> ## Documentation Index
> Fetch the complete documentation index at: https://docs.macstadium.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Architecture

> MacStadium VDI architecture explained: the four system layers, user session flow, control plane responsibilities, and the three deployment models.

MacStadium VDI is built on four logical layers: a VDI broker/gateway, a control plane, Apple silicon hosts, and macOS virtual machines. This page describes what each layer does and how they connect.

<img src="https://mintcdn.com/macstadiuminc/0YsMQFLUbXS5qwex/images/vdi-architecture.svg?fit=max&auto=format&n=0YsMQFLUbXS5qwex&q=85&s=f0d071e7e6ef1ec56b91a97814c0a2a1" alt="MacStadium VDI architecture overview showing the IT Admin, control plane, Mac hosts, and VDI delivery components" width="990" height="545" data-path="images/vdi-architecture.svg" />

## System components

**VDI broker/gateway**

The broker is the entry point for end users. It authenticates against your identity provider, enforces <Tooltip tip="Single Sign-On: lets users authenticate once and access multiple services without re-entering credentials.">SSO</Tooltip>, <Tooltip tip="Multi-Factor Authentication: requires users to verify identity with a second factor beyond a password.">MFA</Tooltip>, and conditional access policies, and assigns each user to an available macOS VM. MacStadium VDI works with any VDI platform that supports macOS, including [Citrix DaaS](https://docs.citrix.com/en-us/citrix-daas) and HP Anyware. The broker is always customer-managed or provided as a cloud service by your VDI vendor. MacStadium does not operate it.

**Control plane**

The control plane is the orchestration layer that manages VM lifecycle, image distribution, and host capacity. It runs on the [Orka Engine](https://www.macstadium.com/orka) and exposes two interfaces: the management UI for day-to-day operations and the Ansible CLI for automation and advanced workflows. In an MSDC-Hosted (MacStadium Data Centers) deployment, MacStadium operates the control plane on your behalf. In Self-Hosted deployments, you run it yourself.

**Apple silicon hosts**

The hosts are the physical Mac hardware (Mac mini or Mac Studio) running the Orka Engine hypervisor. Each host can run up to two macOS VMs, a limit set by Apple's software license agreement. Adding hosts is how you scale user capacity.

**macOS VMs**

Each VM is an isolated macOS desktop assigned to a single user session. It runs your golden image, which includes the VDI agent, user-facing applications, <Tooltip tip="Mobile Device Management: software for enrolling and managing device configuration, policies, and apps across a fleet.">MDM</Tooltip> enrollment scripts, and any system configuration your organization requires.

## Session connection

Connecting a user to their desktop is a two-phase process.

In the first phase, the VDI agent installed inside each VM registers itself with the Delivery Controller, the brokering component of your VDI platform. When a user authenticates, the Delivery Controller selects an available VM and notifies the user's client of the assignment.

In the second phase, session data (screen, keyboard, mouse, audio) flows directly between the agent on the VM and the user's client. <Tooltip tip="The brokering component of your VDI platform. It assigns sessions to available VMs and manages machine catalogs and delivery groups.">The Delivery Controller</Tooltip> is not in the data path. This direct connection is what the remoting protocol carries, so broker availability doesn't affect session performance once a session is established.

## Control plane

The control plane handles VM deployment and deletion, golden image distribution to hosts, and host capacity management. IT admins interact with it through two interfaces:

* **Management UI:** a web-based interface for triggering operations without writing commands. This is the primary interface for day-to-day work.
* **Ansible CLI:** the playbook-based interface for automation, bulk operations, and CI/CD integration.

Both interfaces call the same underlying Ansible playbooks. For a full breakdown of how images move from a base image through customization to deployment, see the Image Lifecycle page (coming in a later section).

<Note>
  For a step-by-step view of how a VM is provisioned from the moment you request it to the moment it's registered with your session broker, see the VM Provisioning page (coming in the Operations section).
</Note>

## Identity

MacStadium VDI integrates with your existing identity provider (Active Directory, Microsoft Entra ID, or Okta) at the broker layer. Your VDI broker handles authentication, SSO, MFA, and conditional access. User group membership in your directory controls which desktops each user can access. No MacStadium-specific identity configuration is required.

## Networking

MacStadium VDI uses bridged networking to give each macOS VM a direct IP address on the host's network. This is required for VDI workloads: the VDA inside each VM must be reachable by your delivery controller for registration, and end-user remoting protocol sessions connect directly to the VM's IP. Without bridged networking, you'd need port forwarding for every VM, which doesn't scale.

Bridged networking is configured per deployment using the `network_interface` variable in your Ansible inventory. Set it to the physical interface on each Mac host, typically `en0` for Ethernet. VMs deployed with this setting receive an IP address from your DHCP server or management VLAN, just like any other device on that network.

<Note>
  Bridged networking requires Orka Engine 3.5.0 or later and is supported for MSDC-Hosted and Self-Hosted (On-Prem) deployments. For Self-Hosted (AWS), confirm bridged networking support with your MacStadium account representative before relying on it.
</Note>

## Deployment models

MacStadium VDI runs in three deployment configurations. The components and connection flows are the same in all three; what differs is where the hardware lives and who manages the control plane.

<Tabs>
  <Tab title="MSDC-Hosted">
    MacStadium hosts the Apple silicon hardware in a MacStadium data center and operates the control plane on your behalf. You manage the VDI broker, golden images, identity, and shared services such as MDM, monitoring, and DNS.

    <img src="https://mintcdn.com/macstadiuminc/0YsMQFLUbXS5qwex/images/msdc-arch.svg?fit=max&auto=format&n=0YsMQFLUbXS5qwex&q=85&s=aceae252d32f3d1f172f58cf05211b00" alt="MSDC-Hosted architecture diagram showing end users, VDI broker, identity, and the MacStadium data center with control plane, shared services, and Apple silicon hosts" width="1400" height="728" data-path="images/msdc-arch.svg" />
  </Tab>

  <Tab title="Self-Hosted (On-Prem)">
    You own and operate the Apple silicon hardware and the control plane in your own data center. MacStadium provides the software and support. You're responsible for all hardware, networking, and shared services.

    <img src="https://mintcdn.com/macstadiuminc/0YsMQFLUbXS5qwex/images/onprem-arch.svg?fit=max&auto=format&n=0YsMQFLUbXS5qwex&q=85&s=fcca30af86de50b1fafbab60ffcdf2b5" alt="Self-Hosted On-Premises architecture diagram" width="1400" height="728" data-path="images/onprem-arch.svg" />
  </Tab>

  <Tab title="Self-Hosted (AWS)">
    The control plane and hosts run on [EC2 Mac dedicated instances](https://aws.amazon.com/ec2/instance-types/mac/) in your AWS account. The architecture is otherwise identical to on-premises. EC2 Mac hosts have a 24-hour minimum allocation per host.

    <img src="https://mintcdn.com/macstadiuminc/0YsMQFLUbXS5qwex/images/aws-arch.svg?fit=max&auto=format&n=0YsMQFLUbXS5qwex&q=85&s=a782e879d904a3ea9cf62c05bb5d6db1" alt="Self-Hosted AWS architecture diagram" width="1400" height="728" data-path="images/aws-arch.svg" />
  </Tab>
</Tabs>