check-circle-line exclamation-circle-line close-line

VMware Identity Manager 3.1 | 07 December 2017 | Build 7291215

VMware Identity Manager Connector 2017.12.1 | 07 December 2017 | Build 7291216

VMware Identity Manager Integration Broker 3.1 | 07December 2017 | Build 7245433

VMware Identity Manager Desktop 3.0 | 21 September 2017 | Build 6585499

Release date: December 7, 2017

Updated December 14, 2017

What's in the Release Note

The release notes cover the following topics:

What's New in the Release

Workspace ONE User Experience

  • Support for iOS DEP Use Cases Where SAML Authentication is Required

    • There has long been a gap in Apple DEP enrollment for scenarios where a customer is leveraging SAML for user authentication, as this is not supported on DEP devices. Now admins can stage the device, leverage Workspace ONE for SAML authentication, and dynamically switch the device assignment to the authenticated user. Any apps, profiles, or resources assigned to the authenticated user is then pushed to the device.

    • Note: v3.2 of the Workspace ONE application is required to use this feature. (Planned release December 2017)
  • Improved Searching in Workspace ONE Catalog
    • In addition to App names and Categories, now users can search within application description. When you search, the search terms are highlighted in the results.
  • New People Search App
    • You can download the VMware People Search app from the Apple App Store. People Search can be enabled in the VMware Identity Manager admin console to sync people hierarchy and pictures.
    • Note:  Customer that were using People Search during Beta, before the VMware Identity Manager 3.1 release, must re-enable the People Search Attribute to generate the People Search OAuth2 template. People Search will not work if the OAuth2 template is not created.
  • Applications can be Categorized as Recommended
    • A predefined category named Recommended is now available in the Catalog. Apps can now be categorized as “Recommended” to let your users know they are advised to use those apps. You can still tag apps with multiple categories including “Recommended”. Apps that are categorized as Recommended are displayed in the Recommended filter on the Workspace ONE Catalog page.  Users can filter using the category to see list of Recommended apps and bookmark recommended apps to add them to the Bookmark page.
  • Improved performance in Workspace ONE browser and app experience
    • End users will see faster loading of apps, bookmarks, and catalog tabs.

Conditional Access & Unified Catalog

  • Improved Manageability for Horizon and Citrix Application Integration
    • Virtual Apps Collection is a new feature that improves manageability of your Horizon and Citrix integrations. Instead of a single connector syncing resources, you can now split resources to be synced across multiple connectors. It also provides automatic failover to a secondary connector for synchronization if the primary connector is down. You now have the ability to sync resources present on multiple domains without a trust relationship. Finally, we have provided an easy to use wizard to migrate your current Horizon & Citrix resources sync to this new approach.
    • Once Citrix resources are migrated to Virtual Apps Collection, you must configure the SSO Integration Broker with HTTPS before you can edit the XenApp profile.
  • Citrix XenApp App & Desktop Visibility
    • When syncing entitlements from Citrix into VMware Identity Manager, you can include visibility restrictions to determine which applications or desktops within a Delivery Group are accessible through Workspace ONE. For apps, this is done through published app's limit visibility page and Application Groups. For desktops, it is done on Desktops page under Delivery Group.


  • Connector sync performance improvements
    • To improve performance, when Active Directory groups are added to Identity Manager, their members are not immediately added to the VMware Identity Manager. When resources are entitled to a group, their members are added to VMware Identity Manager.

VMware Identity Manager Service

  • Improved Flexibility in Deploying Certificate Authentication in the DMZ.
    • Certificate authentication is no longer defaulted to port 443 in the VMware identity Manager installers. Default  is port 7443. Ability to install an additional SSL cert for use with certificate authentication. Ability to customize certificate authentication port.  This allows for the use of load balancers which inspect or terminate SSL.
      • VMware Identity  Manager Appliance (Linux).  You can update the port number from admin console Appliance Settings > Manage Configuration > Install Certificate page.
      • VMware Identity Manager (Windows).  Manually change this port number in the file. 
        1. Stop the VMware Identity Manager service. 
        2. Enter the port number to the https.passthrough.port property in file. which can be found in this path C:\AirWatch\VMwareIdentityManager\opt\vmware\horizon\workspace\conf.
        3. Restart the service.


VMware Identity Manager 3.0 is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  •  Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.5, 6.0+

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Browser Compatibility for the VMware Identity Manager Administration Console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see the  Installing and Configuring VMware Identity Manager guide.

Upgrading to VMware Identity Manager 3.1

To upgrade to 3.1, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so if only one connector is configured plan the upgrade with the expected downtime in mind.

If you integrate Citrix published resources with VMware Identity Manager, consider upgrading to the latest version of the Integration Broker. Integration Broker 3.1 includes performance improvements. Note: You must be running Integration Broker 3.1 or later with the VMware Identity Manager 3.1 service.

The following is applicable only if you are upgrading from 2.9.2 or earlier.  If you are upgrading from or 3.0, the following does not apply.

The equivalent version of 2.9.2 connector is 2017.7.1.0

When Horizon is configured in VMware Identity Manager and VMware Identity Manager is set up in a cluster, when you upgrade VMware Identity Manager, you must reconfigure Horizon in the service as follows.

  1. In the primary VMware Identity Manager connector, remove all the Horizon pods and add them back. Save and Sync.
  2. In the replica connectors, remove all the Horizon pods and add them back. Save.

Upgrading from 2016.11.1 Connector

Before you upgrade from the 2016.11.1 connector to the latest connector. See KB article 2149179 Upgrading from VMware Identity Manager Connector 2016.11.1

Upgrading from VMware Identity Manager 2.7.1

To upgrade VMware Identity Manager 2.7.1 to 3.1, you must first upgrade to 2.9.2.x. See KB article 2151825 Upgrading from VMware Identity Manager 2.7.1 to VMware Identity Manager 3.1.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.

Java Upgrades for VMware Identity Manager on Windows

Automatic update of Java (Java Update) on Windows is not supported with VMware Identity Manager because when the older version of java is removed, the certificates stored in the JAVA_HOME/lib/security/cacerts are also removed.

When VMware Identity Manager 3.1 and later is installed on Windows, users can run the reloadInstallRootCerts.bat script to update java on Windows. For 3.1, this updates Java to JRE 8 152.

1. Stop the VMware Identity Manager, Cert Proxy, and Elastic Search services.

2. Updated the JAVA_HOME environment variable to point to new JRE.

3. Set crypto.policy=unlimited as in %JAVA_HOME%/lib/security.

4. Run <INSTALL_DIR>\VMwareIdentityManager\usr\local\horizon\scripts\reloadInstalledRootCerts.bat through cmd prompt as administrator.

5. Start VMware Identity Manager, Cert Proxy, and Elastic Search services.


The VMware Identity Manager 3.1 documentation is in the VMware Identity Manager documentation center.

Resolved Issues

  • When creating Workspace identity provider, the IDP name that is configured is not saved. 

    When a new Workspace identity provider is configured and given a unique name, the IDP is saved with the name Workspace _IDP2, not the unique name that was configured.

  • When upgrading to the latest Identity Manager Desktop Client, the shortcut of Identity Manager Desktop is not removed.

    When a newer version of the Identity Manager Desktop Client is installed, a shortcut link is added to the All Programs view, but the older version, called Identity Manager Desktop is not removed.

  • Icon is Missing When Exporting an application from the Catalog

    When an application is exported from the VMware Identity Manager Catalog, the zip file does not contain the icon for the app.

  • Jira HW-74884  Unable to update jdbc string following Windows IDM Installation

    After VMware Identity Manager is installed and the database needs to be setup as "always on synchronous", jbdc string should be changed to reflect multiSubnetFailover=true. There is a syntax error preventing this from automatically changing to true.

  • Issue when XenApp Launches in Workspace ONE on iOS Devices Resolved

    Resolved an issue where user was being prompted for password when launching Horizon/Citrix resources after the Workspace ONE app is relaunched.

Known Issues

  • People Search OAuth2 template is not created for Beta customers.

    Beta customers using the People Search application during Beta, before the VMware Identity Manager 3.1 release, did not use to the People Search OAuth2 template. This template must be created.

    To create the OAuth2 template for People Search, re-enable the People Search application in the VMware Identity Manager admin console Catalog > Settings > People Search page.

  • Directory Sync Does Not Remove All Expected Groups From the Service.

    When running a directory sync to remove a large number of groups, for example more than 50% of the groups, the sync might not remove all groups.

    Start the directory sync again.

  • Request for ThinApp package does not change to Pending

    In the Workspace ONE apps portal, when users request a ThinApp package, request link does not change to Pending.

    Users must log in to their portal again. Then the Pending state displays for the ThinApp package.

  • Profile sync dry run results do not include a link for more details

    The user profile page does not include a link that shows the complete details and the add/delete/update results.

    No workaround.

  • When installing the certificate to terminate SSL on a load balancer in a Windows environment, the VMware Identity Manager service does not come up.

    When a cert is generated using the command openssl s_client-connect - showcerts and then save the cert in the admin console, the service stops. When restarted the certificate is not installed.

    A manual restart of the VMware Identity Manager service is required when installing a certificate to support SSL terminate on a load balancer.

  • Horizon app entitlements are not synced when a group is entitled to Horizon apps

    When users are initially synced when a group is entitled to Horizon apps, the user's user level entitlement to the Horizon app is not added to VMware Identity Manager.

    Add the individual users.  Configure the user DNs and sync the individual users.

  • In Windows Installation of VMware Identity Manager Incorrect Value for connector.api.version

    During an upgrade to VMware Identity Manager 3.1 in a Windows environment, the value of connector.api version is not updated and stays set at 3.  The version should be 5. 

    For Windows, when upgrading from an earlier version to VMware Identity Manager 3.1, update the connector.api.version property in
    “InstallPath\usr\local\horizon\conf\” to 5 after the upgrade.