When this option is enabled, and the service account has the necessary permissions in the LDAP Active Directory, users can change their passwords directly within the portal. Password security requirements can be configured in the settings menu to align with corporate standards. Additionally, if enabled, users will receive an email with a link to the WorkSpaces Manager portal 10 days before their password expires.

The User self-service portal that allows a user to manage their own WorkSpaces(s) and execute admin defined basic actions.

WorkSpaces Manager has three main sections for users and administrators to manage the the Portal:

End-Users can save time and reduce support tickets by accessing the WorkSpaces Manager User Portal.

This portal shares the same URL as the one used by WorkSpace Administrators but provides end-users with a simplified version tailored to their specific WorkSpaces. Users can log in using their existing credentials.

The self-service Portal can save a user from calling the Service Desk if they cannot connect to their WorkSpace or they can stop/restart their WorkSpace without any intervention from Support.

If enabled, the "User Restore" and "User Rebuild" options will also be available in the portal.

The dashboard provides a unified view of the entire WorkSpaces environment and estate. It also displays event logs, serving as an audit trail of actions performed by administrators.

In the centre of the dashboard :

• Unhealthy WorkSpaces

• Healthy WorkSpaces

• Standyby WorkSpaces

• Stopped WorkSpaces

• Unused WorkSpaces

• Connected Users

• Portal Licenses (in percentage of use)

• Always On

• AutoStop

• Disabled Users Account

• Orphaned (WorkSpaces)

• API Rate Exception

• Recently Disconnected

• Recommendations

• WorkSpaces Low Disk Volume

• CO Directories (Cost Optimizer)

WorkSpaces Manager Performance Monitor and CloudWatch Log Group are required to extend the available metrics beyond the default ones provided by AWS.

If the WSM Performance Monitor agent is installed, you can view the CPU and memory usage of the user's WorkSpace. The available disk space for the root and user volumes is displayed regardless of whether the agent is installed.

You can view the approximate location (based on the ISP provider)of a user by selecting the "User Location" Tab.

User last login times and dates

You can view user activity times and dates of a user by clicking on Activity.

In-Session Latency

This shows the in-session latency of the session over a defined period.

The Customise button on the right of the page allows the administrator to configure the tiles they would like displayed.

Below we have selected to see a few options, but not all. This is highly configurable by the user in question to fit their needs.

This information can be accessed by selecting a specific WorkSpace in the WorkSpaces section under the Admin tab. This will display a detailed overview of the WorkSpace and its associated user, including newly added metrics such as:

• Created: The date the WorkSpace was provisioned.

• Billing: Reflects the effectiveness of cost management. Clicking on this metric will take you directly to the Cost Optimization Report, where you can analyze detailed cost data and optimization opportunities.

• Performance: Represents the operational efficiency of the WorkSpace. Clicking on this metric will take you to the Underprovisioned WorkSpaces Report, where you can review WorkSpaces that may require additional resources.

You will find essential WorkSpace controls at the bottom of your screen, including icons for Refresh, Stop, Reboot, Restore, and Rebuild.

From the dropdown menu at the top right, you will see a list of possible actions, depending on your per

• RDP: If RDP is enabled in the Configurations > Settings > Remote Services menu, this will download an RDP file with the necessary details to connect to a user’s WorkSpace.

• Dameware: If Dameware is enabled in the Configurations > Settings > Remote Services menu, this will download a BAT file containing the necessary details to initiate a remote connection to a user’s Workspace using Dameware.

• Copy MSRA to Clipboard: Copies the MRSA key to your clipboard. This key is typically used for authentication, encryption, or secure communication between systems. Once copied, you can paste it into a required field or document for further use, such as establishing a secure connection or verifying a device's identity.

• Terminate: Permanently deletes a WorkSpace, resulting in the loss of all data.

• Schedule Termination: Schedules a WorkSpace termination at a specified date and time.

• Change WorkSpace Type: Allows switching to a different instance type (can only be changed every 24 hours).

• Change WorkSpace Mode: Switches between ALWAYS_ON and AUTO_STOP modes.

• Change WorkSpace Volumes: Increases the size of the C:\ and D:\ volumes (cannot decrease size).

• Change Protocol: If a WorkSpace was initially created with the PCoIP protocol, the 'Change Protocol' option allows you to switch between PCoIP and Amazon's WSP protocol, with a limit of two switches within 24 hours. The change of protocol will initiate an instant reboot

• Manage Tags: Adds tags to a WorkSpace.

• Change Reboot Hour: If "Auto Reboot" is enabled in Options > Settings, this allows you to set a specific reboot time for individual WorkSpaces. By default, WorkSpaces do not reboot automatically, but this option enables scheduling a reboot at a time that best suits your users.

• Migrate: to migrate a user from one bundle to another.

• Create Image: Captures a custom image of the current AWS Workspace.

In the WorkSpaces Personal tab, you’ll find a list of all existing WorkSpaces along with some of their attributes. This list is fully searchable by any of the information displayed in the columns. Some searchable elements include; Region, Computer Name, WorkSpace ID, Production/StandBy, Reg Code, Username, Name, IP Address, Compute, Mode, State, Directory, Protocol, Agent

In the WorkSpaces Pools tab, you'll find a overview of the pools in your AWS account displaying information of the usage and cost. A dropdown on the far right of each pool gives you options to view active sessions and monthly user usage.

Active Sessions will display any connected and not connected users with timestamps of the sessions

Monthly User Usage will show all the users that connected to the pool on the month selected on the top right, you can see total duration and cost along with monthly estimates.

In Secure Browser you will see a dashboard for WorkSpaces Web. It provides an overview of activity and usage including portals, users, active sessions, latest logs, url's visited, total cost in reporting period and user hours in report period.

There are a variety of reports available to help you understand costs and user behavior within your AWS WorkSpaces estate. If there is a specific report you would like to see, that doesn’t currently appear in the latest version, please reach out to support@workspaces.com to see if it is possible.

The following Reports that are currently available are as follows:

• User Activity

• Cost Optimization

• Cost Summary

• Underprovisioned

• Overprovisioned

• Unused WorkSpaces

• UnHealthy

• Stopped

• Orphaned WorkSpaces

• Orphaned Computer Objects

• Recommendations

• WorkSpace Tag report

• Bundle/Image in Use

• WorkSpace Service Limits

• Hour Since Reboot

• WorkSpace Provisioning

• WorkSpace User Locations

This tab displays the status of WorkSpace and user account creation. The update job runs every 10 minutes, so it may take a few minutes for the status to reflect changes in the next update cycle.

The list is fully searchable by the contents of any column and also includes tasks such as scheduled WorkSpace terminations.

WorkSpaces Manager provides a full Amazon WorkSpaces management portal. Containing a user self-service and an administration portal in a browser-based environment, without using the AWS Console.

WorkSpaces Manager is deployed as an appliance from the AWS Marketplace as an EC2 instance. It can be also deployed as a Packer AMI onto AWS. More information in the Installation section.

This guide has been authored by experts at Nuvens to provide information and guidance on using WorkSpaces Manager at full capacity. Product highlights:

• WorkSpaces Environment Management with optional application self-service feature for domain group-based application deployment

• Task driven User & WorkSpaces provisioning

• Multi-AWS Account and multi-region

• Forest-wide and Multi-Domain

• Automatic reboot schedule defined on a per WorkSpaces basis

• Cost reporting and Cost Optimisation

• WorkSpaces Performance Monitor Agent to report on Processor, Memory, Disk and connection statistics

This section contains the configuration for the Portal settings and the OpenID Connect Settings.

General: used to configure how the portal manages network settings, activity reporting, and logging.

Windows Server Update Services (WSUS): configures how the portal integrates with WSUS for managing updates, including connection details and security settings.

Self Service: provides various options for user self-management, such as changing passwords, restoring accounts, migrating data, and rebuilding configurations.

OpenID Connect Settings: for integrating the portal with an OpenID Connect provider (for single sign-on 'SSO'), enabling secure and streamlined user authentication.

The Update section allows you to refresh data from various APIs and repositories. You can select specific elements to force an update of their contents. Depending on the size of the estate and the update request, this process may take up to 20 minutes. A success message will be displayed upon completion.

The following elements can be updated:

• WorkSpaces

• WorkSpaces (Full)

• Tags

• Orphans

• Directories

• Check Tags

• AutoStop Timeout

This is the main setup page. Key entries have already been populated during installation and initial setup.

The top section provides a summary of essential system information, such as the version and licensing details. You can view the WorkSpaces Manager version (including any available updates), the number of licenses procured, the current number of licenses in use, and the license expiry date.

The settings page is divided into the following parts:

In this section you will be able to view your WorkSpaces Manager Licensing information which consists of the following:

• Version

• Maximum Licenses

• Licenses In Use

• License Expiry

If an upgrade is available, an upgrade icon will appear. Clicking on it will take you to the update page, where you can download and install the latest version of WorkSpaces Manager.

The 'Users' tab displays user attributes from the Active Directory domain.

From the main menu, one action can be performed with the Users:

Additionally, when viewing a user's information and attributes, several other actions can be executed, such as:

In this section you can configure settings for WorkSpaces Personal with the following:

• WorkSpaces: Enable/Disable AWS WorkSpaces Option from the Admin console.

• WorkSpace Update Frequency: Automatically update the local database with up-to-date information at regular intervals. A 15-minute interval is sufficient for most cases, but shorter intervals, such as 1 minute, may not be suitable for large WorkSpaces or user estates.

• Auto Provision Frequency: Allows the choice of auto-provisioning period. This checks the AD groups in your Auto- Provisioning profiles at specific time periods. If it finds a user in an AD group that does not have a WorkSpace, it auto-provisions one for them based on the Auto-Provisioning settings that you have specified. The field allows 0-59 minutes, but anything more than 60 becomes an hourly check.

• Unhealthy Reboot: If this option is enabled the service will check for any WorkSpaces with a status of "Unhealthy" every 10 minutes. Any WorkSpaces found in this state will have their status re-evaluated and if still found to be "Unhealthy" they will be rebooted or moved from hypervisor.

• Use Global AutoStop Time: Sets a global time for auto-stop all the WorkSpaces in this mode.

• AutoStop Timeout: Sets the number of hours before an idle WorkSpaces is stopped.

• AutoDelete: You can set up WSM to automatically delete unused workspaces after a defined period of days.

• AutoDelete Days: This value is the number of days a WorkSpace should be considered for deletion (e.g., 45 or 60 days).

• AutoDelete Safety Days: This value is the number of days a user will be given to inform their Service Desk or IT Function that they still require the WorkSpace before deletion. For example, if Auto-delete was set for 60 days. On the 60th day of the WorkSpace being unused, the user that is associated with the WorkSpace will receive an email informing them that their WorkSpace is to be deleted in (Safety days VALUE) with the request for them to contact support remove the Autodeletion request. After the safety days value and if autodeletion is not removed.

• AutoStop on AutoDelete: Automatically convert an Always-on WorkSpace to hourly mode

• Simulate AutoDelete: If Enabled will simulate a deletion in the service logs.

• Auto Reboot: Enables the Auto Reboot function.

• Auto Reboot Tag Name: Default time for Reboot is 3am, here you can set tag with different hour if you wish to change the Reboot Time.

• Access Log Group: Define a group or category for access logs within the system.

• Display Real Name: Shows real name for user in System.

• Display Username: Shows username for user in System.

• Multi Region Resiliance: Only enable this if you have configured Multi Region Resiliance

• Remove Standby on Termination: This determines whether resources that are in standby mode should be automatically terminated when a primary workspace is terminated. If this option is disabled, standby resources will remain even if the primary workspace is terminated.

• Disable Volume Encryption By Default: By default, the system selects encryption for each volume. To use non-encrypted volumes by default, enable the option to disable encryption.

In this section, we must configure the information about the Directory Service and the service account used to execute operations on it. The main part is set during the first setup, asking for the following information:

• Directory ID: Automatically populated once created.

• NetBios Name: A shortened version of the domain name, typically up to 15 characters. Example: CLOUD.

• Fully Qualified Domain Name (FQDN or DNS Name): The complete domain name that includes both the hostname and the domain. Example: NUVENS.CLOUD.

• Default OU: The default Organizational Unit (OU) for user accounts in Active Directory, provided in LDAP format using a distinguished name (DN) structure. Example: DC=nuvens,DC=cloud or OU=Sales,DC=nuvens,DC=cloud.

• Service Account: A specialized account for running services, applications, or scheduled tasks in an Active Directory Windows environment. It should have the required permissions for WSM to interact with Active Directory and may need to follow corporate naming conventions. Example: ad.service.

• Service Password: Critical for maintaining security, especially since service accounts typically have elevated permissions.

• Cost Optimizer Bucket: The name of the S3 bucket where the Amazon Cost Optimizer for WorkSpaces management tool stores its data.

• Dry Run Mode: A feature that simulates potential cost-saving actions without applying them.

• Active Directory Integrated: Enhances network and management capabilities by leveraging the security and replication benefits of Active Directory integration.

Multi Domains (Active Directory)

Once the Multiple Domains option for Active Directory has been enabled, additional configuration elements for the Forest can be defined, such as:

• Forest Service Account: A service account used within the context of an Active Directory forest, which is the top-level structure for managing a group of domains that share a common schema, configuration, and trust relationships.

• Forest Service Password: This password secures the Forest Service Account, which typically has elevated privileges across multiple domains. The security of this password is crucial due to the account's high-level access within the forest.

• Preferred Domain: Refers to the primary or most authoritative domain in the forest, typically used for managing resources, services, and administrative tasks across the entire forest.

• Disable Delete Computer Object: This feature prevents the deletion of computer objects in Active Directory when associated WorkSpaces are deleted, which could otherwise leave orphaned objects in the LDAP directory.

• Disable LDAPS: This disables LDAP over SSL, preventing encrypted communication if LDAPS is not implemented or enabled in the target domain.

WorkSpaces Pools provide non-persistent virtual desktops for users who need access to highly-curated desktop environments hosted on ephemeral infrastructure.

To display WorkSpaces Pools in the menu, you will need to toggle the Enable WorkSpaces Pools setting to on.

WorkSpaces Secure Browser provides a protected environment for users to access private websites, software-as-a-service (SaaS) applications, and the public internet. WorkSpaces Secure Browser works with the browser running locally on the end-user’s device.

To enable WorkSpaces Secure Browser and set up logging, start by navigating to the WorkSpaces Manager console and toggling the Enable Secure Browser setting to "On" to display it in the menu. Next, create an S3 bucket by going to the Amazon S3 Console and setting up a bucket with a name like workspacesweb-userlogs. Note down the bucket name for later use. Proceed to the Amazon Kinesis Console first create a data stream starting the name with amazon-workspaces-web- and set Capacity mode to On-demand, click Create data stream.

Then go to WorkSpaces, under the drop down for WorkSpaces Secure Browser go to Portals and click the active Portal for WorkSpaces Web. Select Portal settings then edit nect to User access logging details and select the Kinesis data stream.

Back to the Kinesis dashboard and go to Amazon Data Firehose, create a Firehose stream Set the source to Amazon Kinesis Data Streams and the destination to Amazon S3. In the Source Settings, click Browse and select the Kinesis Data Stream that was created.

Then, in the Destination Settings, click Browse and choose the S3 bucket you just created. Once done, click Create Firehose Stream to complete the setup.

Finally, return to the WSM console, and in the configuration, add the Bucket Name, Account ID, and Region, then click Add to finalize the integration. This will complete the setup for enabling and logging WorkSpaces Secure Browser activity.

In this section, you can configure the credentials for Remote Access, compatible with both Microsoft RDP and Dameware

This is the generic account used for connections across your organization. You can remotely control a user’s WorkSpace using the preferred application from the available list.

Enable RDP: enables the option for downloading an RDP file to connect to the user’s WorkSpace from within the Portal.

Enable DameWare: this is the toggle to switch on and off your preferred shadowing software.

This section allows you to configure an SMTP relay to send emails to users and administrators when certain actions are triggered.

We recommend using AWS Simple Email Service (SES) to create an SMTP Relay of your own. You can use a domain (nuvens.cloud) or a subdomain (mail.nuvens.cloud), aligned with your strategy.

You can test the connection by clicking Validate Configuration button highlighted above.

WorkSpaces Manager can automatically change the compute type of a WorkSpace. This is useful, for instance, if a user is regularly running heavy spreadsheets on a Standard WorkSpace and would benefit from an upgrade to a Performance WorkSpace. It can also downgrade a WorkSpace if it has been over-provisioned for the user's day-to-day needs.

You can set Low and High Processor and Memory values, according to your standards, without enabling the options. This would allow WorkSpaces Manager to run reports and recommendations for overutilized and underutilised WorkSpaces, without automatically changing them.

Additionally, the following settings can be configured in this section:

• Default AWS Region: This is the region automatically selected for running AWS services and resources unless a different one is specified. AWS regions are globally distributed locations where AWS data centers are hosted.

• Show AWS Bundles: AWS WorkSpaces provides several predefined bundles that include compute resources, storage, and an operating system for provisioning virtual desktops. It is recommended to hide these default bundles to make custom bundles more visible and easily identifiable.

• Fixed Tag Values: These are pre-set tag values that are automatically applied to Amazon WorkSpaces when created or managed through WSM. Tags in AWS, consisting of key-value pairs, help with organizing and categorizing resources, simplifying cost tracking, resource management, and automation.

• Use Custom KMS Keys: This option enhances security by encrypting Amazon WorkSpaces and related resources using your own encryption keys, rather than AWS-managed keys. It offers more control over key management, including rotation, access policies, and auditing.

• Dry Run Mode: This feature allows you to simulate potential cost-saving actions without actually implementing them, providing insights into possible savings before making changes.

• Cost Optimizer Bucket: Bucket name where Cost Optimizer data stored

• Cost Optimizer Version: The version determines the filename used to store the data

You will see a summary of the Account ID(s) as they are added.

If you want to deploy Roles and Policies on a Multi-Account AWS Environment, you can also check our GitLab with code for Terraform and CloudFormation examples:

The Rebuild function is applied to WorkSpaces associated with a selected bundle. A scheduled rebuild will occur one hour after the user’s selected Reboot Hour. This function rebuilds all WorkSpaces based on the selected bundle name, regardless of Account, Region, or Directory.

Example of a rebuild process:

Here we are going to rebuild all WorkSpaces in a bundle called "nuvens_bundle2024" tomorrow morning at 01:00. Some of our development users have installed applications of their own and have a tag set on their WorkSpace called "NoRebuild" that is set to value "True". These WorkSpaces will be omitted from the task.

Select "Schedule". You can, at this point, select to override the "NoRebuild" tag as mentioned above.

You will now see a screen confirming that the scheduled task has been submitted to the console.

If you need to patch WorkSpaces and ensure they are running at a specific time, you can now schedule the start of stopped WorkSpaces set to 'AUTO_STOP'.

To do this, select the bundle, choose the desired date and time for them to start, and click 'Schedule.'

If you want to stop all stopped WorkSpaces, regardless of bundle, simply click the button next to 'Start All Stopped WorkSpaces.

Configure the "Domain Password Policy" Email and Password text that users receive from the system when their password is to expire if the option is enabled for Password Expiry Emails.

You can enable Auto-Provisioning of WorkSpaces by adding users to an Active Directory group and configuring WorkSpaces Manager to read users from that group. To start, select Add Profile.

The following information is required to create and configure an AP Profile:

• AD Group Name: Populate the Active Directory group.

• Region: Select the AWS Region for the WorkSpaces to be created in.

• Directory: Select the WorkSpaces directory (AWS Directory Services or AD Connector).

• Bundle: Select the WorkSpaces bundle.

• Account: Select the AWS account number that the WorkSpaces will reside in (when multiple).

• Mode: Select the desired running mode.

• Encryption: Select to enable\disable root and user volume encryption

• Tags: Choose the Profile Tags to be added automatically.

If Auto-Provision is enabled, the service will poll the Active Directory groups every 15 minutes for new members.

To be able to assign tags to WorkSpaces, the Portal Administrator needs permission to do so via a Role. Roles can be accessed in the portal under (Security > Roles). SuperAdmin permissions have this permission by default. In the Role sample below, you can see that the role assigned to an administrator only allows them to add tags.

After enabling it, add which tags are going to be mandatory and possible values for it in; Configuration > Fixed Tags.

You can now add a fixed tag to a user’s WorkSpace. Navigate to a users WorkSpace in the portal. Select "Manage Tags" from the menu.

You can brand the WorkSpaces Manager Portal with your own company logo.

The Resources section allows to configure some elements of the Amazon WorkSpaces service like:

This section displays a list of all WorkSpace Directories in the AWS account, including AWS Directory Services and AD Connectors. As usual, the search option allows you to filter the content.

This action generates a report that includes best practice notes, detailed information, and test connections for creating and deleting Users and Computer Objects

If the action times out or returns an error, there may be an issue with the credentials or connectivity.

This report also shows how many of each bundle is deployed within the organisation.

In WorkSpaces Manager, Roles define a set of permissions that can be assigned to advanced users or administrators. Custom roles can be tailored to specific needs, such as the actions that can be performed or restrictions based on locations, for example.

To add a new role, select the ‘Action’ button in the top right. In this example, we want to create a role that only grants the ability to restart, stop, and start a user’s WorkSpace. After selecting the desired actions, click ‘Save’. You can modify the role at any time by double-clicking on it and saving the changes.

This section displays all WorkSpace images in the AWS account, both custom and default. The list is fully searchable by partial matches on any column's contents.

Email templates can be managed through this interface, which also supports dynamic variables for customization.

Email templates enable custom communication between the WorkSpaces Manager appliance and users or administrators via email. You can use various dynamic variables to compose personalized messages.

There are currently a total of 5 templates:

1. Amazon WorkSpace Termination Scheduled

2. Amazon WorkSpace Password Expires Soon

3. Amazon WorkSpace Reboot Scheduled

4. Amazon WorkSpace Rebuild Scheduled

5. Amazon WorkSpace New WorkSpace Created

The Support toolbar contains the following options;

Documentation - The admin guide for WorkSpaces Manager will open in a second window.

Service Log (Text File) - May be requested if support is needed.

Audit Log - An audit trail of users on WorkSpaces Manager and automated tasks carried out.

Error Log - Detailed Error Log.

All Logs - List of All Logs that include Audit, Info, Warning, Error and Critical.

Configuration Status - Status for Accounts and Directories in WorkSpaces Manager.

On the Admin Dashboard, if enabled, you will find a tile labeled Cost Optimizer: CO Directories. This tile provides confirmation of the system's status. If everything is functioning correctly, the status will indicate full operation. However, if an issue arises, it will display the specific number of directories running, such as "3/4" operational.

To identify the specific directory experiencing issues, navigate to the Support dropdown and select Configuration Status. In this section, under Directories, you will find details highlighting the directory that is not functioning properly.

The most likely cause of the issue is an incorrect S3 bucket name. To resolve this, navigate to Configuration > Settings > Active Directory under Forest Directories and ensure the S3 bucket name is accurate. Additionally, verify that the S3 bucket has been properly configured. For detailed guidance, refer to the AWS documentation.

Once the issue is resolved, the affected directory will turn green under C/O on the Configuration Status page, indicating it is functioning correctly.

On the Admin Dashboard, the CO tile will also update to reflect the current number of operating CO Directories.

If you are in an organisation where every new user will automatically be assigned a WorkSpace, you can assign them one from within WorkSpaces Manager. WorkSpaces Manager can also seamlessly integrate with your joiners and leavers software such as ServiceNow.

If you are doing this yourself, there are four ways of creating a user a WorkSpace: • Adding a single new user • Creating one when you create a new user where you are using another user as a copy ‘template’ • Creating one for an existing AD user • Auto Provision by AD Group

Administrators are granted permissions to perform advanced actions to manage the broader WorkSpaces estate. In WorkSpaces Manager, these permissions can be granularly assigned to Portal Administrators for specific tasks.

This section allows the delegation of support roles, enabling different users to access the WorkSpaces Manager console with specific administrative rights. For example, you may assign two staff members to manage users with critical roles, where policy dictates that only they are authorized to change the reboot times for those users' WorkSpaces.

Adding a new Administrator

To add a new Portal administrator, click the icon on the right and select Invite User.

Enter the user's email address. An invitation email with a registration link will be sent.

The user must complete the registration process and confirm their email.

Once the registration is confirmed, go to the Portal Users page. Click on the new user and assign a role either the SuperAdmin role or a custom Admin role you’ve created.

Restricting users to Accounts, Regions or Directories

For support role delegation, you may want to restrict Portal Administrators to managing WorkSpaces in specific AWS Regions (e.g., a Support team in APAC), specific WorkSpace Directories (e.g., directories containing only Finance and Marketing users), or based on WorkSpace Tags (e.g., where the Department is 'R&D').

With this Admin Role, we've restricted the assigned users to managing WorkSpaces in the eu-west-1, eu-west-2, and eu-central-1 regions, within a specific WorkSpace Directory, and any WorkSpaces in the assigned AWS Account (with multiple options if Multi-AWS accounts are set up). They cannot manage WorkSpaces outside of these parameters (e.g., they cannot terminate or reboot a WorkSpace in us-east-1). You can add or remove Accounts, Regions, and Directories by clicking the bin icon next to them.

In the WorkSpaces Manager dashboard, go to the Users section. You will see an option for ‘Add User’.

The WorkSpace will take around 20-45 minutes to set up, depending on if it is to be encrypted. Nuvens always recommend encrypting both volumes. An email is automatically sent to the user with instructions on how to access their WorkSpace.

If you want to create a new user in Active Directory which is copied from an existing user (which will also copy all their AD groups) and create a WorkSpace for them at the same time, firstly search for the user that you want to copy in ‘Users’.

Then select the copy button next to the user you want to use as a copy template. You can see at this point; this user has a WorkSpace and you can perform various actions. In this case, click Copy WorkSpace button.

You will then see a screen to enter the information for the new user, choose the running mode, and select encryption for the WorkSpace. Once completed, click 'Save.' The task will be added to the Task Queue, which you can view from the menu. Once the task is complete, it will disappear from the list. If selected, the user will also receive an email notification confirming that their WorkSpace has been set up.

Select the user and WorkSpaces Manager will show you if there is no WorkSpace for the user. Click Create WorkSpace.

WorkSpaces Manager can manage WorkSpaces within different AWS accounts from the same console.

Step 1: Which is the main account that the WorkSpaces Manager instance resides

Make a note of the following: • The account number of Account A (where your WorkSpaces Manager instance resides). For this example, we will refer to it as 111111111111 • The account number of Account B (where your other WorkSpaces reside that you want to manage). For this example, we will refer to it as 222222222222 • The IAM role that is associated with your WorkSpaces Manager in Account A. When deployed via CloudFormation, name can be similar to CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX. If it is deployed manually, it may have a different name, per example, WSMRole-XXXXXX. • The Instance ID of your WorkSpaces Manager. For this example, we will refer to it as i-99999999999999999

1. Create a new IAM policy on master account (Account A or 111111111111), which will give access to the second account (Account B or 222222222222) and call it ‘WSMAllowRemoteAccessPolicy’. The content in JSON format will be:

{
 “Version”: “2012-10-17”,
 “Statement”: [
  {
  “Sid”: “VisualEditor0”,
  “Effect”: “Allow”,
  “Action”: [
  “cloudwatch:DescribeAlarmsForMetric”,
  “cloudwatch:DescribeAlarmHistory”,
  “cloudwatch:DescribeAlarms”,
  “cloudwatch:Describe*”,
  “cloudwatch:GetDashboard”,
  “cloudwatch:GetMetricData”,
  “cloudwatch:GetMetricStatistics”,
  “cloudwatch:GetMetricWidgetImage”,
  “kms:ListKeys”,
  “kms:ListAliases”,
  “kms:DescribeKey”,
  “sts:AssumeRole”,
  “appstream:*”,
  “ce:*”,
  “pricing:*”,
  “workspaces:*”
 ],
 “Resource”: [
 ”*”,
 “arn:aws:iam::222222222222:role/AllowWSMAccess”
  ]
 }
 ]
}

2. On the master account, look for the Role/Instance Profile associated to the WSM EC2 instance and edit it to also include the new IAM Policy just created and called ‘WSMAllowRemoteAccessPolicy’.

Step 2: In Account B (where there are WorkSpaces to be managed by WorkSpaces Manager in another account)

1. Create a new IAM policy on second account (Account B or 222222222222), which will give access to WSM to some services. Call it ‘WSMPortalPolicy’. The content in JSON format will be:

{
 “Version”: “2012-10-17”,
 “Statement”: [
  {
   “Sid”: “VisualEditor0”,
   “Effect”: “Allow”,
   “Action”: [
   “cloudwatch:GetMetricData”,
   “cloudwatch:DescribeAlarmHistory”,
   “cloudwatch:DescribeAlarmsForMetric”,
   “cloudwatch:GetMetricWidgetImage”,
   “cloudwatch:GetDashboard”,
   “cloudwatch:GetMetricStatistics”,
   “cloudwatch:DescribeAlarms”,
   “logs:*”,
   “sts:GetAccessKeyInfo”,
   “sts:GetSessionToken”,
   “sts:GetServiceBearerToken”,
   “sts:GetCallerIdentity”,
   “ce:*”,
   “kms:*”,
   “pricing:*”,
   “workspaces:*”
  ],
  “Resource”: “*”
  },
  {
   “Sid”: “VisualEditor1”,
   “Effect”: “Allow”,
   “Action”: [
    “sts:AssumeRole”, “sts:GetFederationToken”
   ],
   “Resource”: [
    “arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX”,
    “arn:aws:iam::222222222222:role/AllowWSMAccess”
   ]
  }
 ]
}

2. Create a new IAM policy on second account (Account B or 222222222222), which will give access to WSM to assume a role remotely. Call it ‘WSMPortalIAMPolicy’. The content in JSON format will be:

{
 “Version”: “2012-10-17”,
 “Statement”: [
  {
   “Sid”: “VisualEditor0”,
   “Effect”: “Allow”,
   “Action”: [
   “iam:GetRole”,
   “iam:PassRole”,
   “sts:AssumeRole”
  ],
  “Resource”: [
   “arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX”,
   “arn:aws:sts::111111111111:assumed-role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX/i-99999999999999999”
  ]
 }
 ]
}

3. Create a new IAM policy on second account (Account B or 222222222222), which will give access to WSM to assume a role remotely. Call it ‘WSMPortalS3Policy’. The content in JSON format will be:

{
 “Version”: “2012-10-17”,
 “Statement”: [
  {
   “Sid”: “VisualEditor0”,
   “Effect”: “Allow”,
   “Action”: [
    “s3:GetBucketVersioning”,
    “s3:GetObject”,
    “s3:ListAllMyBuckets”,
    “s3:ListBucket”
   ],
   “Resource”: “*”
   },
  {
   “Sid”: “VisualEditor1”,
   “Effect”: “Allow”,
   “Action”: [
    “sts:AssumeRole”,
    “sts:GetFederationToken”
   ],
   “Resource”: [
    “arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX”,
    “arn:aws:iam::222222222222:role/AllowWSMAccess”
   ]
  }
 ]
}

4. Create an IAM role called ‘AllowWSMAccess’ for AWS Account subservice and attach the policies ‘WSMPortalPolicy’, ‘WSMPortalPolicy’ and ‘WSMPortalS3Policy’ that we created above

{
 “Version”: “2012-10-17”,
 “Statement”: [
  {
   “Sid”: “VisualEditor0”,
   “Effect”: “Allow”,
   “Action”: [
    “iam:GetRole”, “iam:PassRole”, “sts:AssumeRole”
   ],
   “Resource”: [
    “arn:aws:iam::111111111111:role/WSM320-YourWSMRole”,
    “arn:aws:sts::111111111111:assumed-role/WSM320-YourWSMRole/i-99999999999999999”
   ]
  }
 ]
}

5. Go to the ‘AllowWSMAccess’ IAM role, select ‘Trust Relationships’ and then ‘Edit Trust Policy’. Insert this JSON and select ‘Update Policy’.

{
 “Version”: “2008-10-17”,
 “Statement”: [
  {
   “Effect”: “Allow”,
   “Principal”: {
    “AWS”: [
     “arn:aws:iam::111111111111:root”,
     “arn:aws:iam::111111111111:role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX”,
     “arn:aws:sts::111111111111:assumed-role/CF-WSM-WorkSpacesManagerRole-XXXXXXXXXXXX/i-99999999999999999”
    ],
    “Service”: [ “workspaces.amazonaws.com”, “ec2.amazonaws.com”]
   },
   “Action”: “sts:AssumeRole”
  }
 ]
}

Step 3: Config WorkSpaces Manager in your main account (Account A)

Configure the WorkSpaces Manager Portal to accept the new account. Go to Configuration > Settings > Amazon Web Services and set ‘Multiple account’ to ‘On’.

On the right hand side panel, you will now see a Add option with your root (Master) WorkSpaces Manager account already filled in.

To add Account B, select the ‘Add’. Enter the details for the AWS account. • AD Integrated – Your WorkSpaces can either be domain joined or non-domain joined. If they are domain joined, select this. • WorkSpaces – WorkSpaces are viewable and enabled in this account. Select this. • AWS Cost Optimiser – Select. • Cost Optimiser Bucket – This is the s3 bucket that represents the Cost Optimiser location on Account B. • Access Log Group – Leave blank here for now Leave AppStream option and AppStream Bucket

Your new account will show up as below. Up to 10 accounts can show on one list, and any more will be on the next page where you can select ‘Next’.

By far the most popular method of creating WorkSpaces is using the Auto-Provisioning (AP) Profile.

To set up an AP Profile, navigate to Configurations and then AP Profiles

Select ‘Add Profile’.

Now type in the Active Directory group, select the AWS Region for the WorkSpaces to be created, select the WorkSpaces directory, select the WorkSpaces bundle, select the AWS account number that the WorkSpaces will reside in, select the running mode and then select to enable\disable root and user volume encryption. Then press ‘Save’.

If Auto-Provision is enabled, the service will poll the Active Directory groups every 15 minutes for new members.

In order to verify that WorkSpaces Manager can has access to multiple account’s resources, we will need to use the AWS CLI.

msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi

This will take 2-3 minutes to complete following the assistant:

To confirm the installation, from a new command-prompt or Powershell session, run command: aws ‑‑version

Since WorkSpaces Manager has an EC2 role assigned that grants some permissions on it, from a new Powershell Window, we will run the command: aws s3 ls

For this to be tested on multi-accounts, we need to modify the .aws/credentials file on our profile by running command: aws configure

A menu will ask for some details: AWS Access Key ID: keep blank AWS Secret Access Key: keep blank Default region name: use yours (in our case eu-central-1) Default output format: json (recommendation)

This will create a new directory called .aws that can be seen with the commands: ls cd .aws ls

We will edit the file by typing the command: notepad credentials Which will open the text editor for us to put the following: [default] region = eu-central-1 output = json

[remote] role_arn = arn:aws:iam::222222222222:role/AllowWSMAccess credential_source = Ec2InstanceMetadata

Verify role with command: aws sts get-caller-identity

Finally, check the permissions on the local account by running command: aws s3 ls

And remotely: aws s3 ls ‑‑profile remote

If you receive a message that role could not be assumed, you need to verify the steps to assure that all is properly configured.

It is important to make sure that you also have visibility of Directories and networks on the remote account. Verify it by running the command: aws workspaces describe-workspace-directories --query "Directories[*].Alias" --profile remote

Some other useful commands that can be helpful to verify that connection to remote AWS Accounts assuming roles are:

• List WorkSpaces in a table format (please, use the right region):

aws workspaces describe-workspaces --region eu-central-1 --query "Workspaces[*].[WorkspaceId, UserName]" --profile remote --output table

• List KMS keys ARNs:

aws kms list-keys --region eu-central-1 --query "Keys[*].KeyId" --profile remote --output table

On initial setup, and by default, you will have one domain. You can enable multiple domains by enabling the feature below in AD settings.

When Multi Domain is enabled, you can add more directories.

AD Service Account and password: When creating the AD Service Account to support AWS WorkSpaces you will have already provided an account with permissions to create computer objects within AD to the OU specified at the time. We recommend using the same service account and providing additional permissions to delete computer objects.

NetBIOS name: NetBIOS name of the domain that your WorkSpaces will be joining.

FQDN: Fully Qualified Domain Name of the domain that your WorkSpaces will be joining.

Default User OU: If you create a user in the ‘Add User’ section of the Portal, this is where it will place that user. If you use the ‘Import Template’ then you can specify where you want the user(s) to be located per OU or by copying template users.

Once the custom KMS Keys has been enabled from: Config > Settings > Amazon Web Services

Enable Multi-Domains from: Configuration > Settings > Active Directory and tick on “Multiple Domains”

The KMS Keys will now display for the same account in which the WSM is deployed:

In a multi-accounts scenario in AWS, you need to change the policies attached to the role in the secondary (or more) accounts and specify to WSM which role to use in each case. This is done in two different places: 1) In the secondary account in which you assign permissions for KMS to the existing role. 2) In WSM, for each account with WorkSpaces that are monitored, the role to assume has to be explicitly specified.

In the secondary account (and more if needed), a role like arn:aws:iam::222222222222:role/AllowWSMAccess will be edited and an AWS Managed Policy called “AWSKeyManagementServicePowerUser” will be added:

In WSM, you need to add the role that you are to use from a different account: