To provide secure access to SaaS applications, you configure access policies. Access policies include rules that specify criteria that must be met to sign in to the Workspace ONE portal and to use applications.

For details about access policies in the Workspace ONE UEM system, see Workspace ONE Access and search for Managing Access Policies.

Flexibility of Access Policies

Access policies allow lenient control in the network and restrict access out of the network. For example, you can configure one access policy with the following rules.

  • Allow a network range access with single sign-on within the company network.
  • Configure the same policy to require multi-factor authentication (MFA) when off the company network.
  • Configure the policy to allow access to a specific user group with a specific device-ownership type. It can block access to others not in the group.

Default Access Policy and Application-Specific Access Policies

Default Access Policy - The Workspace ONE Access service and the Workspace ONE UEM console include a default policy that controls access to SaaS applications as a whole. This policy allows access to all network ranges, from all device types, for all users. You can edit the default access policy but you cannot delete it.

Important: Edits to the default access policy apply to all applications and can impact all users ability to access Workspace ONE.

Add Network Ranges for Access Policies

Define network ranges with IP addresses allowed for user logins to SaaS applications. Assign these ranges when you apply access rules to SaaS applications. You need the network ranges for your Workspace ONE Access deployment and your Workspace ONE UEM deployment. The organization's network department usually has the network topology.

  1. Navigate to Resources > Apps > Access Policies > Network Ranges.
  2. Select a name and edit the range or select Add Network Range.
  3. Complete the options for defining ranges.

    Setting Description
    Name Enter a name for the network range.
    Description Enter a description for the network range.
    IP Ranges Enter IP addresses that include the applicable devices in the range.
    Add Row Define multiple IP ranges.

Configure Application-Specific Access Policies

You can add application-specific access policies to control user access to SaaS applications.

  1. Navigate to Resources > Apps > Access Policies > Add Policy.
  2. Complete the options on the Definition tab

    Setting Description
    Policy Name Enter a name for the policy. Allowable name criteria include the listed parameters.Begin with a letter, either lowercase or uppercase, from a-Z. Include other letters, either lowercase or uppercase, from a-Z. You can also include dashes and numbers.
    Description (Optional) Provide a description of the policy.
    Applies to Select SaaS applications to which you want to assign the policy.
  3. Complete the options on the Configuration tab and select Add Policy Rule or edit an existing policy.

    Setting Description
    If a user's network range is Select a network range previously configured in the network ranges process.
    And user accessing content from Select device types allowed to access content according to the criteria in this policy.
    and user belongs to group(s) Select user groups allowed to access content according to the criteria in this policy. If you select no groups, the policy applies to all users.
    Then perform this action Allow authentication, deny authentication, or allow access with no authentication.
    then the user might authenticate using Select the initial authentication method for accessing content.
    If the preceding method fails or is not applicable, then Select a fallback method for authenticating to content in case the initial method fails.
    Add fallback method Add another authentication method. The system processes methods from the top down, so add them in the order you want the system to apply them.
    Reauthenticate after Select the length of an allowable access session before the user must reauthenticate to access the content.
  4. View the Summary for the application-specific access policy.

SSO Between Workspace ONE UEM and Workspace ONE Access for SaaS Apps and Access Policies

The Workspace ONE UEM console and the Workspace ONE Access use an authorization code work flow that allows access to the Workspace ONE Access console through the Workspace ONE UEM console and that allows admins to work on SaaS application configurations. This flow is specific to SaaS applications and access policies in Workspace ONE UEM. Additions and edits made in Workspace ONE UEM are reflected in Workspace ONE UEM.

Register the OAuth Client During Setup

When you set up Workspace ONE Access in the Workspace ONE UEM console, you register the OAuth client as part of the setup wizard. The OAuth client registration is a prerequisite for this SSO feature to work.


Workspace ONE Access and Workspace ONE UEM work in the back-end to authenticate the Workspace ONE UEM admin to Workspace ONE Access. The Workspace ONE Access console passes an ID token to Workspace ONE UEM. This token contains information about the admin and the authentication so that the admin can access both consoles. The two consoles follow the depicted process.

Work flow depicting SSO communication

check-circle-line exclamation-circle-line close-line
Scroll to top icon