Workspace ONE Policy
Purpose
Workspace ONE is an application that ensures endpoint configuration and compliance with security requirements for any device, such as a mobile phone or laptop, used to conduct Lincoln Investment business. It will help us meet regulatory expectations such as the FINRA guidance released in its 2018 "Report on Cybersecurity Practices".
The program can be used on mobile devices (Android, iOS, iPadOS) and PCs (macOS, Windows). Once installed, Workspace ONE will act as an ‘agent’ on the device which will allow it to manage access to certain apps, check for compliance and allow for enterprise data wipes in the event of breach, retirement, or loss of a device.
Workspace ONE helps ensure the security of Lincoln Investment customer data while it’s being accessed by employees and advisors from anywhere on the Internet.
Key Concepts
- Endpoint User Security
- Access Controls
- Exemption Process
Key Policies
- Any device, mobile or computer, that connects to or stores any Lincoln data needs to be registered with Workspace ONE. This includes, but is not limited to: AdvisorLinc, StaffLinc, Email, Microsoft Teams, Office 365 apps, NetX360, RedTail, Lincoln contacts, and FPConnect. (Please note: some of the applications mentioned are accessed via AdvisorLinc.)
- Access to certain Lincoln systems will be restricted to managed devices, meaning that any unmanaged device trying to access will be denied. This would include AdvisorLinc and email for any Lincoln owned or hosted domains.
Key Risks and Mitigation
- The key risk with unprotected devices is unauthorized access to data, systems and PII.
- This risk is mitigated through hardened configuration, controls that verify configuration and security posture compliance, and revocation of conditional access when compliance cannot be verified.
Controls
Field Controls:
Personally-Owned Devices Used for Work Purposes (Bring-Your-Own-Device - BYOD):
- Mobile Device (Android, iOS, iPadOS)
  - All devices that contain Lincoln Investment applications or access Lincoln Investment data or systems must be registered and enrolled in Workspace ONE.
  - This includes, but is not limited to: AdvisorLinc, Email, Microsoft Teams, Office 365 apps, NetX360, RedTail, MyRepChat, and FP Connect.
  - Please note: Workspace ONE will NOT access your personal information, such as contacts, personal email, or any apps that you do not put in the 'managed HUB'. For those apps that you add to the 'HUB', Workspace ONE protects and manages the application.
  - Workspace ONE will deny access to any unmanaged mobile device that tries to access any applications that are connected via SSO.
  - If you only use your mobile device as a Multi-Factor Authentication device (OneLogin Protect/Okta Verify/Google Authenticator), you may choose not to enroll your device.
  - Lincoln encourages enrollment in Workspace ONE regardless of mobile device usage.
- Computer (Windows, macOS)
  - All devices that contain Lincoln Investment applications or access Lincoln Investment data or systems must be registered and enrolled in Workspace ONE.
  - This includes, but is not limited to: AdvisorLinc, Email, Microsoft Teams, Office 365 apps, NetX360, RedTail, MyRepChat, and FP Connect.
  - CrowdStrike Endpoint Detection and Response (EDR) will be deployed to all computer devices to provide real-time anti-malware and anti-virus protection and defense.
  - Workspace ONE will deny access to any unmanaged computer that tries to access AdvisorLinc and any applications that are connected via SSO.
  - There will be no exemptions or exceptions granted for any computer used by the field.
Lincoln Employee Controls:
Personally-Owned Devices Used for Work Purposes (Bring-Your-Own-Device - BYOD):
- Mobile Device (Android, iOS, iPadOS)
  - All devices that contain Lincoln Investment applications or access Lincoln Investment data or systems must be registered and enrolled in Workspace ONE.
  - This includes, but is not limited to: AdvisorLinc, StaffLinc, Email, Microsoft Teams, Office 365 apps, NetX360, RedTail, Lincoln contacts, and FP Connect.
  - Please note: Workspace ONE will NOT access your personal information, such as contacts, personal email, or any apps that you do not put in the 'managed HUB'. For those apps that you add to the 'HUB', Workspace ONE protects and manages the application.
  - Workspace ONE will deny access to any unmanaged mobile device that tries to access AdvisorLinc, StaffLinc, and any applications that are connected via SSO.
  - If you only use your mobile device as a Multi-Factor Authentication device (OneLogin Protect/Okta Verify/Google Authenticator), you may choose not to enroll your device. Workspace ONE will still deny access to any unmanaged mobile device that tries to access AdvisorLinc and any applications listed above that are connected to AdvisorLinc via SSO.
  - Lincoln encourages enrollment in Workspace ONE regardless of mobile device usage.
Lincoln Owned Devices - Corporate-Owned-Personally-Enabled (COPE):
- Mobile Devices (iPadOS Only)
  - All devices that contain Lincoln Investment applications or access Lincoln Investment data or systems must be registered and enrolled in Workspace ONE.
  - Apple Business Manager will ensure enrollment through Apple's Device Enrollment Program, which registers the device as Lincoln-managed at the time of purchase.
  - This includes, but is not limited to: AdvisorLinc, StaffLinc, Email, Microsoft Teams, Office 365 apps, NetX360, RedTail, MyRepChat, and FP Connect.
  - Please note: Workspace ONE will NOT access your personal information, such as contacts, personal email, or any apps that you do not put in the 'managed HUB'. For those apps that you add to the 'HUB', Workspace ONE protects and manages the application.
  - Workspace ONE will deny access to any unmanaged mobile device that tries to access AdvisorLinc, StaffLinc, and any applications listed above that are connected to AdvisorLinc via SSO.
  - There will be no exemptions or exceptions granted for Lincoln owned devices.
- Computer (macOS Only)
  - All devices that contain Lincoln Investment applications or access Lincoln Investment data or systems must be registered and enrolled in Workspace ONE.
  - Apple Business Manager will ensure enrollment through Apple's Device Enrollment Program, which registers the device as Lincoln-managed at the time of purchase.
  - This includes, but is not limited to: AdvisorLinc, StaffLinc, Email, Microsoft Teams, Office 365 apps, NetX360, RedTail, MyRepChat, and FP Connect.
  - Please note: Workspace ONE will NOT access your personal information, such as contacts, personal email, or any apps that are not deployed by the 'managed HUB'.
  - CrowdStrike Endpoint Detection and Response (EDR) will be deployed to all computer devices to provide real-time anti-malware and anti-virus protection and defense.
  - Workspace ONE will deny access to any unmanaged computer that tries to access AdvisorLinc, StaffLinc, and any applications that are connected via SSO.
  - There will be no exemptions or exceptions granted for Lincoln owned devices.
Lincoln Owned Devices - Fully Managed Devices for Corporate Use Only:
- Computer (Windows, macOS)
  - All Lincoln owned devices will be enrolled in Workspace ONE.
  - Enrollment will be completed as part of the setup and configuration activities during the preparation and deployment of fully-managed devices. No enrollment action is needed from users.
  - CrowdStrike Endpoint Detection and Response (EDR) will be deployed to all computer devices to provide real-time anti-malware and anti-virus protection and defense.
Notes
Failure to comply with the standards set forth in this policy will result in disciplinary action up to and including termination or separation from Lincoln Investment affiliation.
Document Properties
Origination Date: June 5, 2020
Last Reviewed: March 28, 2024
Next Review: July 2024
Content Owner: Director of Digital Workplace