When users enroll their devices in Workspace ONE UEM, samples containing data used to evaluate compliance are sent on a scheduled basis. The evaluation of this sample data ensures that the device meets the compliance rules set by the administrator in the Workspace ONE UEM console. If the device goes out of compliance, corresponding actions configured in the UEM console are taken.

The Workspace ONE Access service includes an access policy option that can be configured to check the Workspace ONE UEM server for device compliance status when users sign in from the device. The compliance check ensures that users are blocked from signing in to an application or using single sign-on to the user's portal if the device goes out of compliance. When the device is compliant again, the ability to sign in is restored.

The Workspace ONE Intelligent Hub app automatically signs out and blocks access to the applications if the device is compromised. If the device was enrolled through adaptive management, an enterprise wipe command issued through the UEM console unenrolls the device and removes the managed applications from the device. Unmanaged applications are not removed.

For more information about Workspace ONE UEM compliance policies, see the VMware Workspace ONE UEM Mobile Device Management Guide, in the Workspace ONE UEM Documentation Center.

Important: The Device Compliance authentication method does not work when Workspace ONE UEM is unreachable or unavailable for any reason, including planned maintenance and unplanned outages.

How to Enable Compliance Checking in Workspace ONE Access

In the Workspace ONE Access console, enable device compliance in the Integrations > Workspace ONE UEM configuration page and configure Device Compliance in the Authentication Methods page.

  1. In the Workspace ONE Access console, go to the Integrations > UEM Integration page. In the Device Compliance Check section, select Enable.
  2. Click Save.
  3. Go to the Integrations > Authentication Methods page, and select Device Compliance (with Workspace ONE UEM).
  4. Enable Device Compliance authentication and set the maximum number of failed login attempts. The other text boxes are pre-populated with the configured Workspace ONE UEM values.
     Enable Device Compliance Adapter: Select this check box to enable Workspace ONE UEM password authentication.
     Workspace ONE UEM Admin Console URL: Pre-populated with the Workspace ONE UEM URL that you set up on the AirWatch configuration page.
     Workspace ONE UEM API Key: Pre-populated with the Workspace ONE UEM Admin API key.
     Certificate Used for Authentication: Pre-populated with the AirWatch Cloud Connector certificate.
     Password for Certificate: Pre-populated with the password for the AirWatch Cloud Connector certificate.
  5. Click Save.
    Important: When the Workspace ONE UEM service details applicable to this authentication method change, make sure that you update the Workspace ONE UEM configuration in the Workspace ONE Access console. Otherwise, this authentication method might fail.

What to Do Next

Associate the Device Compliance authentication method in the built-in identity provider. See Configure a Built-in Identity Provider in Workspace ONE Access.

Configure the default access policy to create rules to use device compliance with Workspace ONE UEM. See Configure Compliance Checking Rules in Workspace ONE Access.