Security Policies profiles offer security controls for SDK-built apps. Control security with authentication methods, tunneling app traffic, and restricting access to features with data loss prevention.

Navigation

In the Workspace ONE UEM console, you can find these default SDK settings in Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

Assign the SDK Profile to the Workspace ONE Intelligent Hub

Control and apply SDK functionality with the Workspace ONE Intelligent Hub and an SDK profile (default or custom). When using the Workspace ONE Intelligent Hub as a "broker application" for features, such as SSO, configure the Workspace ONE Intelligent Hub with the applicable SDK profile. If you are using the default SDK profile, ensure that the Workspace ONE Intelligent Hub is configured to use this profile. If you do not set the Workspace ONE Intelligent Hub to use the default SDK profile, then the system does not apply your settings you configured in the Settings and Policies section.

Force Token for App Authentication

This setting controls how the system allows users to access SDK-built applications, either initially or through a forgot-passcode procedure. When enabled, the system forces the user to generate an application token through the Self-Service Portal (SSP) and does not allow user name and password. This setting does not force the reset of the enrollment token.

Authentication Type

Select an authentication type that meets the security needs of your network. The passcode gives device users flexibility while user name and password offers compatibility with the Workspace ONE UEM system. If security is not an issue, then you do not have to require an authentication type.
Table 1. Descriptions of Authentication Items
Setting Description
Passcode Designates a local passcode requirement for supported applications. Device users set their passcode on devices at the application level when they first access the application.
User name and Password Requires users to authenticate to supported applications using their Workspace ONE UEM credentials. Set these credentials when you add users in the Accounts page of the Workspace ONE UEM console.
Disabled Requires no authentication to access supported applications.
Passcode Setting Description
Passcode Enable this option to require a local passcode requirement.
Authentication Timeout Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials.

On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.

Maximum Number Of Failed Attempts Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error.

Actions depend on the platform.

  • Android – The system performs an enterprise wipe on the device.
  • iOS – The system performs an enterprise wipe on the device.
Passcode Mode Select an option depending on your security needs and the platform.
  • Numeric
    • Android - You can enter only numbers.
    • iOS - You can enter numbers and letters.
  • Alphanumeric
    • Android - You can enter numbers and letters.
    • iOS - You can enter numbers and letters.
Allow Simple Value Set the passcode to allow simple strings. For example, allow strings like 1234 and 1111.
Minimum Passcode Length Set the minimum number of characters for the passcode.
Minimum Number Of Complex Characters (if Alphanumeric is selected) Set the minimum number of complex characters for the passcode. For example, allow characters like [], @, and #.
Maximum Passcode Age (days) Set the number of days the passcode remains valid before you must change it.
Passcode History Set the number of passcodes the Workspace ONE UEM console stores so that users cannot use recent passcodes.
Biometric Mode Select the system used to authenticate for access.
  • Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application.
  • Disabled – Does not require biometric authentication systems to access the application.
Username and Password Setting Description
Username and Password Enable this option to set authentication to use the Workspace ONE UEM credentials.
Authentication Timeout Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials.

On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.

Maximum Number Of Failed Attempts Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error.
Actions depend on the platform.
  • Android – The system performs an enterprise wipe on the device.
  • iOS – The system performs an enterprise wipe on the device.
Biometric Mode Select the system used to authenticate for access.
  • Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application.
  • Disabled – Does not require biometric authentication systems to access the application.
Disabled Setting Description
Disabled Select to require no authentication to access the application.

Authentication Type and SSO

Authentication Type and SSO can work together or alone.

  • Alone – If you enable an Authentication Type (passcode or user name/password) without SSO, then users must enter a separate passcode or credentials for each individual application. The exception to this configuration is the Workspace ONE Intelligent Hub for Android. This productivity app does not prompt users to create a passcode or PIN. See the section SSO, the Workspace ONE Intelligent Hub for Android, and Forced PINs for details.
  • Together – If you enable both Authentication Type and SSO, then users enter either their passcode or credentials (whichever you configure as the Authentication Type) once. They do not have to reenter them until the SSO session ends.

SSO, the Workspace ONE Intelligent Hub for Android, and Forced PINs

If you disable SSO and use Authentication Type > Passcode and you are deploying the Workspace ONE Intelligent Hub for Android (which uses the Workspace ONE SDK framework), the Workspace ONE Intelligent Hub for Android does not prompt the user to create a PIN for access. If you want to protect the Workspace ONE Intelligent Hub with a passcode, you must either enable SSO or assign a Passcode profile under Resources and apply it to the whole device in the Workspace ONE UEM console.

Single Sign-On

If you want to require a single sign-on (SSO) passcode on devices, enable Single Sign-On and set Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric.

Using either the Workspace ONE Intelligent Hub or Workspace ONE as a "broker application," end users can authenticate once using either their normal credentials or an SSO passcode. They gain access to other applications so long as the SSO session is active.

If you enable SSO but do not enable an Authentication Type, the system does not prompt end users with any recurring authentication. An exception to this behavior occurs when end users must authenticate during an initial installation of the application. They use their normal credentials to authenticate in this instance.

SSO Sessions and SDK App Login Behaviors

An SSO session establishes when a user authenticates with an application participating in SSO. Although SSO sessions help streamline the login experience for the user, the variables that impact the SSO mechanism and the login behavior of the SDK app are varied and complex. The session is active until it reaches the Authentication Timeout value or the user manually locks the application (includes forcing it closed). The SDK app prompts for credentials depending on multiple variables including but not limited to the platform, SSO setting, SSO session status, and Authentication Type.
  • Platform
    • Android
    • iOS
  • SSO configuration
    • Enabled
    • Disabled
  • SSO session status
    • Active
    • Inactive
  • Authentication Type configuration
    • Username and Password
    • Passcode
    • Disabled
  • Authentication Type state
    • Credential value exists (Passcode or Username and Password)
    • Credential value does not exist
    • Authentication Timeout is active or expired
  • SDK app state
    • App forcibly closed
    • SDK upgraded

On iOS devices, the existence of a valid identity sent from the Workspace ONE UEM console also influences the login behaviors in SDK apps. This identity is a one-time use token and it establishes the user identity in the SDK app. If the identity exists in the SDK app, then the system does not prompt for credentials.

The system displays specific prompts in the SDK app depending on the Authentication Type and the request sent from the Workspace ONE UEM console.
Table 2. Login Prompts
Authentication Type Request Login Prompt
Passcode Create Credentials Create Passcode
Provide Credentials Enter Passcode
Username and Password Create Credentials Enter Username and Password
Provide Credentials Enter Username and Password

Android and SSO - Login Prompts for Authentication Modes, Passcode and Username and Password (Login Values)

SSO Setting SSO Session Status State (Login Value or App) Login Behavior
Enabled Active Credential exists The system does not prompt for the login value.
Credential does not exist The system prompts to create the login value.
App closes

When user accesses the app, and another SDK-app is still involved in the SSO session, the system does not prompt for the login value.

If the app is stopped or forcibly closed without reaching the Authentication Timeout value, the system does not prompt for the login value.

SDK upgraded When user accesses app after upgrade, the system does not prompt for the login value.
Inactive Credential exists The system prompts the user for the login value.
Credential does not exist The system prompts the user to create the login value.
App closes The system prompts the user for the login value.
SDK upgraded The system prompts the user for the login value.
Disabled

Authentication Timeout status impacts behavior (active or expired).

NA Credential exists The system prompts the user for the login value.
Credential does not exist The system prompts the user to the create login value.
App closes The system prompts the user for the login value if Authentication Timeout has expired.
SDK upgraded The system does not prompt for the login value.

Android and SSO - Login Prompts for Authentication Mode Disabled

SSO Setting SSO Session Status Login Behavior
Enabled Active

The system does not prompt for login values.

The SDK app opens with no challenges.

Inactive

The system does not prompt for login values.

The SDK app opens with no challenges.

Disabled NA The system prompts the user for the Workspace ONE UEM credentials as the login values on first start.

After the initial start, the system opens the SDK app with no challenges.

iOS and SSO - Login Prompts for Authentication Modes, Passcode and Username and Password (Login Values)

SSO Setting SSO Session Status State (Login Value or App) Login Behavior
Enabled

Keychain-sharing apps share the session.

Active Credential exists The system does not prompt since the credential exists and the SSO session is active.
Credential does not exist The system prompts the user to create credentials.

App closes

When user accesses app after closing, the system prompts the user for the credential value.
SDK upgraded When the user accesses app after upgrade, the system prompts the user for the credential value.

iOS quits the app on upgrade.

Inactive Credential exists The system prompts the user for the credential value. When the SSO session expires, credentials are removed and the system prompts for the credentials again.
Credential does not exist The system prompts the user to create credentials.

App closes

When the user accesses the app after closing, the system prompts the user for the credential value.
SDK upgraded When the user accesses app after upgrade, the system prompts the user for the credential value.

iOS closes the app on upgrade.

Disabled

Keychain-sharing apps are not sharing the session.

Authentication Timeout status impacts behavior (active or expired).

NA Credential exists

The system does not prompt since the credential exists and Authentication Timeout session is active.

If the Authentication Timeout is expired, the system prompts the user for the credential value. When the session expires, credentials are removed and prompted for again.

Credential does not exist The system prompts the user to create credentials no matter if the Authentication Timeout is active or expired.

App closes

When the user accesses the app after closing, the system prompts the user for the credential value no matter if the Authentication Timeout is active or expired.
SDK upgraded If the Authentication Timeout is active, and the user accesses the app after upgrading, the system prompts the user for the credential value.

If the Authentication Timeout is expired, and the user accesses app after upgrade, the system prompts the user for the credential value because iOS closes the app after upgrading.

iOS and SSO - Login Prompts for Authentication Mode Disabled

SSO Setting SSO Session Status Login Behavior
Enabled Active

The system does not prompt for login values.

The SDK app opens with no challenges.

Inactive

The system does not prompt for login values.

The SDK app opens with no challenges.

Disabled NA

If the device is MDM managed, then the system does not prompt for login values. The SDK app opens with no challenges.

If the device is in Registered Mode, the system prompts the user for the Workspace ONE UEM credentials as the login values on first start. After the initial start, the system opens the SDK app with no challenges.

iOS and SSO - One Time Login Prompts When the App Is Missing the Identity (Valid Token)

SSO Setting Scenario Login Behavior
Enabled Valid one time token is available through Workspace ONE UEM. The system does not prompt for Username and Password authentication because it uses a one time token to establish identity.
A valid one time token is NOT available.

The first Keychain-sharing app is installed within a Keychain sharing cluster.

If the one time token is not available to establish identity, the system prompts for the Username and Password authentication to establish identity.
A valid one time token is NOT available.

The second Keychain-sharing app is installed within a Keychain sharing cluster.

The system does not prompt for the Username and Password authentication and establishes the identity silently.
Disabled Valid one time token is available through Workspace ONE UEM. The system does not prompt for the Username and Password authentication because it uses a one time token to establish identity.
Valid one time token is NOT available. If the one time token is not available to establish identity, the system prompts for the Username and Password authentication to establish identity.

Integrated Authentication

Allow access to corporate resources, such as content repositories, through the Workspace ONE Intelligent Hub using Workspace ONE UEM SSO credentials.
Setting Description
Enable Kerberos Use your Kerberos system for authenticating to corporate resources and sites.
Use Enrollment Credentials Access corporate resources listed in the Allowed Sites field with the SSO credentials.

Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Use Certificate Upload the Credential Source or set a Defined Certificate Authority to access corporate resources listed in the Allowed Sites text box with the SSO credentials.

Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Offline Access

The SDK restricts or allows offline access depending on the configurations.
Offline Access Behavior

Enabled

Maximum Period Allowed = time

The SDK allows offline access and then restricts access when time offline meets the maximum period allowed value.

Enabled

Maximum Period Allowed = 0

The SDK allows offline access indefinitely.
Disabled The SDK prevents offline access.

Compromised Protection

Protect your mobile network from compromised resources with an enterprise wipe. It clears privileged corporate data off devices. The system does not perform wipe actions on data unrelated to the enterprise.

AirWatch App Tunnel

Allow an application to communicate through a VPN or reverse proxy to access internal resources, such as a SharePoint or intranet sites. To use Allow all non-FQDN URLs through App tunnel, applications must use Workspace ONE SDK v19.3+ (both Android and iOS Swift).

The Per-App Tunnel provides Device Traffic Rules. Device Traffic Rules allow you to set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps.

Before you can use VMware Tunnel - Proxy or VMware Tunnel menu items, you must install these tunnels. See VMware Tunnel.

If you are switching from VMware Tunnel - Proxy to VMware Tunnel, migrate the App Tunnel URLs entries.

If users access an internal resource through a non-standard port (a port that is not port 80 or 443), explicitly list the port number in the URL you enter in App Tunnel URLs. For example, if the resource URL is data.company.com and it is accessed through port 7777, you must add data.company.com:7777 in the App Tunnel URLs field.

Setting Description
VMware Tunnel

Sets devices to access corporate resources using the Per-App Tunnel component of VMware Tunnel.

For this option to work, install VMware Tunnel.

Also, the Per-App Tunnel component of VMware Tunnel uses rules to set policies for tunneling, blocking, or bypassing specific domains. Ensure that you have setup web and other SDK-enabled apps on the Device Traffic Rules page before enabling it here.

If you have some SDK applications that still use VMware Tunnel - Proxy, enable Tunnel Proxy for Backward Compatibility. This menu item allows those SDK applications that have not migrated to Per-App Tunnel to continue to work using Proxy.

This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy.

VMware Tunnel - Proxy

Sets devices to access corporate resources using the proxy component of the VMware Tunnel, also called Proxy. Consider migrating to the Per-App Tunnel component for better performance and new features.

For this option to work, install VMware Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.

  • Select Configure VMware Tunnel - Proxy Settings to enable Proxy if you have not already set this feature.
  • Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
    • YES - All non-FQDN URLs use the tunnel.
    • NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
  • To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.

    Use wildcards to allow access to any site with a domain subset. For example, *.<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example > .com.

    If nothing is listed in this text box, all traffic directs through the app tunnel.

Standard Proxy
Sets devices to request resources using a proxy server that allows or denies connections to enterprise systems.
  • To access your internal network, select an App Tunnel Proxy from the menu . Add standard proxies by selecting Configure Standard Proxy Settings.
  • Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
    • YES - All non-FQDN URLs use the tunnel.
    • NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
  • To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.

    Use wildcards to allow access to any site with a domain subset. For example, *.<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example > .com.

    If nothing is listed in this text box, all traffic directs through the app tunnel.

Migrate Proxy App Tunnel URLs to Per-App Tunnel

If you migrate from VMware Tunnel - Proxy to VMware Tunnel (Per-App Tunnel) and want to keep the domains that use the tunnel, enter the App Tunnel URLs from the Proxy to the Device Traffic Rules settings for Per-App Tunnel.

Go to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies > App Tunnel Mode > VMware Tunnel - Proxy and record the entries in the App Tunnel URLs field.

The Per-App Tunnel provides Device Traffic Rules. Device Traffic Rules allow you to set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps.

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Network Traffic Rules > Device Traffic Rules.
  2. Select the applicable SDK application (like Workspace ONE Web). This configuration differs from the default SDK setting because you must enter the domains to tunnel by the app rather than as a blanket entry for all SDK-built apps. Use Add to enter multiple applications.
  3. Select Tunnel for the Action.
  4. Enter the app tunnel URLs from the VMware Tunnel - Proxy option in Destination Hostname. Define a default policy for domains that do not match patterns with your destination host names.
  5. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies, select App Tunnel Mode, and change from VMware Tunnel - Proxy to VMware Tunnel.

Content Filtering

Integrates your Forcepoint (Websense) content filtering service and the Workspace ONE Web. This integration requires settings on multiple pages in the console.

This integration requires configurations on different pages in the Workspace ONE UEM console.
  • Third-Party Proxies – Add information on the Third-Party Proxies page for your content filtering system so Workspace ONE UEM can communicate with it. Configure your Forcepoint information in Groups & Settings > All Settings > System > Enterprise Integration > Third Party Proxies.
  • Settings and Policies – Used for content filtering on the Settings and Policies page. Using the Settings and Policies, you can filter traffic in the Workspace ONE Web with the policies and rules set in your Forcepoint service.

Integration results in the system filtering the Workspace ONE Web traffic with the settings in the content filtering system. If you use another application tunnel, Workspace ONE UEM sends data that is not going through your content filtering service to the configured app tunnel.

Geofencing

Restrict access to applications depending on the distances set in Geofencing settings in the Workspace ONE UEM console.

Data Loss Prevention (DLP)

Protect sensitive data in applications. DLP options control how and what data transmits back and forth.
Setting Description
Enable Bluetooth Allows applications to access Bluetooth functionality on devices when set to Yes.
Enable Camera Allows applications to access the device camera when set to Yes.
Enable Composing Email Allows an application to use the native email client to send emails when set to Yes.
Enable Copy and Paste Out Allows users to copy and paste content from SDK-built applications to external destinations when set to Yes.

When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.

Encryption of the pasted content depends upon the configurations for authentication and SSO. If you enable authentication and SSO, the system encrypts the content with a user pin-based key. Otherwise, the system encrypts content with a randomly generated key.

The system migrates the setting configured previously in the option to Enable Copy and Paste to this feature.

Enable Copy and Paste Into Allows users to copy and paste content from external destinations into SDK-built applications when set to Yes.

When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.

Enable Data Backup Allows wrapped iOS applications to sync data with a storage service like iCloud when set to Yes.
Enable Location Services Allows wrapped applications to receive the latitude and longitude of the device when set to Yes.
Enable Printing Allows an application to print from devices when set to Yes.
Enable Screenshot Allows applications to access screenshot functionality on devices when set to Yes.
Enable Third-Party Keyboards On iOS devices when set to No, SDK-built applications always open in the native keyboard and prevent the use of third-party keyboards.

On Android devices when set to No and the user did not set the system keyboard as the primary keyboard, SDK-built applications prevent user access.

Enable Watermark Displays text in a watermark in documents in the VMware Content Locker when set to Yes.

Enter the content to display in the Overlay Text text box or use lookup values. You cannot change the design of a watermark from the Workspace ONE UEM console.

Limit Documents to Open Only in Approved Apps Enter options to control the applications used to open resources on devices.
Allowed Applications List Enter the applications that you allow to open documents.

Network Access Control

Allow applications to access the mobile network.
Setting Description
Allow Cellular Connection Controls cellular connections by allowing them all the time, allowing connections when the device is not roaming, or never allowing cellular connections.
Allow Wi-Fi Connection Allows connections using Wi-Fi networks, or limits connections by Service Set Identifier (SSID).
Allowed SSIDs Enter the Service Set Identifiers (SSIDs) that devices can use to access the Wi-Fi network during limiting connections.