You must edit the policy rules to select the authentication methods you configured in Workspace ONE Access and set the order in which the authentication methods are used for authentication.


  • The authentication methods that your organization supports configured and enabled.
  • Network ranges of defined IP addresses created and assigned to the identity providers.

The Password (Local Directory) authentication method is applied to the System Directory. The default access policy includes a policy rule configured with Password (Local Directory) as a fallback method so that admins can log into the Workspace ONE Access console. See the Workspace ONE Access Administration guide .

Create policy rules that apply to all authentication method in every directory that is configured. If a directory uses an authentication method that is not configured in a policy rule, users in that directory cannot log in.


  1. In the Workspace ONE Access console Identity & Access Management tab, select Manage > Policies.
  2. Click Edit Default Policy.
  3. You can change the policy name to be more specific. For example, Company Basic Access Policy.
    The policy applies to all apps that are in the catalog, unless the app is assigned to a web-specific access policy.
  4. Click Next to open the Configuration page.
  5. Select the rule name to edit, or to add a policy rule, click Add Policy Rule.
    Option Description
    If a user's network range is Verify that the network range is correct, If adding a rule, select the network range.
    and user accessing content from Select the device type that this rule manages. When the Workspace ONE app is used to access Workspace ONE and resources, create the first rule with Workspace ONE app configured as the device type.
    and user belongs to groups If this access rule is going to apply to specific groups, search for the groups in the search box.

    If no group is selected, the access policy rule applies to all users.

    Then perform this action Select Authenticate using....
    then the user may authenticate using Configure the authentication method order. Select the authentication method to apply first.

    To require users to authenticate through two authentication methods, click + and in the drop-down menu select a second authentication method.

    If the preceding methods fails or is not applicable, then Configure fallback authentication methods.
    Re-authenticate after Select the length of the session, after which users must authenticate again.
  6. (Optional) In Advanced Properties, create a custom access denied error message that displays when user authentication fails. You can use up to 4000 characters, which are about 650 words. If you want to send users to another page, in the Custom Error Link URL text box, enter the URL link address. In the Custom Error Link text box, enter the text to describe the custom error link. This text is the link. If you leave this text box blank, the word Continue displays as the link.
  7. Click Next to review the rules and then click Save.

What to do next

Create additional rules, if necessary.

After all the rules are created, order the rules in the list as to how they are applied. If the Workspace ONE app is used to access Workspace ONE and other resources, make sure that the Workspace ONE app is the first rule in the list.

The edited policy rules take effect immediately.

Figure 1. Default Access Policy Configuration