A client access policy uses Office 365 client authentication credentials to access Office 365 applications in your Workspace ONE deployment. An Office 365 client, such as VMware Boxer, Microsoft Outlook, or the iOS and Android native email clients, collects credentials in its UI to authenticate. A client access policy enables Workspace ONE Access to manage the collected credentials for authentication. Client access policies also enable you to set other access parameters for Office 365 applications. Policies set in a single Office 365 application apply to all Office 365 applications. Any edits to client access policies affect the users' ability to access these applications.
Arrange the client access policies in order because the system enforces policies from top to bottom. The system uses the first policy to authenticate a client or to deny it access.
For example, if you create a policy denying access to all device types and drag it above a policy allowing access for Android devices, the system denies access to all devices that attempt to authenticate with a user name and password. The system does not enforce the policy allowing access to Android devices, because the first policy that matches, the deny policy, takes precedence.
You can add Office 365 applications to the Workspace ONE UEM console so that you can control access with client access policies.
Complete the options on the Definition tab.
| Setting | Description |
|---|---|
| Search | Enter Office 365 to see a list of available applications. |
| Name | Enter or view a name for the SaaS application. |
| Description | (Optional) Provide a description of the application. Often, this text box pre-populates. |
| Icon | (Optional) If an icon does not pre-populate, select an icon. |
| Category | (Optional) Assign categories to help users sort and filter the application in the Workspace ONE catalog. Configure categories in Workspace ONE Access so that they display in the category list. |
Complete the options on the Configuration tab.
Office 365 applications use WSFed 1.2 as the Authentication Type to provide single sign-on.
| Setting | Description |
|---|---|
| Target URL | Enter the URL to direct users to the SaaS application on the Internet. |
| Single Sign-On URL | Enter the Assertion Consumer Service (ACS) URL. Workspace ONE sends this URL to your service provider for single sign-on. |
| Application ID | Enter the ID that identifies your service provider tenant to Workspace ONE. Workspace ONE sends the SAML assertion to the ID. Some service providers use the Single Sign-On URL. |
| Username Format | Select the format required by the service provider for the SAML subject format. |
| Username Value | Enter the Name ID Value that Workspace ONE sends in the SAML assertion's subject statement. This value is a default profile text box value for a username at the application service provider. |
Add values for Application Parameters to allow the application to start.
If you want greater control of messaging in single sign-on processes with Workspace ONE, add Advanced Properties for WSFed 1.2.
| Setting | Description |
|---|---|
| Credential Verification | Select the method for credential verification. |
| Signature Algorithm | Select the signature algorithm that matches the digest algorithm. If your service provider supports SHA256, select this algorithm. |
| Digest Algorithm | Select the digest algorithm that matches the signature algorithm. If your service provider supports SHA256, select this algorithm. |
| Assertion Time | Enter the number of seconds for which the assertion that Workspace ONE sends to the service provider for authentication remains valid. |
| Custom Attribute Mapping | If your service provider allows custom attributes other than the ones for single sign-on, add them. |
Assign policies to secure signing in to application resources with Access Policies.
| Setting | Description |
|---|---|
| Access Policy | Select a policy for Workspace ONE to use to control user authentication and access. The default access policy is available if you do not have custom access policies. You can configure these policies in the UEM console. |
| Open in VMware Browser | Require Workspace ONE to open the application in the VMware Browser. If you use VMware Browser, opening SaaS applications within it adds extra security. This action keeps access within internal resources. |
| License Approval Required | Require approvals before the application installs and activates a license. Complete the related license settings: License Pricing (select the pricing model used to buy licenses for the SaaS application), License Type (select the user model for the licenses, named or concurrent users), Cost Per License (enter the price per license), and Number of Licenses (enter the number of licenses bought for the SaaS application). Configure the corresponding Approvals in the Settings section of SaaS applications. |
Add Client Access Policies for Office 365 clients. A client access policy allows Workspace ONE Access to manage the Office 365 client UI credentials collected for authentication. Some client examples include VMware Boxer and Microsoft Outlook. Select Add Policy Rule and complete the settings.
| Setting | Description |
|---|---|
| If the user's client is | Select an available Office 365 client. |
| And a user's network range is | Select a network range previously configured in the network ranges process. |
| And the user's device type is | Select the allowed device platform for access. |
| And user belongs to group(s) | Select user groups allowed to access content according to the criteria in this policy. If you select no groups, the policy applies to all users. |
| And the client's email protocol is | Select the allowable protocol for the Office 365 client. |
| Then perform this action | Allow or deny access to Office 365 applications. |
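The top-to-bottom, first-match enforcement described earlier (a deny-all rule dragged above an allow-Android rule hides the allow) and the rule conditions in the table above, modelled as an added Python example; this is not Workspace ONE code or part of this documentation. The Rule and Request classes, the sample values and the fail-closed result when no rule matches are assumptions of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One policy rule; None or an empty list means the condition is 'any'."""
    action: str                                  # "allow" or "deny"
    client: Optional[str] = None                 # Office 365 client name
    network_ranges: list = field(default_factory=list)  # CIDR strings
    device_type: Optional[str] = None            # device platform
    groups: list = field(default_factory=list)   # empty = all users
    email_protocol: Optional[str] = None         # client's email protocol

@dataclass
class Request:
    client: str
    ip: str
    device_type: str
    groups: list
    email_protocol: str

def matches(rule: Rule, req: Request) -> bool:
    """True when every condition set on the rule holds for the request."""
    if rule.client is not None and rule.client != req.client:
        return False
    if rule.network_ranges and not any(
            ip_address(req.ip) in ip_network(c) for c in rule.network_ranges):
        return False
    if rule.device_type is not None and rule.device_type != req.device_type:
        return False
    if rule.groups and not set(rule.groups) & set(req.groups):
        return False
    if rule.email_protocol is not None and rule.email_protocol != req.email_protocol:
        return False
    return True

def evaluate(rules: list, req: Request) -> tuple:
    """Walk rules top to bottom; the first match decides -> (action, index)."""
    for i, rule in enumerate(rules):
        if matches(rule, req):
            return rule.action, i
    return "deny", None  # no match: assumed fail-closed in this model only

# Constructed sample reproducing the ordering pitfall described in the text.
DENY_ALL = Rule(action="deny")
ALLOW_ANDROID = Rule(action="allow", device_type="Android")
ANDROID_USER = Request(client="VMware Boxer", ip="10.0.0.5", device_type="Android",
                       groups=["sales"], email_protocol="ActiveSync")
```

With DENY_ALL first, evaluate returns ("deny", 0) for the Android user; swapping the two rules returns ("allow", 0), which is the effect of dragging a policy in the list.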
View the Summary for the SaaS application and move to the assignment process.
Provisioning provides automatic application user management from a single location. Provisioning adapters allow Web applications to retrieve specific information from the Workspace ONE UEM service as required. If provisioning is enabled for a Web application, when you entitle a user to the application in the Workspace ONE UEM service, the user is provisioned in the Web application. The Workspace ONE UEM service currently includes provisioning adapters for Microsoft Office 365. Complete the following steps to configure the Provisioning Adapter for Office 365.
In the Provisioning tab, select Enable Provisioning, and enter the following information.
| Setting | Description |
|---|---|
| Office 365 Domain | Enter the Office 365 domain name, for example, example.com. Users are provisioned under this domain. |
| Application Client ID | Enter the AppPrincipalId obtained when creating the service principal user. |
| Application Client Secret | Enter the password created for the service principal user. |
By default, Provision With License is disabled. On selecting Provision With License, you can enter the following information.
| Setting | Description |
|---|---|
| SKU ID | Enter the SKU information. |
| Remove License When De-Provisioned | Select this option if you want to remove the license when you deprovision the Office 365 application. |

To verify that the Office 365 tenant can be reached, select Test Connection.
In the User Provisioning tab, select the attributes with which to provision users in Office 365. Make sure that the following required Active Directory attributes are configured to one of the required attribute names in the User Attributes page.
The UserPrincipalName (UPN) is constructed automatically; you do not see the mapped value. The provisioning adapter appends the Office 365 domain to the mailNickname attribute value (user.userName) to create the UPN, in the form user name + @ + O365_domainname. For example, firstname.lastname@example.org.
In the Group Provisioning screen, you can complete the Group Provisioning task. When a group is provisioned in Office 365, the group is provisioned as a security group. The members of the group are provisioned as users, if they do not exist in the Office 365 tenant. The group is not entitled to resources when provisioned. If you want to entitle the group to resources, create the group and then entitle resources to that group. Select Add Group and complete the following steps.
Select Next to view the Summary tab.