Update the default access policy in Workspace ONE Access to include policy rules for iOS and Android devices. The default access policy governs login to the Workspace ONE Intelligent Hub catalog. Configuring Mobile SSO policy rules is mandatory because these rules are part of how device trust information is passed to apps.

Create policy rules for iOS and Android with Mobile SSO as the authentication method and with Okta authentication as the fallback method. Also configure the rules for Apps on Workspace ONE Intelligent Hub and Web browser. Make sure that the policy rules are in the correct order.

Important: Do not add the Device Compliance (with AirWatch) authentication method to policy rules in Workspace ONE Access for apps that are configured with Device Trust in Okta. The Device Compliance authentication method is not compatible with apps using Okta Device Trust.

Procedure

  1. In the Workspace ONE Access console, select Resources > Policies.
  2. Click Edit Default Policy.
  3. In the Edit Policy wizard, click Configuration.
  4. Click Add Policy Rule and create a policy rule for iOS devices.
    1. Set Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: iOS
      Then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (iOS)
      If the preceding method fails or is not applicable, then: Okta Auth Method
      Note: For Okta Auth Method, select the authentication method you created for the Okta IDP in Create a New SAML Identity Provider in Workspace ONE Access.
    2. Click Save.
  5. Click Add Policy Rule and create a similar policy rule for Android devices.
    1. Set Mobile SSO (Android) as the first authentication method and Okta authentication as the fallback authentication method.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Android
      Then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (Android)
      If the preceding method fails or is not applicable, then: Okta Auth Method
    2. Click Save.
  6. Configure the policy rule for Apps on Workspace ONE Intelligent Hub.
    1. Click the policy rule for Apps on Workspace ONE Intelligent Hub to edit it.
    2. Configure the rule.
      If a user's network range is: ALL RANGES
      and the user is accessing content from: Apps on Workspace ONE Intelligent Hub
      Then perform this action: Authenticate using
      then the user may authenticate using: Mobile SSO (for iOS)
      If the preceding method fails or is not applicable, then: Mobile SSO (for Android)
      If the preceding method fails or is not applicable, then: Okta Auth Method
      
  7. Verify that the policy rule for Web browsers that you configured earlier in the integration process is configured correctly.
    If a user's network range is: ALL RANGES
    and the user is accessing content from: Web Browser
    Then perform this action: Authenticate using
    then the user may authenticate using: Okta Auth Method
    
  8. Arrange the policy rules in the following order, listed from top to bottom.
    1. Apps on Workspace ONE Intelligent Hub
    2. iOS or Android
    3. iOS or Android
    4. Web browser
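
The following check is an added example, not part of the original procedure or of any VMware or Okta tooling. It audits a hand-transcribed copy of the default policy rules against the authentication chains, the rule order, and the Device Compliance restriction described above. The dictionary layout, the single spelling used for each Mobile SSO method, and the `rule` and `audit_default_policy` helpers are assumptions made for the example.

```python
# Constructed, hand-transcribed model of the default access policy; this layout is
# an assumption for the example, not a Workspace ONE Access export or API format.
HUB, WEB = "Apps on Workspace ONE Intelligent Hub", "Web Browser"
IOS_SSO, ANDROID_SSO = "Mobile SSO (iOS)", "Mobile SSO (Android)"
OKTA = "Okta Auth Method"  # placeholder: use the name of the method you created
FORBIDDEN = "Device Compliance (with AirWatch)"
# Authentication chain each rule should carry, first method to last fallback.
EXPECTED = {
    HUB: [IOS_SSO, ANDROID_SSO, OKTA],
    "iOS": [IOS_SSO, OKTA],
    "Android": [ANDROID_SSO, OKTA],
    WEB: [OKTA],
}

def rule(device, *chain, network_range="ALL RANGES"):
    return {"device": device, "network_range": network_range, "auth_chain": list(chain)}

def audit_default_policy(rules):
    """Return findings as strings; an empty list means the rules match the procedure."""
    findings, seen = [], []
    for r in rules:
        device, chain = r["device"], r["auth_chain"]
        if FORBIDDEN in chain:
            findings.append(f"{device}: {FORBIDDEN} is not compatible with Okta Device Trust")
        if device not in EXPECTED:
            continue  # rules for other device types are outside this procedure
        seen.append(device)
        if r["network_range"] != "ALL RANGES":
            findings.append(f"{device}: network range should be ALL RANGES")
        if chain != EXPECTED[device]:
            findings.append(f"{device}: chain {chain} should be {EXPECTED[device]}")
    for device in EXPECTED:
        if seen.count(device) != 1:
            findings.append(f"{device}: expected one rule, found {seen.count(device)}")
    # Step 8 order: Hub rule first, iOS and Android in either order, Web Browser last.
    if sorted(seen) == sorted(EXPECTED) and not (
        seen[0] == HUB and set(seen[1:3]) == {"iOS", "Android"} and seen[3] == WEB
    ):
        findings.append(f"rule order {seen} does not match the required order")
    return findings

# Constructed sample: iOS rule sits above the Hub rule, Android falls back to Device Compliance.
SAMPLE_POLICY = [
    rule("iOS", IOS_SSO, OKTA),
    rule(HUB, IOS_SSO, ANDROID_SSO, OKTA),
    rule("Android", ANDROID_SSO, FORBIDDEN),
    rule(WEB, OKTA),
]
print("\n".join(audit_default_policy(SAMPLE_POLICY)))
```

Transcribe the rules from the Edit Policy wizard in the order they appear on screen; an empty result means the four rules match the procedure.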