VMware Workspace ONE Access for Linux 20.10 | October 2020 | Build 17035009
VMware Workspace ONE Access Connector (Windows) 20.10 | October 2020 | Build Workspace ONE Access Connector 20.10 Installer.exe
VMware Identity Manager Connector (Windows) 19.03 | April 2019 | Build VMware Identity Manager Connector 19.03.0 Installer.exe
VMware Identity Manager Connector (Windows) 19.03.0.1 | October 2020 | Build VMware Identity Manager Connector 19.03.0.1 Installer.exe
VMware Identity Manager Integration Broker 19.03 | April 2019 | Build 13221855
VMware Identity Manager Integration Broker 19.03.0.1 | October 2020 | Build 16975699
Release date November 3, 2020
12/17/2021 This release has been determined to be impacted by CVE-2021-44228 and CVE-2021-45046. Fixes and workarounds are available to address these vulnerabilities. For more information, see VMware Security Advisory VMSA-2021-0028.
12/17/2021 This release is also impacted by CVE-2021-22056 and CVE-2021-22057. Fixes and workarounds are available to address these vulnerabilities. For more information, see VMware Security Advisory VMSA-2021-0030.
12/08/2020 This release has been determined to be impacted by CVE-2020-4006. Fixes and workarounds are available to address this vulnerability. For more information, see VMSA-2020-0027.
What's in the Release Notes
This release note covers the following topics.
- What's New in 20.10
- Compatibility, Installation, and Upgrade
- Resolved Issues
- Known Issues
On-Premises Support for Hub Services Capabilities
To unleash the full potential of Hub Services and help our customers to be successful and remain productive during this pandemic time, we are excited to announce that the Notification (“For You”), People, Self-Service Support, and Custom tab capabilities of Hub Services are now available with your on-premises deployment.
Notification (“For You”)
Through a series of user experiments, we discovered an obvious pattern in how employees consume information. To reflect that pattern and present notifications so that what is important is easy to discover and easy to digest, we built four types of notification: Priority, Actionable, Informational, and Urgent. These notifications are available to the user from the For You page in the Intelligent Hub view.
We also offer an out-of-the-box weekly new app notification to inform employees of newly entitled apps. This can be turned off using the Hub Services admin console.
Admins will be able to use either the Notification API or Notification Builder in the Hub Services console to create and send notifications to different user groups or smart groups.
- Workspace ONE mobile flow will remain a cloud service and is not available for integration in this release.
- For Windows platform push notification, we will not show notification title and description. See the HUBW-3389 KB article.
On-premise People Search
When Hub Services is fully integrated with Workspace ONE Access, you can enable access to the Hub Service People service to let users search for their colleagues and view user details and organization charts directly from the Intelligent Hub app or portal.
- Employees can use the search bar to look up a colleague's information
- Navigation pills on the People page allow quick navigation to peers, direct reports, and manager information.
With Support services, admins will be able to help employees find answers and troubleshoot their own issues. Following is a list of the highlighted features in Self-Service support.
- Self-Service Tab Name. You can change the label in the Hub Services console. The tab name will be reflected in the navigation bar.
- Helpful Links. You can add links which are rendered in the Helpful Resources section under the support tab to equip employees with information to troubleshoot before reaching out to the IT help desk.
- Contact Information. We render a Contacts section that can include support email and phone numbers. You add the contact information from the Workspace ONE UEM console.
- Device Management. You can enable device self-service in the Hub Services console to display a My devices section on the support page. With this enabled, the My devices section provides detailed information about the user’s devices and provides the capability to add devices, install profiles, and sync devices.
From the Hub Services console, you can add a custom tab in the Workspace ONE Intelligent Hub app that links to your company website or to another resource that you want to share with users.
New App Catalog Layout
We are excited to introduce an all-new layout for Hub catalog in the web browser.
- App categories are now located at the top of the catalog
- All app views are responsive grid layouts with no more app list views
- New breadcrumb navigation to easily move between app categories
- Improved All Apps layout for customers with simple catalogs
To learn more about these Hub Services features, see the Hub Services documentation.
Photon OS Migration
With Workspace ONE Access 20.10, the underlying operating system moved from SUSE Linux 11 SP4 to VMware Photon 3.0. Photon 3.0 addresses known security vulnerabilities and is an updated software stack.
Strong password policies for SSH logins have been applied. A password must be at least 14 characters and include one or more of the following: uppercase letters, lowercase letters, numerical digits, and special characters.
Note: Customers upgrading to 20.10 can continue to use their existing passwords. After the upgrade, when customers change the password, the password complexity rule applies.
For new installations, the minimum system requirements for the appliance deployment configuration have been increased to the following.
- 100 GB hard disk
- 8 GB RAM
- 4 vCPUs
Configurable External ID Directory Support
When integrating with Active Directory, the user’s External ID attribute can now be mapped to a custom attribute other than the objectGUID attribute. Mapping the External ID attribute to a custom attribute is useful when integrating Workspace ONE Access with a VMware Workspace ONE UEM service that might use an attribute other than objectGUID as the Object Identifier for syncing users.
SMTP over SSL/TLS
We now support configuring SMTP with SSL/TLS for more secure communication between the SMTP server and the Workspace ONE Access appliance when sending emails.
Support of 4096 Key Certificates for Workspace ONE Access Appliance and Connectors
We now support 4096-bit key SSL certificates for Workspace ONE Access service and connector. With this implementation, we bring increased encryption strength to the SSL certificates.
- Customers can use 4096-bit SSL certificates on the service when FIPS mode is enabled
- Customers can upload 4096-bit SSL certificates on 19.03.01 connector and on enterprise service connectors
- 4096-bit SAML certificates are supported for this release
Support of Custom LDAP Filters
We are introducing a new feature to support custom LDAP filter queries when syncing users in Workspace ONE Access. Today, when administrators configure the user sync in Workspace ONE Access, they can specify the OU's distinguished name. The administrator can now configure Workspace ONE Access to refine the LDAP query sent to the directory server by using query filters to filter users.
Workspace ONE Intelligent Hub Enrollment Policy
You can now configure an access policy rule for device enrollment into Workspace ONE UEM when the source of authentication in Workspace ONE UEM is set to Workspace ONE Access. This rule allows customers to leverage Mobile SSO for post-enrollment login into the Workspace ONE Intelligent Hub app without impacting the enrollment flow.
The device enrollment policy can also be used to block any further enrollments with the legacy Workspace ONE App.
The initial support is for iOS and Android Hub enrollment flows.
Updated the Third-Party Identity Provider Page in Admin Console with an Option to Send Subject Information in SAML
Added an option to pass the Subject, when available, in the SAML request for third-party identity providers. This feature is disabled by default.
VMware Workspace ONE Access is available in the following languages.
- Simplified Chinese
- Traditional Chinese
- Portuguese (Brazil)
VMware vCenter™ and VMware ESXi™ Compatibility
VMware Workspace ONE Access appliance supports the following versions of vSphere and ESXi.
- 7.0, 7.0 U1, 6.5 U3, 6.7 U2, 6.7 U3
Windows Server Supported
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Web Browser Supported
- Mozilla Firefox, latest version
- Google Chrome 42.0 or later
- Internet Explorer 11
- Safari 6.2.8 or later
- Microsoft Edge, latest version
- MS SQL 2012, 2014, 2016, 2017
Directory Server Supported
- Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
- OpenLDAP - 2.4.42
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (220.127.116.11.0)
- IBM Tivoli Directory Server 6.3.1
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.
For system requirements, see the VMware Workspace ONE Access Installation guides for 20.10 on the Workspace ONE Access documentation center.
Upgrading to VMware Workspace ONE Access 20.10 (Photon Linux)
The VMware Identity Manager appliance versions 19.03 or 20.01 can be upgraded to Workspace ONE Access 20.10.
Upgrade VMware Identity Manager 3.3 to version 19.03 before upgrading to Workspace ONE Access 20.10.
Before You Upgrade
- Before upgrading, to ensure that Elasticsearch data is not deleted, prepare Elasticsearch for the upgrade. See Prerequisites for Online Upgrade in the Upgrading to VMware Workspace ONE Access 20.10 guide.
To upgrade to Workspace ONE Access for Linux 20.10, see Upgrading to VMware Workspace ONE Access 20.10 (Linux) in the Workspace ONE Access documentation center. During the upgrade, all services are stopped; plan the upgrade with the expected downtime in mind.
After You Upgrade
- Make sure you go to the Workspace ONE UEM page in the Workspace ONE Access console and click Save in the Workspace ONE UEM Configuration section to populate the Device Services URL. If you do not update the Device Services URL, new device enrollments with UEM will fail. See the Save the Workspace ONE UEM Configuration section in the Post-Upgrade Configuration topic in the Workspace ONE Access Upgrade guide.
Migrating VMware Identity Manager for Windows to Workspace ONE Access on Photon Linux 20.10
Starting with version 20.10, the Workspace ONE Access service is available on-premises solely on Photon OS.
To migrate VMware Identity Manager 19.03 on Windows to Workspace ONE Access 20.10, first migrate to 20.01 on Linux. See Migrating Windows to Linux for VMware Workspace ONE Access 20.01.
Then upgrade the Linux service from 20.01 to 20.10. See Upgrading to VMware Workspace ONE Access 18.104.22.168
VMware Workspace ONE Access Connector 20.10 (Windows)
The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.
- Directory Sync service to sync users from your enterprise directories
- User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
- Kerberos Auth service for Kerberos authentication
Migrating to Workspace ONE Access 20.10 Connectors
If you are upgrading to Workspace ONE® Access™ 20.10 from a version prior to 19.03, to use the new Workspace ONE Access 20.10 connectors you must follow a migration process. The process includes installing new 20.10 connectors and migrating your existing directories to the new connectors.
You cannot upgrade legacy connector versions to 20.10. To migrate to the 20.10 connector from legacy connectors, you migrate your directories. When you migrate the directories, all data, including authentication methods and identity providers, is migrated.
Before You Migrate
- Make sure that all legacy connectors are at 19.03
Upgrade to 20.10
To upgrade Workspace ONE Access connector 20.01 to 20.10, see Upgrading to VMware Workspace ONE Access Connector 20.10.
The Workspace ONE Access 20.10 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApp integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.10 connectors.
To use virtual apps with Workspace ONE Access 20.10, you must use VMware Identity Manager connector version 19.03.0.1 or 19.03.
- VMware Identity Manager Integration Broker 19.03.0.1 | October 2020 | Build 16975699 works only with VMware Identity Manager connector version 19.03.0.1
- VMware Identity Manager Integration Broker 19.03 | April 2019 | Build 13221855 works only with VMware Identity Manager connector version 19.03.
To use VMware ThinApp with Workspace ONE Access 20.01, you must use VMware Identity Manager Linux-based connector appliance version 2018.8.1. If you use ThinApp packages, do not upgrade to the 19.03 or the 20.01 version of VMware Workspace ONE Access connector.
- VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055 is used with ThinApp packages
The VMware Workspace ONE Access 20.10 documentation is in the VMware Workspace ONE Access Documentation Center.
The Hub Services documentation is in the VMware Workspace ONE Documentation Center.
HW-100092 We resolved the issue of displaying health status for Cert Proxy as Unknown on the Workspace ONE Access dashboard. Cert Proxy is an independent service running on a Workspace ONE Access node and used by Mobile SSO for Android.
HW-112466 Fixed an issue that caused saving the configuration of a directory with hundreds of group DN entries to be extremely slow.
HW-113379 Fixed an issue where the search for catalog items with the special character '[' in the name failed.
HW-114942 Resolved an issue where rebooting of the appliance resulted in losing the persisted state of NTP configuration to host time sync.
HW-115266 Fixed the pagination in the Virtual Apps Collection page in the Workspace ONE Access console. We now allow more than 20 virtual app collections to be viewed in the console.
HW-116967 Fixed the issue where Workspace ONE Access server crashed under high load. This crash was observed under high load only if the Windows Workspace ONE app was used to access the catalog.
HW-117715 Export of audit events over 30 days failed with network timeout error. It is now fixed. However, we are still limited to exporting 10,000 records. Audit report will fail with an error if we try to export a date range that produces more than 10,000 records.
HW-117906 Fixed the issue that caused Workspace ONE Access to loop when users tried to sign in if an administrator disabled an auth method that was used in the authentication policy.
HW-117930 Memory leak in Workspace ONE Access when VMware Verify was the second-factor authentication method has been fixed. It was causing Workspace ONE Access to become sluggish or unresponsive.
HW-121043 The virtual app profile is automatically saved before initiating sync to have the updated details from Horizon.
HW-121048 Viewing alerts on the Virtual App Collection page threw an error if the timezone was changed on Workspace ONE Access after the sync. We are now using the timestamp instead of current locale to fetch alerts.
HW-122016 For 20.10 version of connector, we resolved an issue where installer running with JRE version 1.8.0_261 failed to validate the correct password.
HW-123286 Resolved an issue where enabling the NTP service on connector machine caused CPU usage to go high.
HW-124103 The UI to upload an image for VMware Verify should appear only if the feature is enabled. Previously, the UI was enabled even when the feature was disabled, and uploading an image threw an error.
HW-124428 Fixed a memory leak in Workspace ONE Access that caused it to become unresponsive. As the memory leak built up, the Workspace ONE Access URL kept spinning and never rendered the login page. The only workaround was a frequent reboot of the Workspace ONE Access service.
HW-124475 Resolved an issue where the Cert Auth port is not being updated from gateway.port to custom port while configuring the Passthrough certificate.
HW-96225 Configuration of AirWatch Provisioning Adapter is reset if an invalid admin password is entered.
HW-97403 Fixed the issue where the search query for country was not cleared if the user did not explicitly click the country name suggested by the autocomplete service.
HW-97536 Added a UI validator to validate that the Workspace ONE UEM URL does not end with /API. It should not end with /API as Greenbox appends the /API even when /API is in UEM URL in Workspace ONE Access.
December 15, 2020. The Workspace ONE Access 20.10 on-premises virtual appliance is confirmed to be deployable. The download link is re-enabled.
- After changing the value of externalId, sync might not add back all users
When the externalId field is changed and a sync is triggered following the change, all users must be deleted and recreated. Since deletion and creation of users is asynchronous, customers might see alerts that sync failed for some users. This would happen if the user is created before the user was deleted.
Workaround: To add the missing users, click Sync Now to perform another sync.
- sshuser/root user password that includes ! character (exclamation point) in the password cannot be saved
When setting up or updating passwords for sshuser/root users, passwords with ! as a special character cannot be saved.
Workaround: Use other special characters in the password, not !.
- Hub Notifications (For You) does not work in Workspace ONE Access with Microsoft SQL Server in Windows Authentication Mode
Hub Notifications (For You) does not work when Workspace ONE Access is configured with Microsoft SQL server in Windows Authentication Mode.
- October 2021. Users might not be able to launch Horizon 7.13 or later applications and desktops in a browser
When Horizon 7.13 or later is integrated with Workspace ONE Access, users always see the option in Workspace ONE Intelligent Hub to launch applications or desktops in a browser, but browser launch fails if HTML Access is not installed on the Horizon Connection servers.
Workaround: If you are using Horizon 7.13 or later versions, install HTML Access on the Horizon Connection servers so that browser launch succeeds. See the VMware Horizon HTML Access documentation for more information.