To achieve the single sign-on experience when users access resources from the Workspace ONE app, the default access policy is configured in Workspace ONE Access with rules for each type of device that is used in your environment, Android, iOS, MacOS, or Windows 10.
In this example of a default access policy configuration, the default access policy is created with rules to cover users who sign in from all network ranges. For managed access, Device Compliance for AirWatch is configured for the devices and the Workspace ONE app rules. The following rules are created.
- A rule for each type of device that can be used to access the Intelligent Hub App.
- A rule for user access from the Workspace ONE App device type for the Intelligent Hub app. All authentication methods for all devices that are supported are configured in this rule. The Device Compliance authentication method is applied to support access from managed devices.
- A rule for user access from the Web Browser device type to access Workspace ONE from any web browser.
- A rule for users on unmanaged devices to access resources.
When users use one of the devices to sign in to the Workspace ONE app, they are authenticated according to the authentication method configured for the device type. After the user is successfully authenticated, when they launch other resources from the Intelligent Hub app screen, that authentication method is recognized and the user is not prompted to authenticate again.
If the authentication method used to authenticate to Workspace ONE is not recognized, when a user launches resources from the Intelligent Hub app, the user is prompted to authenticate according to the Workspace ONE App rule.
Example of Access Policy Rule Conditions to Use for Workspace ONE
For the best user experience, list the device type Workspace ONE App as the first rule in the default access policy. When the rule is first, users are signed in to the app and can launch resources without reauthenticating until the session expires.
1. Create rules for each device that can be used to access Workspace ONE. This example is for the rule for allow access from the device type iOS.
- Network range is ALL RANGES.
- Users can access the content from iOS.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Mobile SSO (for iOS) and Device Compliance (with AirWatch).
- Fallback method 1: Password (cloud deployment).
- Session reauthentication after 8 hours.
2. Create the rule for the device type Workspace ONE App. Each authentication method configured for the devices in step 1 must be included in this rule.
- Network range is ALL RANGES.
- Users can access the content from Workspace ONE App.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Mobile SSO (for iOS) and Device Compliance (with AirWatch).
- Fallback method 1: Mobile SSO (for Android) and Device Compliance (with AirWatch).
- Fallback method 2: Password (cloud deployment).
- Session reauthentication after 2160 hours.
2160 hours is equal to 90 days, which are the Workspace ONE App OAuth token refresh token time to live.
3. Create the rule for the device type Web Browser to access the Workspace ONE portal from any web browser. This example includes as a fallback the authentication method Password (Local Directory). To authentication system administrators who sign in, at least one rule must be configured to authentication using Password (Local Directory). The session times out after 24 hours.
- Network range is ALL RANGES.
- Users can access the content from Web Browser.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Password (cloud deployment).
- Fallback method 2: Password.
- Fallback method 3: Password (Local Directory).
- Session reauthentication after 8 hours.
4. Create the rule for all device types to access unmanaged resources.
- Network range is ALL RANGES.
- Users can access the content from All Devices.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Password (cloud deployment).
- Session reauthentication after 8 hours.
When you create rules for all devices, Workspace ONE App and Web Browser, you default policy set looks like the following screenshot.
Flow with this default access policy configured.
- UserA signs in to the Intelligent Hub app from their iOS device and is asked to authenticate with Mobile SSO (for iOS). The third rule is Mobile SSO (for iOS) and the authentication is successful.
- UserA launches a resource listed in the Workspace ONE app and because the Workspace ONE App rule includes the authentication method Mobile SSO (for iOS) as a fallback authentication method, the resource is launched without requesting authentication again. The user can launch resources without signing in to Workspace ONE again for 2160 hours.
Also see Configure Access Policy Rule for Compliance Checking.