Application security and best practices

As a Workday customer, you have access to Workday’s mobile application to easily access and complete self-service tasks and view reports. Because Workday designs mobile applications for the self-service user, not all features are available based on their security settings and access levels. In this quick reference guide, we will discuss Workday’s mobile application security standards and provide helpful tips and tricks for mobile users.

Getting started with Workday mobile

When it comes to mobile applications, not all user settings are created equal. In order to see which business processes and actions you’re able to complete on each platform (Android, iPhone, etc.), run the List Tasks Available on Mobile report. While the mobile apps have limited functionality, you can access all features on the Workday browser application by entering your tenant URL in a web browser on your mobile device.

Easily enable Workday for mobile for your employees

Enabling the Workday mobile app on different devices is simple and compatible with any device, simply follow these steps below:

  1. Enable and add users to the following mobile domains in the system functional area:
    • Android: mobile usage
    • iPad: mobile usage
    • iPhone: mobile usage
  2. Enable single sign-on under Edit Tenant Setup – Security
    1. To enable Single Sign-on, update the Mobile App Login Redirect URL and Mobile Browser Login Redirect URL as required from your identity provider (IDP).
    2. Based on your company policy, enable Biometric Authentication, Mobile PIN Authentication, define PIN max/min length, PIN max failed sign-on attempts, and max mobile authentication age.
  3. Create or edit existing authentication policy to control how users will log in and use Biometric Authentication and mobile PIN.

Workday’s mobile application security model

Workday approaches security with a ‘unified’ model and applies it across all platforms. It is completely independent of device types, so the user will be consistently granted or denied access to functionality regardless of which type of device they are on. Since access is provided based on this security policy, it is consistent across all platforms, including desktop. Some tasks might not be available on the mobile app per the List Task Available on Mobile report.

Access to Workday’s mobile application can be restricted for a user when they log in outside of a whitelisted network. This restriction will apply to all devices; access cannot be limited by device type (i.e. Workday mobile app or desktop off-network.)

Alight's Point of View

On/Off Network Recommendations

Access Restrictions (These recommendations apply to all device types)

User

Allow only On Network

Allow on Both On/Off Network

Comments

Employees

Export to PDF/Excel

Check In/Out

Inbox Approval

Payment Elections

Attachment Download (Limited)

Inbox Complete Actions/To Dos

Unless Multifactor Authentication is in place, Payment Elections should only be allowed to change when on corporate network.

Check In/Out should not have Off Network access unless there is specific business reason.

Manager

Attachment Download (Limited)

Check In/Out

Export to PDF/Excel

Payment Elections

Inbox Approval

Inbox Complete Actions/To Dos

Manager should not be allowed to download data related to employees that they support.

Administrators

Attachment Download (Limited)

Check In/Out

Export to PDF/Excel

Inbox Approval

Inbox Complete Actions/To Dos

Payment Elections

 

Administrators, HR roles should not have Off Network access unless there is specific business reason.

The recommendations above can be accomplished using Security Group (Who), Authentication Type (How), IP Ranges (Where) and Access Restriction (What) in authentication policy. Please note: Authentication policy cannot differentiate between device types.

Additional recommendations

Off Corporate Network

  • Check with your information security team to determine whether your corporate policies allow enablement of data access off a corporate network.  Confirm what data should be allowed on personally owned equipment. For mobile, if mobile devices are allowed on corporate network and what level of data access is allowed on/off network for mobile devices/personal mobile devices (BYOD).
  • Consider applying Workday authentication policies.
  • Multi factor authentication is recommended for off corporate network access. If you are using SSO/SAML to log in to Workday, multi factor authentication must be owned by your identity provider.

Workday mobile app

  • The Workday mobile application is a presentation layer only, so it does not store or cache any business data on the mobile device. Workday stores simple settings, such as the tenant web address and tenant name. An exception to this is when PDF or Excel files are viewed; Workday caches these files for the duration of the session. As mentioned above, file export can be restricted through an authentication policy.
  • Consider mobile device management system to have users go through a VPN when using mobile app. Workday does not allow “App wrapping”.

Mobile setup under Tenant Setup - System

Description

Recommendation

Comments

Enable Attachments to be Imported from or Shared With External Sources

Check

Corporate policy should be reviewed to determine if appropriate. Workday’s Virus scanning functionality is currently limited to the recruiting and student products. Any other uploads by authenticated users are not scanned.

Disable Check In/Out on mobile

Check

If you are controlling Check In/Out by Access restriction on Authentication policy, then this can be left unchecked—review corporate policy to determine if appropriate.

Disable My Reports on mobile

Check

In most cases, access to the Workday W: drive is not necessary on mobile.

Disable Add to Contact

Uncheck

Disables the Add to Contact command from the Action menu on worker profiles on mobile devices.

Disable Mail to

Uncheck

Prevents native mail apps from opening on a mobile device when users click a mail link within Workday mobile apps.

Deter Screenshots

Check

Alert is displayed on iPad and iPhone devices that prohibits taking screenshot and on android devices the screenshot is blurred.

Disable mobile app store links

Uncheck

Aids in application adoption.

Disable automatic tenant configuration links

Uncheck

Aids in application adoption.

Considerations

When enabling and getting started with Workday mobile, here are a few items to consider.

  • Mobile-enabled inbox items can be acted upon regardless of authentication policy.
  • Mobile device browsers will mimic desktop access.
  • If an authentication policy is in place, a current authenticated session on corporate network will remain active after users leave the network until the session times out or user logs off.

Learn more

If you are an existing Workday customer, additional information on Workday Documentation regarding mobile set-up and best practices can be found here.

Want to learn more about Workday for mobile for your organization? Talk to one of our Workday experts today.
TALK TO AN EXPERT
Related Tags
HCM Financial Management Workday
Related Content
Article
Carlson Management Consulting, an Alight Company, named Winner of the FY21 Solution Provider of the
Carlson Management Consulting, an Alight Company, announced it was named a winner of the FY21 Solution Provider of the Year Award – Americas by Workday.
HCM
Financial Management
Article
Top questions to ask your payroll provider to mitigate your risk
When it comes to payroll, quality, accuracy and thoroughness are of the utmost importance.
HCM
Human Resources
Finance
Alight's guide to deploying Adaptive Planning
Learn how to get started on your Workday Adaptive Planning journey
Financial Management
HCM
The power of Workday Extend
Learn about the new functionality that came with Workday Extend.
HCM
Workday
Everest Group MPHRO Services PEAK Matrix™ Assessment 2021
Alight named a Leader in the Everest Group MPHRO Services PEAK Matrix™ Assessment 2021
HCM