# Enterprise Deployment Recommendations for Splashtop Secure Workspace
Overview
This article provides deployment recommendations for organizations deploying Splashtop Secure Workspace (SSW) in enterprise environments protected by endpoint security solutions and managed through Mobile Device Management (MDM) platforms.
The guidance covers:
- Microsoft Defender Antivirus
- Microsoft Defender for Endpoint (MDE)
- Attack Surface Reduction (ASR) Rules
- Firewall and Network Requirements
- Microsoft Intune Deployments
- Mosyle Deployments
In most environments, Secure Workspace operates without requiring special antivirus or firewall exclusions. However, organizations with strict endpoint protection, application control, or outbound filtering policies may need to configure allowlists for Secure Workspace components.
Microsoft Defender Antivirus
Recommended Antivirus Exclusions
Secure Workspace generally does not require antivirus exclusions. However, if Microsoft Defender Antivirus or another endpoint security solution is interfering with Secure Workspace functionality, administrators may consider excluding the Secure Workspace installation directory.
Windows (64-bit)
C:\Program Files\Secure Workspace\
Windows (32-bit)
C:\Program Files (x86)\Secure Workspace\
Exclusions should only be implemented when security software is confirmed to be blocking or interfering with normal Secure Workspace operation.
Microsoft Defender for Endpoint (MDE)
Recommended Process Allowlisting
Organizations using Microsoft Defender for Endpoint, Microsoft Defender Application Control, or other application control solutions may wish to allowlist Secure Workspace executables.
Secure Workspace (User Interface)
The primary Secure Workspace application used for user sign-in and application access.
Windows (64-bit)
C:\Program Files\Secure Workspace\Secure Workspace.exe
Windows (32-bit)
C:\Program Files (x86)\Secure Workspace\Secure Workspace.exe
SDP Client (Secure Connectivity Service)
The SDP Client (sdpc) is responsible for secure connectivity, tunnel establishment, and policy enforcement.
Windows (64-bit)
C:\Program Files\Secure Workspace\resources\release\app\sdpc.exe
Windows (32-bit)
C:\Program Files (x86)\Secure Workspace\resources\release\app\sdpc.exe
SSW Agent (Background Service)
The SSW Agent (ssw-agent) runs as a background service and is responsible for launching and managing privileged Secure Workspace components, including sdpc, device authentication services, and endpoint-related functionality.
Windows (64-bit)
C:\Program Files\Secure Workspace\resources\release\app\ssw-agent.exe
Windows (32-bit)
C:\Program Files (x86)\Secure Workspace\resources\release\app\ssw-agent.exe
Osquery Agent (Endpoint Management)
The Osquery Agent (osqueryd) is used by Secure Workspace Endpoint Management features to collect device inventory and compliance information.
This component is only required when Endpoint Management functionality is enabled.
Windows (64-bit)
C:\Program Files\Secure Workspace\resources\osqueryd\osqueryd.exe
Windows (32-bit)
C:\Program Files (x86)\Secure Workspace\resources\osqueryd\osqueryd.exe
Attack Surface Reduction (ASR) Rules
Secure Workspace is generally compatible with Microsoft's Attack Surface Reduction (ASR) rules.
If Secure Workspace applications, Private Apps, Browser Isolation sessions, or secure connectivity features are blocked after enabling ASR policies, review any rules that restrict:
- Application execution
- Child process creation
- Script execution
- Credential access
- Network communications
Where necessary, create exceptions for the approved Secure Workspace executables listed above.
Network Requirements
Required Outbound Ports
Secure Workspace requires outbound network connectivity to Splashtop cloud services.
| Protocol | Port | Purpose |
|---|---|---|
| TCP | 443 | Secure Workspace cloud communication |
| TCP | 9202 | Secure tunnel establishment |
| UDP/TCP | 53 | DNS resolution |
Port 9202
The SDP Client (sdpc) uses TCP port 9202 to establish secure tunnels between the endpoint and Splashtop Secure Workspace services.
Blocking this port may prevent:
- Private App access
- Secure application connectivity
- Tunnel-based access workflows
Domain Allowlist Recommendations
Organizations implementing outbound filtering, web filtering, SSL inspection, DNS filtering, or firewall restrictions should allow access to Splashtop services.
Recommended Domain Allowlist
*.splashtop.com
This wildcard covers Secure Workspace cloud services, authentication services, API endpoints, update services, and connectivity infrastructure.
Microsoft Intune Deployment Best Practices
Recommended Deployment Configuration
- Deploy Secure Workspace as a Win32 application.
- Install in System context.
- Enable automatic updates where applicable.
- Configure application detection rules based on the Secure Workspace installation path.
Recommended Detection Rules
Windows (64-bit)
C:\Program Files\Secure Workspace\Secure Workspace.exe
Windows (32-bit)
C:\Program Files (x86)\Secure Workspace\Secure Workspace.exe
Mosyle Deployment Best Practices
For macOS deployments managed through Mosyle:
Application Paths
Secure Workspace
/Applications/Secure Workspace.app
SDP Client
/Applications/Secure Workspace.app/Contents/Resources/release/app/sdpc
SSW Agent
/Applications/Secure Workspace.app/Contents/Resources/release/app/ssw-agent
Osquery Agent
/Applications/Secure Workspace.app/Contents/Resources/osqueryd/osquery.app/Contents/MacOS/osqueryd
Note: The Osquery Agent is only required when Endpoint Management features are enabled.
Recommended Configuration
- Deploy Secure Workspace as a managed application.
- Allow application updates.
- Deploy browser extensions through managed browser policies when applicable.
- Approve any required permissions through PPPC profiles.
Depending on the Secure Workspace features being used, organizations may need to approve:
- Accessibility permissions
- Screen Recording permissions
- Notification permissions
Troubleshooting Security Software Conflicts
If Secure Workspace functionality is blocked by endpoint security software:
-
Verify the following processes are running as expected:
- Secure Workspace
- sdpc
- ssw-agent
- osqueryd (if Endpoint Management is enabled)
-
Review Microsoft Defender Antivirus quarantine events.
-
Review Microsoft Defender for Endpoint alerts.
-
Review ASR rule events.
-
Verify outbound TCP 443 connectivity.
-
Verify outbound TCP 9202 connectivity.
-
Verify DNS resolution.
-
Confirm access to:
*.splashtop.com
- Temporarily bypass SSL inspection during troubleshooting if HTTPS interception is enabled.