UniFi Identity Security Policy and Its Benefits

Security Policy is a core UniFi Identity Enterprise feature that is highly flexible and reliable, protecting corporations from cyber security threats.
Once a workspace is created, a default security policy containing rules is triggered automatically and applied to all workspace users. While the default policy cannot be modified, workspace administrators can still customize security policies to meet their workspace needs.
With Security Policy, administrators can control user access and enforce login authentication rules based on different conditions. It offers a flexible login experience for users and ensures secure user access control for administrators.
The security of UniFi Identity Enterprise cloud data is our utmost concern. We have adopted industry-leading techniques to build a cloud infrastructure that is secure and scalable.


  • The principle of least privilege
    This principle allows administrators to configure different security authentication rules to verify user identity, thereby minimizing possible cybersecurity threats and maximizing data safety. It is vital for making UniFi Identity Enterprise Cloud as secure as possible.

  • Configure context-based policies
    With context-based policies, administrators can configure security authentication rules based on user role, device, IP address, location, and other factors. This minimizes the potential risks when users access their UniFi Identity Enterprise Workspace. Context-based authentication is much more reliable than other authentication methods.

  • Provide multiple identity authentication methods
    UniFi Identity Enterprise workspace administrators have full control over system settings and can configure policies and rules to not only simplify but also secure identity authentication, resource protection, and access control.

Key Features

  • Sign-On Policy
    Administrators can configure different policy rules to control how users access their UniFi Identity Enterprise Workspace. For example, you can specify that certain roles, users, or groups can log in to their UniFi Identity Enterprise Workspace only from certain network zones, as well as customize the validity period, session lifetime, and other conditions.

  • SSO Apps Sign-On Policy
    App sign-on policies can allow or restrict user access to SSO applications, thereby securing SSO application authentication.
    By default, all users can access the applications assigned to them without re-entering their passwords or performing MFA. You can also configure granular access control by adding policies and rules and arranging them in priority order. Policies and rules with a higher priority take precedence over those with a lower priority.

  • Password Policy
    Determine users' password complexity, password validity period, password lockout, and account recovery policies. UniFi Identity Enterprise provides a default password policy that requires users to use strong passwords to better protect their workspace assets.

  • VPN Policy
    Determine whether users are prompted for MFA when connecting to One-Click VPN. Hardening your VPNs with an extra layer of authentication ensures only the right people can access your networks. Securing your VPNs with MFA can prevent attackers from reaching your credentials and sensitive data, even if passwords have been leaked.

  • Approval Policy
    Determine whether approvers are prompted for MFA when approving or rejecting a request form. Approval Policy adds an extra layer of protection to your approvals and workflows. You can specify whether approvers need to perform MFA before they can process the requests sent to them, based on different conditions.


  1. Login authentication is required only on weekends

    • Administrators can add a sign-on policy and set the validity period to Saturday and Sunday (00:00 to 23:59).
  2. Extra authentication is required when specific users log in from desktop clients with new IPs

    • Administrators can set the following conditions and actions to enforce MFA when users log in to their UniFi Identity Enterprise Workspace from new IPs.
      • Set the user’s IP to Outside Zone.
      • Set device platform to macOS, Windows, and Other Desktop.
      • Set client to Identity Enterprise Desktop App and Identity Enterprise Manager.
      • Set behavior to New IP.
  3. Extra authentication is required when high-risk score users log in from desktop clients with new IPs

    • Administrators can set the following conditions and actions to enforce MFA when users connect to One-Click VPN via specific MFA factors (e.g., Verify):
    • With adaptive MFA and risk-based contextual security policies, administrators can easily construct a zero-trust model and implement advanced security methods to protect all corporate resources including networks, doors, cameras, applications, and more.
  4. Extra authentication is not required when specific users have entered the office within the past 30 minutes and log in from desktop clients

    • Administrators can set the following conditions and actions to disable MFA when users have entered the office within the past 30 minutes.
      • Set the user's IP to Inside Zone.
      • Set device platform to macOS, Windows, and Others.
      • Set client to Identity Enterprise Desktop App and Identity Enterprise Manager.
      • Set the risk level to Low.
      • Set behavior to Enter the office within 30 minutes.
    • In addition to the default behaviors, UniFi Identity Enterprise also allows you to create different behavior rules based on user behaviors and needs.
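The use cases above describe each sign-on rule as a set of conditions (IP zone, device platform, client, behavior, risk level, validity period) plus an action, with higher-priority rules taking precedence. The following Python sketch is an added example, not UniFi Identity Enterprise code: the field names, the first-match evaluation order and the fall-back to MFA when no rule matches are assumptions made for illustration, and the contexts it evaluates are constructed.

```python
"""Ordered policy-rule evaluation modelled on the sign-on use cases above.
Constructed illustration; the rule schema and semantics are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Condition values taken from the use cases on the page.
DESKTOP = frozenset({"macOS", "Windows", "Other Desktop"})
DESKTOP_CLIENTS = frozenset({"Identity Enterprise Desktop App",
                             "Identity Enterprise Manager"})
SATURDAY, SUNDAY = 5, 6  # Python weekday numbering: Monday = 0


@dataclass(frozen=True)
class LoginContext:
    """Facts known at sign-on time (all values in this example are constructed)."""
    user: str
    ip_zone: str      # "Inside Zone" or "Outside Zone"
    platform: str     # e.g. "macOS", "Windows", "iOS"
    client: str       # e.g. "Identity Enterprise Desktop App"
    behavior: str     # e.g. "New IP", "Enter the office within 30 minutes", "None"
    risk_level: str   # "Low", "Medium" or "High"
    weekday: int      # 0 = Monday ... 6 = Sunday


@dataclass(frozen=True)
class Rule:
    """Unset conditions are wildcards; every set condition must hold (assumption)."""
    name: str
    priority: int                           # lower number = evaluated first (assumption)
    action: str                             # "require_mfa" or "skip_mfa"
    valid_days: Optional[frozenset] = None  # validity period; None = every day
    ip_zone: Optional[str] = None
    platforms: Optional[frozenset] = None
    clients: Optional[frozenset] = None
    behavior: Optional[str] = None
    risk_level: Optional[str] = None

    def matches(self, ctx: LoginContext) -> bool:
        return all([
            self.valid_days is None or ctx.weekday in self.valid_days,
            self.ip_zone is None or ctx.ip_zone == self.ip_zone,
            self.platforms is None or ctx.platform in self.platforms,
            self.clients is None or ctx.client in self.clients,
            self.behavior is None or ctx.behavior == self.behavior,
            self.risk_level is None or ctx.risk_level == self.risk_level,
        ])


def evaluate(rules, ctx: LoginContext, default_action="require_mfa"):
    """First matching rule in priority order decides; otherwise the policy default.
    Falling back to MFA when nothing matches is the conservative choice here.
    Returns (action, name_of_deciding_rule)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ctx):
            return rule.action, rule.name
    return default_action, "default"


# Hypothetical policy built from use cases 4, 2 and 1 on the page, in priority order.
POLICY = [
    Rule("skip MFA after recent office entry", priority=10, action="skip_mfa",
         ip_zone="Inside Zone", platforms=DESKTOP | {"Others"},
         clients=DESKTOP_CLIENTS, risk_level="Low",
         behavior="Enter the office within 30 minutes"),
    Rule("MFA on new IP from desktop outside the office", priority=20,
         action="require_mfa", ip_zone="Outside Zone", platforms=DESKTOP,
         clients=DESKTOP_CLIENTS, behavior="New IP"),
    Rule("weekend sign-on policy", priority=30, action="require_mfa",
         valid_days=frozenset({SATURDAY, SUNDAY})),
]


def decide(ctx: LoginContext):
    return evaluate(POLICY, ctx)


def run_demo():
    """Constructed sign-on attempts; returns {label: (action, deciding rule)}."""
    app = "Identity Enterprise Desktop App"
    cases = {
        "weekday, badge-in 10 min ago, low risk":
            LoginContext("alice", "Inside Zone", "macOS", app,
                         "Enter the office within 30 minutes", "Low", 2),
        "weekday, new IP from outside the office":
            LoginContext("bob", "Outside Zone", "Windows", app, "New IP", "Low", 2),
        "sunday, phone, nothing unusual":
            LoginContext("carol", "Inside Zone", "iOS", "Mobile App", "None", "Low", SUNDAY),
        "weekday, badge-in but high risk score":
            LoginContext("dave", "Inside Zone", "Windows", app,
                         "Enter the office within 30 minutes", "High", 2),
        "saturday, badge-in, low risk (priority 10 beats priority 30)":
            LoginContext("erin", "Inside Zone", "macOS", app,
                         "Enter the office within 30 minutes", "Low", SATURDAY),
    }
    return {label: decide(ctx) for label, ctx in cases.items()}


if __name__ == "__main__":
    for label, (action, rule) in run_demo().items():
        print(f"{label:62s} -> {action:12s} ({rule})")
```

The fourth case shows why the fall-back matters: a high risk score stops the "skip MFA" rule from matching, and with no other rule applicable the conservative default still requires MFA. The fifth case shows priority ordering, as described under SSO Apps Sign-On Policy above: the higher-priority office-entry rule wins even though the weekend rule would also match.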