COVID-19 - Turning on Workday for mobile for your virtual employees

Most organizations around the world are asking employees to work from home, where possible, as a result of COVID-19. We recommend turning on Workday for mobile to ensure employees can access Workday on their mobile devices in order to continue performing their duties and daily tasks, such as managing their teams from anywhere.

For many organizations and their people this may be unchartered territory, and providing the right tools and support to help your employees effectively continue their work will make the transition as seamless as possible.

This reference guide provides information on turning on Workday’s mobile application, the mobile security standards and helpful tips and tricks for mobile users.

Workday application security and best practices

As a Workday customer, you have access to its mobile application to easily access and complete self-service tasks and view reports. Because Workday designs mobile applications for the self-service user, not all features are available based on their security settings and access levels.

Getting started with the Workday mobile application

When it comes to mobile applications, not all user settings are created equal. In order to see which business processes and actions you’re able to complete on each platform (Android, iPhone, etc.), run the List Tasks Available on Mobile report. While the mobile apps have limited functionality, you can access all features on the Workday browser application by entering your tenant URL in a web browser on your mobile device.

Easily enable Workday for mobile for your employees

Enabling the Workday mobile app on different devices is simple and compatible with any device, simply follow these steps below:

Enable and add users to the following mobile domains in the system functional area:
- Android: mobile usage
- iPad: mobile usage
- iPhone: mobile usage
Enable single sign-on under Edit Tenant Setup – Security.
- To enable Single Sign-on, update the Mobile App Login Redirect URL and Mobile Browser Login Redirect URL as required from your identity provider (IDP).
- Based on your company policy, enable Biometric Authentication, Mobile PIN Authentication, define PIN max/min length, PIN max failed sign-on attempts, and max mobile authentication age.
Create or edit existing authentication policy to control how users will log in and use Biometric Authentication and mobile PIN.

Workday’s mobile application security model

Workday approaches security with a ‘unified’ model and applies it across all platforms. It is completely independent of device types, so the user will be consistently granted or denied access to functionality regardless of which type of device they are on. Since access is provided based on this security policy, it is consistent across all platforms, including desktop. Some tasks might not be available on the mobile app per the List Task Available on Mobile report.

Access to Workday’s mobile application can be restricted for a user when they log in outside of a whitelisted network. This restriction will apply to all devices; access cannot be limited by device type (i.e. Workday mobile app or desktop off-network.)

Alight’s Point of View

On/Off Network Recommendations Access Restrictions (these recommendations apply to all device types).

The recommendations below can be accomplished using Security Group (Who), Authentication Type (How), IP Ranges (Where) and Access Restriction (What) in authentication policy. Please note: Authentication policy cannot differentiate between device types.

User	Allow only On Network	Allow on Both On/Off Network	Comments
Employees	- Export to PDF/Excel - Check In/Out - Inbox Approval - Payment Elections	- Attachment Download (Limited) - Inbox Complete Actions/To Dos	Unless Multifactor Authentication is in place, Payment Elections should only be allowed to change when on corporate network. Check In/Out should not have Off Network access unless there is specific business reason. Ensure you have reviewed the geofences on your Time Entry Template location settings tab to see where workers are able to submit their timesheets
Manager	- Attachment Download (Limited) - Check In/Out - Export to PDF/Excel - Payment Elections	- Inbox Approval - Inbox Complete Actions/To Dos	Manager should not be allowed to download data related to employees that they support
Administrators	- Attachment Download (Limited) - Check In/Out - Export to PDF/Excel - Inbox Approval - Inbox Complete Actions/To Dos - Payment Elections		Administrators, HR roles should not have Off Network access unless there is specific business reason.

Additional Workday mobile security recommendations

OFF CORPORATE NETWORK

Check with your information security team to determine whether your corporate policies allow enablement of data access off a corporate network. Confirm what data should be allowed on personally owned equipment. For mobile, if mobile devices are allowed on corporate network and what level of data access is allowed on/off network for mobile devices/personal mobile devices (BYOD).
Consider applying Workday authentication policies.
Multi factor authentication is recommended for off corporate network access. If you are using SSO/SAML to log in to Workday, multi factor authentication must be owned by your identity provider.

WORKDAY MOBILE APP

Description	Recommendation	Comments
Enable Attachments to be Imported from or Shared With External Sources	Check	Corporate policy should be reviewed to determine if appropriate. Workday’s Virus scanning functionality is currently limited to the recruiting and student products. Any other uploads by authenticated users are not scanned.
Disable Check In/Out on mobile	Check	If you are controlling Check In/Out by Access restriction on Authentication policy, then this can be left unchecked—review corporate policy to determine if appropriate.
Disable My Reports on mobile	Check	In most cases, access to the Workday W: drive is not necessary on mobile.
Disable Add to Contact	Uncheck	Disables the Add to Contact command from the Action menu on worker profiles on mobile devices.
Disable Mail to	Uncheck	Prevents native mail apps from opening on a mobile device when users click a mail link within Workday mobile apps.
Deter Screenshots	Check	The Workday app generates notifications to help discourage users from taking screen captures while in the app.
Disable mobile app store links	Uncheck	Aids in application adoption.
Disable automatic tenant configuration links	Uncheck	Aids in application adoption.

The Workday mobile application is a presentation layer only, so it does not store or cache any business data on the mobile device. Workday stores simple settings, such as the tenant web address and tenant name. An exception to this is when PDF or Excel files are viewed; Workday caches these files for the duration of the session. As mentioned above, file export can be restricted through an authentication policy.
Consider mobile device management system to have users go through a VPN when using mobile app. Workday does not allow “App wrapping”.

MOBILE SETUP UNDER TENANT SETUP - SYSTEM

Workday mobile security considerations
When enabling and getting started with Workday mobile, here are a few security items to consider.

Mobile-enabled inbox items can be acted upon regardless of authentication policy.
Mobile device browsers will mimic desktop access.
If an authentication policy is in place, a current authenticated session on corporate network will remain active after users leave the network until the session times out or user logs off.

Learn more

If you are an existing Workday customer, additional information on Workday Documentation regarding mobile set-up and best practices can be found here.

Let's Talk

If you need any help or would like to speak to one of our Workday experts, contact us today.