Written by: Joel Hutson
Senior Site Reliability Engineer

This post is part of a series about Cloud Managed DevOps Service at CMD Solutions.


What Does End User Computing (EUC) Mean?

End User Computing (EUC) services provide secure access to the applications and desktops the workforce needs to get their job done. With AWS EUC services, workers can be productive from any supported device while improving IT agility and organizational security. You can scale up or scale down resources on demand, providing your teams with the resources they need, all without deploying and operating infrastructure.


Three common problems End User Computing solves:

  1. While your workforce is working from home, it may be difficult to manage users that need to connect to internal resources. Furthermore, your remote users' productivity may suffer when they run into trouble connecting to the internal network. This could be due to limitations of the VPN termination devices or the users’ network connection.
  2. If you’re using System Center Configuration Manager (SCCM) to deploy updates to machines, sometimes a user device may not connect back to SCCM to install the updates, or an application may fail to deploy. Failures can happen for many reasons, such as a bad network connection, not connecting to the VPN, or the user’s computer no longer reporting back to the management server.
  3. Another issue many companies face is ensuring all systems are secure and patched. As we covered in an earlier blog, patching and application updates can be difficult to automate with any system. With most people working from home, this task has become more difficult for system administrators to manage.

Setting up an End User Computing (EUC) Virtual Desktop Infrastructure (VDI) can solve many of the issues described above. Having users connect to a secure Virtual Desktop lowers the risk of problems caused by out-of-date software. VDIs also give businesses more control over patching, application updates and installs, ensuring an efficient and continued service to end users.


What is Amazon Workspaces?

Amazon Workspaces is a fully managed VDI solution that sits in a Virtual Private Cloud (VPC) and allows users to connect to applications and databases from any supported device at any location with internet access. Amazon Workspaces supports the provisioning of both Windows and Linux workspaces. User data is located on a separate drive, which simplifies the management of persistent data like profiles and application customisation. AWS Key Management Service (KMS) is used to encrypt user volumes, improving the security of the workspace.

Amazon Workspaces can have multiple bundles that can be updated at any time with the latest applications and updates, and that can fit multiple user personas.

A bundle is a pre-built combination of an operating system, storage and software. When you launch a workspace, you can select a bundle that meets your requirements.


How CMD Solutions approaches Amazon Workspaces

Typically, we would set up a connection from Amazon Workspaces to the client’s internal network, leveraging services like AWS Direct Connect or AWS VPN. We would also provide package deployments and a monthly workspace patching routine using Manage Engine.

Manage Engine is integrated with Active Directory, allowing us to stage the patching process to pilot users for testing before deploying to the rest of the user base.


Catering to all user personas via Amazon Workspaces

Building an Amazon Workspace that works for all users can be difficult, as each customer may have a variety of different user personas (Finance, Corp, Dev etc). In some situations, this may even be impossible if a business has specific data security requirements.

We address this by creating bundles that fit the requirements of each persona and using the auto-provisioning solution to automatically provision a Workspace that fits those requirements.

We do this by using Active Directory (AD) groups within the customer’s AD environment. The user is added to the correct AD group, and the automation Lambda function uses that group membership to provision the required workspace for that user.


Managing, Provisioning and Terminating Amazon Workspaces

Workspace provisioning or deprovisioning can be a significant administrative overhead and if left unchecked, there may be a number of workspaces left unused, continuing to incur a monthly cost.

Here at CMD Solutions, we solve the problem by using an automated provisioning and terminating process that also provides reporting of the Workspace usage.


Provisioning Workspaces:

The Workspace automation process provisions Workspaces for new users in the specified Active Directory groups. It also creates a new KMS key (for Workspace encryption) when the number of grants on the current key is close to the limit. By default, users are notified of their Workspace creation through Simple Email Service (SES), but optionally an SMTP server relay can be configured.


Terminating Workspaces:

The Workspaces termination process schedules a termination date for Workspaces whose user is no longer in the specified Active Directory group and (optionally) sends a summary of terminated and to-be-terminated workspaces by email. If the termination date was already defined and has expired, the Workspace is terminated. By default, the emails are sent through SES, but as above, optionally an SMTP server relay can be configured.
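The provisioning and termination rules described above can be expressed as one reconciliation pass over AD group membership; the following is an added sketch, not CMD Solutions' own Lambda code. The function name, data shapes, the 14-day grace period, the "first group wins" rule for users in several groups, and all sample values are assumptions.

```python
from datetime import date, timedelta

GRACE_DAYS = 14  # assumption: the post does not state a grace period


def reconcile(group_members, bundle_for_group, workspaces, today):
    """Plan Workspace changes from AD group membership.

    group_members:    {ad_group: set of usernames}, as read from AD
    bundle_for_group: {ad_group: bundle_id}; dict order is persona priority
    workspaces:       dicts with "id", "user" and "terminate_on" (date or None)
    Returns (to_create, to_schedule, to_terminate).
    """
    desired = {}  # username -> bundle for every user who is still entitled
    for group, bundle in bundle_for_group.items():
        for user in sorted(group_members.get(group, ())):
            desired.setdefault(user.lower(), bundle)  # first group wins

    owners = {ws["user"].lower() for ws in workspaces}
    to_create = sorted((u, b) for u, b in desired.items() if u not in owners)

    to_schedule, to_terminate = [], []
    for ws in workspaces:
        if ws["user"].lower() in desired:
            continue  # user is still in a Workspaces group: leave it alone
        if ws["terminate_on"] is None:
            # First run after the user left the group: set a date, do not delete.
            to_schedule.append((ws["id"], today + timedelta(days=GRACE_DAYS)))
        elif ws["terminate_on"] <= today:
            to_terminate.append(ws["id"])  # date reached: terminate now
    return to_create, to_schedule, to_terminate


# Constructed sample data (group names, bundle ids and Workspace ids are made up).
GROUPS = {"WS-Finance": {"alice", "Bob"}, "WS-Dev": {"carol", "alice"}}
BUNDLES = {"WS-Finance": "wsb-finance-example", "WS-Dev": "wsb-dev-example"}
WORKSPACES = [
    {"id": "ws-0001", "user": "alice", "terminate_on": None},
    {"id": "ws-0002", "user": "dave", "terminate_on": None},
    {"id": "ws-0003", "user": "erin", "terminate_on": date(2024, 5, 1)},
    {"id": "ws-0004", "user": "frank", "terminate_on": date(2024, 6, 20)},
]

if __name__ == "__main__":
    create, schedule, terminate = reconcile(GROUPS, BUNDLES, WORKSPACES, date(2024, 6, 1))
    print("create:", create)        # would feed the WorkSpaces create_workspaces call
    print("schedule:", schedule)    # would be stored, e.g. as a tag on the Workspace
    print("terminate:", terminate)  # would feed terminate_workspaces
```

Because removal from the AD group is what revokes the desktop, the termination summary email doubles as an access-review record of which Workspaces are pending removal.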


Patching: How we keep your remote desktop secure and up to date

Here at CMD Solutions, we use a pilot patch group and patching automation to keep our client Workspaces up to date and secure. The patches are first released to the pilot group and after approval, they are then “approved” through Manage Engine. Following that, the automated patching process will apply any approved updates to all Workspaces.

AWS Workspaces also uses a maintenance window feature that will automatically turn on any auto-stopped Workspace. This allows Workspaces that don’t have much user activity to also remain up to date.

As part of our End User Computing service, we will also keep the bundles up to date. Bundles are used at the initial provisioning process to build the Workspace with the required applications for that “persona”.

Updating the bundles requires an image to be created with the latest updates. This image will be uploaded to the bundle and used for any further workspace provisioning.


Cost Optimisation Features of AWS Workspaces

The most cost-effective running mode for a Workspace can change between auto-stop and always on. If a Workspace is used for longer than 80 hours, then the Workspace should be set to the ‘always on’ (Monthly) state. Workspace usage can vary from month to month, potentially adding administrative overhead.

AWS offers a cost optimisation solution to ensure you’re always paying the lowest price you can. This solution deploys an Amazon CloudWatch event that invokes an AWS Lambda function every 24 hours. The Lambda function leverages Amazon Elastic Container Service (Amazon ECS) to create an AWS Fargate task definition to poll AWS Directory Service to gather a list of all directories registered for Amazon WorkSpaces.

This will automatically change a workspace between auto stop / always on depending on the hours of use for that month, giving the customer the optimal cost for each workspace provisioned in their environment.



If not set up correctly, having all of the above working in a seamless, automated way can be difficult. The automation our team at CMD Solutions have created allows us to provision and deprovision new Workspaces, monitor Workspaces and provide the best VDI type for all users, ensuring cost optimisation across all user personas for all our customers.