To provide secure access to the users' Workspace ONE apps portal and to launch web and desktop applications, you configure access policies. Access policies include rules that specify criteria that must be met to sign in to the apps portal and to use resources.

Access policies allow administrators to configure features such as mobile single sign-on, conditional access to applications based on enrollment and compliance status, step-up authentication, and multi-factor authentication.

Policy rules map the requesting IP address to network ranges and designate the type of devices that users can use to sign in. The rule defines the authentication methods and the number of hours the authentication is valid. You can select one or more groups to associate with the access rule.

A broad range of configuration options is available, but this quick start guide describes the enterprise mobility managed and unmanaged tiers of application access.

The default access policy is configured when you run the Configure Mobile Single Sign-on wizard to allow access to all device types that were configured. This policy is considered level 1 access for applications that can be accessed by unmanaged devices.

You can create policies for applications that require restricted access from managed compliant devices. VMware Identity Manager provides various built-in authentication adapters to accomplish this experience. When mobile single sign-on is configured, these authentication methods are enabled.

  • Mobile SSO (for iOS). Kerberos-based adapter for iOS Devices

  • Mobile SSO (for Android). Specially tailored implementation of certificate auth for Android

  • Certificate (Cloud Deployment). Certificate authentication service aimed at Web browsers and desktop devices

  • Password. Allows for authentication of directory passwords with a single connector when VMware Identity Manager and AirWatch are deployed together with both components of the VMware Enterprise Systems Connector

  • Password (AirWatch Connector). Allows for authentication of directory passwords with a single connector when VMware Identity Manager and AirWatch are deployed together using only ACC

  • Device Compliance (with AirWatch). Measures the health of managed devices resulting in a pass or fail based on AirWatch defined criteria. Compliance can be chained with any other built-in adapter except password

Level 1 Default Access Policy for Unmanaged Devices

Use the default access policy as a baseline L1 policy to access all applications. When mobile single sign-on is configured, access rules are created for iOS, Android, and Windows 10 devices. Each device is enabled for single sign-on using the authentication method specific to that device. In each rule, the fallback method is password. This setup provides the best experience for managed devices, while still providing a manual sign-in option for unmanaged devices.

The default policy is configured to allow access to all network ranges. The session timeout is eight hours.

You might want to further secure access for unmanaged devices with VMware Verify or other multi-factor authentication.

Figure 1. Example of the Default Policy for Unmanaged Devices

When the mobile single sign-on wizard is used to configure mobile SSO, the default access policy rules reflect this level of access control.

Configuring Level 2 Policies for Managed Devices

If your organization deploys applications that contain sensitive data, you can restrict access to these applications to only MDM-managed devices. Managed devices can be tracked and wiped, if necessary, and enterprise data are removed when the device is unenrolled.

To enforce this managed requirement on a selection of applications, you create application-specific policies for these applications. When you create the policy, in the Applies to section you select the applications to which this policy applies.

Create a policy rule for each device platform in your deployment. Define the correct SSO authentication method. However, because unmanaged devices should not access these applications, do not define a fallback authentication method. For example, if an unmanaged iOS device tries to connect to an application configured only for managed device access, the device does not respond with the appropriate Kerberos-wrapped certificate. The authentication attempt fails, and the user is not able to access the content.

Figure 2. Example of Level 2 Access Policy for Managed Devices
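
The difference between the Level 1 and Level 2 rules can be checked with a small model. The following is an added example, not VMware code: the `Rule` fields, the first-match rule ordering, and the sample address are assumptions made for illustration, and the layout is not the product's policy schema. It shows an unmanaged iOS device falling back to password under the default policy, being denied under a managed-only policy, and an audit helper that flags rules with a fallback left in place.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of an access rule; the field names are illustrative and
# are not the VMware Identity Manager policy schema.
@dataclass
class Rule:
    network: str               # network range as CIDR
    device_type: str           # "iOS", "Android", ...
    method: str                # SSO authentication method for the platform
    fallback: Optional[str]    # None = no fallback method defined
    session_hours: int = 8     # hours the authentication stays valid

def evaluate(rules, src_ip, device_type, can_present):
    """Apply the first rule matching network range and device type
    (first-match ordering is an assumption of this model). Returns
    (method, session_hours) on success, None when access is denied."""
    for r in rules:
        if r.device_type != device_type:
            continue
        if ip_address(src_ip) not in ip_network(r.network):
            continue
        for m in (r.method, r.fallback):
            if m is not None and m in can_present:
                return m, r.session_hours
        return None  # rule matched, no method satisfied
    return None      # no rule for this network range / device type

def audit_managed_only(rules):
    """Rules that would let an unmanaged device into a managed-only policy."""
    return [r for r in rules
            if r.fallback is not None or r.method.startswith("Password")]

ANY = "0.0.0.0/0"  # all network ranges, as in the default policy
LEVEL1 = [Rule(ANY, "iOS", "Mobile SSO (for iOS)", "Password"),
          Rule(ANY, "Android", "Mobile SSO (for Android)", "Password")]
LEVEL2 = [Rule(ANY, "iOS", "Mobile SSO (for iOS)", None),
          Rule(ANY, "Android", "Mobile SSO (for Android)", None)]

MANAGED_IOS = {"Mobile SSO (for iOS)", "Password"}  # enrolled device
UNMANAGED_IOS = {"Password"}                        # no Kerberos-wrapped certificate

if __name__ == "__main__":
    ip = "203.0.113.10"  # constructed documentation address
    print("L1 unmanaged:", evaluate(LEVEL1, ip, "iOS", UNMANAGED_IOS))
    print("L2 unmanaged:", evaluate(LEVEL2, ip, "iOS", UNMANAGED_IOS))
    print("L2 managed:  ", evaluate(LEVEL2, ip, "iOS", MANAGED_IOS))
    print("L2 audit findings:", len(audit_managed_only(LEVEL2)))
```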