You can add Office 365 applications to the Workspace ONE UEM console so that you can control access with client access policies.


  1. Navigate to Apps & Books > Applications > Web > SaaS and select New.
  2. Complete the options on the Definition tab.
    Setting Description
    Search Enter Office 365 to see a list of available applications.
    Name Enter or view a name for the SaaS application.
    Description (Optional) Provide a description of the application. Often, this text box pre-populates.
    Icon (Optional) if an icon does not pre-populate, select an icon.
    Category (Optional) Assign categories to help users sort and filter the application in the Workspace ONE catalog.

    Configure categories in Workspace ONE Access so that they display in the category list.

  3. Complete the options on the Configuration tab.
    1. Office 365 applications use WSFed 1.2 for Authentication Type to provide single sign-on.
      Setting Description
      Target URL Enter the URL to direct users to the SaaS application on the Internet.
      Single Sign-On URL Enter the Assertion Consumer Service (ACS) URL.

      Workspace ONE sends this URL to your service provider for single sign-on.

      Application ID Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.

      Some service providers use the Single Sign-On URL.

      Username Format Select the format required by the service providers for the SAML subject format.
      Username Value Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement.

      This value is a default profile text box value for a username at the application service provider.

    2. Add values for Application Parameters to allow the application to start.
    3. If you want greater control of messaging in single sign-on processes with Workspace ONE, add Advanced Properties for WSFed 1.2.
      Setting Description
      Credential Verification Select the method for credential verification.
      Signature Algorithm Select the signature algorithm that matches the digest algorithm.

      If your service provider supports SHA256, select this algorithm.

      Digest Algorithm Select the digest algorithm that matches the signature algorithm.

      If your service provider supports SHA256, select this algorithm.

      Assertion Time Enter the seconds that the assertion Workspace ONE sends to the service provider for authentication is valid.
      Custom Attribute Mapping If your service provider allows custom attributes other than ones for single sign-on, add them.
    4. Assign policies to secure signing in to application resources with Access Policies.
      Setting Description
      Access Policy Select a policy for Workspace ONE to use to control user authentication and access.

      The default access policy is available if you do not have custom access policies.

      You can configure these policies in the UEM console.

      Open in VMware Browser Require Workspace ONE to open the application in the VMware Browser.

      If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources.

      License Approval Required Require approvals before the application installs and activates a license.
      • License Pricing - Select the pricing model to buy licenses for the SaaS application.
      • License Type - Select the user model for the licenses, named or concurrent users.
      • Cost Per License - Enter the price per license.
      • Number of Licenses - Enter the number of licenses bought for the SaaS application.

      Configure the corresponding Approvals in the Settings section of SaaS applications.

  4. Add Client Access Policies for Office 365 clients. A client access policy allows Workspace ONE UEM to manage the Office 365 client UI credentials collected for authentication. Some client examples include VMware Boxer and Microsoft Outlook. Select Add Policy Rule and complete the settings.
    If the user's client is Select an available Office 365 client.
    And a user's network range is Select a network range previously configured in the network ranges process.
    And the user's device type is Select the allowed device platform for access.
    and user belongs to group(s) Select user groups allowed to access content according to the criteria in this policy.

    If you select no groups, the policy applies to all users.

    And the client's email protocol is Select the allowable protocol for the Office 365 client.
    Then perform this action Allow or deny access to Office 365 applications.
  5. View the Summary for the SaaS application and move to the assignment process.

What to do next

Assign SaaS applications to users and groups configured in Workspace ONE Access . See Assign SaaS Applications.