Security Policies profiles offer security controls for SDK-built apps. Control security with authentication methods, tunneling app traffic, and restricting access to features with data loss prevention.

Navigation

Find settings in Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

Force Token For App Authentication

This setting controls how the system allows users to access SDK-built applications, either initially or through a forgot-passcode procedure. When enabled, the system forces the user to generate an application token through the Self-Service Portal (SSP) and does not allow username and password. This setting does not force the reset of the enrollment token.

Authentication Type

Select an authentication type that meets the security needs of your network. The passcode gives device users flexibility while user name and password offers compatibility with the Workspace ONE UEM system. If security is not an issue, then you do not have to require an authentication type.
Table 1. Descriptions of Authentication Items
Setting Description
Passcode Designates a local passcode requirement for supported applications. Device users set their passcode on devices at the application level when they first access the application.
User name and Password Requires users to authenticate to supported applications using their Workspace ONE UEM credentials. Set these credentials when you add users in the Accounts page of the Workspace ONE UEM console.
Disabled Requires no authentication to access supported applications.
Passcode Setting Description
Passcode Enable this option to require a local passcode requirement.
Authentication Timeout Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials.

On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.

Maximum Number Of Failed Attempts Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error.

Actions depend on the platform.

  • Android – The system performs an enterprise wipe on the device.
  • iOS – The system performs an enterprise wipe on the device.
Passcode Mode Select an option depending on your security needs and the platform.
  • Numeric
    • Android - You can enter only numbers.
    • iOS - You can enter numbers and letters.
  • Alphanumeric
    • Android - You can enter numbers and letters.
    • iOS - You can enter numbers and letters.
Allow Simple Value Set the passcode to allow simple strings. For example, allow strings like 1234 and 1111.
Minimum Passcode Length Set the minimum number of characters for the passcode.
Minimum Number Of Complex Characters (if Alphanumeric is selected) Set the minimum number of complex characters for the passcode. For example, allow characters like [], @, and #.
Maximum Passcode Age (days) Set the number of days the passcode remains valid before you must change it.
Passcode History Set the number of passcodes the Workspace ONE UEM console stores so that users cannot use recent passcodes.
Biometric Mode Select the system used to authenticate for access.
  • Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application.
  • Disabled – Does not require biometric authentication systems to access the application.
Username and Password Setting Description
Username and Password Enable this option to set authentication to use the Workspace ONE UEM credentials.
Authentication Timeout Define the time elapsed, ranging from the last successful authentication to the value set here, that triggers the system to prompt for Workspace ONE UEM credentials.

On newer Android applications, authentication timeout prompts for credentials when the session is inactive for the set time.

Maximum Number Of Failed Attempts Set the maximum times, a user can log in, with an incorrect passcode before the system throws an error.
Actions depend on the platform.
  • Android – The system performs an enterprise wipe on the device.
  • iOS – The system performs an enterprise wipe on the device.
Biometric Mode Select the system used to authenticate for access.
  • Enabled – Allow the use of Fingerprint, Touch ID, or Face ID for authentication to the application.
  • Disabled – Does not require biometric authentication systems to access the application.
Disabled Setting Description
Disabled Select to require no authentication to access the application.

Authentication Type and SSO

Authentication Type and SSO can work together or alone.

  • Alone – If you enable an Authentication Type (passcode or user name/password) without SSO, then users must enter a separate passcode or credentials for each individual application.
  • Together – If you enable both Authentication Type and SSO, then users enter either their passcode or credentials (whichever you configure as the Authentication Type) once. They do not have to reenter them until the SSO session ends.

Single Sign-On

If you want to require an SSO passcode on devices, set Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric.

Using either the Workspace ONE Intelligent Hub or Workspace ONE as a "broker application," end users can authenticate once using either their normal credentials or an SSO passcode. They gain access to other applications so long as the SSO session is active.

If you enable SSO but do not enable an Authentication Type, the system does not prompt end users with any recurring authentication. An exception to this behavior occurs when end users must authenticate during an initial installation of the application. They use their normal credentials to authenticate in this instance.

SSO Session

A single sign-on (SSO) session establishes when a user authenticates with an application participating in an SSO. The session is active until the it reaches the Authentication Timeout value or until the user manually locks the application. Control this behavior with the Workspace ONE Intelligent Hub and the SDK profile.

When using the Workspace ONE Intelligent Hub as a "broker application" for features such as SSO, configure the Workspace ONE Intelligent Hub with the applicable SDK profile. If you are using the default SDK profile, ensure that the Workspace ONE Intelligent Hub is configured to use this profile. If you do not set the Workspace ONE Intelligent Hub to use the default SDK profile, then the system does not apply your configurations you configure in the Settings and Policies section.

SSO and System Login Behavior for iOS Applications

SSO Enabled - The authentication process to an application with Workspace ONE UEM SSO enabled includes two phases: accessing the app and securing persistent access.
  1. Identify user for app access - The first phase ensures that the user's credentials are valid. The system identifies the user first by silent login. If the silent login process fails, then the system uses a configured, authentication system. Workspace ONE UEM supports username and password, token, and SAML.
  2. Secure persistent app access - The second phase grants the user access to the application and keeps the session live with a recurring authentication process. Workspace ONE UEM supports passcode, username and password, and no authentication (disabled).
Authentication Behavior - The SSO configuration controls the login behavior users experience when they access applications. The authentication setting and the SSO setting affect the experience of accessing the application.
Table 2. Login Behavior for Users when Passcode is Set for SSO
Authentication Phase SSO Enabled SSO Disabled
Identify
  • Silent login: The system registers credentials with the managed token for MDM.

    If silent login fails, the system moves to the next identification process.

  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).
  • Silent login: The system registers credentials with the managed token for MDM.

    If silent login fails, the system moves to the next identification process.

  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).
Secure
  • Prompt if passcode exists: The system does not prompt for the passcode if the session instance is live.
  • Prompt if passcode does not exist: The system prompts users to create a passcode.
  • Session shared: The system shares the session instance across applications configured with Workspace ONE UEM SSO enabled.
  • Prompt if passcode exists: The system prompts users the application passcodes.
  • Prompt if passcode does not exist: The system prompts users to create a passcode.
  • Session not shared: The system does not share the session or the passcode with other applications.
Table 3. Login Behavior for Users when Username and Password is Set for SSO
Authentication Phase SSO Enabled SSO Disabled
Identify
  • Silent login: The system registers credentials with the managed token for MDM.

    If silent login fails, the system moves to the next identification process.

  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).
  • Silent login: The system registers credentials with the managed token for MDM.

    If silent login fails, the system moves to the next identification process.

  • Authenticate: The system prompts for application login credentials.
Secure
  • Prompt: The system does not prompt for the login credentials if the session instance is live.
  • Session shared: The system shares the session instance across applications configured with Workspace ONE UEM SSO enabled.
  • Prompt: The system prompts for the login credentials for the application on every access attempt.
  • Session not shared: The system does not share the session with other applications.
Table 4. Login Behavior for Users when Disabled is Set for SSO
Authentication phase SSO enabled SSO disabled
Identify
  • Silent login: The system registers credentials with the managed token for MDM.

    If silent login fails, the system moves to the next identification process.

  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).
  • Silent login: The system registers credentials with the managed token for MDM.

    If silent login fails, the system moves to the next identification process.

  • Authenticate: The system prompts for application login credentials.
Secure Prompt: The system does not prompt users for authentication. Prompt: The system does not prompt users for authentication.

Integrated Authentication

Allow access to corporate resources, such as content repositories, through the Workspace ONE Intelligent Hub using Workspace ONE UEM SSO credentials.
Setting Description
Enable Kerberos Use your Kerberos system for authenticating to corporate resources and sites.
Use Enrollment Credentials Access corporate resources listed in the Allowed Sites field with the SSO credentials.

Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Use Certificate Upload the Credential Source or set a Defined Certificate Authority to access corporate resources listed in the Allowed Sites text box with the SSO credentials.

Enter systems in the Allowed Sites text box to control access to a specific set of sites and domains. You must complete this setting for Integrated Authentication to work. This setting ensures that Workspace ONE UEM does not expose credentials to non-trusted resources.

Offline Access

The SDK restricts or allows offline access depending on the configurations.
Offline Access Behavior

Enabled

Maximum Period Allowed = time

The SDK allows offline access and then restricts access when time offline meets the maximum period allowed value.

Enabled

Maximum Period Allowed = 0

The SDK allows offline access indefinitely.
Disabled The SDK prevents offline access.

Compromised Protection

Protect your mobile network from compromised resources with an enterprise wipe, It clears privileged corporate data off devices. The system does not perform wipe actions on data unrelated to the enterprise.

AirWatch App Tunnel

Allow an application to communicate through a VPN or reverse proxy to access internal resources, such as a SharePoint or intranet sites. To use Allow all non-FQDN URLs through App tunnel, applications must use Workspace ONE SDK v19.3+ (both Android and iOS Swift).

The Per-App Tunnel provides Device Traffic Rules. Device Traffic Rules allow you to set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps.

Before you can use VMware Tunnel - Proxy or VMware Tunnel menu items, you must install these tunnels. See VMware Tunnel.

If you are switching from VMware Tunnel - Proxy to VMware Tunnel, migrate the App Tunnel URLs entries.

If users access an internal resource through a non-standard port (a port that is not port 80 or 443), explicitly list the port number in the URL you enter in App Tunnel URLs. For example, if the resource URL is data.company.com and it is accessed through port 7777, you must add data.company.com:7777 in the App Tunnel URLs field.

Setting Description
VMware Tunnel

Sets devices to access corporate resources using the Per-App Tunnel component of VMware Tunnel.

For this option to work, install VMware Tunnel.

Also, the Per-App Tunnel component of VMware Tunnel uses rules to set policies for tunneling, blocking, or bypassing specific domains. Ensure that you have setup web and other SDK-enabled apps on the Device Traffic Rules page before enabling it here.

If you have some SDK applications that still use VMware Tunnel - Proxy, enable Tunnel Proxy for Backward Compatibility. This menu item allows those SDK applications that have not migrated to Per-App Tunnel to continue to work using Proxy.

This setting does not act as a backup. If your Tunnel gateway is not available, applications do not fall back to Proxy.

VMware Tunnel - Proxy

Sets devices to access corporate resources using the proxy component of the VMware Tunnel, also called Proxy. Consider migrating to the Per-App Tunnel component for better performance and new features.

For this option to work, install VMware Tunnel. If this feature is not installed and configured, use the UI links to go to the configuration pages.

  • Select Configure VMware Tunnel - Proxy Settings to enable Proxy if you have not already set this feature.
  • Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
    • YES - All non-FQDN URLs use the tunnel.
    • NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
  • To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.

    Use wildcards to allow access to any site with a domain subset. For example, *.<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example > .com.

    If nothing is listed in this text box, all traffic directs through the app tunnel.

Standard Proxy
Sets devices to request resources using a proxy server that allows or denies connections to enterprise systems.
  • To access your internal network, select an App Tunnel Proxy from the menu . Add standard proxies by selecting Configure Standard Proxy Settings.
  • Use Allow all non-FQDN URLs through App tunnel to control traffic to non-FQDN (fully qualified domain name) URLs through the tunnel.
    • YES - All non-FQDN URLs use the tunnel.
    • NO - Only non-FQDN that are explicitly listed in the App Tunnel URLs use the tunnel.
  • To restrict the communication to a set of tunnel domains, enter domains in the App Tunnel URLs text box. All other traffic not listed in this text box, goes directly to the Internet.

    Use wildcards to allow access to any site with a domain subset. For example, *.<example > .com allows traffic to any site that contains .<example > .com in its domain. Similarly, it allows access to any port on that site with an implementation similar to *.<example > .com.

    If nothing is listed in this text box, all traffic directs through the app tunnel.

Migrate Proxy App Tunnel URLs to Per-App Tunnel

If you migrate from VMware Tunnel - Proxy to VMware Tunnel (Per-App Tunnel) and want to keep the domains that use the tunnel, enter the App Tunnel URLs from the Proxy to the Device Traffic Rules settings for Per-App Tunnel.

Go to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies > App Tunnel Mode > VMware Tunnel - Proxy and record the entries in the App Tunnel URLs field.

The Per-App Tunnel provides Device Traffic Rules. Device Traffic Rules allow you to set individual traffic policies for tunneling, blocking, and bypassing traffic for each of your apps.

For information on Device Traffic Rules, access Create Device Traffic Rules.

  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Network Traffic Rules > Device Traffic Rules.
  2. Select the applicable SDK application (like Workspace ONE Web). This configuration differs from the default SDK setting because you need to enter the domains to tunnel by the app rather than as a blanket entry for all SDK-built apps. Use Add to enter multiple applications.
  3. Select Tunnel for the Action.
  4. Enter the app tunnel URLs from the VMware Tunnel - Proxy option in Destination Hostname.Define a default policy for domains that do not match patterns with your destination host names.
  5. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies. select App Tunnel Mode and change from VMware Tunnel - Proxy to VMware Tunnel.

Content Filtering

Integrates your Forcepoint (Websense) content filtering service and the Workspace ONE Web. This integration requires settings on mulitple pages in the console.

This integration requires configurations on different pages in the Workspace ONE UEM console.
  • Third-Party Proxies – Add information on the Third-Party Proxies page for your content filtering system so Workspace ONE UEM can communicate with it. Configure your Forcepoint information in Groups & Settings > All Settings > System > Enterprise Integration > Third Party Proxies.
  • Settings and Policies – Used for content filtering on the Settings and Policies page. Using the Settings and Policies, you can filter traffic in the Workspace ONE Web with the policies and rules set in your Forcepoint service.

Integration results in the system filtering the Workspace ONE Web traffic with the settings in the content filtering system. If you use another application tunnel, Workspace ONE UEM sends data that is not going through your content filtering service to the configured app tunnel.

Geofencing

Restrict access to applications depending on the distances set in Geofencing settings in the Workspace ONE UEM console.

Data Loss Prevention (DLP)

Protect sensitive data in applications. DLP options control how and what data transmits back and forth.
Setting Description
Enable Bluetooth Allows applications to access Bluetooth functionality on devices when set to Yes.
Enable Camera Allows applications to access the device camera when set to Yes.
Enable Composing Email Allows an application to use the native email client to send emails when set to Yes.
Enable Copy and Paste Out Allows users to copy and paste content from SDK-built applications to external destinations when set to Yes.

When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.

Encryption of the pasted content depends upon the configurations for authentication and SSO. If you enable authentication and SSO, the system encrypts the content with a user pin-based key. Otherwise, the system encrypts content with a randomly generated key.

The system migrates the setting configured previously in the option to Enable Copy and Paste to this feature.

Enable Copy and Paste Into Allows users to copy and paste content from external destinations into SDK-built applications when set to Yes.

When you set it to No, the system allows copy and paste only between Workspace ONE UEM applications.

Enable Data Backup Allows wrapped iOS applications to sync data with a storage service like iCloud when set to Yes.
Enable Location Services Allows wrapped applications to receive the latitude and longitude of the device when set to Yes.
Enable Printing Allows an application to print from devices when set to Yes.
Enable Screenshot Allows applications to access screenshot functionality on devices when set to Yes.
Enable Third-Party Keyboards On iOS devices when set to No, SDK-built applications always open in the native keyboard and prevent the use of third-party keyboards.

On Android devices when set to No and the user did not set the system keyboard as the primary keyboard, SDK-built applications prevent user access.

Enable Watermark Displays text in a watermark in documents in the VMware Content Locker when set to Yes.

Enter the content to display in the Overlay Text text box or use lookup values. You cannot change the design of a watermark from the Workspace ONE UEM console.

Limit Documents to Open Only in Approved Apps Enter options to control the applications used to open resources on devices.
Allowed Applications List Enter the applications that you allow to open documents.

Network Access Control

Allow applications to access the mobile network.
Setting Description
Allow Cellular Connection Controls cellular connections by allowing them all the time, allowing connections when the device is not roaming, or never allowing cellular connections.
Allow Wi-Fi Connection Allows connections using Wi-Fi networks, or limits connections by Service Set Identifier (SSID).
Allowed SSIDs Enter the Service Set Identifiers (SSIDs) that devices can use to access the Wi-Fi network during limiting connections.