The Security Policies page helps you to configure the UEM apps.
What can you do with the Settings Policies page?
The Security Policies page lets you configure options that affect Workspace ONE UEM apps, Workspace ONE SDK-built apps, and wrapped apps.
Determine your Organization group hierarchy
Before you review and modify the settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choice. For more information about these settings, see Override Versus Inherit Setting for Organization Groups.
- Current Setting- Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
- Child Permission - Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
Settings and Polices
- Force Token For App Authentication
Controls how the system allows users to access SDK-built applications, either initially or through a forgot-passcode procedure. When enabled, the system forces the user to generate an application token through the Self-Service Portal (SSP) and does not allow username and password.
- Authentication Type
Passcode Setting Description Passcode Enable this option to require a local passcode requirement. Authentication Timeout Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials. On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.
Maximum Number Of Failed Attempts Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error. Actions depend on the platform.
- Android – The system performs an enterprise wipe on the device.
- iOS – The system performs an enterprise wipe on the device.
Passcode Mode Select an option depending on your security needs and the platform. - Numeric
- Android - You can enter only numbers.
- iOS - You can enter numbers and letters.
- Alphanumeric
- Android - You can enter numbers and letters.
- iOS - You can enter numbers and letters.
Allow Simple Value Set the passcode to allow simple strings. For example, allow strings like 1234 and 1111. Minimum Passcode Length Set the minimum number of characters for the passcode. Minimum Number Of Complex Characters (if Alphanumeric is selected) Set the minimum number of complex characters for the passcode. For example, allow characters like [], @, and #. Maximum Passcode Age (days) Set the number of days the passcode remains valid before you must change it. Passcode History Set the number of passcodes the Workspace ONE UEM console stores so that users cannot use recent passcodes. Use Device Pin for Authentication Select to require the use of the device passcode (labelled PIN in the UI) to authenticate to and access SDK-built apps and Workspace ONE productivity apps. This setting is part of the Workspace ONE Require Device Passcode (RDP) feature supported by the Workspace ONE SDK.
Biometric Mode Select the system used to authenticate for access. - Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application.
- Disabled – Does not require biometric authentication systems to access the application.
Username and Password Setting Description Username and Password Enable this option to set authentication to use the Workspace ONE UEM credentials. Authentication Timeout Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials. On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.
Maximum Number Of Failed Attempts Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error. Actions depend on the platform.- Android – The system performs an enterprise wipe on the device.
- iOS – The system performs an enterprise wipe on the device.
Use Device Pin for Authentication Select to require the use of the device passcode (labelled PIN in the UI) to authenticate to and access SDK-built apps and Workspace ONE productivity apps. This setting is part of the Workspace ONE Require Device Passcode (RDP) feature supported by the Workspace ONE SDK.
Biometric Mode Select the system used to authenticate for access. - Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application.
- Disabled – Does not require biometric authentication systems to access the application.
Disabled Setting Description Disabled Select to require no authentication to access the application. - Single Sign-On
Using either the Workspace ONE Intelligent Hub or Workspace ONE as a "broker application," end users can authenticate once using either their normal credentials or an SSO passcode. They gain access to other applications so long as the SSO session is active.
- Integrated Authentication
Setting Description Enable Kerberos Use your Kerberos system for authenticating to corporate resources and sites. Use Enrollment Credentials Access corporate resources listed in the Allowed Sites field with the SSO credentials. Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.
Use Certificate Upload the Credential Source or set a Defined Certificate Authority to access corporate resources listed in the Allowed Sites text box with the SSO credentials. Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.
- Offline Access
Offline Access Behavior Enabled
Maximum Period Allowed = time
The SDK allows offline access and then restricts access when time offline meets the maximum period allowed value. Enabled
Maximum Period Allowed = 0
The SDK allows offline access indefinitely. Disabled The SDK prevents offline access. - Compromised Protection
Stops a compromised device from accessing your enterprise resources. An enterprise wipe clears privileged corporate data off devices. The system does not perform wipe actions on data unrelated to the enterprise. The system performs an enterprise wipe after the system detects a device is compromised.
- SafetyNet Attestation Evaluation Type
Select which evaluation types from SafetyNet Attestation are trusted as a part of Android Compromised Detection. Choose to continue using All Evaluation Types or trust Hardware-Backed only.
SafetyNet Attestation has to be enabled through custom settings on the Apps / Settings and Policies / Settings page. To enable SafetyNet Attestation, see Android Device Management with Workspace ONE UEM.
- AirWatch App Tunnel
Setting Description App Tunnel Mode Select the Tunnel Mode.
VMware Tunnel:Sets devices to access corporate resources using the Per-App Tunnel component of VMware Workspace ONE Tunnel.
For this option to work, install VMware Workspace ONE Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.
Also, the Per-App Tunnel component of VMware Workspace ONE Tunnel uses rules to set policies for tunneling, blocking, or bypassing specific domains. Ensure that you have setup web and other SDK-enabled apps on the Device Traffic Rules page before enabling it here.
- Select Configure Tunnel Settings to enable the VMware Workspace ONE Tunnel if you have not already set this feature.
-
This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy.
Tunnel Proxy:
Sets devices to access corporate resources using the proxy component of the VMware Workspace ONE Tunnel, also called Proxy. Consider migrating to the Per-App Tunnel component for better performance and new features.
For this option to work, install VMware Workspace ONE Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.
- Select Configure VMware Tunnel - Proxy Settings to enable Proxy if you have not already set this feature.
- To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.
Use wildcards to allow access to any site with a domain subset. For example,
allows traffic to any site that contains in its domain. Similarly, it allows access to any port on that site with an implementation similar to .If nothing is listed in this text box, all traffic directs through the app tunnel.
Standard Proxy:Sets devices to request resources using a proxy server that allows or denies connections to enterprise systems.- To access your internal network, select an App Tunnel Proxy from the menu . Add standard proxies by selecting Configure Standard Proxy Settings.
- To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.
Use wildcards to allow access to any site with a domain subset. For example,
allows traffic to any site that contains in its domain. Similarly, it allows access to any port on that site with an implementation similar to .If nothing is listed in this text box, all traffic directs through the app tunnel.
Device Traffic Rule Sets Select the Device Traffic Rule. Allow all non-FQDN URLs through App tunnel Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel. - YES - All non-FQDN URLs use the tunnel.
- NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
Tunnel Proxy for Backwards Compatibility If you have some SDK applications that still use VMware Tunnel - Proxy, enable Tunnel Proxy for Backward Compatibility. This menu item allows those SDK applications that have not migrated to Per-App Tunnel to continue to work using Proxy. This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy. - Content Filtering
Allow or block access to sites in the Workspace ONE Web depending on rules and policies you set in your Forcepoint service.
- Geofencing
Restrict access to applications depending on the distances set in Geofencing settings in the Workspace ONE UEM console. Enter the specific area in the Geofencing Area text box.
- Data Loss Prevention
Setting Description Enable Bluetooth Allows applications to access Bluetooth functionality on devices when set to Yes. Enable Camera Allows applications to access the device camera when set to Yes. Enable Composing Email Allows an application to use the native email client to send emails when set to Yes. Enable Copy and Paste Out Allows users to copy and paste content from SDK-built applications to external destinations when set to Yes. When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.
Encryption of the pasted content depends upon the configurations for authentication and SSO. If you enable authentication and SSO, the system encrypts the content with a user pin-based key. Otherwise, the system encrypts content with a randomly generated key.
The system migrates the setting configured previously in the option to Enable Copy and Paste to this feature.
Enable Copy and Paste Into Allows users to copy and paste content from external destinations into SDK-built applications when set to Yes. When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.
Enable Data Backup Allows wrapped iOS applications to sync data with a storage service like iCloud when set to Yes. Enable Location Services Allows wrapped applications to receive the latitude and longitude of the device when set to Yes. Enable Printing Allows an application to print from devices when set to Yes. Enable Screenshot Allows applications to access screenshot functionality on devices when set to Yes. Enable Third-Party Keyboards On iOS devices when set to No, SDK-built applications always open in the native keyboard and prevent the use of third-party keyboards. On Android devices when set to No and the user did not set the system keyboard as the primary keyboard, SDK-built applications prevent user access.
Enable Watermark Displays text in a watermark in documents in the VMware Content Locker when set to Yes. Enter the content to display in the Overlay Text text box or use lookup values. You cannot change the design of a watermark from the Workspace ONE UEM console.
Limit Documents to Open Only in Approved Apps Enter options to control the applications used to open resources on devices. Allowed Applications List Enter the applications that you allow to open documents. - Network Access Control
Setting Description Allow Cellular Connection Controls cellular connections by allowing them all the time, allowing connections when the device is not roaming, or never allowing cellular connections. Allow Wi-Fi Connection Allows connections using Wi-Fi networks, or limits connections by Service Set Identifier (SSID). Allowed SSIDs Enter the Service Set Identifiers (SSIDs) that devices can use to access the Wi-Fi network during limiting connections.