
VMware Identity Manager 2.9.1 | 25 MAY 2017 | Build 5594761

VMware Identity Manager Connector 2017.5.1 | 25 May 2017 | Build 5594762

VMware Identity Manager Desktop 2.8 | 17 NOVEMBER 2016 | Build 4652980

VMware Identity Manager Integration Broker 2.9.1 | 25 May 2017 | Build 5582465

Release date: May 25, 2017

Updated July 20, 2017


What's New For VMware Workspace ONE App 3.0

Workspace ONE App 3.0 introduces a next-generation user experience on mobile, web, and desktop, along with new business capabilities that offer comprehensive support for BYOD and app catalog scenarios.

Update for July 20. Get ready! Web, iOS and Android apps are available now. Windows app coming soon.

  • Engaging User Experience
    • New Bookmarks view: replaces Launcher view to provide easy access to favorite or frequently used apps.

      End users can expect any apps that were a favorite to automatically display in the bookmark tab. If an end user has not favorited any web or virtual apps, they start fresh with a blank bookmarks tab.

    • Catalog view: discover, open or install apps; web, mobile and virtual apps, all in one place. And now includes AirWatch web apps!
    • Catalog and Launcher have been combined. You can now launch web apps and install native apps from the same screen!
    • Pull down to refresh app list and install status in the Catalog view (iOS and Android).
    • Intuitive visual cue for mobile apps that require Workspace Services.
    • One-tap navigation to easily switch between Apps, Support and Settings.
    • New first-time onboarding experience. Learn more while we set up your workspace.
    • Adaptive Management screens help users understand benefits of enabling Workspace Services.
    • New Workspace ONE icon for a whole new look and feel!
  • Support for Spotlight Search (iOS)

    Spotlight Search has been integrated to provide a unified launch experience for web/native apps. An end user can now search both their home screen and Workspace ONE catalog at the same time!

  • New Support section that allows end users to learn more and request help

    Utilize Rage Shake to send logs to app developers (iOS).

  • Enhanced in-app search
    • Quick search by app name and category
    • Actionable search results; launch a web/virtual app or download a native app directly from the search results
  • Sign Out action deprecated in favor of Remove Account option

    This allows users to disconnect from the enterprise without IT touch (iOS and Android only).

  • Assisted activation for custom enterprise apps that use AirWatch SDK

    Supports SDK or wrapped apps; requires custom apps to run SDK v17.5 (iOS and Android only).

  • Integration to complex Organization Group hierarchies in AirWatch

    Customers can now take advantage of complex organization hierarchies in AirWatch with Workspace ONE. You can link domains to specific AirWatch Organization Groups in the VMware Identity Manager console. Workspace ONE users are verified and devices are registered to the target organization group in AirWatch.

    To use this feature on Windows 10 devices that will log in to Workspace ONE before they are enrolled into MDM, version 3.0 of the Workspace ONE app is required.

  • Terms of Use

    Ensure compliance by enforcing acceptance of company policies (terms of use) before using Workspace ONE.

  • Send Alerts to Workspace ONE users

    Admins can notify Workspace ONE users of upcoming system downtime or compliance status, request actions, or send alerts. Notifications can be sent via the AirWatch admin console and can be viewed as device notifications or in-app notifications.

  • Custom branding is enhanced

    The option to use color transparency for background images has been added.

What's New for VMware Identity Manager 2.9.1

VMware Identity Manager 2.9.1 includes support for the following new features.

Authentication and Access

  • Office 365 Conditional Access Enhancements

    VMware Identity Manager already provides conditional access control for Office 365 clients using Modern Authentication. There are other Office 365 clients, however, that use legacy username/password authentication. With this update of VMware Identity Manager, admins can increase security and reduce risk of data loss by using enhanced conditional access policies to control clients such as native iOS and Android email apps, older versions of Office, and email clients such as Thunderbird. This feature works for both managed and unmanaged devices.

  • Group Based Conditional Access Policies

    Now you can apply different authentication policies based on a user's group membership. This feature can be used to enforce fine-grained access policies, for example, requiring multi-factor authentication only for contractors.

  • Configurable Login Experience

    You can now configure the login experience for your users. You can choose to let users provide email address, employeeID or other attributes such as username.

  • Custom branding is enhanced to include the use of color transparency for background images

  • SAML Enhancements
    • Support for HTTP POST SAML binding when configuring third-party identity providers.
    • You can generate a certificate signing request (CSR) from the admin console and use it to obtain a certificate from a certificate authority for SAML signing.
    • Support for encrypted SAML response.
  • Default launch option for Horizon apps and desktops

    A default launch option has been added with this release. Users can now set their preference of launching apps from the Browser or Native Client when launching apps or desktops. Admins also are now able to set this globally for all users as a managed setting that enforces the same behavior for all users.

  • Access Policy

    Improved access policy to include support for Horizon desktops and apps.

  • Custom ID Mapping for Horizon Cloud

    As with SAML apps, support has been added for additional username formats between IDM and Horizon Cloud.

  • Directory and Horizon Performance

    Both Active Directory and Horizon sync can now be configured to sync at shorter, 15-minute intervals.


  • VMware Identity Manager for Windows (with AirWatch)

    The VMware Identity Manager server is also available on Windows and is included with the AirWatch installer.

  • VMware Identity Manager Enterprise System Connector for Windows with AirWatch

    The VMware Identity Manager connector can be installed on Windows. The Enterprise System Connector installer includes the option to install AirWatch Cloud Connector or the VMware Identity Manager Connector. See the VMware AirWatch 9.1 release notes for more information.

  • Easily migrate from AirWatch Cloud Connector (ACC) to VMware Identity Manager connector for connecting to AD/LDAP

    If you are using ACC to connect to Active Directory and want to migrate to using the VMware Identity Manager connector to take advantage of additional capabilities such as MFA, Horizon & Citrix integrations, you can do it by clicking on the Convert button under Other Directory configuration used for ACC integration. All application entitlements are preserved with this change.

  • Citrix XenApp and XenDesktop Integration

    Because Citrix has announced end of life (EOL) for Citrix Web Interface, Citrix XenApp and XenDesktop integration has been migrated to use the Citrix StoreFront SDK.


VMware Identity Manager 2.9.1 is available in the following languages:

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.5, 6.0+

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Browser Compatibility for the VMware Identity Manager Administration Console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see the Installing and Configuring VMware Identity Manager guide.

Upgrading to VMware Identity Manager 2.9.1

To upgrade to 2.9.1, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Note: Existing customers will upgrade to 2.9.1. Version 2.9 was not released externally.

Before you upgrade from the 2016.11.1 connector to the latest connector, see KB article 2149179, Upgrading from VMware Identity Manager Connector 2016.11.1.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS 1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as default secure protocols.

Bulk Sync Changes in VMware Identity Manager 2.9.1

In 2.8.1, bulk sync was processed with 4 threads per CPU through a global configuration parameter in the database called 'bulkSyncThreadLimitPerCPU=4'.

In 2.9.1, the number of threads for bulk sync processing is not based on CPU. It is an absolute number and by default is the same as the number of CPUs on a node. If you sync large numbers of users and groups and you notice that sync is slow after upgrade, you can specify the number of threads by setting the global configuration parameter called 'bulkSyncSharedThreadCount'. Set the thread value in the database using the REST API, then restart the nodes for the changes to take effect.

See Configure Settings after Upgrade in the Upgrading to VMware Identity Manager 2.9.1 guide.


To access the VMware Identity Manager 2.9.1 documentation, go to the VMware Identity Manager Documentation Center.

Known Issues

  • Generating CSR in Safari Browser Fails

    Safari browsers do not support downloading the generated CSR.

    Workaround. Select and copy the CSR manually and save to a text editor.

  • Terms of Use with Workspace ONE with Android Does Not Work

    If the Terms of Use feature is enabled, users who download Workspace ONE for Android versions prior to the release of Workspace 3.0 for Android can possibly get a stack trace exception error after they log in. The user portal cannot be launched.

    Workaround. Do not enable the terms of use for Android devices until the Workspace ONE 3.0 for Android app is released.

  • CSR for a signature algorithm SHA1 is not populated on the signing certificate

    The strongest available key is always selected. If your organization already uses an RSA, SHA256withRSA key, this key is used because a key with algorithm RSA, SHA1withRSA is the lower priority key.

  • Horizon 7 and Citrix XenApp might not launch on managed devices

    When a XenApp and Horizon 7 app is redirected to unmanaged Citrix Receiver or unmanaged Horizon Client, the apps are not launched.

    Workaround. Uninstall the unmanaged clients. XenApp and Horizon 7 apps that are redirected to a managed Citrix Receiver or Horizon Client launch successfully.

  • Issues with Access Point integration with VMware Identity Manager

    • Admin users logging in from external networks will not be able to access the admin console from their portal page when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Administrators should VPN into the internal network to access the admin console from an external network.

    • ThinApp packages cannot be downloaded when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Set the ThinApp package installation mode to COPY_TO_LOCAL (default) or RUN_FROM_SHARE.
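
The two CSR known issues above (copying the CSR by hand from Safari, and the SHA256withRSA key being chosen over SHA1withRSA) can both be checked on the saved text before it is sent to a certificate authority. The following is an added example, not VMware code: a standard-library Python check that a pasted PKCS#10 request is structurally intact and which signature algorithm it names. It does not verify the signature, and `SAMPLE_CSR` and the function names are constructed for illustration.

```python
import base64
import binascii

# DER-encoded OIDs of the two signature algorithms named in the known issue.
SIG_ALGS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}
ARMOR = ("-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----")
# Constructed sample: a CSR-shaped DER skeleton (version-only request info, SHA-256/RSA
# algorithm identifier, placeholder signature bits). Not a request a CA would accept.
SAMPLE_CSR = ARMOR[0] + "\nMBkwAwIBADANBgkqhkiG9w0B\nAQsFAAMDAAAA\n" + ARMOR[1] + "\n"


def read_tlv(buf, pos):
    """Read one DER element at pos and return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("DER data ends inside an element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return tag, pos, pos + length


def csr_signature_algorithm(pem_text):
    """Return the signature algorithm name of a pasted PKCS#10 CSR, or raise ValueError."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or (lines[0], lines[-1]) != ARMOR:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST lines are missing")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError("CSR body is not valid base64") from exc
    tag, start, end = read_tlv(der, 0)  # outer CertificationRequest SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE does not span the data (damaged paste)")
    _, _, info_end = read_tlv(der, start)  # skip certificationRequestInfo
    alg_tag, alg_start, _ = read_tlv(der, info_end)  # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (alg_tag, oid_tag) != (0x30, 0x06):
        raise ValueError("signatureAlgorithm is not where PKCS#10 puts it")
    oid = der[oid_start:oid_end]
    return SIG_ALGS.get(oid, "unknown OID " + oid.hex())
```

A paste that lost a line fails the length check with a `ValueError` instead of reaching the certificate authority as a malformed request.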