VMware Workspace ONE Access for Linux 20.01 | January 2020 | Build 15509389

VMware Workspace ONE Access Connector (Windows) 20.01 | January 2020 | Build Workspace ONE Access Connector 20.01.0 Installer.exe

Release date: January 30, 2020

Updated: October 11, 2021

12/08/2020: This release has been determined to be impacted by CVE-2020-4006. Fixes and workarounds are available to address this vulnerability. For more information, see VMSA-2020-0027.

What's in the Release Notes

The release notes cover the following topics:

What's New for VMware Workspace ONE Access 20.01

VMware Workspace ONE Access formerly VMware Identity Manager

VMware Workspace ONE Access is the new name for what was called VMware Identity Manager. No functionality has been removed as a result of this name change.

  Revised Connector and Connector Management

  • Ability to install connector components individually. The three components are:
    • Directory Sync service - Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
    • User Auth service - Provides Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) deployments.
    • Kerberos Auth service - Provides Kerberos authentication for internal users.
  • Improved and simplified connector configuration and life cycle management
    • Functional configuration for the Directory Sync service and the auth method services is moved to the Workspace ONE Access service. Configuration for Directory Sync is in the Identity & Access Management > Directories page. Configuration of the User Auth and Kerberos Auth methods is in the Identity & Access Management > Enterprise Authentication Methods page in the Workspace ONE Access console. No configuration details are stored in the connector.
    • You can easily add and remove connectors as needed.
  • Directory Sync
    • Improved stability and reduced resource needs.
    • Directory Sync is now driven from the Workspace ONE Access service. Users can easily add more Directory Sync nodes in the Directory Configuration page in the console for Sync high availability.
    • The ability to perform a dry run of the sync has been removed.
    • The Test Directory button is removed. When the directory configuration is saved, the Directory Sync service tests the directory configuration in Active Directory.
    • Two sync options are now available in the UI, sync with safeguards and sync without safeguards. These actions can be performed from either the list of directories in the Identity & Access Management > Directories page, or from a specific directory landing page.
    • When an IWA directory is created, only the domain saved to the database in the directory's Domains tab is shown. The admin must select the refresh button to see all the domains that have two-way trust relationship with the base domain.
    • The directory's Group tab shows the Group DNs that are saved and the mapped groups from the DB. Calls are not automatically made to the Directory Sync service to fetch additional details, such as the number of groups in the container. You must explicitly click the Select button to run the Active Directory query to fetch the number of groups for the specific group DN.
    • Saved user attribute mapping, user DN, group DN, safeguard, and sync schedule configurations are not sent to the Directory Sync service on the connector. These configurations are saved in the Workspace ONE Access service DB because the Directory Sync service is stateless.

Streamlined disaster recovery setup leveraging VMware Site Recovery Manager

Support for service migration from Windows 19.03 to Linux 20.01

  • Assisted migration of configuration from Windows 19.03 to Linux 20.01.
  • VMware Identity Manager Windows service will reach End of General Support (EOGS) on November 24, 2020. See End of General Support KB article, 2961184.

Support for Hub Catalog on premises, supporting Workspace ONE Intelligent Hub app

  • Hub Catalog will be default ON for the web browser view.
    • Customers who upgrade to 20.01 have the option to toggle off the new experience and go back to the Workspace ONE browser experience with the legacy catalog. To turn off the Hub Catalog, go to the Catalog > Hub Configuration page to launch the Hub Services console. On the Customization page that appears, toggle off the Hub Browser Experience radio button.
    • If you plan to use the Hub Catalog after you upgrade and you customized the Workspace ONE catalog page and login screen in the VMware Identity Manager service, after the upgrade you need to go to the Hub Services console and customize the branding page to add your logo and colors.
  • Allows for migration from legacy Workspace ONE application to the modern catalog within Workspace ONE Intelligent Hub.

Workspace ONE Access Appliance Settings UI Change

  • The Appliance Setting tab manages SMTP, License and Telemetry configuration.
  • VA configuration is moved to the System Diagnostics dashboard. You click VA Configuration on an appliance listed in the dashboard to log into the VA Configuration console for that appliance.

Internationalization

VMware Workspace ONE Access 20.01 is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Traditional Chinese
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Workspace ONE Access appliance supports the following versions of vSphere and ESXi.

  • 6.5 U3, 6.7 U2, 6.7 U3

Component Compatibility

Windows Server Supported

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome 42.0 or later
  • Internet Explorer 11
  • Safari 6.2.8 or later
  • Microsoft Edge, latest version

Database Supported

  • MS SQL 2012, 2014, 2016, 2017

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (11.1.1.7.0)
  • IBM Tivoli Directory Server 6.3.1

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

For system requirements, see the VMware Workspace ONE Access Installation guides for 20.01 on the Workspace ONE Access documentation center.

Upgrading to VMware Workspace ONE Access 20.01 (Linux)

The VMware Identity Manager appliance must be at 19.03 to upgrade to Workspace ONE Access 20.01.

Upgrade VMware Identity Manager 3.3 to version 19.03 before upgrading to Workspace ONE Access 20.01.

Before You Upgrade

  • Before upgrading, to ensure that Elasticsearch data is not deleted, prepare Elasticsearch for the upgrade. See Prerequisites for Online Upgrade in the Upgrading to VMware Workspace ONE Access 20.01 guide.

To upgrade to Workspace ONE Access for Linux 20.01, see Upgrading to VMware Workspace ONE Access 20.01 (Linux) in the Workspace ONE Access documentation center. During the upgrade, all services are stopped; plan the upgrade with the expected downtime in mind.

After You Upgrade

  • Make sure you go to the Workspace ONE UEM page in the Workspace ONE Access console and click Save in the Workspace ONE UEM Configuration section to populate the Device Services URL. If you do not update the Device Services URL, new device enrollments with UEM will fail. See the Save the Workspace ONE UEM Configuration section in the Post-Upgrade Configuration topic in the Workspace ONE Access Upgrade guide.

Migrating VMware Identity Manager for Windows to Workspace ONE Access on Linux 20.01

Starting with version 20.01, the Workspace ONE Access service is available on-premises solely on Linux.

To migrate a Windows machine to the Workspace ONE Access appliance for 20.01, follow the migration steps in the Migrating Windows to Linux for VMware Workspace ONE Access 20.01 guide in the Workspace ONE Access documentation center.

VMware Identity Manager on Windows must be at version 19.03 to migrate to Workspace ONE Access on Linux 20.01.

After you migrate to 20.01

VMware Workspace ONE Access Connector 20.01.0.0 (Windows)

The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.

  • Directory Sync service to sync users from your enterprise directories
  • User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
  • Kerberos Auth service for Kerberos authentication

Migrating to Workspace ONE Access 20.01 Connectors

When you upgrade to Workspace ONE Access, to use the new Workspace ONE Access 20.01 connectors, you install one or more 20.01 connectors and then migrate your existing directories and authentication methods from the 19.03 connectors to the new connectors.

The Windows servers for the 20.01 connectors must be separate from your legacy connector servers. During the migration process, you will switch between using the older connectors and the new connectors to test the migration. The 19.03 legacy connector servers must be running during the migration process. Do not uninstall the 19.03 connectors until the migration is complete.

You cannot upgrade older connector versions to 20.01.

See the Connector Migration Guide in the Workspace ONE Access Documentation Center.

Before You Migrate

  • Make sure that all legacy connectors are at version 19.03.
  • Before migrating RSA SecurID Authentication to the 20.01 connector, make sure to clear the Node Secret on the RSA Security console.

Virtual Applications

The Workspace ONE Access 20.01 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApp integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.01 connectors.

To use virtual apps with Workspace ONE Access 20.01, you must use VMware Identity Manager connector version 19.03.

  • VMware Identity Manager Integration Broker 19.03 | April 2019 | Build 13221855 works only with VMware Identity Manager connector version 19.03.

To use VMware ThinApp with Workspace ONE Access 20.01, you must use VMware Identity Manager Linux-based connector appliance version 2018.8.1. If you use ThinApp packages, do not upgrade to the 19.03 or the 20.01 version of VMware Workspace ONE Access connector.

  • VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055 is used with ThinApp packages.

Documentation

The VMware Workspace ONE Access 20.01 documentation is in the VMware Workspace ONE Access Documentation Center.

Resolved Issues

  • HW-111546    Upgraded third-party library jackson-databind to more recent versions to fix vulnerabilities.

  • HW-111493    Password (Cloud) is shown in the policy auth methods without requiring manual edits to Identity Provider.

  • HW-111177    Ability to allow admins to configure trusted URLs for which Workspace ONE Access log in screens can be rendered in an iFrame.

  • HW-110395    Upgraded third-party components to more recent versions to fix vulnerabilities.

  • HW-110384    Fixed an issue related to requesting an application for approval. See Enabling Application Approval for Resource Usage in the Workspace ONE Access documentation page.

  • HW-109900    The connector URL was processed incorrectly if the third-party IDP had "authenticate" in its host name. This fix corrected the IDP URL.

  • HW-109709    A Role to manage Entitlements of some specific resources could not be created. We fixed it.

  • HW-109099    Fixed an issue with the text "Setup Provisioning", which was used for showing the provisioning configuration steps in the app add/edit wizard and did not actually set up provisioning for the app. The text is changed to "Show Provisioning Options" and a hint text is added to clarify the intention of this option.

  • HW-109018    Sync-only connectors were showing as Sync and Authentication in the connectors list page. This fix corrects it.

  • HW-106922    REST API to set a 19.03 or older connector as sync connector for a directory.

  • HW-106192    When users followed a link or typed the Workspace ONE Access URL in a browser, the focus was not in the user name field after the page loaded. This fix places the focus there so the user can immediately start entering the username and password and log in to the system without clicking or tabbing on the login page.

  • HW-106121    Renamed all references to AirWatch as Workspace ONE UEM in the Workspace ONE Access admin console. This change was made to the AirWatch configuration settings page, authentication methods list/edit page, identity provider list/edit page, and edit policy page.

  • HW-105990    Fixed a cross-site scripting security vulnerability for input fields in the Workspace ONE Access admin console. In particular, user and group name input values were fixed.

  • HW-103859    The Workspace ONE Access Dashboard reports page showed the time in UTC when opened for the first time. This fix displays the date in the local time zone.

  • HW-103065    Port 7443 is not being used by Android SSO. Fixed the string and removed "This certificate can also be used for Android SSO" from "Install SSL Certificate" => "Passthrough Certificate" page in the Configurator UI.

  • HW-102820    The default value of "Remember this setting" is set to false in the username login and domain selection pages, so that the "Remember this setting" option will be unchecked from the next log in.

  • HW-102616    Upgraded the base SLES SP4 Operating System to LTSS repo which also upgraded vulnerable packages.

  • HW-102471    Prevent issues when trying to save audit records that are older than the analytics retention policy (analytics.maxQueryDays) by filtering out the older records before trying to save the audit records.

  • HW-102016    This fix restricts the Built-In IDPs page to allow the selection of only 1 user store (this is when creating a built-in IDP). Currently the Workspace IDP allows the selection of only 1 user store, but the Built-in IDP allowed multiple user stores.

  • HW-101717    People Search can filter out users based on msExchHideFromAddressLists attribute.

  • HW-101711    This fix supports the following: Display a loading icon when loading groups from Active Directory. Always show selected groups on top. Changed the group selected count to be read-only and show only the selected count. The total count is shown on the select more group modal and is refreshed from Active Directory by an API call. This change is effective for 20.01 connector-based directories group sync list only.

  • HW-101708    This provides options to sync a directory with and without safeguards. Dry run has been removed. These changes are only effective for 20.01 connector-based directories.

  • HW-101684    Skip metadata refresh for SAML disabled Connection Servers during launch to optimize it.

  • HW-101642    This fix corrected the help text and labels in the "Add Directory" dialog.

  • HW-101586    The self-signed SSL certificate generated by Workspace ONE Access now includes a Subject Alternative Name. This allows browsers like Chrome 58+ to connect without complaining about a missing element.

  • HW-101203    Updated the elasticsearch configuration so that recovery will wait for the correct number of nodes after a full cluster restart. This will help prevent the cluster from being stuck in a red state after a full cluster restart.

  • HW-100661    Resolved the issue with the Roles tab not working when a proxy server was configured. See Setting Proxy Server Settings for Workspace ONE Access.

  • HW-100273    Added support for Office 365 operated by 21Vianet.

  • HW-95673    Fixed an issue on the System Diagnostics Dashboard that was incorrectly showing an "error connecting to the application" status. The status was shown incorrectly when a third-party IDP was used in access policies and the IDP was not reachable from the Service appliance.

  • HW-93025    Enabling PeopleSearch should not affect normal directory sync with 20.01 connectors.

  • HW-92353    Admin can decide not to show "Change to a different domain" option on Workspace ONE Access login page.

  • HW-76920    Workspace ONE Access can be configured to send application-level logs to an external syslog server using the Configure a Syslog Server instructions on the Workspace ONE Access documentation page. This feature allows installation of Log Insight Agent to forward the logs to Log Insight server. See the vRealize Log Insight documentation for an overview of that product.

Known Issues

  • Configuring RSA SecurID Authentication Method Intermittently Fails

    When you try to save your SecurID configuration in the Workspace ONE Access console, you get an error stating that RSA Auth was not set up.

    1. Try to save the configuration again after you see the error. (Retry saving the configuration several times.)

    2. If this does not work, restart the connector where the User Auth service is installed.

  • Directory Type Other Directory (AirWatch Cloud Connector) Cannot be Deleted From the Workspace ONE Access 20.01 Connector

    When you click Delete Directory to delete a directory of type "Other" (usually AirWatch Cloud Connector directory) from the Workspace ONE Access console, the progress bar keeps moving, but the directory is not deleted.

    Contact Support for an API to delete the directory.

  • iOS Mobile SSO authentication to Workspace ONE Access fails for devices using mobile networks such as Verizon and T-Mobile

    If your cellular plan is a Verizon or T-Mobile plan that uses an IPv6 address and you use the built-in KDC for iOS mobile SSO authentication, users will not be able to sign in to apps using iOS Mobile SSO.
    Users can still sign in from the corporate WIFI or from other external WIFI networks. 

    To resolve this, you can switch from the built-in KDC to the Workspace ONE Access KDC cloud hosted service. See Using the Cloud-Hosted KDC Service and the Configure Mobile SSO of iOS Authentication in Workspace ONE Access topics.

    If you do not want to use the cloud hosted KDC service, you will need to configure a KDC load balancer that handles the IPv6 requests and proxies the requests over IPv4 to authenticate. Consult your load balancer documentation for details about how to accomplish this.

     

  • NEW October 2021.  Users might not be able to launch Horizon 7.13 or later applications and desktops in a browser

    When Horizon 7.13 or later is integrated with Workspace ONE Access, users always see the option in Workspace ONE Intelligent Hub to launch applications or desktops in a browser, but browser launch fails if HTML Access is not installed on the Horizon Connection servers.

    Workaround: If you are using Horizon 7.13 or later versions, install HTML Access on the Horizon Connection servers so that browser launch succeeds. See the VMware Horizon HTML Access documentation for more information.
