VMware Identity Manager 2.9.2.1 Release Notes

2.9.2.1 Release date: October 19, 2017

VMware Identity Manager 2.9.2.1 | 19 OCTOBER 2017 | Build 6912441

VMware Identity Manager Connector 2017.7.1.1 | 19 OCTOBER 2017 | Build 6912051

VMware Identity Manager Integration Broker 2.9.1 | 19 OCTOBER 2017 | Build 6849507

VMware Identity Manager Desktop 2.8 | 17 NOVEMBER 2016 | Build 4652980

2.9.2 Release date: July 27, 2017

2.9.1 Release date: May 25, 2017

Updates for 2.9.2.1

  • The Application Manager - Integrated Components section on the System Diagnostics Dashboard page now includes EhCache clustering health check details, including status, peer list of each node, and replication failure count.
  • In the Diagnostics Dashboard page, the check mark in the Clocks section is displayed as green when all nodes are in sync; yellow when trying to fetch time from a cluster node, and red when any of the node times are different. When a clock on a node is reset, the status returns to green.

Updates for 2.9.2

  • Improvements to the stability and speed of the Workspace ONE application
  • Improvements to the stability of the connector and syncing process
  • Miscellaneous bug fixes

What's New For VMware Workspace ONE App 3.0

Workspace ONE App 3.0 introduces a next-generation user experience on mobile, web, and desktop, along with new business capabilities that offer comprehensive support for BYOD and app catalog scenarios.

Web, iOS, Android, and Windows apps are available.

  • Engaging User Experience
    • New Bookmarks view: replaces Launcher view to provide easy access to favorite or frequently used apps.

      End users can expect any apps that were a favorite to automatically display in the bookmark tab. If an end user has not favorited any web or virtual apps, they start fresh with a blank bookmarks tab.

    • Catalog view: discover, open or install apps; web, mobile and virtual apps, all in one place. And now includes AirWatch web apps!
    • Catalog and Launcher have been combined. You can now launch web apps and install native apps from the same screen!
    • Pull down to refresh app list and install status in the Catalog view (iOS and Android).
    • Intuitive visual cue for mobile apps that require Workspace Services.
    • One-tap navigation to easily switch between Apps, Support and Settings.
    • New first-time onboarding experience. Learn more while we set up your workspace.
    • Adaptive Management screens help users understand benefits of enabling Workspace Services.
    • New Workspace ONE icon for a whole new look and feel!
  • Support for Spotlight Search (iOS)

    Spotlight Search has been integrated to provide a unified launch experience for web/native apps. An end user can now search both their home screen and Workspace ONE catalog at the same time!

  • New Support section that allows end users to learn more and request help

    Utilize Rage Shake to send logs to app developers (iOS).

  • Enhanced in-app search
    • Quick search by app name and category
    • Actionable search results; launch a web/virtual app or download a native app directly from the search results
  • Sign Out action deprecated in favor of Remove Account option

    This allows users to disconnect from the enterprise without IT touch (iOS and Android only).

  • Assisted activation for custom enterprise apps that use AirWatch SDK

    Supports SDK or wrapped apps; requires custom apps to run SDK v17.5 (iOS and Android only).

  • Integration to complex Organization Group hierarchies in AirWatch

    Customers can now take advantage of complex organization hierarchies in AirWatch with Workspace ONE. You can link domains to specific AirWatch Organization Groups in the VMware Identity Manager console. Workspace ONE users are verified and devices are registered to the target organization group in AirWatch.

    To use this feature on Windows 10 devices that will log in to Workspace ONE before they are enrolled into MDM, version 3.0 of the Workspace ONE app is required.

  • Terms of Use

    Ensure compliance by enforcing acceptance of company policies (terms of use) before using Workspace ONE.

  • Send Alerts to Workspace ONE users

    Admins can notify Workspace ONE users of upcoming system downtimes or compliance status, request actions, or send alerts. Notifications are sent from the AirWatch admin console and can be viewed as device notifications or in-app notifications.

  • Custom branding is enhanced

    The option to use color transparency for background images has been added.

What's New for VMware Identity Manager 2.9.1

VMware Identity Manager 2.9.1 and later includes support for the following new features.

Authentication and Access

  • Office 365 Conditional Access Enhancements

    VMware Identity Manager already provides conditional access control for Office 365 clients using Modern Authentication. There are other Office 365 clients, however, that use legacy username/password authentication. With this update of VMware Identity Manager, admins can increase security and reduce risk of data loss by using enhanced conditional access policies to control clients such as native iOS and Android email apps, older versions of Office, and email clients such as Thunderbird. This feature works for both managed and unmanaged devices.

  • Group Based Conditional Access Policies

    You can now apply different authentication policies based on a user's group membership. This feature can be used to enforce fine-grained access policies, for example, requiring multi-factor authentication only for contractors.

  • Configurable Login Experience

    You can now configure the login experience for your users. You can choose to let users provide email address, employeeID or other attributes such as username.

  • Custom branding is enhanced to include the use of color transparency for background images

  • SAML Enhancements
    • Support for HTTP POST SAML binding when configuring third-party identity providers.
    • You can generate a certificate signing request (CSR) from the admin console and use it to obtain a certificate from a certificate authority for SAML signing.
    • Support for encrypted SAML response.
  • Default launch option for Horizon apps and desktops

    A default launch option has been added with this release. Users can now set their preference of launching apps from the Browser or Native Client when launching apps or desktops. Admins also are now able to set this globally for all users as a managed setting that enforces the same behavior for all users.

  • Access Policy

    Improved access policy to include support for Horizon desktops and apps.

  • Custom ID Mapping for Horizon Cloud

    As with SAML apps, support has been added for additional username formats between IDM and Horizon Cloud.

  • Directory and Horizon Performance

    Both Active Directory and Horizon sync can now be configured to sync on shorter 15 minute intervals.

Deployment

  • VMware Identity Manager for Windows (with AirWatch)

    The VMware Identity Manager server is also available on Windows and included with AirWatch installer.

  • VMware Identity Manager Enterprise System Connector for Windows with AirWatch

    The VMware Identity Manager connector can be installed on Windows. The Enterprise System Connector installer includes the option to install AirWatch Cloud Connector or the VMware Identity Manager Connector. See the VMware AirWatch 9.1 release notes for more information.

  • Easily migrate from AirWatch Cloud Connector (ACC) to VMware Identity Manager connector for connecting to AD/LDAP

    If you are using ACC to connect to Active Directory and want to migrate to using the VMware Identity Manager connector to take advantage of additional capabilities such as MFA, Horizon & Citrix integrations, you can do it by clicking on the Convert button under Other Directory configuration used for ACC integration. All application entitlements are preserved with this change.

  • Citrix XenApp and XenDesktop Integration

    Because Citrix has declared end of life (EOL) for Citrix Web Interface, Citrix XenApp and XenDesktop integration has been migrated to use the Citrix StoreFront SDK.

Internationalization

VMware Identity Manager 2.9.X is available in the following languages:

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.5, 6.0+

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Browser Compatibility for the VMware Identity Manager Administration Console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see the Installing and Configuring VMware Identity Manager guide.

Upgrading to VMware Identity Manager 2.9.2.1

To upgrade to 2.9.2.1, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Important: When upgrading to 2.9.2.1 in a multi-data center deployment where the Elasticsearch discovery-idm plugin has been removed, note that the discovery-idm plugin is added back with the upgrade. For Elasticsearch to work again, the plugin must be removed after the upgrade. To remove discovery-idm, run this command:

JAVA_HOME=/usr/java/jre-vmware /opt/vmware/elasticsearch/bin/plugin -r discovery-idm

If Horizon is configured in VMware Identity Manager and VMware Identity Manager is set up in a cluster, you must reconfigure Horizon in the service when you upgrade VMware Identity Manager, as follows.

  1. In the primary VMware Identity Manager connector, remove all the Horizon pods and add them back. Save and Sync.
  2. In the replica connectors, remove all the Horizon pods and add them back. Save.

Note: Version 2.9.0 was not released externally; 2.9.1 was the first 2.9.X version released.

Before you upgrade from the 2016.11.1 connector to the latest connector, see the KB article 2149179, Upgrading from VMware Identity Manager Connector 2016.11.1.

Java Upgrades for VMware Identity Manager Connector on Windows

Automatic update of Java (Java Update) on Windows machines is not supported for the VMware Identity Manager connector because when the older version of Java is removed, the certificates stored in JAVA_HOME/lib/security/cacerts are also removed. Two options are available to update Java in the VMware Identity Manager connector on Windows machines.

  • If the Java update is through the VMware Identity Manager installer, restore the cacerts.sav (opt\vmware\horizon\workspace\install\cacerts.sav) file backed up through the installer to the JAVA_HOME\lib\security\ as cacerts. Restart the service.
  • To manually upgrade Java between VMware Identity Manager connector versions, first make a backup of JAVA_HOME\lib\security\cacerts before the Java upgrade. Copy the cacerts file manually and restore it to the newer Java location after the upgrade. Also change set.JAVA_HOME=C:\Program Files\Java\jre1.8.0_111 in opt/vmware/horizon/workspace/conf/wrapper.conf to the new JRE path.

    Note: the Java Unlimited Strength (JCE) policy files are a prerequisite in Windows. When you do a Java update, you might need to re-install JCE.
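
The manual option above, as an added PowerShell example that is not VMware's own tooling: it backs up cacerts, restores it into the new JRE only if its SHA-256 hash is unchanged, and repoints set.JAVA_HOME in wrapper.conf. The function names, the backup file name and the placeholder paths are assumptions; the full path to wrapper.conf depends on where the connector is installed.

```powershell
# Added example, not VMware tooling. Function and parameter names are hypothetical.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Backup-ConnectorCacerts {
    param(
        [Parameter(Mandatory)][string]$OldJavaHome,
        [Parameter(Mandatory)][string]$BackupDir
    )
    $source = Join-Path $OldJavaHome 'lib\security\cacerts'
    if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
        throw "cacerts not found at $source; back it up before Java is removed."
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir 'cacerts.bak'
    Copy-Item -LiteralPath $source -Destination $backup -Force
    # Return the hash so the restore step can prove the trust store is unchanged.
    (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash
}

function Restore-ConnectorCacerts {
    param(
        [Parameter(Mandatory)][string]$BackupDir,
        [Parameter(Mandatory)][string]$NewJavaHome,
        [Parameter(Mandatory)][string]$ExpectedHash,
        [Parameter(Mandatory)][string]$WrapperConf
    )
    $backup = Join-Path $BackupDir 'cacerts.bak'
    $target = Join-Path $NewJavaHome 'lib\security\cacerts'
    if ((Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash -ne $ExpectedHash) {
        throw 'Backup hash mismatch; refusing to install a modified trust store.'
    }
    Copy-Item -LiteralPath $target -Destination "$target.shipped" -Force  # keep the new JRE's own copy
    Copy-Item -LiteralPath $backup -Destination $target -Force
    if ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne $ExpectedHash) {
        throw "Restored cacerts at $target does not match the backup."
    }
    # Repoint the set.JAVA_HOME line in wrapper.conf to the new JRE.
    $lines = @(Get-Content -LiteralPath $WrapperConf)
    if (-not ($lines -match '^\s*set\.JAVA_HOME=')) {
        throw "No set.JAVA_HOME line found in $WrapperConf."
    }
    Copy-Item -LiteralPath $WrapperConf -Destination "$WrapperConf.bak" -Force
    $lines | ForEach-Object {
        if ($_ -match '^\s*set\.JAVA_HOME=') { "set.JAVA_HOME=$NewJavaHome" } else { $_ }
    } | Set-Content -LiteralPath $WrapperConf
}
# Usage: $h = Backup-ConnectorCacerts -OldJavaHome '<old JRE path>' -BackupDir '<backup dir>'
#        Restore-ConnectorCacerts -BackupDir '<backup dir>' -NewJavaHome '<new JRE path>' -ExpectedHash $h -WrapperConf '<path to wrapper.conf>'
```

Run the backup function before the Java upgrade and the restore function after it, then restart the connector service so the new wrapper.conf setting is read.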

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS 1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as default secure protocols.

Bulk Sync Changes in VMware Identity Manager 2.9.1

In 2.8.1, bulk sync was processed with 4 threads per CPU through a global config parameter in the database called 'bulkSyncThreadLimitPerCPU=4'.

In 2.9.1, the number of threads for bulk sync processing is not based on CPU. It is an absolute number and by default is the same as the number of CPUs on a node. If you sync large numbers of users and groups and you notice that sync is slow after upgrade, you can specify the number of threads by setting the global configuration parameter called 'bulkSyncSharedThreadCount'. Set the thread value in the database using the REST API, then restart the nodes for the changes to take effect.

See Configure Settings after Upgrade in the Upgrading to VMware Identity Manager 2.9.1 guide.

Documentation

To access the VMware Identity Manager 2.9.1 documentation, go to the VMware Identity Manager Documentation Center.

Resolved Issues

  • Generating CSR in Safari Browser Fails

    Safari browsers do not support downloading of the CSR that is generated.

  • Terms of Use with Workspace ONE with Android Does Not Work

    If the Terms of Use feature is enabled, users that download Workspace ONE for Android versions prior to the release of Workspace 3.0 for Android can possibly get a stack trace exception error after they log in. The user portal cannot be launched.

  • CSR for a signature algorithm SHA1 is not populated on the signing certificate

    The strongest available key is always selected. If your organization already uses an RSA, SHA256withRSA key, this key is used because a key with algorithm RSA, SHA1withRSA is the lower priority key.

  • Horizon 7 and Citrix XenApp might not launch on managed devices

Known Issues as of VMware Identity Manager 2.9.2.1

  • Save & Sync Does Not Work when a VMware Identity Manager Connector in a Cluster is down

    When a connector in a cluster is down, clicking Save & Sync does not open the dry run sync screen to proceed with the sync.

    Workaround: Close the Sync Settings page and click Sync now from the directory's main page.

  • When installing the 2.9.2.1 VMware Identity Manager Connector for Windows, Integration Broker 2.8.x is packed with the build, instead of 2.9.2.x.

    Workaround: Manually download the latest Integration Broker from the VMware Identity Manager 2.9 download page.

  • Uninstall issues with RabbitMQ on Windows

    When uninstalling VMware Identity Manager, RabbitMQ is not removed correctly; the service still exists on the server after the uninstall runs.

    Workaround: The issue is intermittent. When it occurs, kill the RabbitMQ process and then manually delete the remaining files after the install.

  • Issues with Access Point integration with VMware Identity Manager

    • Admin users logging in from external networks will not be able to access the admin console from their portal page when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Administrators should VPN into the internal network to access the admin console from an external network.

    • ThinApp packages cannot be downloaded when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Set the ThinApp package installation mode to COPY_TO_LOCAL (default) or RUN_FROM_SHARE.