Enclaves User Guide
A Tehama Enclave provides an isolated set of tools and services, so you can collaborate securely. Organizations work together using a shared Enclave with access governed by policies. An Enclave is connected to a network, either a private network or a public network (e.g., resources in the cloud), in which remote people work. All work performed in the connected network through the Enclave is audited.
What is an Enclave?
An Enclave is a container with a set of tools and services running within it.
Tools and services in a Tehama Enclave:
- Firewall Rules, a set of rules that constrain access to the 'connected network' and the internet. (See the description of the 'connected network' below.)
- DNS Filtering, an optional layer of access control to the 'connected network' and the internet on top of the firewall rules that takes the form of a list of allowed domains.
- Secrets Vault, secure storage of access credentials for assets in the connected network (only available in AWS Enclaves).
- File Vault, a secure transfer mechanism for files between the user's local environment and the connected network.
- App Vault, a way to securely transfer application installation files to the Enclave's Desktops (only in AWS Enclaves).
- Desktops, both Windows and Linux Virtual Machines (VMs), used by Enclave members to interact with the connected network. Enclaves contain Desktop templates from which Desktop instances are generated. A Desktop template contains the description of the Desktop configuration and the users assigned to it - those Enclave members who can connect to the template's generated Desktop instances. There can be as many as 500 Desktop instances in an Enclave. Each Desktop instance runs a 'Tehama Desktop Agent' application (AKA Workspace Agent) which provides access to tools/services in the Enclave. An Enclave member connects (logs in) to a Desktop instance to run a Desktop session. There can be a maximum of 75 concurrent Desktop sessions per Enclave when the Recordings Enclave feature is enabled and up to 200 concurrent Desktop sessions when the Recordings Enclave feature is disabled. (See the Desktop Session Auditing/Recordings User Guide for more details.)
- Audit, a set of audit tools including live Desktop session viewing, Desktop session recording, an activity stream of events occurring in the Enclave and reports.
The firewall rules, DNS Filtering, secrets vault, file vault and audit capabilities are managed through the Tehama Web UI and are accessible from the Tehama Desktop Agent in the Desktops. The app vault is managed through the Tehama Web UI, and the files it contains are accessible from mapped drives in the Desktops.
Each Enclave is owned by a Tehama organization, the 'owner organization', and is connected to the network of a Tehama organization, the 'connected organization'. (These can be the same organization.) Other organizations can be invited to use the Enclave as well. These are known as 'user organizations'.
An Enclave has Desktops (as described in the list of Tools and Services above), used to interact with the connected network through Desktop sessions. The Enclave's owner organization manages the creation and lifecycle of Desktops in the Enclave, and controls the number of Desktop instances.
An Enclave has members. Members are users from the Tehama organizations in the Enclave. Members must comply with the access policy set for their organization in the Enclave. Only members in an Enclave can be assigned to Desktop templates in the Enclave. Typically, a Desktop instance is created from a template for each member that is assigned to it. Members access their Desktop instances through the Tehama Web UI. The Enclave's connected organization controls which members can be added to the Enclave, while the Enclave's owner organization is in charge of assigning/removing members to/from Desktop templates.
Note: The owner organization must, when constructing and assigning members to Desktop templates in the Enclave, take into consideration the number of concurrent Desktop sessions they expect to have running. While an Enclave can contain as many as 500 Desktop instances and unlimited members, to ensure optimum performance the maximum number of concurrent Desktop sessions per Enclave is limited to 75 when the Recordings Enclave feature is enabled and to 200 when the Recordings Enclave feature is disabled. (See the Desktop Session Auditing/Recordings User Guide for more details.) If a higher number of concurrent sessions is expected, multiple Enclaves may be required. Enclave owner organizations are encouraged to contact Tehama Support if they would like assistance in optimizing their Enclave environment for performance and availability, taking their auditing/recording needs into consideration.
An Enclave is connected to a network, either a private network or a public network (e.g. resources in the cloud), that is controlled by the Enclave's 'connected organization'. This is referred to as the 'connected network'. The only way the tools and services in the Enclave can reach the connected network is through the connection the Enclave provides, so access to the connected network is restricted to Enclave members working through the Enclave.
Since it is the confidentiality of their network and data that is at stake, the connected organization in the Enclave manages the network settings for the Enclave in addition to the Enclave membership.
Your Enclave's 'connected network' is zero or more private networks managed by the Enclave's connected organization (as well as any desired resources in the cloud), constrained by your Enclave's firewall settings and its DNS Filtering. An IPsec VPN connection must be established to each private network.
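The two layers described above (firewall rules that constrain reachable addresses and ports, and an optional DNS allowlist on top of them) are easy to misjudge when planning an Enclave, so here is an added example that models how they compose. It is illustrative code written for this guide, not Tehama's implementation or its rule syntax; the first-match/default-deny firewall semantics, the "exact domain or any subdomain" allowlist semantics, and the sample rules and hostnames are all constructed assumptions. The point it demonstrates is a general property of DNS filtering: it only governs name resolution, so a connection made directly to an IP address is judged by the firewall rules alone. Keep the firewall rules tight even when DNS Filtering is enabled.

```python
"""Toy model of layered egress control: firewall rules plus a DNS allowlist.

Illustrative only. It is not Tehama's implementation and does not use
Tehama's rule syntax; semantics below are assumptions made for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class FirewallRule:
    action: str          # "allow" or "deny"
    dst_cidr: str        # destination network, e.g. "10.20.0.0/16" or "0.0.0.0/0"
    ports: Tuple[int, ...] = ()   # empty tuple means "any port"


def firewall_decision(rules: Sequence[FirewallRule], dst_ip: str, port: int) -> bool:
    """First matching rule wins; no match means deny (assumed default-deny policy)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        in_net = ip in ipaddress.ip_network(rule.dst_cidr, strict=False)
        port_ok = not rule.ports or port in rule.ports
        if in_net and port_ok:
            return rule.action == "allow"
    return False


def dns_allowed(allowlist: Iterable[str], hostname: str) -> bool:
    """True if hostname equals an allowlisted domain or is a subdomain of one.

    Matching is on whole labels, so 'notcorp.example' does not match 'corp.example'.
    """
    host = hostname.rstrip(".").lower()
    for entry in allowlist:
        domain = entry.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def egress_decision(rules: Sequence[FirewallRule], allowlist: Iterable[str],
                    dst_ip: str, port: int, hostname: Optional[str] = None) -> Tuple[bool, str]:
    """Combine both layers. Returns (allowed, reason).

    The DNS layer is consulted only when the client resolved a name; a direct
    connection to an IP address never touches DNS and is decided by the
    firewall rules alone.
    """
    if hostname is not None and not dns_allowed(allowlist, hostname):
        return False, f"dns: {hostname} is not in the allowlist"
    if not firewall_decision(rules, dst_ip, port):
        return False, f"firewall: {dst_ip}:{port} denied"
    return True, "allowed"


# Constructed sample policy for the example (not a real Enclave configuration).
SAMPLE_RULES = (
    FirewallRule("allow", "10.20.0.0/16"),            # internal range, any port
    FirewallRule("allow", "0.0.0.0/0", ports=(443,)), # HTTPS anywhere
)
SAMPLE_ALLOWLIST = ("corp.example", "pypi.org")


def demo() -> dict:
    """Run the representative cases and return their outcomes."""
    return {
        "internal_ssh_by_name": egress_decision(SAMPLE_RULES, SAMPLE_ALLOWLIST, "10.20.1.5", 22, "git.corp.example")[0],
        "https_allowed_domain": egress_decision(SAMPLE_RULES, SAMPLE_ALLOWLIST, "203.0.113.10", 443, "files.pypi.org")[0],
        "https_unlisted_domain": egress_decision(SAMPLE_RULES, SAMPLE_ALLOWLIST, "203.0.113.10", 443, "evil.example.net")[0],
        "lookalike_domain": egress_decision(SAMPLE_RULES, SAMPLE_ALLOWLIST, "203.0.113.10", 443, "notcorp.example")[0],
        "direct_ip_https": egress_decision(SAMPLE_RULES, SAMPLE_ALLOWLIST, "203.0.113.10", 443)[0],
        "outside_range_ssh": egress_decision(SAMPLE_RULES, SAMPLE_ALLOWLIST, "10.30.1.5", 22, "git.corp.example")[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The "direct_ip_https" case is the one to notice: the DNS allowlist would have denied "evil.example.net", but the same server reached by its IP address on port 443 sails through because the firewall rule permits HTTPS to any destination. If the connected organization wants DNS Filtering to be an effective restriction, the firewall rules must not allow broad destinations that the allowlist is expected to narrow.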
Image of the Tehama security architecture with Multi-Path connectivity
More information on the Enclave concept is available in the 'Enclave' section of the Introduction.
Enclave Regions
An Enclave's infrastructure is provisioned within a given region.
Regions that Tehama supports include:
- US East (N. Virginia)
- US West (Oregon)
- EU (Ireland)
- EU (Frankfurt)
- EU (London)
- Asia Pacific (Sydney)
- Asia Pacific (Singapore)
- Asia Pacific (Mumbai)
- Canada (Montreal)
- Brazil (São Paulo)
- Africa (Cape Town)
Org Roles and Responsibilities in an Enclave
Each organization plays a 'role' or 'function' in an Enclave. This organization 'Enclave role/function' is different from a user's role in their organization (Org Admin, Org Manager, Enclave Manager, Staff, or Custom). It describes the purpose of the organization in the Enclave and defines what responsibilities the organization has in the Enclave.
Each organization in an Enclave has one of the following 'roles', or 'functions', each coming with its own set of allotted responsibilities:
- owner+connected: The organization created the Enclave (i.e.: they are paying for it) and connected it (i.e.: they configured the network access for the Enclave to connect to their private (or public) network). (The organization will have both the 'owner' icon and the 'connected' icon under its name in the Enclave's MEMBERS tab.)
- user-only: The organization has been added (invited to join) to an Enclave and has no particular responsibilities in the Enclave.
- user+owner: The organization created and is paying for the Enclave, but the Enclave is connected to by another organization. (The organization will have the 'owner' icon under its name in the Enclave's MEMBERS tab.)
- connected-only: The organization connected to the Enclave that another organization is paying for. (The organization will have the 'connected' icon under its name in the Enclave's MEMBERS tab.)
A connected organization in an Enclave is either an owner+connected organization or a connected-only organization.
Similarly, an owner organization in an Enclave is either an owner+connected organization or a user+owner organization.
The management responsibilities in an Enclave are available to users with one of the manager roles (Org Admin, Org Manager and Enclave Manager). These differ depending on which of the above 'Enclave roles' their organization plays in an Enclave.
Enclave management responsibilities are divided as follows:
⦿ In your role as the Org Admin user or an Org Manager or an Enclave Manager (who is a member of the Enclave) of the Enclave's connected organization (owner+connected or connected-only), it is your responsibility to:
- configure and manage the IPsec VPN connections to the connected networks (zero or more).
- set up firewall rules.
- set up DNS Filtering (optional).
- add/remove secrets (optional).
- grant membership to the Enclave to users from your own and other organizations.
- monitor and audit the actions users perform when accessing and using resources on the connected network. (See note below.) Actions you can audit include user sessions, users' use of access credentials, the transfer of files in and out of your systems, and much more.
⦿ In your role as the Org Admin user or an Org Manager or an Enclave Manager (who is a member of the Enclave) of the Enclave's owner organization (owner+connected or user+owner), it is your responsibility to:
- add Desktop templates for Enclave members.
- in Tehama Gateway Enclaves, enable/disable the Multiple Gateways option for the Enclave.
- monitor and audit Enclave activity.
In addition ...
⦿ In your role as the Org Admin or an Org Manager or an Enclave Manager (who is a member of the Enclave) of an organization in the Enclave that IS NOT the organization that is connected to the Enclave (user+owner or user-only), you can:
- request/propose users from your organization for membership in the Enclave.
⦿ In your role as a Staff member of an organization in the Enclave that has been approved as a member of the Enclave, you can:
- be assigned to Desktop templates in the Enclave.
- connect to and work in Desktops in the Enclave - Desktops generated from the Desktop templates that you have been assigned to.
All of the above responsibilities are handled through the Tehama Web UI.
The Roles User Guide provides an overview of the responsibilities of the manager roles in Enclaves, broken down by the roles/functions of an organization in an Enclave. See the section 'User Management Roles vis-a-vis Org Functions/Roles in an Enclave' in the guide.
Typical Enclave workflow
First an Enclave has to be created.
Once an Enclave has been created, it must be set up properly. Between them, the Org Admin users, Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's connected organization and its owner organization will:
- set and monitor the connection to the connected network. (See Enclave/Desktop Connectivity - Types, Status and Settings.)
- set up firewall rules to constrain the Enclave's access to the connected network. (See the Firewall Rules User Guide.)
- set up optional DNS Filtering on top of the firewall rules. (See the DNS Filtering guide.)
- set up secrets to generate credentials for assets in the connected network (only available in AWS Enclaves). (See the Secrets Vault User Guide.)
- add members to work in the Enclave's Desktops. (See the Enclave Membership User Guide.)
- configure Desktop templates for those members. (See the Desktops User Guide.)
After that, as a member of an Enclave, you can start to work as follows:
- Log in to one of your Desktops.
  - You can launch a Desktop directly from the Tehama Web UI, logging in using the single-click Connect button. In AWS Enclaves, your Tehama desktop credentials are automatically processed and passed along for you by the UI to launch the Tehama client. In Azure Enclaves, you can also connect using the single-click Connect button, which will redirect you to the web version of Windows App to authenticate to your Tehama Azure Virtual Desktop.
  - Alternatively, in AWS Enclaves, you can launch a Desktop from the Teradici PCoIP Client, logging in with temporary access credentials that you can obtain from the Tehama Web UI. (See section 'Connect to a Desktop (with credentials) via Teradici PCoIP Client' in the Desktops User Guide.) In Azure Enclaves, an alternative desktop authentication method is through the installed Windows App application, which lets you launch your desktop outside the web browser.
Through the Desktop, you have access to the Enclave's connected network. This is where you perform your tasks on the connected network.
To help you in your work, you can:
- transfer files between your local environment and the connected network using the Enclave's file vault. (See the File Vault User Guide.)
  - use the Tehama Web UI to upload files from and download files to your local environment.
  - use the Tehama Desktop Agent (Workspace Agent) to upload files from and download files to your Desktop (and from there to the connected network).
- use the secrets from the Enclave's secrets vault to access assets in the connected network. (See the Secrets Vault User Guide.)
  - access the secrets in the secrets vault (from either the Tehama Web UI or the Tehama Desktop/Workspace Agent) to generate temporary credentials that you can use to gain access to password-protected assets/resources in the Enclave's connected network.
View list of Enclaves
All roles in all organizations can access the list of Enclaves. The Org Admin user and Org Managers in an organization will see all Enclaves the organization has a stake in. Enclave Managers and Staff members will only see those Enclaves of which they are a member.
Check the description of your custom role, to see what Enclaves you can see in the Enclaves list.
View the list of Enclaves you have access to as follows:
- Log in to the Tehama Web UI.
- Click on the ENCLAVES tab.
An organization's Org Admin user and its Org Managers will see all the Enclaves the organization has a stake in - that is all the Enclaves they own, are connected to or otherwise use.
An organization's Enclave Managers and Staff members will see all the Enclaves that they are a member of.
The list displays the following information for each Enclave:
- Enclave: the name of the Enclave and its description.
- Members*: the number of members in the Enclave.
- Desktops: the number of Desktops in the Enclave.
- In Use*: the number of Desktops in the Enclave that are currently in use.
- TCU This Month: the TCU usage for the Enclave. Only visible to the Org Admin and TCU Usage Auditor users in the Enclave's owner organization. (See the TCU Usage reports under REPORTS for more information on TCU Usage.)
- Region: the region in which the Enclave's infrastructure is provisioned.
- Status: the status of the Enclave (Healthy, Unhealthy, Pending, Impaired, Updating or Archived).
* User (third-party) organizations in an Enclave can only see the numbers of members/Desktops for their own members in the Enclave.
Click on the 'Refresh' icon at the top right of the list to refresh the contents of the list.
Note if the text for an entry overruns the column width, it can be viewed in a tooltip by hovering over the text.
Create and connect a Standard Enclave
Only the Org Admin user and Org/Enclave Managers of an organization can create an Enclave and connect it. Check the description of your custom role, to see if you can perform these actions.
Use cases for creating and connecting a Standard Enclave:
-
Enclave for a Remote Workforce
"I want an Enclave that my organization owns and that is connected to my private network (either a physical or an internet-based network). My organization is the primary organization doing work in the Enclave, though I can invite other organizations to join the Enclave if I need to."
-
Enclave for a Service Consumer
"I want an Enclave that my organization owns and that is connected to my private network (either a physical or an internet-based network). I will invite my service provider's organization to join the Enclave. They will be the primary organization doing work in the Enclave, though I can invite other organizations to join the Enclave if I need to."
In a Standard Enclave, your organization both owns and controls access to the Enclave. i.e.: Your organization pays for the Enclave and has control over what services/tools are provisioned in it (the owner responsibilities), and controls which other organizations and members have access and what assets are accessible through the Enclave (the access/connected responsibilities). Your organization will be the Enclave's owner+connected organization.
See the Create and connect a Standard Enclave section in the Getting Started with Tehama Enclave Creation guide for instructions to create and connect to a Standard Enclave.
Once your Enclave is created, it will appear in the list of Enclaves in the Tehama Web UI.
Create a Service-Provider Enclave and invite another organization to connect it
Only the Org Admin user and Org/Enclave Managers of an organization can create an Enclave and invite another organization to connect to it. Check the description of your custom role, to see if you can perform these actions.
Use case for creating a Service-provider Enclave: (a special case of a Standard Enclave)
- "I want an Enclave that my organization owns and that is connected to another organization's private network (either a physical or an internet-based network). This second organization is the consumer of my services and is referred to as the connected organization. If necessary, the connected organization can invite other organizations to join the Enclave."
This is a special type of Standard Enclave where the responsibilities in the Enclave are divided between two organizations - the owner organization, that pays for the Enclave and has control over what services/tools are provisioned in it, and the access/connected-to organization, that controls which other organizations and which members have access and what assets are accessible through the Enclave. Your organization will be the Enclave's user+owner organization and the other organization will be the Enclave's connected-only organization.
See section Create a Service-provider Enclave in the Getting Started with Tehama Enclave Creation guide for instructions to create a Service-provider Enclave and invite another organization to connect it.
Once your Enclave is created, it will appear in the list of Enclaves in the Tehama Web UI.
Connect a Service-provider Enclave via invitation
Only the Org Admin user and Org Managers of an organization can connect their organization to an Enclave, having received an invitation to do so from the Enclave's owner organization. Check the description of your custom role, to see if you can perform this action.
Use case for connecting a Service-provider Enclave: (a special case of a Standard Enclave)
- "I've been invited to connect my network to an Enclave that was created by my service provider."
In this configuration scenario, your organization will be the Enclave's connected organization and the other organization will be its owner. (i.e.: Your organization will be the Enclave's connected-only organization and the organization that invited you will be the Enclave's user+owner organization.)
See section Connect a Service-provider Enclave in the Getting Started with Tehama Enclave Creation guide for instructions to connect a Service-provider Enclave, having received an invitation to do so.
Join an Enclave via invitation
Only the Org Admin user and Org Managers of an organization can join their organization to an Enclave, having received an invitation to do so from the Enclave's connected organization. Check the description of your custom role, to see if you can perform this action.
Use case for joining a Standard Enclave or a Service-provider Enclave:
- "I've been invited to join an Enclave as a third-party organization."
In this configuration scenario, your organization will not have any particular management responsibilities in the Enclave. (i.e.: Your organization will be (one of) the Enclave's user-only organization(s).)
See the Join a Standard or Service-provider Enclave section in the Getting Started with Tehama Enclave Creation guide for instructions to join a Standard or a Service-provider Enclave, having received an invitation to do so.
Delete or archive an Enclave
Only the Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's owner organization (owner+connected or user+owner) can delete or archive the Enclave. Check the description of your custom role, to see if you can perform these actions.
WARNING: An Enclave, once deleted, cannot be recovered. Connections associated with the Enclave are also deleted and cannot be recovered. Archiving the Enclave instead will preserve its recordings.
Delete or archive an Enclave as follows:
- Log in to the Tehama Web UI.
- Click on the ENCLAVES tab.
- Locate the entry for the Enclave you wish to delete or archive.
- Click on the three vertical dots under the Actions column for the entry.
- Select the "Delete" menu item. You will see the DELETE ENCLAVE dialog.
- Acknowledge the warning and type the name of the Enclave into the dialog.
- If you want to delete the Enclave: Click DELETE.
- If you want to archive the Enclave: Click ARCHIVE.
View an Enclave's interface
The Org Admin user and Org Managers in an organization can access the interface of all Enclaves the organization has a stake in. Enclave Managers and Staff members of an organization will only be able to access the interface of those Enclaves of which they are a member. Check the description of your custom role, to see what Enclaves you are able to access.
Essentially, if you can see an Enclave in the list of Enclaves under the ENCLAVES tab, you can access its interface.
Be aware that you must accept the policy assigned as the "conditions of use" for your organization in the Enclave, in order to work in the Enclave. See section "Accept a policy/condition-of-use for an organization in an Enclave" in the Policies (Conditions of Use for Enclaves) User Guide for more information.
Access the interface for an Enclave in the Tehama Web UI as follows: (Choose A or B.)
A: find the Enclave in the list of Enclaves that you have access to
- Log in to the Tehama Web UI.
- Click on the ENCLAVES tab. You will see a list of all the Enclaves that you have access to. (For Enclave Managers and Staff members, this will only be those Enclaves of which they are members.)
- Click on the name of the Enclave you want to access. You will see the interface page for the Enclave.
B: find the Enclave in the list of all your Desktops in the organization
Note, this method will only let you find Enclaves that have at least one Desktop. If you are a Staff member, this method will only let you find Enclaves in which you yourself have an assigned Desktop.
- Log in to the Tehama Web UI.
- Click on the DESKTOPS tab.
- Verify that the DESKTOPS option at the top of the page is selected. You will see a table of Desktop instances. (NOTE: If you are a Staff member in the organization, you will not see options at the top of the DESKTOPS page; the page you see is the equivalent of the DESKTOPS option. Otherwise, your options are DESKTOPS and IMAGES. DESKTOPS is the default option.)
-
Either:
- List your assigned Desktops: Click the My Desktops radio button at the top of the page. Your Desktop instances will be uniquely identified by the template name and the Enclave name. Note, this list will not contain any entries with Enclaves in which you are not assigned to a Desktop template. (NOTE: If you are a Staff member in the organization, you will not see this radio button. The list will be restricted to only your assigned Desktops by default.)
or:
- List all Desktop instances in the organization: Click the All Desktops radio button at the top of the page. The Desktop instances listed will be uniquely identified by the template name, the Enclave name, and the name of the assigned user. Note, this list will not contain any entries with Enclaves that do not have any Desktop templates. (NOTE: If you are a Staff member in the organization, you will not see this radio button. You are unable to see Desktops that are not your own.)
Each entry in the table contains the name of the Enclave to which the Desktop and its template belongs.
- Click on the name of the Enclave you want to access, in any of the entries with that Enclave name. You will see the interface page for the Enclave.
Image of the Enclave interface with the WORK tab selected for a member of an Enclave's third-party organization who is not currently assigned to a Desktop template in the Enclave.
Image of the Enclave interface with the WORK tab selected for an Org Manager of an Enclave's owner organization who is assigned to a couple of Desktop templates in the Enclave.
View/Edit an Enclave's name
Only the Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's owner organization (owner+connected or user+owner) can edit the Enclave's name.
The Org Admin user and Org Managers in an organization can view Enclaves (identified by name) of all Enclaves the organization has a stake in. Enclave Managers and Staff members of an organization will only be able to view Enclaves of which they are a member.
Check the description of your custom role, to see if you can view/edit an Enclave's name.
Essentially, if you can see an Enclave in the list of Enclaves under the ENCLAVES tab, you can access its interface and see references to it, by name, in other parts of the UI.
View Enclave names:
Enclaves are identified by name, in whatever context they appear. For each entry in the Enclaves list or the Desktops list or various Reports, the value found under the "Enclave" column is always the name of the Enclave.
If you are viewing an Enclave's interface, (see Access the Enclave's interface), you will see the name of the Enclave whose interface is being displayed in the breadcrumbs at the top left of the page.
Edit an Enclave's name as follows: (This functionality is not available to all users.)
- Log in to the Tehama Web UI.
- Click on the ENCLAVES tab. You will see a list of all the Enclaves that you have access to.
- Locate the Enclave in the list of Enclaves to which you have access.
- Click on the three vertical dots under the Actions column for the entry.
- Select the "Edit Enclave info" menu item. You will see the EDIT ENCLAVE INFORMATION dialog.
- Edit the "Enclave Name" field.
- Click SAVE.
Alternatively:
- Access the Enclave's interface. Note it does not matter which subpage in the Enclave's interface is currently displayed.
- Click on the Enclave name in the breadcrumbs at the top of the page. You will see the EDIT ENCLAVE INFORMATION dialog.
- Edit the "Enclave Name" field.
- Click SAVE.
Note that an Enclave's name can only be modified if the Enclave has not been archived.
Note that an Enclave's name can be modified by a 'Tehama Super Admin' user (a superuser belonging to the Tehama Support team) if necessary.
View/Edit an Enclave's description
The Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's owner organization (owner+connected or user+owner) can both view and edit the Enclave's description.
The Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's connected organization (connected-only) can only view the Enclave's description.
Check the description of your custom role, to see if you can view/edit an Enclave's description.
Staff members who are members of the Enclave, regardless of their organization's role in the Enclave, can only view the Enclave's description.
View an Enclave's description as follows:
- Log in to the Tehama Web UI.
- Click on the ENCLAVES tab. You will see a list of all the Enclaves that you have access to.
- Locate the Enclave in the list of Enclaves to which you have access. The description will be under the name in the Enclave column.
Alternatively:
- Access the Enclave's interface. The description will be under the Enclave name in the breadcrumbs at the top of the page.
Edit an Enclave's description as follows: (This functionality is not available to all users.)
- Log in to the Tehama Web UI.
- Click on the ENCLAVES tab. You will see a list of all the Enclaves that you have access to.
- Locate the Enclave in the list of Enclaves to which you have access.
- Click on the three vertical dots under the Actions column for the entry.
- Select the "Edit Enclave info" menu item. You will see the EDIT ENCLAVE INFORMATION dialog.
- Edit the "Description" field.
- Click SAVE.
Alternatively:
- Access the Enclave's interface. Note it does not matter which page in the Enclave's interface is currently displayed.
- Click on the Enclave name in the breadcrumbs at the top of the page. You will see the EDIT ENCLAVE INFORMATION dialog.
- Edit the "Description" field.
- Click SAVE.
Note that an Enclave's description can be modified by a 'Tehama Super Admin' user (a superuser belonging to the Tehama Support team) if necessary.
Enclave Desktop Settings
Only the Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's owner organization (owner+connected or user+owner) and the Org Admin user and Enclave Managers (who are members of the Enclave) of the Enclave's connected organization (owner+connected or connected-only) can configure the Enclave's Desktop settings. Check the description of your custom role, to see if you can perform this action.
An Enclave has a collection of Desktop settings that are applied to all the Desktops that belong to the Enclave. These settings can be set from your Enclave's CONFIGURE -> SETTINGS page.
Set Idle Session Timeout
The idle session timeout setting is the length of time a Desktop session may remain idle before it is disconnected (after which it no longer consumes TCU). A shorter timeout limits how long an unattended session stays open.
Change an Enclave's idle session timeout setting as follows:
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the DESKTOP SETTINGS section.
- Locate the dropdown field to the right of the "Idle Session Timeout" desktop-setting.
- Click on the dropdown field to display the preconfigured idle timeout options.
- Select the idle timeout option you wish for your Enclave's desktop sessions.
- Click SAVE.
Enclave Feature Settings (Enable/Disable)
Only the Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of an Enclave's owner organization (owner+connected or user+owner) and the Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) of the Enclave's connected organization (owner+connected or connected-only) can configure the Enclave's Feature settings. Check the description of your custom role, to see if you can perform this action.
An Enclave has a collection of features that can be enabled or disabled for the Enclave. These features can be enabled or disabled from your Enclave's CONFIGURE -> SETTINGS page. Note that only one feature can be enabled/disabled at a time, to allow the Enclave's infrastructure to update before the next change is made.
App Vault (only available in AWS Enclaves)
The App Vault Enclave feature provides a way to securely transfer application installation files to the Enclave's Tehama Desktops, through the Tehama Web UI and mapped drives on the Enclave's desktops. See the App Vault User Guide for more details.
When it is enabled, the Org Admin user and Org Managers and Enclave Managers (who are members of the Enclave) in the Enclave's owner organization will be able to see the APP VAULT page under the Enclave's CONFIGURE tab; and all Enclave members assigned to a desktop will be able to see the corresponding mapped drive for the App Vault feature in their desktops.
When it is disabled, the APP VAULT page under the Enclave's CONFIGURE tab will not be available, nor will the mapped drives on the Enclave's desktops.
Enable or disable the App Vault Enclave feature as follows:
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ENCLAVE SETTINGS section.
- Locate the toggle to the right of the "App Vault" feature.
- Enable or disable the feature as follows:
  - Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
  - Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
File Vault
The File Vault Enclave feature secures the transfer of files between your local environment and the Enclave's Tehama Desktops. See the File Vault User Guide for more details.
When it is enabled, all users with access to the Enclave will be able to see the FILE VAULT page under the Enclave's WORK tab.
When it is disabled, the FILE VAULT page under the Enclave's WORK tab will not be available.
When enabled, a sub-option exists that allows users in the Enclave to download files from the File Vault to their local desktops from the File Vault interface in the Tehama Web UI. (See SUB-OPTION in step 6 below.)
Enable or disable the File Vault Enclave feature as follows:
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ENCLAVE SETTINGS section.
- Locate the toggle to the right of the "File Vault" feature.
- Enable or disable the feature as follows:
  - Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
  - Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
  SUB-OPTION: Once the File Vault feature toggle has been enabled, you will see another option, the "Allow users to download files, except any containing sensitive data as determined by our Data Loss Prevention system, onto their local desktops" sub-option. Enable or disable this sub-option as follows:
  - Check the box to the left of the sub-option to enable it. Once saved, users will be able to download files from the File Vault to their local desktops (except any containing sensitive data as determined by the Data Loss Prevention system, unless an administrator has explicitly released them for download).
  - Un-check the box to the left of the sub-option to disable it. Once saved, users will not be able to download files from the File Vault to their local desktops.
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value, or its sub-option value.)
Linux Desktops (only available in AWS Enclaves)
The Linux Desktop Enclave feature provides virtual Desktop environments connected via PCoIP to Linux-based servers. These are known as Tehama Linux Desktops. It is offered with a range of hardware and software options similar to a Windows Desktop. The currently available Operating System is Ubuntu Server 22.04.
The Linux Desktop Enclave feature, when enabled, allows the creation of Tehama Linux Desktops in the Enclave.
When enabled, Tehama Linux Desktops can be created in the Enclave, and the LINUX DESKTOPS page found under the Enclave's CONFIGURE tab in the Tehama Web UI will be present.
When disabled, Tehama Linux Desktops cannot be created in the Enclave, and the LINUX DESKTOPS page found under the Enclave's CONFIGURE tab in the Tehama Web UI will be absent.
Note that any Tehama Linux desktops already created for the Enclave will continue to exist after the feature has been disabled and will remain accessible through the Tehama Web UI, although no new Tehama Linux desktops can be added while the feature is disabled.
Enable or disable the Linux Desktop Enclave feature as follows:
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ENCLAVE SETTINGS section.
- Locate the toggle to the right of the "Linux Desktop" feature.
- Enable or disable the feature as follows:
  - Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
  - Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
Windows Desktops
The Windows Desktop Enclave feature provides virtual Desktop environments connected via PCoIP to Windows-based servers. These are known as Tehama Windows Desktops. It is offered with a range of hardware and software options. The currently available Operating System is Windows Server 2019.
The Windows Desktop Enclave feature, when enabled, allows the creation of Tehama Windows Desktops in the Enclave.
When enabled, Tehama Windows Desktops can be created in the Enclave, and the WINDOWS DESKTOPS page found under the Enclave's CONFIGURE tab in the Tehama Web UI will be present.
When disabled, Tehama Windows Desktops cannot be created in the Enclave, and the WINDOWS DESKTOPS page found under the Enclave's CONFIGURE tab in the Tehama Web UI will be absent.
Note that any Tehama Windows desktops already created for the Enclave will continue to exist after the feature has been disabled and will remain accessible through the Tehama Web UI, although no new Tehama Windows desktops can be added while the feature is disabled.
Enable or disable the Windows Desktop Enclave feature as follows:
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ENCLAVE SETTINGS section.
- Locate the toggle to the right of the "Windows Desktop" feature.
- Enable or disable the feature as follows:
  - Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
  - Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
Recordings
The Recordings Enclave feature provides recordings of the Enclave's Desktop sessions.
From the time it is enabled, any subsequent desktop sessions in the Enclave will be recorded.
From the time it is disabled, any subsequent desktop sessions in the Enclave will not be recorded.
Recordings are available in the Enclave's SESSIONS page under the AUDIT tab. See the Desktop Session Auditing/Recordings User Guide for more details.
Note that any recordings already present will continue to be available after the feature is disabled.
This Enclave feature is a useful capability, but it comes with a cost in Desktop performance and availability. When Recordings are enabled in an Enclave, the Enclave can support a maximum of 75 concurrent Desktop sessions. When Recordings are disabled, the Enclave can support up to 200 concurrent Desktop sessions. Enclave owner organizations are encouraged to contact Tehama Support if they would like assistance in optimizing their Enclave environment for performance and availability, taking their auditing needs into consideration.
IMPORTANT: Before enabling the Recordings feature for an Enclave, confirm that the current number of concurrent Desktop sessions in the Enclave is at most 75. Enabling Recordings while the number of concurrent Desktop sessions is higher than this maximum will result in undefined behaviour. You can view a list of the "in-use" Desktop Templates in your Enclave on the DESKTOPS page. (See the section "View list of in-use Desktop templates in your Organization" in the Desktops User Guide.)
Enable or disable the Recordings Enclave feature as follows:
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ENCLAVE SETTINGS section.
- Locate the toggle to the right of the "Recordings" feature.
- Enable or disable the feature as follows:
  - Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
  - Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value.)
DIA (available only in AWS Enclaves)
The Desktop Intelligence and Automation (DIA) diagnostic tool monitors, troubleshoots, and gathers intelligence across all Desktops in Enclaves that have enabled DIA, through an agent installed on each Desktop.
NOTE: Access to Tehama's DIA diagnostic tool is not available to all organizations by default. Access to the tool is an optional organization feature that Tehama Support will set up for your organization upon request. Contact Tehama Support for more details.
Enabling the DIA Enclave feature will trigger the installation of the DIA agent on all Desktops in the Enclave. (Desktops in-use at the time the feature is enabled will be updated after the session ends.) The agents will link the Desktops to the DIA tenant for your organization in the DIA diagnostic tool, adding entries for the Desktops in its Devices list. Access the DIA diagnostic tool to view data on the Desktops.
Disabling the DIA Enclave feature will trigger the removal of the DIA agent from all Desktops in the Enclave. (Desktops in use at the time the feature is disabled will be updated after the session ends.) The Desktops will no longer be linked to the DIA diagnostic tool.
WARNING: If you enable, disable, then re-enable this feature, your Desktops will appear as new entries in the DIA diagnostic tool.
For information on how to access and use Tehama's DIA diagnostic tool, see the Desktop Intelligence and Automation (DIA) user guide.
Enable or disable the DIA Enclave feature as follows:
- Obtain the credentials required to enable DIA for your Enclave. You will need the "Tenant name" and "device registration code" for your organization in DIA.
  - Get this information from your organization's DIA user (a user with a user account in DIA); or
  - Contact Tehama Support, who will pass this information along to you.
- Access the Enclave's interface.
- Click the Enclave's CONFIGURE tab.
- Click on the SETTINGS sidebar item.
- Click on the EDIT button at the top right of the ENCLAVE SETTINGS section.
- Locate the toggle to the right of the "Desktop Intelligence and Automation (DIA)" feature.
- Enable or disable the feature as follows:
  - Click on the left of the toggle to disable the feature. (The toggle will display an 'x'.)
  - Click on the right of the toggle to enable the feature. (The toggle will display a checkmark.)
- Enter the name given to you for your organization in the Tenant name field. (e.g., "example.dia.tehama.io")
- Enter the device registration code given to you for your organization in the Registration code field. (e.g., 1234567890abcdef1234567890abcdef12345678)
- Click SAVE to save your change, or CANCEL to cancel your change. (Note that the SAVE and CANCEL buttons only become visible once you have changed the toggle's currently saved value; and the SAVE button will be inactive unless there are values in both fields.)