A policy contains one or more access rules. Each rule consists of settings that you can configure to manage user access to their Workspace ONE portal as a whole or to specific Web and desktop applications.

A policy rule can be configured to take actions such as block, allow, or step-up authenticate users based on conditions such as network, device type, AirWatch device enrollment and compliant status, or application being accessed You can add groups to a policy to manage authentication for specific groups.

Network Range

For each rule, you determine the user base by specifying a network range. A network range consists of one or more IP ranges. You create network ranges from the Identity & Access Management tab, Setup > Network Ranges page before configuring access policy sets.

Each identity provider instance in your deployment links network ranges with authentication methods. When you configure a policy rule, ensure that the network range is covered by an existing identity provider instance.

You can configure specific network ranges to restrict from where users can log in and access their applications.

Device Type

Select the type of device that the rule manages. The client types are Web Browser, Workspace ONE App, iOS, Android, Windows 10, OS X, and All Device Types.

You can configure rules to designate which type of device can access content and all authentication requests coming from that type of device use the policy rule.

Add Groups

You can apply different policies for authentication based on user's group membership. To assign groups of users to log in through a specific authentication flow, you can add groups to the access policy rule. Groups can be groups that are synced from your enterprise directory and local groups that you created in the admin console. Group names must be unique within a domain.

To use groups in access policy rules, you select a unique identifier from the Identity & Access Management > Preferences page. The unique identifier attribute must be mapped in the User Attributes page and the selected attribute synced to the directory. The unique identifier can be the user name, email address, UPN, or employee ID. See Login Experience Using Unique Identifier.

When groups are used in an access policy rule, the user login experience for the user changes. Instead of asking users to select their domain and then enter their credentials, a page displays prompting them to enter their unique identifier. VMware Identity Manager finds the user in the internal database, based on the unique identifier and displays the authentication page configured in that rule.

When a group is not select, the access policy rule applies to all users. When you configure access policy rules that include rules based on groups and a rule for all users, make sure that the rule designated for all users is the last rule listed in the Policy Rules section of the policy.

Authentication Methods

In the policy rule, you set the order that authentication methods are applied. The authentication methods are applied in the order they are listed. The first identity provider instance that meets the authentication method and network range configuration in the policy is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method in the list is selected.

Authentication Session Length

For each rule, you set the number of hours that this authentication is valid. The re-authenticate after value determines the maximum time users have since their last authentication event to access their portal or to start a specific application. For example, a value of 4 in a Web application rule gives users four hours to start the Web application unless they initiate another authentication event that extends the time.

Custom Access Denied Error Message

When users attempt to sign in and fail because of invalid credentials, misconfiguration or system error, an access denied message is displayed. The default message is Access denied as no valid authentication methods were found.

You can create a custom error message for each access policy rule that overrides the default message. The custom message can include text and a link for a call to action message. For example, in a policy rule for mobile devices that you want to manage, if a user tries to sign in from an unenrolled device, you can create the following custom error message. Enroll your device to access corporate resources by clicking the link at the end of this message. If your device is already enrolled, contact support for help.