MyWorkspace

Architecture · Security · Operations

How MyWorkspace works under the hood

MyWorkspace by Intryl is a managed secure work access layer for organisations that need controlled access to office PCs, cloud workspaces, remote applications, and hybrid environments—without putting users through traditional VPN-heavy workflows or fragmented tooling.

This page is for teams who want a credible, high-level picture of the platform—how sessions flow, what major components are involved, and how security is layered—without implementation trivia or customer-specific deployment detail.


What makes the architecture different

MyWorkspace is designed to replace fragmented access workflows with one managed portal for users, assignments, authentication, and secure launch paths. Instead of stitching together separate tools for VPN-style access, user provisioning, device assignment, and remote workspace delivery, teams get a centralized operational layer with admin controls, included 2FA, and private secure routing.

End-to-end flow

Administrators provision users and assign the devices, desktops, cloud workspaces, or remote applications each person may use. Users sign in through the company portal; where policy requires it, second-factor authentication is part of the flow. When someone launches an assigned resource, the request is validated on the server—only active assignments resolve to a connection path. Browser-based sessions are carried through protected access layers that fit your deployment. Credentials for the remote environment remain inside the remote session boundary, not as long-lived secrets in the web tier. Users do not need to follow a traditional VPN-heavy workflow to start a session after onboarding. Your architecture may still include enterprise network components, a secure access edge, or zero-trust policies—the portal is designed to work alongside those controls, not to pretend they disappear.

Platform stack

Operationally, MyWorkspace packages what teams often buy in fragments: a company portal, an admin panel, user management, device and workspace assignment, authentication and session controls, and integration points for private secure routing—implemented as a modern web application with server-side APIs and managed PostgreSQL-backed tenant data. Optional object storage, where enabled, is integrated through server-mediated uploads so controls stay centralized. Administrative actions are enforced with explicit role checks. Where you standardise on an access edge or SSO gateway, the platform can participate as an OpenID Connect provider so those layers trust the same identity without ad hoc password sharing.

Security posture

The portal controls identity, roles, assignments, and launch authorisation. The secure access layer governs which paths are reachable for browser and remote flows. The target environment enforces its own session authentication where that is required. Together, that is deliberate separation of concerns—not one oversized trust zone. Least privilege, explicit trust boundaries, and allow-listed redirects are part of how integrations are handled in production configurations. Remote environment credentials are not stored in the web tier as durable secrets that could be used for session takeover. API responses are shaped to avoid leaking stack traces, internal hostnames, or other detail that aids reconnaissance.

Reliability and tenancy

Customer workspaces are logical boundaries in the data model—configuration and assignments stay scoped to the tenant. Tenant-scoped configuration, user assignments, and access policies are treated as operational boundaries, not just UI filters. Operational hooks such as dependency health checks help catch misconfiguration early. Observability is designed to support incident response without collecting secrets, raw cookies, or end-user passwords.

Production deployments are reasoned about through layered controls, least privilege, tenant scoping, explicit trust boundaries, and clear separation between the browser, the portal, the secure access edge, and the target environment.
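The launch check described under "End-to-end flow" and the tenant scoping described above can be sketched as follows. This is an added example, not MyWorkspace code: the data model, the function names, and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names throughout: the page does not publish MyWorkspace's
# data model or API, so User, Assignment and authorize_launch are assumptions.
@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    mfa_verified: bool  # set by sign-in after a successful second factor

@dataclass(frozen=True)
class Assignment:
    tenant_id: str
    user_id: str
    resource_id: str
    active: bool
    launch_ref: str  # opaque launch reference, not an internal hostname

# Constructed sample data: two tenants that both use the resource id "desk-7".
ASSIGNMENTS = [
    Assignment("t1", "alice", "desk-7", True, "launch/8f3a"),
    Assignment("t1", "alice", "app-2", False, "launch/c210"),
    Assignment("t2", "bob", "desk-7", True, "launch/77de"),
]

def authorize_launch(user: User, resource_id: str, tenant_requires_mfa: bool,
                     assignments=ASSIGNMENTS) -> tuple[Optional[str], str]:
    """Return (launch_ref, audit_reason); launch_ref is None on denial."""
    # Tenant scoping is part of the lookup key, not a filter applied in the UI.
    key = (user.tenant_id, user.user_id, resource_id)
    match = next((a for a in assignments
                  if (a.tenant_id, a.user_id, a.resource_id) == key), None)
    if match is None:
        return None, "no_assignment"
    if not match.active:
        return None, "assignment_inactive"
    if tenant_requires_mfa and not user.mfa_verified:
        return None, "mfa_required"
    return match.launch_ref, "ok"

def client_response(launch_ref: Optional[str]) -> dict:
    """Shape the API reply: denials are uniform and carry no internal detail."""
    if launch_ref is None:
        return {"status": "denied"}
    return {"status": "ok", "launch": launch_ref}
```

The audit reason stays on the server for incident response; the client sees the same denial whether the assignment is missing, inactive, or blocked on the second factor.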


Frequently asked questions

Does MyWorkspace require users to use a traditional VPN?

MyWorkspace is designed to reduce traditional VPN-heavy workflows for end users. After onboarding, users access assigned resources through the company portal and protected launch flow, while customer-specific network or edge controls can still be part of the deployment.

What does MyWorkspace include?

MyWorkspace includes a company portal, admin panel, user management, assignment controls, 2FA support, secure launch flows, and private routing integration points for accessing assigned devices, workspaces, desktops, or applications.

Can administrators manage users and devices centrally?

Yes. Administrators can manage users and assign the workspaces, desktops, remote applications, or devices each person is allowed to access.

Is 2FA included?

Yes, MyWorkspace supports second-factor authentication as part of the access flow where policy requires it.

Does MyWorkspace replace every security layer?

No. MyWorkspace acts as a managed secure work access layer. It can work with an organisation’s edge, zero-trust, SSO, and target-environment controls instead of replacing every layer.