An app policy is an application security policy which allows you to define the security requirements for a specific app. With an app policy, admins can require multi-factor authentication, specify whitelisted IP addresses, and more.
To set up an app policy that fits your needs, you have several options:
- Add a multi-factor authentication (MFA) requirement to authenticate login for specific apps
- Bypass MFA if the user has previously authenticated within a defined number of minutes in their session
- Restrict the IP addresses that can access the app
- Name specific IP addresses that can bypass MFA, if MFA is required for the app
By allowing specific apps to have their own MFA policies, you can remove the MFA requirement from individual user policies while still maintaining strong authentication for the applications that require it. Restricting app access to particular IP addresses prevents users from accessing the app from outside your firewall, regardless of their user-based security policy.
You can apply an app policy to an app and apply a role-based app policy for users in a particular role. If users authenticate from a known and trusted IP address, admins can configure the policy to bypass MFA requirements for that address.
Create an app policy
- Go to Settings > Policies and click the New App Policy button.
On the Settings page, name the policy and select your policy options.
IP Address Whitelist: Enter a list of IP addresses, separated by spaces, that can access the apps associated with this policy.
Multi-Factor: Select the checkbox to require MFA verification for this app policy.
Bypass MFA for the following addresses: Enter a list of IP addresses that can bypass MFA requirements to access the apps associated with the policy.
Skip if OTP received within last X minutes: Ask for OTP only if the user hasn't already entered one within the number of minutes you select from the dropdown (when accessing OneLogin to sign into another app, for example).
Apply an app policy
To apply an app policy that applies to all users, go to Apps > Company Apps > App Name and select the Access Control tab.
Select the policy from the dropdown.
After you click Save, your app will adhere to the new security policy.
Add a role-based policy
Instead of applying the same policy to all users of an app, you can specify an alternate policy for a specific role. For example, you can require certain users to provide OTP verification for the app while letting other users sign in with only a user ID and password.
- Go to Apps > Company Apps and select an app. On the Access tab for the app, in the Role-Based Policy section, click Add Role-Specific Policy.
Under Role-Based Policy, select a role and the policy that you want to apply to the role from the dropdowns.
The role must be enabled for the app. You can enable it by clicking the role name under Roles.
Now the users in the selected role will have the access requirements specified by the application security policy you applied to the role, and the users in the other roles with access to the app will have the policy that you enabled under Policy.