Update directory details for your WorkSpaces - Amazon WorkSpaces

Update directory details for your WorkSpaces

You can complete the following directory management tasks using the WorkSpaces console.

Select an organizational unit

WorkSpace machine accounts are placed in the default organizational unit (OU) for the WorkSpaces directory. Initially, the machine accounts are placed in the Computers OU of your directory or the directory that your AD Connector is connected to. You can select a different OU from your directory or connected directory, or specify an OU in a separate target domain. Note that you can select only one OU per directory.

After you select a new OU, the machine accounts for all WorkSpaces that are created or rebuilt are placed in the newly selected OU.

To select an organizational unit
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose your directory.

  4. Under Target domain and organizational unit, choose Edit.

  5. To find an OU, under Target and organizational unit, you can start typing all or part of the OU name and choose the OU you want to use.

  6. (Optional) Choose an OU distinguished name to overwrite your selected OU with a custom OU.

  7. Choose Save.

  8. (Optional) Rebuild the existing WorkSpaces to update the OU. For more information, see Rebuild a WorkSpace.

Configure automatic public IP addresses

After you enable automatic assignment of public IP addresses, each WorkSpace that you launch is assigned a public IP address from the Amazon-provided pool of public addresses. A WorkSpace in a public subnet can access the internet through the internet gateway if it has a public IP address. WorkSpaces that already exist before you enable automatic assignment do not receive public addresses until you rebuild them.

Note that you do not need to enable automatic assignment of public addresses if your WorkSpaces are in private subnets and you configured a NAT gateway for the virtual private cloud (VPC), or if your WorkSpaces are in public subnets and you assigned them Elastic IP addresses. For more information, see Configure a VPC for WorkSpaces.

Warning

If you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool. To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace. If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

To configure Elastic IP addresses
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory for your WorkSpaces.

  4. Choose Actions, Update Details.

  5. Expand Access to Internet and select Enable or Disable.

  6. Choose Update.

Control device access

You can specify the types of devices that have access to WorkSpaces. In addition, you can restrict access to WorkSpaces to trusted devices (also known as managed devices).

To control device access to WorkSpaces
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose your directory.

  4. Under Access control options, choose Edit.

  5. Under Trusted devices, specify which device types can access WorkSpaces by selecting either Allow all, Trusted devices, or Deny all. For more information, see Restrict WorkSpaces access to trusted devices.

  6. Choose Save.
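The device access control above is also exposed by the WorkSpaces API as the WorkspaceAccessProperties structure (one ALLOW/DENY value per device type) on ModifyWorkspaceAccessProperties. The following is an added example, not code from this page or from AWS, that builds that structure as a complete allow-list and audits a directory's current settings against an organization policy. The directory ID, the sample describe output and the FakeClient are constructed for the example; importing trusted-device certificates is a console task and is not covered here.

```python
"""Device-type access control for a WorkSpaces directory (added example).

Uses the boto3 parameter shape of
workspaces.modify_workspace_access_properties() and the
WorkspaceAccessProperties field of describe_workspace_directories().
"""

DIRECTORY_ID = "d-0123456789"  # constructed placeholder, not a real directory

# The device types the WorkspaceAccessProperties structure knows.
DEVICE_TYPES = (
    "DeviceTypeWindows", "DeviceTypeOsx", "DeviceTypeWeb", "DeviceTypeIos",
    "DeviceTypeAndroid", "DeviceTypeChromeOs", "DeviceTypeZeroClient",
    "DeviceTypeLinux",
)


def build_access_properties(allowed):
    """ALLOW the listed device types and DENY every other one.

    Sending a full allow-list rather than a partial update means nothing is
    left at whatever value the directory happened to have before.
    """
    unknown = set(allowed) - set(DEVICE_TYPES)
    if unknown:
        raise ValueError(f"unknown device type(s): {sorted(unknown)}")
    return {
        "ResourceId": DIRECTORY_ID,
        "WorkspaceAccessProperties": {
            t: ("ALLOW" if t in allowed else "DENY") for t in DEVICE_TYPES
        },
    }


def allowed_device_types(describe_response, directory_id):
    """Device types explicitly ALLOWed for one directory in
    describe_workspace_directories() output."""
    for d in describe_response.get("Directories", []):
        if d.get("DirectoryId") == directory_id:
            props = d.get("WorkspaceAccessProperties", {})
            return [t for t, v in props.items() if v == "ALLOW"]
    return []


def audit(describe_response, directory_id, policy_allowed):
    """Device types that are allowed but not permitted by policy, i.e.
    access paths a reviewer would want closed (sorted for stable output)."""
    return sorted(set(allowed_device_types(describe_response, directory_id))
                  - set(policy_allowed))


def apply(client, params):
    """Call the API through any object with the boto3 method name."""
    client.modify_workspace_access_properties(**params)
    return params["ResourceId"]


class FakeClient:
    """Stand-in for boto3.client('workspaces') so the example runs offline."""

    def __init__(self):
        self.calls = []

    def modify_workspace_access_properties(self, **kwargs):
        self.calls.append(kwargs)
        return {}


# Constructed describe output: a permissive directory that allows everything.
SAMPLE_DESCRIBE = {
    "Directories": [{
        "DirectoryId": DIRECTORY_ID,
        "WorkspaceAccessProperties": {t: "ALLOW" for t in DEVICE_TYPES},
    }]
}

if __name__ == "__main__":
    policy = ["DeviceTypeWindows", "DeviceTypeOsx"]
    print("out of policy:", audit(SAMPLE_DESCRIBE, DIRECTORY_ID, policy))
    print("applied:", apply(FakeClient(), build_access_properties(policy)))
```

Replace FakeClient with `boto3.client("workspaces")` to run it against a real directory; the change applies to new sessions, so a user already connected from a now-denied device type is not disconnected by the call itself.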

Manage local administrator permissions

You can specify whether users are local administrators on their WorkSpaces, which enables them to install applications and modify settings on their WorkSpaces. Users are local administrators by default. If you modify this setting, the change applies to all new WorkSpaces that you create and any WorkSpaces that you rebuild.

To modify local administrator permissions
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose your directory.

  4. Under Local administrator settings, choose Edit.

  5. To ensure that users are local administrators, choose Enable local administrator setting.

  6. Choose Save.
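The target OU, the automatic public IP address switch and the local administrator setting described in the three procedures above are all fields of one API structure, WorkspaceCreationProperties, set with ModifyWorkspaceCreationProperties and read back with DescribeWorkspaceDirectories. The following is an added example, not code from this page or from AWS, that validates the OU distinguished name, builds the call, reports drift between the desired and current settings, and flags the two settings a least-privilege review usually questions. The directory ID, OU, sample describe output and FakeClient are constructed for the example.

```python
"""Directory creation properties for WorkSpaces (added example).

Uses the boto3 parameter shape of
workspaces.modify_workspace_creation_properties() and the
WorkspaceCreationProperties field of describe_workspace_directories().
"""
import re

DIRECTORY_ID = "d-0123456789"  # constructed placeholder, not a real directory
TARGET_OU = "OU=WorkSpaces,OU=Workstations,DC=corp,DC=example,DC=com"  # constructed

# An OU path: one or more OU= components followed by the domain's DC= components.
DN_RE = re.compile(r"^(OU=[^,]+,)+(DC=[^,]+,)*DC=[^,]+$", re.IGNORECASE)


def validate_ou_dn(dn):
    """Reject strings that are not an OU distinguished name.

    A bad DN only surfaces when the next WorkSpace is created or rebuilt and
    its machine account cannot be placed, so check it before the API call.
    """
    if not DN_RE.match(dn):
        raise ValueError(f"not an OU distinguished name: {dn!r}")
    return dn


def build_creation_properties(default_ou, enable_internet_access, local_admin):
    """Parameters for workspaces.modify_workspace_creation_properties()."""
    return {
        "ResourceId": DIRECTORY_ID,
        "WorkspaceCreationProperties": {
            "DefaultOu": validate_ou_dn(default_ou),
            # True: each new or rebuilt WorkSpace gets an Amazon-provided
            # public IP address (the console's "Access to Internet" switch).
            "EnableInternetAccess": enable_internet_access,
            # Default is True; False removes local administrator rights
            # on WorkSpaces created or rebuilt from now on.
            "UserEnabledAsLocalAdministrator": local_admin,
        },
    }


def drift(desired, describe_response):
    """Keys in the desired properties whose current value differs,
    as {key: (actual, desired)}; only keys present in `desired` are compared."""
    want = desired["WorkspaceCreationProperties"]
    actual = {}
    for d in describe_response.get("Directories", []):
        if d.get("DirectoryId") == desired["ResourceId"]:
            actual = d.get("WorkspaceCreationProperties", {})
    return {k: (actual.get(k), v) for k, v in want.items() if actual.get(k) != v}


def risk_findings(describe_response):
    """Settings a least-privilege review would question, per directory."""
    findings = []
    for d in describe_response.get("Directories", []):
        props = d.get("WorkspaceCreationProperties", {})
        if props.get("UserEnabledAsLocalAdministrator", True):
            findings.append((d["DirectoryId"], "users are local administrators"))
        if props.get("EnableInternetAccess", False):
            findings.append((d["DirectoryId"], "WorkSpaces get public IP addresses"))
    return findings


def apply(client, params):
    """Call the API through any object with the boto3 method name.
    Existing WorkSpaces keep their old OU/IP/admin state until rebuilt."""
    client.modify_workspace_creation_properties(**params)
    return params["ResourceId"]


class FakeClient:
    """Stand-in for boto3.client('workspaces') so the example runs offline."""

    def __init__(self):
        self.calls = []

    def modify_workspace_creation_properties(self, **kwargs):
        self.calls.append(kwargs)
        return {}


# Constructed describe output: the defaults the page describes (no OU chosen
# yet, no automatic public IPs, users are local administrators).
SAMPLE_DESCRIBE = {
    "Directories": [{
        "DirectoryId": DIRECTORY_ID,
        "WorkspaceCreationProperties": {
            "EnableInternetAccess": False,
            "UserEnabledAsLocalAdministrator": True,
        },
    }]
}

if __name__ == "__main__":
    wanted = build_creation_properties(TARGET_OU, False, False)
    print("findings:", risk_findings(SAMPLE_DESCRIBE))
    print("drift:", drift(wanted, SAMPLE_DESCRIBE))
    print("applied to:", apply(FakeClient(), wanted))
```

Run the drift check again after the call and after rebuilding the affected WorkSpaces: the API reflects the directory setting immediately, but the machine accounts, public addresses and admin rights of existing WorkSpaces change only on rebuild, as the text above notes.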

Update the AD Connector account (AD Connector)

You can update the AD Connector account that is used to read users and groups and join WorkSpaces machine accounts to your AD Connector directory.

To update the AD Connector account
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and then choose View details.

  4. Under AD connector account, choose Edit.

  5. Enter the sign-in credentials for the new account.

  6. Choose Save.

Multi-factor authentication (AD Connector)

You can enable multi-factor authentication (MFA) for your AD Connector directory. For more information about using multi-factor authentication with AWS Directory Service, see Enable multi-factor authentication for AD Connector and AD Connector prerequisites.

Note
  • Your RADIUS server can either be hosted by AWS or it can be on-premises.

  • The usernames must match between Active Directory and your RADIUS server.

To enable multi-factor authentication
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select your directory and then choose Actions, Update Details.

  4. Expand Multi-Factor Authentication and then select Enable Multi-Factor Authentication.

  5. For RADIUS server IP address(es), type the IP addresses of your RADIUS server endpoints separated by commas, or type the IP address of your RADIUS server load balancer.

  6. For Port, type the port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (UDP:1812) from AD Connector.

  7. For Shared secret code and Confirm shared secret code, type the shared secret code for your RADIUS server.

  8. For Protocol, choose the protocol for your RADIUS server.

  9. For Server timeout, type the time, in seconds, to wait for the RADIUS server to respond. This value must be between 1 and 50.

  10. For Max retries, type the number of times to attempt communication with the RADIUS server. This value must be between 0 and 10.

  11. Choose Update and Exit.

Multi-factor authentication is available when RADIUS status is Enabled. While multi-factor authentication is being set up, users cannot log in to their WorkSpaces.
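The RADIUS values collected in steps 5 through 10 map directly onto the RadiusSettings structure of the AWS Directory Service EnableRadius API, and the status the console shows is the RadiusStatus field of DescribeDirectories (the API reports Completed where the console shows Enabled). The following is an added example, not code from this page or from AWS, that validates those values with the limits stated above, passes them to the call, redacts the shared secret for logging, and polls the status, since users cannot sign in to their WorkSpaces until setup finishes. The directory ID, server addresses, shared secret and FakeClient are constructed for the example.

```python
"""RADIUS-based MFA for an AD Connector directory (added example).

Uses the boto3 parameter shape of ds.enable_radius() and the RadiusStatus
field returned by ds.describe_directories().
"""
import ipaddress
import time

DIRECTORY_ID = "d-0123456789"  # constructed placeholder, not a real directory
PROTOCOLS = ("PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2")
DEFAULT_RADIUS_PORT = 1812  # UDP, the default port named in step 6


def build_radius_settings(servers, shared_secret, protocol="MS-CHAPv2",
                          port=DEFAULT_RADIUS_PORT, timeout=30, retries=3,
                          label="MFA code"):
    """Validate the console's inputs and return a RadiusSettings structure.

    Limits are the ones the procedure states: timeout 1-50 seconds,
    retries 0-10. Each server entry must be an IP address (endpoint or
    load balancer address), as the console field expects.
    """
    if not servers:
        raise ValueError("at least one RADIUS server address is required")
    for s in servers:
        ipaddress.ip_address(s)  # raises ValueError on anything but an IP
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not 1 <= timeout <= 50:
        raise ValueError(f"server timeout must be 1-50 seconds, got {timeout}")
    if not 0 <= retries <= 10:
        raise ValueError(f"max retries must be 0-10, got {retries}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}, got {protocol!r}")
    if not shared_secret:
        raise ValueError("shared secret must not be empty")
    return {
        "RadiusServers": list(servers),
        "RadiusPort": port,
        "RadiusTimeout": timeout,
        "RadiusRetries": retries,
        "SharedSecret": shared_secret,
        "AuthenticationProtocol": protocol,
        "DisplayLabel": label,
        # Usernames must match between Active Directory and the RADIUS server.
        "UseSameUsername": True,
    }


def loggable(settings):
    """Copy of the settings safe to write to logs or tickets."""
    return {**settings, "SharedSecret": "***"}


def enable_mfa(client, settings):
    """Call the API through any object with the boto3 method name."""
    client.enable_radius(DirectoryId=DIRECTORY_ID, RadiusSettings=settings)
    return loggable(settings)


def radius_status(client):
    """RadiusStatus for the directory: Creating, Completed or Failed."""
    resp = client.describe_directories(DirectoryIds=[DIRECTORY_ID])
    for d in resp.get("DirectoryDescriptions", []):
        if d.get("DirectoryId") == DIRECTORY_ID:
            return d.get("RadiusStatus")
    return None


def wait_until_enabled(client, attempts=10, sleep=0.0):
    """Poll until setup finishes. Completed means MFA is now enforced;
    Failed means users are still locked out and the settings need fixing."""
    status = None
    for _ in range(attempts):
        status = radius_status(client)
        if status in ("Completed", "Failed"):
            return status
        time.sleep(sleep)
    return status  # still Creating after all attempts


class FakeClient:
    """Stand-in for boto3.client('ds'): reports Creating twice, then Completed."""

    def __init__(self):
        self.settings = None
        self.polls = 0

    def enable_radius(self, DirectoryId, RadiusSettings):
        self.settings = RadiusSettings
        return {}

    def describe_directories(self, DirectoryIds):
        self.polls += 1
        status = "Creating" if self.polls <= 2 else "Completed"
        return {"DirectoryDescriptions": [
            {"DirectoryId": DirectoryIds[0], "RadiusStatus": status}]}


if __name__ == "__main__":
    fc = FakeClient()
    cfg = build_radius_settings(["10.0.0.5", "10.0.0.6"], "constructed-secret")
    print("enabling with", enable_mfa(fc, cfg))
    print("status:", wait_until_enabled(fc))
```

With a real `boto3.client("ds")`, give `wait_until_enabled` a non-zero `sleep` and schedule the change in a maintenance window: every poll that returns Creating is time during which users cannot log in.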