To provide secure access to the users' Hub portal and to launch web and desktop applications, you configure access policies.

After you enable and configure the authentication methods in the built-in identity provider, create policy rules in the default access policy to manage access from mobile devices.

Policy rules map the requesting IP address to network ranges and designate the type of devices that users can use to sign in. The rule defines the authentication methods and the number of hours the authentication is valid.

When users attempt to sign in, the Workspace ONE Access service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You can create policies and assign them to applications that require restricted access. The access policy set can be configured to check the Workspace ONE UEM server for device compliance status when users sign in from a device. The compliance check ensures that users are blocked from signing in to an application or using single sign-in to their user portal if the device goes out-of-compliance. When the device is compliant again, the ability to sign in is restored.