Restrict WorkSpaces access to trusted devices - Amazon WorkSpaces

By default, users can access their WorkSpaces from any supported device that is connected to the internet. If your company limits corporate data access to trusted devices (also known as managed devices), you can restrict WorkSpaces access to trusted devices with valid certificates.

When you enable this feature, WorkSpaces uses certificate-based authentication to determine whether a device is trusted. If the WorkSpaces client application can't verify that a device is trusted, it blocks attempts to log in or reconnect from the device.

For each directory, you can import up to two root certificates. If you import two root certificates, WorkSpaces presents both to the client, and the client uses the first valid certificate it finds that chains up to either of the root certificates.

Supported clients

  • Android, running on Android or Android-compatible Chrome OS systems

  • macOS

  • Windows

Important

This feature is not supported by the following clients:

  • WorkSpaces client applications for Linux or iPad

  • WorkSpaces Web Access

  • Third-party clients, including, but not limited to, Teradici PCoIP, RDP clients, and remote desktop applications.

Step 1: Create the certificates

This feature requires two types of certificates: root certificates generated by an internal Certificate Authority (CA) and client certificates that chain up to a root certificate.

Requirements

  • Certificates must be Base64-encoded certificate files in CRT, CERT, or PEM format.

  • Certificates must include a Common Name.

  • The maximum supported certificate chain length is 4.

  • WorkSpaces does not currently support device certificate revocation mechanisms, such as certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP), for client certificates.

  • Use a strong signature algorithm. We recommend SHA256 with RSA, SHA256 with ECDSA, SHA384 with ECDSA, or SHA512 with ECDSA.

  • Make sure the client certificate's Key Usage extension includes Digital Signature. Without it, device authentication fails even when the certificate and its private key are installed on the device and the root certificate has been imported in the WorkSpaces console.

  • For macOS, if the device certificate is in the system keychain, we recommend that you authorize the WorkSpaces client application to access those certificates. Otherwise, users must enter keychain credentials when they log in or reconnect.
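The following script is an added example and is not part of the AWS documentation or of any AWS tooling. It builds an internal root CA and a client certificate that meet the requirements listed above (PEM encoding, a Common Name, a recommended signature algorithm, Digital Signature key usage, a chain of at most 4 certificates), then runs offline checks for those properties before the root is imported into a directory. It also issues a second certificate that omits Digital Signature to show the check rejecting it. The CA name, device names, ECDSA P-256 keys, validity periods and file names are assumptions for illustration; the page does not document exactly how the WorkSpaces client validates a certificate, so these checks cover the stated requirements only.

```shell
#!/bin/sh
# Added example, not AWS code. Assumed values: CA name, device names, key type,
# validity periods, file names.
set -eu

# Write a minimal openssl config so the script does not depend on the system
# openssl.cnf. $2 is the Common Name (required by WorkSpaces).
write_req_config() {
  printf '[req]\ndistinguished_name = req_dn\nprompt = no\n[req_dn]\nCN = %s\n' "$2" > "$1"
}

# Self-signed root CA, signed with SHA256 with ECDSA (one of the recommended algorithms).
make_root_ca() {
  dir="$1"
  mkdir -p "$dir"
  write_req_config "$dir/root.cnf" "Example Internal Device CA"
  printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> "$dir/root.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
  openssl req -x509 -new -key "$dir/root.key" -sha256 -days 3650 \
    -config "$dir/root.cnf" -extensions v3_ca -out "$dir/root.pem"
}

# Client certificate signed by the root. $3 is the keyUsage value, so the effect
# of omitting digitalSignature can be demonstrated.
make_client_cert() {
  dir="$1"; name="$2"; key_usage="$3"
  write_req_config "$dir/$name.cnf" "$name.devices.example.internal"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -sha256 -config "$dir/$name.cnf" -out "$dir/$name.csr"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, %s\nextendedKeyUsage = clientAuth\n' \
    "$key_usage" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.pem"
}

# Count certificates across the given PEM files (the page allows at most 4 in a chain).
count_chain_certs() {
  cat "$@" | grep -c 'BEGIN CERTIFICATE'
}

# Return 0 when the client certificate satisfies the requirements that can be
# checked offline; print the first failing requirement and return 1 otherwise.
check_client_cert() {
  root="$1"; cert="$2"
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "does not chain to the root"; return 1; }
  openssl x509 -in "$cert" -noout -subject | grep -q 'CN' \
    || { echo "no Common Name"; return 1; }
  openssl x509 -in "$cert" -noout -text \
    | awk '/X509v3 Key Usage/ { getline; print }' | grep -q 'Digital Signature' \
    || { echo "Key Usage lacks Digital Signature"; return 1; }
  sigalg=$(openssl x509 -in "$cert" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case "$sigalg" in
    sha256WithRSAEncryption|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
    *) echo "signature algorithm not in the recommended set: $sigalg"; return 1 ;;
  esac
  [ "$(count_chain_certs "$cert" "$root")" -le 4 ] || { echo "chain longer than 4"; return 1; }
  return 0
}

# Demonstration: one compliant device certificate and one without Digital Signature.
demo_dir=$(mktemp -d)
make_root_ca "$demo_dir"
make_client_cert "$demo_dir" laptop-0001 digitalSignature
make_client_cert "$demo_dir" laptop-0002 keyAgreement
check_client_cert "$demo_dir/root.pem" "$demo_dir/laptop-0001.pem" && echo "laptop-0001: OK"
check_client_cert "$demo_dir/root.pem" "$demo_dir/laptop-0002.pem" || echo "laptop-0002: rejected"
```

The file `root.pem` is what gets pasted into the directory's Access Control Options; `laptop-0001.pem` and its key are what SCCM or MDM would deploy to the device. Because WorkSpaces checks no CRL or OCSP for client certificates, the validity period chosen at issuance (365 days is an assumed value here) is the only expiry control an issued device certificate has, so it deserves a deliberate choice.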

Step 2: Deploy client certificates to the trusted devices

You must install client certificates on the trusted devices for your users. You can use your preferred solution to install certificates to your fleet of client devices; for example, System Center Configuration Manager (SCCM) or mobile device management (MDM). Note that SCCM and MDM can optionally perform a security posture assessment to determine whether the devices meet your corporate policies to access WorkSpaces.

The WorkSpaces client applications search for certificates as follows:

  • Android - On Android devices, the client searches the keychain for client certificates. On Android-compatible Chrome OS systems, it searches the keychain for user certificates.

  • macOS - Searches the keychain for client certificates.

  • Windows - Searches the user and root certificate stores for client certificates.

Step 3: Configure the restriction

After you have deployed the client certificates on the trusted devices, you can enable restricted access at the directory level. This requires the WorkSpaces client application to validate the certificate on a device before allowing a user to log in to a WorkSpace.

To configure the restriction

  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory and then choose Actions, Update Details.

  4. Expand Access Control Options.

  5. Select the device type under For each device type, specify which devices can access WorkSpaces.

  6. Import up to two root certificates. For each root certificate, do the following:

    1. Choose Import.

    2. Copy the body of the certificate to the form.

    3. Choose Import.

  7. (Optional) Specify whether other types of devices have access to WorkSpaces.

    1. Scroll down to the Other Platforms section. By default, WorkSpaces Web Access and Linux clients are disabled, and users can access their WorkSpaces from their iOS devices, Android devices, Chromebooks, and PCoIP zero client devices.

    2. Select the device types to enable and clear the device types to disable.

    3. To block access from all selected device types, choose Block.

  8. Choose Update and Exit.