Introduction
The most important page in Workspot Control is the “Setup > Configuration” page. This page is accessible to Full Administrators only. It is divided into four main sections: “General Settings,” “Access,” “Authentication and Registration,” and “Connectivity and Routing.”
General Settings Section
The General Settings section has the following miscellaneous settings:
Login Message. An optional login message that is shown to your Workspot Client users after they sign into the Client.
Set Wallpaper. An optional bitmap image that is used as the background by the Workspot Client instead of the default image. This can be a .JPG, .JPEG, .PNG, or .GIF file. The recommended size is 768x1004 pixels and transparency is recommended in file formats that support it. The file size is limited to 2MB.
Support Email. Used by Workspot to contact your Workspot administrator.
Time Zone. The Time Zone you prefer when viewing log entries.
Template Registration Token. Used to register the Workspot Agent on a Workspot template, which associates the template with your Workspot deployment. You can also use the credentials of a Control Administrator. The “Regenerate” lets you create a fresh token without interfering with your already-registered templates.
Days to Wait Between Surveys. This refers to the optional User Surveys collected by Workspot Trace. Users can be asked for a survey after every Workspot connection or only once every 1-5 days.
Access Section
The Access section lists the URLs to access the Workspot Web Client, the Workspot Beta Web Client, Workspot Watch, and Workspot Trends. It also gives the command line to install the Workspot Windows Client in kiosk mode.
All these values rely on the Company Identifier, which is required to sign into any Workspot resource.
Authentication and Registration Section
Most of the “Authentication and Registration” section is concerned with end-user sign-in via the Workspot Client, but at the bottom it specifies Control, Watch, and Trends sign-in options as well.
Directory
Whether you are using Entra ID (Azure AD) directory service and, if so, whether the Client should use its built-in secure browser (default) for sign-in or the local device’s default browser.
Registration Options
Use Directory Services. Select between Azure AD (Entra ID) and Active Directory services when a user registers a Workspot Client.
Enable User email and verification code. Give the Client user the option of being emailed a code (to the address they are registering) rather than using sign-in credentials. The email includes a verification code that the user types into the Client to complete registration.
Use Identify Provider. If you have declared any third-party identity providers on “Setup > Identity Providers,” they are selectable here.
Use Alternate Claim for User Identity. This is the OIDC “Alternate Claim” that specified an Entra ID or Okta field other than the email record to use for use as the user’s identity for authentication.
Credential Caching
When using third-party identity providers or Entra ID, you can specify one of three levels of credential caching: Strict, Normal, and Less Strict. With “Strict,” users have to sign in every time.
If the Client device is joined to one of the domains in the Trusted Domains list, users will have to sign in less often than otherwise if “Strict” is not set.
Email Domain List
Specifies what happens when users who specify emails in different domains attempt to register a Workspot Client.
If “Self-Registration” is not enabled, the user needs an invitation to register their device.
If “Self-Registration” is enabled, all the users of the domain can be put into the specified Workspot Group or their Workspot assignment can be determined by their AD group membership. Mapping between an AD group and a Workspot Group is an optional part of a Workspot Group definition.
Additional Registration Options
This determines whether you forbid or allow users to register the Workspot Web Client, Workspot Windows Clients in kiosk mode, and Workspot Thin Clients and, if so, which Workspot Group to put such users in.
Watch and Trends Authentication
For Workspot Watch and Workspot Trends sign-ins, this selects between “Workspot Authentication” (AD and local accounts) or Azure AD/Entra ID authentication.
Control Authentication
For Workspot Control sign-ins, selects between “Workspot Authentication” (AD and local accounts), Azure AD/Entra ID authentication, and SAML.
Connectivity and Routing Section
The “Connectivity and Routing” section is a series of lists that affect access one way or another. They are as follows:
Trusted IP Addresses
No longer used.
Location Detector
For Desktop and App Server Pools that specify Gateway or VPN connectivity with the “External Only” option, the URLs in this list help to determine whether the Client should use the Gateway or Client VPN specified in the pool definition. These URLs should be accessible only when the Workspot Client is connected to your organization’s network. If at least one is accessible, the Client is “internal” and will optionally avoid routing Client traffic through a VPN or Gateway.
See Location Detector for details and for the precedence of the Location Detector, Custom Routing List, and Corporate WAN List fields.
Custom Routing List
For Desktop and App Server Pools that specify VPN connectivity with the “External Only” option, the destination addresses and subnets in this list help to determine whether the Client should use the Client VPN. If the “Route through VPN” box is checked, the VPN is used, otherwise it isn’t.
See Location Detector for details and for the precedence of the Location Detector, Custom Routing List, and Corporate WAN List fields.
Corporate WAN List
For Desktop and App Server Pools that specify VPN connectivity with the “External Only” option, the Wi-Fi SSIDs on this list help to determine whether the Client should use the Client VPN. If any of the listed SSIDs are detected by the Client, the Client assumes it is on your organization’s private network.
See Location Detector for details and for the precedence of the Location Detector, Custom Routing List, and Corporate WAN List fields.
Allowed RDP Add-ins
The Remote Desktop Protocol add-ins on this list are allowed to be installed on your Workspot Managed Gateways.
Authorized Ports (Custom RDP Ports)
This option is shown when the Custom RDP Ports selective feature is enabled. These determine the TCP ports on which your Workspot desktops and Appication Servers listen for incoming RDP connections and the ports the Workspot Clients use when making direct or VPN connections (When using an RD Gateway, the Client uses TLS connections on port 443 and the RD Gateway uses the specified RDP port).
Authorized ports separate Workspot and non-Workspot RDP connections, with Workspot traffic on one port and non-Workspot traffic (such as Windows administrator access) on the other port.
RDP UDP traffic is not affected.
There are two port options: Default and Custom.
The Default option enables TCP port 3389 for incoming RDP connections on Desktops and Application Servers, which is the standard port. Unless you customize the settings, this port is enabled, used for Workspot connections, and does not (and cannot) reject non-Workspot connections.
The Custom option lets you define a TCP port to supplement the Default port. You can specify that all Workspot connection use this port and that non-Workspot connections be rejected on this port.
The Workspot Clients (starting with Workspot Windows Client 7.0, with others to follow) will honor these assignments.
Older Clients will not, so update your Cilents before enabling this feature.
Using Authorized Ports
At least one of the ports must be enabled.
One of the enabled ports must be used for Workspot connections.
You cannot use both ports for Workspot connections.
The port that is used for Workspot connections can also reject non-Workspot connections.
The “Session” status under “Users > username > User Details” now shows the port number used for the connection as well as the IP of the desktop or Application server.