Application Access - Amazon WorkSpaces Applications

Application Access

By default, WorkSpaces Applications enables the applications that you specify in your image to launch other applications and executable files on the image builder and fleet instance. This ensures that applications with dependencies on other applications (for example, an application that launches the browser to navigate to a product website) function as expected. Make sure that you configure your administrative controls, security groups, and other security software to grant users the minimum permissions required to access resources and transfer data between their local computers and fleet instances.

You can use application control software, such as Microsoft AppLocker, and policies to control which applications and files your users can run. Application control software and policies help you control the executable files, scripts, Windows installer files, dynamic-link libraries, and application packages that your users can run on WorkSpaces Applications image builders and fleet instances.

Note

The WorkSpaces Applications agent software relies on the Windows command prompt and Windows Powershell to provision streaming instances. If you choose to prevent users from launching the Windows command prompt or Windows Powershell, the policies must not apply to the Windows NT AUTHORITY\SYSTEM or users in the Administrators group.

Rule type Action Windows user or group Name/Path Condition Description
Executable Allow NT AUTHORITY\System * Path Required for the WorkSpaces Applications agent software
Executable Allow BUILTIN\Administrators * Path Required for the WorkSpaces Applications agent software
Executable Allow Everyone %PROGRAMFILES%\nodejs\* Path Required for the WorkSpaces Applications agent software
Executable Allow Everyone %PROGRAMFILES%\NICE\* Path Required for the WorkSpaces Applications agent software
Executable Allow Everyone %PROGRAMFILES%\Amazon\* Path Required for the WorkSpaces Applications agent software
Executable Allow Everyone %PROGRAMFILES%\<default-browser>\* Path Required for the WorkSpaces Applications agent software when persistent storage solutions, such as Google Drive or Microsoft OneDrive for Business, are used. This exception is not required when WorkSpaces Applications home folders are used.