Workspace ONE offers many conditional access options. Use VMware Identity Manager as your identity provider (IDP) or use a third-party identity provider to offer the level of authentication that is best for the device, user, and app.

Combine more than one method for extra control. For example, you can set access policies at the app level, set compliance policies at the device level, and use VMware Tunnel to secure the connection between the app and the device.

Access Policies and Compliance Policies

Access policies for web (SaaS) apps include rules that specify the criteria that must be met for access. Criteria include network ranges, device types, authentication methods, and session lengths. Configure these policies in VMware Identity Manager or in Workspace ONE UEM.

The compliance engine in Workspace ONE UEM secures apps and devices and can prevent compromised resources from accessing your network.

VMware Tunnel

The VMware Tunnel provides a secure method for individual apps to access corporate resources. It authenticates and encrypts traffic from individual apps on compliant devices to the back-end system they are trying to reach.


For this method to work, devices must be managed by Workspace ONE UEM.

Certificate-Based Authentication (CBA)

Certificate-based authentication (CBA) requires a certificate from the user to establish trust and allow access to apps. To use this option, ensure that the app supports CBA for the desired platform. Workspace ONE UEM supports numerous certificate authorities, as does VMware Identity Manager.