Amazon WorkSpaces Application Manager
Administration Guide

Sandboxing Your Package

Sandboxing means to separate changes made to the file system or registry from the Amazon WorkSpaces Application Manager client application. Amazon WAM Admin Player performs partial sandboxing for files, which means that only content modified or added to folders or subfolders of root folders in the package are sandboxed. For example, if a package contains only the installation root folder and the Program Files folder, and if the application creates a new file under the Windows folder, then this new file is directly written to the system. Amazon Admin Player sandboxes all default registry hives (that is, HKCR, HKCU, HKLM, HKU), but any other hive must be part of the package to be sandboxed.

For the paths in the package that are sandboxed, the content is separated from the system, meaning that they are not written to the local system but stored separately and only made available to the application. Again using the example above, if the package creates a new file under the Program Files folder, then the file is sandboxed and not written to the system. Only existing files under the Program Files folder that are not contained in the package would be modified by the application if attempted. The same rule applies for existing registry keys not contained within the package.

As a rule, do not sandbox any documents or data saved by the user. The following table lists the folders are the only exception for sandboxed folders.

Sandbox exclusion folders

Sandbox exclusion folder Path
System Root C:\
Desktop C:\Users\<username>\Desktop
Documents C:\Users\<username>\Documents
Downloads C:\Users\<username>\Downloads
Music C:\Users\<username>\Music
Pictures C:\Users\<username>\Pictures
Videos C:\Users\<username>\Videos
Links C:\Users\<username>\Links
Favorites C:\Users\<username>\Favorites
Contacts C:\Users\<username>\Contacts
Saved Games C:\Users\<username>\Saved Games
Searches C:\Users\<username>\Searches
Temp C:\Users\<username>\AppData\Local\temp
Internet Cache C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files
Shared Documents C:\Users\<username>\Documents
Shared Downloads C:\Users\<username>\Downloads
Shared Music C:\Users\Public\Music
Shared Pictures C:\Users\Public\Pictures
Shared Video C:\Users\Public\Videos

If your application writes to these folders, the data is directly written to the system, even if the Users folder is part of the application as a root folder, as would be expected by users.

To configure sandboxing in your package

  1. In Amazon Studio, choose Update to get the files in your package.

  2. Under 3. Optional settings, choose Settings.

  3. In the navigation pane, choose Sandboxing.

  4. To exclude a folder, choose Folder Exclusions. In the Sandbox Folder Exclusions dialog box, choose Add and then type the path to the folder that you want to exclude. Choose OK.


    You can drag-and-drop the folder to exclude to the Folder Exclusions dialog box from Explorer.

  5. To exclude a registry key, choose Registry Key Exclusions. In the Sandbox Registry Key Exclusions dialog box, choose Add and enter the registry key to exclude from the package.

  6. For Disposition for new registry key roots, choose Virtual-integrated (layer 3) for resources that the application and local system can see but are not physically installed on the local system, or Virtual-isolated (layer 4) for resources that only the application can see and are not physically installed on the local system.

  7. For Application settings, choose Preserve application settings when application is removed to save the application-specific settings modified by the user when the application assignment is removed from the user, or Allow Windows to road application settings to write the application-specific settings to the standard Windows roaming profiles location.

  8. Choose OK.