Control: Security Policies

Overview

Workspot Control is a single location that enables customers to create and control a unified workspace for their end-users. It is a cloud-based component that is accessed via URL: https://control.workspot.com 

Security Policies in Workspot Control allow customers to apply access rules that permit or deny users permission to perform different kinds of operations on their Workspot desktops or apps.

All Workspot Control policies (Network and Security) are listed under the Policies tab in Control.

Create or Edit a Security Policy

To Create a New Security Policy

  • Go to "Control > Policies > Add a New Policy."

  • Give an appropriate name to this new policy in the Policy Name field.

  • Choose "Security" from the menu in the "Policy Type" field. 

  • Select the appropriate user groups to which you want this policy to be applied.

  • Adjust the settings in different sections according to your needs.

  • Click "Add Policy."

To Edit a Security Policy

Go to "Policies." You will see the list of existing policies.

  • Scroll down to the desired policy.

  • Click on the policy's name. This takes you to the "Edit Policy" page, which is almost identical to the "Add a New Policy" page.

  • Adjust the settings as needed.

  • Click "Save."

Security Policy Settings

Workspot PIN Settings

Typically, Client users need to set up a PIN during their first-time use of a Workspot Client (FTU). The Workspot PIN Settings control PIN parameters.

  • Different complexity requirements for desktop and mobile clients: Choose ‘Yes’ to apply different Workspot PIN complexity on desktop Clients versus mobile Clients (iOS/Android). If this setting is ‘No’, the same complexity is used across all platforms.

  • Number of Characters: PIN length (4-8 characters). 

  • Alphanumeric requirement: If unchecked, the PIN consists of numerals only. If checked, it can contain letters as well.

  • Change PIN Interval (days): If zero, PINs do not expire. If nonzero, PINs expire after the specified period, and the user is prompted to update them. Valid settings are zero and 14-365 days.

  • Enable Touch ID or Face ID: This setting enables the user to use the Touch ID and Face ID features on iOS and Android devices to authenticate to the Workspot Client.

  • Client Idle Lock Time: The Workspot Client locks itself if the local device has been idle for more than the specified period. The end-user must enter a PIN or password to unlock the Client.

  • Lock Inactive Client Dashboard: If “Yes,” the Client dashboard locks itself when it is idle, even if the connected desktops and apps are not. This helps prevent other users from launching resources when the user’s back is turned.

Note: The Workspot Web Client uses the idle time of the remote desktop or app.

Online Authentication

These settings apply to signing into a Workspot desktop or app from the Client. They don’t apply to signing into the Client.

  • Do you use two-factor authentication: This feature enables two-factor Client authentication using either RSA or a Client certificate. Not required for Azure AD multi-factor authentication, which is set up in Azure AD and is transparent to Control.

  • Would you like credentials to be cached on the client to enable auto-login (Single Sign-On/SSO):  When this setting is set to Yes, the Client remembers desktop/app login credentials between Client sessions and attempts to use them again automatically next time. If they fail, the user is prompted for credentials. If this is set to No, desktop/app credentials are forgotten between Client sessions and the user has to sign in manually every time.

  • Disable Single Sign On (SSO): This feature disables the caching feature above (Single Sign-On) for the Workspot Web Client only. If enabled, the user is always prompted for credentials when launching a Workspot desktop or app from the Workspot Web Client.

Offline Access (Obsolete)

This section allowed Client users to access cached copies of desktop/app files when the Client device was offline. The feature has been deprecated for years, was used by few if any customers, and support was removed in Control R17.4.

  • Are documents available offline: Allows access to already cached company documents while the device is offline. 

  • Size of local cache: Sets the total size limit for cached data on the local device. Applies to iOS and Android devices. (Mac and Windows Clients have no set limit.)

Utility Rules

Utility Rules control I/O between the Workspot desktop/app and the Client device, plus a few miscellaneous services.

  • Show advanced settings on desktop clients: Allow users to access advanced settings in desktop clients (Workspot Windows and Mac Clients).

  • Allow external applications to edit documents: Enables a user to edit Workspot documents with third-party applications and to save the documents on the user's device.

  • Enforce location services for Workspot: Requires users to enable Location Services on their device while using Workspot.  

  • Enforce remote notification services for Workspot: This allows Workspot to send remote notifications to the user device (such as Policy Updates).

  • Allow uploads from the device: This allows the user to upload data from the local device to the Workspot vault. 

  • Allow rooted Android devices: This setting allows the user to install and use Workspot Client on a rooted device.

Protocol Settings

Tip: "Allow Video Redirection" was recently added and defaults to "No." Previously, video (webcam) redirection was controlled by "Allow Audio Redirection." If users' webcams stop working after a Client upgrade, set "Allow Video Redirection" to "Yes."

  • Enable Locked Down Mode: Sets I/O between the Client device and the Workspot desktop/app to the most restrictive options, forbidding cut/paste, screen capture, printing, drive sharing, etc. Use of Client audio devices on the remote desktop is allowed unless disabled separately.

  • Enable Printing: Setting this to Yes will allow the user to print the documents using printers available to the Client device.

  • Enable Screen capture: If this is set to No, the user will not be able to do a Screen capture of the Workspot desktop/apps. 

  • Enable copy and paste: Allows the user to copy/paste data to/from Workspot desktops/applications. 

  • Allow audio redirection: Allows audio redirection between the Client device and the Workspot desktop/app. 

  • Allow local drive sharing: Allow users to share disks on the Client device with the Workspot desktop/app. 

  • Allow drives user plugs in while in session: As above, but includes disks that came online during the current session. 

  • Allow redirection of Plug and Play devices: Allows the Workspot desktop/app to access Plug and Play devices on the Client device.

  • Allow Clients to reconnect automatically: If set to "No," the Workspot Client will not attempt to restore the connection after becoming disconnected. Defaults to "Yes," since automatic reconnection is generally desirable. Set to "No" if you are using a third-party authentication system that does not support automatic reconnection.

  • Display bandwidth and latency values on Desktop. If "Yes," the Client will show rough estimates of bandwidth availability and connection latency. Defaults to "No" because these estimates are not very reliable and are useful mostly for debugging.

  • Allow audio redirection. If "Yes," the microphone on the Client device is available to the Workspot desktop. Defaults to "Yes."

  • Allow video redirection. If "Yes," the webcam on the Client device is available to the Workspot desktop. Defaults to "No."

  • Allow smartcard redirection. If "Yes," smartcard I/O on the client device is available to the Workspot desktop. Defaults to "No."

  • Enable Teams Client Plug-in. If "Yes," the Teams Client plug-in will be installed automatically for use with the Workspot Client (only). This improves video performance if the corresponding software is also installed on the Workspot desktop. Defaults to "No."

  • Enable Zoom Client Plug-in. If "Yes," the Zoom Client plug-in will be installed automatically for use with the Workspot Client (only). This improves video performance if the corresponding software is also installed on the Workspot desktop. Defaults to "No."
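
The following review script is an added example, not Workspot code or a Workspot export format. It checks a policy that an administrator has transcribed by hand against the PIN ranges under Workspot PIN Settings and works out which client I/O channels stay open under the Protocol Settings. The dictionary key names are assumptions, as is the reading that Locked Down Mode overrides the individual switches it names.

```python
# Added example. Key names are assumptions: the values are typed in by hand
# from the "Edit Policy" page; this is not a Workspot export format or API.

# I/O channels the page names as forbidden by "Enable Locked Down Mode"
# (the page's list ends in "etc."; only the named ones are modelled here).
LOCKED_DOWN_BLOCKS = ("copy_paste", "screen_capture", "printing",
                      "local_drive_sharing")


def review_policy(policy):
    """Check one transcribed Security Policy; return (errors, open_channels)."""
    errors = []

    # Number of Characters: PIN length is 4-8.
    if not 4 <= policy["pin_length"] <= 8:
        errors.append("pin_length outside 4-8")

    # Change PIN Interval (days): zero (no expiry) or 14-365.
    days = policy["pin_change_days"]
    if days != 0 and not 14 <= days <= 365:
        errors.append("pin_change_days must be 0 or 14-365")

    # Assumption: Locked Down Mode overrides the individual switches it covers.
    locked = policy.get("locked_down_mode", False)
    open_channels = [c for c in LOCKED_DOWN_BLOCKS
                     if policy.get(c, False) and not locked]

    # Audio is allowed under Locked Down Mode unless disabled separately.
    if policy.get("audio_redirection", False):
        open_channels.append("audio_redirection")

    return errors, open_channels


# Constructed sample: individual switches are "Yes" but Locked Down Mode is on.
SAMPLE = {
    "pin_length": 6, "pin_change_days": 7, "locked_down_mode": True,
    "copy_paste": True, "printing": True, "screen_capture": False,
    "local_drive_sharing": True, "audio_redirection": True,
}

if __name__ == "__main__":
    errs, channels = review_policy(SAMPLE)
    print("errors:", errs)
    print("open channels:", channels)
```

For the constructed sample, the 7-day interval is rejected and audio redirection is the only channel left open, which is the Locked Down Mode case to confirm during a policy review.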

Windows Posture Check

This section is described in Security Posture Checking. In brief, it allows you to set tests that must be passed on the end-user’s local Windows device before it is allowed to connect to the Workspot desktops or apps covered by this Security Policy.