To achieve the single sign-on experience when users access apps from the Workspace ONE Intelligent Hub app or from their Hub portal in the browser, the default access policy is configured with rules for each type of device that is used in your environment, Android, iOS, and macOS, and set the order in which the authentication methods are used for authentication.


  • The authentication methods that your organization supports configured and enabled.
  • Network ranges of defined IP addresses created and assigned to the identity providers.

You chain Device Compliance to the device authentication method to measure the health of the managed device, resulting in pass or fail based on Workspace ONE UEM defined criteria.

Create a rule for each device type that can be used to access the Workspace ONE Intelligent Hub app.

This example is for the rule to allow access from the device type iOS and with device compliance.

Screenshot of the Add Policy Rule page

Create policy rules that apply to all authentication method in every directory that is configured. If a directory uses an authentication method that is not configured in a policy rule, users in that directory cannot log in.


  1. In the Workspace ONE Access console Resources > Policies page, click Edit Default Policy.
  2. You can change the policy name to be more specific. For example, Company Basic Access Policy.
    The policy applies to all apps that are in the catalog, unless the app is assigned to a web-specific access policy.
  3. Click Next to open the Configuration page.
  4. Select the rule name to edit, or to add a policy rule, click Add Policy Rule.
    Option Description
    If a user's network range is Verify that the network range is correct, If adding a rule, select the network range.
    and user accessing content from Select the device type that this rule manages. When the Workspace ONE Intelligent Hub app is used to access Workspace ONE and resources, create the first rule with Apps on Workspace ONE Intelligent Hub configured as the device type.
    and user belongs to groups If this access rule is going to apply to specific groups, search for the groups in the search box.

    If no group is selected, the access policy rule applies to all users.

    Then perform this action Select Authenticate using....
    then the user may authenticate using Configure the authentication method order. Select the authentication method to apply first.

    To require users to authenticate through two authentication methods, click + and in the drop-down menu select a second authentication method.

    If the preceding methods fails or is not applicable, then Configure fallback authentication methods as Password.

    This configuration provides the best experience to manage deices, while still providing a manual sign-in option for unmanaged devices.

    Re-authenticate after Select the length of the session, after which users must authenticate again.
  5. (Optional) In Advanced Properties, create a custom access denied error message that displays when user authentication fails. You can use up to 4000 characters, which are about 650 words. If you want to send users to another page, in the Custom Error Link URL text box, enter the URL link address. In the Custom Error Link text box, enter the text to describe the custom error link. This text is the link. If you leave this text box blank, the word Continue displays as the link.
  6. Click Next to review the rules and then click Save.

What to do next

Create additional rules, if necessary.

After all the rules are created, order the rules in the list as to how they are applied.

The edited policy rules take effect immediately.