task, select ‘Delete’.

3.3.11 Change WorkSpace Type

This allows the administrator to change the WorkSpace to a different compute type. This is not available to normal users through the User Dashboard, as they could choose a more powerful (and more expensive) WorkSpace without the administrator(s) being advised. Note that you can only change a WorkSpace type again after 24 hours have elapsed.

3.3.12 Change WorkSpace Mode

Allows you to manually change the WorkSpace from ALWAYS_ON to AUTO_STOP and vice versa. There is no limit to how many times this can be changed in any given time period. This option is only available to WorkSpaces Manager administrators.

3.3.13 Manage Tags

Allows you to add tags to the WorkSpace. You may need this for such things as billing. An example of tagging could be:

Cost Code = 2344

Department = Finance

If you do not want a WorkSpace to be rebooted or rebuilt as part of a schedule, you can set a user WorkSpace tag of NoRebuild = True and/or NoReboot = True.

An example is a developer user who has installed applications on their WorkSpace. A WorkSpace rebuild will return the WorkSpace to the original bundle build, which will not have their custom applications. Hence, setting NoRebuild = True will stop this occurring as part of any automated task.

3.3.14 Change Reboot Hour

If you turn on the ‘Auto Reboot’ option in the Options > Settings > Amazon Web Services section, you can set the reboot time for individual WorkSpaces. By default, WorkSpaces do not automatically reboot; this option allows you to reboot them at a time best suited to your user (or users).

You can then set the reboot hour in 24-hour format (i.e. 11pm is 23).

3.3.15 Migrate

This enables you to migrate a user from one bundle to another.

3.3.16 Processor and Memory utilisation.

Statistics are available if you have installed the WorkSpace Performance Monitor Agent (Windows only) as highlighted in the ‘Workspaces Manager Installation Guide’. By hovering over points in the graph, you can see approximately when spikes occur. You can also zoom in and out and download graphs in SVG, PNG and CSV format.

At the bottom, it shows the % Free space on the root (C) and user (D) volumes.


3.3.17 Client IP and approximate location

You can view the approximate location of a user by selecting the icon next to their ‘Client IP’.

This will then show you their approximate location.

You can enable/disable the activity reporting function in the ‘Additional Options’ section of Options > Settings.

3.3.18 User last login times and dates.

You can view user activity (logon/logoff/disconnect/idle) times and dates of a user by selecting the icon next to their ‘Last Login’.

3.4     Task Queue

This shows you the status of creation of WorkSpaces and user accounts if you are using the Import Template function. The update job runs every 10 minutes, so please wait for the status to be updated in the next run of the job. This list is fully searchable by part searches on the contents of any column.

It also shows you tasks such as scheduled terminations of WorkSpaces.


4.    Config

This covers the Config section of the Portal.

4.1     Resources


4.1.1    Bundles

Lists all the WorkSpace bundles in the AWS account. The Search feature is available to filter. This list is fully searchable by part searches on the contents of any column.


4.1.2   Directories

Lists all the WorkSpace Directories in the AWS account. This list is fully searchable by part searches on the contents of any column.


4.1.3   Regions


Lists all the regions configured for the account and whether the AppStream service is available in them. This list is fully searchable by part searches on the contents of any column.


4.1.4   Images

Lists all the WorkSpace images in the AWS account. This list is fully searchable by part searches on the contents of any column.

4.2     Update

This ensures that the data that you are presented with for AD users, WorkSpaces, etc, is fully up to date in the local database on the WorkSpaces Manager appliance. You can choose whichever section of the database you want to update. If you do a Full Update (‘All’), it will take longer as it will do each of the updates. If you are working in a large Active Directory environment with a lot of WorkSpaces, this may take some time. It will inform you of when it is complete.

When you select an update on any of the options, wait for the status update to say, ‘Update of WorkSpaces Completed’.

4.2.1   WorkSpaces

Performs a quick update of existing WorkSpaces. This will only update WorkSpaces that you have permission to manage.

4.2.2   Tags

Update Tags of existing WorkSpaces. This will only update Tags for WorkSpaces that you have permission to manage.

4.2.3   Orphans

This is the same report as in Section 4.4.6.

4.2.4   Directories

This will update directories in all Regions.

4.2.5   All

Performs every update option. This can take some time, especially in large environments with many WorkSpaces.


4.2.6   Update Fleets

Updates AppStream Fleet information.

4.2.7   Update Fleet usage

Updates the AppStream Fleet usage.


4.2.8   Update session data

Updates the AppStream session data for reports.


4.3     Options


4.3.1   Settings

This is your main setup page. Most will have been filled in as part of your installation.

4.3.1.1 Licenses

This shows the WorkSpaces Manager version, the number of licenses procured, the current number of licenses in use and the expiry date of the license.


4.3.1.2 SMTP

This enables you to send emails to users when their new WorkSpace is ready and/or if their password is about to expire.

You could use AWS Simple Email Service to achieve this, or your own SMTP setup. You can test the connection by selecting the icon highlighted.

4.3.1.3 Remote Service Account

This is an account that you configure to remote control user devices using Dameware, etc. It is the generic account that you connect with (which will be standard throughout your organisation). You can remote control a user’s WorkSpace by selecting ‘Dameware’ (if you have selected the ‘Enable Dameware’ option in ‘Additional Options’), and it downloads a connection file for you to run.

4.3.1.3.1         Enable RDP

Enables the option for downloading an RDP file to connect to the user’s WorkSpace from within the Portal.

4.3.1.3.2         Enable DameWare

Enables the option for downloading a DameWare connection file to connect to the user’s WorkSpace from within the Portal.

4.3.1.4 Auto Change Compute Type

You can opt for WorkSpaces Manager to automatically change the compute type of a WorkSpace. This is useful if, for example, a user is running heavy spreadsheets on a Standard WorkSpace and would benefit from being upgraded to a Performance WorkSpace.

Set Low and High Processor and Memory values (these are up to you). WorkSpaces Manager will also advise you of recommendations.

It will also advise the user in their portal if an optimisation recommendation is required. They can either schedule it there and then, or can schedule it at another time (i.e., when they are not working).

4.3.1.5 Active Directory (Single/Multiple Domain Forest)

You can either have a single Active Directory domain for WorkSpaces, or multiples.

On initial setup, and by default, you will have one domain. You can enable multiple domains by enabling the feature in Additional Options.

You will then add the details for your domain.

AD Service Account and password:

When creating the AD Service Account to support AWS WorkSpaces you will have already provided an account with permissions to create computer objects within AD to the OU specified at the time.

We recommend using the same service account and providing additional permissions to delete computer objects. 

NetBIOS name:

NetBIOS name of the domain that your WorkSpaces will be joining.

FQDN:

Fully Qualified Domain Name of the domain that your WorkSpaces will be joining.

Default User OU:

If you create a user in the ‘Add User’ section of the Portal, this is where it will place that user. If you use the ‘Import Template’ then you can specify where you want the user(s) to be located per OU or by copying template users.

4.3.1.6 Amazon Web Services

4.3.1.6.1         Single/Multi-AWS Account

WorkSpaces Manager allows you to manage WorkSpaces across single, or multiple, AWS accounts. When you set up WorkSpaces Manager, you will set up a single account. You can set up multi-AWS accounts by enabling this function and following the instructions in Section 7 of this document.

You will see a summary of the Account ID(s) when they are added.

Click on one and you will see the options. You can turn some on and off (like Dry Run mode) as preferences.

4.3.1.6.2         WorkSpaces

Turns on the WorkSpaces Management menu function.

4.3.1.6.3         AppStream

Turns on the AppStream Management menu function.

4.3.1.6.4         Default AWS Region

This is the AWS Region that your Amazon WorkSpaces are hosted in. For example, Ireland will be eu-west-1. A full list of Regions can be located here.

4.3.1.6.5         Cost Optimizer Bucket

This is the bucket name mentioned in the ‘AWS WorkSpaces Cost Optimizer’ section earlier in the document.

4.3.1.6.6         AppStream Bucket

Specifies the AppStream Usage bucket.

4.3.1.6.7         AWS Cost Optimizer

This enables the AWS Cost Optimiser.


4.3.1.6.8         Dry Run

Running the Cost Optimiser in Dry Run Mode will show you the changes that would have been made.

4.3.1.6.9         Auto Reboot

This gives the ability to set reboot times on WorkSpaces. This is available once you have set up the Portal.

4.3.1.7 Additional Options

4.3.1.7.1         Statistics Retention Days

If the WorkSpace Performance Monitor Agent has been deployed to the WorkSpaces, it will be reporting back to the server key metric statistics periodically as defined in the Group Policy (see section in the ‘WorkSpaces Manager Installation Guide’ on ‘Installing The WorkSpaces Performance Monitor Agent’). In a large estate, this will create millions of rows within the database over a period. The number of days that are retained within the database can be specified here. If the number of days is too high on a large estate (e.g., 60) then it will have an impact on queries of statistics and increased disk space usage. For smaller estates, you can set this to 30 days and monitor from there.

4.3.1.7.2         WorkSpace Service Update Frequency (mins)

This automatically refreshes the local database with up-to-date information at this interval. 15 minutes is sufficient for most cases; you would not want to use, for example, a 1-minute interval on a very large WorkSpaces and user estate. If you need to do a manual update for any reason, you can do this in the Update section of the portal.

4.3.1.7.3         Portal URL

Enter your portal URL here.  e.g.  http://ourwsmportal.mycompany.internal.

4.3.1.7.4         Multiple Account

This enables management of WorkSpaces across multiple AWS accounts. Please refer to Section 7 of this document which tells you how to set it up.

4.3.1.7.5         Multiple Domains

If you are using a multi-domain forest, you can add the multiple domains that host your user accounts, so that their WorkSpaces can be managed, searched, and reported on.

4.3.1.7.6         Password Expiry Emails

If this is chosen, users will receive a notification email two weeks prior to their password expiring. This can be turned on/off at any time and is not required to complete the Portal configuration at this stage.

 

4.3.1.7.7         User Restore

Enables the Self-Service function for a user to restore their WorkSpace to a last known healthy state. Automatic snapshots for use when restoring a WorkSpace are scheduled every 12 hours. 

If the WorkSpace is healthy, snapshots of both the root volume and user volume are created around the same time. If the WorkSpace is unhealthy, these snapshots are not created.

If needed, a user can restore a WorkSpace to its last known healthy state. This recreates both the root volume and user volume, based on the most recent snapshots of these volumes that were created when the WorkSpace was healthy.

4.3.1.7.8         User Rebuild

Enables the Self-Service function for a user to rebuild their WorkSpace.

The system is refreshed with the most recent image of the bundle that the WorkSpace was created from. Any applications that were installed, or system settings that were changed after the WorkSpace was created, are lost.

The user volume (for Microsoft Windows, the D drive; for Linux, /home) is recreated from the most recent snapshot. The current contents of the user volume are overwritten.

Automatic snapshots for use when rebuilding a WorkSpace are scheduled every 12 hours. If the WorkSpace is healthy, a snapshot of the user volume is created. If the WorkSpace is unhealthy, the snapshot is not created.

The primary elastic network interface is recreated. The WorkSpace receives a new private IP address.

4.3.1.7.9         Disable Scheduler

This quickly disables ALL automation of the WSM Appliance.

4.3.1.7.10       Activity Reporting

This enables/disables the sending of a daily report on user login, logoff, idle times and when activity was resumed. The report is sent at 3am each morning.

4.3.1.7.11       Email For Report

The email address of the person/group that receives the Activity report.

4.3.1.7.12       Auto Delete

You can set up WSM to automatically delete unused WorkSpaces after a defined number of days.

4.3.1.7.13       Auto Delete Days

This value is the number of days of non-use after which a WorkSpace is considered for deletion, e.g., 45 or 60 days.

 
4.3.1.7.14       Safety Days Before Termination

This value is the number of days a user will be given to inform their helpdesk or IT Function that they still require the WorkSpace before deletion.

For example, if Auto Delete was set to 60 days, then on the 60th day of the WorkSpace being unused, the user associated with the WorkSpace will receive an email informing them that their WorkSpace is to be deleted in (Safety Days VALUE) days, with a request for them to contact support to remove the auto-deletion request. After the Safety Days value has elapsed and if the auto-deletion is not removed.
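The interplay of Auto Delete Days and Safety Days is easier to see as a dry run over an inventory. The following is an added example, not WorkSpaces Manager code: it classifies each WorkSpace in a constructed inventory by how long it has been unused, giving nothing before Auto Delete Days, the warning email on the day Auto Delete Days is reached, and termination once Safety Days have also elapsed unless support has cleared the request. The `hold` flag, the 14-day Safety Days value, the exact day boundaries and the WorkSpace IDs are assumptions of this example.

```python
"""Dry run of the Auto Delete / Safety Days settings (Sections 4.3.1.7.12 to 4.3.1.7.14).

Added example, not WorkSpaces Manager code. Decisions:
  keep       - unused for fewer than Auto Delete Days
  notify     - Auto Delete Days reached; user is emailed, Safety Days countdown runs
  held       - support removed the auto-deletion request (assumed 'hold' flag)
  terminate  - Auto Delete Days + Safety Days elapsed and no hold in place
"""
from datetime import date, timedelta

AUTO_DELETE_DAYS = 60   # the guide's worked example
SAFETY_DAYS = 14        # assumed value for this example


def decide(last_used, today, auto_delete_days=AUTO_DELETE_DAYS,
           safety_days=SAFETY_DAYS, hold=False):
    """Return 'keep', 'notify', 'held' or 'terminate' for one WorkSpace."""
    unused_days = (today - last_used).days
    if unused_days < auto_delete_days:
        return "keep"
    if hold:
        # Support has removed the auto-deletion request for this WorkSpace.
        return "held"
    if unused_days < auto_delete_days + safety_days:
        return "notify"
    return "terminate"


def dry_run(inventory, today, auto_delete_days=AUTO_DELETE_DAYS,
            safety_days=SAFETY_DAYS):
    """Map WorkSpace id -> decision for an inventory of (id, last_used, hold)."""
    return {ws_id: decide(last_used, today, auto_delete_days, safety_days, hold)
            for ws_id, last_used, hold in inventory}


# Constructed inventory; last-used dates are relative to a fixed 'today'.
TODAY = date(2021, 9, 14)
INVENTORY = [
    ("ws-example0001", TODAY - timedelta(days=3), False),
    ("ws-example0060", TODAY - timedelta(days=60), False),
    ("ws-example0070", TODAY - timedelta(days=70), False),
    ("ws-example0074", TODAY - timedelta(days=74), False),
    ("ws-example0090", TODAY - timedelta(days=90), True),
]

if __name__ == "__main__":
    for ws_id, decision in dry_run(INVENTORY, TODAY).items():
        print(f"{ws_id}: {decision}")
```

Running the dry run before enabling Auto Delete shows which WorkSpaces would be emailed about on day one and which would already be past the safety window, which is the list worth reconciling with the helpdesk first.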

4.3.1.7.15       Auto-Provision

Turns on Auto-Provisioning of WorkSpaces via Active Directory groups. See Section 4.3.5 for more information on this.

If Auto-Provision is enabled, the service will poll the Active Directory groups every 15 minutes for new members.

Removing a user from the AD group will not terminate the WorkSpace.  This functionality can be obtained in conjunction with Auto-Delete.

4.3.1.7.16       Unhealthy Reboot

If this option is enabled, the service will check for any WorkSpaces with a status of “UnHealthy” every 10 minutes.  Any WorkSpaces found in this state will have their status re-evaluated and, if still found to be “UnHealthy”, they will be rebooted.  If after a reboot the status remains “UnHealthy”, the WorkSpace running mode will be set to “Auto-Stop” (if not already) and the WorkSpace stopped.  Once stopped, the WorkSpace will be started again and its original running mode restored.  This action can initiate a migration from the underlying physical host.

If the WorkSpace remains in an “UnHealthy” state an error is recorded on the admin dashboard.
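The escalation ladder above (re-evaluate, reboot, force Auto-Stop and stop/start, restore the running mode, otherwise record an error) is shown here as an added example, not WorkSpaces Manager code. The real service would issue the WorkSpaces API calls (in boto3: `reboot_workspaces`, `modify_workspace_properties`, `stop_workspaces`, `start_workspaces`); `FakeWorkSpacesClient` is a constructed stand-in that records the calls and recovers at a chosen rung so the ladder can be exercised offline. The health strings and the `recover_after_step` knob are assumptions of this example.

```python
"""Walk the Unhealthy Reboot ladder from Section 4.3.1.7.16 against a fake client.

Added example, not WorkSpaces Manager code.
"""
from dataclasses import dataclass, field


@dataclass
class FakeWorkSpacesClient:
    """Constructed stand-in for one WorkSpace. recover_after_step: 0 = never
    recovers, 1 = healthy after the reboot, 2 = healthy after stop/start."""
    recover_after_step: int = 0
    running_mode: str = "ALWAYS_ON"
    health: str = "UNHEALTHY"
    calls: list = field(default_factory=list)

    def describe_health(self):
        return self.health

    def reboot(self):
        self.calls.append("reboot")
        if self.recover_after_step == 1:
            self.health = "HEALTHY"

    def modify_running_mode(self, mode):
        self.calls.append(f"mode:{mode}")
        self.running_mode = mode

    def stop(self):
        self.calls.append("stop")

    def start(self):
        # A stop/start cycle may place the WorkSpace on a different host,
        # which is why the guide escalates to it after a plain reboot.
        self.calls.append("start")
        if self.recover_after_step == 2:
            self.health = "HEALTHY"


def remediate_unhealthy(ws):
    """Return 'recovered' as soon as a rung clears the UnHealthy status, or
    'error' (to be recorded on the admin dashboard) if none does."""
    # Rung 0: re-evaluate; a transient blip needs no action at all.
    if ws.describe_health() != "UNHEALTHY":
        return "recovered"
    # Rung 1: reboot.
    ws.reboot()
    if ws.describe_health() != "UNHEALTHY":
        return "recovered"
    # Rung 2: only Auto-Stop WorkSpaces can be stopped, so switch the mode
    # if needed, stop, start, then put the original running mode back.
    original_mode = ws.running_mode
    if original_mode != "AUTO_STOP":
        ws.modify_running_mode("AUTO_STOP")
    ws.stop()
    ws.start()
    if original_mode != "AUTO_STOP":
        ws.modify_running_mode(original_mode)
    if ws.describe_health() != "UNHEALTHY":
        return "recovered"
    return "error"


if __name__ == "__main__":
    ws = FakeWorkSpacesClient(recover_after_step=2)
    print(remediate_unhealthy(ws), ws.calls)
```

The recorded call list is what to compare against CloudTrail when checking that the scheduler did what the guide says: an Always-On WorkSpace that needed the second rung should show a mode change to Auto-Stop, a stop, a start and a mode change back, in that order.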

4.3.1.8 Applications

This allows users to Self-Service their applications in their dashboard – from Numecent Cloudpaging and products such as FlexApp, APP-V, etc. You can enable both here.

4.3.1.8.1         AD Group applications

Enable this if you distribute software onto your WorkSpaces with products such as Liquidware FlexApp, App-V, etc. This allows users to add and remove the applications available to them through the Self-Service side of the WorkSpaces Manager Portal. You can change this to your own prefix once you have logged into the Portal. For example, your FlexApp groups could be prefixed ‘FA-USR’.

For an application group to be imported into this list, it will need to have a Description and the group prefix specified in the ‘Application Group Prefix’ field of ‘Options > Settings > Applications’.

This is a list of applications that a user can add/remove as a Self-Service function in the WorkSpaces Manager portal. To find out more, go to Section 5, which shows how to amend this list where it says ‘Type’. All imported applications are of Type ‘Free’ by default – a user can add and remove themselves from the application in the WorkSpaces Manager Self-Service portal. However, you may want to amend the ‘Type’ to ‘Paid’ for applications such as Visio which have licensing constraints. A user can then remove themselves from the group, but will have to ask the Service Desk (or another AD administrator) to add them back in.

4.3.1.8.2         Application Group Prefix

As above, this is the prefix of your application distribution groups with whatever product you are using (FlexApp, App-V, etc).

4.3.1.8.3         Cloudpaging Applications

If you want to use Numecent Cloudpaging applications with WorkSpaces, you can enable this feature here.

4.3.1.8.4         Cloudpaging Username

This is where you enter the account name that you use for Numecent Cloudpaging.

 

4.3.2   Administrators

You can granularly assign WorkSpaces Manager portal admin users to do specific tasks.

This is especially useful for delegating support roles where you do not want all users to have full administration rights over every WorkSpace in the estate. For example, you may have two staff who look after users in critical roles, and policy stipulates that they are the only users who can change the reboot times for those WorkSpaces.

 

4.3.2.1 Adding a new portal Administrator

IMPORTANT NOTE: Before you do this, check the Roles, and make sure that there is an Administrator role set up with ‘SysAdmin’ permissions. Go to Section 6.3 and add a sysadmin role with the following selections.

To add a new portal administrator, select the icon on the right and select ‘Add Administrator’.

Now fill in the administrator details from Active Directory. Ensure that the username is prefixed with your domain name. You can choose the Role Name for this user. The Roles are defined in the next section, and you can set up whatever roles you wish for that user to fulfil their working role. In this case, we want our portal admin to be able only to restart, stop and start a user’s WorkSpace (which we have defined in our roles as a ‘Support Staff’ role).

4.3.2.2 Restricting users to Regions, Directories or Tags

For delegation of support roles purposes, you may wish to have portal administrators restricted to WorkSpaces in specific AWS Regions (e.g., a support team in APAC), specific WorkSpace Directories (e.g., which may contain Finance and Marketing users only) or WorkSpace Tags (e.g., the Department is Finance).

With this user, we have restricted the administrator to WorkSpaces in the eu-west-1 Region, with no specific WorkSpace Directory, and any WorkSpaces that are tagged with a ‘Department’ of ‘Finance’. They cannot administer anything other than these WorkSpaces (for example, they cannot terminate/reboot a WorkSpace in ‘Marketing’). You can add/remove Regions, Directories and Tags by selecting the ‘Action’ button on the top left.

4.3.3   Roles

You can create roles which can be assigned to WorkSpaces Manager portal administrators. Only these functions will be available to them from within the WorkSpaces Manager portal.

You add a new role by selecting the ‘Action’ button on the top right. For example, we want to create a role which only allows the user with that role the ability to Restart, Stop and Start a user’s WorkSpace. When you have chosen the actions, select ‘Save’. You can change these at any time by double clicking on the role and saving it.

NOTE: Even though the user has permissions to restart, stop and start a WorkSpace here as part of their role, they may still be restricted by Regions, Directories and Tags (as in Section 4.3.2.2). So, for example, a user cannot restart/stop/start a WorkSpace tagged with ‘Department – Catering’ if they only have permissions to do so on ‘Department – Finance’ tagged WorkSpaces.

4.3.4   Schedule Rebuild

The Rebuild function is performed on the WorkSpaces associated with a selected bundle. AWS does not currently provide APIs to create images, therefore associating a new image version with a bundle is a manual task within the AWS console. The Scheduled Rebuild will be performed 1 hour after the user’s selected Reboot Hour. The function will rebuild all WorkSpaces with the selected bundle name, regardless of Account, Region or Directory.

Example of a rebuild process:

Here we are going to rebuild all WorkSpaces in a bundle called ‘nuvens-wsp’ tomorrow morning at 01:00. Some of our development users have installed applications of their own and have a tag set on their WorkSpace called NoRebuild = True. These WorkSpaces will be omitted from the task.

Select ‘Schedule’. You can, at this point, select to override the ‘NoRebuild’ tag as mentioned above.

You will now see a screen confirming that the scheduled task has been submitted to the Hangfire console.

To view the task, go to the Hangfire console (http://your-WSM-IP-or-FQDN/hangfire).

Go to the Scheduled Jobs tab and you will see an AmazonService.ScheduledRebuildWorkSpace task which is due in around 12 hours.

Select the ID and it will give you more information about the task.

4.3.4   Schedule Start

If you want to patch WorkSpaces and ensure that they are on at the time, you can now schedule the start of stopped ‘Auto-Stop’ WorkSpaces. To do this, select the bundle, select the date/time that you want them to start and then select ‘Schedule’. If you want to start all stopped WorkSpaces regardless of bundle, select the button to the right of ‘Start All Stopped WorkSpaces’.

4.3.5   AP (Auto-Provisioning) Profiles

You can now choose to Auto-Provision WorkSpaces by putting users in an Active Directory group. Select ‘Add Profile’.

Now type in the Active Directory group, select the AWS Region for the WorkSpaces to be created in, select the WorkSpaces directory, select the WorkSpaces bundle, select the AWS account number that the WorkSpaces will reside in, select the running mode and then select whether to enable/disable root and user volume encryption. Then press ‘Save’.

If Auto-Provision is enabled, the service will poll the Active Directory groups every 15 minutes for new members.

Removing a user from the AD group will not terminate the WorkSpace.  This functionality can be obtained in conjunction with Auto-Delete.

4.3.6   Fixed tags

It is important to obtain consistency when manually tagging WorkSpaces. You can achieve this with the fixed tagging functionality.

To be able to assign tags to user WorkSpaces, the portal administrator needs permission to do so via a role. Roles can be accessed in the portal under (Roles > Options) and are covered in Section 4.3.3. Sys Admin permissions include this permission by default.

We will create a tag called Cost Centre and populate it with some dummy values for different Cost Centres in an organisation. First, select ‘Add Tag Name’ from the menu.

Then add ‘Cost Centre’ as the Tag name and then select the ‘Fixed Tag Values’ option and then select ‘Save’. If you don’t select this, then you can assign that tag, but you will have to type in a value (for example, something unique like an alternative email address, mobile number, etc).

Now go back to Fixed Tags and select ‘View’ next to Cost Centre and you’ll see no tag values as we’ve not created one. Select ‘Add Tag Value’ from the menu option.

Then start adding your tags. Add one and then select ‘Save’. You then repeat the process to add others and you will see them as Tag Values against the Cost Centre tag. You can also delete tags here too if you have made any errors in typing, etc.

You can now add a fixed tag to a user’s WorkSpace. We will add the Country of United Kingdom to a user’s WorkSpace.  Go to the list of WorkSpaces in the portal and search for your user. Select ‘Manage Tags’ from the menu.

You can see that there is already a tag that exists, so we will now add the Cost Centre of ‘GB-123’ to this user’s WorkSpace. Select ‘Cost Centre’ from the drop down box and then it will present you with your list of fixed tags. Select GB-123 and then select ‘Save’.

Carry out this process for any other fixed tags that you wish to apply.

4.3.7   Branding

You can brand the WorkSpaces Manager portal with your company logo. It must be 150px x 40px in size.

4.4     Reports

 

You can control who has access to the Reports section by assigning the ‘View Reports’ permission based on a role assigned to a user in Section 4.3.3.

4.4.1   Cost Estimator and Optimizer

This report shows whether the optimiser is about to change, or has changed, the running mode of WorkSpaces. You can let the optimizer make the change for you, or you can view the recommendations (click on the blue bar at the top) and change the type manually. This report can be exported to Excel.

You may have a recommendation at the top of the page where, if you click on the banner, you get the recommended optimisation(s).

PLEASE NOTE: AWS WorkSpaces Cost Optimiser must be enabled on the AWS account containing the WorkSpaces for these reports to be available. Additionally, this feature must be enabled in the WorkSpaces Manager portal under ‘Options > Settings’.

4.4.2   Cost History

Shows the cost of your WorkSpaces over the last 12 months. The current month is based on the Cost Estimator above and will update at the end.

PLEASE NOTE: AWS WorkSpaces Cost Optimiser requires enabling on your AWS account containing the WorkSpaces for this to be available.

4.4.3   Unused

Gives a list of WorkSpaces that have not been used within 31 days (by default). Monitoring this every month can assist you in keeping your costs down. You may wish to change this to 90 days or whatever you like. If your users are not using their WorkSpace, you may query if they need it. This can be exported to Excel.

 

Actions:

  • You can select the whole page or unselect it.
  • You can also select WorkSpaces individually.
  • You can then select ‘Process Selected’ to decide what you want to do with the WorkSpace(s).

If you choose Terminate, you will need to type in CONFIRM to process the termination of the WorkSpace(s).

You can also click on a WorkSpace and it will hyperlink directly to the information on that WorkSpace. You can then perform actions on it as normal.

4.4.4   Unhealthy

Gives a list of WorkSpaces that are in an Unhealthy status and users will not be able to reconnect to them without action. This can be a good pro-active remediation task, but please be aware that if somebody is running such processes as heavy compute then the CPU may be high over a long period of time. With the WorkSpaces Manager User Dashboard, users can reboot their own WorkSpaces if they get the ‘Unhealthy’ status on their WorkSpaces client.

This report can be exported to Excel. You can select the WorkSpaces and select Process Selected for rebooting them.

You can also click on a WorkSpace and it will hyperlink directly to the information on that WorkSpace. You can then perform actions on it as normal.

 

4.4.5   Stopped

Gives a list of WorkSpaces that are in a ‘Stopped’ state.

You can select them all, or select them one by one, and perform an action. You will need to type in CONFIRM to action and select ‘Go’.

You can also click on a WorkSpace and it will hyperlink directly to the information on that WorkSpace. You can then perform actions on it as normal.

This report can also be exported to Excel.

4.4.6   Orphaned

Check for Orphaned WorkSpaces. This will only update WorkSpaces that you have permission to manage and OUs within AD that you have access to.

If users have been deleted from Active Directory, it is likely that their WorkSpace will remain.

You can select them all, or select them one by one, and perform an action. This report can also be exported to Excel.

You can export these to Excel if there are many. Select the WorkSpaces you wish to act on. Select ‘Process Selected’ and you get a drop-down list of actions. In reality, you would only need to select ‘Terminate’ (delete).

To terminate them, select ‘TERMINATE’ and then type CONFIRM and select ‘Go’.

You will now receive a confirmation message.

You can also click on a WorkSpace and it will hyperlink directly to the information on that WorkSpace. You can then perform actions on it as normal.

 

4.4.7   Hours since Reboot

This gives information on the hours since each WorkSpace was last rebooted.

If you want to reboot WorkSpaces that have not been rebooted for some time, you can select them all, or select them one by one, and perform an action. (You can also click on a WorkSpace to go directly to its information and perform actions on it as normal.) This report can also be exported to Excel.

You can export these to Excel if there are many. Select the WorkSpaces you wish to act on. Select ‘Process Selected’ and you get a drop-down list of actions. Select ‘REBOOT’ if you want to reboot them. Then type CONFIRM and select ‘Go’.

You will now receive a confirmation message.

5.    Presenting applications to users via various delivery methods (Active Directory, Cloudpaging and AppStream).

Applications can be delivered to users via either:

  • In a WorkSpace (using Active Directory group membership and products such as App-V, FlexApp, etc) or via Numecent Cloudpaging.

* FlexApp and Numecent Cloudpaging are separate application suites in which applications are packaged and delivered in containers. If you need to know more about how they could fit your organisation, please contact us here at Nuvens.

  • In an AppStream session.

5.1 Active Directory (AD) Group Applications

Firstly, enable “AD Group Applications” in the Applications menu.

When you’ve enabled this option, you will get an ‘App Groups’ option on the menu.

To add a new application to the user’s menu which is delivered via an Active Directory group membership, select ‘Add Application’ from the ‘Packaged Applications’ menu.

5.1.1   Application

Name of your application.

5.1.2   Version

The application version.

5.1.3   AD Group Name

The Active Directory group name that the user must be a member of to obtain this application.

5.1.4   Application Type

Free-text field for any category you like (e.g., Payroll, HR, IT, etc).

5.1.5   License Type

This is either ‘Free’ (the user can add/remove this application via Self-Service) or ‘Paid’ (which requires administrator intervention).

5.1.6   License Count

This is the total number of licenses for the application. It applies when the License Type above is set to ‘Paid’.

5.1.7   WorkSpace App

Select this option for Active Directory group delivered applications.

5.2 Cloudpaging applications

Firstly, enable “Cloudpaging Applications” in the ‘Applications’ menu and enter your Cloudpaging username that is used to control the delivery of the applications.

This will enable the ‘Cloud Paging’ menus for administration and on the user Self-Service portal.

You can now add your Cloudpaging applications. Enable ‘Cloudplayer app’ function for it to be delivered via the Cloudpaging application.

5.2.1   Application

Name of your application.

5.2.2   Version

The application version.

5.2.3   AD Group Name

For applications deployed based on AD group membership.

 

5.2.4   Application Type

Free-text field for any category you like (e.g., Payroll, HR, IT, etc).

 

5.2.5   License Type

This is either ‘Free’ (the user can add/remove this application via Self-Service) or ‘Paid’ (which requires administrator intervention).

 

5.2.6   License (Cloudpaging Only)      

The license is determined when the application is packaged which will generate a license GUID.

5.2.7   Expiry Period (Cloudpaging Only)

The number of days that the license is assigned for before being returned to the pool.

5.2.8   License Count

The number of licenses purchased/available for the product.

5.2.9   Upgrade License (Cloudpaging Only)

If a Cloudpaging application is provided with an Upgrade License GUID, Numecent will automatically provision the upgraded version of the product.

5.2.10 Upgrade URL (Cloudpaging Only)

The URL for the upgraded application package.

5.2.11 Upgrade Type (Cloudpaging Only)

The upgrade can be optional or enforced.

5.2.12 Cloudplayer App

Enables this as a Cloudplayer (Cloudpaging) application in the users’ Self-Service portal.

5.3 AppStream applications

Use these settings when the application is delivered into an AppStream session as a Dynamic Application; the entry points to the path of the application executable to launch.

Please refer to Section 8 for information on ‘AppStream Dynamic Applications’.

5.3.1   Application

Name of your application.

5.3.2   Version

The application version.

5.3.3   AD Group Name

The Active Directory group that the user must be a member of to get the application via Dynamic Application delivery.

5.3.4   Application Type

Free-text field for any category you like (e.g., Payroll, HR, IT, etc).

5.3.5   License Type

This is either ‘Free’ (the user can add/remove this application via Self-Service) or ‘Paid’ (which requires administrator intervention).

5.3.6   License Count

This is the number of licenses available if the application is marked as ‘Paid’.

5.3.7   AppStream Launch Path

Used when the application is delivered into an AppStream session as a Dynamic Application. This is the path of the application executable to launch. Please refer to the separate ‘AppStream Dynamic Applications’ document.

5.3.8   App Icon Data

Used when the application is delivered into an AppStream session as a Dynamic Application. This is the Base64 representation of the application icon. Please refer to the separate ‘AppStream Dynamic Applications’ document.

5.3.9   AppStream Dynamic App

Enables this as an AppStream Dynamic application in the users’ Self-Service portal.

Please refer to Section 8 for information on ‘AppStream Dynamic Applications’.

6.    Multi-Domain forest

If you have users in a multi-domain forest, you can add your domains to the WorkSpaces Manager portal. For this configuration, you will need to switch the Multiple Domains function in Additional Options to ‘On’. You will have a single domain by default.

Enable ‘Multiple Domains’ in the Additional Options section of ‘Options > Settings’.

You add more domains by clicking on the ‘+’ button.

You now add your WorkSpaces Directory ID, FQDN and NetBIOS name of your Active Directory domain, the default OU for your user accounts in that domain, and the username and password for the service account in that domain that you are using to add and remove WorkSpaces.

7.    Multi AWS Accounts

Using WorkSpaces Manager, it is possible to manage WorkSpaces in different AWS accounts in the same console.

7.1     STEP 1: In Account A (which is the main account that the WorkSpaces Manager instance resides in)

Firstly, make a note of the following:

  • The account number of Account A (where your WorkSpaces Manager instance resides). For this example, we will refer to it as 111111111111.
  • The account number of Account B (where your other WorkSpaces reside that you want to manage). For this example, we will refer to it as 222222222222.
  • The IAM role that is associated with your WorkSpaces Manager in Account A. For this example, we will refer to it as WSM320-YourWSMRole.
  • The Instance ID of your WorkSpaces Manager. For this example, we will refer to it as i-99999999999999999.

  1. Insert an inline policy which gives access to the second account containing the WorkSpaces. Call the inline policy ‘WSMAllowAccountBAccess’.

We will call the role in Account B ‘AllowWSMAccess’ and will be creating it in the next section.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::222222222222:role/AllowWSMAccess"
        }
    ]
}

  2. Insert an inline policy which gives access to the second account containing the WorkSpaces. Call the inline policy ‘WSMAccount222222222222CloudwatchPolicy’. Insert this JSON.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:GetDashboard",
                "cloudwatch:GetMetricData",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:DescribeAlarms",
                "workspaces:*",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:GetMetricWidgetImage",
                "ce:*"
            ],
            "Resource": [
                "*",
                "arn:aws:iam::222222222222:role/AllowWSMAccess"
            ]
        }
    ]
}

  3. Insert an inline policy which gives access to the second account containing the WorkSpaces. Call the inline policy ‘WSMAccount222222222222PricingPolicy’. Insert this JSON.

{
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "pricing:*",
            "Resource": [
                "*",
                "arn:aws:iam::222222222222:role/AllowWSMAccess"
            ]
        }
    ]
}

  4. Insert an inline policy which gives access to the second account containing the WorkSpaces. Call the inline policy ‘WSMAccount222222222222CostExplorerPolicy’. Insert this JSON.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ce:*",
            "Resource": [
                "*",
                "arn:aws:iam::222222222222:role/AllowWSMAccess"
            ]
        }
    ]
}

7.2     STEP 2: In Account B (where the WorkSpaces are that you need to administer with WorkSpaces Manager).

  1. In IAM, create a policy called ‘WorkSpacesManagerAdminPortal’ with the following JSON.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:ListTagsLogGroup",
                "logs:GetLogRecord",
                "cloudwatch:GetMetricData",
                "logs:DescribeLogStreams",
                "logs:DescribeSubscriptionFilters",
                "logs:StartQuery",
                "logs:DescribeMetricFilters",
                "sts:GetAccessKeyInfo",
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "sts:GetSessionToken",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarmsForMetric",
                "logs:GetLogEvents",
                "logs:FilterLogEvents",
                "logs:DescribeResourcePolicies",
                "cloudwatch:GetMetricWidgetImage",
                "sts:GetServiceBearerToken",
                "logs:DescribeDestinations",
                "logs:DescribeQueries",
                "cloudwatch:GetDashboard",
                "logs:DescribeLogGroups",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "cloudwatch:GetMetricStatistics",
                "logs:DescribeExportTasks",
                "logs:GetQueryResults",
                "workspaces:*",
                "cloudwatch:DescribeAlarms",
                "sts:GetCallerIdentity",
                "logs:GetLogGroupFields"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:GetFederationToken"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
                "arn:aws:iam::222222222222:role/AllowWSMAccess"
            ]
        }
    ]
}

  2. Create a role called ‘AllowWSMAccess’ and attach the policy ‘WorkSpacesManagerAdminPortal’ that you created above.
  3. Attach an inline policy to the ‘AllowWSMAccess’ role and call it ‘WSMIAMPassPolicy’. Insert this JSON.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
                "arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999"
            ]
        }
    ]
}

  4. Go to the ‘AllowWSMAccess’ role, select ‘Trust Relationships’ and then ‘Edit Trust Relationships’. Insert this JSON and select ‘Update Trust Policy’.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
                    "arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999"
                ],
                "Service": [
                    "workspaces.amazonaws.com",
                    "ec2.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

  1. Create a policy called ‘WSMS3Access’ with the content below and attach it to the ‘AllowWSMAccess’ role. Insert this JSON.

Replace ‘workspacescostoptimizer-costoptimizerbucket-1234567890123’ with the S3 bucket name of your WorkSpaces Cost Optimiser in Account B.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketVersioning"
            ],
            "Resource": [
                "arn:aws:s3:::workspacescostoptimizer-costoptimizerbucket-1234567890123",
                "arn:aws:s3:::*/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:GetFederationToken"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:role/WSM320-YourWSMRole",
                "arn:aws:iam::222222222222:role/AllowWSMAccess"
            ]
        }
    ]
}
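Before attaching these documents it is worth checking, from Account B's side, exactly who the trust policy admits and which statements grant access on a wildcard resource. The script below is an added example (not Nuvens code): TRUST_POLICY and S3_POLICY are the AllowWSMAccess trust policy and the WSMS3Access policy transcribed from this section, with the page's placeholder account numbers, role names and bucket name; the two checks themselves are generic and work on any IAM policy document.

```python
"""Audit the cross-account IAM documents from this section.

Added example, not Nuvens code. TRUST_POLICY and S3_POLICY are the trust
policy of AllowWSMAccess and the WSMS3Access policy transcribed from the
page; 111111111111, 222222222222, the role names and the bucket name are
the page's placeholder values. The checks themselves are generic.
"""
from typing import List, Set, Tuple

ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
WSM_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/WSM320-YourWSMRole"
WSM_SESSION = (f"arn:aws:sts::{ACCOUNT_A}:assumed-role/"
               "WSM320-YourWSMRole/i-99999999999999999")
COST_BUCKET = "workspacescostoptimizer-costoptimizerbucket-1234567890123"

# Trust policy of AllowWSMAccess in Account B.
TRUST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": [f"arn:aws:iam::{ACCOUNT_A}:root", WSM_ROLE, WSM_SESSION],
            "Service": ["workspaces.amazonaws.com", "ec2.amazonaws.com"],
        },
        "Action": "sts:AssumeRole",
    }],
}

# WSMS3Access policy attached to AllowWSMAccess.
S3_READ = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketVersioning"]
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": S3_READ,
         "Resource": [f"arn:aws:s3:::{COST_BUCKET}", "arn:aws:s3:::*/*"]},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": S3_READ,
         "Resource": "arn:aws:s3:::*/*"},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"], "Resource": "*"},
        {"Sid": "VisualEditor3", "Effect": "Allow",
         "Action": ["sts:AssumeRole", "sts:GetFederationToken"],
         "Resource": [WSM_ROLE, f"arn:aws:iam::{ACCOUNT_B}:role/AllowWSMAccess"]},
    ],
}


def _as_list(value) -> list:
    """IAM accepts a single string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy: dict) -> Tuple[Set[str], Set[str]]:
    """Return (AWS principal ARNs, service principals) allowed to assume the role."""
    aws: Set[str] = set()
    services: Set[str] = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                 # anonymous trust: record as a wildcard
            aws.add("*")
            continue
        aws.update(_as_list(principal.get("AWS")))
        services.update(_as_list(principal.get("Service")))
    return aws, services


def unexpected_trust(trust_policy: dict, expected_aws: Set[str],
                     expected_services: Set[str]) -> List[str]:
    """Principals the trust policy admits beyond the expected sets (sorted)."""
    aws, services = trusted_principals(trust_policy)
    return sorted((aws - expected_aws) | (services - expected_services))


def broad_grants(policy: dict) -> List[Tuple[str, str, str]]:
    """(Sid, action, resource) for every Allow whose Resource contains a wildcard."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:              # "*" and patterns such as arn:aws:s3:::*/*
                for action in _as_list(stmt.get("Action")):
                    findings.append((stmt.get("Sid", ""), action, resource))
    return findings


if __name__ == "__main__":
    expected_aws = {f"arn:aws:iam::{ACCOUNT_A}:root", WSM_ROLE, WSM_SESSION}
    expected_svc = {"workspaces.amazonaws.com", "ec2.amazonaws.com"}
    print("unexpected trust:", unexpected_trust(TRUST_POLICY, expected_aws, expected_svc))
    for sid, action, resource in broad_grants(S3_POLICY):
        print(f"{sid}: {action} on {resource}")
```

Run as a script it reports no unexpected trust and eight broad grants in WSMS3Access: the three read actions on arn:aws:s3:::*/* (in VisualEditor0 and again in VisualEditor1) and the two listing actions on *. The object wildcard lets the role read objects in any bucket in Account B, not only the Cost Optimiser bucket; if that is wider than you need, narrow those resources to the named bucket's ARN and its objects before attaching the policy. The arn:aws:iam::111111111111:root principal hands the decision of who may assume AllowWSMAccess to Account A's own IAM policies, which is why the audit lists it explicitly rather than hiding it behind the account number.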

7.3     STEP 3: Configure WorkSpaces Manager in your main account (Account A).

Configure the WorkSpaces Manager Portal to accept the new account. Go to Options > Settings > Additional Options and set ‘Multiple account’ to ‘On’.

In the left-hand pane you will now see a Multi AWS Account option, with your root (Master) WorkSpaces Manager account already filled in.

To add Account B, select the ‘+’ and enter the details for the AWS account.

  • AD Integrated – Your WorkSpaces can be either domain joined or non-domain joined. If they are domain joined, select this.
  • WorkSpaces – WorkSpaces are viewable and enabled in this account. Select this.
  • AWS Cost Optimiser – Select this.
  • Cost Optimiser Bucket – The S3 bucket that holds the Cost Optimiser data in Account B.
  • Access Log Group – Leave blank for the moment.

Leave the AppStream option and AppStream Bucket unchanged.

Your new account will now be listed. Up to 10 accounts are shown per page; any more appear on the next page, which you reach by selecting ‘Next’.

8.    Creating Dynamic Applications in AppStream

8.1     How does Dynamic Application delivery differ from normal AppStream application delivery?

When an administrator installs applications on an AppStream image, every icon on that image is delivered to every user that connects to that fleet. Whilst you can restrict these from launching, you will still be allocating an RDS CAL, which will incur additional costs.

Using Dynamic Applications, we completely remove the user’s visibility of applications they cannot use, reducing costs and providing a clean AppStream image. Applications are delivered based on Active Directory group membership. 

It is also important not to give users access to AppStream services if they do not have any AppStream applications. This is explained in Section 8.11.

The end-user process to launch an AppStream Dynamic Application is:

  1. The user connects to the AppStream service.
  2. They enter their Active Directory password.
  3. The list of applications builds based on their Active Directory group membership.
  4. The user launches their application.

8.2     Image Builder Preparation

To install the Dynamic Applications components, the local Image Builder administrator will need to log on to the Image Builder and create the Dynamic Application Provider environment.

Step 1: Create a folder called C:\DynamicApps

Copy DynamicApps.zip (to be supplied by Nuvens) into this folder and extract it there.

IMPORTANT: As these extracted files are copied in from outside the instance, the administrator must ensure that each of them is ‘Unblocked’ by the operating system. To do this, right-click on each of the extracted files and select ‘Unblock’.

Step 2: Create a folder called C:\DynamicAppIcons

This is where the local administrator puts the application icons so they can be converted to Base64 text; the administrator later uses that text in WorkSpaces Manager to assign icons to the applications.

AppStream does not use these icons directly. The folder is just an area where the administrator can store ‘.png’ icons that represent the applications and convert them to Base64 via a PowerShell script.

Please refer to Section 8.3.1 for creating the application icons.

Step 3: Create a folder called C:\DynamicAppIcons\Encoded

This is where the Base64-encoded text files will reside once they are converted in Section 8.3.

Step 4: Amend the AppStream session scripts configuration

Edit the file config.json in C:\AppStream\SessionScripts and put the following entry in the location shown. This invokes the Dynamic Application functionality that supplies the applications to the users. Because the file is JSON, the backslashes in the paths and the quotation marks inside the arguments value must be escaped as shown.

        "filename": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "arguments": "-File \"C:\\DynamicApps\\DynApps.ps1\"",

8.3     Creating a Base64 string for the application icons

Copy the file ‘GetBase64ofPNG.ps1’ from the C:\DynamicApps folder into the C:\DynamicAppIcons folder and amend it to reference your own application .png files.

Run this PowerShell script to produce a Base64-encoded text file for each PNG. It puts them in the ‘Encoded’ sub-folder. These will be used later to create a Dynamic Application in the WorkSpaces Manager admin portal.
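The same conversion, written in Python as an added example rather than Nuvens' GetBase64ofPNG.ps1 script: the source and destination folders (C:\DynamicAppIcons and its Encoded sub-folder on the page) are parameters so it runs anywhere, each file is checked for the PNG signature before it is encoded, and base64_is_png() lets you confirm that a string you are about to paste into the portal really decodes to a PNG. The 1x1 PNG and the bogus file that run_demo() writes to a temporary folder are constructed sample input.

```python
"""Convert PNG icons to Base64 text files, the job GetBase64ofPNG.ps1 does.

Added example in Python, not Nuvens' script. The source and destination
folders (C:\\DynamicAppIcons and its Encoded sub-folder on the page) are
parameters so the code runs anywhere. Each file is checked for the PNG
signature before encoding, so a mislabelled file is not turned into an
icon string. run_demo() builds a constructed 1x1 PNG and a bogus file in
a temporary folder to exercise the conversion.
"""
import base64
import struct
import tempfile
import zlib
from pathlib import Path
from typing import Dict

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_sample_png(rgb=(255, 0, 0)) -> bytes:
    """Constructed 1x1 RGB PNG, used only as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 8-bit RGB, no interlace
    scanline = b"\x00" + bytes(rgb)                       # filter byte 0 + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def is_png(data: bytes) -> bool:
    return data[:8] == PNG_SIGNATURE


def png_to_base64(data: bytes) -> str:
    """Base64 text for a PNG; refuses anything without the PNG signature."""
    if not is_png(data):
        raise ValueError("not a PNG file")
    return base64.b64encode(data).decode("ascii")


def base64_is_png(text: str) -> bool:
    """Check that an encoded string (e.g. one pasted into the portal) decodes to a PNG."""
    try:
        return is_png(base64.b64decode(text, validate=True))
    except ValueError:                  # binascii.Error is a ValueError subclass
        return False


def encode_icon_folder(src: Path, dst: Path) -> Dict[str, str]:
    """Write <name>.txt into dst for every valid *.png in src; return name -> text."""
    dst.mkdir(parents=True, exist_ok=True)
    encoded: Dict[str, str] = {}
    for png in sorted(src.glob("*.png")):
        data = png.read_bytes()
        if not is_png(data):
            print(f"skipping {png.name}: no PNG signature")
            continue
        text = png_to_base64(data)
        (dst / f"{png.stem}.txt").write_text(text, encoding="ascii")
        encoded[png.stem] = text
    return encoded


def run_demo() -> Dict[str, str]:
    """Populate a temporary icon folder and encode it; returns what was encoded."""
    with tempfile.TemporaryDirectory() as tmp:
        icons = Path(tmp) / "DynamicAppIcons"
        icons.mkdir()
        (icons / "notepad.png").write_bytes(build_sample_png())
        (icons / "bogus.png").write_bytes(b"not really a png")   # must be skipped
        result = encode_icon_folder(icons, icons / "Encoded")
        assert (icons / "Encoded" / "notepad.txt").exists()
        return result


if __name__ == "__main__":
    for name, text in run_demo().items():
        print(name, text[:24] + "...", base64_is_png(text))
```

The signature check matters because an icon string is stored against an application and served to every entitled user; rejecting non-PNG input at encoding time is cheaper than discovering a broken icon on the AppStream catalog later.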

8.3.1   How do I create a PNG icon for my application?

The local administrator can obtain an icon for the application by using the Image Assistant to create one. Go to Image Assistant on the Image Builder desktop and add the application.

To find the icon, go to C:\ProgramData\Amazon\Photon\AppCatalogHelper\AppIcons; it contains a list of .png files that relate to the applications. They are named randomly, so double-click on them to find the icon that is required.

Copy the relevant icon file to the C:\DynamicAppIcons folder and then go to Section 8.3 to convert it to Base64.

8.4     Testing applications from the Image Builder

Dynamic Applications behave differently on an image builder when testing applications from the Image Assistant and creating the new image. Dynamic Applications will not show up to test, but non-dynamic applications will.

For Dynamic Application functionality to be available, select ‘Enable dynamic app providers’ with the check box.

If the administrator wants to test the applications that are published dynamically, they must do so via the usual menu shortcuts, etc.

8.5     Top level AppStream Dynamic Applications access control group

An administrator can control whether a user is enumerated for applications in WorkSpaces Manager by using a general Active Directory control group. For example, there is an Active Directory group called ‘AppStreamDA’. If a user is not a member of this group, no CSV with application entitlements is generated for them. However, if the administrator gives them access to the stack they can still connect to it (which the administrator does not want, as it consumes resources). Control this access via Section 8.11.

8.6     Adding an AppStream Dynamic Application in WorkSpaces Manager

In the WorkSpaces Manager portal, go to ‘AppStream Apps’ in ‘Options’. The list of AppStream Dynamic Applications will be shown.

To add an application, select the menu on the right and select ‘Add Application’.

Now enter the details for the application. The AD Group Name will be the group that users will be a member of. They must be a direct member of this group as group nesting will not work.

8.7     Assigning an AppStream Dynamic Application to a user.

There are two ways of achieving this.

8.7.1   Assign the application to user in WorkSpaces Manager

PLEASE NOTE: Refer to Section 8.5 as the AppStream users will need to be in a top-level access Active Directory group to get their applications.

First, search for the user in the ‘Users’ menu.

Then select this user, select ‘Assign Application’ from the menu.

It can now be seen that there are two Dynamic Applications assigned to this user via AD groups (DA-Notepad and DA-Explorer for the ‘Notepad’ and ‘Explorer’ apps respectively). These are the Active Directory groups that were specified for the Dynamic Applications when configuring them in Section 8.6.

Now select the application from the drop-down list and select ‘Save’.

Go back to the user’s apps list and the new application will be visible. This is now available to them via Dynamic Apps once the update routine runs (every 20 minutes).

8.7.2   Put the user in the Active Directory Group associated with the Dynamic application.

PLEASE NOTE: Refer to Section 8.5 as the AppStream users will need to be in a main access Active Directory group to get their applications. Without this, they will not get a configuration file generated.

This is the best method if there are a lot of users to assign the application to.

IMPORTANT NOTE REGARDING GROUP MEMBERSHIPS: Nested Group membership does not work. The user must explicitly be a member of the AD group assigned to that application for it to work.

An AD Sync process runs from the WorkSpaces Manager application at 04:30 daily, or an administrator can start it manually by going into the WorkSpaces Manager ‘Hangfire’ console (http(s)://yourWSMportaladdress/hangfire) and running the ‘syncAdGroups’ job.

Go to ‘Recurring jobs’ at the top and look for the ‘syncAdGroups’ job. Select it and select ‘Trigger now’.   ** DO NOT SELECT ‘DELETE’ **

Additionally, do the same with the ‘dynamicAppFiles’ job.

The user’s CSV file is updated on the 20-minute schedule or the administrator can invoke it themselves by going to the WorkSpaces Manager console and selecting ‘Update Dynamic Apps’ from the ‘Update’ menu.
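The two assignment routes in 8.7.1 and 8.7.2 end in the same place: a per-user configuration derived from group membership, with the top-level group from Section 8.5 deciding whether a file is generated at all and only direct membership counting. The model below is an added example, not WorkSpaces Manager code, that reproduces those rules on a constructed directory; AppStreamDA, DA-Notepad and DA-Explorer are the group names from this guide, DA-Paint and the user names are invented, and the CSV column layout is an assumption since the real file format is not documented here. effective_groups() is included only to show what nested membership would have given, and why bob, a member of DA-Explorer only through a nested group, receives nothing.

```python
"""Model of how Dynamic Application entitlements follow from AD groups.

Added example, not WorkSpaces Manager code. It reproduces the rules stated
in Sections 8.5 to 8.7: a user gets a configuration file only as a direct
member of the top-level access group, and an application only as a direct
member of that application's group; nested membership is not expanded.
Group names AppStreamDA, DA-Notepad and DA-Explorer are from the page;
DA-Paint, the user names and the directory contents are constructed, and
the CSV column layout is an assumption (the real file layout is not
documented on this page).
"""
import csv
import io
from typing import Dict, List, Optional, Set

ACCESS_GROUP = "AppStreamDA"

# Dynamic Applications as configured in Section 8.6: application -> AD group.
APPS: Dict[str, str] = {
    "Notepad": "DA-Notepad",
    "Explorer": "DA-Explorer",
    "Paint": "DA-Paint",            # assumed group name
}

# Constructed directory: group -> direct members (user names or nested groups).
GROUPS: Dict[str, Set[str]] = {
    "AppStreamDA": {"alice", "bob"},
    "DA-Notepad": {"alice", "carol"},
    "DA-Explorer": {"Engineering"},     # bob is a member only via Engineering
    "DA-Paint": set(),
    "Engineering": {"bob"},
}


def direct_groups(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Groups that list the user as a direct member."""
    return {name for name, members in groups.items() if user in members}


def effective_groups(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Transitive membership, i.e. what nesting WOULD give; shown only for contrast."""
    result = direct_groups(user, groups)
    frontier = set(result)
    while frontier:
        parents = {name for name, members in groups.items() if members & frontier}
        frontier = parents - result
        result |= frontier
    return result


def entitled_apps(user: str, apps: Dict[str, str],
                  groups: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Applications delivered to the user, or None when no file is generated."""
    mine = direct_groups(user, groups)
    if ACCESS_GROUP not in mine:        # Section 8.5: no CSV without the access group
        return None
    return sorted(app for app, group in apps.items() if group in mine)


def user_config_csv(user: str, apps: Dict[str, str],
                    groups: Dict[str, Set[str]]) -> Optional[str]:
    """CSV text for the user's configuration file (assumed column layout)."""
    rows = entitled_apps(user, apps, groups)
    if rows is None:
        return None
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["application", "ad_group"])
    for app in rows:
        writer.writerow([app, apps[app]])
    return out.getvalue()


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "direct:", sorted(direct_groups(user, GROUPS)),
              "nested:", sorted(effective_groups(user, GROUPS)),
              "apps:", entitled_apps(user, APPS, GROUPS))
```

Running it shows alice receiving Notepad, bob receiving an empty list despite nested membership of DA-Explorer, and carol receiving no file at all because she is not in AppStreamDA. When a user reports a missing application, checking direct membership of both the access group and the application group, rather than the group tree a directory tool shows, is the first thing to verify.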

8.8     Removing a Dynamic Application from the main list for all users

In WorkSpaces Manager, go to ‘AppStream Apps’ in Options.

Click on the application to be deleted (Paint is selected above). Then select ‘Delete’ to remove the application.

The user’s CSV file is updated on the 20-minute schedule, or the administrator can invoke the update themselves by going to the WorkSpaces Manager console and selecting ‘Update Dynamic Apps’ from the ‘Update’ menu.

The application will no longer be there the next time users log in to AppStream.

8.9     Removing a Dynamic Application from a user

First, search for the user in WorkSpaces Manager and select ‘Assign Application’.

Then select the icon to the right of the application to be removed.

Alternatively, you can also remove them directly from the Active Directory group assigned to that application.

8.10   Dynamic Application configuration files

The configuration files used to deliver Dynamic Applications based on Active Directory groups are held on the WorkSpaces Manager appliance in a share called ‘AppStreamApps’. They are read-only to users. Each user who accesses AppStream and uses Dynamic Applications has one, written automatically by WorkSpaces Manager.

The information in each user’s file grants access to the applications that user is entitled to via Active Directory group membership.

8.11   Can I stop users accessing AppStream and running up a session when they do not have any applications assigned?

Yes. An administrator will have to control this at the first point of user access. For example, if using Okta, the administrator would use another Active Directory group to control who sees the AppStream stack icon. If using GSuite only, the administrator would not configure the user to use AppStream based on their own account (hence the service would not be available to them).

Instructions on how to do this are outside the scope of this document.