VMware Identity Manager 3.2 | March 2018 | Build 8016174
VMware Identity Manager Connector 2018.1.1 | March 2018 | Build 7986908
VMware Identity Manager Integration Broker 3.2 | March 2018 | Build 7724548
VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055
Release date: March 15, 2018
What's in the Release Notes
The release notes cover the following topics:
- What's New in the Release
- Compatibility, Installation, and Upgrade
- Known Issues
Workspace ONE User Experience
- Better experience for applications and features that require VMware Tunnel
- This improvement enhances the user experience by better informing users about whether an application has a dependency on the Tunnel app. Users are guided through the process of downloading the Tunnel app and initializing the Tunnel service in an intuitive way. The Tunnel installation and redirect will be available for Android devices when the Workspace ONE for Android application v3.2.1 is released.
- Land users on the Catalog tab if no applications are bookmarked
- When users launch Workspace ONE, the Catalog tab is displayed instead of an empty Bookmarks tab, if no applications have been bookmarked. When at least one application is bookmarked, users land on the Bookmarks tab when they launch Workspace ONE.
- Ability to hide the Catalog or Bookmarks tab in Workspace ONE
- Admins can hide either the Catalog or the Bookmarks tab in Workspace ONE to provide an experience that best suits their end user needs. These settings are in the Catalog > Settings > User Portal Configuration page. When a tab is hidden, users do not see an option to bookmark any apps.
- Admin defined bookmarked apps
- Admins can curate the first time experience for their users by providing a set of preferred apps out of the box. Admins can select the applications that end users see in the Bookmarks page in the Workspace ONE portal or app. To achieve this, mark the applications as recommended apps. Then in the Catalog > Settings > User Portal Configuration page, select the option Show recommended apps in Bookmarks tab. Note: Applications that were previously un-bookmarked by the user are not displayed even if they are marked as recommended and this feature is enabled.
What's New in VMware Identity Manager Service
- New Admin Console User Experience for Catalog and Access Policies
- The VMware Identity Manager admin console Catalog pages and Policies pages have been redesigned with new navigation and a new look and feel. To become familiar with the new admin console pages, see UX Updates Coming to the VMware Identity Manager 3.2 Admin Console.
- Role based access control (RBAC) for administrators
- Three default administrator roles are available. Super Administrator with full access and control. Read-only Administrator with read-only access to view console information, such as reports. Directory Administrator with the ability to manage users, groups, and directories.
- You can now create additional administrator roles with different levels of access in the admin console. For example, you could create an administrator role that manages the Catalog resources, but cannot entitle users to resources or create access policies.
- To learn more about RBAC, see the blog, Introducing Role-Based Access Control in VMware Identity Manager 3.2.
- F5 APM integration to launch Horizon 7 resources
- If you deployed F5 APM (instead of VMware Unified Access Gateway) and would like to launch Horizon applications and desktops using VMware Identity Manager, you can configure F5 APM as an authenticated proxy in the DMZ. Refer to F5 documentation for version compatibility requirements for this feature.
- OpenID Connect (OIDC) Applications in the Catalog
- Apart from using SAML as a protocol to single sign-on (SSO) into applications, you can now use OIDC as a protocol to SSO into applications. You can assign users and access policies for OIDC applications in the same way as you do for SAML applications.
- Reset Desktop for Horizon Cloud and Horizon 7
- Users can now reset a Horizon Cloud or Horizon 7 desktop through the Workspace ONE portal or app. Resetting a remote desktop is equivalent to pressing the reset button on a physical computer to force the computer to restart. Reset can be used when a desktop operating system is unresponsive.
- Enhanced Policy Actions
- When creating a new policy rule for the default access policy or application-specific access policies, you can select actions such as "Authenticate Using", "Deny Access", and "Allow access with no further authentication" to control end user access based on conditions such as Network Ranges, Device Type, and Groups that users belong to. Previously, the ability to define how end users authenticated was supported, but with 3.2 admins have the flexibility to create fine-grained policy definitions. Note: Policy rules for the default access policy do not support the "Allow access with no further authentication" option.
VMware Identity Manager 3.2 is available in the following languages.
- Simplified Chinese
- Portuguese (Brazil)
VMware vCenter™ and VMware ESXi™ Compatibility
VMware Identity Manager supports the following versions of vSphere and ESXi.
- 5.5, 6.0+
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.
Browser Compatibility for the VMware Identity Manager Administration Console
Latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11
For other system requirements, see the Installing and Configuring VMware Identity Manager guide.
Security Intel Spectre, Meltdown
Security fixes for Spectre and Meltdown vulnerabilities. If you are using the virtual appliance for the connector or the server, upgrade your environment immediately to Identity Manager version 3.2, which includes the updated Linux kernel in the appliance to mitigate these security vulnerabilities: CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown). See http://www.vmware.com/security/advisories/VMSA-2018-0007.html
Upgrading to VMware Identity Manager 3.2
To upgrade to 3.2, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so if only one connector is configured, plan the upgrade with the expected downtime in mind.
Before you upgrade to 3.2, upgrade to 3.1. You must be running VMware Identity Manager 3.1 to upgrade to VMware Identity Manager 3.2.
If you integrate Citrix published resources with VMware Identity Manager, upgrade to the latest version of the Integration Broker. You must be running Integration Broker 3.2 with the VMware Identity Manager 3.2 service.
You can upgrade from 2017.8.1.0 and 2017.12.1.99 to the latest connector, 2018.1.1.0.
Upgrade from 2016.11.1 Connector. Before you can upgrade to the latest 2018.1.1.0 connector, you must upgrade the 2016.11.1 connector to 2017.12.1.99. See KB article 2149179 Upgrading from VMware Identity Manager Connector 2016.11.1
Upgrading from VMware Identity Manager 2.7.1
To upgrade VMware Identity Manager 2.7.1 to 3.2, you must first upgrade to 2.9.2.x and then to 3.1. See KB article 2151825 Upgrading from VMware Identity Manager 2.7.1 to VMware Identity Manager 3.1.
Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later
Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.
External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.
Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS 1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.
The VMware Identity Manager 3.2 documentation is in the VMware Identity Manager documentation center.
- Request for ThinApp package does not change to Pending
In the Workspace ONE apps portal, when users request a ThinApp package, the request link does not change to Pending.
- Profile sync dry run results do not include a link for more details
The user profile page does not include a link that shows the complete details and the add/delete/update results.
- When installing the certificate to terminate SSL on a load balancer in a Windows environment, the VMware Identity Manager service does not come up.
When a certificate is generated using the command openssl s_client -connect xx.xx.xx.xxx -showcerts and then saved in the admin console, the service stops. When the service is restarted, the certificate is not installed.
- Directory Sync Does Not Remove All Expected Groups From the Service.
When running a directory sync to remove a large number of groups, for example more than 50% of the groups, the sync might not remove all groups.
- People Search OAuth2 template is not created for Beta customers.
Beta customers using the People Search application during Beta, before the VMware Identity Manager 3.1 release, did not use the People Search OAuth2 template. This template must be created.
- Horizon app entitlements are not synced when a group is entitled to Horizon apps
When users are initially synced when a group is entitled to Horizon apps, the user's user level entitlement to the Horizon app is not added to VMware Identity Manager.
- In Windows Installation of VMware Identity Manager Incorrect Value for connector.api.version
During an upgrade to VMware Identity Manager 3.1 in a Windows environment, the value of connector.api.version is not updated and stays set at 3. The version should be 5.
- Role-Based Access Control (RBAC) for Administrators Known Issues
- To manage VMware Verify, the admin role will require Identity and Access Management service as well as the Manage Users service.
- Only the super administrator role can manage the ThinApp entitlements.
- The super administrator role is required to get started with Virtual Apps Collection. When you select the Catalog > Virtual Apps > Virtual Apps Configuration tab for the first time, the Introducing Virtual Apps Collection link appears, and you need to click Get Started to display the Virtual Apps configuration page. This initial getting started flow requires a Super Admin role. After that, an administrator role with the Catalog service can manage the Virtual Apps Collection pages.
- New Admin Console User Experience for Catalog and Access Policy Pages Known Issues
- Provisioning Adapter is not yet enabled for Socialcast, GoogleApps, Mozy and Vchs.
- For Office 365, the provisioning adapter is not accessible when an application is added to the Web catalog. To access Provisioning, select Edit.
- Import functionality is not available in the Catalog pages.
- Web Apps cannot be filtered by Category.
Workaround: Revert to the old user interface. Tenants can ask to have the new UI flag turned off.
- ThinApp Integration with VMware Identity Manager is Supported Only when SMB1 is Enabled on Windows Servers
To integrate ThinApp with VMware Identity Manager, SMB1 must be enabled on the Windows Servers.
- Citrix Application Launch Fails when Older Connector is used with VMware Identity Manager 3.2
For Citrix integration, you must use Connector version 2018.1.1.0 with VMware Identity Manager 3.2. If an older connector is used, application launch fails for users coming from an internal network. This issue occurs with new Citrix integrations set up in 3.2. Existing integrations continue to work.
Edit all the internal network ranges and update the client access URL port to the Citrix XML port for internal network ranges.
1. Select the Catalog > Virtual Apps tab.
2. Click Virtual Apps Settings, then select Network Settings.
3. Click the network range, update the port, and click Finish.
- Existing Horizon Cloud Applications are not Associated with Any Access Policy.
After VMware Identity Manager is upgraded to 3.2, existing Horizon Cloud applications are not associated with an access policy.
Workaround: Edit the application and select the correct access policy to associate with the application. If applications are re-synced, the default access policy is automatically associated with the application.