To provide secure access to SaaS applications, you configure access policies. Access policies include rules that specify criteria that must be met to sign in to the Workspace ONE portal and to use applications.
For details about access policies in the Workspace ONE UEM system, see Workspace ONE Access and search for Managing Access Policies.
Access policies let you apply lenient controls to sign-ins from inside the network and stricter controls to sign-ins from outside it. For example, you can configure one access policy with the following rules.
Default Access Policy - The Workspace ONE Access service and the Workspace ONE UEM console include a default policy that controls access to SaaS applications as a whole. This policy allows access to all network ranges, from all device types, for all users. You can edit the default access policy but you cannot delete it.
Important: Edits to the default access policy apply to all applications and can impact all users' ability to access Workspace ONE.
Define network ranges with IP addresses allowed for user logins to SaaS applications. Assign these ranges when you apply access rules to SaaS applications. You need the network ranges for your Workspace ONE Access deployment and your Workspace ONE UEM deployment. The organization's network department usually has the network topology.
Complete the options for defining ranges.

| Option | Description |
|---|---|
| Name | Enter a name for the network range. |
| Description | Enter a description for the network range. |
| IP Ranges | Enter IP addresses that include the applicable devices in the range. |
| Add Row | Define multiple IP ranges. |
You can add application-specific access policies to control user access to SaaS applications.
Complete the options on the Definition tab.

| Option | Description |
|---|---|
| Policy Name | Enter a name for the policy. The name must begin with a letter (a-z or A-Z) and can contain further letters (a-z or A-Z), numbers, and dashes. |
| Description | (Optional) Provide a description of the policy. |
| Applies to | Select the SaaS applications to which you want to assign the policy. |
Complete the options on the Configuration tab and select Add Policy Rule or edit an existing policy.

| Option | Description |
|---|---|
| If a user's network range is | Select a network range previously configured in the network ranges process. |
| And user accessing content from | Select the device types allowed to access content according to the criteria in this policy. |
| and user belongs to group(s) | Select the user groups allowed to access content according to the criteria in this policy. If you select no groups, the policy applies to all users. |
| Then perform this action | Allow authentication, deny authentication, or allow access with no authentication. |
| then the user might authenticate using | Select the initial authentication method for accessing content. |
| If the preceding method fails or is not applicable, then | Select a fallback method for authenticating to content in case the initial method fails. |
| Add fallback method | Add another authentication method. The system processes methods from the top down, so add them in the order you want the system to apply them. |
| Reauthenticate after | Select the length of an allowable access session before the user must reauthenticate to access the content. |
View the Summary for the application-specific access policy.
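The rule fields above combine in a specific way: rules are tried from the top down, the first rule whose network range, device type and group conditions all match decides the action, an empty group selection means "all users", and the authentication methods are tried in the order listed. The following is an added example, not Workspace ONE code, that models those semantics so the behaviour can be seen on sample input; the policy name, network ranges, group names and method labels are constructed for illustration.

```python
"""Added example, not Workspace ONE code: a small model of how the policy
rule fields combine. All names, ranges, groups and method labels below
are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NetworkRange:
    """A named set of IP ranges, as defined in the network ranges step."""
    name: str
    cidrs: list

    def contains(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in ip_network(c) for c in self.cidrs)


@dataclass
class PolicyRule:
    network_range: Optional[NetworkRange]   # None models "all network ranges"
    device_types: Optional[set]             # None models "all device types"
    groups: set                             # empty set: the rule applies to all users
    action: str                             # "allow", "deny" or "allow_no_auth"
    auth_methods: list = field(default_factory=list)  # initial method first, fallbacks in order
    reauth_after_hours: Optional[int] = None

    def matches(self, src_ip: str, device_type: str, user_groups: set) -> bool:
        if self.network_range is not None and not self.network_range.contains(src_ip):
            return False
        if self.device_types is not None and device_type not in self.device_types:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        return True


@dataclass
class AccessPolicy:
    name: str
    rules: list   # evaluated top down; the first matching rule decides


def evaluate(policy: AccessPolicy, src_ip: str, device_type: str, user_groups) -> Optional[dict]:
    """Return the decision of the first matching rule, or None when no rule matches."""
    groups = set(user_groups)
    for index, rule in enumerate(policy.rules):
        if rule.matches(src_ip, device_type, groups):
            return {
                "rule": index,
                "action": rule.action,
                "auth_methods": list(rule.auth_methods),
                "reauth_after_hours": rule.reauth_after_hours,
            }
    return None


def example_policy() -> AccessPolicy:
    """Constructed sample: lenient inside the corporate ranges, restrictive outside."""
    corporate = NetworkRange("Corporate", ["10.0.0.0/8", "192.168.0.0/16"])
    return AccessPolicy("Finance app policy", [
        # Inside the network, any user on a browser: password only, 8-hour session.
        PolicyRule(corporate, {"Web Browser"}, set(), "allow",
                   ["Password"], reauth_after_hours=8),
        # Outside the network, admins only: certificate first, password as fallback, 2-hour session.
        PolicyRule(None, {"Web Browser"}, {"admins"}, "allow",
                   ["Certificate", "Password"], reauth_after_hours=2),
        # Everything else (other device types, non-admins outside the network) is denied.
        PolicyRule(None, None, set(), "deny"),
    ])


if __name__ == "__main__":
    policy = example_policy()
    for ip, dev, grp in [("10.1.2.3", "Web Browser", {"staff"}),
                         ("203.0.113.5", "Web Browser", {"admins"}),
                         ("203.0.113.5", "Web Browser", {"staff"})]:
        print(ip, dev, sorted(grp), "->", evaluate(policy, ip, dev, grp))
```

Because the first match wins, a permissive rule placed above a restrictive one silently shadows it; when reviewing a policy, read the rules in the order the console lists them and check that the catch-all deny (or the default policy) is what remains for anything the earlier rules do not cover.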
The Workspace ONE UEM console and Workspace ONE Access use an authorization code workflow that allows access to the Workspace ONE Access console through the Workspace ONE UEM console and lets admins work on SaaS application configurations. This flow is specific to SaaS applications and access policies in Workspace ONE UEM. Additions and edits made in Workspace ONE UEM are reflected in Workspace ONE Access.
When you set up Workspace ONE Access in the Workspace ONE UEM console, you register the OAuth client as part of the setup wizard. The OAuth client registration is a prerequisite for this SSO feature to work.
Workspace ONE Access and Workspace ONE UEM work in the back end to authenticate the Workspace ONE UEM admin to Workspace ONE Access. The Workspace ONE Access console passes an ID token to Workspace ONE UEM. This token contains information about the admin and the authentication so that the admin can access both consoles. The two consoles follow the depicted process.
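The console that receives the ID token can only trust the admin identity it carries after checking who issued it, whom it was issued for, whether it is still valid and whether it was tampered with. The following is an added example, not Workspace ONE code, of those checks. It assumes an OIDC-style JWT ID token, which the page does not state; the issuer URL, OAuth client ID and signing secret are constructed sample values, and HS256 with a shared secret stands in for the issuer's real signing key so that the example runs offline.

```python
"""Added example, not Workspace ONE code: the checks a relying console makes
on an ID token before trusting its claims about an admin. Assumes an
OIDC-style JWT; issuer, audience and secret are constructed sample values."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://access.example.com"   # constructed issuer URL
AUDIENCE = "uem-console-client-id"      # constructed OAuth client ID registered in the setup wizard
SECRET = b"example-shared-secret"       # constructed; a real issuer would use an asymmetric key


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256-signed JWT from the given claims (stand-in for the issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(token: str, issuer: str = ISSUER, audience: str = AUDIENCE,
                    secret: bytes = SECRET, now: float = None) -> dict:
    """Return the claims of a valid token; raise TokenError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm: never let the token choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("token expired or has no exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("token not yet valid")
    return claims


def token_is_valid(token: str, now: float = None) -> bool:
    """Boolean convenience wrapper around verify_id_token."""
    try:
        verify_id_token(token, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin@example.com",
                           "iat": issued, "exp": issued + 300})
    print(verify_id_token(token))
```

The order of the checks matters: the signature is verified before any claim is read, so a forged payload is rejected without being parsed into a decision, and the algorithm is fixed by the verifier rather than taken from the token header.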