When users enroll their devices in Workspace ONE UEM, samples containing data used to evaluate compliance are sent on a scheduled basis. The evaluation of this sample data ensures that the device meets the compliance rules set by the administrator in the Workspace ONE UEM console. If the device goes out of compliance, corresponding actions configured in the UEM console are taken.
The Workspace ONE Access service includes an access policy option that can be configured to check the Workspace ONE UEM server for device compliance status when users sign in from the device. The compliance check ensures that users are blocked from signing in to an application or using single sign-in to the user's portal if the device goes out-of-compliance. When the device is compliant again, the ability to sign in is restored.
The Workspace ONE Intelligent Hub app automatically signs out and blocks access to the applications if the device is compromised. If the device was enrolled through adaptive management, an enterprise wipe command issued through the UEM console unenrolls the device and removes the managed applications from the device. Unmanaged applications are not removed.
For more information about Workspace ONE UEM compliance policies, see the VMware Workspace ONE UEM Mobile Device Management Guide, in the VMware Workspace ONE UEM Documentation pages.
How to Enable Compliance Checking in Workspace ONE Access
In VMware Workspace ONE Access, enable device compliance in the Workspace ONE UEM configuration page and configure Device Compliance in the Components > Authentication Methods page.
- Go to the Workspace ONE Access console Device Compliance Check section and select Enable. > page,
- Click Save.
- Go to the Device Compliance (with Workspace ONE UEM) page, and select
- Enable Device Compliance authentication and set the maximum number of failed login attempts. The other text boxes are pre-populated with the configured Workspace ONE UEM values.
Option Description Enable Device Compliance Adapter Select this check box to enable Workspace ON UEM password authentication. Workspace ONE UEM Admin Console URL Pre-populated with the Workspace ONE UEM URL that you set up on the AirWatch configuration page. Workspace ONE UEM API Key Pre-populated with the Workspace ONE UEM Admin API key. Certificate Used for Authentication Pre-populated with the AirWatch Cloud Connector certificate. Password for Certificate Pre-populated with the password for the AirWatch Cloud Connector certificate.
- Click Save.
Important: When the AirWatch Cloud Connector software is upgraded, make sure that you update the Workspace ONE UEM configuration in the Workspace ONE Access console.
What to do Next
Associate the Device Compliance authentication method in the built-in identity provider. See Configure a Built-in Identity Provider in Workspace ONE Access.
Configure the default access policy to create rules to use device compliance with Workspace ONE UEM. See Configure Compliance Checking Rules in Workspace ONE Access.