A client access policy uses Office 365 client authentication credentials to access Office 365 applications in your Workspace ONE deployment. An Office 365 client, such as VMware Boxer, Microsoft Outlook, or the iOS and Android native email clients, collects credentials in its UI to authenticate. A client access policy enables Workspace ONE Access to manage the collected credentials for authentication, and to set other access parameters for Office 365 applications. Policies set in a single Office 365 application apply to all Office 365 applications, so any edit to a client access policy affects users' ability to access every one of those applications.

Order of Client Access Policies

Arrange the client access policies in order, because the system enforces policies from top to bottom. The first policy whose conditions match the sign-in attempt is the one used to authenticate the client or to deny it access; policies below it are not evaluated.

For example, if you create a policy denying access to all device types and drag it above a policy allowing access for Android devices, the system denies access to every device that attempts to sign in with a user name and password, Android devices included. The policy allowing access to Android devices is never reached, because the deny policy above it matches first and takes precedence. After every reordering, check that no broad deny rule sits above the narrower allow rules it is meant to except.

Add Office 365 Applications with a Client Access Policy

You can add Office 365 applications to the Workspace ONE UEM console so that you can control access with client access policies.

  1. Navigate to Resources > Apps > SaaS and select New.
  2. Complete the options on the Definition tab.

    Setting Description
    Search Enter Office 365 to see a list of available applications.
    Name Enter or view a name for the SaaS application.
    Description (Optional) Provide a description of the application. Often, this text box pre-populates.
    Icon (Optional) If an icon does not pre-populate, select an icon.
    Category (Optional) Assign categories to help users sort and filter the application in the Workspace ONE catalog. Configure categories in Workspace ONE Access so that they display in the category list.
  3. Complete the options on the Configuration tab.

    1. Office 365 applications use WSFed 1.2 for Authentication Type to provide single sign-on.

      Setting Description
      Target URL Enter the URL to direct users to the SaaS application on the Internet.
      Single Sign-On URL Enter the Assertion Consumer Service (ACS) URL.
      Workspace ONE sends this URL to your service provider for single sign-on.
      Application ID Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID.
      Some service providers use the Single Sign-On URL.
      Username Format Select the format required by the service providers for the SAML subject format.
      Username Value Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement.
      This value is a default profile text box value for a username at the application service provider.
    2. Add values for Application Parameters to allow the application to start.

    3. If you want greater control of messaging in single sign-on processes with Workspace ONE, add Advanced Properties for WSFed 1.2.

      Setting Description
      Credential Verification Select the method for credential verification.
      Signature Algorithm Select the signature algorithm. It must match the digest algorithm.
      If your service provider supports SHA256, select it; SHA1 is weaker and should be used only when the provider cannot accept SHA256.
      Digest Algorithm Select the digest algorithm. It must match the signature algorithm.
      If your service provider supports SHA256, select it.
      Assertion Time Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider is valid. Keep this short; the validity window is also the replay window for a captured assertion.
      Custom Attribute Mapping If your service provider allows custom attributes other than ones for single sign-on, add them.
    4. Assign policies to secure signing in to application resources with Access Policies.

      Setting Description
      Access Policy Select a policy for Workspace ONE to use to control user authentication and access. The default access policy is available if you do not have custom access policies.
      You can configure these policies in the UEM console.
      Open in VMware Browser Require Workspace ONE to open the application in the VMware Browser. Opening SaaS applications within VMware Browser adds security because access stays within managed internal resources.
      License Approval Required Require approvals before the application installs and activates a license.

      License Pricing - Select the pricing model to buy licenses for the SaaS application.

      License Type - Select the user model for the licenses, named or concurrent users.

      Cost Per License - Enter the price per license.

      Number of Licenses - Enter the number of licenses bought for the SaaS application.

      Configure the corresponding Approvals in the Settings section of SaaS applications.
  4. Add Client Access Policies for Office 365 clients. A client access policy allows Workspace ONE Access to manage the Office 365 client UI credentials collected for authentication. Some client examples include VMware Boxer and Microsoft Outlook. Select Add Policy Rule and complete the settings.

    Settings Description
    If the user's client is Select an available Office 365 client.
    And a user's network range is Select a network range previously configured in the network ranges process.
    And the user's device type is Select the allowed device platform for access.
    And the user belongs to group(s) Select the user groups allowed to access content according to the criteria in this policy.
    If you select no groups, the policy applies to all users.
    And the client's email protocol is Select the allowable protocol for the Office 365 client.
    Then perform this action Allow or deny access to Office 365 applications.
  5. View the Summary for the SaaS application and move to the assignment process.
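The ordering rule described under Order of Client Access Policies and the rule conditions in step 4 can be made concrete with a small model of first-match evaluation. The following is an added example and not Workspace ONE code: the rule fields mirror the console settings (client, network range, device type, groups, email protocol, action), the client, network range and protocol names and the sample sign-in requests are constructed, and treating "no rule matched" as deny is an assumption rather than documented behaviour. It also flags rules that a broader rule above them makes unreachable, which is exactly the deny-above-allow mistake the text warns about.

```python
"""First-match evaluation of ordered client access policy rules.

Added illustration, not Workspace ONE's own code. Rules are walked top to
bottom and the first matching rule decides, as the documentation states.
Client, network range and protocol names, the sample rules and the sample
sign-in requests are constructed; 'deny when nothing matches' is an
assumption, not documented product behaviour.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

CONDITION_FIELDS = ("client", "network_range", "device_type", "protocol")


@dataclass(frozen=True)
class Rule:
    """One 'Add Policy Rule' entry. None means the condition is not restricted."""
    action: str                           # "allow" or "deny"
    client: Optional[str] = None          # e.g. "VMware Boxer"
    network_range: Optional[str] = None   # name of a configured network range
    device_type: Optional[str] = None     # e.g. "Android", "iOS"
    groups: FrozenSet[str] = frozenset()  # empty = applies to all users
    protocol: Optional[str] = None        # e.g. "ActiveSync" (constructed name)

    def matches(self, req: dict) -> bool:
        for f in CONDITION_FIELDS:
            want = getattr(self, f)
            if want is not None and req[f] != want:
                return False
        # No groups selected means the rule applies to every user.
        return not self.groups or bool(self.groups & req["groups"])


def evaluate(rules: List[Rule], req: dict,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index is None if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(req):
            return rule.action, i
    return default, None


def _covers(earlier_value, later_value) -> bool:
    """An earlier condition covers a later one if it is unrestricted or identical."""
    return earlier_value is None or earlier_value == later_value


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every request that matches `later` already matches `earlier`."""
    if not all(_covers(getattr(earlier, f), getattr(later, f)) for f in CONDITION_FIELDS):
        return False
    return not earlier.groups or (bool(later.groups) and later.groups <= earlier.groups)


def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because a rule above them shadows them."""
    return [j for j, later in enumerate(rules)
            if any(shadows(rules[i], later) for i in range(j))]


# Constructed sample rules: the misordered pair from the text and its fix.
DENY_ALL = Rule(action="deny")
ALLOW_ANDROID = Rule(action="allow", device_type="Android")
MISORDERED = [DENY_ALL, ALLOW_ANDROID]   # deny dragged above allow
CORRECTED = [ALLOW_ANDROID, DENY_ALL]    # allow evaluated first

# Constructed sign-in requests as the policy engine would see them.
ANDROID_BOXER = {"client": "VMware Boxer", "network_range": "Corporate",
                 "device_type": "Android", "protocol": "ActiveSync",
                 "groups": frozenset({"Sales"})}
IOS_OUTLOOK = {"client": "Microsoft Outlook", "network_range": "Corporate",
               "device_type": "iOS", "protocol": "ActiveSync",
               "groups": frozenset({"Sales"})}

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "Android/Boxer ->", evaluate(rules, ANDROID_BOXER),
              "iOS/Outlook ->", evaluate(rules, IOS_OUTLOOK),
              "unreachable rules:", unreachable_rules(rules))
```

With the misordered list, the Android request is denied by rule 0 and rule 1 is reported unreachable; with the corrected order, Android is allowed by rule 0 and everything else falls through to the deny rule. Running the shadow check after each reorder in the console is the habit the ordering section is asking for.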

Configure Provisioning Adapter for Office 365 Applications

Provisioning provides automatic application user management from a single location. Provisioning adapters allow Web applications to retrieve specific information from the Workspace ONE UEM service as required. If provisioning is enabled for a Web application, entitling a user to the application in the Workspace ONE UEM service also provisions the user in the Web application. The Workspace ONE UEM service currently includes a provisioning adapter for Microsoft Office 365. Complete the following steps to configure the provisioning adapter for Office 365.

  1. Navigate to Resources > Apps > SaaS and select New.
  2. In the Definition tab browse for Office 365. Complete the Definition tab and Select Next.
  3. Complete the text boxes in the Configuration tab.
  4. Enable Setup Provisioning. By default, provisioning setup is disabled. When you select Setup Provisioning, the Provisioning, User Provisioning, and Group Provisioning tabs are added to the left navigation.
  5. Add Client Access Policies for Office 365 clients.
  6. In the Provisioning tab, select Enable Provisioning, and enter the following information.

    Setting Description
    Office 365 Domain Enter the Office 365 domain name, for example, example.com. Users are provisioned under this domain.
    Application Client ID Enter the AppPrincipalId obtained when you created the service principal.
    Application Client Secret Enter the password (client secret) created for the service principal. This credential lets the adapter create and modify users in your tenant, so treat it as privileged: enter it only in the console and rotate it if it is ever exposed.
  7. By default, Provision With License is disabled. If you select Provision With License, enter the following information.

    Setting Description
    SKU ID Enter the SKU ID of the Office 365 license to assign to provisioned users.
    Remove License When De-Provisioned Select this option to remove the license when a user is deprovisioned from the Office 365 application.
  8. Select Test Connection to verify that the Office 365 tenant can be reached with the credentials you entered.

  9. Select Next.
  10. In the User Provisioning tab, select the attributes with which to provision users in Office 365. Make sure that the following required Active Directory attributes are configured to one of the required attribute names in the User Attributes page.

    • The Mail Nickname attribute must be unique within the directory and cannot contain any special characters. Map the Mail Nickname attribute to user name. Once mapped, do not change the Mail Nickname.
    • The objectGUID attribute is a custom attribute that must first be added to the User Attributes list. The objectGUID is mapped to the GUID attribute.
    • Select Add Mapped Value if you want to add an Attribute Name and Value.

    Note: The UserPrincipalName (UPN) is constructed automatically and does not appear as a mapped value. The provisioning adapter appends the Office 365 domain to the Mail Nickname value (user.userName) to form the UPN as user name + @ + Office 365 domain. For example, the user name jdow in the domain office365example.com produces the UPN jdow@office365example.com.

  11. Select Next.

  12. In the Group Provisioning screen, you can complete the Group Provisioning task. When a group is provisioned in Office 365, the group is provisioned as a security group. The members of the group are provisioned as users, if they do not exist in the Office 365 tenant. The group is not entitled to resources when provisioned. If you want to entitle the group to resources, create the group and then entitle resources to that group. Select Add Group and complete the following steps.

    1. In the Select Group text box, search for the group to be provisioned in Office 365.
    2. In the Mail Nickname text box, enter a name for this group. The nickname is used as an alias. Special characters are not allowed in the nickname.
    3. Select Save. You can later deprovision a group in the Office 365 application: the security group is removed from the Office 365 tenant, but the users in the group are not deleted. To deprovision a group, select the user group and select Deprovision.
  13. Select Next to view the Summary tab.

  14. Select Save to save the configuration, or Save and Assign to deploy Office 365 to the users and groups configured from your Active Directory system.
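Steps 10 and 12 place three constraints on the directory data the adapter consumes: the Mail Nickname (mapped from user name) must be unique and free of special characters, objectGUID must be mapped, and the UPN is formed as user name + @ + Office 365 domain. The following is an added example, not Workspace ONE's or Microsoft's code, that runs those checks over a directory export before provisioning is enabled. Its assumptions: letters, digits, period, hyphen and underscore are the only characters treated as non-special (the page does not define "special characters"), uniqueness is compared case-insensitively, and objectGUID must parse as a UUID. The domain and the user records are constructed sample data.

```python
"""Pre-flight check of the attributes the Office 365 provisioning adapter consumes.

Added illustration, not Workspace ONE's or Microsoft's code. Applies the
documented rules: Mail Nickname unique in the directory and without special
characters, objectGUID present, UPN = user name + "@" + Office 365 domain.
Assumptions: the NICKNAME_RE allow-list defines 'no special characters',
uniqueness is case-insensitive, objectGUID must be a valid UUID.
"""
import re
import uuid
from collections import Counter
from typing import Dict, List, Tuple

O365_DOMAIN = "office365example.com"  # constructed tenant domain

# Assumption: this allow-list is what 'no special characters' means.
NICKNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed directory export: userName is the value mapped to Mail Nickname.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"userName": "jdow", "objectGUID": "0b3e4d2e-5f7a-4c1b-9a2d-1e6f7c8a9b01"},
    {"userName": "asmith", "objectGUID": "7c2f1a9e-3d4b-4e5f-8a6b-2c3d4e5f6a02"},
    {"userName": "JDow", "objectGUID": "9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c03"},     # collides with jdow
    {"userName": "o'brien", "objectGUID": "4a5b6c7d-8e9f-4a1b-9c2d-3e4f5a6b7c04"},  # special character
    {"userName": "tlee", "objectGUID": "not-a-guid"},                               # unusable GUID
    {"userName": "rkim-ext", "objectGUID": "1f2e3d4c-5b6a-4f7e-8d9c-0a1b2c3d4e05"},
]


def build_upn(mail_nickname: str, domain: str) -> str:
    """UPN exactly as the adapter forms it: user name + '@' + Office 365 domain."""
    return f"{mail_nickname}@{domain}"


def _is_uuid(value: str) -> bool:
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def preflight(users: List[Dict[str, str]],
              domain: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (UPNs for users that pass every check, problems keyed by userName).

    Every member of a nickname collision is reported, because the adapter
    would fail on whichever one it provisions second.
    """
    counts = Counter(u["userName"].lower() for u in users)
    upns: Dict[str, str] = {}
    problems: Dict[str, str] = {}
    for u in users:
        name = u["userName"]
        if counts[name.lower()] > 1:
            problems[name] = "Mail Nickname is not unique within the directory"
        elif not NICKNAME_RE.fullmatch(name):
            problems[name] = "Mail Nickname contains special characters"
        elif not _is_uuid(u.get("objectGUID", "")):
            problems[name] = "objectGUID missing or not a valid GUID"
        else:
            upns[name] = build_upn(name, domain)
    return upns, problems


if __name__ == "__main__":
    ok, bad = preflight(SAMPLE_USERS, O365_DOMAIN)
    for name, upn in ok.items():
        print("provision", name, "->", upn)
    for name, why in bad.items():
        print("skip     ", name, ":", why)
```

Run it against the real export before selecting Save and Assign: a collision or a special character found here is one that would otherwise surface as a failed provisioning event after the Mail Nickname mapping is already in place and, per step 10, should not be changed.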