Enabling the Device Compliance (with Workspace ONE UEM) authentication policy in Workspace ONE Access

This is a follow-up from of my previous blogpost “Integrating Workspace ONE UEM with Workspace ONE Access”.

When the Workspace ONE Access and Workspace ONE UEM components are integrated, you can configure a Device Compliance authentication policy in Workspace ONE Access, based on Device Compliance rules you create in Workspace ONE UEM.

This offers an additional layer of security, with this method you are making sure only trusted endpoint devices, which meets your company device compliance rules, are allowed to authenticate and start applications in the Workspace ONE Access portal.

Creating the device Compliance Policy

If not done already, create a new device Compliance Policy in the Workspace ONE UEM Admin Console.

Go to the Devices, Compliance Policies, List View menu. Click Add.

In my case, I’m creating a new Compliance Policy for one of my Window 10 devices.

For this reason, I’m selecting Windows, Windows Desktop

Next, we are asked to choose from a variety of Compliance Policies. The complete list is listed here.

Some of the most common options are:

  • Encryption – To verify if Encryption is enabled on the system drive
  • OS version – To verify if the OS version is at least a certain OS version / build number
  • Passcode – To verify if a device passcode is present
  • AntiVirus – To verify if the AntiVirus status is active

In our example, we are going to choose Firewall Status, to check if the Firewall IS NOT enabled/good on the device.

Of course, you are also able to choose multiple rules.

In the Actions Tab, we must specify an action that will take place, if the device doesn’t meet the compliance.

The complete list per OS type is found here.

Basically, the options are:

  • Application – This option will allow you to Block or Remove Managed Apps
  • Command – Request a device check-in or perform an Enterprise Wipe of the device
  • Notify – Notify the end-user or administrator with a push message, SMS or email (or both)
  • Profile – Install a device compliance profile, which will force the compliance profile to the device, or Block or Remove profiles

In our example, we are going for Notify, send email to the end-user that registered the device.

In the Assignments tab, we are going to push this Compliance Policy to the Smart Group in which the device is enrolled in the Organization Group (OG).

When done, click Finish & Activate.

The device Compliance Policy for the Firewall Status is successfully created!

In our example, we can see in the Devices, List View menu, that one of our devices didn’t meet the Compliance Policy…!

Indeed, it turned out the Firewall was switched off. As defined in the Compliance Policy Actions, I also got an email notification.

As you might have guessed, switching the firewall back on solved the problem!

Enabling the Authentication Method

As stated earlier, with the Workspace ONE UEM and Workspace ONE Access integration we can leverage the Compliance Policy within the Workspace ONE Access Authentication Policy settings.

Before we can configure the authentication policy, we are required to enable the Authentication Method with Device Compliance (With Workspace ONE UEM) first. In the Workspace ONE Access Admin Console, open the Identity & Access Management, Authentication Methods menu.

Scroll down and edit the Device Compliance (with Workspace ONE UEM) authentication method.

Enable the Device Compliance Adapter and hit Save.

Next, in the Identity Providers menu, edit the Built-in IDP and enable the Authentication Method.

Click SAVE. You will see the Built-in IDP is successfully updated.

Creating the Workspace ONE Access Authentication Policy

We are now ready to create the authentication policy based on the device Compliance Policy we’ve created in Workspace ONE UEM!

Before we continue, it’s imported to note that the built-in identity provider authentication methods that can chain with Device Compliance (with Workspace ONE UEM) are:

  • Mobile SSO (for iOS)
  • Mobile SSO (for Android)
  • Certificate (Cloud Deployment) – this can be multiple OS types, including Windows 10.

In Workspace ONE Access, go to Identity & Access Management, Policies.

Add or edit the default policy. Specify in the Configuration for which network range and device type you want to create this policy. In my case, I’m editing the Web browser device type, with all network ranges.

Since I already configured the Certificate (cloud deployment) authentication policy in my previous blogpost, I can click the “+” sign and select the Device Compliance (with Workspace ONE UEM) authentication method as follow-up authentication.

Click SAVE.

The authentication policy is successfully configured and saved!

The end-user experience

It’s time to test the end-user experience with this newly created policy!

Let’s first test from a device that doesn’t meet the device compliance (firewall is switched off)

As expected, we see an Access Denied error right after the certificate authentication.

When we take a closer look at the Workspace ONE Access audit event logs, we see the following error:

“Your device is currently in violation of your organization’s compliance policy”

Let’s now logon from a device that meets the device compliance.

And yes, we are able to log on!

This time, the Workspace ONE audit event logs show a successful device compliance!

This concludes the Device Compliance blogpost!