check-circle-line exclamation-circle-line close-line

VMware Identity Manager 2.8 | 17 NOVEMBER 2016 | Build 4653705

VMware Identity Manager Connector 2016.11.1 | 17 NOVEMBER 2016 | Build 4642246

VMware Identity Manager Desktop 2.8 | 17 NOVEMBER 2016 | Build 4652980

VMware Identity Manager Integration Broker 2.8 | 17 NOVEMBER 2016 | Build 4601559

Release date: November 17, 2016

What's in the Release Notes

The release notes cover the following topics:

What's New for 2.8

This version of VMware Identity Manager includes support for the following new features.

Workspace ONE Application

  • Workspace ONE app delivering internal enterprise mobile apps to unmanaged devices

    In addition to public mobile applications, you can use Workspace ONE to distribute internal enterprise mobile apps that do not leverage the AirWatch SDK or wrapping engine to unmanaged devices through the Workspace ONE app catalog.

  • Workspace ONE app providing Adaptive Management for Android for Work devices

    Now your Android users can enjoy the benefits of adaptive management. Users can download the Workspace ONE app from the Google Play Store and start using the app in standalone Mobile Application Management (MAM) mode. They can progress to OS MAM when an application with a lock icon in the catalog is selected for installation. Once, the user enrolls the device into OS MAM, the lock icon goes away. The user can now install all the apps from the catalog. Users no longer have to install AirWatch agent on their Android devices to get their devices enrolled into OS MAM.

  • Open Web app in VMware Browser

    Now you can force the launch of certain Web apps through VMware Browser instead of through the system browser when the Web app is launched through the Workspace ONE app. You can control this setting on a per-app basis. VMware Browser is a secure browser which provides IT unparalleled control over browser cache, such as remote wiping the cache when the user leaves the company or a device goes out-of-compliance. Requires Workspace ONE app v2.2.

Authentication and Access

  • VMware Verify two-factor authentication for on-premise deployments

    Now you can use VMware Verify two-factor authentication with your VMware Identity Manager on-premise deployment. This feature was available only for the VMware Identity Manager cloud previously. The VMware Verify authentication method provides two-factor authentication at login time or step-up authentication post-login when a user accesses a critical app from the launcher. VMware Verify supports convenient push authentication from smart phones or time based one-time password (TOTP) authentication when the device is offline, or SMS passcode for flip phones.

  • Conditional access for Horizon and Citrix apps

    Conditional access policies that were available for Web apps can now be applied to Horizon and Citrix apps. With this feature, you can take actions such as block, allow, or step-up authenticate users based on conditions such as the network, device type or AirWatch device enrollment and compliant status to access these applications.

  • Conditional access for local users

    Users created locally in VMware Identity Manager can now participate in conditional access policies. This allows you to take actions such as block, allow, or step-up authenticate local users based on conditions such as network, device type, AirWatch device enrollment and compliant status, or application being accessed.

  • How-to guide for adding conditional access to your internal apps using OAuth2.0

    Workspace ONE includes an OAuth 2.0 server that can be used to add authentication and conditional access to your internal enterprise mobile apps, such as adding mobile SSO or device compliance check at login time. Refer to these how-to guides and sample app to learn more.

  • Self-service Active Directory change password

    Workspace ONE users can change their Active Directory password anytime from their account settings page. Also, if the Active Directory password expired, the next time users log in to Workspace ONE, they are asked to change their password. This feature is an optional features and requires VMware Identity Manager 2.8 and VMware Identity Manager Connector 2016.11.1 or above to connect to Active Directory.


  • Workspace ONE Getting Started wizard in AirWatch console

    If you are an existing AirWatch customer, enabling the Workspace ONE app has become even simpler. Walkthrough the getting started wizard in the AirWatch admin console, and you are ready to log in to the Workspace ONE app with VMware Identity Manager configured behind the scenes.

  • Local directories and users
  • Create and manage multiple local directories each with its own user schema. For example, you can create a directory for contractors and another one for partners. No need to manage users and groups in Active Directory or LDAP. Use VMware Identity Manager to manage the complete lifecycle (create, update, delete) for the user, including password management, and entitle local users to applications.

  • User provisioning to Office 365 and Google Apps

    Create, update, and deactivate user accounts in Office 365 and Google Apps when users are assigned or unassigned to these apps. When a user leaves the company, you no longer have to go into the Office 365 or Google Apps admin console to deactivate the user. It can be automated through Workspace ONE. Both local and Active Directory/LDAP users are supported.

  • External approval support for Horizon & Citrix apps

    Workspace ONE allows for self-service access request for Web applications through external workflow engines. Self-service access request is now available with Horizon and Citrix apps.

  • Support for on-premises approval workflow systems

    Approval workflow systems which are in on-premises data centers and not accessible from the VMware Identity Manager Cloud can now be integrated through the VMware Identity Manager connector. The VMware Identity Manager connector can route approval request message from the VMware Identity Manager Cloud service to an on-premises approval application and communicate back the response message.


  • Microsoft SQL server 2016 supported

    With this release, the Microsoft SQL server 2016 database can be used with VMware Identity Manager, including the Always ON functionality.


VMware Identity Manager 2.8 is available in the following languages:

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.0 U2+, 5.1+, 5.5, 6.0+

Browser Compatibility for the VMware Identity Manager administration console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see Installing and Configuring VMware Identity Manager guide.

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Upgrading to VMware Identity Manager 2.8

To upgrade to 2.8, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.


To access the VMware Identity Manager 2.8 documentation, go to the VMware Identity Manager Documentation Center.

Known Issues

  • Reset View desktop option is not working

    Users cannot reset their unresponsive View desktops from the Workspace ONE apps portal.

    Workaround: User can reset the desktop directly from the Horizon Client desktop menu icon.

  • An administrator cannot reset his own VMware Verify enrollment

    Workaround: Log in as another administrator and reset the other administrator VMware Verify enrollment.

  • When trying to create or edit a Network range the Cancel button does not cancel the changes

    Workaround: Re-edit the network range text box to undo the changes you do not want.

  • Citrix XenApp launch fails on Android with Chrome browser

    XenApp fails to launch when using the Chrome browser on an Android device.

    Workaround: Use Chrome 54.0 or later.

  • Citrix XenApp launch fails on Firefox

    The Citrix Receiver is not automatically activated.

    After the user allows the Citrix Receiver plug-in to run, the launch will be successful.

  • Citrix XenApp is not launched using Client Access URL host

    The Client Access URL Host is used to launch Citrix resources only when NetScaler option is selected in Network Ranges. Otherwise, the server specified on the sync page is used.

  • Horizon Air static desktop might fail from VMware Identity Manager when identity manager is setup for high availability.
  • Workaround: The admin must configure Horizon Air in all the connectors in their deployment. They can set the sync frequency in one of the connectors to be on a schedule. In the other connectors, the sync frequency should be set as Manual.

  • Issues with Access Point integration with VMware Identity Manager

    • Admin users logging in from external networks will not be able to access the admin console from their portal page when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Administrators should VPN into the internal network to access the admin console from an external network.

    • ThinApp packages cannot be downloaded when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Set the ThinApp package installation mode to COPY_TO_LOCAL (default) or RUN_FROM_SHARE.