A workspace is a collection of environment configurations of cloud desktops and includes settings such as secure office networks, user account systems, and Internet access. Cloud desktops are deployed within workspaces. This topic describes the terms and features of workspaces.

Secure office networks

A secure office network is a private network built on top of Alibaba Cloud virtual private clouds (VPCs). Different secure office networks are logically isolated from each other. You can divide secure office networks to suit your needs and create different workspaces to improve security.

If network connectivity is required between workspaces, you can attach the workspaces to Cloud Enterprise Network (CEN) instances. For more information, see Attach a secure office network to or detach a secure office network from a CEN instance.

Account systems

Elastic Desktop Service (EDS) provides the following account systems:
  • Convenience accounts

    Convenience accounts are a system of dedicated EDS user accounts. These accounts are suitable for scenarios where Active Directory (AD) is not required. Convenience accounts can be managed in the EDS console.

  • Enterprise AD accounts

    AD connectors are used to connect to enterprise AD systems and synchronize the information of AD accounts. The AD domain controller is used for centralized management of user permissions and resources.

    Note: You are charged for AD connectors used to connect to enterprise AD systems. For more information about the billing of AD connectors, see Billing of AD connectors.

Internet access

If your cloud desktop requires Internet access, you can enable the Internet access feature for the workspace to which your cloud desktop belongs. The system creates a NAT gateway and configures the SNAT feature to enable Internet access. For more information, see Manage Internet access.

Logon settings

EDS supports the multi-factor authentication (MFA) and single sign-on (SSO) features. After a workspace is created, you can enable or disable these features on the workspace details page.
  • MFA

    When MFA is enabled, regular users must enter their username and password as well as a dynamic authentication code generated by the MFA device to log on to a client. This enhances security for the account. The first time a regular user logs on to a client, the user must bind an MFA device such as the Alibaba Cloud app. For more information, see Configure MFA.

  • SSO

    After SSO is enabled, mutual trust is required between identity providers (IdPs) such as Active Directory Federation Services (AD FS) and service providers (SPs) such as Alibaba Cloud EDS. After mutual trust is configured, a regular user only needs to pass logon authentication at the IdP to log on to the client through SSO. For more information, see Configure SSO for AD users.

  • Changes to the MFA or SSO settings of a workspace apply to all cloud desktops in the workspace.
  • The SSO feature is supported only for workspaces that belong to AD accounts.

Shared storage

An Apsara File Storage NAS file system can be created for each workspace, and cloud desktops in the workspace can share files by using the NAS file system. For more information, see Create a NAS file system.