To provide secure access to the users' apps portal and to launch Web and desktop applications, you configure access policies. Access policies include rules that specify the criteria users must meet to sign in to their apps portal and to use their resources.

About this task

You must edit the default policy rules to select the authentication methods you configured. A policy rule can be configured to take actions such as block, allow, or step-up authenticate users based on conditions such as network, device type, AirWatch device enrollment and compliance status, or the application being accessed. You can add groups to a policy to manage authentication for specific groups.

When Compliance Check is enabled, you create an access policy rule that requires authentication and device compliance verification for devices managed by AirWatch.

The compliance checking policy rule works in an authentication chain with Mobile SSO for iOS, Mobile SSO for Android, and Certificate cloud deployment. The authentication method to use must precede the device compliance option in the policy rule configuration.


Prerequisites

Authentication methods configured and associated with a built-in identity provider.

Compliance checking enabled in the VMware Identity Manager AirWatch page.

Procedure

  1. In the Identity & Access Management tab, go to Manage > Policies.
  2. Select the access policy to edit.
  3. In the Policy Rules section, select the policy rule to edit.
  4. In the drop-down menu for "then the user must authenticate using the following method", click + and select the authentication method to use.
  5. In the second drop-down menu for "then the user must authenticate using the following method", select Device Compliance (with AirWatch).
  6. (Optional) In the Custom Error Message Text text box, create a custom message that displays when user authentication fails because the device is not compliant. In the Custom Error Link text box, you can add a link in the message.
  7. Click Save.