Step 3: Configure Device Trust and Access Policies in VMware for desktop devices
Prerequisites
Step 1: Configure VMware Identity Manager as an Identity Provider in Okta
Step 2: Configure Okta application source in VMware Identity Manager
To configure access policies for desktop devices, you configure identity provider routing rules in Okta and conditional access policies in VMware Identity Manager. The Okta Device Trust solution is not yet available for desktop devices. To configure device trust for desktop devices, you can use Device Compliance as the second-factor authentication method in VMware Identity Manager access policies.
Configure Identity Provider Routing Rules in Okta for Desktop Devices
- In the Okta Admin Console, go to .
- Click the Routing Rules tab.
- Click Add Routing Rule.
- Configure the following:
- Anything. Specifies any user. This is the default.
- Regex on login. Allows you to enter any valid regular expression based on the user login to use for matching. This is useful when specifying the domain, or if a user attribute is not sufficient for matching. For details, see Identity Provider routing rules.
- Domain list on login. Specify a list of the domains to match; for example, example.com. Do not add the @ symbol to the domain name. You can add multiple domains. Note that it is not necessary to escape any characters.
- User attribute. Select an attribute name in the left list, a type of comparison in the Starts with list, and then enter a value that you want to match in text field on the right.
- Click Create Rule.
| Setting | Action |
|---|---|
| Rule Name | Enter a name for the rule you are creating. |
| IF User's IP is | If appropriate for your implementation, you can specify network zones to which the routing does or does not apply. To specify a zone here, at least one network zone must be defined already in Okta. For more information, see Network zones. |
| AND User's device platform is |
Select Any of these devices and then select macOS or Windows, or both, depending on your implementation. |
| AND User is accessing |
Select Any of the following applications and then enter the application(s) to which you want the routing rule to apply. |
| AND User matches |
Select the appropriate action: |
| THEN Use this identity provider | Select the Identity Provider you created in Okta for VMware Identity Manager as detailed in Step 1: Configure VMware Identity Manager as an Identity Provider in Okta. |
Configure Conditional Access Policies in VMware Identity Manager for Desktop Devices
To provide SSO and device trust for desktop devices, additional access policy rules are required in VMware Identity Manager.
Create the access policy for macOS and Windows 10 with Certificate (Cloud Deployment) and Device Compliance as the authentication methods.
- Log in to the VMware Identity Manager console as System administrator.
- Click the Identity & Access Management tab.
- Click the Policies tab.
- Click Add Policy.
- In the Definition page of the wizard, enter the following information.
| Option | Description |
|---|---|
| Policy Name | A name for the policy. |
| Description | A description for the policy. |
| Applies to | Select Okta. This assigns the access policy set to the Okta Application Source. All authentication requests from Okta are evaluated with this policy rule set. |
- Click Next.
- In the Configuration page, click Add Policy Rule and configure the policy rule for Windows 10.
- Set Certificate (Cloud Deployment) as the first authentication method and Device Compliance (with AirWatch) as the fallback authentication method.
- Click Save.
If a user's network range is set to ALL RANGES and the user is accessing content from Windows 10, the user may authenticate using Certificate (Cloud Deployment).
If the preceding method fails or is not applicable, the user will authenticate using Device Compliance (with AirWatch)
- Click Add Policy Rule and configure the policy rule for macOS.
- Set Certificate (Cloud Deployment) as the first authentication method and Device Compliance (with AirWatch) as the fallback authentication method.
- Click Save.
If a user's network range is ALL RANGES and the user is accessing content from macOS, the action Authenticate using is Certificate (Cloud Deployment).
If the preceding method fails or is not applicable, then the authentication falls back to Device Compliance (with AirWatch).
- If you have also configured the mobile version of this integration, you must recreate mobile policies:
-
Create a policy rule for iOS devices with Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.
If a user's network range is ALL RANGES and the user is accessing content from iOS, the action Authenticate using is set to Mobile SSO (iOS).
If the preceding method fails or is not applicable, then the user authenticates with Okta Auth.
-
Create a policy rule for Android devices with Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.
If a user's network range is ALL RANGES and the user is accessing content from Android,the action Authenticate using is set to Mobile SSO (Android).
If the preceding method fails or is not applicable, then the user authenticates with Okta Auth.
-
Create a policy rule for Web browsers with Okta as the authentication method.
If a user's network range is ALL RANGES and the user is accessing content from Web Browser, the action Authenticate using is set to Okta Auth.
- Arrange the policy rules in the following order, listed from top to bottom:
- Workspace ONE App or Hub App
- Windows 10 or Mac OS
- Windows 10 or Mac OS
- iOS or Android
- iOS or Android
- Web browser
This is necessary because the policy rules you created in the previous steps of this procedure override the default access policy you configured in VMware Identity Manager for mobile devices. Therefore, you must add policy rules for iOS, Android, and Web browser to this new policy similar to the rules that you added to the default access policy when you configured this solution for mobile devices.