To achieve the single sign-on experience when users access resources from the Workspace ONE app, the default access policy is configured with rules for each type of device that is used in your environment, Android, iOS, Mac OS, or Windows 10. You also create a rule for the device type Workspace ONE App.
In this example of a default access policy configuration, the default access policy is created with rules to cover users who sign in from all network ranges. The following rules are created.
- A rule for each device that can be used to access the Workspace ONE App.
- A rule for user access from the Workspace ONE App device type. Each authentication method configured for the devices must be included in the rule.
- A rule for user access from the Web Browser device type to access Workspace ONE from any web browser.
The rule for device type Workspace ONE App is configured with all authentication methods that can be used to access the Workspace ONE app. One authentication method is assigned first and the other authentication methods are configured as fallback authentication types. When users use one of the devices to sign in to the Workspace ONE app, they are authenticated according to the authentication method configured for the device type. After the user is successfully authenticated, when they launch other resources from the Workspace ONE app screen, that authentication method is recognized and the user is not prompted to authenticate again. If the authentication method used to authenticate to Workspace ONE is not recognized, when a user launches resources from the Workspace ONE app, the user is prompted to authenticate according to the Workspace ONE App rule.
For the best user experience, list the device type Workspace ONE App as the first rule in the default access policy. When the rule is first, users are signed in to the app and can launch resources without reauthenticating until the session expires.
1. Create rules for each device that can be used to access Workspace ONE. This example is for the rule for allow access from the device type iOS.
- Network range is ALL RANGES.
- Users can access the content from iOS.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Mobile SSO (for iOS).
- Fallback method 1: Password (cloud deployment).
- Fallback method 2: Device Compliance (with AirWatch).
- Session reauthentication after 8 hours.
2. Create the rule for the device type Workspace ONE App. Each authentication method configured for the devices must be included in the rule.
- Network range is ALL RANGES.
- Users can access the content from Workspace ONE App.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Mobile SSO (for iOS).
- Fallback method 1: Mobile SSO (for Android).
- Fallback method 2: Password (cloud deployment).
- Fallback method 3: Device Compliance (with AirWatch).
- Session reauthentication after 2160 hours.
2160 hours is equal to 90 days, which is the Workspace ONE App OAuth token refresh token time to live. See Applying Workspace ONE App Rules to Access Policies.
3. Create the rule for the device type Web Browser to access Workspace ONE from any web browser. This example includes as a fallback the authentication method Password (Local Directory). To authentication system administrators who sign in, at least one rule must be configured to authentication using Password (Local Directory). The session times out after 24 hours.
- Network range is ALL RANGES.
- Users can access the content from Web Browser.
- No groups are added to the policy rule. All Users are supported.
- Configure all authentication methods that are supported.
- Authenticate using Password (cloud deployment).
- Fallback method 2: Password.
- Fallback method 3: Password (Local Directory).
- Session reauthentication after 8 hours.
When you create rules for all devices, Workspace ONE App and Web Browser, you default policy set looks like the following screenshot.
Flow with this default access policy configured.
- UserA signs in to the Workspace ONE app from their iOS device and is asked to authenticate with Mobile SSO (for iOS). The authentication is successful.
- UserA launches a resource listed in the Workspace ONE app and because the Workspace ONE App rule includes the authentication method Mobile SSO (for iOS) as a fallback authentication method, the resource is launched without requesting authentication again. The user can launch resources without signing in to Workspace ONE again for 2160 hours.