Application security policies let you apply specific security requirements to individual apps, adding an extra layer of protection. An application security policy defines:
- Whether Multi-Factor Authentication (MFA) is required to authenticate logins to specific apps.
- Whether users can bypass MFA if they have already entered an OTP within a defined number of minutes in their session.
- Restricted IP addresses that limit which addresses are authorized to access the app.
- Specific IP addresses that can bypass MFA, if MFA is required for the app.
By allowing specific applications to have their own MFA policies, you can remove the MFA requirement from individual user policies while still maintaining strong authentication for the applications that require it. Restricting app access to particular IP addresses prevents users from accessing the app from outside your firewall, regardless of their user-based security policy.
You can apply an application security policy to the app users and add an alternate application security policy for users in a particular role. If users authenticate from a known and trusted IP address, admins can configure the policy to bypass MFA requirements for that address.
Create an application security policy
- Go to Settings > Policies and click the New App Policy button.
- On the Settings page, name the policy and select your policy options:
  - Allowed IP Addresses: Enter a list of IP addresses, separated by spaces, that can access the apps associated with this policy.
  - Require MFA verification: Enables MFA verification for this app policy.
  - Bypass MFA for the following addresses: Enter a list of IP addresses, separated by spaces, that can bypass MFA requirements to access the apps associated with the policy.
  - Skip if OTP received within n minutes: Ask for OTP only if the user hasn't already entered one within the number of minutes you select from the drop-down (when accessing OneLogin to sign into another app, for example).
Apply the policy
You can apply an application security policy to all users of an app, and you can add an alternate application security policy for users in a particular role. This section describes how to apply an application security policy to all users of the app. For role-based application policies, see Add a role-based policy.
- Go to Apps > Company Apps > App Name and select the Access Control tab.
- Select the policy from the Policy drop-down.
- Click Save. In our example, the Salesforce app will now adhere to the new security policy and demand an OTP unless the user has already entered one within the last 30 minutes.
Add a role-based policy
Instead of applying the same application security policy to all users of an app, you can specify an alternate policy for a specific role. This enables you to require some users to provide OTP verification for the app, for example, while letting other users sign in with only a user ID and password.
- On the Access tab for the app, click ADD ROLE-SPECIFIC POLICY.
- Under Role-Based Policy, select a role and the policy that you want to apply to the role from the drop-downs.
  The role must be enabled for the app. You can enable it by clicking the role name under Roles.
Now the users in the selected role will have the access requirements specified by the application security policy you applied to the role, and the users in the other roles with access to the app will have the policy that you enabled under Policy.
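To make the decision order concrete, here is an added model of how the policy options above combine at login time, together with the role-based override from this section. It is illustrative code written for this page, not OneLogin's implementation or API; the evaluation order (IP restriction first, then MFA bypass address, then the OTP freshness window), CIDR support in the IP lists, and "first matching enabled role wins" when a user belongs to several roles with role-specific policies are assumptions, and all addresses, role names and timestamps are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AppPolicy:
    """One application security policy, mirroring the options on the Settings page."""
    name: str
    allowed_ips: tuple[str, ...] = ()       # empty tuple = no IP restriction
    require_mfa: bool = False
    mfa_bypass_ips: tuple[str, ...] = ()    # only consulted when require_mfa is True
    skip_otp_minutes: int = 0               # 0 = always ask for OTP when MFA is required


def parse_ip_list(text: str) -> tuple[str, ...]:
    """The UI takes space-separated addresses; CIDR ranges are an assumption of this model."""
    return tuple(text.split())


def _ip_matches(source_ip: str, entries: tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(source_ip)
    for entry in entries:
        try:
            network = ipaddress.ip_network(entry, strict=False)  # accepts "a.b.c.d" or "a.b.c.d/nn"
        except ValueError:
            continue  # a malformed entry never grants access
        if addr in network:
            return True
    return False


def select_policy(app_policy: AppPolicy,
                  role_policies: list[tuple[str, AppPolicy]],
                  user_roles: set[str],
                  roles_enabled_for_app: set[str]) -> AppPolicy:
    """Role-specific policy applies only if the user holds the role AND the role is enabled for the app.
    Otherwise the policy chosen under Policy on the Access Control tab applies.
    Assumption: the first matching role in the given order wins."""
    for role, policy in role_policies:
        if role in user_roles and role in roles_enabled_for_app:
            return policy
    return app_policy


def evaluate(policy: AppPolicy, source_ip: str,
             last_otp_at: datetime | None, now: datetime) -> tuple[str, str]:
    """Return (decision, reason); decision is 'deny', 'allow' or 'challenge_otp'."""
    # 1. IP restriction applies regardless of MFA settings or the user-level policy.
    if policy.allowed_ips and not _ip_matches(source_ip, policy.allowed_ips):
        return ("deny", "ip_not_allowed")
    # 2. No MFA requirement on this app policy: user ID and password are enough.
    if not policy.require_mfa:
        return ("allow", "mfa_not_required")
    # 3. Trusted addresses bypass the MFA prompt (they still had to pass step 1).
    if _ip_matches(source_ip, policy.mfa_bypass_ips):
        return ("allow", "mfa_bypassed_for_ip")
    # 4. Skip the OTP if one was entered within the configured window.
    if (last_otp_at is not None and policy.skip_otp_minutes > 0
            and now - last_otp_at <= timedelta(minutes=policy.skip_otp_minutes)):
        return ("allow", "otp_recent")
    return ("challenge_otp", "mfa_required")


# Constructed scenario: a strict app policy plus a password-only policy for one role.
STRICT = AppPolicy(
    name="Salesforce MFA",
    allowed_ips=parse_ip_list("203.0.113.0/24 198.51.100.7"),
    require_mfa=True,
    mfa_bypass_ips=parse_ip_list("203.0.113.10"),
    skip_otp_minutes=30,
)
PASSWORD_ONLY = AppPolicy(name="Password only")
ROLE_POLICIES = [("Contractors", PASSWORD_ONLY)]
NOW = datetime(2024, 1, 1, 12, 0)


def demo() -> list[tuple[str, str]]:
    """Walk through the cases a practitioner would check after applying the policy."""
    staff = select_policy(STRICT, ROLE_POLICIES, {"Staff"}, {"Staff", "Contractors"})
    contractor = select_policy(STRICT, ROLE_POLICIES, {"Contractors"}, {"Staff", "Contractors"})
    return [
        evaluate(staff, "192.0.2.44", None, NOW),                              # outside allowed range
        evaluate(staff, "203.0.113.10", None, NOW),                            # bypass address
        evaluate(staff, "203.0.113.20", NOW - timedelta(minutes=10), NOW),     # OTP 10 min ago
        evaluate(staff, "203.0.113.20", NOW - timedelta(minutes=45), NOW),     # OTP too old
        evaluate(contractor, "203.0.113.20", None, NOW),                       # role-specific policy
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:14} {reason}")
```

Note that the role-specific policy in the last case has no IP restriction of its own, so a contractor is not bound by the strict policy's allowed list; if the IP restriction should hold for everyone, put it in the role policy as well rather than relying on the app-wide policy.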