To provide secure access to the users' Workspace ONE portal and to launch Web and desktop applications, you configure access policies. Access policies include rules that specify criteria that must be met to sign in and to use their resources.

You must edit the default policy rules to select the authentication methods you configured. A policy rule can be configured to authenticate users based on conditions such as network, device type, AirWatch device enrollment and compliant status, or application being accessed. A policy rule can also be configured to deny access to users by network range and device type. You can add groups to a policy to manage authentication for specific groups.

When Compliance Check is enabled, you create an access policy rule that requires authentication and device compliance verification for devices managed by AirWatch.

The compliance checking policy rule works in an authentication chain with Mobile SSO for iOS, Mobile SSO for Android, and Certificate cloud deployment. The authentication method to use must precede the device compliance option in the policy rule configuration.


Authentication methods configured and associated to a built-in identity provider.

Compliance checking enabled in the VMware Identity Manager AirWatch page.


  1. In the administration console Identity & Access Management tab, select Manage > Policies.
  2. Click Edit Default Policy.
  3. Click Next.
  4. Click Add Policy Rule to add a rule, or select a rule to edit.
    The Add a Policy Rule page appears.
    1. Select the network range to apply to this rule.
    2. In the and user accessing content from drop-down menu, select the mobile device type.
    3. In the then the user may authenticate using drop-down menu, select the authentication method to use.
    4. Click + to select Device Compliance (with AirWatch)
    5. Click Save.
  5. Click Save.