

This guide documents the classic version of the AWS Wickr administration console, released before March 13, 2025. For documentation on the new AWS Wickr administration console, see [Administration Guide](https://docs.aws.amazon.com/wickr/latest/adminguide/what-is-wickr.html).

# Manage your AWS Wickr network

In the **Network Settings** section of the AWS Management Console for Wickr you can manage your Wickr network name, security groups, SSO configuration, and data retention settings.

**Topics**
+ [Network profile for AWS Wickr](network-profile.md)
+ [Security groups for AWS Wickr](security-groups.md)
+ [Single sign-on configuration for AWS Wickr](sso-configuration.md)
+ [Network tags for AWS Wickr](network-tags.md)
+ [Read receipts for AWS Wickr](read-receipts.md)
+ [Manage network plan for AWS Wickr](manage-plan.md)
+ [Data retention for AWS Wickr](data-retention.md)
+ [What is ATAK?](what-is-atak.md)
+ [Ports and domains to allow list for your Wickr network](allow-list-ports-domains.md)
+ [GovCloud cross boundary classification and federation](govcloud-cross-boundary.md)

# Network profile for AWS Wickr

You can edit the name of your Wickr network and view your network ID in the **Network Profile** section of the AWS Management Console for Wickr.

**Topics**
+ [View network profile in AWS Wickr](view-network-profile.md)
+ [Edit network name in AWS Wickr](edit-network-name.md)
+ [Delete network in AWS Wickr](delete-network.md)

# View network profile in AWS Wickr

You can view the details of your Wickr network profile, including your network name and network ID.

Complete the following procedure to view your Wickr network profile and network ID.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.  
![\[The Networks page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-admin-console-network-page-admin-link.png)

   You're redirected to the Wickr Admin Console for a specific network.  
![\[The Dashboard page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-network-admin-console-dashboard-page.png)

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Network Profile**.

   The **Network Profile** page displays your Wickr network name and network ID. You can use the network ID to configure federation.

# Edit network name in AWS Wickr

You can edit the name of your Wickr network.

Complete the following procedure to edit your Wickr network name.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. Choose **Manage network**.

1. On the **Networks** page, select the checkbox next to the network name you want to edit, and then choose **View details**.  
![\[Networks page showing a selected network with options to view details or create a new network.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-network-viewdetails.png)

1. In the **Network overview** section, choose **Edit**.

1. Enter your new network name into the **Network Name** text box.

1. Choose **Save changes** to save your new network name.

# Delete network in AWS Wickr

You can delete your AWS Wickr network.

**Note**  
If you delete a premium free trial network, you won't be able to create another one.

Complete the following procedure to delete your Wickr network.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. Choose **Manage network**.

1. On the **Networks** page, find the network you want to delete. 

1. On the right-hand side of the network you want to delete, select the three dots, and then choose **Delete network**.

1. Type **confirm** in the pop-up window, and then choose **Delete**.

   It can take a few minutes for the network to delete.
**Note**  
Data retained by your data retention configuration (if enabled) will not be deleted when you delete your network. For more information, see [Data retention for AWS Wickr](https://docs.aws.amazon.com//wickr/latest/adminguide/data-retention.html).

# Security groups for AWS Wickr

In the **Security Groups** section of the AWS Management Console for Wickr, you can manage security groups and their settings, such as password complexity policies, messaging preferences, calling features, security features and network federation.

**Topics**
+ [View security groups in AWS Wickr](view-security-groups.md)
+ [Create a security group in AWS Wickr](create-security-group.md)
+ [Edit a security group in AWS Wickr](edit-security-group.md)
+ [Delete a security group in AWS Wickr](delete-security-group.md)

# View security groups in AWS Wickr

You can view the details of your Wickr security groups.

Complete the following procedure to view security groups.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.  
![\[The Networks page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-admin-console-network-page-admin-link.png)

   You're redirected to the Wickr Admin Console for a specific network.  
![\[The Dashboard page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-network-admin-console-dashboard-page.png)

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Security Group**.

   The **Security Groups** page displays your current Wickr security groups and gives you the option to view their details or create a new group.

# Create a security group in AWS Wickr

You can create a new Wickr security group.

Complete the following procedure to create a security group.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.

   You're redirected to the Wickr Admin Console for a specific network.

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Security Group**.

1. Choose **New group** to create a new security group.

   A new security group with a default name is automatically added to the security groups list.

   For more information about editing the new security group, see [Edit a security group in AWS Wickr](edit-security-group.md).

# Edit a security group in AWS Wickr

You can edit the details of your Wickr security group.

Complete the following procedure to edit a security group.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.

   You're redirected to the Wickr Admin Console for a specific network.

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Security Group**.

1. Choose **Details** next to the name of the security group that you want to edit.

   The **Security Group Details** page displays the settings for the security group in different tabs.

1. The following tabs and corresponding settings are available:
   + **Security group name** — Choose the pencil icon next to the name of the group to edit the name.
   + **General** — Edit the basic configuration of the group.
   + **Messaging** — Manage messaging features for members of the group.
   + **Calling** — Manage calling features for members of the group.
   + **Security** — Configure additional security features for the group.
   + **Federation** — The ability to communicate between networks. This can be configured in the Admin console for a network at the security group level. AWS Wickr has 2 types of federation - Local and Global.
     + **Local Federation** — The ability to federate with AWS users in other networks within the same region. For example, if there are two networks in Canada with local federation enabled, they will be able to communicate with each other. 
     + **Global Federation** — The ability to federate with either Enterprise users or AWS users in a different network who belong to other regions. For example, if there is a user in a network in the Canada region and a user in a network in the London region, and global federation is turned on for both networks, they will be able to communicate with each other.
     + **Restricted Federation** — The ability to federate with specific networks (Enterprise or AWS) belonging to different regions. Admins can allowlist specific networks their users can federate with. After the restriction, users can only communicate with users in the allowlisted networks. Both networks must allowlist each other from the security group settings in the federation tab to use restricted federation.

1. Choose **Save** to save edits that you make to the security group details.

# Delete a security group in AWS Wickr

You can delete your Wickr security group.

Complete the following procedure to delete a security group.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.

   You're redirected to the Wickr Admin Console for a specific network.

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Security Group**.

1. Choose the vertical ellipsis icon next to the name of the security group that you want to delete.

1. Choose **Remove** to delete the security group.

   When you delete a security group that has assigned users, those users are automatically added to the default security group. To modify the security group assigned to users, see [Edit users in AWS Wickr network](edit-users.md).

# Single sign-on configuration for AWS Wickr

In the **SSO Configuration** section of the AWS Management Console for Wickr, you can configure Wickr to use a single sign-on system to authenticate. SSO provides an added layer of security when paired with an appropriate multi-factor authentication (MFA) system. Wickr supports SSO providers who use OpenID Connect (OIDC) only. Providers who use Security Assertion Markup Language (SAML) are not supported.

**Topics**
+ [View SSO details in AWS Wickr](view-sso-details.md)
+ [Configure SSO in AWS Wickr](configure-sso.md)
+ [Grace period for token refresh](token-refresh.md)

# View SSO details in AWS Wickr

You can view the details of your single sign-on configuration for your Wickr network and the network endpoint.

Complete the following procedure to view the current single sign-on configuration for your Wickr network, if any.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.  
![\[The Networks page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-admin-console-network-page-admin-link.png)

   You're redirected to the Wickr Admin Console for a specific network.  
![\[The Dashboard page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-network-admin-console-dashboard-page.png)

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **SSO Configuration**.

   The **Single Sign-on & LDAP Configuration** page displays your Wickr network endpoint and current SSO configuration.

# Configure SSO in AWS Wickr

To ensure secure access to your Wickr network, you can set up your current single sign-on configuration. Detailed guides are available to assist you with this process.

For more information about configuring SSO, see the following guides:

**Important**  
When you configure SSO, you specify a company ID for your Wickr network. Be sure to write down the company ID for your Wickr network. You must provide it to your end users when sending invitation emails. End users must specify the company ID when they register for your Wickr network.
+ [Configure AWS Wickr with Microsoft Entra (Azure AD) single sign-on](https://docs.aws.amazon.com/wickr/latest/adminguide/entra-ad-sso.html)
+ [Configure Okta single sign-on](https://support.wickr.com/hc/en-us/articles/360050850834-Setup-Okta-SSO)

# Configure AWS Wickr with Microsoft Entra (Azure AD) single sign-on

AWS Wickr can be configured to use Microsoft Entra (Azure AD) as an identity provider. To do so, complete the following procedures in both Microsoft Entra and the AWS Wickr admin console.

**Warning**  
After SSO is enabled on a network, active users are signed out of Wickr and must re-authenticate using the SSO provider.

## Step 1: Register AWS Wickr as an application in Microsoft Entra


Complete the following procedure to register AWS Wickr as an application in Microsoft Entra.

**Note**  
Refer to the Microsoft Entra documentation for detailed screenshots and troubleshooting. For more information, see [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).

1. In the navigation pane, choose **Applications** and then choose **App Registrations**.

1. On the **App Registrations** page, choose **Register an application**, and then enter an application name.

1. Select **Accounts in this organizational directory only (Default Directory only - Single tenant)**.

1. Under **Redirect URI**, select **Web**, and then enter the following web address: `https://messaging-pro-prod.wickr.com/deeplink/oidc.php`.
**Note**  
The Redirect URI can also be copied from the SSO configuration settings in the AWS Wickr Admin console. 

1. Choose **Register**.

1. After registration, copy/save the Application (Client) ID generated.  
![\[Client application ID image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/application-client-id.png)

1. Select the **Endpoints** tab to make a note of the following:

   1. OAuth 2.0 authorization endpoint (v2), for example: `https://login.microsoftonline.com/1ce43025-e4b1-462d-a39f-337f20f1f4e1/oauth2/v2.0/authorize`

   1. Edit this value to remove `oauth2/` and `authorize`. For example, the edited URL looks like this: `https://login.microsoftonline.com/1ce43025-e4b1-462d-a39f-337f20f1f4e1/v2.0/`

   1. This will be referenced as the **SSO Issuer**.

## Step 2: Set up authentication


Complete the following procedure to set up authentication in Microsoft Entra.

1. In the navigation pane, choose **Authentication**.

1. On the **Authentication** page, make sure that the **Web Redirect URI** is the same as entered previously (in *Register AWS Wickr as an Application*).  
![\[Client authentication image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/authentication.png)

1. Select **Access tokens used for implicit flows** and **ID tokens used for implicit and hybrid flows**.

1. Choose **Save**.  
![\[Request an access token image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/access-tokens.png)

## Step 3: Set up certificates and secrets


Complete the following procedure to set up certificates and secrets in Microsoft Entra.

1. In the navigation pane, choose **Certificates & secrets**.

1. On the **Certificates & secrets** page, select the **Client secrets** tab.

1. Under the **Client secrets** tab, select **New client secret**.

1. Enter a description and select an expiration period for the secret.

1. Choose **Add**.  
![\[Add client secret image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-create-client-secret.png)

1. After the certificate is created, copy the **Client secret value**.  
![\[An example of a client secret value.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-client-secret-value.png)
**Note**  
The client secret value (not Secret ID) will be required for your client application code. You may not be able to view or copy the secret value after leaving this page. If you do not copy it now, you will have to go back to create a new client secret.

## Step 4: Set up token configuration


Complete the following procedure to set up token configuration in Microsoft Entra.

1. In the navigation pane, choose **Token configuration**.

1. On the **Token configuration** page, choose **Add optional claim**.

1. Under **Optional claims**, select the **Token type** as **ID**.

1. After selecting **ID**, under **Claim**, select **email** and **upn**.

1. Choose **Add**.  
![\[Token type image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-token-type.png)

## Step 5: Set up API permissions


Complete the following procedure to set up API permissions in Microsoft Entra.

1. In the navigation pane, choose **API permissions**.

1. On the **API permissions** page, choose **Add a permission**.  
![\[Add a permission image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-api-permissions.png)

1. Select **Microsoft Graph** and then select **Delegated Permissions**.

1. Select the checkbox for **email**, **offline_access**, **openid**, **profile**.

1. Choose **Add permissions**.

## Step 6: Expose an API


Complete the following procedure to expose an API for each of the 4 scopes in Microsoft Entra.

1. In the navigation pane, choose **Expose an API**.

1. On the **Expose an API** page, choose **Add a scope**.  
![\[Expose an API image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-expose-an-api.png)

   **Application ID URI** should auto populate, and the ID that follows the URI should match the **Application ID** (created in *Register AWS Wickr as an application*).  
![\[Add a scope image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-add-scope.png)

1. Choose **Save and continue**.

1. Select the **Admins and users** tag, and then enter the scope name as **offline_access**.

1. Select **State**, and then select **Enable**.

1. Choose **Add scope**.

1. Repeat steps 1—6 of this section to add the following scopes: **email**, **openid**, and **profile**.  
![\[Add scopes image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/entra-scopes-api.png)

1. Under **Authorized client applications**, choose **Add a client application**.

1. Select all four scopes created in the previous step.

1. Enter or verify the **Application (client) ID**.

1. Choose **Add application**.

## Step 7: AWS Wickr SSO configuration


Complete the following configuration procedure in the AWS Wickr console.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **SSO Configuration**.

1. Under **Network Endpoint**, make sure the **Redirect URI** matches the following web address (added in step 4 under *Register AWS Wickr as an application*).

   `https://messaging-pro-prod.wickr.com/deeplink/oidc.php`.

1. Under **SSO Configuration**, choose **Start**.

1. Enter the following details:
   + **SSO Issuer** — This is the endpoint that was modified previously (E.g. `https://login.microsoftonline.com/1ce43025-e4b1-462d-a39f-337f20f1f4e1/v2.0/`).
   + **SSO Client ID** — This is the **Application (client) ID** from the **Overview** pane.
   + **Company ID** — This can be a unique text value including alphanumeric and underscore characters. This phrase is what your users will enter when registering on new devices.
   + **Client Secret** — This is the **Client secret** from the **Certificates & secrets** pane.
   + **Scopes** — These are the scope names exposed on the **Expose an API** pane. Enter **email**, **profile**, **offline_access**, and **openid**.
   + **Custom Username Scope** — Enter **upn**.

   *Other fields are optional.*

1. Choose **Test and Save**.

1. Choose **Save**.

SSO configuration is complete. To verify, you can now add a user to the application in Microsoft Entra, and then log in as that user using SSO and the Company ID.

For more information on how to invite and onboard users, see [Create and invite users](https://docs.aws.amazon.com/wickr/latest/adminguide/getting-started.html#getting-started-step3).

## Troubleshooting


Following are common issues you might encounter and suggestions for resolving them.
+ SSO Connection test fails or is unresponsive: 
  + Make sure the **SSO Issuer** is configured as expected.
  + Make sure the required fields in the **SSO Configured** are set as expected.
+ Connection test is successful, but the user is unable to login: 
  + Make sure the user is added to the Wickr application you registered in Microsoft Entra.
  + Make sure the user is using the correct company ID, including the prefix. *E.g. UE1-DemoNetworkW_drqtva*.
  + The **Client Secret** may not be set correctly in the **AWS Wickr SSO Configuration**. Reset it by creating another **Client secret** in Microsoft Entra and setting the new **Client secret** in the **Wickr SSO Configuration**.
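
Most of the failures listed above come from a value copied incorrectly between Microsoft Entra and the Wickr SSO form. The following Python script is an added example, not AWS or Wickr code: it derives the **SSO Issuer** from the Entra authorization endpoint as described in Step 1 and checks a planned configuration against the values this page specifies. The dictionary keys, function names, and the sample client ID and secret are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Values stated on this page.
WICKR_REDIRECT_URI = "https://messaging-pro-prod.wickr.com/deeplink/oidc.php"
REQUIRED_SCOPES = {"email", "profile", "offline_access", "openid"}
USERNAME_SCOPE = "upn"

AUTHORIZE_SUFFIX = "/oauth2/v2.0/authorize"
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Character set given for the Company ID field in Step 7; the prefixed form
# that users type at login is not checked here.
COMPANY_ID_RE = re.compile(r"[A-Za-z0-9_]+")


def derive_sso_issuer(authorization_endpoint):
    """Apply the Step 1 edit: drop 'oauth2/' and 'authorize' from the v2 endpoint."""
    parts = urlsplit(authorization_endpoint.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("authorization endpoint must be an absolute https URL")
    if parts.query or parts.fragment:
        raise ValueError("authorization endpoint must not carry a query or fragment")
    path = parts.path.rstrip("/")
    if not path.endswith(AUTHORIZE_SUFFIX):
        raise ValueError("path does not end in " + AUTHORIZE_SUFFIX)
    tenant = path[: -len(AUTHORIZE_SUFFIX)].strip("/")
    if not tenant or "/" in tenant:
        raise ValueError("could not isolate the tenant segment")
    return urlunsplit(("https", parts.netloc, "/" + tenant + "/v2.0/", "", ""))


def discovery_url(issuer):
    """Location of the issuer's OIDC discovery document (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_sso_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    issuer = cfg.get("sso_issuer", "")
    path = urlsplit(issuer).path
    if not issuer.startswith("https://"):
        findings.append("sso_issuer: must be an https URL")
    elif "/oauth2/" in path or path.rstrip("/").endswith("authorize"):
        findings.append("sso_issuer: still the unedited authorization endpoint")
    elif not path.endswith("/v2.0/"):
        findings.append("sso_issuer: expected the form https://<host>/<tenant>/v2.0/")
    elif not GUID_RE.fullmatch(path[: -len("/v2.0/")].strip("/")):
        # Step 1 registers a single-tenant app, so the segment should be a tenant ID.
        findings.append("sso_issuer: tenant segment is not a directory (tenant) ID")

    if cfg.get("redirect_uri") != WICKR_REDIRECT_URI:
        findings.append("redirect_uri: does not match the Wickr Redirect URI")

    if not GUID_RE.fullmatch(cfg.get("sso_client_id", "")):
        findings.append("sso_client_id: not an Application (client) ID")

    secret = cfg.get("client_secret", "")
    if not secret:
        findings.append("client_secret: empty")
    elif GUID_RE.fullmatch(secret):
        # Heuristic for the Step 3 note: the Secret ID is GUID-shaped, the value is not.
        findings.append("client_secret: looks like the Secret ID, not the secret value")

    if not COMPANY_ID_RE.fullmatch(cfg.get("company_id", "")):
        findings.append("company_id: use alphanumeric and underscore characters")

    scopes = cfg.get("scopes", [])
    if isinstance(scopes, str):
        scopes = scopes.replace(",", " ").split()
    missing = sorted(REQUIRED_SCOPES - set(scopes))
    if missing:
        findings.append("scopes: missing " + ", ".join(missing))

    if cfg.get("custom_username_scope") != USERNAME_SCOPE:
        findings.append("custom_username_scope: expected 'upn'")

    return findings


# Example endpoint from Step 1 of this page.
PAGE_AUTHORIZE_ENDPOINT = (
    "https://login.microsoftonline.com/"
    "1ce43025-e4b1-462d-a39f-337f20f1f4e1/oauth2/v2.0/authorize"
)

# Constructed sample configuration; client ID, secret and company ID are not real.
SAMPLE_CONFIG = {
    "sso_issuer": derive_sso_issuer(PAGE_AUTHORIZE_ENDPOINT),
    "redirect_uri": WICKR_REDIRECT_URI,
    "sso_client_id": "11111111-2222-4333-8444-555555555555",
    "client_secret": "constructed-secret-value",
    "company_id": "DemoNetwork_01",
    "scopes": ["email", "profile", "offline_access", "openid"],
    "custom_username_scope": "upn",
}

if __name__ == "__main__":
    print("SSO Issuer:", SAMPLE_CONFIG["sso_issuer"])
    print("Discovery document:", discovery_url(SAMPLE_CONFIG["sso_issuer"]))
    for finding in check_sso_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(" -", finding)
```

Opening the printed discovery document URL in a browser is a quick way to confirm that the issuer resolves before choosing **Test and Save**.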

# Grace period for token refresh


Occasionally, there may be instances where identity providers encounter temporary or extended outages, which may lead to your users being logged out unexpectedly due to a failed refresh token for their client session. To prevent this problem, you can establish a grace period that allows your users to remain signed in even if their client refresh token fails during such outages.

Here are the available options for the grace period:
+ No grace period (default): Users will be signed out immediately after a refresh token failure.
+ 30 minute grace period: Users can stay signed in for up to 30 minutes after a refresh token failure.
+ 60 minute grace period: Users can stay signed in for up to 60 minutes after a refresh token failure.

# Network tags for AWS Wickr

You can apply tags to Wickr networks. You can then use those tags to search and filter your Wickr networks or track your AWS costs. You can configure network tags in the **Network overview** page of the AWS Management Console for Wickr.

A tag is a [key-value pair](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) applied to a resource to hold metadata about that resource. Each tag is a label consisting of a key and a value. For more information on tags, see also [What are tags?](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/what-are-tags.html) and [Tagging use cases](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-use-cases.html).

**Topics**
+ [Manage network tags in AWS Wickr](manage-tags.md)
+ [Add a network tag in AWS Wickr](add-tag.md)
+ [Edit a network tag in AWS Wickr](edit-tag.md)
+ [Remove a network tag in AWS Wickr](remove-tag.md)

# Manage network tags in AWS Wickr

You can manage network tags for your Wickr network.

Complete the following procedure to manage network tags for your Wickr network.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. Select **Networks** from the navigation pane of the AWS Management Console for Wickr.  
![\[The AWS Management Console for Wickr.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-console-navpane-networks.png)

1. On the **Networks** page choose the name of the network for which you want to manage tags.  
![\[The Networks page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-networks-example-network.png)

1. In the **Network overview** page, choose **Manage tags**.  
![\[The Manage tags button.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-admin-console-manage-tags-button.png)

1. On the **Manage Tags** page, you can complete one of the following options:
   + **Add new tags** — Enter new tags in the form of a key and a value pair. Choose **Add new tag** to add multiple key value pairs. Tags are case-sensitive. For more information, see [Add a network tag in AWS Wickr](add-tag.md).
   + **Edit existing tags** — Select the key or value text for an existing tag, and then enter the modification into the text box. For more information, see [Edit a network tag in AWS Wickr](edit-tag.md).
   + **Remove existing tags** — Choose the **Remove** button that is listed next to the tag you want to delete. For more information, see [Remove a network tag in AWS Wickr](remove-tag.md).

# Add a network tag in AWS Wickr

You can add a network tag to your Wickr network.

Complete the following procedure to add a tag to your Wickr network. For more information about managing tags, see [Manage network tags in AWS Wickr](manage-tags.md).

1. On the **Manage tags** page, choose **Add new tag**.

1. In the blank **Key** and **Value** fields that appear, enter the new tag key and value.

1. Choose **Save changes** to save the new tags.  
![\[The Manage tags page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-admin-console-manage-tags-page-addtag.png)

# Edit a network tag in AWS Wickr

You can edit a network tag for your Wickr network.

Complete the following procedure to edit a tag associated with your Wickr network. For more information about managing tags, see [Manage network tags in AWS Wickr](manage-tags.md).

1. On the **Manage tags** page, edit the value of a tag.
**Note**  
You can't edit the key of a tag. Instead, remove the key and value pair, and add a new tag using the new key.  
![\[The Manage tags page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-console-manage-tags-page-edit-tag.png)

1. Choose **Save changes** to save your edits.

# Remove a network tag in AWS Wickr

You can remove a network tag from your Wickr network.

Complete the following procedure to remove a tag from your Wickr network. For more information about managing tags, see [Manage network tags in AWS Wickr](manage-tags.md).

1. On the **Manage tags** page, choose **Remove** for the tag you want to remove.  
![\[The Manage tags page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-console-manage-tags-page-remove-tag.png)

1. Choose **Save changes** to save your edits.

# Read receipts for AWS Wickr

Read receipts for AWS Wickr are notifications sent to the sender to show when their message has been read. These receipts are available in one-on-one conversations. A single check mark will appear for sent messages, and a solid circle with a check mark will appear for read messages. To see read receipts on messages during external conversations, both networks should have read receipts enabled.

Administrators can enable or disable read receipts in the administrator panel. This setting will be applied to the entire network.

Complete the following procedure to enable or disable read receipts.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Network Profile**.

1. On the **Network profile** page, in the **Read Receipts** section, choose **Edit**.

1. Select **Enable** or **Disable**.

# Manage network plan for AWS Wickr

In the **Manage Plan** section of the AWS Management Console for Wickr, you can manage your network plan based on your business needs.

To manage your network plan, complete the following procedure.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. In the navigation pane of the Wickr Admin Console, choose **Manage Plan**, and then choose **My Plan**.

1. On the **My Plan** page, choose your desired network plan. You can modify your current network plan by choosing one of the following:
   + **Standard —** For small and large business teams that need administrative controls and flexibility.
   + **Premium** or **Premium Free Trial —** For businesses that require the highest feature limits, granular administrative controls, and data retention.

     Administrators can choose the premium free trial option, which is available for up to 30 users and lasts three months. This offer is open to new, legacy-free trial, and standard plans. Administrators can upgrade or downgrade to Premium or Standard plans during the premium free trial period.
**Note**  
To stop usage and billing on your network, remove all users, including any suspended users, from your network.

## Premium free trial limitations


The following limitations apply to the premium free trial:
+ If a plan has ever been enrolled in a premium free trial before, it will not be eligible for another trial.
+ Only one network for each AWS account can be enrolled in a premium free trial.
+ The guest user feature is not available during the premium free trial.
+ If a standard network has more than 30 users, it will not be possible to upgrade to a premium free trial.

# Data retention for AWS Wickr

AWS Wickr data retention can retain all conversations in the network. This includes direct message conversations and conversations in Groups or Rooms between in-network (internal) members and those with other teams (external) with whom your network is federated. Data retention is only available to AWS Wickr Premium plan users and enterprise customers who opt in for data retention. For more information on the Premium plan, see [Wickr Pricing](https://aws.amazon.com/wickr/pricing/).

When a network administrator configures and activates data retention for their network, all messages and files shared in their network are retained in accordance with the organization's compliance policies. These .txt file outputs are accessible by the network administrator in an external location (for example, local storage, an Amazon S3 bucket, or any other storage of the user's choice), from where they can be analyzed, erased, or transferred.

**Note**  
Wickr never accesses your messages and files. Therefore, it is your responsibility to configure a data retention system.

**Topics**
+ [View data retention details in AWS Wickr](view-data-retention-details.md)
+ [Configure data retention for AWS Wickr](configure-data-retention.md)
+ [Get the data retention logs for your Wickr network](getting-data-retention-logs.md)
+ [Data retention metrics and events for your Wickr network](metrics-events.md)

# View data retention details in AWS Wickr
View data retention

Complete the following procedure to view the data retention details for your Wickr network. You can also enable or disable data retention for your Wickr network.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. Choose **Manage network**.

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Data Retention**.

   The **Data Retention** page displays steps for setting up data retention, and the option to activate or deactivate the data retention feature. For more information about configuring data retention, see [Configure data retention for AWS Wickr](configure-data-retention.md).

**Note**  
When data retention is activated, a **Data Retention Turned On** message will be visible for all users in your network informing them of the retention-enabled network. 

# Configure data retention for AWS Wickr
Configure data retention

To configure data retention for your AWS Wickr network, you must deploy the data retention bot Docker image to a container on a host, such as a local computer or an instance in Amazon Elastic Compute Cloud (Amazon EC2). After the bot is deployed, you can configure it to store data locally or in an Amazon Simple Storage Service (Amazon S3) bucket. You can also configure the data retention bot to use other AWS services like AWS Secrets Manager (Secrets Manager), Amazon CloudWatch (CloudWatch), Amazon Simple Notification Service (Amazon SNS), and AWS Key Management Service (AWS KMS). The following topics describe how to configure and run the data retention bot for your Wickr network.

**Topics**
+ [Prerequisites to configure data retention for AWS Wickr](#data-retention-prerequisites)
+ [Password for data retention bot in AWS Wickr](data-retention-password.md)
+ [Storage options for AWS Wickr network](data-retention-storage-options.md)
+ [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md)
+ [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md)
+ [IAM policy to use data retention with AWS services](data-retention-aws-services.md)
+ [Start the data retention bot for your Wickr network](starting-data-retention-bot.md)
+ [Stop the data retention bot for your Wickr network](stopping-data-retention-bot.md)

## Prerequisites to configure data retention for AWS Wickr
Prerequisites

Before you get started, you must get the data retention bot name (labeled as **Username**) and initial password from the AWS Management Console for Wickr. You must specify both of these values the first time you start the data retention bot. You must also enable data retention in the console. For more information, see [View data retention details in AWS Wickr](view-data-retention-details.md).

# Password for data retention bot in AWS Wickr
Password

The first time you start the data retention bot, you specify the initial password using one of the following options:
+ The `WICKRIO_BOT_PASSWORD` environment variable. The data retention bot environment variables are outlined in the [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) section later in this guide.
+ The **password** value in Secrets Manager identified by the `AWS_SECRET_NAME` environment variable. The Secrets Manager values for the data retention bot are outlined in the [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md) section later in this guide.
+ Enter the password when prompted by the data retention bot. You will need to run the data retention bot with interactive TTY access using the `-ti` option.

A new password will be generated when you configure the data retention bot for the first time. If you need to re-install the data retention bot, you use the generated password. The initial password is not valid after the initial installation of the data retention bot.

The new generated password will be displayed as shown in the following example.

**Important**  
Save the password in a safe place. If you lose the password you will not be able to re-install the data retention bot. Don't share this password. It provides the ability to start data retention for your Wickr network.

```
********************************************************************
**** GENERATED PASSWORD
**** DO NOT LOSE THIS PASSWORD, YOU WILL NEED TO ENTER IT EVERY TIME
**** TO START THE BOT
 "HuEXAMPLERAW4lGgEXAMPLEn"
 ********************************************************************
```

# Storage options for AWS Wickr network
Storage options

After data retention is enabled and the data retention bot is configured for your Wickr network, it will capture all messages and files sent within your network. Messages are saved in files which are limited to a specific size or time limit that can be configured using an environment variable. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md).

You can configure one of the following options for storing this data:
+ Store all captured messages and files locally. This is the default option. It's your responsibility to move local files to another system for long-term storage, and to make sure the host disk does not run out of memory or space.
+ Store all captured messages and files in an Amazon S3 bucket. The data retention bot will save all decrypted messages and files to the Amazon S3 bucket you specify. The captured messages and files are removed from the host machine after they are successfully saved to the bucket.
+ Store all captured messages and files encrypted in an Amazon S3 bucket. The data retention bot will re-encrypt all captured messages and files using a key that you supply and save them to the Amazon S3 bucket you specify. The captured messages and files are removed from the host machine after they are successfully re-encrypted and saved to the bucket. You will need software to decrypt the messages and files.

  For more information about creating an Amazon S3 bucket to use with your data retention bot, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the *Amazon S3 User Guide*.

# Environment variables to configure data retention bot in AWS Wickr
Environment variables

You can use the following environment variables to configure the data retention bot. You set these environment variables using the `-e` option when you run the data retention bot Docker image. For more information, see [Start the data retention bot for your Wickr network](starting-data-retention-bot.md).

**Note**  
These environment variables are optional unless otherwise specified.

Use the following environment variables to specify the data retention bot credentials:
+ `WICKRIO_BOT_NAME` — The name of the data retention bot. This variable is *required* when you run the data retention bot Docker image.
+ `WICKRIO_BOT_PASSWORD` — The initial password for the data retention bot. For more information, see [Prerequisites to configure data retention for AWS Wickr](configure-data-retention.md#data-retention-prerequisites). This variable is *required* if you don't plan to start the data retention bot with a password prompt or you don't plan to use Secrets Manager to store the data retention bot credentials.

Use the following environment variables to configure the default data retention streaming capabilities:
+ `WICKRIO_COMP_MESGDEST` – The path name to the directory where messages will be streamed. The default value is `/tmp/<botname>/compliance/messages`.
+ `WICKRIO_COMP_FILEDEST` – The path name to the directory where files will be streamed. The default value is `/tmp/<botname>/compliance/attachments`.
+ `WICKRIO_COMP_BASENAME` – The base name for the received messages files. The default value is `receivedMessages`.
+ `WICKRIO_COMP_FILESIZE` – The maximum file size for a received messages file in kibibyte (KiB). A new file is started when the max size is reached. The default value is `1000000000`, as in 1024 GiB.
+ `WICKRIO_COMP_TIMEROTATE` – The amount of time, in minutes, for which the data retention bot will put received messages into a received messages file. A new file is started when the time limit is reached. You can only use the file size or time to limit the size of the received messages file. The default value is `0`, as in no limit.

Use the following environment variable to define the default AWS Region to use.
+ `AWS_DEFAULT_REGION` – The default AWS Region to use for AWS services like Secrets Manager (not used for Amazon S3 or AWS KMS). The `us-east-1` Region is used by default if this environment variable is not defined.

Use the following environment variables to specify the Secrets Manager secret to use when you opt to use Secrets Manager to store the data retention bot credentials and AWS service information. For more information about the values you can store in Secrets Manager see [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).
+ `AWS_SECRET_NAME` – The name of the Secrets Manager secret that contains the credentials and AWS service information needed by the data retention bot.
+ `AWS_SECRET_REGION` – The AWS Region that the AWS secret is located in. If you are using AWS secrets and this value is not defined the `AWS_DEFAULT_REGION` value will be used.

**Note**  
You can store all of the following environment variables as values in Secrets Manager. If you opt to use Secrets Manager, and you store these values there, then you don't need to specify them as environment variables when you run the data retention bot Docker image. You only need to specify the `AWS_SECRET_NAME` environment variable described earlier in this guide. For more information, see [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).

Use the following environment variables to specify the Amazon S3 bucket when you opt to store messages and files to a bucket.
+ `WICKRIO_S3_BUCKET_NAME` – The name of the Amazon S3 bucket where messages and files will be stored.
+ `WICKRIO_S3_REGION` – The AWS Region of the Amazon S3 bucket where messages and files will be stored.
+ `WICKRIO_S3_FOLDER_NAME` – The optional folder name in the Amazon S3 bucket where messages and files will be stored. This folder name will be preceded with the key for messages and files saved to the Amazon S3 bucket.

Use the following environment variables to specify the AWS KMS details when you opt to use client side encryption to re-encrypt files when saving them to an Amazon S3 bucket.
+ `WICKRIO_KMS_MSTRKEY_ARN` – The Amazon Resource Name (ARN) of the AWS KMS master key used to re-encrypt the message files and files on the data retention bot before they are saved to the Amazon S3 bucket.
+ `WICKRIO_KMS_REGION` – The AWS Region where the AWS KMS master key is located.

Use the following environment variable to specify the Amazon SNS details when you opt to send data retention events to an Amazon SNS topic. The events sent include startup, shutdown, as well as error conditions.
+ `WICKRIO_SNS_TOPIC_ARN` – The ARN of the Amazon SNS topic that you want data retention events sent to.

Use the following environment variable to send data retention metrics to CloudWatch. If specified, the metrics will be generated every 60 seconds.
+ `WICKRIO_METRICS_TYPE` – Set the value of this environment variable to `cloudwatch` to send metrics to CloudWatch.

# Secrets Manager values for AWS Wickr
Secrets Manager values

You can use Secrets Manager to store the data retention bot credentials and AWS service information. For more information about creating a Secrets Manager secret, see [Create an AWS Secrets Manager secret ](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *Secrets Manager User Guide*.

The Secrets Manager secret can have the following values:
+ `password` – The data retention bot password.
+ `s3_bucket_name` – The name of the Amazon S3 bucket where messages and files will be stored. If not set, the default file streaming will be used.
+ `s3_region` – The AWS Region of the Amazon S3 bucket where messages and files will be stored.
+ `s3_folder_name` – The optional folder name in the Amazon S3 bucket where messages and files will be stored. This folder name will be preceded with the key for messages and files saved to the Amazon S3 bucket.
+ `kms_master_key_arn` – The ARN of the AWS KMS master key used to re-encrypt the message files and files on the data retention bot before they are saved to the Amazon S3 bucket.
+ `kms_region` – The AWS Region where the AWS KMS master key is located.
+ `sns_topic_arn` – The ARN of the Amazon SNS topic that you want data retention events sent to.

# IAM policy to use data retention with AWS services
IAM policy

If you plan to use other AWS services with the Wickr data retention bot, you must ensure the host has the appropriate AWS Identity and Access Management (IAM) role and policy to access them. You can configure the data retention bot to use Secrets Manager, Amazon S3, CloudWatch, Amazon SNS, and AWS KMS. The following IAM policy allows access to specific actions for these services.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "secretsmanager:GetSecretValue",
                "sns:Publish",
                "cloudwatch:PutMetricData",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
    ]
}
```

You can create a stricter IAM policy by identifying the specific objects for each service that you want to allow the containers on your host to access. Remove the actions for the AWS services that you do not intend to use. For example, if you intend to use only an Amazon S3 bucket, then use the following policy, which removes the `secretsmanager:GetSecretValue`, `sns:Publish`, `kms:GenerateDataKey`, and `cloudwatch:PutMetricData` actions.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "*"
        }
    ]
}
```

If you are using an Amazon Elastic Compute Cloud (Amazon EC2) instance to host your data retention bot, create an IAM role using the Amazon EC2 common case and assign a policy using the policy definition from above.
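The stricter, resource-scoped policy described above can be generated from the same values you give the bot. The following Python sketch is an added example, not AWS or Wickr code: the name `build_bot_policy`, the SNS topic name, and the treatment of the folder name as an S3 key prefix are assumptions, and the `cloudwatch:namespace` condition restricts metric writes to the `WickrIO` namespace the bot uses.

```python
import json
import re


def _check_arn(arn, partition, service, resource):
    """Reject values that are not ARNs of the expected service and partition."""
    pattern = r"arn:%s:%s:[a-z0-9-]+:\d{12}:%s" % (re.escape(partition), service, resource)
    if not re.fullmatch(pattern, arn):
        raise ValueError(f"not a {service} ARN in partition {partition}: {arn}")
    return arn


def _allow(sid, action, resource, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Action": action, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return stmt


def build_bot_policy(account_id, *, bucket=None, folder=None, kms_key_arn=None,
                     sns_topic_arn=None, secret_name=None, secret_region="us-east-1",
                     cloudwatch=False, partition="aws"):
    """Emit only the statements the configured features need, each scoped to one resource."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    statements = []
    if bucket:
        # Assumption: the folder name is used as a key prefix inside the bucket.
        prefix = folder.strip("/") + "/" if folder else ""
        statements.append(_allow("RetentionBucketWrite", "s3:PutObject",
                                 f"arn:{partition}:s3:::{bucket}/{prefix}*"))
    if kms_key_arn:
        if not bucket:
            raise ValueError("the KMS key is only used when saving to an S3 bucket")
        statements.append(_allow("RetentionDataKey", "kms:GenerateDataKey",
                                 _check_arn(kms_key_arn, partition, "kms", r"key/.+")))
    if sns_topic_arn:
        statements.append(_allow("RetentionEvents", "sns:Publish",
                                 _check_arn(sns_topic_arn, partition, "sns", r".+")))
    if secret_name:
        # Secrets Manager appends a hyphen and six random characters to the ARN.
        statements.append(_allow(
            "RetentionBotSecret", "secretsmanager:GetSecretValue",
            f"arn:{partition}:secretsmanager:{secret_region}:{account_id}:secret:{secret_name}-??????"))
    if cloudwatch:
        # PutMetricData has no resource-level scoping, so constrain the namespace instead.
        statements.append(_allow("RetentionMetrics", "cloudwatch:PutMetricData", "*",
                                 {"StringEquals": {"cloudwatch:namespace": "WickrIO"}}))
    if not statements:
        raise ValueError("no AWS service selected; the bot needs no IAM policy")
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Placeholder values from this guide; the topic name is constructed.
    policy = build_bot_policy(
        "111122223333",
        bucket="bucket-name",
        folder="folder-name",
        kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab",
        sns_topic_arn="arn:aws:sns:us-east-1:111122223333:wickr-retention-events",
        secret_name="wickr/data/retention/bot",
        cloudwatch=True,
    )
    print(json.dumps(policy, indent=4))
```
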

# Start the data retention bot for your Wickr network
Start the bot

Before you run the data retention bot, you should determine how you want to configure it. If you plan to run the bot on a host that:
+ Will not have access to AWS services, then your options are limited. In that case you will use the default message streaming options. You should decide whether you want to limit the size of the captured message files to a specific size or time interval. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md).
+ Will have access to AWS services, then you should create a Secrets Manager secret to store the bot credentials, and AWS service configuration details. After the AWS services are configured, you can proceed to start the data retention bot Docker image. For more information about the details you can store in a Secrets Manager secret, see [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).

The following sections show example commands to run the data retention bot Docker image. In each of the example commands, replace the following example values with your own:
+ `compliance_1234567890_bot` with the name of your data retention bot.
+ `password` with the password for your data retention bot.
+ `wickr/data/retention/bot` with the name of your Secrets Manager secret to use with your data retention bot.
+ `bucket-name` with the name of the Amazon S3 bucket where messages and files will be stored.
+ `folder-name` with the folder name in the Amazon S3 bucket where messages and files will be stored.
+ `us-east-1` with the AWS Region of the resource you're specifying. For example, the Region of the AWS KMS master key or the Region of the Amazon S3 bucket.
+ `arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab` with the Amazon Resource Name (ARN) of your AWS KMS master key to use to re-encrypt message files and files.

# Start the bot with password environment variable (no AWS service)
Start bot with password environment variable

The following Docker command starts the data retention bot. The password is specified using the `WICKRIO_BOT_PASSWORD` environment variable. The bot starts using the default file streaming, and using the default values defined in the [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) section of this guide.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e WICKRIO_BOT_PASSWORD='password' \
wickr/bot-compliance-cloud:latest
```

# Start the bot with password prompt (no AWS service)
Start bot with password prompt

The following Docker command starts the data retention bot. The password is entered when prompted by the data retention bot. The bot starts using the default file streaming, and using the default values defined in the [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) section of this guide.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
wickr/bot-compliance-cloud:latest

docker attach compliance_1234567890_bot
.
.
.
Enter the password:************
Re-enter the password:************
```

Run the bot using the `-ti` option to receive the password prompt. You should also run the `docker attach <container ID or container name>` command immediately after starting the docker image so that you get the password prompt. You should run both of these commands in a script. If you attach to the docker image and don’t see the prompt, press **Enter** and you will see the prompt.

# Start the bot with 15 minute message file rotation (no AWS service)
Start bot with 15 minute message file rotation

The following Docker command starts the data retention bot using environment variables. It also configures the bot to start a new received messages file every 15 minutes.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e WICKRIO_BOT_PASSWORD='password' \
-e WICKRIO_COMP_TIMEROTATE=15 \
wickr/bot-compliance-cloud:latest
```

# Start the bot and specify the initial password with Secrets Manager
Start bot and specify initial password with Secrets Manager

You can use Secrets Manager to supply the data retention bot’s password. When you start the data retention bot, you will need to set an environment variable that specifies the Secrets Manager secret where this information is stored.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e AWS_SECRET_NAME='wickrpro/alpha/new-3-bot' \
wickr/bot-compliance-cloud:latest
```

The `wickrpro/compliance/compliance_1234567890_bot` secret has the following secret value in it, shown as plaintext.

```
{
    "password":"password"
}
```

# Start the bot and configure Amazon S3 with Secrets Manager
Start bot and configure Amazon S3 with Secrets Manager

You can use Secrets Manager to host the credentials and the Amazon S3 bucket information. When you start the data retention bot, you will need to set an environment variable that specifies the Secrets Manager secret where this information is stored.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e AWS_SECRET_NAME='wickrpro/alpha/compliance_1234567890_bot' \
wickr/bot-compliance-cloud:latest
```

The `wickrpro/compliance/compliance_1234567890_bot` secret has the following secret value in it, shown as plaintext.

```
{
    "password":"password",
    "s3_bucket_name":"bucket-name",
    "s3_region":"us-east-1",
    "s3_folder_name":"folder-name"
}
```

Messages and files received by the bot will be put in the `bot-compliance` bucket in the folder named `network1234567890`.

# Start the bot and configure Amazon S3 and AWS KMS with Secrets Manager
Start bot and configure Amazon S3 and AWS KMS with Secrets Manager

You can use Secrets Manager to host the credentials, the Amazon S3 bucket, and AWS KMS master key information. When you start the data retention bot, you will need to set an environment variable that specifies the Secrets Manager secret where this information is stored.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e AWS_SECRET_NAME='wickrpro/alpha/compliance_1234567890_bot' \
wickr/bot-compliance-cloud:latest
```

The `wickrpro/compliance/compliance_1234567890_bot` secret has the following secret value in it, shown as plaintext.

```
{
    "password":"password",
    "s3_bucket_name":"bucket-name",
    "s3_region":"us-east-1",
    "s3_folder_name":"folder-name",
    "kms_master_key_arn":"arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab",
    "kms_region":"us-east-1"
}
```

Messages and files received by the bot will be encrypted using the KMS key identified by the ARN value, then put in the `bot-compliance` bucket in the folder named `network1234567890`. Make sure you have the appropriate IAM policy set up.

# Start the bot and configure Amazon S3 using environment variables
Start bot and configure Amazon S3 using environment variables

If you don't want to use Secrets Manager to host the data retention bot credentials, you can start the data retention bot Docker image with the following environment variables. You must identify the name of the data retention bot using the `WICKRIO_BOT_NAME` environment variable.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e WICKRIO_BOT_PASSWORD='password' \
-e WICKRIO_S3_BUCKET_NAME='bot-compliance' \
-e WICKRIO_S3_FOLDER_NAME='network1234567890' \
-e WICKRIO_S3_REGION='us-east-1' \
wickr/bot-compliance-cloud:latest
```

You can use environment values to identify the data retention bot’s credentials, information about Amazon S3 buckets, and configuration information for the default file streaming.

# Stop the data retention bot for your Wickr network
Stop the bot

The software running on the data retention bot captures `SIGTERM` signals and shuts down gracefully. Use the `docker stop <container ID or container name>` command, as shown in the following example, to send the `SIGTERM` signal to the data retention bot container.

```
docker stop compliance_1234567890_bot
```

# Get the data retention logs for your Wickr network
Get logs

The software running on the data retention bot Docker image will output to log files in the `/tmp/<botname>/logs` directory. They will rotate to a maximum of 5 files. You can get the logs by running the following command.

```
docker logs <botname>
```

Example:

```
docker logs compliance_1234567890_bot
```

# Data retention metrics and events for your Wickr network
Data retention metrics and events

Following are the Amazon CloudWatch (CloudWatch) metrics and Amazon Simple Notification Service (Amazon SNS) events that are currently supported by the 5.116 version of the AWS Wickr data retention bot.

**Topics**
+ [CloudWatch metrics for your Wickr network](cloudwatch-metrics.md)
+ [Amazon SNS events for your Wickr network](sns-events.md)

# CloudWatch metrics for your Wickr network


Metrics are generated by the bot in 1 minute intervals and transmitted to the CloudWatch service associated with the account the data retention bot Docker image is running on.

Following are the existing metrics supported by the data retention bot.


| Metric | Description | 
| --- | --- | 
|  Messages_Rx  |  Messages received.  | 
|  Messages_Rx_Failed  |  Failures to process received messages.  | 
|  Messages_Saved  |  Messages saved to the received messages file.  | 
|  Messages_Saved_Failed  |  Failures to save messages to the received messages file.  | 
|  Files_Saved  |  Files received.  | 
|  Files_Saved_Bytes  |  Number of bytes for files received.  | 
|  Files_Saved_Failed  |  Failures to save files.  | 
|  Logins  |  Logins (normally this will be 1 for each interval).  | 
|  Login_Failures  |  Failures to login (normally this will be 1 for each interval).  | 
|  S3_Post_Errors  |  Errors posting message files and files to Amazon S3 bucket.  | 
|  Watchdog_Failures  |  Watchdog failures.  | 
|  Watchdog_Warnings  |  Watchdog warnings.  | 

Metrics are generated to be consumed by CloudWatch. The namespace used for bots is `WickrIO`. Each metric has an array of dimensions. Following is the list of dimensions that are posted with the above metrics.


| Dimension | Value | 
| --- | --- | 
|  Id  |  The bot's username.  | 
|  Device  |  Description of specific bot device or instance. Useful if you are running multiple bot devices or instances.  | 
|  Product  |  The product for the bot. Can be `WickrPro_` or `WickrEnterprise_` with `Alpha`, `Beta`, or `Production` appended.  | 
|  BotType  |  The bot type. Labeled as **Compliance** for the compliance bots.  | 
|  Network  |  The ID of the associated network.  | 

# Amazon SNS events for your Wickr network


The following events are posted to the Amazon SNS topic defined by the Amazon Resource Name (ARN) value identified using the `WICKRIO_SNS_TOPIC_ARN` environment variable or the `sns_topic_arn` Secrets Manager secret value. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) and [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).

Events generated by the data retention bot are sent as JSON strings. The following values are included in the events as of the 5.116 version of the data retention bot.


| Name | Value | 
| --- | --- | 
|  complianceBot  |  The username of the data retention bot.  | 
|  dateTime  |  The date and time when the event occurred.  | 
|  device  |  A description of the specific bot device or instance. Useful if you are running multiple bot instances.  | 
|  dockerImage  |  The Docker image associated with the bot.  | 
|  dockerTag  |  The tag or version of the Docker image.  | 
|  message  |  The event message. For more information see [Critical events](#sns-critical-events) and [Normal events](#sns-normal-events).  | 
|  notificationType  |  This value will be `Bot Event`.  | 
|  severity  |  The severity of the event. Can be `normal` or `critical`.  | 

You must subscribe to the Amazon SNS topic so that you can receive the events. If you subscribe using an email address, an email will be sent to you containing information similar to the following example.

```
{
  "complianceBot": "compliance_1234567890_bot",
  "dateTime": "2022-10-12T13:05:39",
  "device": "Desktop 1234567890ab",
  "dockerImage": "wickr/bot-compliance-cloud",
  "dockerTag": "5.116.13.01",
  "message": "Logged in",
  "notificationType": "Bot Event",
  "severity": "normal"
}
```

## Critical events


These events will cause the bot to stop or restart. The number of restarts is limited to avoid causing other issues.

**Login failures**

Following are the possible events that can be generated when the bot fails to login. Each message will indicate the reason for the login failure.


| Event type | Event message | 
| --- | --- | 
|  failedlogin  |  Bad credentials. Check the password.  | 
|  failedlogin  |  User not found.  | 
|  failedlogin  |  Account or device is suspended.  | 
|  provisioning  |  User exited the command.  | 
|  provisioning  |  Bad password for the `config.wickr` file.  | 
|  provisioning  |  Cannot read the `config.wickr` file.  | 
|  failedlogin  |  Logins all failed.  | 
|  failedlogin  |  New user but database already exists.  | 

**More critical events**


| Event type | Event messages | 
| --- | --- | 
|  Suspended Account  |  WickrIOClientMain::slotAdminUserSuspend: code(%1): reason: %2“  | 
|  BotDevice Suspended  |  Device is suspended\$1  | 
|  WatchDog  |  The SwitchBoard system is down for more than <*N*> minutes  | 
|  S3 Failures  |  Failed to put file <*file-name*> on S3 bucket. Error: <*AWS-error*>  | 
|  Fallback Key  |  SERVER SUBMIITED FALLBACK KEY: Is not a recognized client active fallback key. Please submit logs to desktop engineering.  | 

## Normal events


Following are the events that warn you about normal operating occurrences. Too many occurrences of these types of events within a specific time period may be cause for concern.

**Device added to account**

This event is generated when a new device is added to the data retention bot account. Under some circumstances, this can be an important indication that someone has created an instance of the data retention bot. Following is the message for this event.

```
A device has been added to this account!
```

**Bot logged in**

This event is generated when the bot has successfully logged in. Following is the message for this event.

```
Logged in
```

**Shutting down**

This event is generated when the bot is shutting down. If the user did not explicitly initiate this, it could be an indication of a problem. Following is the message for this event.

```
Shutting down
```

**Updates available**

This event is generated when the data retention bot is started and it identifies that there is a newer version of the associated Docker image available. This event is generated when the bot starts, and on a daily basis. This event includes the `versions` array field which identifies the new versions that are available. Following is an example of what this event looks like.

```
{
  "complianceBot": "compliance_1234567890_bot",
  "dateTime": "2022-10-12T13:05:55",
  "device": "Desktop 1234567890ab",
  "dockerImage": "wickr/bot-compliance-cloud",
  "dockerTag": "5.116.13.01",
  "message": "There are updates available",
  "notificationType": "Bot Event",
  "severity": "normal",
  "versions": [
    "5.116.10.01"
  ]
}
```
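The events above can be triaged automatically by whatever consumes the Amazon SNS topic. The following Python sketch is an added example, not part of the data retention bot: the function name `triage`, the finding labels, the thresholds, and every sample event other than the two shown in this guide are constructed, and it assumes events arrive in time order.

```python
import json
from datetime import datetime, timedelta

DEVICE_ADDED = "A device has been added to this account!"
SHUTTING_DOWN = "Shutting down"
LOGGED_IN = "Logged in"
UPDATES = "There are updates available"


def triage(raw_events, bot_name, known_devices, burst=3, window=timedelta(minutes=10)):
    """Return (kind, dateTime, detail) findings for a list of raw SNS message bodies."""
    findings, logins = [], []
    for raw in raw_events:
        try:
            ev = json.loads(raw)
            when = datetime.fromisoformat(ev["dateTime"])
            msg, severity, device = ev["message"], ev["severity"], ev["device"]
        except (ValueError, KeyError, TypeError):
            findings.append(("malformed", None, raw[:60]))
            continue
        # Anything not published by the expected bot is reported, not interpreted.
        if ev.get("notificationType") != "Bot Event" or ev.get("complianceBot") != bot_name:
            findings.append(("unexpected-source", when, str(ev.get("complianceBot"))))
            continue
        # A device description you have not deployed may be another bot instance.
        if device not in known_devices:
            findings.append(("unknown-device", when, device))
        if severity == "critical":
            findings.append(("critical", when, msg))
        elif msg == DEVICE_ADDED:
            findings.append(("device-added", when, device))
        elif msg == SHUTTING_DOWN:
            findings.append(("shutdown", when, device))
        elif msg == UPDATES:
            findings.append(("update-available", when, ", ".join(ev.get("versions", []))))
        elif msg == LOGGED_IN:
            # Repeated logins in a short window suggest a restart loop.
            logins.append(when)
            recent = [t for t in logins if when - t <= window]
            if len(recent) == burst:
                findings.append(("login-burst", when, f"{burst} logins within {window}"))
    return findings


def _event(time, message, severity="normal", device="Desktop 1234567890ab", **extra):
    """Build a constructed event with the fields listed in the table above."""
    return json.dumps({
        "complianceBot": "compliance_1234567890_bot", "dateTime": f"2022-10-12T{time}",
        "device": device, "dockerImage": "wickr/bot-compliance-cloud",
        "dockerTag": "5.116.13.01", "message": message,
        "notificationType": "Bot Event", "severity": severity, **extra})


# Constructed sample input; the first two entries mirror the examples in this guide.
SAMPLE_EVENTS = [
    _event("13:05:39", LOGGED_IN),
    _event("13:05:55", UPDATES, versions=["5.116.10.01"]),
    _event("14:00:00", DEVICE_ADDED),
    _event("14:00:05", LOGGED_IN, device="Desktop ffffffffffff"),
    _event("14:10:00", "Bad credentials. Check the password.", severity="critical"),
    _event("14:10:02", SHUTTING_DOWN),
    _event("14:10:30", LOGGED_IN),
    _event("14:11:00", LOGGED_IN),
    _event("14:11:30", LOGGED_IN),
    "not json",
]

if __name__ == "__main__":
    for kind, when, detail in triage(SAMPLE_EVENTS, "compliance_1234567890_bot",
                                     {"Desktop 1234567890ab"}):
        print(f"{kind:18} {when} {detail}")
```
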

# What is ATAK?
What is ATAK?

The Android Team Awareness Kit (ATAK)—or Android Tactical Assault Kit (also ATAK) for military use—is a smart phone geospatial infrastructure and situational awareness application that enables safe collaboration over geography. While it was initially designed for use in combat zones, ATAK has been adapted to fit the missions of local, state, and federal agencies.

**Topics**
+ [Enable ATAK in the Wickr Network Dashboard](#atak)
+ [Additional information about ATAK](#additional-information)
+ [Install and pair the Wickr plugin for ATAK](install-and-pair.md)
+ [Unpair the Wickr Plugin for ATAK](unpair.md)
+ [Dial and receive a call in ATAK](dial-and-receive-call.md)
+ [Send a file in ATAK](send-a-file.md)
+ [Send a secure voice message (Push-to-talk) in ATAK](send-secure-voice-message.md)
+ [Pinwheel (Quick Access) for ATAK](pinwheel.md)
+ [Navigation for ATAK](navigation.md)

## Enable ATAK in the Wickr Network Dashboard

AWS Wickr supports many agencies that use Android Tactical Assault Kit (ATAK). However, until now, ATAK operators that use Wickr have had to leave the application in order to do so. To help reduce disruptions and operational risk, Wickr has developed a plugin that enhances ATAK with secure communication features. With the Wickr plugin for ATAK, users can message, collaborate, and transfer files on Wickr within the ATAK application. This eliminates interruptions and the complexity of configuring ATAK’s chat features.

### Enable ATAK in the Wickr Network Dashboard


Complete the following procedure to enable ATAK in the Wickr Network Dashboard.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, choose the **Admin** link to navigate to the Wickr Admin Console for that network.  
![\[The Networks page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-admin-console-network-page-admin-link.png)

   You're redirected to the Wickr Admin Console for a specific network.  
![\[The Dashboard page.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/wickr-network-admin-console-dashboard-page.png)

1. In the navigation pane of the Wickr Admin Console, choose **Network Settings**, and then choose **Security Group**.

1. Choose **Details** next to the security group for which you want to enable ATAK.

1. On the **General** tab, choose **Edit**.

1. In the **ATAK Functionality** section:

   1. Enter the package name in the **Packages** text box. You can enter one of the following values, depending on the version of ATAK that your users will install and use:
      + `com.atakmap.app.civ` — Enter this value into the **Packages** text box if your Wickr end users are going to install and use the civilian version of the ATAK application on their Android devices.
      + `com.atakmap.app.mil` — Enter this value into the **Packages** text box if your Wickr end users are going to install and use the military version of the ATAK application on their Android devices.

   1. Slide the **ATAK** toggle to the right to turn on the functionality.

   1. Choose **Save**.  
![\[The ATAK Functionality section of the Wickr Network Dashboard.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak_functionality_toggle.png)

   ATAK is now enabled for the selected Wickr Network, and the selected Security Group. You should ask the Android users in the security group for which you enabled the ATAK functionality to install the Wickr plugin for ATAK. For more information, see [Install and pair the Wickr ATAK plugin](https://docs.aws.amazon.com/wickr/latest/userguide/atak.html).

## Additional information about ATAK


For more information about the Wickr plugin for ATAK, see the following:


+ [Wickr ATAK Plugin Overview](https://wickr.com/wp-content/uploads/2022/12/Wickr-ATAK-Plugin-Overview.pdf)
+ [Additional Wickr ATAK Plugin Information](http://wickr.com/atak-plugin)

# Install and pair the Wickr plugin for ATAK

The Android Team Awareness Kit (ATAK) is an Android solution used by the US military, state, and governmental agencies that require situational awareness capabilities for mission planning, execution, and incident response. ATAK has a plugin architecture which allows developers to add functionality. It enables users to navigate using GPS and geospatial map data overlaid with real-time situational awareness of ongoing events. In this document, we show you how to install the Wickr plugin for ATAK on an Android device and pair it with the Wickr client. This allows you to message and collaborate on Wickr without exiting the ATAK application.

## Install the Wickr plugin for ATAK


Complete the following procedure to install the Wickr plugin for ATAK on an Android device.

1. Go to the Google Play store, and install the Wickr for ATAK plugin.

1. Open the ATAK application on your Android device.

1. In the ATAK application, choose the menu icon (![\[Menu icon\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak_hamburger_icon.png)) at the top-right of the screen, and then choose **Plugins**.

1. Choose **Import**.

1. On the **Select Import Type** pop-up, choose **Local SD** and navigate to where you saved the Wickr plugin for ATAK .apk file.

1. Choose the plugin file and follow the prompts to install it.

   **Note**  
   If you are asked to send the plugin file for scanning, choose **No**.

1. The ATAK application will ask if you would like to load the plugin. Choose **OK**.

The Wickr plugin for ATAK is now installed. Continue to the following section, Pair ATAK with Wickr, to finish the process.

## Pair ATAK with Wickr


Complete the following procedure to pair the ATAK application with Wickr after you have successfully installed the Wickr plugin for ATAK.

1. In the ATAK application, choose the menu icon (![\[Menu icon\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak_hamburger_icon.png)) at the top-right of the screen, and then choose **Wickr Plugin**.

1. Choose **Pair Wickr**.

   A notification prompt will appear asking you to review permissions for the Wickr plugin for ATAK. If the notification prompt doesn't appear, open the Wickr client and go to **Settings**, then **Connected Apps**. You should see the plugin under the **Pending** section of the screen.

1. Choose **Approve** to pair.

1. Choose the **Open Wickr ATAK Plugin** button to go back to the ATAK application.

   You have now successfully paired the ATAK plugin and Wickr, and can use the plugin to send messages and collaborate using Wickr without exiting the ATAK application.

# Unpair the Wickr Plugin for ATAK

You can unpair the Wickr plugin for ATAK.

Complete the following procedure to unpair the ATAK plugin from Wickr.

1. In the native app, choose **Settings**, and then choose **Connected Apps**.

1. On the **Connected Apps** screen, choose **Wickr ATAK Plugin**.

1. On the **Wickr ATAK Plugin** screen, choose **Remove** at the bottom of the screen.

   You have now successfully unpaired the Wickr plugin for ATAK.

# Dial and receive a call in ATAK

You can dial and receive a call in the Wickr plugin for ATAK.

Complete the following procedure to dial and receive a call.

1. Open a chat window.

1. In the **Map** view, choose the icon for the user you want to call.

1. Choose the phone icon at the top-right of the screen.

1. Once connected, you can return to the ATAK plugin view and receive a call.

# Send a file in ATAK

You can send a file in the Wickr plugin for ATAK.

Complete the following procedure to send a file.

1. Open a chat window.

1. In the **Map** view, search for the user to whom you want to send a file.

1. When you find the user to whom you want to send a file, select their name.

1. On the **Send File** screen, select **Choose File**, and then navigate to the file that you want to send.  
![\[Menu pane for users.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-choose-file.png)

1. On the browser window, choose the desired file.

1. On the **Send File** screen, choose **Send File**.

   The download icon displays, indicating the file you selected is being downloaded.

# Send a secure voice message (Push-to-talk) in ATAK

You can send a secure voice message (Push-to-talk) in the Wickr plugin for ATAK.

Complete the following procedure to send a secure voice message.

1. Open a chat window.

1. Choose the Push-to-Talk icon at the top of the screen, indicated by an icon of a person talking.   
![\[Push-to-talk icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-wickr-push-to-talk-icon.png)

1. Select and hold the **Hold Button Down to Record** button.  
![\[Record button.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-secure-voice-message.png)

1. Record your message.

1. After you record your message, release the button to send.

# Pinwheel (Quick Access) for ATAK

The pinwheel, or quick access, feature is used for one-on-one conversations or direct messages.

Complete the following procedure to use the pinwheel.

1. Open the split screen view of the ATAK map and the Wickr for ATAK plugin simultaneously. The map displays your teammates or assets on the map view.

1. Choose the user icon to open the pinwheel. 

1. Choose the Wickr icon to view the available options for the selected user.  
![\[Wickr icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-pinwheel-wickr-icon.png)

1. On the pinwheel, choose one of the following icons:
   + **Phone**: Choose to call.  
![\[Pinwheel call icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-pinwheel-call.png)
   + **Message**: Choose to chat.  
![\[Pinwheel chat icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-pinwheel-message.png)
   + **File send**: Choose to send a file.  
![\[Pinwheel send a file icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/atak-pinwheel-send.png)

# Navigation for ATAK

The plugin UI contains three plugin views that are indicated by the blue and white shapes at the bottom-right of the screen. Swipe left and right to navigate between the views.
+ **Contacts view**: Create a direct message group or room conversation.
+ **DMs view**: Create a one-to-one conversation. Chat functionality works as in the Wickr native app. This functionality allows you to remain in the Map view and communicate with others on the plugin.
+ **Rooms view**: The existing rooms in the native app are ported over. Anything done in the plugin reflects in the Wickr native app.

**Note**  
Certain functions, such as deleting a room, can only be performed in the native app and in person to prevent unintended modification by users and interference caused by field equipment.

# Ports and domains to allow list for your Wickr network

Allow list the following ports to ensure Wickr functions correctly:

**Ports**
+ TCP port 443 (for messages and attachments)
+ UDP ports 16384-16584 (for calling)

## Domains and addresses to allowlist by Region


If you need to allowlist all possible calling domains and server IP addresses, see the following list of potential CIDRs by Region. Check this list periodically, as it is subject to change.

**Note**  
Registration and verification emails are sent from `no-reply@amazonaws.com` and `donotreply@wickr.email`.

### US East (N. Virginia)



|  |  | 
| --- |--- |
| Domains: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
| Calling IP addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Asia Pacific (Malaysia)



|  |  | 
| --- |--- |
| Domains: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
| Calling IP addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Asia Pacific (Singapore)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Asia Pacific (Sydney)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Asia Pacific (Tokyo)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Canada (Central)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Europe (Frankfurt)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Messaging IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Europe (London)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Europe (Stockholm)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### Europe (Zurich)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

### AWS GovCloud (US-West)



|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/allow-list-ports-domains.html)  | 

# GovCloud cross boundary classification and federation

AWS Wickr offers the WickrGov client, tailored for GovCloud users. The GovCloud Federation allows communication between GovCloud users and commercial users. The cross boundary classification feature enables user interface changes to conversations for GovCloud users. As a GovCloud user, you must adhere to strict guidelines concerning government-defined classification. When GovCloud users engage in conversations with commercial users (Enterprise, AWS Wickr, Guest users), they will see the following unclassified warnings displayed:
+ A U tag in the room list 
+ An unclassified acknowledgment on the message screen
+ An unclassified banner on top of the conversation

![\[Messaging app interface showing rooms list, chat window, and security notice for Finance Room.\]](http://docs.aws.amazon.com/wickr/latest/adminguide-classic/images/gov-cloud-cross-boundary.png)


**Note**  
These warnings will only be shown when a GovCloud user is in conversation or part of a room with external users. They will disappear if the external users leave the conversation. No warnings will be shown in conversations between GovCloud users.