Amazon WorkSpaces
Administration Guide

Restrict WorkSpaces Access to Trusted Devices

By default, users can access their WorkSpaces from any supported device that is connected to the Internet. If your company limits corporate data access to trusted devices (also known as managed devices), you can restrict WorkSpaces access to trusted devices with valid certificates.

When you enable this feature, Amazon WorkSpaces uses certificate-based authentication to determine whether a device is trusted. If the WorkSpaces client application can't verify that a device is trusted, it blocks attempts to log in or reconnect from the device.

For each directory, you can import up to two root certificates. If you import two root certificates, Amazon WorkSpaces presents them both to the client and the client finds the first valid matching certificate that chains up to either of the root certificates.


This feature is supported for Windows computers and Mac computers.

Step 1: Create the Certificates

This feature requires two types of certificates: root certificates generated by an internal Certificate Authority (CA) and client certificates that chain up to a root certificate.


  • Certificates must be Base64-encoded certificate files in CRT, CERT, or PEM format.

  • Certificates must include a Common Name.

  • The maximum length of certificate chain supported is 4.

  • Amazon WorkSpaces does not currently support device revocation mechanisms, such as certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP), for client certificates.

  • Use a strong encryption algorithm. We recommend SHA256 with RSA, SHA256 with ECDSA, SHA381 with ECDSA, or SHA512 with ECDSA.

  • For macOS, if the device certificate is in the system keychain, we recommend that you authorize the WorkSpaces client application to access those certificates. Otherwise, users must enter keychain credentials when they log in or reconnect.

Step 2: Deploy Client Certificates to the Trusted Devices

You must install client certificates on the trusted devices for your users. You can use your preferred solution to install certificates to your fleet of client devices; for example, System Center Configuration Manager (SCCM) or mobile device management (MDM). Note that SCCM and MDM can optionally perform a security posture assessment to determine whether the devices meet your corporate policies to access WorkSpaces.

On Windows, the WorkSpaces client application searches for client certificates in both the user and root certificate stores. On macOS, the WorkSpaces client application searches for client certificates in the entire keychain.

Step 3: Configure the Restriction

After you have deployed the client certificates on the trusted devices, you can enable restricted access at the directory level. This requires the WorkSpaces client application to validate the certificate on a device before allowing a user to log in to a WorkSpace.

To configure the restriction

  1. Open the Amazon WorkSpaces console at

  2. In the navigation pane, choose Directories.

  3. Select the directory and then choose Actions, Update Details.

  4. Expand Access Control Options.

  5. [Windows] Choose Only Allow Trusted Windows Devices to Access WorkSpaces.

  6. [macOS] Choose Only Allow Trusted macOS Devices to Access WorkSpaces.

  7. Import up to two root certificates. For each root certificate, do the following:

    1. Choose Import.

    2. Copy the body of the certificate to the form.

    3. Choose Import.

  8. Choose Update and Exit.