Workspace ONE shift-based access control can be configured to deliver a digital workspace that restricts the use of different product apps and features when a worker is not clocked in for their shift.
In the Workspace ONE Access console, you can configure Shift-based Authorization as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift. You create application-specific access policies that specify the criteria that users must meet to access the apps. The authorization is applied after workers are authenticated with a first factor authentication method based on your access policy rules.
Shift-based access control relies on the worker status data retrieved from the WorkJam time management and scheduling system that is integrated in Workspace ONE Experience Workflows. You create an access policy with rules that require workers to authenticate using an authentication method first and then use the shift-based authorization to manage access to the applications.
To manage circumstances when the shift status is not available, in the shift-based authorization configuration, you can enable the ability to authorize workers when the shift status is unknown or unreachable.
Prerequisites
- Hub Services activated with App catalog enabled.
- WorkJam - Worker status integration pack installed and configured in Workspace ONE Experience Workflows in the Hub Services console.
- List of applications configured in the Workspace ONE Access catalog to restrict.
Procedure to Enable Shift-based Access
- In the Workspace ONE Access console page, select Shift-based Access.
- Enable the authorization method.

| Option | Description |
| --- | --- |
| Enable Shift-Based Authorization | Set Enable to Yes. |
| Authorize for "Unknown" shift status. / Authorize when shift status is unreachable | These two fields are optional to configure. They enable the ability to authorize workers when the shift status is unknown or unreachable, and their use is based on how the company uses WorkJam. If users without a shift status should be excluded from shift-based access, enable this “Unknown” field. If the company wants to prioritize giving access when the shift system is down, enable this “unreachable” field. |

- Navigate to the Identity Providers page and select the built-in identity provider that is already configured.
- In the Authentication Methods section, select Shift-based Access.
- Click Save.
Create an Access Policy
You create an application-specific access policy with rules that require authentication first followed by shift-based authorization to access the app.
- In the Workspace ONE Access console, navigate to and click ADD POLICY.
- On the Definition page, in Policy Name, enter a name for the policy and in the Description text box describe the purpose of the policy. For example, Policy to manage shift-based worker access.
- In the Applies to section, add the restricted app names that require shift-based authorization to access an app.
- On the Configuration page, click + ADD POLICY RULE.

| Option | Description |
| --- | --- |
| If a user's network range is | Select the network range that workers can use to sign in and access apps. |
| and user accessing content from | Select the type of device that this rule applies to. Select All Device Types for a policy rule that applies to all cases of access. |
| and user belongs to groups | If this access rule is going to apply to specific groups, search for the groups in the search box. If no group is selected, the access policy rule applies to all users. |
| Then perform this action | Select Authenticate using... |
| then the user may authenticate using | Configure the authentication method order: select the authentication method that the worker must use to access the application, then click + and select Shift-based Access. |
| If the preceding method fails or is not applicable, then | You do not configure a fallback option. |
| Re-authenticate after | Select the length of the session, after which workers must authenticate again. The default is 8 hours. |
| (Recommended) Advanced Properties > Custom Error Message | Create a custom error message that explains why the user cannot access an app. |

- Click SAVE.
- If you did not configure All Device Types as the value for and user accessing content from, click ADD POLICY RULE to add and configure rules for shift-based access for each type of device that is used to access managed apps.
- Click NEXT.
- On the Configuration page, review the authentication order. You can drag the rule rows to change the order that rules are applied.
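
The access decision that results from the two optional fields and the policy rule above can be modelled as follows. This is an added example, not VMware code or a Workspace ONE API: the names `Shift`, `ShiftAuthzConfig`, `may_launch` and `fail_open_states` are hypothetical, and the model assumes that an on-shift status grants access and an off-shift status denies it.

```python
from dataclasses import dataclass
from enum import Enum


class Shift(Enum):
    ON = "on-shift"
    OFF = "off-shift"
    UNKNOWN = "unknown"          # no shift status available for the worker
    UNREACHABLE = "unreachable"  # shift status could not be retrieved


@dataclass(frozen=True)
class ShiftAuthzConfig:
    # Hypothetical stand-ins for the two optional console fields.
    authorize_unknown: bool = False
    authorize_unreachable: bool = False


def may_launch(first_factor_ok: bool, shift: Shift, cfg: ShiftAuthzConfig) -> bool:
    """Model of the rule: first-factor authentication, then shift-based authorization."""
    if not first_factor_ok:
        return False  # the rule has no fallback option
    if shift is Shift.ON:
        return True
    if shift is Shift.UNKNOWN:
        return cfg.authorize_unknown
    if shift is Shift.UNREACHABLE:
        return cfg.authorize_unreachable
    return False  # off-shift


def fail_open_states(cfg: ShiftAuthzConfig) -> list:
    """Statuses other than on-shift that still grant access under cfg."""
    return [s for s in Shift if s is not Shift.ON and may_launch(True, s, cfg)]


if __name__ == "__main__":
    # Print the effect of each combination of the two optional fields.
    for unknown in (False, True):
        for unreachable in (False, True):
            cfg = ShiftAuthzConfig(unknown, unreachable)
            granted = [s.value for s in fail_open_states(cfg)] or ["none"]
            print(f"unknown={unknown!s:5} unreachable={unreachable!s:5} "
                  f"-> access without on-shift status: {', '.join(granted)}")
```

With both fields left disabled, only an authenticated, on-shift worker can launch the restricted app; each enabled field adds one status in which access is granted without a confirmed shift.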