Applying Workspace ONE App Rules to Access Policies

When the Workspace ONE app is installed on devices, users can access their entitled apps using the single sign-on functionality through Workspace ONE Access.

The Workspace ONE app is an OAuth client that uses the GreenBox-TemplatedId OAuth template to manage access to the app. This template is registered in the Catalog > Settings > Remote Access page in the Workspace ONE Access console.

When users successfully sign in to the Workspace ONE App the first time, an OAuth access token is applied to the app. This access token is configured with a time to live (TTL). The TTL value is the maximum time that users can access Workspace ONE without signing in again.

A refresh token is configured so that when the access token expires, Workspace ONE requests a new access token. This way users can stay signed in to the Workspace ONE app for an extended period without having to sign in again.

The Workspace ONE access token time to live settings is configured as follows.

Access token time to live is 3 hours.
Refresh token time to live is 90 days.
Idle token time to live is 10 days.

If the user uses the Workspace ONE app every day, the user does not need to sign in again for 90 days, based on the refresh token TTL value. However, if the user is idle and does not use the Workspace ONE app for 10 days, the user must sign in to Workspace ONE again.

To sign in to Workspace ONE and have the access token applied to the app, the Device Type Workspace ONE App should be the first rule in the default access policy to enforce the OAuth TTL. After users are authenticated, the access token manages how long the session is valid, based on refresh token and idle token values.

You can configure the session reauthentication value in the access policy rule to be the same as the refresh token time to live value, 90 days, or 2160 hours. If you make the session reauthentication value less than the refresh token time to live, users are prompted to sign in to Workspace ONE when the session reauthentication threshold is met.

If the Workspace ONE App is not the first rule, an OAuth access token is not applied to the Workspace ONE app and single sign-on to other resources is not available. Users are required to sign to the apps in their portal in every time they access Workspace ONE from their device.