Could Workspot's freemium approach to BYOD shift focus from "access and control" to "big data?"

Over the last several months, I’ve had the opportunity to advise entrepreneurs across several technology segments. What’s common amongst the ones I respect is that they have a deep appreciation of how their target users behave in their lives. This allows them to filter out a lot of industry noise, assumptions, and opinions that can distract from the fundamental exercise of immersing yourself in the user experience before building a product. This enables the formulation of data-driven hypotheses, which leads to product prototypes that better empathize with the needs of the end-user.  I especially like that this approach encourages all to ask the Columbo questions.  And of course, it’s always fun to take part when one is invited to do so!


My observation of the various industry discussions on Bring Your Own Device (BYOD) is that they all hold similar assumptions about technology approaches. There's sparse discussion about how the products are actually “used,” as opposed to opinion (such as "users don’t like technology approach X," or arcane feature debates).

Let’s take the case of Mobile Device Management (MDM). Money (Airwatch raises $200M) is being thrown at it and consolidation (Citrix acquires Zenprise) is taking place. This is happening despite ample sentiment that MDM is a commodity and users don’t want it.  I’ve even heard opinions such as, “The MDM vendors are hiring $12 per/hour sales armies just to flood the market with seats priced as low as $0.60 per user/per month so they can upsell into this customer base with future wares.” 

So MDM is heading to free, users hate it because it provides no personal freedom, and it’s not clear for what it's actually used. What do users actually do with an MDM managed device beyond corporate controlled email, browsing, calendar and contacts? Is it really that different to a Blackberry Enterprise Server on a non-RIM device? How much additional productivity does MDM really enable? 

The incumbent vendors know this and are tweaking their MDM messaging to now say something along the lines of: MDM is a foundational piece of a larger macro trend called Enterprise Mobility Management (EMM). A classic case of, if you can’t win, you create a new category instead that pushes you into the position of looking like an industry leader.  

While vendors are busy positioning themselves, we’re seeing the evolution of the market towards Mobile Application Management (MAM), file syncing solutions such as those from Box and Citrix’s ShareFile, and nascent talk of MIM (Mobile Information Management). We’re also seeing the emergence of SaaS aggregation services such as Citrix Cloud Gateway and VMware Horizon. Have no doubt that these types of solutions, as they mature, will all be leveraged to strengthen the EMM category, as analysts’ arms are also twisted to hasten the process of explaining to you what EMM is. That’s all business as usual and I have no issue with it. However...

All this innovation is great, but again I have to ask: to do what? How? Why?

I’m a big fan of the nascent MAM market, but it’s still unclear beyond email/browser what mobile apps people actually care about for work. I’ve even suggested to Gabe that there should be a place on where people register what mobile apps they want to be MAM ready for work. When we understand that, we can have a meaningful discussion about what standards should evolve based on market demand.

MIM falls into the realm of "theory" for most, although there are various content protection approaches, (which are still evolving). The file sync vendors gloss over the costs of process and governance that have already been sunk into on premises storage, regulation, and migration costs. They're getting better, but new approaches will be required and need to mature for true enterprise enablement. But even here, thinking of data alone and applying user-based policy to it only partially addresses the end users' need to be productive.

Then there are the aggregators—who are still nascent—trying to figure out how to integrate content and data and apps into their MDM/mobile strategy. These are definitely not simple to use yet—especially if they also have to serve the dual purpose of replacing legacy functionality such as Citrix Web Interface.

With so many options, many end users and IT buyers become confused. As a result, many take a "wait and see" approach, simply trying the lowest common denominator approaches like MDM for now. But it still leaves me wondering, "Does this make the end user more productive?" Even when I try really hard to rationalize it, it’s marginal value at best.

Of course, I’m just one person, so I decided to test assumptions and asked friends and family not in the tech industry how they actually work. Their opinions are summarized below:

  • The reality for them is that the “stuff” they care about is still mostly at work.
  • They care about getting access to some of their “stuff” on devices they want. 
  • They are not anticipating a giant move away from PC/Laptop anytime soon but hate the experience IT has created. (Locked down, not personal, clumsy VPN, multi-factor authentication and so on.)
  • Some of the more technically minded also cited weak CIOs who won’t challenge their CSO or invent anything except status quo, etc.
  • As a result, they are much more open at the very least to using mobile devices as an additional device, and want to be able to do some work on them, as long as it is relatively simple and painless.
  • The most insightful mobile productivity use case I heard was, “I want to be able to collaborate outside the firewall with everybody I connect with for work.”
  • They have virtually zero in-house mobile apps that IT has developed for them. They see this as something that will happen slowly. They expect that business leaders will need to drive this, as IT doesn’t have the business insight to know what to build in many cases. Large IT shops are more in touch with the business.
  • Friends working at smaller organizations have far less legacy and feel much more confident and open to tablet workflows. 
  • Universally they have no interest in using remote protocols on tablets on a regular basis for work. 

Introducing Workspot 

A company called Workspot has just launched with an approach to solving these types of use cases. The solution summary at a high level is a simple-to-use, secured workspace (not dual persona) on a personal user tablet.  The tablet acts as a springboard for enterprise applications, and provides frictionless access to applications and data secured behind firewalls leveraging existing infrastructure. 


Available from the app store, the Workspot client application at a technical level is a virtual encrypted file system and network stack on top of which various security, data collection and HTML5 application viewer services are built. Workspot is calling this their unique approach to mobile virtualization.

It’s clear to me that mobile clients are becoming the new rich client. I find too many people still apply a thin client mindset to mobile devices. i.e. "Devices don’t do much and everything is in the cloud." This results in niche solutions that don’t work offline, resulting in a poor user experience. Services and content will be consumed close to where the user performs the execution. As this happens, the security perimeter must move closer to the user/content. We’d be foolish not to take advantage of all the power that devices offer in ever increasing permutations. You can no longer assume your enterprise firewall is your current DMZ perimeter. Your DMZ must extend to the device in a mobile world to enable user experience. To enable this, new mobile client security approaches are required.


The Workspot client is configured from Workspot Control, which is a free SaaS service. The setup is a two-step process: enter the existing VPN address and URLs for applications. Once configured, the client communicates with your existing enterprise infrastructure. Workspot supports enterprise infrastructure products including Cisco Adaptive Security Appliances (ASA), Dell SonicWALL Secure Remote Access (SRA), Juniper SA Series SSL-VPN, F5 SSL-VPN, RSA SecurID, and Microsoft Active Directory.

One thing I really like about the approach is that the data plane is back to the enterprise. This makes the solution as scalable as your existing infrastructure, and avoids high data costs flowing to and from a SaaS service. Additionally, your corporate data does not flow through their SaaS service. I’ve learned from experience that many enterprises (due to security and regulatory reasons) will reject your SaaS solution when corporate data does not flow through existing trusted infrastructure.


Once connected, users have access to on-premise applications and SaaS applications. Also, by virtue of being a SaaS service, various analytics can then be collected and insight into the end user experience reported on. 



The experience

The overall experience is simple. You set up your company at and then add your users. Once complete you can add various apps and policies. Users authenticate directly against your VPN appliance and its Active Directory + SecurID setup. The Workspot client only authenticates when the user is successful in unlocking the application with their PIN.

Once the company, apps, policies and users are set up, the user simply downloads the Workspot client from a public app store and provides their email address. The Workspot client talks to the Workspot service and determines the configuration for that user. The Workspot client then prompts the user for their usual credentials, most likely Active Directory for most enterprises. These credentials are authenticated directly against the VPN appliance. The user then has access to corporate email using Outlook Web Access, Intranet, content and SaaS applications. The user can browse their work content.

That content can then also be edited or viewed using one of the viewers. Additionally, Microsoft has embedded web versions of Office into all their repositories (SkyDrive, SharePoint etc.). For editing, Workspot is enabling Microsoft Office Web Edit that is bundled into SharePoint 2010 and above. This allows online editing in place and offline viewing if policy permits. Support for network file shares will be added in a future release, which will support viewing.

I asked the Workspot team if offline editing would be possible. Their opinion at the time was that without access to the full fidelity document offline it made less sense to edit. They have also deliberately chosen not to enable other Office editing tools, because they feel that the quality of Office viewers/editors currently available on the iPad is really poor.


So overall my impression is that this approach is far simpler than MDM and workspace aggregation solutions on the market today. It gets a user to the important work “stuff” that’s relevant today on personal devices, while also preserving the freedom to use devices for personal use. As a career enterprise guy, I also really like that the Workspot team is focused on user productivity, simplicity of experience, and low friction for IT, while also taking into account existing sunk cost of on-premise assets/services and avoiding the dual persona approach to BYOD which users don’t want.

I believe when all of this is considered in the context of the freemium business model described below, at the very least many will be compelled to consider this approach to enabling BYOD.

Freemium business model with a new value proposition 

Most people are familiar with free products that get you to use their wares, which then upsell advanced features. So what’s different here? 

The product is not crippled in terms of features that enable client security and application access. Workspot allows you to use the product for an unlimited number of users indefinitely (other solutions have time limits). In effect, this means that Workspot is trying to commoditize the access and control part of the value chain for a large segment of customers.

It’s a great answer to the $12 an hour sales guy knocking on your door trying to ram MDM down your throat. More importantly, I think this will incentivize many to ask better questions even if they still want to invest in MDM/MAM/other to cover additional application use cases. The conversation can now evolve to: Which approach better enables user productivity? How much of one particular approach do I need and what’s the respective value? The answers will be different depending upon each customer. But with 600 million people working within traditional enterprise today and an estimated 750 million tablets in 2015—representing more endpoints than desktops and laptops combined—there is a substantial segment of customers for whom a free product like this, that is aligned with existing enterprise workflows, will better increase user productivity vs. current alternatives. 

That’s a lot of value to give away for free. You may wonder why Workspot would do such a thing. This is true, but it all depends on where you believe you are creating value and what the customer will pay for. For traditional BYOD solutions, the value has been created in access and control. Workspot believes the value will come from insights created via the data generated by users using their service. In other words, end user big data created on mobile devices. They plan to leverage big data techniques to convert massive quantities of end point session data records into greater visibility, security, and performance. The data collected from free access and control represents end point visibility and big data that can perhaps be monetized a la ArcSight and Splunk. I also envision future opportunities to add advanced access and control capabilities to meet additional enterprise needs.

Are they right? I don’t know, but one thing is for sure. It’s a bold move that I admire as something that could be very disruptive. There’s a good team in place. I worked with Workspot CEO Amitabh Sinha at Citrix when he was VP of product management for XenDesktop. So I can certainly attest to his understanding of the problem and am very impressed with progress to date. Early last year, this was just a discussion that we had. 

At that time, there certainly was the question: does this cover all app use cases? Well, clearly it doesn’t today; it doesn’t directly replace RDS/VDI or offer a solution for native mobile apps. However, the focus for Workspot is to address use cases for mobile that they believe people will use for work today. Other use cases, such as mobile apps, can be added in a variety of ways in the future when it’s clearer what users will actually do. Despite this, what insights customers actually buy via analytic modules remains to be seen.

Perhaps there’s hope for frustrated systems admins as illustrated in this hilarious video, starring Brian Madden as a systems admin struggling to support users who have all just been given tablets. Brian’s current answer is to return their laptops…

I’m fortunate to be privy to a number of emerging stealth ideas. The BYOD, mobile, consumerization, cloud access market is still young and much innovation is needed to enable user productivity. New ideas are emerging and the value chain is evolving. In such a dynamic market, there is no reason not to rethink everything and develop solutions that people actually want to use. Disrupting incumbent approaches and forcing the pace of change is great for the industry. So congratulations to the Workspot team on their launch. I wish them the very best of luck and encourage the community to not be shy, and ask the Columbo questions.


Join the conversation


After reading this whole thing, I don't 100% "get" what Workspot actually does? Basically they're a secure browser and doc editor that uses your existing VPN and AD authentication? And they're free? And their value add is awesome reporting?

How's this different than an on-premises MAM solution? What am I missing?


OWA for email? No offline document editing? No thanks. There's a great value proposition for managed corporate browsers to deal with intranet and SaaS apps, and it's cool that they're making a go at it with a freemium model. But I don't think anyone will be able to tell their users they can only use OWA and keep a straight face. This may help deal with tablets, but it's not going to "solve" BYOD and mobility in a larger sense. You have to figure out how to do email for iPhones and Android, and when you figure that out, it will work for iPads, too.


Oh yeah that's a great point.. No matter what you have to solve email for iPhones and Androids.. so once you do that, you've instantly figured out email for iPads. And since you can't do that with the built-in mail client, you're talking about some third party MAM thing, and that probably has doc editing and secure browsing with VPN built in.. so why not just use that?


Brian/Jack - I understand and appreciate the skepticism. You folks are thought leaders in the space and have seen multiple technology transitions in our industry. Few assertions from our end:

* Yes, of course, you could solve the problem by installing more boxes in the datacenter and providing a secure browser and implementing secure file storage services. Complexity is not solved by adding more Complexity :)

Simple always wins. Just like salesforce won against Siebel. Meraki established a market dominated by Cisco. It takes years in our industry to understand the power of simplicity!

* Native email is a solved problem and a commodity solution. Our solution is focused on LOB apps, like SAP, Siebel, Sharepoint etc., which are primarily web based.

* Apple is the only company that can solve the native email security problem on the client. It will add an API this year to secure email using company provided encryption keys and all the MDM boxes in the DMZ will become redundant.

* Our solution leverages your existing SSL-VPN boxes, and is free. How do you compete with that?

The proof is in the pudding. Give us ~6 months and we would love to post our customer adoption numbers. I would like to point out that companies doing "awesome reporting" have done pretty well in our industry. I will take that as a compliment!




Hi Puneet,

Thanks for responding. Obviously you can show Citrix architecture to show how complex things are.. but what about other MAM solutions that solve native email and also leverage your existing VPNs? (Or aren't there any of those?)

BTW what's your source on Apple adding an API this year to secure email using company-provided encryption keys? Will that also allow companies to block unwanted apps from accessing the contacts, calendar, etc.?


@Jack @Brian I don't think MAM will give you access to things like Sharepoint or LOB apps in a simple integrated way. I assume that's the "stuff"/existing workflow point being made in the post coupled with Puneet's point about simplicity. Actually LMAO at the Citrix architecture link, case in point. But:

I don't buy Apple will solve native email. They may add some capabilities to make it more secure, but it's just not what they do. Would love to be proven wrong. The whole bet as far as I can tell to date is on LOB (sunk cost infrastructure) web apps which users know how to use already. Native apps simply can't be ignored. This goes beyond email. The whole HTML 5 vs. native app debate is moot, as in the real world we'll need to deal with both. I don't believe the OWA client will work offline, so that would be a major user experience ding. When I look at your pricing model, it seems to me that your target is small customers for now, so this may matter less, although I still believe everyone wants native email that works offline. Also @Brian today's MAM solutions don't solve native email. They only strip attachments. That's why third party clients are still in vogue.

Your virtualization technology is a container. Those can all be broken, just like MDM can, so it's a question of how much we trust your container vs. Good etc. More details on how secure it is, things it does etc. I assume will be available at some point. I have no doubt that initially you will fail security audits in bigger enterprises as they will require many more security wares. However, your collected data may actually turn into some useful security telemetry that may enable me to trust things more as I can report after the fact. Zero day/malware still a problem though, but I guess that's a pretty level playing field on iOS and not much you can do. Other user experience data you collect could be useful. We've seen things like Citrix Edgesight though, that collected so much data and it's hard to act upon and easy to be led down rat holes. But with modern analytics I'm open to this becoming a lot more than cool reports. Actionable insight please!

@Jack agree, don't like no offline editing. Are there any editors out there that you think are ok? Personally I don't edit docs on my Tablet, but that's my workflow. But if there's a decent editor I should try it.

I see no reason to not be able to use this side by side with MAM to manage the native apps you care about until Workspot has a solution. What I am sure about is that if you blindly pay for MDM you are an idiot outside of niche use cases where you have to own the device. For that I like the free approach. @harry I agree, people need to think more and ignore the marketing BS.

Anyway @puneet good luck, I agree simplicity is goodness that is hard to appreciate until you experience it. Hope to hear about your progress in the coming months.


We don't know of any solution out there doing a secure app-only tunnel to existing VPNs. If you see one, do let us know. MAM vendors do libc hooking for security. The hooking is not approved by Apple and therefore all the MAM apps are only deployed via private app stores. Can you please do a poll and ask how many customers want to deploy private app stores?

Re: Apple email and APIs

Wait for a few months. Jack posted a good article on "Who says Apple isn't enterprise focused".. and there are some good updates coming in 2013.


Puneet, I actually need a private app store to deliver in house mobile apps that are slowly but surely growing. It also allows me to have a higher level of trust that the source I am using is not compromised, plus all the benefits of MAM like controls in the app development teams want them, or more likely mandated by info sec in order to be mobile.


To me, Workspot looks like Twingo (Secure browser cache) for Mobile. Twingo was acquired by Cisco in the age of SSL VPNs. Re: native mail being solved, unfortunately, this is not the case. In fact, for most native apps, the mantra has been to use a new browser, new mail client etc. It would be so great if Apple has built-in container for all apps and/or key management for all apps. We do not see this coming.

Companies like us (Wheel Innovationz) have taken a network approach to enabling native apps like email with all the management and security. If only the closed platforms like iOS respected the HTTP headers properly, then we would not have this mess. Any existing proxy or cache can take care of the data-at-rest problem for web apps with the right cache-control header. However, RFCs do not enforce compliance -- so it will always be a mess and hacky. I do agree that simplicity and finally customer traction are the important success criteria. Workspot's resonance in the marketplace suggests that they are doing several things right.


@AppDetective I agree email in iOS is a sore spot. Here I was referring to native email apps in general, whether it's Apple's or a 3rd party app. As for the issues with third-party email apps, that's another conversation. (And of course unless Apple budges, we have to deal with some sort of compromise no matter what.) For offline editing, I use Google Drive every now and then, and I know there are people that swear by Quick Office.


Brian/Puneet/Jack, try Aruba's Workspace for app-specific IKE/IPSec VPN tunnels to any VPN gateway. Yes, IPSec VPN and not a simple SSL reverse proxy support. They also support each Workspace app going to a different VPN gateway, which nobody supports. And guess what, Apple has already approved their approach, so it's not just for the in-house apps. And, the third-party app support is not based on a code-time SDK.

Here are a few more points to know about the Aruba Workspace, in the context of this discussion:

1. The browser running in their Workspace easily, and automatically, supports all the features that Workspot supports (which is basically running web apps on a secure browser) and more (try intercepting UDP traffic from a secure browser).

2. Easily supports native apps through its app-wrapping technology.

3. Data protection for Workspace apps even on a jailbroken device.

A couple of additional issues with the secure browser approach:

1. Any exploited vulnerability that compromises the browser, compromises the data of all the enterprise apps. But in the case of MAM, only that native app's data is compromised in case of a remote attack. Furthermore, each native app running in the workspace could be locked down by URL/hostname/IP blacklists, or tied down to a whitelist, so the threat could be mitigated.

2. The secure browser solutions do require their customers to upgrade their infrastructure, and of course pay for it, by installing Office Web Apps Server 2013 on-prem for the fancy HTML5 UI.

3. How do you support AD-based user authentication for enterprises that don't want to run an AD-plugin (for communicating with their cloud) on their AD server?

Still can't tell I am a fan of MAM? :)


"We don't know of any solution out there doing a secure app-only tunnel to existing VPNs"

Armor5 is doing this today, though it's arguably not app only tunnels without some additional filtering and such on the VPN ACLs.  One cool thing about the Armor5 approach is that they are creating an HTML5 proxy (essentially) so that the data is streamed to the endpoint device but not actually stored on the device (aside from browser cache which can be wiped).  This approach is sort of the best of both worlds between display remoting and full document download as you get more instant document viewing without waiting for the whole thing to download.  Try pulling a 200MB PDF/PPT down on a traditional solution and you'll wish you had display remoting.  Armor5 also has built in document watermarking which can make for some nice ways of knowing who leaked a document, etc.

I have to say I'm a little freaked out about the whole cloud hosting VPN'ing into corp data center model, but the experience is quite good so if you can get over that hump, then it seems compelling. I think between them and Armor5 this new model is shaping up to be yet another model that we'll have to slap a name to. It sort of fits MIM, but not exactly.

Congrats to Amitabh, Puneet and Ty on their official launch.  What happens with your old URL now?  Decom or is that a parent company name or the corporate/commercial side of the freemium model?



Re: the discussion about IPSec vs SSL VPN, I think we are discussing technology. Most of the apps today are built with http/https as the ubiquitous transport with integrated web sockets and/or html5. IPSec only makes sense for UDP centric apps - I am not sure how many of today's apps only work with UDP.

For IPSec only connectivity, I think most people can run the app tunnels without actually doing much - leverage the native IPSec client or use one of the supported VPN clients with app specific Tunnel rules.

Anyways, we should fully support customers leveraging existing technologies and infrastructure and providing a value-add.

It is great to see so many smart people focused on mobile; let us hope for the market adoption..



And one more thing if the world is going back to IPSec for app-to-server or user-to-server secure remote access, then I think all the previous years of building SSL VPNs is a wasted effort. Maybe with IPV6 and/or IPSec combined with more app and L7 traffic intelligence - the latter is hard.

Just curious with the back-and-forth on the technology discussions..


Thanks Shawn for the shout out to Armor5 and great post Harry. Good work Workspot team!

I would like to add that, in addition to everything Harry mentioned that should be in a true BYOD solution, Armor5 takes simplicity to the next level.

1. Provides all the functionality without requiring any software install on the device. It's available today for iOS/Android/Blackberry/Amazon Kindle/... wherever you can find an HTML5 browser.

2. Users can view files on Network drives.

3. Editing will be provided irrespective of whether enterprise uses Sharepoint or not, files stored on Network drive or even Box/Dropbox.

4. Can seamlessly move content from Intranet to Cloud providers with complete IT control and visibility.

Feel free to give it a try at