Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the AWS Cloud. Amazon AppStream 2.0 is a fully managed, secure application streaming service that allows you to stream desktop applications from AWS to any device running a web browser. This session will demonstrate how to automate Amazon WorkSpaces desktop and Appstream 2.0 application provisioning to provide users the appropriate experience as they enter, change roles, and leave an organization. Topics presented will include the Amazon WorkSpaces Cost Optimizer, AppStream 2.0 federated sign-in using SAML 2.0, and customer use cases. Learn More: https://aws.amazon.com/government-education/

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew DeFoe
AMAZON WEB SERVICES
SENIOR SOLUTIONS ARCHITECT
June 14, 2017
Automating Amazon WorkSpaces Desktop and
AppStream 2.0 Application Provisioning with the End
User Lifecycle
Your Cloud-based Desktop Experience Is Ready
Alex Pereluka
ARIZONA DEPARTMENT OF TRANSPORTATION
SERVER MANAGEMENT TECHNICIAN

2. What customers are telling us they want
Ability to
improve service
levels
Support for
different user
types
Flexibility for
different client
devices
Improved
security
Agility
without app
changes

3. Customer success story
Use case | Arizona Department of Transportation
 Arizona Department of Transportation (ADOT) operates hundreds of remote offices
with thousands of agents, and additionally supports hundreds of Authorized Third Party
locations.
 Migration from on-premises VDI to Amazon WorkSpaces eliminates on-premises server
and storage infrastructure and reduces operating costs.
 Using zero client and BYOD devices for Amazon WorkSpaces greatly reduces endpoint
management and, in most cases, eliminates the requirement for VPN connectivity from
Third Party locations. This further reduces costs and improves network security.
 Amazon WorkSpaces provides consistent performance, regardless of office location, with
high-speed, low-latency connectivity to cloud-based or on-premises applications.
 ADOT has fully automated provisioning of Amazon WorkSpaces desktops. This
improves service levels and reduces maintenance and operating costs (vs. traditional VDI
and PC desktops).

4. A cost-effective, managed cloud desktop
Secure
Pay as you go
Simple management
Highly interactive cloud desktops
your users will love
Scale consistently

5. A desktop experience your users will love
Securely access a persistent, nonvolatile desktop with a consistent CPU, memory, and
storage from zero clients, Windows, macOS, an iPad, an Android tablet, a Chromebook, a
Fire tablet, and Chrome or Firefox running on Windows, macOS, or Linux.
Persistent
desktop
Consistent
performance
Available on any
device

6. Improved security
Amazon WorkSpaces encrypts data and streams, keeps information off of devices, supports
VPC security groups, and supports RADIUS for user MFA authentication.
No sensitive
data on client
devices
WorkSpace data
encrypted at
rest
Desktop
stream
encrypted in
transit
Multi-factor
authentication
(RADIUS)

7. Plays well with on-premises services and your
VPC
Active Directory
SCCM and
Amazon EC2
Systems
Manager
On-premises
network and
applications
Amazon WorkSpaces integrates easily with Active Directory for domain joins, user
authentication, and GPOs. Use SCCM or Amazon EC2 Systems Manager to patch your
WorkSpaces, and privately access on-premises or cloud applications using your VPC.

8. No servers to
manage
Scale
on demand
Amazon WorkSpaces removes the burden of infrastructure management and scales
instantly. It provides the flexibility to pay monthly or hourly to support full-time and temporary
users. You can mix monthly and hourly billing within your AWS account, and you can also
switch between billing options at any time during a billing period to optimize your AWS bill.
Available
globally
Cloud economics
Pay only for
what you use

9. Amazon WorkSpaces regions

10. Automated provisioning components
Image
Windows 7
Desktop
Experience
Windows 10
Desktop
Experience
Plus Software
Bundle
Custom
Preinstalled
Software
BYOL
Software
Preinstalled
(Image)
Group Policy
Software
Installation
Amazon WAM
Amazon
AppStream 2.0
Hardware
Value
Standard
Performance
Graphics
Pricing
Model
Always On
Hourly
Active
Directory
Group Policy
Objects
Organizational
Units
Deployment
Groups
Local Admin
Groups
Service
Accounts
Scripts
Boot, Login, and
Logout
WorkSpaces API
Actions
AWS CloudTrail
Amazon
CloudWatch
AWS Lambda
Tags
AWS IAM Roles
AD Service
Account
Clients
Teradici Zero
Client
Teradici PCoIP
Connection
Manager (EC2)
Teradici PCoIP
Management
Console
(VMware)
WorkSpaces
Client
Web Access
Management
Image Lifecycle
(Manual)
WorkSpaces
Create
WorkSpaces
Reboot/Rebuild
WorkSpaces
Start/Stop
WorkSpaces
Modify
WorkSpaces
Terminate
Monitoring

11. Amazon WorkSpaces images
Included with AWS provided bundles:
 Windows 7 Desktop Experience (Windows Server
2008 R2)
 Windows 10 Desktop Experience (Windows Server
2016)
 Additional default software includes Firefox and
WinZip
 Plus Software Bundle additionally includes Microsoft
Office Professional and Trend Micro Worry-Free
Business Security Services
 Images are maintained by Amazon
BYOL images:
 Windows 7 or Windows 10 image and OS license
are provided by the customer and require dedicated
hardware
 Create custom bundles using BYOL images
Custom preinstalled software:
 Start with AWS provided bundle or custom bundle
using a BYOL image
 Configure software and prepare for imaging
 Create custom images and bundles
 Images are maintained by the customer
Image + Hardware = Bundle

12. Amazon WorkSpaces software
Strategies include:
 Preinstalled (image)
 Group Policy Software
Installation (GPSI)
 Amazon WorkSpaces
Application Manager (WAM)
 Amazon AppStream 2.0
 User installed
Things to consider:
 Image maintenance
 Number of applications and
combinations for different user
groups
 Size of application packages
 System requirements
 Usage pattern

13. Amazon WorkSpaces hardware
Things to consider:
 Selection is based on software system requirements for each user.
 Consider baseline vs. peak system requirements and software usage pattern.
 Consider Amazon AppStream 2.0 to offload and scale compute resources for
specific applications.

14. Amazon WorkSpaces pricing model
 Always On - fixed monthly fee for unlimited usage during the month.
This is best for workers who use their Amazon WorkSpace full-time
or as their primary desktop.
 Hourly - small fixed monthly fee per WorkSpace to cover
infrastructure costs and storage, and a low hourly rate for each hour
the WorkSpace is used during the month. Hourly billing works best
when Amazon WorkSpaces are used, on average, for less than a full
working day or for just a few days a month.

15. Example provisioning architecture
Use case | Arizona Department of Transportation

16. Active Directory
 Group Policy Objects
 Organizational units
 Deployment groups
 Local Administrator
groups
 Service accounts
Things to consider:
 Create OUs for WorkSpaces machine accounts to configure
settings and install software. Consider using the Active
Directory Group Policy loopback feature to apply Group Policy
Objects (GPOs) to users logging in to WorkSpaces.
 Consider a “Request Administrative Rights” workflow or use
Group Policy Preferences to selectively allow users to be part
of their own WorkSpaces local Administrators group on a
temporary or permanent basis.
 Use separate OUs with blocked GPO inheritance when you
create WorkSpaces images (separate WorkSpaces directory-
id).
Active Directory

17. Active Directory
 Group Policy Objects
 Organizational units
 Deployment groups
 Local Administrator
groups
 Service accounts
Things to consider:
 Create Active Directory security groups for every WorkSpaces bundle
and environment lifecycle, and provision based on user membership in a
deployment group.
 Install the pcoip.adm Group Policy administrative template to apply
settings that are specific to Amazon WorkSpaces.
 Use a domain service account with WorkSpaces directory-ids to
authenticate users and join computers to the domain. Use additional
service accounts for WorkSpaces image creation and to run provisioning
automation scripts.
Active Directory

18. Scripts
 Boot, login, and logout
 WorkSpaces API
actions
 AWS CloudTrail
 Amazon CloudWatch
 AWS Lambda
 Tags
 AWS IAM roles
 Active Directory service
account
Things to consider:
 Run login (user profile), logout (profile cleanup), and boot (public profile) scripts
to maintain the WorkSpaces user environment.
 Execute Amazon WorkSpaces API and other actions (CreateTags,
CreateWorkspaces, DeleteTags, DescribeTags, DescribeWorkspaceBundles,
DescribeWorkspaceDirectories, DescribeWorkspaces,
DescribeWorkspacesConnectionStatus, ModifyWorkspaceProperties,
RebootWorkspaces, RebuildWorkspaces, StartWorkspaces, StopWorkspaces,
and TerminateWorkspaces) using AWS SDKs and audit activity with AWS
CloudTrail.
 Run scripts on a scheduled basis from Amazon EC2, or use AWS Lambda
functions to poll for changes to deployment group membership. Or run scripts
based on auditing security events on domain controllers when users are added
or removed from deployment groups. Security logs can be delivered to Amazon
CloudWatch Logs and processed using AWS Lambda.

19. Scripts
 Boot, login, and logout
 WorkSpaces API
actions
 AWS CloudTrail
 Amazon CloudWatch
 AWS Lambda
 Tags
 AWS IAM roles
 Active Directory service
account
Things to consider:
 Use tags to manage and track Amazon WorkSpaces. Tags help
categorize WorkSpaces so you can easily identify their purpose and
track costs accordingly. For example, tags can help you identify all of the
WorkSpaces for a particular department, project, application, vendor, or
use case. You can also use tags to control billing options using the
Amazon WorkSpaces Cost Optimizer.
 Create AWS Identity and Access Management (IAM) roles and policies
for Amazon EC2 or AWS Lambda functions to execute WorkSpaces API
and other actions. To directly interact with Active Directory, protect Active
Directory service account credentials in Amazon EC2 Systems
Manager Parameter Store and AWS Key Management Service
(KMS).

20. Example user management components
 A GPO to control the appearance of the Desktop, Start Menu, and lockdown policies
 A default profile created by the “WorkSpaces Builder” during the imaging process
 A roaming profile to retain the user’s customization (excluding data)
 Folder Redirection to a network share running in an accessible VPC for My Documents, Desktop, and Favorites
folders
 Boot scripts controlling the Public Desktop folder and the Public Start Menu for all users
 A Login script controlling users’ individual Start Menu, Desktop, and mandatory Favorites folders
 Region-based GPO Software Restriction Policies (SRPs) to control access to applications installed on the
WorkSpaces image based on Active Directory security group membership, in order to reduce the number of
images required
 A Logout script to clean the user profile (Temporary Internet Files, Downloads, Cookies, etc.) at logout to reduce
the size of the user profile and maintain a consistent user experience
Use case | Arizona Department of Transportation

21. Clients
 Teradici zero client
 Teradici PCoIP
Connection Manager
(EC2)
 Teradici PCoIP
Management Console
(VMware)
 WorkSpaces client
 Web access
Things to consider:
 Teradici zero clients require Teradici PCoIP Connection Manager to
authenticate users and connect to Amazon WorkSpaces. PCoIP Connection
Manager is available in the AWS Marketplace.
 Teradici PCoIP Management Console is an on-premises VMware appliance
that enables administrators to quickly and easily provision new devices, report
on inventory, review metrics, configure settings, and update firmware from a
single console. This means that Teradici zero clients can be automatically
provisioned for use with Amazon WorkSpaces in a plug-and-play model.
 You can access all Amazon WorkSpaces clients and the web access client at
https://clients.amazonworkspaces.com/. Users or desktop administrators need
to know their WorkSpaces Registration Code to configure the client and access
the WorkSpace.
 Web access must be enabled on the Amazon WorkSpaces Directory.

22. Management
 Image lifecycle (manual)
 WorkSpaces create
 WorkSpaces
reboot/rebuild
 WorkSpaces start/stop
 WorkSpaces modify
 WorkSpaces terminate
 Monitoring using
CloudWatch
Things to consider:
 Rebuild Amazon WorkSpaces periodically as part of scheduled
maintenance.
 When a rebuild occurs, the system is restored to the most
recent image of the bundle that the WorkSpace is created
from.
 Any applications that have been installed or system settings
that have been made after the WorkSpace was created are
not retained.
 During a rebuild, the user data drive (D:) is recreated from the
last automatic snapshot taken of the data drive. The current
contents of the data drive are overwritten. Automatic
snapshots of the data drive are taken every 12 hours, so the
snapshot can be as much as 12 hours old.

23. Management
 Image lifecycle (manual)
 WorkSpaces create
 WorkSpaces
reboot/rebuild
 WorkSpaces start/stop
 WorkSpaces modify
 WorkSpaces terminate
 Monitoring using
CloudWatch
Things to consider:
 Use folder redirection for redirecting user Documents and Desktop
folders to an EC2-based file share or DFS in the same VPC as the
WorkSpaces. Also, consider Amazon WorkDocs for file sharing and
collaboration. Restrict user-installed software so that rebuilds or
complete WorkSpaces replacements don’t impact user productivity. Keep
WorkSpaces updated by updating images and rebuilding. Alternatively,
use SCCM or EC2 Systems Manager to update WorkSpaces in place.
 WorkSpaces start/stop actions are used with WorkSpaces in AutoStop
mode (hourly billing). Scheduled starts of WorkSpaces can make them
ready for use so that users don’t have to wait when logging in.
 Send notifications to users or administrators as part of the automated
provisioning process using Amazon SNS when WorkSpaces are ready
for use or are impacted by other lifecycle events.

24. Desktop application streaming
Securely stream desktop applications
without rewriting to any web browser
with instant-on access.
Pay as you go Scale globally
Secure apps and dataRun desktop apps
in a web browser

25. AppStream 2.0 key features
 Image Builder
 Multiple Streaming
Instance Types
 Amazon VPC
Support
 Identity Federation
 Monitoring
 Fleet Auto Scaling
 Programmatic Control
 Simple End-User
Interface
 NICE DCV for
Streaming
 HTTPS Secure
Access

26. Amazon WorkSpaces Cost Optimizer
AWS offers the Amazon WorkSpaces Cost Optimizer, a
solution that analyzes all of your WorkSpace usage data
and automatically converts the WorkSpace to the most
cost-effective billing option (hourly or monthly), depending
on the user's individual usage.

27. Thank you!