Getting the most out of Workday for mobile

Application security and best practices

As a Workday customer, you can use Workday’s mobile application to complete self-service tasks and view reports. Because Workday designs its mobile applications for the self-service user, not all features are available on mobile, and what each user can do depends on their security settings and access levels. In this quick reference guide, we discuss Workday’s mobile application security standards and provide helpful tips and tricks for mobile users.

Getting started with Workday mobile

When it comes to mobile applications, not all user settings are created equal. In order to see which business processes and actions you’re able to complete on each platform (Android, iPhone, etc.), run the List Tasks Available on Mobile report. While the mobile apps have limited functionality, you can access all features on the Workday browser application by entering your tenant URL in a web browser on your mobile device.

Easily enable Workday for mobile for your employees

Enabling the Workday mobile app is simple, and the app is compatible with any device. Follow the steps below:

  1. Enable and add users to the following mobile domains in the system functional area:
    • Android: mobile usage
    • iPad: mobile usage
    • iPhone: mobile usage
  2. Enable single sign-on under Edit Tenant Setup – Security
    1. To enable Single Sign-on, update the Mobile App Login Redirect URL and Mobile Browser Login Redirect URL as required from your identity provider (IDP).
    2. Based on your company policy, enable Biometric Authentication, Mobile PIN Authentication, define PIN max/min length, PIN max failed sign-on attempts, and max mobile authentication age.
  3. Create an authentication policy, or edit an existing one, to control how users will log in and use Biometric Authentication and mobile PIN.

Workday’s mobile application security model

Workday approaches security with a ‘unified’ model and applies it across all platforms. The model is completely independent of device type, so a user is consistently granted or denied access to functionality regardless of which type of device they are on. Since access is provided based on this security policy, it is consistent across all platforms, including desktop. Some tasks might not be available on the mobile app, as shown by the List Tasks Available on Mobile report.

Access to Workday’s mobile application can be restricted for a user when they log in outside of a whitelisted network. This restriction applies to all devices; access cannot be limited by device type (i.e., Workday mobile app or desktop off-network).

Alight's Point of View

On/Off Network Recommendations

Access Restrictions (These recommendations apply to all device types)

User

Allow only On Network

Allow on Both On/Off Network

Comments

Employees

Export to PDF/Excel

Check In/Out

Inbox Approval

Payment Elections

Attachment Download (Limited)

Inbox Complete Actions/To Dos

Unless Multifactor Authentication is in place, changes to Payment Elections should only be allowed when on the corporate network.

Check In/Out should not have Off Network access unless there is a specific business reason.

Manager

Attachment Download (Limited)

Check In/Out

Export to PDF/Excel

Payment Elections

Inbox Approval

Inbox Complete Actions/To Dos

Manager should not be allowed to download data related to employees that they support.

Administrators

Attachment Download (Limited)

Check In/Out

Export to PDF/Excel

Inbox Approval

Inbox Complete Actions/To Dos

Payment Elections

 

Administrators and HR roles should not have Off Network access unless there is a specific business reason.

The recommendations above can be accomplished using Security Group (Who), Authentication Type (How), IP Ranges (Where) and Access Restriction (What) in the authentication policy. Please note: an authentication policy cannot differentiate between device types.
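How the four dimensions combine at sign-in can be seen in a small model. This is an added example, not Workday code or configuration syntax: the rule ordering, the IP ranges and the `password`/`mfa` labels are assumptions, and the rules encode only the Payment Elections, Check In/Out and Administrators comments from the table above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ranges standing in for the tenant's corporate (on-network) IP ranges.
CORPORATE = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]

def on_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE)

@dataclass(frozen=True)
class Condition:
    where: Optional[bool]   # Where: True = on network, False = off network, None = anywhere
    how: frozenset          # How: authentication types this condition accepts
    restricted: frozenset = frozenset()  # What: tasks removed for the session

ANY_AUTH = frozenset({"password", "mfa"})  # illustrative labels, not Workday values

# Who: ordered (security group, conditions). Model assumption: the first rule whose
# group the user belongs to applies, then the first condition matching Where and How.
POLICY = [
    ("Administrators", [Condition(True, ANY_AUTH)]),  # no off-network condition
    ("Employees", [
        Condition(True, ANY_AUTH),
        Condition(False, frozenset({"mfa"}), frozenset({"Check In/Out"})),
        Condition(False, frozenset({"password"}),
                  frozenset({"Check In/Out", "Payment Elections"})),
    ]),
]

def evaluate(groups, ip, auth_type):
    """Return the tasks restricted for this sign-in, or None if sign-in is denied."""
    here = on_network(ip)  # device type is deliberately not an input
    for group, conditions in POLICY:
        if group not in groups:
            continue
        for cond in conditions:
            if (cond.where is None or cond.where == here) and auth_type in cond.how:
                return cond.restricted
        return None  # rule matched but no condition did: deny, never fall through
    return None      # no rule covers the user

def can_perform(groups, ip, auth_type, task):
    restricted = evaluate(groups, ip, auth_type)
    return restricted is not None and task not in restricted

if __name__ == "__main__":
    print(can_perform({"Employees"}, "203.0.113.9", "password", "Payment Elections"))
```

In this model a user who is in both Administrators and Employees is denied off network, because the Administrators rule is listed first and evaluation does not fall through to the Employees rule.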

Additional recommendations

Off Corporate Network

  • Check with your information security team to determine whether your corporate policies allow enablement of data access off a corporate network. Confirm what data should be allowed on personally owned equipment. For mobile, confirm whether mobile devices are allowed on the corporate network and what level of data access is allowed on and off network for mobile devices and personal mobile devices (BYOD).
  • Consider applying Workday authentication policies.
  • Multi-factor authentication is recommended for off corporate network access. If you are using SSO/SAML to log in to Workday, multi-factor authentication must be owned by your identity provider.

Workday mobile app

  • The Workday mobile application is a presentation layer only, so it does not store or cache any business data on the mobile device. Workday stores simple settings, such as the tenant web address and tenant name. An exception to this is when PDF or Excel files are viewed; Workday caches these files for the duration of the session. As mentioned above, file export can be restricted through an authentication policy.
  • Consider using a mobile device management system to have users go through a VPN when using the mobile app. Workday does not allow “app wrapping”.

Mobile setup under Tenant Setup - System

  • Description: Enable Attachments to be Imported from or Shared With External Sources
    Recommendation: Check
    Comments: Corporate policy should be reviewed to determine if appropriate. Workday’s virus scanning functionality is currently limited to the recruiting and student products. Any other uploads by authenticated users are not scanned.
  • Description: Disable Check In/Out on mobile
    Recommendation: Check
    Comments: If you are controlling Check In/Out by Access Restriction on the authentication policy, then this can be left unchecked. Review corporate policy to determine if appropriate.
  • Description: Disable My Reports on mobile
    Recommendation: Check
    Comments: In most cases, access to the Workday W: drive is not necessary on mobile.
  • Description: Disable Add to Contact
    Recommendation: Uncheck
    Comments: Disables the Add to Contact command from the Action menu on worker profiles on mobile devices.
  • Description: Disable Mail to
    Recommendation: Uncheck
    Comments: Prevents native mail apps from opening on a mobile device when users click a mail link within Workday mobile apps.
  • Description: Deter Screenshots
    Recommendation: Check
    Comments: An alert that prohibits taking a screenshot is displayed on iPad and iPhone devices; on Android devices, the screenshot is blurred.
  • Description: Disable mobile app store links
    Recommendation: Uncheck
    Comments: Aids in application adoption.
  • Description: Disable automatic tenant configuration links
    Recommendation: Uncheck
    Comments: Aids in application adoption.

Considerations

When enabling and getting started with Workday mobile, here are a few items to consider.

  • Mobile-enabled inbox items can be acted upon regardless of authentication policy.
  • Mobile device browsers will mimic desktop access.
  • If an authentication policy is in place, a session authenticated on the corporate network will remain active after the user leaves the network until the session times out or the user logs off.

Learn more

If you are an existing Workday customer, additional information on Workday Documentation regarding mobile set-up and best practices can be found here.
