Leading Auto Manufacturer Hyundai Implements Workspot Enterprise Desktop Cloud. Learn More

Workspot Client

Workspot Client ensures secure access
Ask an Expert

Secure Access Using Azure AD

Workspot Client is a downloadable application for the user’s device. It ensures secure access by conducting device posture checks, securing data in motion and at rest, whitelisting and blacklisting traffic, and logging events for compliance and auditing.

When a user logs in, based on IT configuration the user can be challenged to authenticate against Microsoft Azure AD or an AD Domain Controller in the cloud or on-prem. All existing Workspot security policies configured to work with your AD Groups are embraced and used to unlock Workspot Client. Conditional access policies are supported transparently in Workspot Client because of deep integration with your AD configuration.

Upon initial login, users provide their Active Directory (AD) credentials for authentication. Workspot Client can be configured to encrypt and cache credentials to be used automatically on subsequent logins.

Secure Access with PIN

When a user launches Workspot Client for the first time on their device, the user is prompted for their AD credentials for authentication (which are then encrypted and stored) and then they are prompted to create a PIN for Workspot Client on that device. The next time the user launches Workspot Client, the AD credentials are provided via SSO (single sign on) and only the PIN is required. The PIN is validated against the client master secret (CMS). If the CMS can be decrypted, the PIN is deemed valid; otherwise the PIN is invalid.

Incorrect PIN entries are subject to increasing wait times to circumvent brute force attacks. Workspot Client will allow up to 5 invalid PIN entries after which the data inside Workspot Client will be wiped from the device, thereby keeping the organization’s assets secure.

Once authenticated to AD, users can set a PIN, which is all that’s required on subsequent logins to provide single-sign-on

Securing Data in Motion

All communication to Workspot Control and cloud assets are protected with SSL/TLS. The embedded network stack enables secure L4-L7 access to network resources. The client implements a split tunnel that allows Workspot Client to be connected simultaneously to both the corporate and public networks. Application traffic can be routed to either network based on IT policies. Workspot is using a FIPS compliant TLS/SSL library in the embedded network stack.

Securing Data at Rest

All configuration information inside Workspot Client is encrypted with a multi-layer scheme using industry standard AES-256 encryption. 

  • All assets are encrypted in memory before they touch the file system. Every object is encrypted using a different key. 
  • Each key is encrypted using a master key.
  • The master key is encrypted with a user specified PIN that is not stored on the device. The user can access the Workspot application only when they can successfully provide the PIN or authenticate with Microsoft Azure AD or Microsoft AD credentials.

Secure Access to Desktops & Apps

Workspot Client enables secure access to different classes of applications running in the data center:

  • Windows Applications: Workspot Client is integrated with industry leading H.264 based RDP10.x protocol stack and enables access to an application running on Windows Server 2012 and above. Deep integration with Microsoft RDSH Service enables seamless delivery to Windows applications.
  • Web Applications: There is a secure browser bundled into Workspot that enables access to web applications such as SAP, SharePoint, etc.

Workspot Client presents all of the icons that represent the virtual cloud applications and desktops available to each user.

Whitelist / Blacklist Traffic

IT can control which sites the user can and cannot visit from inside Workspot Client by configuring a blacklist/whitelist. Browser based apps can leverage this feature for restricted intranet access.

Specify which URLs can be allowed access (White List) or specifically denied access (Black List).

Big Data Contextual Security

When a user accesses enterprise IT assets, Workspot Client collects contextual data about who did what, when, where, and how. Workspot cannot see this data and only collects it for relevant business activity – it does not collect data from personal applications such as Facebook – on the device. This data can be used for compliance, auditing, and adaptive authentication.

Workspot Client continuously monitors system activity and reports it to Workspot Control for use in identifying usage patterns and anomalies.


A seamless Workspot POC process with seasoned experts who had strong Azure expertise gave Workspot an edge. It was a unanimous decision to select Workspot.”

Matt Hallenborg, Senior Systems Engineer, Technical Operations

Workspot on Google Cloud is the perfect combination of price performance and simplicity.”

Civil Engineering

Flexibility and disaster recovery are strong arguments for choosing Workspot. The cloud approach secures our data better, and we are much better prepared for a business continuity event with the built-in disaster recovery capabilities of cloud desktops.”


Additional Resources

We’re here to help! Access these valuable resources to help guide your journey to cloud desktops.

Enterprise Cloud Desktops

Workspot is designed to work with the tools and processes you already have in place, like multi-factor authentication…Read more.

Executive Brief
Architected for Your Success

Virtual desktop architecture design predicts your success. Understand the differences … Read more.

Executive Brief
Cloud Desktop BC/DR

Workspot is the only SaaS platform for cloud desktops that offers multi-region backup and recovery…Read more.

Executive Brief