Control: Security Policies


Overview

Workspot Control is a single location that enables customers to manage a unified workspace for their end-users. It is a cloud-based component that is accessed via URL: https://control.workspot.com.

Security Policies in Workspot Control apply access rules that control the different kinds of operations end-users can perform on their Workspot desktops and apps. As the name implies, these rules have a security focus.

These policies are applied on a per-group basis. The group that is used for Security Policy selection is called the “Selected Group” in the User Details page. For more about group management, see Self-Registration and Resource Entitlements and Active Directory (AD) Groups.

All the Workspot Control Policies (including Security Policies) are listed under the Policies tab in Control.

Create or Edit a Security Policy

To Create a New Security Policy

  • Go to "Control > Policies > Add a New Policy."

  • Give an appropriate name to this new policy in the Policy Name field.

  • Choose "Security" from the menu in the "Policy Type" field. 

  • Select the appropriate user groups to which you want this policy to be applied.

  • Adjust the settings in different sections according to your needs.

  • Click "Add Policy."

To Edit a Security Policy

  • Go to "Policies." You will see the list of existing policies.

  • Scroll down to the desired policy.

  • Click on the policy's name. This takes you to the "Edit Policy" page, which is almost identical to the "Add a New Policy" page.

  • Adjust the settings as needed.

  • Click "Save."

Security Policy Settings

Workspot PIN Settings

Typically, Client users need to set up a PIN during their first-time use of a Workspot Client (FTU). The Workspot PIN Settings control PIN parameters.

  • Different complexity requirements for desktop and mobile clients: Choose ‘Yes’ to apply different Workspot PIN complexity on desktop clients versus mobile clients (iOS/Android). If this setting is ‘No,’ the same complexity is used across all platforms.

  • Number of Characters: PIN length (4-8 characters). 

  • Alphanumeric requirement: If unchecked, the PIN consists of numerals only. If checked, it can contain letters as well.

  • Change PIN Interval (days): If zero, PINs do not expire. If nonzero, PINs expire after the specified period, and the user is prompted to update them. Valid settings are zero and 14-365 days.

  • Enable Touch ID or Face ID: This setting enables the user to use the Touch ID and Face ID features on iOS and Android devices to authenticate to the Workspot Client.

  • Client Idle Lock Time: The Workspot Client locks itself if the local device has been idle for more than the specified period. The end-user must enter a PIN or password to unlock the Client.

  • Lock Inactive Client Dashboard: If “Yes,” the Client dashboard locks itself when it is idle, even if the connected desktops and apps are not. This helps prevent other users from launching resources when the user’s back is turned.

Note: The Workspot Web Client uses the idle time of the remote desktop or app, not the local device.

Online Authentication

These settings apply to signing into a Workspot desktop or app from the Client. They don’t apply to signing into the Client.

  • Do you use two-factor authentication: This feature enables two-factor Client authentication using either RSA or a Client certificate. It is not required for Azure AD multifactor authentication, which is set up in Azure AD and is transparent to Control.

  • Would you like credentials to be cached on the client to enable auto-login (Single Sign-On/SSO): If set to Yes, the Client remembers desktop/app login credentials between Client sessions and attempts to use them again automatically next time. If they fail, the user is prompted for credentials. If set to No, desktop/app credentials are forgotten between Client sessions and the user has to sign in manually every time.

  • Disable Single Sign On (SSO): This feature disables the caching feature above (Single Sign-On) for the Workspot Web Client only. If enabled, the user is always prompted for credentials when launching a Workspot desktop or app from the Workspot Web Client.

Enterprise Browser Downloads

These settings specify the allowed destinations (if any) for downloads via Workspot Enterprise Browser, covering both cloud and local storage. They are used to prevent corporate data from being saved on the Client user’s local device.

These destinations can be:

  • A folder in a supported Cloud Storage account (initial support is for Microsoft OneDrive).

  • The user’s default Downloads folder on the Client device.

  • More than one of the above. The user can select a destination on a per-download basis.

  • None of the above: No downloads are allowed.

Cloud Storage downloads are sent directly to the Cloud Storage provider without being saved even temporarily on the Client device.

Note: The Cloud Storage option is a selective feature. Contact Workspot to enable it.

Note: The Cloud Storage option requires a compatible Workspot Client. Initial support will be in the Windows Client 8.0.0, with other browsers to follow.

  • Use Cloud Storage for Downloads:

    • Allow Microsoft OneDrive: If “Yes,” downloads can be sent to the user’s “Workspot Downloads” folder on Microsoft OneDrive.

    • Restrict OneDrive downloads to registered user: If “Yes,” the email address used to sign into the Client must be the same as the email address of the OneDrive account. If “No,” any OneDrive account can be used.

      • Note: The recommended setting for “Restrict OneDrive downloads” is “Yes,” even though the default is “No.”

  • Use Local Storage for downloads: If “Yes,” downloads can be sent to a local Client folder.

Best Practices

To prevent Enterprise Browser apps from downloading to the end-user’s local devices, use one of the following methods.

Preferred (downloads are allowed but are not saved to the Client device):

  • Enable the “Enterprise Browser Downloads” selective feature (contact Workspot).

  • Set “Allow Microsoft OneDrive” to “Yes.”

  • Set “Restrict OneDrive downloads to registered user” to “Yes.”

  • Set “Use Local Storage for downloads” to “No.”

Alternate:

  • Set “Allow Microsoft OneDrive” to “No.”

  • Set “Use Local Storage for downloads” to “No.”

Note: Also consider disabling these settings in the “Protocol Settings” block further down the page: “Allow local drive sharing,” “Allow drives user plugs in while in session,” “Enable cut and paste,” “Enable screen capture,” and “Enable printing.” Disabling all of these settings prevents data from being transferred to the Client device.

Utility Rules

Utility Rules control I/O between the Workspot desktop/app and the Client device, plus a few miscellaneous services.

  • Show advanced settings on desktop clients: Allow users to access advanced settings in desktop clients (Workspot Windows and Mac Clients).

  • Allow external applications to edit documents: Enables users to edit Workspot documents with third-party applications and to save the documents on their devices.

  • Enforce location services for Workspot: Requires users to enable Location Services on their device while using Workspot.  

  • Enforce remote notification services for Workspot: This allows Workspot to send remote notifications to the user device (such as Policy Updates).

  • Allow uploads from the device: This allows the user to upload data from the local device to the Workspot vault. 

  • Allow rooted Android devices: This setting allows the user to install and use Workspot Client on a rooted device.

Protocol Settings

  • Enable Locked Down Mode: Sets I/O between the Client device and the Workspot desktop/app to the most restrictive options, forbidding cut/paste, screen capture, printing, drive sharing, etc. Use of Client audio devices on the remote desktop is allowed unless disabled separately.

  • Enable Printing: If set to Yes, the user can print documents using printers available to the Client device.

  • Enable Screen capture: If set to No, the user cannot take a screen capture of the Workspot desktop/apps.

  • Enable copy and paste: Allows the user to copy/paste data to/from Workspot desktops/applications. 

  • Allow audio redirection: Allows audio redirection between the Client device and the Workspot desktop/app. 

  • Allow local drive sharing: Allow users to share disks on the Client device with the Workspot desktop/app. 

  • Allow drives user plugs in while in session: As above, but includes disks that came online during the current session. 

  • Allow redirection of Plug and Play devices: Allows the Workspot desktop/app to access Plug and Play devices on the Client device.

  • Allow Clients to reconnect automatically: If set to "No," the Workspot Client will not attempt to restore the connection after becoming disconnected. Defaults to "Yes," since automatic reconnection is generally desirable. Set to "No" if you are using a third-party authentication system that does not support automatic reconnection.

  • Display bandwidth and latency values on Desktop: If "Yes," the Client will display “Connection Quality” with green/yellow/red icons and rough estimates of bandwidth availability and connection latency. Defaults to "No" because these estimates are not very reliable and are useful mostly for debugging.

  • Allow audio redirection: If "Yes," the microphone on the Client device is available to the Workspot desktop. Defaults to "Yes."

  • Allow video redirection: If "Yes," the webcam on the Client device is available to the Workspot desktop. Defaults to "No."

  • Allow smartcard redirection: If "Yes," smartcard I/O on the client device is available to the Workspot desktop. Defaults to "No."

  • Enable Teams Client Plug-in: If "Yes," the Teams Client plug-in will be installed automatically for use with the Workspot Client (only). This improves video performance if the corresponding software is also installed on the Workspot desktop. Defaults to "No."

  • Enable Zoom Client Plug-in: If "Yes," the Zoom Client plug-in will be installed automatically for use with the Workspot Client (only). This improves video performance if the corresponding software is also installed on the Workspot desktop. Defaults to "No."
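
The Enterprise Browser best practices and the Protocol Settings above can be reviewed together when checking a policy for paths that move data to the Client device. The following is an added example, not Workspot code: it audits a policy that an administrator has transcribed by hand from the Edit Policy page. The dict format and the function names are assumptions; this page does not describe an export format or API.

```python
# Added example. Keys are the setting labels from the Security Policy page;
# the dict is a hand transcription (assumption), not a Workspot export format.
YES, NO = "Yes", "No"
# Protocol Settings that can move data to the Client device.
PROTOCOL_PATHS = [
    "Allow local drive sharing", "Allow drives user plugs in while in session",
    "Enable copy and paste", "Enable Screen capture", "Enable Printing",
]

def setting(policy, name, findings):
    """Return the recorded value; flag anything that is not Yes or No."""
    value = policy.get(name)
    if value not in (YES, NO):
        findings.append(f"{name}: not recorded, check it in Control")
    return value

def audit_policy(policy):
    """Return findings; an empty list means no path to the Client device."""
    findings = []
    # Both the preferred and the alternate method turn local storage off.
    if setting(policy, "Use Local Storage for downloads", findings) == YES:
        findings.append("Use Local Storage for downloads: Yes saves files on the Client device")
    # Preferred method only: OneDrive must be tied to the registered user.
    restrict = "Restrict OneDrive downloads to registered user"
    if (setting(policy, "Allow Microsoft OneDrive", findings) == YES
            and setting(policy, restrict, findings) == NO):
        findings.append(f"{restrict}: No lets any OneDrive account receive downloads")
    # Locked Down Mode forces the most restrictive I/O, so check the rest only without it.
    if setting(policy, "Enable Locked Down Mode", findings) != YES:
        for name in PROTOCOL_PATHS:
            if setting(policy, name, findings) == YES:
                findings.append(f"{name}: Yes leaves a path to the Client device")
    return findings

# Constructed sample: downloads go to OneDrive, clipboard and printing left on.
SAMPLE = {
    "Use Local Storage for downloads": NO,
    "Allow Microsoft OneDrive": YES,
    "Restrict OneDrive downloads to registered user": NO,
    "Enable Locked Down Mode": NO,
    "Allow local drive sharing": NO,
    "Allow drives user plugs in while in session": NO,
    "Enable copy and paste": YES,
    "Enable Screen capture": NO,
    "Enable Printing": YES,
}

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE)))
```

Settings that were never transcribed are reported as "not recorded" rather than assumed safe, so an incomplete review does not pass silently.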

Windows Posture Check

This section is described in Security Posture Checking. In brief, it allows you to set tests that must be passed on the end-user’s local Windows device before it is allowed to connect to the Workspot desktops or apps covered by this Security Policy.