Access policies

A Verify access policy is a combination of rules that controls the users' access to a Verify resource, based on defined conditions. Verify includes predefined access policies. Associate an access policy to an application to define how users can access it, including whether a second factor authentication (2FA) is required.

Access policies can be associated with the following resources:
  • Applications that are integrated with Verify and accessible from the Verify user home page.

Only entitled users can access the application. If the user is not entitled to the application, the user is automatically denied access to that application regardless of the other conditions.

You can control how users can access an application from desktops and mobile devices. Desktops include laptops and Microsoft tablets. Mobile devices include phones and tablets that use iOS and Android operating systems.

A mobile device can be:
  • Managed and compliant

    The mobile device is enrolled in a device manager and complies with the device manager IT policy.

  • Managed and non-compliant

    The mobile device is enrolled in a device manager, but it is not compliant with the device manager IT policy.

  • Unmanaged

    The mobile device is not enrolled in a device manager, so it is unmanaged.

Note: Jamf does not provide device compliance status. The compliance status for Jamf enrolled devices is shown as UNKNOWN.

You can enforce the following actions on the access request:
  • Allow access from the device.

    The users are redirected to the Verify Sign In page to specify their login credentials.

  • Require users to complete a second factor authentication.

    The users are redirected to the Verify Sign In page to specify their login credentials and then their one-time password. The one-time password is required either every time the users access an application on the device, or one time only, on the first access attempt in an authenticated session with Verify.

  • Block access from the device.

The following table summarizes the rules that are associated with each access policy: the rule for sign-on access from a desktop device and the rule for each state of the mobile device.

Table 1. Access policy rules based on the device

| Policy ID | Desktop | Mobile: managed, compliant | Mobile: managed, non-compliant | Mobile: unmanaged |
|---|---|---|---|---|
| 1 | Allow | Allow | Allow | Allow |
| 2 | 2FA always | Allow | Allow | 2FA always |
| 3 | 2FA once per session | Allow | Allow | 2FA once per session |
| 4 | Block | Allow | Block | Block |
| 5 | Allow | Allow | Block | Block |
| 6 | Allow | Allow | Allow | Block |
| 7 | Block | 2FA always | Block | Block |
| 8 | Block | 2FA once per session | Block | Block |
| 9 | Allow | 2FA always | Block | Block |
| 10 | Allow | 2FA once per session | Block | Block |
| 11 | 2FA always | Allow | 2FA always | 2FA always |
| 12 | 2FA once per session | Allow | 2FA once per session | 2FA once per session |
| 13 | 2FA always | Allow | 2FA always | Block |
| 14 | 2FA once per session | Allow | 2FA once per session | Block |
| 15 | 2FA always | Allow | Block | Block |
| 16 | 2FA once per session | Allow | Block | Block |
| 17 | 2FA always | 2FA always | 2FA always | 2FA always |
| 18 | 2FA once per session | 2FA once per session | 2FA once per session | 2FA once per session |
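
Table 1 expressed as a decision function, added here as an illustration; it is not IBM's implementation or API, and the function names, device labels and the session_2fa_done flag are assumptions of this example. It applies the entitlement check first, models the once-per-session 2FA rule, and lists the policies whose outcome differs between compliant and non-compliant devices, which are the ones to review when a device manager reports compliance as UNKNOWN.

```python
# Added example: Table 1 encoded as data. Column order per policy:
# (desktop, managed+compliant, managed+non-compliant, unmanaged)
A, ALWAYS, ONCE, B = "allow", "2fa_always", "2fa_once_per_session", "block"
COLS = ("desktop", "compliant", "non_compliant", "unmanaged")  # labels are assumptions
RULES = {
    1: (A, A, A, A),
    2: (ALWAYS, A, A, ALWAYS),
    3: (ONCE, A, A, ONCE),
    4: (B, A, B, B),
    5: (A, A, B, B),
    6: (A, A, A, B),
    7: (B, ALWAYS, B, B),
    8: (B, ONCE, B, B),
    9: (A, ALWAYS, B, B),
    10: (A, ONCE, B, B),
    11: (ALWAYS, A, ALWAYS, ALWAYS),
    12: (ONCE, A, ONCE, ONCE),
    13: (ALWAYS, A, ALWAYS, B),
    14: (ONCE, A, ONCE, B),
    15: (ALWAYS, A, B, B),
    16: (ONCE, A, B, B),
    17: (ALWAYS,) * 4,
    18: (ONCE,) * 4,
}

def decide(policy_id, device, entitled, session_2fa_done=False):
    """Return 'allow', 'require_2fa' or 'block' for one access request.

    device is one of COLS. session_2fa_done is a hypothetical flag: the user
    already completed 2FA in the current authenticated session.
    """
    if not entitled:  # non-entitled users are denied regardless of other conditions
        return "block"
    rule = RULES[policy_id][COLS.index(device)]
    if rule == ALWAYS:  # prompted on every application access
        return "require_2fa"
    if rule == ONCE:    # prompted only on the first access in the session
        return "allow" if session_2fa_done else "require_2fa"
    return rule         # plain allow or block

def compliance_sensitive():
    """Policy IDs whose rule differs between compliant and non-compliant
    managed devices, i.e. where the reported compliance status matters."""
    return [pid for pid, r in RULES.items() if r[1] != r[2]]
```
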

The following table describes each predefined access policy, including the required subscription.

Table 2. Predefined access policies

Each entry gives the policy ID and policy name, followed by the policy description.

1 Allow access from all devices

Allow users access from desktops and from mobile devices.

The mobile device can be managed or unmanaged by the device manager.

The managed mobile device can be compliant or non-compliant to the device manager IT policy.

2 Allow access from managed mobile devices; others require 2FA

Allow users access from managed mobile devices.

If users access from desktops or from unmanaged mobile devices, the users must complete a second factor authentication every time the users access an application from these devices.

3 Allow access from managed mobile devices; others require 2FA each session

Allow users access from managed mobile devices.

If users access from desktops or from unmanaged mobile devices, prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

4 Allow access from compliant mobile devices only; block otherwise

Allow users access from compliant managed mobile devices.

Deny access from desktops, unmanaged, and non-compliant managed mobile devices.

5 Allow access from desktops and compliant mobile devices; block otherwise

Allow users access from desktops and from compliant managed mobile devices.

Deny access from unmanaged and non-compliant managed mobile devices.

6 Allow access from desktops and managed mobile devices; block otherwise

Allow users access from desktops and from managed mobile devices. Deny access from unmanaged mobile devices.

7 Always require 2FA in compliant mobile devices; block otherwise

Allow access from compliant managed mobile devices but always prompt users to complete a second factor authentication every time the users access an application from these devices.

Deny access from desktops, unmanaged, and non-compliant managed mobile devices.

8 Require 2FA each session in compliant mobile devices; block otherwise

Allow access from compliant managed mobile devices but prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

Deny access from desktops, and from unmanaged or non-compliant managed mobile devices.

9 Allow access from desktops; always require 2FA in compliant mobile devices; block otherwise

Allow users access from desktops by providing user name and password only.

If users access from compliant managed mobile devices, the users must complete a second factor authentication every time the users access an application from these devices.

Deny access from unmanaged and non-compliant managed mobile devices.

10 Allow access from desktops; require 2FA each session in compliant mobile devices; block otherwise

Allow users access from desktops by providing user name and password only.

If users access from compliant managed mobile devices, prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

Deny access from unmanaged and non-compliant managed mobile devices.

11 Allow access from compliant mobile devices only; others require 2FA

Allow users access from compliant managed mobile devices.

If users access from desktops, or from unmanaged or non-compliant managed mobile devices, the users must complete a second factor authentication every time the users access an application from these devices.

12 Allow access from compliant mobile devices only; others require 2FA each session

Allow users access from compliant managed mobile devices.

If users access from desktops or from unmanaged or non-compliant managed mobile devices, prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

13 Allow access from compliant mobile devices only; always require 2FA in desktops and non-compliant mobile devices; block otherwise

Allow users access from compliant managed mobile devices.

If users access from desktops or from non-compliant managed mobile devices, the users must complete a second factor authentication every time the users access an application from these devices.

Deny access from unmanaged mobile devices.

14 Allow access from compliant mobile devices only; require 2FA each session in desktops and non-compliant mobile devices; block otherwise

Allow users access from compliant managed mobile devices.

If users access from desktops or from non-compliant managed mobile devices, prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

Deny access from unmanaged mobile devices.

15 Allow access from compliant mobile devices only; always require 2FA in desktops; block otherwise

Allow users access from compliant managed mobile devices.

If users access from desktops, the users must complete a second factor authentication every time the users access an application from these devices.

Deny access from unmanaged and non-compliant managed mobile devices.

16 Allow access from compliant mobile devices only; require 2FA each session in desktops; block otherwise

Allow users access from compliant managed mobile devices.

If users access from desktops, prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

Deny access from unmanaged and non-compliant managed mobile devices.

17 Always require 2FA in all devices

Always prompt users to complete a second factor authentication every time the users access an application from desktops and from mobile devices.

18 Require 2FA each session in all devices

Prompt users to complete a second factor authentication one-time, on the first access attempt in an authenticated session with Verify.

Second factor authentication is not required on subsequent login to other applications when the users access the applications within the same authenticated session.

If you are configuring access from an unmanaged mobile device, you can choose from the following policies:
  • Allow access from all devices
  • Allow access from managed mobile devices; others require 2FA
  • Allow access from managed mobile devices; others require 2FA each session
  • Allow access from compliant mobile devices only; others require 2FA
  • Allow access from compliant mobile devices only; others require 2FA each session

Note: The users cannot single sign-on to the native application on the mobile device; the users are redirected to the Verify Sign In page instead. Depending on the configured access policy, the users might be required to specify a one-time password.