When you create an application-specific access policy for Office 365 in the Workspace ONE Access console, to restrict access to Office 365 from only managed Windows 10 devices create a rule using the Windows 10 Enrollment as a device type.
Prerequisites
- Office 365 configured with the primary identity provider. The primary identity provider can be Workspace ONE Access, Okta, or ADFS. Workspace ONE Access must be configured as the secondary identity provider when Okta or ADFS is the primary identity provider.
- Device enrollment is managed through the Windows 10 Out-of-Box experience (OOBE) or when joining the Azure Active Directory domain.
- Authentication methods configured and enabled for the identity provider.
- Office 365 app added to the Hub catalog.
Procedure
- In the Workspace ONE Access console page, click Add Policy.
- Add a policy name and description in the respective text boxes.
- In the Applies To section, select the applications that require restricted access.
- Click Next.
- Click Add Policy Rule to add a rule.
Option Description If a user's network range is Select a network range. and user accessing content from Select Windows 10 Enrollment as the device type. and user belongs to groups If this access rule is going to apply to specific groups, search for the groups in the search box. If no group is selected, the access policy rule applies to all users.
Then perform this action Select Authenticate using.... then the user may authenticate using Select the authentication method to use. Important: Do not use Certificate (Cloud Deployment). Devices do not have the proper certificate before the device is enrolled.To require users to authenticate through two authentication methods, click + and in the drop-down menu select a second authentication method.
If the preceding methods fails or is not applicable, then Configure a fallback authentication method, if necessary. Re-authenticate after Select the length of the session, after which users must authenticate again. - Click Save.
