VMware Identity Manager 3.2.0.1 Release Notes

VMware Identity Manager for Linux 3.2.0.1 | May 2018 | Build 8435214

VMware Identity Manager for Windows 3.2.0.1 | May 2018 | Build VMware_Identity_Manager_3.2.0.1_Full_Install.exe

VMware Identity Manager Connector 2018.1.1.1 | May 2018 | Build 8435207

VMware Enterprise Systems Connector 2018.1.1.1 | May 2018 | Build VMware Enterprise Systems Connector Installer.exe

VMware Identity Manager Integration Broker 3.2 | March 2018 | Build 8365776

VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055

Release date: May 10, 2018

What's New in VMware Identity Manager Service 3.2.0.1

  • Windows installer for VMware Identity Manager
    • A separate Windows installer is created just for VMware Identity Manager to make download and install faster.
    • Some configuration steps are removed from the installer. Now you can configure the VMware Identity Manager service using a web browser after installation is complete.
    • If you are on VMware Identity Manager for Windows 3.1 or earlier, upgrade to this release to receive the 3.2 features and bug fixes.
  • Configurator UI Enhancements for VMware Identity Manager (Windows)
    • Generate the cluster file and configure proxy settings through the configurator UI instead of the command line.
  • Citrix Integration
    • Integration Broker is now supported on Windows 2016 Server
    • Citrix app launch with Storefront API option no longer needs ICA configuration.
  • Diagnostic Improvements
    • The following health checks have been added to the System Diagnostics Dashboard to identify and resolve issues faster.
      • SSL pass-through cert
      • Access Control Service (ACS) health status
      • List of Installed CAs in the configurator
      • Database validation failure reason
      • Disk space usage of nodes
      • Elasticsearch health status and other details
  • Customer Experience Improvement Program
    • VMware's Customer Experience Improvement Program ("CEIP") provides information that helps VMware to improve our products and services, fix problems and advise you on how best to deploy and use our products. For more details, please see https://www.vmware.com/solutions/trustvmware/ceip.html

What's New for VMware Identity Manager 3.2

Workspace ONE User Experience

  • Better experience for applications and features that require VMware Tunnel
    • This improvement enhances the user experience by better informing users about whether an application has a dependency on the Tunnel app. Users are guided through the process of downloading the Tunnel app and initializing the Tunnel service in an intuitive way. The Tunnel installation and redirect will be available for Android devices when the Workspace ONE for Android application v3.2.1 is released.
  • Land users on the Catalog tab if no applications are bookmarked
    • When users launch Workspace ONE, the Catalog tab is displayed instead of an empty Bookmarks tab, if no applications have been bookmarked. When at least one application is bookmarked, users land on the Bookmarks tab when they launch Workspace ONE.
  • Ability to hide the Catalog or Bookmarks tab in Workspace ONE
    • Admins can hide either the Catalog or the Bookmarks tab in Workspace ONE to provide an experience that best suits their end user needs. These settings are in the Catalog > Settings > User Portal Configuration page. When a tab is hidden, users do not see an option to bookmark any apps.
  • Admin defined bookmarked apps
    • Admins can curate the first-time experience for their users by providing a set of preferred apps out of the box. Admins can select the applications that end users see in the Bookmarks page in the Workspace ONE portal or app. To achieve this, mark the applications as recommended apps. Then in the Catalog > Settings > User Portal Configuration page, select the option Show recommended apps in Bookmarks tab. Note: Applications that were previously un-bookmarked by the user are not displayed even if they are marked as recommended and this feature is enabled.

What's New in VMware Identity Manager Service 3.2

  • New Admin Console User Experience for Catalog and Access Policies
  • Role based access control (RBAC) for administrators
    • Three default administrator roles are available. Super Administrator with full access and control. Read-only Administrator with read-only access to view console information, such as reports. Directory Administrator with the ability to manage users, groups, and directories.
    • You can now create additional administrator roles with different levels of access in the admin console. For example, you could create an administrator role that manages the Catalog resources, but cannot entitle users to resources, nor create access policies.
    • To learn more about RBAC, see the blog, Introducing Role-Based Access Control in VMware Identity Manager 3.2.
  • F5 APM integration to launch Horizon 7 resources
    • If you deployed F5 APM (instead of VMware Unified Access Gateway) and would like to launch Horizon applications and desktops using VMware Identity Manager, you can configure F5 APM as an authenticated proxy in the DMZ. Refer to F5 documentation for version compatibility requirements for this feature.
  • OpenID Connect (OIDC) Applications in the Catalog
    • Apart from using SAML as a protocol to single sign-on (SSO) into applications, you can now use OIDC as a protocol to SSO into applications. You can assign users and access policies for OIDC applications in the same way as you do for SAML applications.
  • Reset Desktop for Horizon Cloud and Horizon 7
    • Users can now reset a Horizon Cloud or Horizon 7 desktop through the Workspace ONE portal or app. Resetting a remote desktop is equivalent to pressing the reset button on a physical computer to force the computer to restart. Reset can be used when a desktop operating system is unresponsive.
  • Enhanced Policy Actions
    • When creating a new policy rule for the default access policy or application-specific access policies, you can select actions such as "Authenticate Using", "Deny Access," and "Allow access with no further authentication" to control end user access based on conditions such as Network Ranges, Device Type, and Groups that users belong to. Previously, the ability to define how end users authenticated was supported, but with 3.2 admins have the flexibility to create fine-grained policy definitions. Note: Policy rules for the default access policy do not support the "Allow access with no further authentication" option.

Internationalization

VMware Identity Manager 3.2 is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.5, 6.0+

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Browser Compatibility for the VMware Identity Manager Administration Console

Latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and Internet Explorer 11

For other system requirements, see the Installing and Configuring VMware Identity Manager guide.

Security: Intel Spectre, Meltdown

Security fixes for the Spectre and Meltdown vulnerabilities. If you are using the virtual appliance for the connector or the server, upgrade your environment immediately to Identity Manager version 3.2, which includes the updated Linux kernel in the appliance to mitigate the security vulnerabilities CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown). See http://www.vmware.com/security/advisories/VMSA-2018-0007.html

Upgrading to VMware Identity Manager for Linux 3.2.0.1

To upgrade to VMware Identity Manager for Linux 3.2.0.1, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so if only one connector is configured, plan the upgrade with the expected downtime in mind.

Before you upgrade to 3.2.0.1, upgrade to 3.1. You must be running VMware Identity Manager 3.1 or 3.2 to upgrade to VMware Identity Manager 3.2.0.1.

If you integrate Citrix published resources with VMware Identity Manager, upgrade to the latest version of the Integration Broker. You must be running Integration Broker 3.2 with the latest VMware Identity Manager service.

Upgrading Connector

You can upgrade from 2017.8.1.0, 2017.12.1.0 and 2018.1.1.0 versions to the latest connector, 2018.1.1.1.

Upgrade from 2016.11.1 Connector. Before you can upgrade to the latest 2018.1.1.1 connector, you must upgrade the 2016.11.1 connector to 2017.12.1.99. See KB article 2149179, Upgrading from VMware Identity Manager Connector 2016.11.1.

Upgrading from VMware Identity Manager 2.7.1

To upgrade VMware Identity Manager 2.7.1 to 3.2, you must first upgrade to 2.9.2.x and then to 3.1. See KB article 2151825 Upgrading from VMware Identity Manager 2.7.1 to VMware Identity Manager 3.1.

Upgrading to VMware Identity Manager for Windows 3.2.0.1

Beginning with VMware Identity Manager for Windows 3.2.0.1, the AirWatch installer EXE setup file no longer includes the installation of VMware Identity Manager. A separate VMware Identity Manager EXE setup file can be downloaded from the My VMware download page.

VMware Identity Manager 3.1 (Windows) is installed as part of the AirWatch installations for AirWatch version 9.2.2 through 9.3.x.
To upgrade to version 3.2.0.1, VMware Identity Manager must be at version 3.1 for Windows.

This upgrade to 3.2.0.1 for Windows migrates the VMware Identity Manager installation directory from the AirWatch directory structure to a staging directory on the server. It then uninstalls the AirWatch directory and upgrades to VMware Identity Manager for Windows 3.2.0.1.

See the Migrate VMware Identity Manager for Windows guide in the VMware Identity Manager documentation center.

Upgrading VMware Enterprise Systems Connector (Windows)

To upgrade the VMware Enterprise Systems Connector, which includes the AirWatch Cloud Connector (ACC) and VMware Identity Manager Connector components, see VMware Enterprise Systems Connector Installation and Configuration for information about upgrading each component.

When both components are installed on a single Windows server, they must be upgraded together. In this case, ensure that you obtain the VMware Enterprise Systems Connector installer from the AirWatch console for upgrade. Run the installer and follow the prompts to upgrade both components. See Upgrading VMware Enterprise Systems Connector.

To be able to upgrade the ACC and VMware Identity Manager Connector components separately, install them on separate servers.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS 1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.

Documentation

The VMware Identity Manager 3.2 documentation, including updates for 3.2.0.1, is in the VMware Identity Manager documentation center.

Known Issues

  • Role-Based Access Control (RBAC) for Administrators Known Issues
    • To manage VMware Verify, the admin role requires the Identity and Access Management service as well as the Manage Users service.
    • Only the super administrator role can manage the ThinApp entitlements.
    • The super administrator role is required to get started with Virtual Apps Collection. When you select the Catalog > Virtual Apps > Virtual Apps Configuration tab for the first time, the Introducing Virtual Apps Collection link appears, and you need to click Get Started to display the Virtual Apps configuration page. This initial getting started flow requires a Super Admin role. After that, an administrator role with the Catalog service can manage the Virtual Apps Collection pages.
    • Only groups with fewer than 500 users in the group can be promoted to an administrator role.

    Workaround. None

  • New Admin Console User Experience for Catalog and Access Policy Pages Known Issues
    • Provisioning Adapter is not yet enabled for Socialcast, GoogleApps, Mozy and Vchs.
    • For Office 365, the provisioning adapter is not accessible when an application is added to the Web catalog. To access Provisioning, select Edit.
    • Import functionality is not available in the Catalog pages.
    • Web Apps cannot be filtered by Category.

    Workaround. None

  • ThinApp Integration with VMware Identity Manager is Supported Only when SMB1 is Enabled on Windows Servers

    To integrate ThinApp with VMware Identity Manager, SMB1 must be enabled on the Windows Servers.

    Workaround. None

  • Citrix Application Launch Fails when Older Connector is used with VMware Identity Manager 3.2

    For Citrix integration, you must use Connector version 2018.1.1.0 with VMware Identity Manager 3.2. If an older connector is used, application launch fails for users coming from an internal network. This issue occurs with new Citrix integrations set up in 3.2. Existing integrations continue to work.

    Workaround

    Edit all the internal network ranges and update the client access URL port to the Citrix XML port for internal network ranges.
    1. Select the Catalog > Virtual Apps tab.
    2. Click Virtual Apps Settings, then select Network Settings.
    3. Click the network range, update the port, and click Finish.

  • Existing Horizon Cloud Applications are not Associated with Any Access Policy.

    After VMware Identity Manager is upgraded to 3.2, existing Horizon Cloud applications are not associated with an access policy.

    Workaround: Edit the application and select the correct access policy to associate with the application. If applications are re-synced, the default access policy is automatically associated with the application.

  • Changes Made to AirWatch Settings are not seen Immediately in Cluster Environments

    When you integrate AirWatch with VMware Identity Manager and make changes to the AirWatch configuration, changes to the AirWatch configuration are only reflected on the node where the admin request hits. If end users access other nodes, they might not see the AirWatch apps, because the updated AirWatch configuration does not exist on the other nodes. State (cache) is not immediately updated across all nodes. The cache is updated after 24 hours.

    Workaround. Restart each VMware Identity Manager node when changes are made.

  • Horizon View IDDS Not Working

    In VMware Identity Manager 3.2.0.1, when configuring a Horizon Virtual App Collection, the configuration check box, Perform Directory Sync, cannot be enabled.

    Workaround: You might first sync in users and groups entitled to Horizon resources as part of Directory Sync, and then proceed to sync a Horizon Virtual App Collection. For more information and a potential workaround, contact Support.