You must edit the Workspace ONE Access default access policy to add the iOS Mobile SSO authentication method that you configured to the rules.

When users attempt to sign in from their iOS devices, Workspace ONE Access service evaluates the default access policy rules to select the rule that applies to iOS Mobile SSO authentication. The authentication policy you create determines which authentication method Workspace ONE Access implements, based on the network range, device type, and user group.


  1. In the Workspace ONE Access console Resources > Policies page, click Edit Default Policy and then click Next.
  2. Add a new policy rule, click Add Policy Rule.
    Option Description
    If a user's network range is Select the network range for this policy rule.
    and user accessing content from Select iOS.
    and user belongs to groups If this access rule is going to apply to specific groups, search for the groups in the search box.

    If you do not select a group, the access policy applies to all users.

    Then perform this action Select Authenticate using....
    then the user may authenticate using Select Mobile SSO (for iOS).
    If the preceding methods fails or is not applicable, then Configure additional fallback authentication methods.

    You can add Device Compliance to check the Workspace ONE UEM server for device compliance status when users sign in from their devices. See Configure Compliance Checking Rules in Workspace ONE Access.

    Re-authenticate after Select the length of the session, after which users must authenticate again.
  3. (Optional) In Advanced Properties, create a custom access denied error message that displays when user authentication fails. You can use up to 4000 characters, which are about 650 words. If you want to send users to another page, in the Custom Error Link URL text box, enter the URL link address. In the Custom Error Link text text box, enter the text to describe the custom error link. This text is the link. If you leave this text box blank, the word Continue displays as the link.
  4. Click Save.
  5. Drag and drop this rule before the Web Browser rule in the list of default access policy rules.
  6. Click Next to review the rules and then click Save.

What to do next

Go to the Workspace ONE UEM console and configure the iOS device profile and add the KDC server issuer certificate from Workspace ONE Access. See Configure Apple iOS Profile in Workspace ONE UEM Using Workspace ONE UEM Certificate Authority.