To achieve the single sign-on experience when users access resources from the Workspace ONE Intelligent Hub app, the default access policy is configured in Workspace ONE Access with rules for each type of device that is used in your environment: Android, iOS, macOS, or Windows 10.

In this example of a default access policy configuration, the default access policy is created with rules to cover users who sign in from all network ranges. For managed access, Device Compliance for Workspace ONE UEM is configured for the devices and the Workspace ONE Intelligent Hub app rules. The following rules are created.

  • A rule for each type of device that can be used to access the Workspace ONE Intelligent Hub app.
  • A rule for user access from the Apps on Workspace ONE Intelligent Hub device type for the Workspace ONE Intelligent Hub app. All authentication methods for all devices that are supported are configured in this rule. The Device Compliance authentication method is applied to support access from managed devices.
  • A rule for user access from the Web Browser device type to access the Hub portal from any web browser.
  • A rule for users on unmanaged devices to access resources.

When users use one of the devices to sign in to the Workspace ONE Intelligent Hub app, they are authenticated according to the authentication method configured for the device type. After the user is successfully authenticated, when they launch other resources from the Workspace ONE Intelligent Hub app, that authentication method is recognized and the user is not prompted to authenticate again.

If the authentication method used to authenticate is not recognized when a user launches resources from the Workspace ONE Intelligent Hub app, the user is prompted to authenticate according to the rule that lets users access content from the Apps on Workspace ONE Intelligent Hub device type.

Example of Access Policy Rule Conditions to Use for Workspace ONE

For the best user experience, list the device type Apps on Workspace ONE Intelligent Hub as the first rule in the default access policy. When the rule is first, users are signed in to the app and can launch resources without reauthenticating until the session expires.

1. Create rules for each device that can be used to access the Workspace ONE Intelligent Hub app. This example is the rule to allow access from the device type iOS.

  • Network range is ALL RANGES.
  • Users can access the content from iOS.
  • No groups are added to the policy rule. All Users are supported.
  • Configure all authentication methods that are supported.
    • Authenticate using Mobile SSO (for iOS) and Device Compliance (with Workspace ONE UEM).
    • Fallback method 1: Password (cloud deployment).
  • Session reauthentication after 8 hours.

2. Create the rule for the device type Apps on Workspace ONE Intelligent Hub. Each authentication method configured for the devices in step 1 must be included in this rule.

  • Network range is ALL RANGES.
  • Users can access the content from Apps on Workspace ONE Intelligent Hub.
  • No groups are added to the policy rule. All Users are supported.
  • Configure all authentication methods that are supported.
    • Authenticate using Mobile SSO (for iOS) and Device Compliance (with Workspace ONE UEM).
    • Fallback method 1: Mobile SSO (for Android) and Device Compliance (with Workspace ONE UEM).
    • Fallback method 2: Password (cloud deployment).
  • Session reauthentication after 2160 hours.

2160 hours is equal to 90 days.

3. Create the rule for the device type Web Browser to access the Hub portal from any web browser. This example includes the authentication method Password (Local Directory) as a fallback. To authenticate system administrators who sign in, at least one rule must be configured to authenticate using Password (Local Directory). The session times out after 24 hours.

  • Network range is ALL RANGES.
  • Users can access the content from Web Browser.
  • No groups are added to the policy rule. All Users are supported.
  • Configure all authentication methods that are supported.
    • Authenticate using Password (cloud deployment).
    • Fallback method 2: Password.
    • Fallback method 3: Password (Local Directory).
  • Session reauthentication after 8 hours.

4. Create the rule for all device types to access unmanaged resources.

  • Network range is ALL RANGES.
  • Users can access the content from All Devices.
  • No groups are added to the policy rule. All Users are supported.
  • Configure all authentication methods that are supported.
    • Authenticate using Password (cloud deployment).
  • Session reauthentication after 8 hours.
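The constraints stated in steps 1 to 4 can be checked mechanically before a policy change is saved. The following is an added example, not VMware code: it models the four example rules as plain Python data and lints them for rule order, for Hub-rule coverage of every platform rule's authentication methods, and for the Password (Local Directory) requirement. The field names (`device`, `chains`, `reauth_hours`) and the function `lint_policy` are hypothetical and are not the Workspace ONE Access API schema.

```python
HUB = "Apps on Workspace ONE Intelligent Hub"
PLATFORMS = {"Android", "iOS", "macOS", "Windows 10"}
LOCAL_ADMIN = "Password (Local Directory)"
COMPLIANCE = "Device Compliance (with Workspace ONE UEM)"

# Constructed model of the four example rules, in evaluation order. Each rule
# lists its authentication chains: primary first, then fallbacks.
POLICY = [
    {"device": HUB, "reauth_hours": 2160, "chains": [
        ["Mobile SSO (for iOS)", COMPLIANCE],
        ["Mobile SSO (for Android)", COMPLIANCE],
        ["Password (cloud deployment)"]]},
    {"device": "iOS", "reauth_hours": 8, "chains": [
        ["Mobile SSO (for iOS)", COMPLIANCE],
        ["Password (cloud deployment)"]]},
    {"device": "Web Browser", "reauth_hours": 8, "chains": [
        ["Password (cloud deployment)"], ["Password"], [LOCAL_ADMIN]]},
    {"device": "All Devices", "reauth_hours": 8, "chains": [
        ["Password (cloud deployment)"]]},
]

def methods(rule):
    """Flatten a rule's chains into the set of methods it accepts."""
    return {m for chain in rule["chains"] for m in chain}

def lint_policy(rules):
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    hub = next((r for r in rules if r["device"] == HUB), None)
    if hub is None:
        return [f"no rule for device type {HUB!r}"]
    if rules[0] is not hub:
        findings.append(f"{HUB!r} rule is not first in the policy")
    for rule in rules:
        if rule["device"] in PLATFORMS:
            # Step 2: every method used by a platform rule must be in the Hub rule.
            for m in sorted(methods(rule) - methods(hub)):
                findings.append(f"{rule['device']} method {m!r} missing from Hub rule")
    if not any(LOCAL_ADMIN in methods(r) for r in rules):
        findings.append(f"no rule allows {LOCAL_ADMIN!r} for system administrators")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(POLICY) or ["policy passes all checks"]:
        print(finding)
```

A method that appears in a platform rule but not in the Hub rule is the case in which users are prompted again when they launch a resource from the app.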

When you create rules for each type of device, Apps on Workspace ONE Intelligent Hub, and Web Browser, your default policy set looks like the following screenshot.

Figure 1. Default Policy Set with Apps on Workspace ONE Intelligent Hub Device Type Listed First
Example of the rule order with Apps on Workspace ONE Intelligent Hub device type as first in the default access policy

Flow with this default access policy configured.

  1. UserA signs in to the Workspace ONE Intelligent Hub app from their iOS device and is asked to authenticate with Mobile SSO (for iOS). The third rule is Mobile SSO (for iOS) and the authentication is successful.
  2. UserA launches a resource listed in the Workspace ONE Intelligent Hub app and because the rule with device type Apps on Workspace ONE Intelligent Hub includes the authentication method Mobile SSO (for iOS) as a fallback authentication method, the resource is launched without requesting authentication again. The user can launch resources without signing in again for 2160 hours.

Also see Configure Access Policy Rule for Compliance Checking.