Do you allow access to Workday/HR applications outside of InTune or another MDM tool? What is your policy for hourly employees accessing Workday ‘off hours’? How is this policy managed?
IT Director in Manufacturing, 21 days ago
We use Dayforce, so I hope my feedback is relevant.
We allow access off-premises and at any time; however, access is restricted through the mobile app for users to view and modify their HR documentation (such as statements, tax information, and benefits), and shift/hourly workers can use it for scheduling purposes only. Managers have a limited set of actions as well, including approving PTO, approving schedule changes, etc.
We also have SSO and MFA enabled for all users.
CISO in Healthcare and Biotech, 21 days ago
We have been discussing this as well, as some of our workers do not have laptops but will need access to the portal for their HR documentation. We are working out the best way for them to utilize MFA to still access it securely and will probably go that route if possible.
Hello Kara,
Recommend starting by defining what data is being accessed and what actions are being performed from these non-MDM governed devices. If the activity is low-risk—like entering hours, vacation, or sick time—you can often permit it with minimal friction. But if it involves viewing, uploading, or downloading sensitive HR data, treat that as a data loss risk that requires stronger controls before allowing access.
Policies could be managed through conditional access rules, risk-based authentication, and tight role-based access.
Strategically, I recommend:
- Classify HR tool/data transactions by risk, not just by app.
- Apply least privilege at the transaction level, where possible.
- Run periodic access reviews to catch drift in entitlements and behavior.
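
One way to express the transaction-level approach from the last reply, as an added example that is not part of the thread or any vendor's product. The transaction names, role names and the rule that high-risk actions require a managed device are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: transaction and role names are hypothetical,
# not taken from Workday, Dayforce or any other HR product.
TRANSACTION_RISK = {
    "enter_hours": "low",
    "request_pto": "low",
    "view_schedule": "low",
    "approve_pto": "low",
    "view_tax_document": "high",
    "download_pay_statement": "high",
}

# Least privilege at the transaction level: a role lists only what it may do.
ROLE_BASELINE = {
    "hourly_worker": {"enter_hours", "request_pto", "view_schedule",
                      "view_tax_document", "download_pay_statement"},
    "manager": {"enter_hours", "request_pto", "view_schedule", "approve_pto"},
}


@dataclass(frozen=True)
class AccessRequest:
    role: str
    transaction: str
    device_managed: bool  # enrolled in an MDM tool
    mfa_passed: bool


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one transaction."""
    if req.transaction not in ROLE_BASELINE.get(req.role, set()):
        return "deny"  # not entitled, whatever the device
    # Unclassified transactions fail closed as high risk.
    risk = TRANSACTION_RISK.get(req.transaction, "high")
    if not req.mfa_passed:
        return "step_up_mfa"
    if risk == "high" and not req.device_managed:
        return "deny"  # assumed control: sensitive data stays on managed devices
    return "allow"


def entitlement_drift(granted: dict[str, tuple[str, set[str]]]) -> dict[str, set[str]]:
    """Access review: per user, transactions granted beyond the role baseline."""
    drift = {}
    for user, (role, transactions) in granted.items():
        extra = transactions - ROLE_BASELINE.get(role, set())
        if extra:
            drift[user] = extra
    return drift
```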