Peer-to-Peer (P2P)
Direct connection between client and host. Session data does not flow through our infrastructure. If P2P fails due to restrictive NAT, WinDesk automatically falls back to a Swiss TURN relay — with the same end-to-end encryption.
Every feature was developed by asking: «Do IT providers and support teams in Switzerland actually need this?» No bloated feature set, no hidden limits. Current version: 0.5.2.
Each session uses an ephemeral AES-256 key that is discarded once the session ends. The key exchange uses ECDH (Curve25519) with mutual authentication.
Works in over 95% of home and corporate networks without port forwarding. IPv4 and IPv6 are tried in parallel (Happy Eyeballs).
The screen is transmitted via a codec tuned on top of LiteNetLib. The bitrate adapts automatically to bandwidth and CPU (20–80 FPS).
Up to 4 monitors at once or one at a time. Switch via keyboard shortcut or dropdown.
Several hosts open at once in tabs, each connection with its own monitor, audio and file manager. Tabs can be torn out into their own window and dragged back in.
Drag-and-drop between local and remote desktop. Resumable transfers for large files, integrity-checked via SHA-256.
Text and images are synced bidirectionally; syncing can optionally be disabled for compliance scenarios.
Audio from the remote device is delivered in the stream (music, conferences, system sounds), captured via Windows WASAPI loopback and macOS ScreenCaptureKit.
All connections are logged (who, when, how long, which host). Exportable as CSV for billing.
During the session: text messages, links, code snippets.
Install the host as a service — access without anyone on site, 24/7.
Each device receives a token bound to the hardware (TPM on Windows, Secure Enclave on Apple Silicon, TPM 2.0 on Linux with tpm2-tools). Copying the token file to another machine renders it invalid.
Central overview of all devices in the portal: online status, last connection, OS version, IP. Drag-and-drop into folders.
Sort hosts into logical groups (customers, sites, servers). Roles: admin, supporter, read-only.
Hardware-bound authentication instead of passwords (WebAuthn/FIDO2).
Device tokens renew automatically without user action. Auditable in the portal.
The Pro subscription includes one administrator account with full control over the organisation. Additional users are added via email invitation (link valid 24h); MFA setup is enforced on first login.
Every user gets their own login. Account sharing is explicitly forbidden in the terms — audit trail, offboarding and compliance all depend on individual accountability.
Three roles: admin (full access, billing), supporter (sessions, host groups), read-only (session logs only). Admins can change roles at any time.
Every user beyond the base admin costs CHF 4.90/month — as an add-on to the Pro plan. Scales linearly, no bundle tiers.
Immutable record of connections, file transfers and permission changes. Filterable by user. GDPR Art. 30 ready.
SAML and OIDC are on the Pro roadmap for 2027. Until then: passkey login as a phishing-resistant alternative.
Required for admin roles, recommended for supporter/read-only. New users must set up MFA on first login (TOTP or passkey).
Admin can remotely disconnect a connected host and remove it from the account. Also for emergency offboarding of individual users on suspicion.
EV-signed installer, automatic updates, hardware-bound device tokens via TPM.
Apple Developer ID signed + notarised by Apple. ScreenCaptureKit for picture and system audio.
.deb for Ubuntu/Debian, .rpm for Fedora/RHEL, arm64 for Raspberry Pi 4/5. Wayland and X11.
Invoices, host management, team management — modern and mobile-friendly.
Only when a direct P2P connection cannot be established (around 5% of cases, e.g. behind symmetric NAT). In that case WinDesk falls back to a Swiss TURN relay. The relay only sees encrypted packet bytes — screen content is unreadable to us.
Yes. In the Pro portal admins can disable file transfer, clipboard sync and chat per host or per group.
A REST API for host management and session logs is on the Pro roadmap. Webhooks for session events are already available.