To provide secure access to launch SaaS applications, you configure access policies. Access policies include rules that specify criteria that must be met to sign in to the Workspace ONE portal and to use applications.
For details about access policies in the VMware Identity Manager system, go to https://docs.vmware.com/en/VMware-AirWatch/index.html and search for Managing Access Policies.
For information on SaaS applications, see SaaS Applications in AirWatch.
Flexibility of Access Policies
Access policies allow lenient control in the network and restrict access out of the network. For example, you can configure one access policy with the following rules.
- Allow a network range access with single sign-on within the company network.
- Configure the same policy to require multi-factor authentication (MFA) when off of the company network.
- Configure the policy to allow access to a specific user group with a specific device-ownership type. It can block access to others not in the group.
Default Access Policy and Application-Specific Access Policies
Default Access Policy - The VMware Identity Manager service and the AirWatch Console include a default policy that controls access to SaaS applications as a whole. This policy allows access to all network ranges, from all device types, for all users. You can edit the default access policy but you cannot delete it.
Edits to the default access policy apply to all applications and can impact all users ability to access Workspace ONE.
To edit the default access policy, navigate to Apps & Books > Applications > Access Policies > Edit Default Policy. Then, follow the procedure listed in Configure Application-Specific Access Policies.
Application-Specific Access Policies - Create application-specific access policies to restrict access to applications. Configure IP addresses, authentication methods, and session time allowed for access.
- Configure the network ranges for your deployment. See Add Network Ranges for Use in Access Policies.
- If you plan to edit the default policy (to control user access to the service as a whole), configure it before creating an application-specific policy.