The Workspace ONE Access service includes a default access policy set that controls user access to their Workspace ONE portals and their Web applications.

The default access policy is configured to allow access to all network ranges from all device types. The session timeout is eight hours. You can edit the policy set to change the policy rules as necessary.

When you enable authentication methods other than password authentication in the Workspace ONE Access service, you must edit the default policy to add these authentication methods to the policy rules.

Access rules can be created in the default access policy to manage mobile single sign-on from iOS, Android, macOS, and Windows 10 devices.

When users attempt to sign in, the Workspace ONE Access service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

The number of attempts the service makes to log in a user using a given authentication method varies. The service only makes one attempt at authentication for Kerberos or certificate authentication. If the attempt is not successful in logging in a user, the next authentication method in the rule is attempted. The maximum number of failed sign-in attempts for Active Directory password and for RSA SecurID authentication is five by default. When a user has five failed login attempts, the service attempts to sign in the user with the next authentication method on the list. When all authentication methods are exhausted, the service issues an error message.