Basic-auth (401) without redirection to /my.policy

This is a fairly common issue with SharePoint. The problem lies in the fact that 1) APM, by default, uses session-based (in browser memory) cookies to maintain session state with the client browser, and 2) the applications that SharePoint spawns (Office apps, WebDAV, some others) can't access that cookie. So anything coming from that application looks like a new session to APM (and get's the initial 302 to /my.policy). The recommended solution is to use persistent session cookies in APM. It's a checkbox on the second tab of an access policy. This allows the APM cookie to be file-based and now accessible to the spawned applications. The expiration of that cookie is controlled by the settings on the first tab, and the value is rewritten on every APM response so that it accurately expires the ticket after a defined amount of idle time.