Documentation Index

Fetch the complete documentation index at: https://docs.ssw.splashtop.com/llms.txt

Use this file to discover all available pages before exploring further.

Enterprise Deployment Recommendations for Splashtop Secure Workspace

Prev Next

# Enterprise Deployment Recommendations for Splashtop Secure Workspace

Overview

This article provides deployment recommendations for organizations deploying Splashtop Secure Workspace (SSW) in enterprise environments protected by endpoint security solutions and managed through Mobile Device Management (MDM) platforms.

The guidance covers:

  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint (MDE)
  • Attack Surface Reduction (ASR) Rules
  • Firewall and Network Requirements
  • Microsoft Intune Deployments
  • Mosyle Deployments

In most environments, Secure Workspace operates without requiring special antivirus or firewall exclusions. However, organizations with strict endpoint protection, application control, or outbound filtering policies may need to configure allowlists for Secure Workspace components.


Microsoft Defender Antivirus

Recommended Antivirus Exclusions

Secure Workspace generally does not require antivirus exclusions. However, if Microsoft Defender Antivirus or another endpoint security solution is interfering with Secure Workspace functionality, administrators may consider excluding the Secure Workspace installation directory.

Windows (64-bit)

C:\Program Files\Secure Workspace\

Windows (32-bit)

C:\Program Files (x86)\Secure Workspace\

Exclusions should only be implemented when security software is confirmed to be blocking or interfering with normal Secure Workspace operation.


Microsoft Defender for Endpoint (MDE)

Recommended Process Allowlisting

Organizations using Microsoft Defender for Endpoint, Microsoft Defender Application Control, or other application control solutions may wish to allowlist Secure Workspace executables.

Secure Workspace (User Interface)

The primary Secure Workspace application used for user sign-in and application access.

Windows (64-bit)

C:\Program Files\Secure Workspace\Secure Workspace.exe

Windows (32-bit)

C:\Program Files (x86)\Secure Workspace\Secure Workspace.exe

SDP Client (Secure Connectivity Service)

The SDP Client (sdpc) is responsible for secure connectivity, tunnel establishment, and policy enforcement.

Windows (64-bit)

C:\Program Files\Secure Workspace\resources\release\app\sdpc.exe

Windows (32-bit)

C:\Program Files (x86)\Secure Workspace\resources\release\app\sdpc.exe

SSW Agent (Background Service)

The SSW Agent (ssw-agent) runs as a background service and is responsible for launching and managing privileged Secure Workspace components, including sdpc, device authentication services, and endpoint-related functionality.

Windows (64-bit)

C:\Program Files\Secure Workspace\resources\release\app\ssw-agent.exe

Windows (32-bit)

C:\Program Files (x86)\Secure Workspace\resources\release\app\ssw-agent.exe

Osquery Agent (Endpoint Management)

The Osquery Agent (osqueryd) is used by Secure Workspace Endpoint Management features to collect device inventory and compliance information.

This component is only required when Endpoint Management functionality is enabled.

Windows (64-bit)

C:\Program Files\Secure Workspace\resources\osqueryd\osqueryd.exe

Windows (32-bit)

C:\Program Files (x86)\Secure Workspace\resources\osqueryd\osqueryd.exe

Attack Surface Reduction (ASR) Rules

Secure Workspace is generally compatible with Microsoft's Attack Surface Reduction (ASR) rules.

If Secure Workspace applications, Private Apps, Browser Isolation sessions, or secure connectivity features are blocked after enabling ASR policies, review any rules that restrict:

  • Application execution
  • Child process creation
  • Script execution
  • Credential access
  • Network communications

Where necessary, create exceptions for the approved Secure Workspace executables listed above.


Network Requirements

Required Outbound Ports

Secure Workspace requires outbound network connectivity to Splashtop cloud services.

Protocol Port Purpose
TCP 443 Secure Workspace cloud communication
TCP 9202 Secure tunnel establishment
UDP/TCP 53 DNS resolution

Port 9202

The SDP Client (sdpc) uses TCP port 9202 to establish secure tunnels between the endpoint and Splashtop Secure Workspace services.

Blocking this port may prevent:

  • Private App access
  • Secure application connectivity
  • Tunnel-based access workflows

Domain Allowlist Recommendations

Organizations implementing outbound filtering, web filtering, SSL inspection, DNS filtering, or firewall restrictions should allow access to Splashtop services.

Recommended Domain Allowlist

*.splashtop.com

This wildcard covers Secure Workspace cloud services, authentication services, API endpoints, update services, and connectivity infrastructure.


Microsoft Intune Deployment Best Practices

Recommended Deployment Configuration

  • Deploy Secure Workspace as a Win32 application.
  • Install in System context.
  • Enable automatic updates where applicable.
  • Configure application detection rules based on the Secure Workspace installation path.

Recommended Detection Rules

Windows (64-bit)

C:\Program Files\Secure Workspace\Secure Workspace.exe

Windows (32-bit)

C:\Program Files (x86)\Secure Workspace\Secure Workspace.exe

Mosyle Deployment Best Practices

For macOS deployments managed through Mosyle:

Application Paths

Secure Workspace

/Applications/Secure Workspace.app

SDP Client

/Applications/Secure Workspace.app/Contents/Resources/release/app/sdpc

SSW Agent

/Applications/Secure Workspace.app/Contents/Resources/release/app/ssw-agent

Osquery Agent

/Applications/Secure Workspace.app/Contents/Resources/osqueryd/osquery.app/Contents/MacOS/osqueryd

Note: The Osquery Agent is only required when Endpoint Management features are enabled.

Recommended Configuration

  • Deploy Secure Workspace as a managed application.
  • Allow application updates.
  • Deploy browser extensions through managed browser policies when applicable.
  • Approve any required permissions through PPPC profiles.

Depending on the Secure Workspace features being used, organizations may need to approve:

  • Accessibility permissions
  • Screen Recording permissions
  • Notification permissions

Troubleshooting Security Software Conflicts

If Secure Workspace functionality is blocked by endpoint security software:

  1. Verify the following processes are running as expected:

    • Secure Workspace
    • sdpc
    • ssw-agent
    • osqueryd (if Endpoint Management is enabled)
  2. Review Microsoft Defender Antivirus quarantine events.

  3. Review Microsoft Defender for Endpoint alerts.

  4. Review ASR rule events.

  5. Verify outbound TCP 443 connectivity.

  6. Verify outbound TCP 9202 connectivity.

  7. Verify DNS resolution.

  8. Confirm access to:

*.splashtop.com
  1. Temporarily bypass SSL inspection during troubleshooting if HTTPS interception is enabled.