

This guide documents the new AWS Wickr administration console, released on March 13, 2025. For documentation on the classic version of the AWS Wickr administration console, see [Classic Administration Guide](https://docs.aws.amazon.com/wickr/latest/adminguide-classic/what-is-wickr.html).

# Manage your AWS Wickr network
<a name="managing-network"></a>

In the AWS Management Console for Wickr you can manage your Wickr network name, security groups, SSO configuration, and data retention settings.

**Topics**
+ [Network details for AWS Wickr](network-profile.md)
+ [Security groups for AWS Wickr](security-groups.md)
+ [Single sign-on configuration for AWS Wickr](sso-configuration.md)
+ [Network tags for AWS Wickr](network-tags.md)
+ [Read receipts for AWS Wickr](read-receipts.md)
+ [Manage network plan for AWS Wickr](manage-plan.md)
+ [Data retention for AWS Wickr](data-retention.md)
+ [What is ATAK?](what-is-atak.md)
+ [Ports and domains to allow list for your Wickr network](allow-list-ports-domains.md)
+ [GovCloud cross boundary classification and federation](govcloud-cross-boundary.md)
+ [File preview for AWS Wickr](file-preview.md)

# Network details for AWS Wickr
<a name="network-profile"></a>

You can edit the name of your Wickr network and view your network ID in the **Network details** section of the AWS Management Console for Wickr.

**Topics**
+ [View network details in AWS Wickr](view-network-profile.md)
+ [Edit network name in AWS Wickr](edit-network-name.md)
+ [Delete network in AWS Wickr](delete-network.md)

# View network details in AWS Wickr
<a name="view-network-profile"></a>

You can view the details of your Wickr network, including your network name and network ID.

Complete the following procedure to view your Wickr network profile and network ID.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, find the network you want to view. 

1. On the right-hand side of the network you want to view, select the vertical ellipsis icon (three dots), and then choose **View details**.

   The **Network home** page displays your Wickr network name and network ID in the **Network details** section. You can use the network ID to configure federation.

# Edit network name in AWS Wickr
<a name="edit-network-name"></a>

You can edit the name of your Wickr network.

Complete the following procedure to edit your Wickr network name.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to the Wickr Admin Console for that network.

1. On the **Network home** page, in the **Network details** section, choose **Edit**.

1. Enter your new network name into the **Network Name** text box.

1. Choose **Save** to save your new network name.

# Delete network in AWS Wickr
<a name="delete-network"></a>

You can delete your AWS Wickr network.

**Note**  
If you delete a premium free trial network, you won't be able to create another one.

**To delete your Wickr network on the Networks home page, complete the following procedure**.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, find the network you want to delete. 

1. On the right-hand side of the network you want to delete, select the vertical ellipsis icon (three dots), and then choose **Delete network**.

1. Type **confirm** in the pop-up window, and then choose **Delete**.

   It can take a few minutes for the network to delete.

**To delete your Wickr network while in the network, complete the following procedure**.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network you want to delete. 

1. Near the top right corner of the **Network home** page, choose **Delete network**. 

1. Type **confirm** in the pop-up window, and then choose **Delete**.

   It can take a few minutes for the network to delete.
**Note**  
Data retained by your data retention configuration (if enabled) will not be deleted when you delete your network. For more information, see [Data retention for AWS Wickr](https://docs.aws.amazon.com//wickr/latest/adminguide/data-retention.html).

# Security groups for AWS Wickr
<a name="security-groups"></a>

In the **Security Groups** section of the AWS Management Console for Wickr, you can manage security groups and their settings, such as password complexity policies, messaging preferences, calling features, security features and network federation.

**Topics**
+ [View security groups in AWS Wickr](view-security-groups.md)
+ [Create a security group in AWS Wickr](create-security-group.md)
+ [Edit a security group in AWS Wickr](edit-security-group.md)
+ [Delete a security group in AWS Wickr](delete-security-group.md)

# View security groups in AWS Wickr
<a name="view-security-groups"></a>

You can view the details of your Wickr security groups.

Complete the following procedure to view security groups.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Security groups**.

   The **Security groups** page displays your current Wickr security groups and gives you the option to create a new group.

   On the **Security groups** page, select the security group you want to view. The page will display the current details for that security group.

# Create a security group in AWS Wickr
<a name="create-security-group"></a>

You can create a new Wickr security group.

Complete the following procedure to create a security group.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Security groups**.

1. On the **Security groups** page, choose **Create security group** to create a new security group.
**Note**  
A new security group with a default name is automatically added to the security groups list.

1. On the **Create security group** page, enter the name of your security group.

1. Choose **Create security group**.

   For more information about editing the new security group, see [Edit a security group in AWS Wickr](edit-security-group.md).

# Edit a security group in AWS Wickr
<a name="edit-security-group"></a>

You can edit the details of your Wickr security group.

Complete the following procedure to edit a security group.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Security groups**.

1. Select the name of the security group that you want to edit.

   The security group details page displays the settings for the security group in different tabs.

1. The following tabs and corresponding settings are available:
   + **Security group details** — Choose **Edit** in the **Security group details** section to edit the name.
   + **Messaging** — Manage messaging features for members of the group.
     + **Burn-on-read** — Controls the maximum value that users can set for their burn-on-read timers in their Wickr clients. For more information, see [Set message expiration and burn timers in the Wickr client](https://docs.aws.amazon.com//wickr/latest/userguide/message-timers.html).
     + **Expiration timer** — Controls the maximum value that users can set for their message expiration timer in their Wickr clients. For more information, see [Set message expiration and burn timers in the Wickr client](https://docs.aws.amazon.com//wickr/latest/userguide/message-timers.html).
     + **Message forwarding** — Controls whether users can forward messages in their Wickr clients. For more information, see [Forward messages in the Wickr client](https://docs.aws.amazon.com//wickr/latest/userguide/message-forwarding.html).
     + **Quick responses** — Set a list of quick responses for users to respond to messages.
     + **Secure shredder intensity** — Configure how frequently the secure shredder control runs for users. For more information, see [Messaging](https://docs.aws.amazon.com//wickr/latest/enterpriseadminguide/messaging.html).
   + **Calling** — Manage calling features for members of the group. 
     + **Enable audio calling** — Users can initiate audio calls. 
     + **Enable video calling and screen sharing** — Users can start video calls or share their screen during a call.
     + **TCP calling** — Enabling (or forcing) TCP calling is typically used when standard VoIP UDP ports are disallowed by an organization's IT or security department. If TCP calling is disabled, and UDP ports are not available for use, Wickr clients will try UDP first and fall back to TCP.
   + **Media and links** — Manage settings related to media and links for members of the group.

     **File download size** — Select **Best quality transfer** to allow users to transfer files and attachments in their original encrypted form. If you select **Low bandwidth transfer**, file attachments sent by users in Wickr will be compressed by the Wickr file transfer service.
   + **Location** — Manage location sharing settings for members of the group.

     **Location sharing** — Users can share their locations using GPS-enabled devices. This feature displays a visual map based on the device's operating system defaults. Users have the option to disable the map view and share a link containing their GPS coordinates instead.
   + **Security** — Configure additional security features for the group.
     + **Enable account takeover protection** — Enforce two-factor authentication when a user adds a new device to their account. To verify a new device, the user can generate a Wickr code from their old device or perform an email verification. This is an additional layer of security to prevent unauthorized access to AWS Wickr accounts.
     + **Enable always re-authenticate** — Force users to always re-authenticate when re-entering the application.
     + **Master recovery key** — Creates a Master recovery key when an account is created. Users can approve the addition of a new device to their account if no other devices are available.
   + **Notification and visibility** — Configure notification and visibility settings such as message previews in notifications for members of the group.
   + **Wickr open access** — Configure Wickr open access settings for members of the group.
     + **Enable Wickr open access** — Enabling Wickr open access will disguise traffic to protect data on restricted and monitored networks. Based on geographic location, Wickr open access will connect to various global proxy servers that provide the best path and protocols for traffic obfuscation.
     + **Force Wickr open access** — Automatically enables and enforces Wickr open access on all devices.
   + **Federation** — Control your users' ability to communicate with other Wickr networks.
     + **Local federation** — The ability to federate with AWS users in other networks within the same region. For example, if there are two networks in AWS Canada (Central) Region with local federation enabled, they will be able to communicate with each other. 
     + **Global federation** — The ability to federate with either Wickr Enterprise users or AWS users in a different network who belong to other regions. For example, a user on a Wickr network in AWS Canada (Central) Region, and a user in a network in AWS Europe (London) Region will be able to communicate with each other when global federation is turned **ON** for both networks. 
     + **Restricted federation** — Allow list specific AWS Wickr or Wickr Enterprise networks that users can federate with. When configured, users can only communicate with external users in allow listed networks. Both networks must allow list each other to use restricted federation.

       For information on guest federation, see [Enable or disable guest users in AWS Wickr network](https://docs.aws.amazon.com//wickr/latest/adminguide/guest-users-enable-disable.html).
   + **ATAK plugin configuration** — For more information on enabling ATAK, see [What is ATAK?](https://docs.aws.amazon.com//wickr/latest/adminguide/what-is-atak.html).

1. Choose **Save** to save edits you make to the security group details.

# Delete a security group in AWS Wickr
<a name="delete-security-group"></a>

You can delete your Wickr security group.

Complete the following procedure to delete a security group.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Security groups**.

1. On the **Security groups** page, find the security group you want to delete.

1. On the right-hand side of the security group you want to delete, select the vertical ellipsis icon (three dots), and then choose **Delete**.

1. Type **confirm** in the pop-up window, and then choose **Delete**.

   When you delete a security group that has assigned users, those users are automatically added to the default security group. To modify the security group assigned to users, see [Edit users in AWS Wickr network](edit-users.md).

# Single sign-on configuration for AWS Wickr
<a name="sso-configuration"></a>

In the AWS Management Console for Wickr, you can configure Wickr to use a single sign-on system to authenticate. SSO provides an added layer of security when paired with an appropriate multi-factor authentication (MFA) system. Wickr supports SSO providers who use OpenID Connect (OIDC) only. Providers who use Security Assertion Markup Language (SAML) are not supported.

**Topics**
+ [View SSO details in AWS Wickr](view-sso-details.md)
+ [Configure SSO in AWS Wickr](configure-sso.md)
+ [Grace period for token refresh](token-refresh.md)

# View SSO details in AWS Wickr
<a name="view-sso-details"></a>

You can view the details of your single sign-on configuration for your Wickr network and the network endpoint.

Complete the following procedure to view the current single sign-on configuration for your Wickr network, if any.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **User Management**.

   On the **User Management** page, the **Single Sign-on** section displays your Wickr network endpoint and current SSO configuration.

# Configure SSO in AWS Wickr
<a name="configure-sso"></a>

To ensure secure access to your Wickr network, you can set up your current single sign-on configuration. Detailed guides are available to assist you with this process.

**Important**  
When you configure SSO, you specify a company ID for your Wickr network. Be sure to record this company ID. You must provide it to your end users when sending invitation emails. End users must specify the company ID when they register for your Wickr network.
In September 2025, AWS Wickr introduced an improved, more secure SSO connection system. To take advantage of these security enhancements, organizations using SSO must migrate to a new redirect URI by March 09, 2026. For migration instructions, see the following AWS re:Post article: [Migrating to the New SSO Redirect URI for AWS Wickr](https://repost.aws/articles/ARwG2sEMHkShKNn77mc8pc8Q/migrating-to-the-new-sso-redirect-uri-for-aws-wickr).

For more information about configuring SSO, see the following guides:
+ [AWS Wickr Single Sign-on (SSO) setup with Microsoft Entra (Azure AD)](https://docs.aws.amazon.com/wickr/latest/adminguide/entra-ad-sso.html)
+ [AWS Wickr Single Sign-on (SSO) setup with Okta](https://repost.aws/articles/ARqcPJ8MctR02Om4APlBEANw/aws-wickr-single-sign-on-sso-setup-with-okta)
+ [AWS Wickr Single Sign-on (SSO) setup with Amazon Cognito](https://repost.aws/articles/ARIOjROyJDTfutje_DJW9wWg/aws-wickr-single-sign-on-sso-setup-with-amazon-cognito)

# Configure AWS Wickr with Microsoft Entra (Azure AD) single sign-on
<a name="entra-ad-sso"></a>

AWS Wickr can be configured to use Microsoft Entra (Azure AD) as an identity provider. To do so, complete the following procedures in both Microsoft Entra and the AWS Wickr admin console.

**Warning**  
After SSO is enabled on a network it will sign active users out of Wickr and force them to re-authenticate using the SSO provider.

## Step 1: Register AWS Wickr as an application in Microsoft Entra
<a name="step-1-entra-wickr-application"></a>

Complete the following procedure to register AWS Wickr as an application in Microsoft Entra.

**Note**  
Refer to the Microsoft Entra documentation for detailed screenshots and troubleshooting. For more information, see [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).

1. In the navigation pane, choose **Applications** and then choose **App Registrations**.

1. On the **App Registrations** page, choose **Register an application**, and then enter an application name.

1. Select **Accounts in this organizational directory only (Default Directory only - Single tenant)**.

1. Under **Redirect URI**, select **Web**, and then enter the redirect URI available in the SSO configuration settings in the AWS Wickr Admin console.

1. Choose **Register**.

1. After registration, copy/save the Application (Client) ID generated.  
![\[Client application ID image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/application-client-id.png)

1. Select the **Endpoints** tab to make a note of the following:

   1. OAuth 2.0 authorization endpoint (v2), for example: `https://login.microsoftonline.com/1ce43025-e4b1-462d-a39f-337f20f1f4e1/oauth2/v2.0/authorize`

   1. Edit this value to remove "oauth2/" and "authorize". For example, the edited URL will look like this: `https://login.microsoftonline.com/1ce43025-e4b1-462d-a39f-337f20f1f4e1/v2.0/`

   1. This will be referenced as the **SSO Issuer**.

## Step 2: Set up authentication
<a name="step-2-entra-setup-authentication"></a>

Complete the following procedure to set up authentication in Microsoft Entra.

1. In the navigation pane, choose **Authentication**.

1. On the **Authentication** page, make sure that the **Web Redirect URI** is the same as entered previously (in *Register AWS Wickr as an Application*).  
![\[Client authentication image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/authentication.png)

1. Select **Access tokens used for implicit flows** and **ID tokens used for implicit and hybrid flows**.

1. Choose **Save**.  
![\[Request an access token image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/access-tokens.png)

## Step 3: Set up certificates and secrets
<a name="step-3-entra-setup-certificates"></a>

Complete the following procedure to set up certificates and secrets in Microsoft Entra.

1. In the navigation pane, choose **Certificates & secrets**.

1. On the **Certificates & secrets** page, select the **Client secrets** tab.

1. Under the **Client secrets** tab, select **New client secret**.

1. Enter a description and select an expiration period for the secret.

1. Choose **Add**.  
![\[Add client secret image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-create-client-secret.png)

1. After the certificate is created, copy the **Client secret value**.  
![\[An example of a client secret value.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-client-secret-value.png)
**Note**  
The client secret value (not Secret ID) will be required for your client application code. You may not be able to view or copy the secret value after leaving this page. If you do not copy it now, you will have to go back to create a new client secret.

## Step 4: Set up token configuration
<a name="step-4-entra-setup-token"></a>

Complete the following procedure to set up token configuration in Microsoft Entra.

1. In the navigation pane, choose **Token configuration**.

1. On the **Token configuration** page, choose **Add optional claim**.

1. Under **Optional claims**, select the **Token type** as **ID**.

1. After selecting **ID**, under **Claim**, select **email** and **upn**.

1. Choose **Add**.  
![\[Token type image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-token-type.png)

## Step 5: Set up API permissions
<a name="step-5-entra-setup-api-permissions"></a>

Complete the following procedure to set up API permissions in Microsoft Entra.

1. In the navigation pane, choose **API permissions**.

1. On the **API permissions** page, choose **Add a permission**.  
![\[Add an permission image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-api-permissions.png)

1. Select **Microsoft Graph** and then select **Delegated Permissions**.

1. Select the checkbox for **email**, **offline_access**, **openid**, **profile**.

1. Choose **Add permissions**.

## Step 6: Expose an API
<a name="step-6-entra-expose-api"></a>

Complete the following procedure to expose an API for each of the 4 scopes in Microsoft Entra.

1. In the navigation pane, choose **Expose an API**.

1. On the **Expose an API** page, choose **Add a scope**.  
![\[Expose an API image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-expose-an-api.png)

   **Application ID URI** should auto populate, and the ID that follows the URI should match the **Application ID** (created in *Register AWS Wickr as an application*).  
![\[Add a scope image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-add-scope.png)

1. Choose **Save and continue**.

1. Select the **Admins and users** tag, and then enter the scope name as **offline_access**.

1. Select **State**, and then select **Enable**.

1. Choose **Add scope**.

1. Repeat steps 1—6 of this section to add the following scopes: **email**, **openid**, and **profile**.  
![\[Add scopes image.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/entra-scopes-api.png)

1. Under **Authorized client applications**, choose **Add a client application**.

1. Select all four scopes created in the previous step.

1. Enter or verify the **Application (client) ID**.

1. Choose **Add application**.

## Step 7: AWS Wickr SSO configuration
<a name="step-7-wickr-sso-configuration"></a>

Complete the following configuration procedure in the AWS Wickr console.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **User management**, and then choose **Configure SSO**.

1. Enter the following details:
   + **Issuer** — This is the endpoint that was modified previously (E.g. `https://login.microsoftonline.com/1ce43025-e4b1-462d-a39f-337f20f1f4e1/v2.0/`).
   + **Client ID** — This is the **Application (client) ID** from the **Overview** pane.
   + **Client secret (optional)** — This is the **Client secret** from the **Certificates & secrets** pane.
   + **Scopes** — These are the scope names exposed on the **Expose an API** pane. Enter **email**, **profile**, **offline_access**, and **openid**.
   + **Custom username scope (optional)** — Enter **upn**.
   + **Company ID** — This can be a unique text value including alphanumeric and underscore characters. This phrase is what your users will enter when registering on new devices.

   *Other fields are optional.*

1. Choose **Next**.

1. Verify the details in the **Review and save** page, and then choose **Save changes**.

SSO configuration is complete. To verify, you can now add a user to the application in Microsoft Entra, and log in as that user using SSO and the company ID.

For more information on how to invite and onboard users, see [Create and invite users](https://docs.aws.amazon.com/wickr/latest/adminguide/getting-started.html#getting-started-step3).

## Troubleshooting
<a name="troubleshooting"></a>

Following are common issues you might encounter and suggestions for resolving them.
+ SSO Connection test fails or is unresponsive: 
  + Make sure the **SSO Issuer** is configured as expected.
  + Make sure the required fields in the **SSO Configured** are set as expected.
+ Connection test is successful, but the user is unable to log in: 
  + Make sure the user is added to the Wickr application you registered in Microsoft Entra.
  + Make sure the user is using the correct company ID, including the prefix. *E.g. UE1-DemoNetworkW_drqtva*.
  + The **Client Secret** may not be set correctly in the **AWS Wickr SSO Configuration**. Re-set it by creating another **Client secret** in Microsoft Entra and set the new **Client secret** in the **Wickr SSO Configuration**.
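
The issuer edit from Step 1 and the field checks implied by Step 7 and the troubleshooting list above can be run before saving the configuration. The following is an added Python example, not code from the AWS documentation; the `config` key names, the client ID, the secret, and the sample discovery document are constructed for illustration, and the tenant ID is the example value used on this page.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Scopes that Step 7 says to enter in the Wickr SSO configuration.
REQUIRED_SCOPES = {"email", "profile", "offline_access", "openid"}
GUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

TENANT = "1ce43025-e4b1-462d-a39f-337f20f1f4e1"  # example tenant ID from this page

# Constructed sample in the shape of an OIDC discovery document, which an OIDC
# provider publishes under its issuer at .well-known/openid-configuration.
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint":
        f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

# Hypothetical record of the values typed into Configure SSO (key names assumed).
GOOD_CONFIG = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0/",
    "client_id": "00000000-0000-0000-0000-0000000000aa",  # constructed
    "client_secret": "constructed-secret-value-not-real",  # constructed
    "scopes": ["email", "profile", "offline_access", "openid"],
}


def derive_issuer(authorize_endpoint: str) -> str:
    """Apply the Step 1 edit: drop 'oauth2/' and 'authorize', keep the final '/'."""
    parts = urlsplit(authorize_endpoint.strip())
    if parts.scheme != "https":
        raise ValueError("authorization endpoint must use https")
    segments = [s for s in parts.path.split("/") if s]
    # Expected path shape: <tenant>/oauth2/v2.0/authorize
    if (len(segments) != 4 or segments[1] != "oauth2"
            or segments[2] != "v2.0" or segments[3] != "authorize"):
        raise ValueError("not an OAuth 2.0 authorization endpoint (v2)")
    return urlunsplit(("https", parts.netloc, f"/{segments[0]}/v2.0/", "", ""))


def check_sso_config(config: dict, discovery: dict) -> list:
    """Return a list of problems found in the values destined for Configure SSO."""
    problems = []
    issuer = config.get("issuer", "")
    parts = urlsplit(issuer)
    segments = [s for s in parts.path.split("/") if s]

    if parts.scheme != "https":
        problems.append("issuer is not an https URL")
    if "oauth2" in segments or "authorize" in segments:
        problems.append("issuer still contains 'oauth2' or 'authorize'")
    # Step 1 registers a single-tenant app, so the first segment is a tenant GUID.
    if not segments or not GUID.match(segments[0]):
        problems.append("issuer tenant segment is not a tenant ID GUID")
    # Compare with the provider's own issuer; a trailing slash is ignored
    # because the two forms may differ only by that.
    if discovery.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("issuer does not match the discovery document")

    scopes = set(config.get("scopes", []))
    missing = REQUIRED_SCOPES - scopes
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    unsupported = scopes - set(discovery.get("scopes_supported", []))
    if unsupported:
        problems.append("scopes not offered by the provider: "
                        + ", ".join(sorted(unsupported)))

    if not GUID.match(config.get("client_id", "")):
        problems.append("client ID is not an Application (client) ID GUID")
    # Step 3 note: Wickr needs the secret *value*. The Secret ID is a GUID,
    # so a GUID here usually means the wrong column was copied.
    if GUID.match(config.get("client_secret", "")):
        problems.append("client secret looks like a Secret ID, not the value")
    return problems


if __name__ == "__main__":
    endpoint = SAMPLE_DISCOVERY["authorization_endpoint"]
    print("SSO Issuer:", derive_issuer(endpoint))
    for problem in check_sso_config(GOOD_CONFIG, SAMPLE_DISCOVERY) or ["no problems"]:
        print("-", problem)
```

In practice the discovery dictionary would be the JSON fetched from the provider rather than the inline sample.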

# Grace period for token refresh
<a name="token-refresh"></a>

Occasionally, there may be instances where identity providers encounter temporary or extended outages, which may lead to your users being logged out unexpectedly due to a failed refresh token for their client session. To prevent this problem, you can establish a grace period that allows your users to remain signed in even if their client refresh token fails during such outages.

Here are the available options for the grace period:
+ No grace period (default): Users will be signed out immediately after a refresh token failure.
+ 30 minute grace period: Users can stay signed in for up to 30 minutes after a refresh token failure.
+ 60 minute grace period: Users can stay signed in for up to 60 minutes after a refresh token failure.

# Network tags for AWS Wickr
<a name="network-tags"></a>

You can apply tags to Wickr networks. You can then use those tags to search and filter your Wickr networks or track your AWS costs. You can configure network tags on the **Network home** page of the AWS Management Console for Wickr.

A tag is a [key-value pair](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) applied to a resource to hold metadata about that resource. Each tag is a label consisting of a key and a value. For more information on tags, see also [What are tags?](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/what-are-tags.html) and [Tagging use cases](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-use-cases.html).

**Topics**
+ [Manage network tags in AWS Wickr](manage-tags.md)
+ [Add a network tag in AWS Wickr](add-tag.md)
+ [Edit a network tag in AWS Wickr](edit-tag.md)
+ [Remove a network tag in AWS Wickr](remove-tag.md)

# Manage network tags in AWS Wickr
<a name="manage-tags"></a>

You can manage network tags for your Wickr network.

Complete the following procedure to manage network tags for your Wickr network.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. On the **Network home** page, in the **Tags** section, choose **Manage tags**.

1. On the **Manage tags** page, you can complete one of the following options:
   + **Add new tags** — Enter new tags in the form of a key and a value pair. Choose **Add new tag** to add multiple key value pairs. Tags are case-sensitive. For more information, see [Add a network tag in AWS Wickr](add-tag.md).
   + **Edit existing tags** — Select the key or value text for an existing tag, and then enter the modification into the text box. For more information, see [Edit a network tag in AWS Wickr](edit-tag.md).
   + **Remove existing tags** — Choose the **Remove** button listed next to the tag you want to delete. For more information, see [Remove a network tag in AWS Wickr](remove-tag.md).

# Add a network tag in AWS Wickr
<a name="add-tag"></a>

You can add a network tag to your Wickr network.

Complete the following procedure to add a tag to your Wickr network. For more information about managing tags, see [Manage network tags in AWS Wickr](manage-tags.md).

1. On the **Network home** page, in the **Tags** section, choose **Add new tag**.

1. On the **Manage tags** page, choose **Add new tag**.

1. In the blank **Key** and **Value** fields that appear, enter the new tag key and value.

1. Choose **Save changes** to save the new tags.

# Edit a network tag in AWS Wickr
<a name="edit-tag"></a>

You can edit a network tag for your Wickr network.

Complete the following procedure to edit a tag associated with your Wickr network. For more information about managing tags, see [Manage network tags in AWS Wickr](manage-tags.md).

1. On the **Manage tags** page, edit the value of a tag.
**Note**  
You can't edit the key of a tag. Instead, remove the key and value pair, and add a new tag using the new key.

1. Choose **Save changes** to save your edits.

# Remove a network tag in AWS Wickr
<a name="remove-tag"></a>

You can remove a network tag from your Wickr network.

Complete the following procedure to remove a tag from your Wickr network. For more information about managing tags, see [Manage network tags in AWS Wickr](manage-tags.md).

1. On the **Manage tags** page, choose **Remove** for the tag you want to remove.

1. Choose **Save changes** to save your edits.

# Read receipts for AWS Wickr
<a name="read-receipts"></a>

Read receipts for AWS Wickr are notifications sent to the sender to show when their message has been read. These receipts are available in one-on-one conversations. A single check mark will appear for sent messages, and a solid circle with a check mark will appear for read messages. To see read receipts on messages during external conversations, both networks should have read receipts enabled.

Administrators can enable or disable read receipts in the administrator panel. This setting will be applied to the entire network.

Complete the following procedure to enable or disable read receipts.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Network policies**.

1. On the **Network policies** page, in the **Messaging** section, choose **Edit**.

1. Select the checkbox to **Enable** or **Disable** read receipts.

1. Choose **Save changes**.

# Manage network plan for AWS Wickr
<a name="manage-plan"></a>

In the AWS Management Console for Wickr, you can manage your network plan based on your business needs.

To manage your network plan, complete the following procedure.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. On the **Network home** page, in the **Network details** section, choose **Edit**.

1. On the **Edit network details** page, choose your desired network plan. You can modify your current network plan by choosing one of the following:
   + **Standard —** For small and large business teams that need administrative controls and flexibility.
   + **Premium** or **Premium Free Trial —** For businesses that require the highest feature limits, granular administrative controls, and data retention.

     Administrators have the option to select a premium free trial, which is available for up to 30 users and lasts for three months. For AWS WickrGov, the premium free trial option allows up to 50 users and also lasts for three months. This offer is open to new and standard plans. During the premium free trial period, administrators can upgrade or downgrade to Premium or Standard plans.

**Note**  
To stop usage and billing on your network, remove all users, including any suspended users, from your network.

## Premium free trial limitations
<a name="premium-free-trial-limitations"></a>

The following limitations apply to the premium free trial:
+ If a plan has ever been enrolled in a premium free trial before, it will not be eligible for another trial.
+ Only one network for each AWS account can be enrolled in a premium free trial.
+ The guest user feature is not available during the premium free trial.
+ If a standard network has more than 30 users (more than 50 users for AWS WickrGov), it will not be possible to upgrade to a premium free trial.

# Data retention for AWS Wickr
<a name="data-retention"></a>

AWS Wickr data retention can retain all conversations in your network. This includes direct message conversations and conversations in Groups or Rooms between in-network (internal) members and those with other teams (external) with whom your network is federated. Data retention is only available to AWS Wickr Premium plan users and enterprise customers who opt in for data retention. For more information on the Premium plan, see [Wickr Pricing](https://aws.amazon.com/wickr/pricing/).

When a network administrator configures and activates data retention for their network, all messages and files shared in their network are retained in accordance with the organization's compliance policies. These .txt file outputs are accessible by the network administrator in an external location (for example, local storage, an Amazon S3 bucket, or any other storage of the user's choice), from where they can be analyzed, erased, or transferred.

**Note**  
Wickr never accesses your messages and files. Therefore, it is your responsibility to configure a data retention system.

**Topics**
+ [View data retention details in AWS Wickr](view-data-retention-details.md)
+ [Configure data retention for AWS Wickr](configure-data-retention.md)
+ [Get the data retention logs for your Wickr network](getting-data-retention-logs.md)
+ [Data retention metrics and events for your Wickr network](metrics-events.md)

# View data retention details in AWS Wickr
<a name="view-data-retention-details"></a>

Complete the following procedure to view the data retention details for your Wickr network. You can also enable or disable data retention for your Wickr network.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Network policies**.

1. The **Network policies** page displays steps for setting up data retention, and the option to activate or deactivate the data retention feature. For more information about configuring data retention, see [Configure data retention for AWS Wickr](configure-data-retention.md).

**Note**  
When data retention is activated, a **Data Retention Turned On** message will be visible for all users in your network informing them of the retention-enabled network. 

# Configure data retention for AWS Wickr
<a name="configure-data-retention"></a>

To configure data retention for your AWS Wickr network, you must deploy the data retention bot Docker image to a container on a host, such as a local computer or an instance in Amazon Elastic Compute Cloud (Amazon EC2). After the bot is deployed, you can configure it to store data locally or in an Amazon Simple Storage Service (Amazon S3) bucket. You can also configure the data retention bot to use other AWS services like AWS Secrets Manager (Secrets Manager), Amazon CloudWatch (CloudWatch), Amazon Simple Notification Service (Amazon SNS), and AWS Key Management Service (AWS KMS). The following topics describe how to configure and run the data retention bot for your Wickr network.

For production deployments of the Wickr Data Retention (DR) Bot, AWS recommends deploying to EC2/EBS with messages archived in S3 and the following minimum instance and storage sizing:
+ Instance type: m8i.large (8GiB RAM, 2vCPUs)
+ Storage: 1 TB Amazon EBS volume
+ Deployment: One DR Bot instance per EC2 host

For more information on EBS, see [Amazon EBS snapshot lifecycle](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshot-lifecycle.html) in the *Amazon EBS User Guide*.

**Topics**
+ [Prerequisites to configure data retention for AWS Wickr](#data-retention-prerequisites)
+ [Password for data retention bot in AWS Wickr](data-retention-password.md)
+ [Storage options for AWS Wickr network](data-retention-storage-options.md)
+ [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md)
+ [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md)
+ [IAM policy to use data retention with AWS services](data-retention-aws-services.md)
+ [Start the data retention bot for your Wickr network](starting-data-retention-bot.md)
+ [Stop the data retention bot for your Wickr network](stopping-data-retention-bot.md)

## Prerequisites to configure data retention for AWS Wickr
<a name="data-retention-prerequisites"></a>

This procedure assumes that you already have an Amazon EC2 instance running with the minimum storage requirements listed above, and that your VPC can reach the Wickr messaging endpoint:

 `com.amazonaws.region.wickr-messaging` — the bot receives messages from the Wickr messaging service.

Before you get started, complete the following procedure to enable data retention in the console.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Network policies**.

1. On the **Network policies** page, in the **Data Retention** section, select **Edit**.

1. On the **Edit data retention** page, follow Steps 1 and 2.

1. Start your data retention bot. For more information, see [Start the data retention bot for your Wickr network](https://docs.aws.amazon.com/wickr/latest/adminguide/starting-data-retention-bot.html).

1. In the **Configure your data retention server** section, copy the **Username** and **Initial Password**. Configure your data retention bot with the username and initial password by following [Password for data retention bot in AWS Wickr](https://docs.aws.amazon.com/wickr/latest/adminguide/data-retention-password.html).

1. Select the **Enable data retention** checkbox, then choose **Save changes**.

**Note**  
The DR Bot is validated for sustained processing at approximately 11,000 messages per hour (~3 messages/second). For workloads that consistently exceed this throughput or are expected to surpass 1.5 million messages in a single processing run, additional scaling strategies should be evaluated.

For Disaster Recovery, we recommend Snapshot Lifecycles on the EBS volume(s) and S3 Cross-Region Replication. To configure how often messages are sent to S3, you can set the environment variable `WICKRIO_COMP_FILESIZE` or `WICKRIO_COMP_TIMEROTATE` to rotate on size or time. Message logs and file attachments will get delivered into the same prefix in the same bucket. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md).

# Password for data retention bot in AWS Wickr
<a name="data-retention-password"></a>

The first time you start the data retention bot, you specify the initial password using one of the following options:
+ The `WICKRIO_BOT_PASSWORD` environment variable. The data retention bot environment variables are outlined in the [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) section later in this guide.
+ The **password** value in Secrets Manager identified by the `AWS_SECRET_NAME` environment variable. The Secrets Manager values for the data retention bot are outlined in the [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md) section later in this guide.
+ Enter the password when prompted by the data retention bot. You will need to run the data retention bot with interactive TTY access using the `-ti` option.

A new password will be generated when you configure the data retention bot for the first time. If you need to re-install the data retention bot, you use the generated password. The initial password is not valid after the initial installation of the data retention bot. You can rotate the generated password. To rotate the generated password, use the guidance provided in the following sections. 

## Password rotation
<a name="password-rotation"></a>

The data retention bot (minimum version 6.66.01.00) can rotate its Wickr account password programmatically at startup by setting the `WICKRIO_ROTATE_PASSWORD` environment variable.

## Usage
<a name="usage"></a>

Set the environment variable `WICKRIO_ROTATE_PASSWORD` when starting the bot with `docker run`:

 `-e WICKRIO_ROTATE_PASSWORD="new_password"`

On startup, after the bot successfully logs in with its current password (from `WICKRIO_BOT_PASSWORD` or AWS Secrets Manager), it does the following:

1. Read `WICKRIO_ROTATE_PASSWORD` from the process environment.

1. Validate the new password (minimum 12 characters, must differ from current password).

1. Call the AWS Wickr service to rotate the password.

After a successful rotation, update `WICKRIO_BOT_PASSWORD` (or the secret in AWS Secrets Manager) to the new password before the next restart.

The new generated password will be displayed as shown in the following example.

**Important**  
Save the password in a safe place. If you lose the password you will not be able to re-install the data retention bot. Don't share this password. It provides the ability to start data retention for your Wickr network.

```
********************************************************************
**** GENERATED PASSWORD
**** DO NOT LOSE THIS PASSWORD, YOU WILL NEED TO ENTER IT EVERY TIME
**** TO START THE BOT
 "HuEXAMPLERAW4lGgEXAMPLEn"
 ********************************************************************
```

## Password requirements
<a name="password-requirements"></a>
+  New password must be at least 12 characters. 
+  New password must differ from the current password. 
+  Bot must be able to log in with the current password first. 

# Storage options for AWS Wickr network
<a name="data-retention-storage-options"></a>

After data retention is enabled and the data retention bot is configured for your Wickr network, it will capture all messages and files sent within your network. Messages are saved in files which are limited to a specific size or time limit that can be configured using an environment variable. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md).

You can configure one of the following options for storing this data:
+ Store all captured messages and files locally. This is the default option. It's your responsibility to move local files to another system for long-term storage, and to make sure the host disk does not run out of memory or space.
+ Store all captured messages and files in an Amazon S3 bucket. The data retention bot will save all decrypted messages and files to the Amazon S3 bucket you specify. The captured messages and files are removed from the host machine after they are successfully saved to the bucket.
+ Store all captured messages and files encrypted in an Amazon S3 bucket. The data retention bot will re-encrypt all captured messages and files using a key that you supply and save them to the Amazon S3 bucket you specify. The captured messages and files are removed from the host machine after they are successfully re-encrypted and saved to the bucket. You will need software to decrypt the messages and files.

  For more information about creating an Amazon S3 bucket to use with your data retention bot, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the *Amazon S3 User Guide*.

# Environment variables to configure data retention bot in AWS Wickr
<a name="data-retention-bot-env-variables"></a>

You can use the following environment variables to configure the data retention bot. You set these environment variables using the `-e` option when you run the data retention bot Docker image. For more information, see [Start the data retention bot for your Wickr network](starting-data-retention-bot.md).

**Note**  
These environment variables are optional unless otherwise specified.

Use the following environment variables to specify the data retention bot credentials:
+ `WICKRIO_BOT_NAME` — The name of the data retention bot. This variable is *required* when you run the data retention bot Docker image.
+ `WICKRIO_BOT_PASSWORD` — The initial password for the data retention bot. For more information, see [Prerequisites to configure data retention for AWS Wickr](configure-data-retention.md#data-retention-prerequisites). This variable is *required* if you don't plan to start the data retention bot with a password prompt or you don't plan to use Secrets Manager to store the data retention bot credentials.

Use the following environment variables to configure the default data retention streaming capabilities:
+ `WICKRIO_COMP_MESGDEST` – The path name to the directory where messages will be streamed. The default value is `/tmp/<botname>/compliance/messages`.
+ `WICKRIO_COMP_FILEDEST` – The path name to the directory where files will be streamed. The default value is `/tmp/<botname>/compliance/attachments`.
+ `WICKRIO_COMP_BASENAME` – The base name for the received messages files. The default value is `receivedMessages`.
+ `WICKRIO_COMP_FILESIZE` – The maximum file size for a received messages file, in kibibytes (KiB). A new file is started when the maximum size is reached. The default value is `1000000000`, as in 1024 GiB.
+ `WICKRIO_COMP_TIMEROTATE` – The amount of time, in minutes, for which the data retention bot will put received messages into a received messages file. A new file is started when the time limit is reached. You can only use the file size or time to limit the size of the received messages file. The default value is `0`, as in no limit.

Use the following environment variable to define the default AWS Region to use.
+ `AWS_DEFAULT_REGION` – The default AWS Region to use for AWS services like Secrets Manager (not used for Amazon S3 or AWS KMS). The `us-east-1` Region is used by default if this environment variable is not defined.

Use the following environment variables to specify the Secrets Manager secret to use when you opt to use Secrets Manager to store the data retention bot credentials and AWS service information. For more information about the values you can store in Secrets Manager see [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).
+ `AWS_SECRET_NAME` – The name of the Secrets Manager secret that contains the credentials and AWS service information needed by the data retention bot.
+ `AWS_SECRET_REGION` – The AWS Region that the AWS secret is located in. If you are using AWS secrets and this value is not defined, the `AWS_DEFAULT_REGION` value will be used.

**Note**  
You can store all of the following environment variables as values in Secrets Manager. If you opt to use Secrets Manager, and you store these values there, then you don't need to specify them as environment variables when you run the data retention bot Docker image. You only need to specify the `AWS_SECRET_NAME` environment variable described earlier in this guide. For more information, see [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).

Use the following environment variables to specify the Amazon S3 bucket when you opt to store messages and files to a bucket.
+ `WICKRIO_S3_BUCKET_NAME` – The name of the Amazon S3 bucket where messages and files will be stored.
+ `WICKRIO_S3_REGION` – The AWS Region of the Amazon S3 bucket where messages and files will be stored.
+ `WICKRIO_S3_FOLDER_NAME` – The optional folder name in the Amazon S3 bucket where messages and files will be stored. This folder name is prepended to the key for messages and files saved to the Amazon S3 bucket.

Use the following environment variables to specify the AWS KMS details when you opt to use client side encryption to re-encrypt files when saving them to an Amazon S3 bucket.
+ `WICKRIO_KMS_MSTRKEY_ARN` – The Amazon Resource Name (ARN) of the AWS KMS master key used to re-encrypt the message files and files on the data retention bot before they are saved to the Amazon S3 bucket.
+ `WICKRIO_KMS_REGION` – The AWS Region where the AWS KMS master key is located.

Use the following environment variable to specify the Amazon SNS details when you opt to send data retention events to an Amazon SNS topic. The events sent include startup, shutdown, as well as error conditions.
+ `WICKRIO_SNS_TOPIC_ARN` – The ARN of the Amazon SNS topic that you want data retention events sent to.

Use the following environment variable to send data retention metrics to CloudWatch. If specified, the metrics will be generated every 60 seconds.
+ `WICKRIO_METRICS_TYPE` – Set the value of this environment variable to `cloudwatch` to send metrics to CloudWatch.

# Secrets Manager values for AWS Wickr
<a name="data-retention-aws-secret-values"></a>

You can use Secrets Manager to store the data retention bot credentials and AWS service information. For more information about creating a Secrets Manager secret, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *Secrets Manager User Guide*.

The Secrets Manager secret can have the following values:
+ `password` – The data retention bot password.
+ `s3_bucket_name` – The name of the Amazon S3 bucket where messages and files will be stored. If not set, the default file streaming will be used.
+ `s3_region` – The AWS Region of the Amazon S3 bucket where messages and files will be stored.
+ `s3_folder_name` – The optional folder name in the Amazon S3 bucket where messages and files will be stored. This folder name is prepended to the key for messages and files saved to the Amazon S3 bucket.
+ `kms_master_key_arn` – The ARN of the AWS KMS master key used to re-encrypt the message files and files on the data retention bot before they are saved to the Amazon S3 bucket.
+ `kms_region` – The AWS Region where the AWS KMS master key is located.
+ `sns_topic_arn` – The ARN of the Amazon SNS topic that you want data retention events sent to.

# IAM policy to use data retention with AWS services
<a name="data-retention-aws-services"></a>

If you plan to use other AWS services with the Wickr data retention bot, you must ensure the host has the appropriate AWS Identity and Access Management (IAM) role and policy to access them. You can configure the data retention bot to use Secrets Manager, Amazon S3, CloudWatch, Amazon SNS, and AWS KMS. The following IAM policy allows access to specific actions for these services.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "secretsmanager:GetSecretValue",
                "sns:Publish",
                "cloudwatch:PutMetricData",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
    ]
}
```

You can create a stricter IAM policy by identifying the specific objects for each service that you want to allow the containers on your host to access. Remove the actions for the AWS services that you do not intend to use. For example, if you intend to use only an Amazon S3 bucket, then use the following policy, which removes the `secretsmanager:GetSecretValue`, `sns:Publish`, `kms:GenerateDataKey`, and `cloudwatch:PutMetricData` actions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "*"
        }
    ]
}
```

If you are using an Amazon Elastic Compute Cloud (Amazon EC2) instance to host your data retention bot, create an IAM role using the Amazon EC2 common case and assign a policy using the policy definition from above.
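Both policies above still use `"Resource": "*"`. The following added example (not AWS-provided code) builds a policy scoped to the specific bucket prefix, key, topic, and secret, using the Secrets Manager value names from this guide. It assumes objects are written under `<s3_folder_name>/`; the function names, the SNS topic ARN, and the account ID are illustrative.

```python
"""Added example: resource-scoped IAM policy for a data retention bot host."""
import json

WICKR_METRIC_NAMESPACE = "WickrIO"  # CloudWatch namespace given in this guide

# The broad policy shown above, kept here for comparison.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "secretsmanager:GetSecretValue", "sns:Publish",
                   "cloudwatch:PutMetricData", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
}

# Constructed sample input built from this guide's placeholder values.
SAMPLE_CFG = {
    "s3_bucket_name": "bucket-name",
    "s3_folder_name": "folder-name",
    "kms_master_key_arn":
        "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab",
    "sns_topic_arn": "arn:aws:sns:us-east-1:111122223333:wickr-dr-events",  # constructed
}


def _allow(sid, action, resource, condition=None):
    statement = {"Sid": sid, "Effect": "Allow", "Action": action, "Resource": resource}
    if condition:
        statement["Condition"] = condition
    return statement


def _require_arn(value, service, partition, field):
    """Reject wildcards and ARNs that belong to another service or partition."""
    if not value.startswith(f"arn:{partition}:{service}:") or "*" in value:
        raise ValueError(f"{field} must be a full {service} ARN without wildcards")
    return value


def build_bot_policy(cfg, account_id, secret_name=None, secret_region="us-east-1",
                     metrics=False, partition="aws"):
    """Return a policy that allows only what this bot configuration uses.

    cfg holds the Secrets Manager value names from this guide; unset values
    produce no statement. Use partition="aws-us-gov" for AWS GovCloud (US).
    """
    statements = []

    bucket = cfg.get("s3_bucket_name")
    if bucket:
        if "*" in bucket or "?" in bucket:
            raise ValueError("s3_bucket_name must not contain wildcards")
        # Assumption: the bot writes every object under "<s3_folder_name>/".
        folder = cfg.get("s3_folder_name", "").strip("/")
        key_pattern = f"{folder}/*" if folder else "*"
        statements.append(_allow("PutRetainedObjects", "s3:PutObject",
                                 f"arn:{partition}:s3:::{bucket}/{key_pattern}"))

    if cfg.get("kms_master_key_arn"):
        key_arn = _require_arn(cfg["kms_master_key_arn"], "kms", partition,
                               "kms_master_key_arn")
        statements.append(_allow("ReEncryptBeforeUpload", "kms:GenerateDataKey", key_arn))

    if cfg.get("sns_topic_arn"):
        topic_arn = _require_arn(cfg["sns_topic_arn"], "sns", partition, "sns_topic_arn")
        statements.append(_allow("PublishBotEvents", "sns:Publish", topic_arn))

    if secret_name:
        # Secrets Manager appends a hyphen and six random characters to the
        # secret name in the ARN, hence the "-??????" suffix.
        statements.append(_allow(
            "ReadBotSecret", "secretsmanager:GetSecretValue",
            f"arn:{partition}:secretsmanager:{secret_region}:{account_id}"
            f":secret:{secret_name}-??????"))

    if metrics:
        # PutMetricData has no resource ARN; restrict it by namespace instead.
        statements.append(_allow(
            "PutBotMetrics", "cloudwatch:PutMetricData", "*",
            {"StringEquals": {"cloudwatch:namespace": WICKR_METRIC_NAMESPACE}}))

    if not statements:
        raise ValueError("no AWS service is configured, so no policy is needed")
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_statements(policy):
    """Return the Sids of Allow statements with Resource "*" and no Condition."""
    found = []
    for statement in policy["Statement"]:
        resources = statement.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if (statement.get("Effect") == "Allow" and "*" in resources
                and "Condition" not in statement):
            found.append(statement.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    scoped = build_bot_policy(SAMPLE_CFG, "111122223333",
                              secret_name="wickr/data/retention/bot", metrics=True)
    print(json.dumps(scoped, indent=4))
    print("unscoped in page policy:", unscoped_statements(PAGE_POLICY))
    print("unscoped in scoped policy:", unscoped_statements(scoped))
```

Attach the printed policy to the instance role in place of the broad one, and rerun `unscoped_statements` whenever the policy is edited.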

# Start the data retention bot for your Wickr network
<a name="starting-data-retention-bot"></a>

Before you run the data retention bot, you should determine how you want to configure it. If you plan to run the bot on a host that:
+ Will not have access to AWS services, then your options are limited. In that case you will use the default message streaming options. You should decide whether you want to limit the size of the captured message files to a specific size or time interval. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md).
+ Will have access to AWS services, then you should create a Secrets Manager secret to store the bot credentials, and AWS service configuration details. After the AWS services are configured, you can proceed to start the data retention bot Docker image. For more information about the details you can store in a Secrets Manager secret, see [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).

The following sections show example commands to run the data retention bot Docker image. In each of the example commands, replace the following example values with your own:
+ `compliance_1234567890_bot` with the name of your data retention bot.
+ `password` with the password for your data retention bot.
+ `wickr/data/retention/bot` with the name of your Secrets Manager secret to use with your data retention bot.
+ `bucket-name` with the name of the Amazon S3 bucket where messages and files will be stored.
+ `folder-name` with the folder name in the Amazon S3 bucket where messages and files will be stored.
+ `us-east-1` with the AWS Region of the resource you're specifying. For example, the Region of the AWS KMS master key or the Region of the Amazon S3 bucket.
+ `arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab` with the Amazon Resource Name (ARN) of your AWS KMS master key to use to re-encrypt message files and files.

# Start the bot with password environment variable (no AWS service)
<a name="data-retention-basic-startup"></a>

The following Docker command starts the data retention bot. The password is specified using the `WICKRIO_BOT_PASSWORD` environment variable. The bot starts using the default file streaming, and using the default values defined in the [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) section of this guide.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e WICKRIO_BOT_PASSWORD='password' \
wickr/bot-compliance-cloud:latest
```

# Start the bot with password prompt (no AWS service)
<a name="data-retention-startup-password"></a>

The following Docker command starts the data retention bot. The password is entered when prompted by the data retention bot. The bot starts using the default file streaming, with the default values defined in the [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) section of this guide.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
wickr/bot-compliance-cloud:latest

docker attach compliance_1234567890_bot
.
.
.
Enter the password:************
Re-enter the password:************
```

Run the bot using the `-ti` option to receive the password prompt. You should also run the `docker attach <container ID or container name>` command immediately after starting the docker image so that you get the password prompt. You should run both of these commands in a script. If you attach to the docker image and don’t see the prompt, press **Enter** and you will see the prompt.

# Start the bot with 15 minute message file rotation (no AWS service)
<a name="data-retention-startup-rotation"></a>

The following Docker command starts the data retention bot using environment variables. It also configures the bot to rotate the received messages files every 15 minutes.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e WICKRIO_BOT_PASSWORD='password' \
-e WICKRIO_COMP_TIMEROTATE=15 \
wickr/bot-compliance-cloud:latest
```

# Start the bot and specify the initial password with Secrets Manager
<a name="data-retention-startup-asm"></a>

You can use Secrets Manager to supply the data retention bot's password. When you start the data retention bot, you will need to set an environment variable that specifies the Secrets Manager secret where this information is stored.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e AWS_SECRET_NAME='wickrpro/alpha/new-3-bot' \
wickr/bot-compliance-cloud:latest
```

The `wickrpro/alpha/new-3-bot` secret has the following secret value in it, shown as plaintext.

```
{
    "password":"password"
}
```

# Start the bot and configure Amazon S3 with Secrets Manager
<a name="data-retention-startup-asm-s3"></a>

You can use Secrets Manager to store the credentials and the Amazon S3 bucket information. When you start the data retention bot, you will need to set an environment variable that specifies the Secrets Manager secret where this information is stored.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
 -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
 -e AWS_SECRET_NAME='wickrpro/alpha/compliance_1234567890_bot' \
wickr/bot-compliance-cloud:latest
```

The `wickrpro/alpha/compliance_1234567890_bot` secret has the following secret value in it, shown as plaintext.

```
{
    "password":"password",
    "s3_bucket_name":"bucket-name",
    "s3_region":"us-east-1",
    "s3_folder_name":"folder-name"
}
```

Messages and files received by the bot will be put in the `bucket-name` bucket in the folder named `folder-name`.

# Start the bot and configure Amazon S3 and AWS KMS with Secrets Manager
<a name="data-retention-startup-asm-s3-KMS"></a>

You can use Secrets Manager to store the credentials, the Amazon S3 bucket, and AWS KMS master key information. When you start the data retention bot, you will need to set an environment variable that specifies the Secrets Manager secret where this information is stored.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
 -e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
 -e AWS_SECRET_NAME='wickrpro/alpha/compliance_1234567890_bot' \
wickr/bot-compliance-cloud:latest
```

The `wickrpro/alpha/compliance_1234567890_bot` secret has the following secret value in it, shown as plaintext.

```
{
    "password":"password",
    "s3_bucket_name":"bucket-name",
    "s3_region":"us-east-1",
    "s3_folder_name":"folder-name",
    "kms_master_key_arn":"arn:aws:kms:us-east-1:111122223333:key/12345678-1234-abcde-a617-abababababab",
    "kms_region":"us-east-1"
}
```

Messages and files received by the bot will be encrypted using the KMS key identified by the ARN value, then put in the `bucket-name` bucket in the folder named `folder-name`. Make sure you have the appropriate IAM policy set up.

# Start the bot and configure Amazon S3 using environment variables
<a name="using-env-variables"></a>

If you don't want to use Secrets Manager to host the data retention bot credentials, you can start the data retention bot Docker image with the following environment variables. You must identify the name of the data retention bot using the `WICKRIO_BOT_NAME` environment variable.

```
docker run -v /opt/compliance_1234567890_bot:/tmp/compliance_1234567890_bot --network=host \
-d --restart on-failure:5 --name="compliance_1234567890_bot" -ti \
-e WICKRIO_BOT_NAME='compliance_1234567890_bot' \
-e WICKRIO_BOT_PASSWORD='password' \
-e WICKRIO_S3_BUCKET_NAME='bot-compliance' \
-e WICKRIO_S3_FOLDER_NAME='network1234567890' \
-e WICKRIO_S3_REGION='us-east-1' \
wickr/bot-compliance-cloud:latest
```

You can use environment variables to identify the data retention bot's credentials, information about Amazon S3 buckets, and configuration information for the default file streaming.

# Stop the data retention bot for your Wickr network
<a name="stopping-data-retention-bot"></a>

The software running on the data retention bot will capture `SIGTERM` signals and shut down gracefully. Use the `docker stop <container ID or container name>` command, as shown in the following example, to send the `SIGTERM` signal to the data retention bot Docker container.

```
docker stop compliance_1234567890_bot
```

# Get the data retention logs for your Wickr network
<a name="getting-data-retention-logs"></a>

The software running on the data retention bot Docker image will output to log files in the `/tmp/<botname>/logs` directory. They will rotate to a maximum of 5 files. You can get the logs by running the following command.

```
docker logs <botname>
```

Example:

```
docker logs compliance_1234567890_bot
```

# Data retention metrics and events for your Wickr network
<a name="metrics-events"></a>

Following are the Amazon CloudWatch (CloudWatch) metrics and Amazon Simple Notification Service (Amazon SNS) events that are currently supported by the 5.116 version of the AWS Wickr data retention bot.

**Topics**
+ [CloudWatch metrics for your Wickr network](cloudwatch-metrics.md)
+ [Amazon SNS events for your Wickr network](sns-events.md)

# CloudWatch metrics for your Wickr network
<a name="cloudwatch-metrics"></a>

Metrics are generated by the bot in 1 minute intervals and transmitted to the CloudWatch service associated with the account the data retention bot Docker image is running on.

Following are the existing metrics supported by the data retention bot.


| Metric | Description | 
| --- | --- | 
|  `Messages_Rx`  |  Messages received.  | 
|  `Messages_Rx_Failed`  |  Failures to process received messages.  | 
|  `Messages_Saved`  |  Messages saved to the received messages file.  | 
|  `Messages_Saved_Failed`  |  Failures to save messages to the received messages file.  | 
|  `Files_Saved`  |  Files received.  | 
|  `Files_Saved_Bytes`  |  Number of bytes for files received.  | 
|  `Files_Saved_Failed`  |  Failures to save files.  | 
|  `Logins`  |  Logins (normally this will be 1 for each interval).  | 
|  `Login_Failures`  |  Failures to log in (normally this will be 1 for each interval).  | 
|  `S3_Post_Errors`  |  Errors posting message files and files to Amazon S3 bucket.  | 
|  `Watchdog_Failures`  |  Watchdog failures.  | 
|  `Watchdog_Warnings`  |  Watchdog warnings.  | 

Metrics are generated to be consumed by CloudWatch. The namespace used for bots is `WickrIO`. Each metric has an array of dimensions. Following is the list of dimensions that are posted with the above metrics.


| Dimension | Value | 
| --- | --- | 
|  Id  |  The bot's username.  | 
|  Device  |  Description of specific bot device or instance. Useful if you are running multiple bot devices or instances.  | 
|  Product  |  The product for the bot. Can be `WickrPro_` or `WickrEnterprise_` with `Alpha`, `Beta`, or `Production` appended.  | 
|  BotType  |  The bot type. Labeled as **Compliance** for the compliance bots.  | 
|  Network  |  The ID of the associated network.  | 

# Amazon SNS events for your Wickr network
<a name="sns-events"></a>

The following events are posted to the Amazon SNS topic defined by the Amazon Resource Name (ARN) value identified using the `WICKRIO_SNS_TOPIC_ARN` environment variable or the `sns_topic_arn` Secrets Manager secret value. For more information, see [Environment variables to configure data retention bot in AWS Wickr](data-retention-bot-env-variables.md) and [Secrets Manager values for AWS Wickr](data-retention-aws-secret-values.md).

Events generated by the data retention bot are sent as JSON strings. The following values are included in the events as of the 5.116 version of the data retention bot.


| Name | Value | 
| --- | --- | 
|  complianceBot  |  The username of the data retention bot.  | 
|  dateTime  |  The date and time when the event occurred.  | 
|  device  |  A description of the specific bot device or instance. Useful if you are running multiple bot instances.  | 
|  dockerImage  |  The Docker image associated with the bot.  | 
|  dockerTag  |  The tag or version of the Docker image.  | 
|  message  |  The event message. For more information see [Critical events](#sns-critical-events) and [Normal events](#sns-normal-events).  | 
|  notificationType  |  This value will be `Bot Event`.  | 
|  severity  |  The severity of the event. Can be `normal` or `critical`.  | 

You must subscribe to the Amazon SNS topic so that you can receive the events. If you subscribe using an email address, an email will be sent to you containing information similar to the following example.

```
{
  "complianceBot": "compliance_1234567890_bot",
  "dateTime": "2022-10-12T13:05:39",
  "device": "Desktop 1234567890ab",
  "dockerImage": "wickr/bot-compliance-cloud",
  "dockerTag": "5.116.13.01",
  "message": "Logged in",
  "notificationType": "Bot Event",
  "severity": "normal"
}
```

## Critical events
<a name="sns-critical-events"></a>

These events will cause the bot to stop or restart. The number of restarts is limited to avoid causing other issues.

**Login failures**

Following are the possible events that can be generated when the bot fails to log in. Each message indicates the reason for the login failure.


| Event type | Event message | 
| --- | --- | 
|  failedlogin  |  Bad credentials. Check the password.  | 
|  failedlogin  |  User not found.  | 
|  failedlogin  |  Account or device is suspended.  | 
|  provisioning  |  User exited the command.  | 
|  provisioning  |  Bad password for the `config.wickr` file.  | 
|  provisioning  |  Cannot read the `config.wickr` file.  | 
|  failedlogin  |  Logins all failed.  | 
|  failedlogin  |  New user but database already exists.  | 

**More critical events**


| Event type | Event messages | 
| --- | --- | 
|  Suspended Account  |  WickrIOClientMain::slotAdminUserSuspend: code(%1): reason: %2  | 
|  BotDevice Suspended  |  Device is suspended\$1  | 
|  WatchDog  |  The SwitchBoard system is down for more than <*N*> minutes  | 
|  S3 Failures  |  Failed to put file <*file-name*> on S3 bucket. Error: <*AWS-error*>  | 
|  Fallback Key  |  SERVER SUBMIITED FALLBACK KEY: Is not a recognized client active fallback key. Please submit logs to desktop engineering.  | 

## Normal events
<a name="sns-normal-events"></a>

Following are the events that warn you about normal operating occurrences. Too many occurrences of these types of events within a specific time period may be cause for concern.

**Device added to account**

This event is generated when a new device is added to the data retention bot account. Under some circumstances, this can be an important indication that someone has created an instance of the data retention bot. Following is the message for this event.

```
A device has been added to this account!
```

**Bot logged in**

This event is generated when the bot has successfully logged in. Following is the message for this event.

```
Logged in
```

**Shutting down**

This event is generated when the bot is shutting down. If the user did not explicitly initiate this, it could be an indication of a problem. Following is the message for this event.

```
Shutting down
```

**Updates available**

This event is generated when the data retention bot is started and it identifies that there is a newer version of the associated Docker image available. This event is generated when the bot starts, and on a daily basis. This event includes the `versions` array field which identifies the new versions that are available. Following is an example of what this event looks like.

```
{
  "complianceBot": "compliance_1234567890_bot",
  "dateTime": "2022-10-12T13:05:55",
  "device": "Desktop 1234567890ab",
  "dockerImage": "wickr/bot-compliance-cloud",
  "dockerTag": "5.116.13.01",
  "message": "There are updates available",
  "notificationType": "Bot Event",
  "severity": "normal",
  "versions": [
    "5.116.10.01"
  ]
}
```
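The fields and messages documented above are enough to triage these events automatically. The following Python example is added here and is not code from AWS or the data retention bot: it classifies event JSON strings by `severity` and `message`, flags `device` values missing from an inventory, and detects bursts of `Logged in` events. The `known_devices` inventory, the thresholds, the finding labels, and the sample events are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Event messages as documented in the sections above.
DEVICE_ADDED = "A device has been added to this account!"
LOGGED_IN = "Logged in"
SHUTTING_DOWN = "Shutting down"
UPDATES_AVAILABLE = "There are updates available"


def parse_event(raw):
    """Return the event dict, or None if raw is not a data retention bot event."""
    try:
        event = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(event, dict) or event.get("notificationType") != "Bot Event":
        return None
    return event


def triage(raw_events, known_devices, planned_shutdown=False,
           max_logins=3, window=timedelta(minutes=10)):
    """Return (finding, detail) tuples; labels and thresholds are assumptions."""
    findings, login_times = [], []
    for raw in raw_events:
        event = parse_event(raw)
        if event is None:
            findings.append(("unparsed", raw[:40]))
            continue
        message = event.get("message", "")
        device = event.get("device", "")
        if event.get("severity") == "critical":
            findings.append(("critical", message))
        if device not in known_devices:
            findings.append(("unknown-device", device))
        if message == DEVICE_ADDED:
            findings.append(("device-added", device))
        elif message == SHUTTING_DOWN and not planned_shutdown:
            findings.append(("unplanned-shutdown", device))
        elif message == UPDATES_AVAILABLE:
            findings.append(("update-available", ",".join(event.get("versions", []))))
        elif message == LOGGED_IN:
            try:
                login_times.append(datetime.fromisoformat(event.get("dateTime", "")))
            except (TypeError, ValueError):
                findings.append(("bad-timestamp", raw[:40]))
    # Many logins inside one window suggest a restart loop.
    login_times.sort()
    for i, start in enumerate(login_times):
        burst = [t for t in login_times[i:] if t - start <= window]
        if len(burst) > max_logins:
            findings.append(("login-burst", f"{len(burst)} logins from {start.isoformat()}"))
            break
    return findings


def make_event(message, date_time, severity="normal",
               device="Desktop 1234567890ab", **extra):
    """Build a constructed sample event with the fields listed in the table above."""
    event = {
        "complianceBot": "compliance_1234567890_bot", "dateTime": date_time,
        "device": device, "dockerImage": "wickr/bot-compliance-cloud",
        "dockerTag": "5.116.13.01", "message": message,
        "notificationType": "Bot Event", "severity": severity,
    }
    event.update(extra)
    return json.dumps(event)


# Constructed sample input, not captured from a real bot.
SAMPLE_EVENTS = [
    make_event(LOGGED_IN, "2022-10-12T13:05:39"),
    make_event(UPDATES_AVAILABLE, "2022-10-12T13:05:55", versions=["5.116.10.01"]),
    make_event(DEVICE_ADDED, "2022-10-12T14:00:00"),
    make_event(LOGGED_IN, "2022-10-12T14:01:00", device="Desktop ffffffffffff"),
    make_event("Bad credentials. Check the password.", "2022-10-12T14:01:30",
               severity="critical"),
    make_event(LOGGED_IN, "2022-10-12T14:02:00"),
    make_event(LOGGED_IN, "2022-10-12T14:03:00"),
    make_event(LOGGED_IN, "2022-10-12T14:04:00"),
    make_event(SHUTTING_DOWN, "2022-10-12T14:06:00"),
    "not json",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, known_devices={"Desktop 1234567890ab"}):
        print(finding)
```

When the topic is delivered to an HTTPS endpoint, Amazon SQS queue, or AWS Lambda function instead of email, pass the `Message` field of the SNS notification to `triage`, because the event JSON is wrapped in the SNS envelope.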

# What is ATAK?
<a name="what-is-atak"></a>

The Android Team Awareness Kit (ATAK)—or Android Tactical Assault Kit (also ATAK) for military use—is a smart phone geospatial infrastructure and situational awareness application that enables safe collaboration over geography. While it was initially designed for use in combat zones, ATAK has been adapted to fit the missions of local, state, and federal agencies.

**Topics**
+ [Enable ATAK in the Wickr Network Dashboard](#atak)
+ [Additional information about ATAK](#additional-information)
+ [Install and pair the Wickr plugin for ATAK](install-and-pair.md)
+ [Unpair the Wickr Plugin for ATAK](unpair.md)
+ [Dial and receive a call in ATAK](dial-and-receive-call.md)
+ [Send a file in ATAK](send-a-file.md)
+ [Send a secure voice message (Push-to-talk) in ATAK](send-secure-voice-message.md)
+ [Pinwheel (Quick Access) for ATAK](pinwheel.md)
+ [Navigation for ATAK](navigation.md)

## Enable ATAK in the Wickr Network Dashboard
<a name="atak"></a>

AWS Wickr supports many agencies that use Android Tactical Assault Kit (ATAK). However, until now, ATAK operators that use Wickr have had to leave the application in order to do so. To help reduce disruptions and operational risk, Wickr has developed a plugin that enhances ATAK with secure communication features. With the Wickr plugin for ATAK, users can message, collaborate, and transfer files on Wickr within the ATAK application. This eliminates interruptions, and the complexity of configuration with ATAK’s chat features.

### Enable ATAK in the Wickr Network Dashboard
<a name="enable-tak"></a>

Complete the following procedure to enable ATAK in the Wickr Network Dashboard.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Security groups**.

1. On the **Security groups** page, select the desired security group for which you want to enable ATAK.

1. On the **Integration** tab, in the **ATAK plugin** section, choose **Edit**.

1. On the **Edit ATAK plugin** page, select the checkbox **Enable ATAK plugin**.

1. Choose **Add new package**.

1. Enter the package name in the **Packages** text box. You can enter one of the following values depending on the version of the ATAK that your users will install and use:
   + `com.atakmap.app.civ` — Enter this value into the **Packages** text box if your Wickr end users are going to install and use the civilian version of the ATAK application on their Android devices.
   + `com.atakmap.app.mil` — Enter this value into the **Packages** text box if your Wickr end users are going to install and use the military version of the ATAK application on their Android devices.

1. Choose **Save**.

   ATAK is now enabled for the selected Wickr Network, and the selected Security Group. You should ask the Android users in the security group for which you enabled the ATAK functionality to install the Wickr plugin for ATAK. For more information, see [Install and pair the Wickr ATAK plugin](https://docs.aws.amazon.com/wickr/latest/userguide/atak.html).

## Additional information about ATAK
<a name="additional-information"></a>

For more information about the Wickr plugin for ATAK, see the following:


+ [Wickr ATAK Plugin Overview](https://wickr.com/wp-content/uploads/2022/12/Wickr-ATAK-Plugin-Overview.pdf)
+ [Additional Wickr ATAK Plugin Information](http://wickr.com/atak-plugin)

# Install and pair the Wickr plugin for ATAK
<a name="install-and-pair"></a>

The Android Team Awareness Kit (ATAK) is an Android solution used by the US military, state, and governmental agencies that require situational awareness capabilities for mission planning, execution, and incident response. ATAK has a plugin architecture which allows developers to add functionality. It enables users to navigate using GPS and geospatial map data overlaid with real-time situational awareness of ongoing events. In this document, we show you how to install the Wickr plugin for ATAK on an Android device and pair it with the Wickr client. This allows you to message and collaborate on Wickr without exiting the ATAK application.

## Install the Wickr plugin for ATAK
<a name="install"></a>

Complete the following procedure to install the Wickr plugin for ATAK on an Android device.

1. Go to the Google Play store, and install the Wickr for ATAK plugin.

1. Open the ATAK application on your Android device.

1. In the ATAK application, choose the menu icon (![\[Menu icon\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak_hamburger_icon.png)) at the top-right of the screen, and then choose **Plugins**.

1. Choose **Import**.

1. On the **Select Import Type** pop-up, choose **Local SD** and navigate to where you saved the Wickr plugin for ATAK .apk file.

1. Choose the plugin file and follow the prompts to install it.
**Note**  
If you are asked to send the plugin file for scanning, choose **No**.

1. The ATAK application will ask if you would like to load the plugin. Choose **OK**.

The Wickr plugin for ATAK is now installed. Continue to the following Pair ATAK with Wickr section to finish the process.

## Pair ATAK with Wickr
<a name="pair"></a>

Complete the following procedure to pair the ATAK application with Wickr after you successfully installed the Wickr plugin for ATAK.

1. In the ATAK application, choose the menu icon (![\[Menu icon\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak_hamburger_icon.png)) at the top-right of the screen, and then choose **Wickr Plugin**.

1. Choose **Pair Wickr**.

   A notification prompt will appear asking you to review permissions for the Wickr plugin for ATAK. If the notification prompt doesn't appear, open the Wickr client and go to **Settings**, then **Connected Apps**. You should see the plugin under the **Pending** section of the screen.

1. Choose **Approve** to pair.

1. Choose the **Open Wickr ATAK Plugin** button to go back to the ATAK application.

   You have now successfully paired the ATAK plugin and Wickr, and can use the plugin to send messages and collaborate using Wickr without exiting the ATAK application.

# Unpair the Wickr Plugin for ATAK
<a name="unpair"></a>

You can unpair the Wickr plugin for ATAK.

Complete the following procedure to unpair the ATAK plugin with Wickr.

1. In the native app, choose **Settings**, and then choose **Connected Apps**.

1. On the **Connected Apps** screen, choose **Wickr ATAK Plugin**.

1. On the **Wickr ATAK Plugin** screen, choose **Remove** at the bottom of the screen.

   You have now successfully unpaired the Wickr plugin for ATAK.

# Dial and receive a call in ATAK
<a name="dial-and-receive-call"></a>

You can dial and receive a call in the Wickr plugin for ATAK.

Complete the following procedure to dial and receive a call.

1. Open a chat window.

1. In the **Map** view, choose the icon for the user you want to call.

1. Choose the phone icon at the top-right of the screen.

1. Once connected, you can return to the ATAK plugin view and receive a call.

# Send a file in ATAK
<a name="send-a-file"></a>

You can send a file in the Wickr plugin for ATAK.

Complete the following procedure to send a file.

1. Open a chat window.

1. In the **Map** view, search for the user that you want to send a file to.

1. When you find the user that you want to send a file to, select their name.

1. On the **Send File** screen, select **Choose File**, and then navigate to the file that you want to send.  
![\[Menu pane for users.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-choose-file.png)

1. On the browser window, choose the desired file.

1. On the **Send File** screen, choose **Send File**.

   The download icon displays, indicating the file you selected is being downloaded.

# Send a secure voice message (Push-to-talk) in ATAK
<a name="send-secure-voice-message"></a>

You can send a secure voice message (Push-to-talk) in the Wickr plugin for ATAK.

Complete the following procedure to send a secure voice message.

1. Open a chat window.

1. Choose the Push-to-Talk icon at the top of the screen, indicated by an icon of a person talking.   
![\[Push-to-talk icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-wickr-push-to-talk-icon.png)

1. Select and hold the **Hold Button Down to Record** button.  
![\[Record button.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-secure-voice-message.png)

1. Record your message.

1. After you record your message, release the button to send.

# Pinwheel (Quick Access) for ATAK
<a name="pinwheel"></a>

The pinwheel or quick access feature is used for one-on-one conversations or direct messages.

Complete the following procedure to use the pinwheel.

1. Open the split screen view of the ATAK map and the Wickr for ATAK plugin simultaneously. The map displays your teammates or assets on the map view.

1. Choose the user icon to open the pinwheel. 

1. Choose the Wickr icon to view the available options for the selected user.  
![\[Wickr icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-pinwheel-wickr-icon.png)

1. On the pinwheel, choose one of the following icons:
   + **Phone**: Choose to call.  
![\[Pinwheel call icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-pinwheel-call.png)
   + **Message**: Choose to chat.  
![\[Pinwheel chat icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-pinwheel-message.png)
   + **File send**: Choose to send a file.  
![\[Pinwheel send a file icon.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/atak-pinwheel-send.png)

# Navigation for ATAK
<a name="navigation"></a>

The plugin UI contains three plugin views that are indicated by the blue and white shapes at the bottom-right of the screen. Swipe left and right to navigate between the views.
+ **Contacts view**: Create a direct message group or room conversation.
+ **DMs view**: Create a one-to-one conversation. Chat functionality works as in the Wickr native app. This functionality allows you to remain in the Map view and communicate with others on the plugin.
+ **Rooms view**: The existing rooms in the native app are ported over. Anything done in the plugin reflects in the Wickr native app.
**Note**  
Certain functions, such as deleting a room, can only be performed in the native app and in person to prevent unintended modification by users and interference caused by field equipment.

# Ports and domains to allow list for your Wickr network
<a name="allow-list-ports-domains"></a>

Allow list the following ports to ensure Wickr functions correctly:

**Ports**
+ TCP port 443 (for messages and attachments)
+ UDP ports 16384-16584 (for calling)

## Domains and addresses to allowlist by Region
<a name="ip-addresses"></a>

If you need to allowlist all possible calling domains and server IP addresses, see the following list of potential CIDRs by Region. Check this list periodically, as it is subject to change.

**Note**  
Registration and verification emails are sent from `no-reply@amazonaws.com` and `donotreply@wickr.email`.

### US East (N. Virginia)
<a name="us-east-north-virginia"></a>


|  |  | 
| --- |--- |
| Domains: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
| Calling IP addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Asia Pacific (Malaysia)
<a name="ap-southeast-malaysia"></a>


|  |  | 
| --- |--- |
| Domains: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
| Calling IP addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Asia Pacific (Singapore)
<a name="ap-southeast-singapore"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Asia Pacific (Sydney)
<a name="ap-southeast-sydney"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Asia Pacific (Tokyo)
<a name="ap-northeast-tokyo"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Canada (Central)
<a name="ca-central-canada"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Europe (Frankfurt)
<a name="eu-central-frankfurt"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Messaging IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Europe (London)
<a name="eu-west-london"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Europe (Stockholm)
<a name="eu-north-stockholm"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### Europe (Zurich)
<a name="eu-central-zurich"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

### AWS GovCloud (US-West)
<a name="us-gov-west"></a>


|  |  | 
| --- |--- |
| Domain: | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html) | 
| Calling CIDR addresses: |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 
|  Calling IP addresses:  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/wickr/latest/adminguide/allow-list-ports-domains.html)  | 

# GovCloud cross boundary classification and federation
<a name="govcloud-cross-boundary"></a>

AWS Wickr offers a WickrGov client tailored for GovCloud users. The GovCloud Federation allows communication between GovCloud users and commercial users. The cross boundary classification feature enables user interface changes to conversations for GovCloud users. As a GovCloud user, you must adhere to strict guidelines concerning government-defined classification. When GovCloud users engage in conversations with commercial users (Enterprise, AWS Wickr, Guest users), they will see the following unclassified warnings displayed:
+ A U tag in the room list 
+ An unclassified acknowledgment on the message screen
+ An unclassified banner on top of the conversation

![\[Messaging app interface showing rooms list, chat window, and security notice for Finance Room.\]](http://docs.aws.amazon.com/wickr/latest/adminguide/images/gov-cloud-cross-boundary.png)


**Note**  
These warnings will only be shown when a GovCloud user is in conversation or part of a room with external users. They will disappear if the external users leave the conversation. No warnings will be shown in conversations between GovCloud users.

# File preview for AWS Wickr
<a name="file-preview"></a>

Organizations using the Wickr Premium tier (including Premium free trial) can now manage file download permissions at the security group level.

File downloads are enabled by default in security groups. Administrators can enable or disable file downloads through the administrator panel. This setting is applied to the entire Wickr network. 

To enable or disable file download, complete the following procedure.

1. Open the AWS Management Console for Wickr at [https://console.aws.amazon.com/wickr/](https://console.aws.amazon.com/wickr/).

1. On the **Networks** page, select the network name to navigate to that network.

1. In the navigation pane, choose **Security groups**.

1. Select the name of the security group that you want to edit.

   The security group details page displays the settings for the security group in different tabs.

1. Under the **Messaging** tab, in the **Media and links** section, choose **Edit**.

1. On the **Edit media and links** page, check or uncheck the **File downloads** option.

1. Choose **Save changes**.

When file downloads are enabled for a security group, users can download files shared in direct messages and rooms. If downloads are disabled, they can only preview these files and upload to the **Files** tab, but cannot download them. Users are also restricted from taking screenshots; attempts will result in a black screen.

**Note**  
When File downloads are disabled, all the users in that security group will need to be on Wickr versions 6.54 and above for this file setting to apply.

**Note**  
In rooms where users from different networks (due to federation) and security groups are present, the ability of each user to preview or download files is based on their specific security group settings. As a result, some users can download files in a room while others can only preview them.