Architecture · Security · Operations

How MyWorkspace works under the hood

MyWorkspace by Intryl is a managed secure work access layer for organisations that need controlled access to office PCs, cloud workspaces, remote applications, and hybrid environments—without putting users through traditional VPN-heavy workflows or fragmented tooling.

This page is for teams who want a credible, high-level picture of the platform—how sessions flow, what major components are involved, and how security is layered—without implementation trivia or customer-specific deployment detail.

What makes the architecture different

MyWorkspace is designed to replace fragmented access workflows with one managed portal for users, assignments, authentication, and secure launch paths. Instead of stitching together separate tools for VPN-style access, user provisioning, device assignment, and remote workspace delivery, teams get a centralized operational layer with admin controls, included 2FA, and private secure routing.

Security

Security model

MyWorkspace operates as a governed work-access layer: users authenticate to the portal first, assignments and policy are resolved server-side, and approved environments become reachable through controlled session paths. The goal is not to turn every device into a permanent corporate endpoint, but to provide users with controlled access to the environments they are allowed to use.

  • Identity and access controls: portal sign-in, roles, and tenant-scoped rules governing what may be launched.
  • Assignment-based launch paths: only active assignments resolve to brokered connection paths; access is not guessable from URLs alone.
  • Browser-contained session experience: interaction stays inside governed browser-oriented surfaces where that is how delivery is configured.
  • Office PCs and cloud workspaces: one assignment model can reach physical desks, hosted desktops, and cloud workloads consistently.
  • Tenant and role boundaries: configuration and privileged actions stay scoped and role-checked as operational constraints.
  • Separation of secrets and session material: target-environment credentials stay inside session boundaries rather than living as durable web-tier secrets.
  • Centralized administration: users, assignments, and policies converge in one operational layer instead of fragmented tooling.
  • Compatibility with existing security layers: designed to coexist with your edge, zero-trust posture, and enterprise identity investments.

The portal controls identity, roles, assignments, and launch authorisation. The secure access layer governs which paths are reachable for browser and remote flows. The target environment enforces its own session authentication where that is required. Together, that is deliberate separation of concerns—not one oversized trust zone. Least privilege, explicit trust boundaries, and allow-listed redirects are part of how integrations are handled in production configurations. Remote environment credentials are not stored in the web tier as durable secrets for session takeover. API responses are shaped to avoid leaking stack traces, internal hostnames, or other detail that aids reconnaissance.

How the platform operates

  • 01 End-to-end flow

    • Administrators define users, roles, assignments, and allowed environments before anyone signs in.
    • At sign-in the platform resolves tenant context, assignment scope, and policy, then shows only approved launch targets.
    • Launches are brokered server-side; the endpoint device is an access surface, not the primary execution environment.

  • 02 Platform stack

    • Tenant-aware portal and administration surfaces in one operational layer.
    • Assignment management, session-launch orchestration, and audit-oriented events.
    • Secure routing to approved environments; tenant data and integrations stay on controlled server boundaries.

  • 03 Reliability and tenancy

    • Customer workspaces are logical boundaries: configuration and assignments stay tenant-scoped.
    • Assignments and access policies are operational limits, not UI filters alone.
    • Health checks and observability support incident response without collecting secrets or end-user passwords.

Production deployments are reasoned about through layered controls, least privilege, tenant scoping, explicit trust boundaries, and clear separation between the browser, the portal, the secure access edge, and the target environment.

Frequently asked questions

These answers now live in the main FAQ on the Contact page, alongside product and access questions.

If you have other questions, see the FAQ.