check-circle-line exclamation-circle-line close-line

VMware Identity Manager 3.3 Release Notes

VMware Identity Manager for Linux 3.3 | September 2018 | Build 10084102

VMware Identity Manager for Windows 3.3 | September 2018 | Build VMware Identity Manager_3.3.0.0_Full_Install.exe

VMware Identity Manager Connector (Linux) 2018.8.1 |  September 2018 | Build 10084104

VMware Identity Manager (Windows) 2018.8.1 | September 2018 | Build VMware Identity Manager Connector 2018.8.1.0 Installer.exe

VMware Identity Manager Integration Broker 3.3 | September 2018 | Build 9588001

VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055

Release date: September 18, 2018

What's in the Release Notes

The release notes cover the following topics:

What's New for VMware Identity Manager 3.3

Workspace ONE User Experience

  • Enhancement to Identifier Based Login
    • We have enhanced the identifier-based login so that users are not prompted to re-enter their email address again post auto-discovery, if configured to propagate email address used for auto-discovery.
    • This feature is currently supported for user name/password-based authentication methods only.
  • Managed App Configuration to Disable the Remove Account Setting
    • Admins can now disable the Remove Account option while using Workspace ONE as an app catalog for Agent-enrolled devices. Disabling this option can prevent accidental un-enrolls triggered by users trying to log out from Workspace ONE.

What's New in VMware Identity Manager Service 3.3

  • Migration to Virtual App Collection

    • With this release, administrators will need to migrate their existing Virtual App and Desktop Integration such as Horizon, Citrix, Horizon Cloud and ThinApp into Virtual App Collections before they can modify existing or add new integrations with VMware Identity Manager. See Migrating Existing Configurations to Virtual Apps Collection in the VMware Identity Manager Resources Guide.
  • Better Error Messaging to Troubleshoot Horizon, Horizon Cloud, and Citrix Launch Failures through VMware Identity Manager
    • Admins can now easily troubleshoot launch failures by seeing error messages about the root cause and steps to resolve right through the VMware Identity Manager console. Navigate to Dashboards -> Reports -> Audit Events Report. Set the Type as LAUNCH (or LAUNCH_ERROR).  Run the report and click View Details and scroll down to the “failure message” section to see the error details and steps to troubleshoot.
  • Diagnostics Improvements
    • Admins can now see the following diagnostic data on the VMware Identity Manager console.
      • RabbitMQ health status

      • Android Mobile SSO (Cert Proxy)

      • iOS Mobile SSO (KDC/Hybrid KDC health)

      • DNS access from service/connector

      • Connectivity to all required clustered ports.

  • Cluster Related Enhancements

    • In multi-data centers clusters, the VMware Identity Manager console will show service nodes grouped by data centers.

  • Fault Resiliency Improvements

    • Rate Limiter resiliency technique enforced on VMware Identity Manager service and connector REST API’s to protect against burst of request that can eventually bring down the VMware Identity Manager service and connector. Communication Channel (Service to Connector communication) is now network fault tolerant and protects against service becoming unresponsive when there is a network glitch.

    • VMware Identity Manager service is now more resilient to Domain Controller (DC) down time during login. It can route the login requests to the next available Domain Controller. It periodically (24 hours) scans the available Domain Controllers, prepares the list of fast responding DCs and use it for next 24 hours.

  • OpenID Certification

    • VMware Identity Manager is OpenID Connect certified.

  • Support JIT Users for Group Based Policies

    • Currently when a group-based access policy is configured, Just-In-Time (JIT) users cannot log in because they don’t belong to any group. With this release, “ALL Users” based access policy will be applied to these users instead of group-based access policy.

  • Administrator User SSO

    • VMware Identity Manager local user can do single sign-on to the Workspace ONE UEM console.

  • Support for UDID in Subject DN

    • iOS mobile SSO feature now supports the placement of the UDID value into the "CN" field on the subject DN.

  • Set up Android Mobile SSO using the Configurator UI from the VMware Identity Manager console

    • Android Mobile SSO can now be enabled and configured from the configurator UI instead of using the command line script and editing files.

  • On Windows Generate Cluster file using Configurator UI of group-based access policy.

    • On Windows machines, the cluster file can now be generated in the configurator UI instead of from a command line script.

  • Federating Access to Amazon AppStream 2.0 from VMware Workspace ONE

    • Workspace ONE admins can now configure Amazon AppStream 2.0 through VMware Identity Manager's SaaS application catalog so that end users can single sign-on into Amazon AppStream directly through their Workspace ONE portal. See the blog for configuration details.

End of Support for VMware Identity Manager Integration with Citrix XenApp 5.x

  • VMware Identity Manager will no longer support integration of XenApp 5.x versions. All other currently supported versions of XenApp and XenDesktop will continue to be supported. For more information see this knowledge base article.

Internationalization

VMware Identity Manager 3.3 is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  •  Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager appliance supports the following versions of vSphere and ESXi.

  • 5.5, 6.0+

VMware identity Manager on Windows machines supports the following version of Windows Server

  • Windows Server 2008 R2
  • Windows Server 2012 R2
  • Windows Server 2016

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Verified VMware Identity Manager integration with Citrix Virtual Apps & Desktops (previously XenApp & XenDesktop) versions 7 1808 and 7.18. Tested use case was with the end users doing internal and external launches (via Netscaler) of their entitled Citrix resources from the Workspace ONE portal.

Browser Compatibility for the VMware Identity Manager Administration Console

Latest versions of Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, and  Internet Explorer 11

For other system requirements, see the VMware Identity Manager Installation guides for 3.3 on the VMware Identity Manager documentation landing center.

Upgrading to VMware Identity Manager 3.3 (Linux)

To upgrade to VMware Identity Manager for Linux 3.3, see Upgrading VMware Identity Manager 3.3 (Linux) on the VMware Identity Manager documentation landing center. During the upgrade, all services are stopped, so if only one connector is configured plan the upgrade with the expected downtime in mind.

You must be running VMware Identity Manager version 3.2. or 3.2.0.1 to upgrade to VMware Identity Manager 3.3.

If you integrate Citrix published resources with VMware Identity Manager, upgrade to the latest version of the Integration Broker. You must be running Integration Broker 3.3 with the VMware Identity Manager latest service.

Note: When you upgrade to VMware Identity Manager 3.3 for Linux, if you see the following error message and the upgrade is aborted, follow these steps to update the certificate. After the certificate is updated, restart the upgrade.

"Certificate auth configuration update required for tenant <tenantName> prior to upgrade. Pre-update check failed, aborting upgrade."
  1. Log in to the VMware Identity Manager console.
  2. Navigate to Identity & Access Management > Setup.
  3. In the Connectors page, click the link in the Worker column
  4. Click the Auth Adapters tab, then click CertificateAuthAdapter.
  5. In the Uploaded CA Certificates section, click the red X next to the certificate to remove it.
  6. In the Root and intermediate CA Certificates section, click Select File to re-add the certificate.
  7. Click Save.

Upgrading Connector

You can upgrade from 2017.8.1.0, 2017.12.1.0, 2018.1.1.0, and 2018.1.1.1 versions to the latest connector, 2018.8.1

Upgrading from VMware Identity Manager 2.7.1

To upgrade VMware Identity Manager 2.7.1, you must first upgrade to 2.9.2.x, then to 3.1, and then to 3.2.0.1, before upgrading to 3.3. See KB article 2151825 Upgrading from VMware Identity Manager 2.7.1 to VMware Identity Manager 3.1.

Upgrading to VMware Identity Manager 3.3 (Windows)

You can upgrade from 3.2.0.1 to 3.3. See the VMware Identity Manager 3.3 Upgrade guide.

If you are using a version earlier than 3.2.0.1, you must migrate from AirWatch. Beginning with VMware Identity Manager for Windows 3.2.0.1, the AirWatch installer EXE setup file no longer included the installation of VMware Identity Manager. A separate VMware Identity Manager EXE set up file can be downloaded from the My VMware download page.

  • VMware Identity Manager 3.1 (Windows) is installed as part of the AirWatch installations for AirWatch version 9.2.2 through 9.3.x.
  • To migrate to version or 3.3, VMware Identity Manager must be at version 3.1 for Windows.
  • This migration to 3.3 for Windows moves the VMware identity Manager installation directory from the AirWatch directory structure to a staging directory on the server. Uninstalls the AirWatch directory and upgrades to VMware Identity Manager for Windows 3.3. 
  • See the Migrate VMware Identity Manager for Windows guide in the VMware Identity Manager documentation center.

VMware Identity Manager Connector 2018.8.1 (Windows)

A new installer is available for VMware Identity Manager Connector for Windows. Use the installer to upgrade from VMware Enterprise System Connector or to install the VMware Identity Manager Connector.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.

Documentation

The VMware Identity Manager 3.3 documentation is in the VMware Identity Manager documentation center.

Known Issues

  • Clock Section of System Diagnostics Shows Data for Only One Node on Secondary Site

    When you have a multi-site setup with the primary site in read/write mode and the secondary site in read-only mode, the Clock section of the system diagnostics page shows the status of only one node in the secondary site.

    No workaround.

  • Directory Sync > Click Sync Users Button on Domain Users Build-in Group page Causes Existing Domain Users to be Removed

    In the Users & Groups tab, Groups page, if you select a group and click the Sync Users button on the Users page, all existing domain users are removed.

    Do not click the Sync Users button. If you would like to use Domain Users group members, either assign the group to apps in the Catalog tab or enable the Sync Group Members to the Directory When Adding Group option in the Identity & Access Management > Setup > Preferences page.

  • Horizon View IDDS Not Working

    In VMware Identity Manager 3.3, when configuring a Horizon Virtual App Collection, the configuration check box, Perform Directory Sync, cannot be enabled.

    Workaround: You might first sync in users and groups entitled to Horizon resources as part of Directory Sync and then proceed to sync a Horizon Virtual App Collection.  For more information and a potential workaround, contact Support.

  • In VMware Identity Manager 3.3, when configuring a Horizon Virtual App Collection, the following configuration check box, Configuring Horizon Connection Server 5.X, cannot be enabled. 

    If you are configuring Horizon 5.x servers with VMware Identity Manager, contact Support for a workaround.

  • Configuration Issues in Citrix when VMware Directory is Created Using sAMAccountName Cause Citrix Launches from Workspace ONE to Fail

    If the option "Any Domain" is selected in the Citrix configuration location is Storefront settings under Manage Authentication Methods > User Name and Password > Configure Trusted Domains, and if VMware Identity Manager is created using sAMAccountName and the Citrix integration is configured using the Storefront API option, Citrix launches from Workspace ONE will fail.

    In the Citrix Storefront, change the option from "Any Domain" to "Trusted Domains only". Then add the list of trusted domains. Enter the names in the FQDN format (not in NetBiosName format).