VMware Identity Manager for Linux 19.03 | April 2019 | Build 13322314
VMware Identity Manager for Windows 19.03 | April 2019 | Build VMware Identity Manager 19.03.0 Full_Install.exe
VMware Identity Manager Connector (Windows) 19.03 | April 2019 | Build VMware Identity Manager Connector 19.03.0 Installer.exe
VMware Identity Manager Integration Broker 19.03 | April 2019 | Build 13221855
VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055
Release date: April 16, 2019
Updated: December 8, 2020
NEW 12/08/2020 This release has been determined to be impacted by CVE-2020-4006. Fixes and workarounds are available to address this vulnerability. For more information, see VMSA-2020-0027.
What's in the Release Notes
These release notes cover the following topics:
- What's New in 19.03
- Architectural Changes in 19.03 for VMware Identity Manager
- Internationalization
- Compatibility, Installation, and Upgrade
- Documentation
- Known Issues
What's New for VMware Identity Manager 19.03
- VMware Identity Manager releases following a new versioning format
- VMware Identity Manager is moving away from the major.minor version numbers to a date-driven model represented by a year and month (yy.mm). This release is version 19.03. The previous release was version 3.3.
- TrueSSO Unlock Support
- With TrueSSO, users can log in to Horizon apps or desktops without entering a password. However, if the Horizon desktop or app is locked, users must use their user credentials to unlock it. This feature allows users to unlock without entering a password. Requires VMware Horizon 7.8.
- New User Interface for Virtual Apps Configuration
- Redesigned and improved the Virtual apps UI screens within the VMware Identity Manager console.
- Directory Sync Management Improvements
- Ability to associate multiple connectors with a directory and specify a fallback order in the case of a primary connector failure.
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (11.1.1.7.0) Support Improvements
- Search and query pagination support.
- Support filter queries, for example, to extract information when there is no DN.
- Support for IBM Tivoli Directory Server
- SAML Federation flexibility, with the ability to identify user NameID from SAML Attribute Statement
- Improved compatibility with third-party identity providers.
- Audit log data storage limit
- Provide admins with capability to limit audit storage capacity.
- Network policy for Android SSO
- Ability to specify network range access criteria for Android SSO.
- Workspace ONE UEM (AirWatch) provisioning adapter
- Support users provisioned via SCIM across VMware Identity Manager and Workspace ONE UEM. Provision users from VMware Identity Manager to Workspace ONE UEM.
- Support for ms-DS-ConsistencyGuid for Office 365 federation
- Ability to transform the current VMware Identity Manager source anchor attribute to ms-DS-ConsistencyGuid when federating Office 365.
- Ability to use a PFX file for the VMware Identity Manager SSL certificate
VMware Identity Manager 19.03 Architectural Changes
- Embedded connector removed from the VMware Identity Manager Linux and Windows deployments.
- External Linux connector is no longer supported. Migrate to the VMware Identity Manager Connector for Windows.
- Certificate authentication service has been redesigned
- For the VMware Identity Manager appliance, the embedded certificate auth component has been replaced with the certificate adapter that is also used for cloud deployment.
- Improved diagnostics page performance
- Improved auditing capabilities for virtual apps
- Removed support for Horizon 5.x
Internationalization
VMware Identity Manager 19.03 is available in the following languages.
- English
- French
- German
- Spanish
- Japanese
- Simplified Chinese
- Korean
- Traditional Chinese
- Russian
- Italian
- Portuguese (Brazil)
- Dutch
Compatibility, Installation, and Upgrade
VMware vCenter™ and VMware ESXi™ Compatibility
VMware Identity Manager appliance supports the following versions of vSphere and ESXi.
- 6.5 U3, 6.7 U2, 6.7 U3
Component Compatibility
Windows Server Supported
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Web Browser Supported
- Mozilla Firefox, latest version
- Google Chrome 42.0 or later
- Internet Explorer 11
- Safari 6.2.8 or later
- Microsoft Edge, latest version
Database Supported
- MS SQL 2012, 2014, and 2016
Directory Server Supported
- Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
- OpenLDAP - 2.4.42
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (11.1.1.7.0)
- IBM Tivoli Directory Server 6.3.1
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.
Verified VMware Identity Manager integration with Citrix Virtual Apps & Desktops (previously XenApp & XenDesktop) versions 7 1808 and 7.18. The tested use case was end users performing internal and external launches (via NetScaler) of their entitled Citrix resources from the Workspace ONE portal.
For other system requirements, see the VMware Identity Manager Installation guides for 19.03 on the VMware Identity Manager Documentation center.
Upgrading to VMware Identity Manager 19.03
Beginning with 19.03, the VMware Identity Manager service no longer includes an embedded connector and no longer supports an external connector for Linux.
If you configured the embedded connector, you must install the latest VMware Identity Manager Connector for Windows and migrate your existing connector data before you upgrade to VMware Identity Manager 19.03. You can migrate external Linux-based connectors after you upgrade the service.
VMware Identity Manager 3.2.0.1 and 3.3 can be upgraded to version 19.03.
Upgrading to VMware Identity Manager 19.03 (Linux)
To upgrade to VMware Identity Manager for Linux 19.03, see Upgrading VMware Identity Manager 19.03 (Linux) on the VMware Identity Manager Documentation center. All services are stopped during the upgrade, so plan the upgrade with the expected downtime in mind.
If you integrate Citrix published resources with VMware Identity Manager, upgrade to the latest version of the Integration Broker. You must be running Integration Broker Build 13221855 with the latest VMware Identity Manager service.
Upgrading from VMware Identity Manager 2.7.1
To upgrade VMware Identity Manager 2.7.1, you must first upgrade to 2.9.2.x, then to 3.1, and then to 3.2.0.1, before upgrading to 19.03. See KB article 2151825 Upgrading from VMware Identity Manager 2.7.1 to VMware Identity Manager 3.1.
Upgrading to VMware Identity Manager 19.03 (Windows)
Note: If you are using a version earlier than 3.2.0.1, you must migrate from AirWatch. Beginning with VMware Identity Manager for Windows 3.2.0.1, the AirWatch installer EXE setup file no longer included the installation of VMware Identity Manager. A separate VMware Identity Manager EXE setup file can be downloaded from the My VMware download page.
VMware Identity Manager 3.2.0.1 and 3.3 can be upgraded to version 19.03. See the Migrate VMware Identity Manager for Windows guide in the VMware Identity Manager Documentation center.
VMware Identity Manager Connector 19.03.0.0 (Windows)
Beginning with the 19.03.0.0 release of VMware Identity Manager, only the VMware Identity Manager Connector for Windows will be available. The Linux version of the VMware Identity Manager Connector is no longer available.
You can migrate the existing configuration on a Linux connector to the latest VMware Identity Manager Connector for Windows. See Installing and Configuring the VMware Identity Manager Connector 19.03 in the VMware Identity Manager Documentation center.
Sync Settings > Sync Schedule
Beginning with 19.03, the sync schedule is no longer set to run in the connector machine's time zone. Sync time is based on UTC standard time. Update the sync frequency setting in the Sync Settings page based on UTC standard time.
Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later
Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.
External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.
Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS 1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as default secure protocols.
Documentation
The VMware Identity Manager 19.03 documentation is in the VMware Identity Manager Documentation center.
Known Issues
- Cannot remove connector from built-in IDP
When the built-in IDP has only one connector configured and that connector is down, trying to remove the connector fails with this error message: "The node could not be removed because authentication methods configured on connector <name> are associated to a built-in identity provider".
Workaround:
- Navigate to the VMware Identity Manager console Identity & Access Management > Identity Providers tab.
- Open the Built-in identity provider and click Save.
- Open the Built-in identity provider again and in the Connector(s) section, click X to remove the connector. The connector will be removed this time.
- Click Save.
- VMware Cert Proxy Service Status is Shown as Dead in the Dashboard in the Admin Console
The vmware-certproxy service status is shown as "dead". The health status for Cert Proxy in the admin console dashboard shows green, but the Cert Proxy State is shown as "unknown".
Workaround: Restart the cert proxy service.
service vmware-certproxy restart
- Active Directory Over IWA Fails when Computer Name Domain is Different from Domain Field
When adding Active Directory over IWA, if you see the following error "Connector communication failed because of invalid data: The specified Bind DN and password could not be used to successfully authenticate against the directory", one possible reason for this error could be that the computer name and the name in the domain field do not match.
No workaround. Make sure that the computer name is the same name as the name in the domain field.
- Desktop Pool Based Applications in Horizon 7.9 cannot be launched in browser
The option to open the desktop pool app in the browser is not displayed when opening Horizon 7.9 desktop pools from the VMware Identity Manager.
To open in a browser, launch another pool with the browser and then from the sidebar select Launch Desktop app pool. The pool will launch.