VMware Workspace ONE Access for Linux 21.08 | September 2021 | Build 18530336
VMware Workspace ONE Access Connector (Windows) 21.08 | September 2021 | Build Workspace ONE Access Connector 21.08.0.0 Installer.exe
VMware Identity Manager Connector (Windows) 19.03.0.1 | October 2020 | Build VMware Identity Manager Connector 19.03.0.1 Installer.exe
Release date September 7, 2021
12/17/2021 This release has been determined to be impacted by CVE-2021-44228 and CVE-2021-45046. Fixes and workarounds are available to address these vulnerabilities. For more information, see VMware Security Advisory VMSA-2021-0028.
12/17/2021 This release is also impacted by CVE-2021-22056 and CVE-2021-22057. Fixes and workarounds are available to address these vulnerabilities. For more information, see VMware Security Advisory VMSA-2021-0030.
What's in the Release Notes
This release note covers the following topics.
- What's New in 21.08
- Compatibility, Installation, and Upgrade
- Resolved Issues
- Known Issues
Connector Support for Virtual Apps
In the 21.08 release, the Workspace ONE Access Connector includes a new Virtual App service that supports integrating VMware Horizon and Citrix virtual apps. This allows the legacy connectors that are used for virtual apps to be migrated from version 19.03 or 19.03.0.1 to version 21.08. Both directories and virtual apps collections must be migrated together during this one-time process.
Set Which Horizon Client Access FQDN a Specific Group of Users Will Be Directed To
In some cases, only assigning network ranges to Horizon Client Access FQDNs is not optimal when users can be working from virtually anywhere. Leveraging user groups will grant more flexibility for launching Horizon desktops. In this release of Workspace ONE Access, the Horizon virtual apps integration includes the ability to assign client access FQDNs to groups of users. This adds new functionality that brings together the use of both network ranges and groups to direct users to the appropriate client access FQDNs.
RSA SecurID Updates
We have updated the way we integrate with RSA SecurID by using REST APIs. If you are currently using RSA SecurID as an authentication method, then a new connector for the User Auth service can be added before migration for minimal downtime to RSA SecurID logins.
Encrypted Connection to External Database
You can now add encryption when you configure a Microsoft SQL database for the first time or later. An encrypted connection to the database increases the security of data transmitted across networks. To enable encryption, the Microsoft SQL server must be configured with a root or intermediate certificate.
Updated Password Complexity Rules for admin Users
Password complexity rules have changed to incorporate a minimum of 8 characters and password complexity standards. See Manage Your Workspace ONE Access Appliance Passwords.
Syslog over TCP or UDP
Now you can choose between two standard protocols for connection to Syslog servers: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To use TCP, TLS (Transport Layer Security) has to be enabled for data encryption to provide secure communication. TCP over TLS is the default option.
OpenJDK 8 Support
The Workspace ONE Access appliance and connector have been migrated to OpenJDK 8 and no longer support Oracle JDK.
Disabled Break-Glass URL endpoint by default
The break-glass URL endpoint, https://<fqdn>.com/SAAS/login/0, allows system domain administrators to authenticate into Workspace ONE Access. To ensure a higher standard of security, this endpoint will be disabled by default starting in version 21.08. To re-enable this endpoint during emergency situations, see Workspace ONE Access Security Settings Guidelines.
On-Premises Support for Hub Services Capabilities
- Hub Templates
With Hub Templates you can control assignment of Hub Services capabilities to groups of users. This means you can now plan a slow rollout of Hub Services and its capabilities to your users. You no longer are required to enable Hub Services in one go for your entire workforce. Some examples of use cases where Hub Template will come in handy:
- Different custom tab URL for Sales versus R&D users
- Different branding for a subsidiary company
- Notifications capability only for R&D and Sales in North America
- Custom Tab for Web
A Custom tab can be configured and enabled for the Workspace ONE Intelligent Hub on the Web browser view. Admins can add a custom tab that links to their company website or to another resource that they want to share with users. To add a custom tab on the Web, navigate to Custom Tab on the Hub Services console. Enable the Custom Tab feature and then enable it for Web. Admins can define the tab’s title, add the URL of the destination, and select whether the custom tab displays in the first or last position in the Workspace ONE Intelligent Hub Web navigation bar. Admins can also choose to open the link in a new browser tab or in an iFrame embedded inside the Intelligent Hub Web. If admins choose to open the link in an embedded iFrame, a preview of that view is provided to allow admins to ensure that the link will load correctly in an iFrame.
- Mobile App Icon Option in Branding Page
Admins can now customize the Hub app icon color by picking from a list of curated colors to match your company branding. To customize the color of the icon, go to Hub Services console > Branding > Logos > Mobile App Icon and select an option from the color presets. Once the change is saved, users will see the new Hub icon color on the next launch of the Hub app.
- Support Tab on Windows Hub
Windows Hub now offers support for the Support Tab. When Employee Self-Service is enabled on the admin console, Windows Workspace ONE Intelligent Hub will display a tab for it. From the Employee Self-Service or Support tab in Workspace ONE Intelligent Hub, users can access resources and information in the Helpful Links section and view and manage their devices.
- Dark Mode Branding Configuration
Admins can configure their company dark mode logo and accent color on the Hub Services admin console. When dark mode is enabled through the user's device settings, users can browse Workspace ONE Intelligent Hub in a dark theme view.
Note: Dark mode is not available on all platforms currently. The Workspace ONE Intelligent Hub web browser does not support dark mode for on-premises Hub Services.
VMware Workspace ONE Access is available in the following languages.
- Simplified Chinese
- Traditional Chinese
- Portuguese (Brazil)
VMware vCenter™ and VMware ESXi™ Compatibility
VMware Workspace ONE Access appliance supports the following versions of vSphere and ESXi.
- 7.0, 6.7, 6.5
Windows Server Supported
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Web Browser Supported
- Mozilla Firefox, latest version
- Google Chrome, latest version
- Safari, latest version
- Microsoft Edge, latest version
- Microsoft SQL Server 2012, 2014, 2016, 2017, 2019
Important: Microsoft SQL server 2012 and 2014 must be updated with the Microsoft SQL patch to support TLS 1.2.
Directory Server Supported
- Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
- OpenLDAP - 2.4
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (188.8.131.52.0)
- IBM Tivoli Directory Server 6.3.1
Workspace ONE Access connector 21.08 is compatible with the Workspace ONE Access Cloud service and with Workspace ONE Access virtual appliance version 21.08 and later versions.
VMware Identity Manager connector 19.03.0.1 is compatible with the Workspace ONE Access Cloud service and with Workspace ONE Access virtual appliance version 20.10 and later versions.
Virtual Apps Compatibility
The Workspace ONE Access 21.08 connector now supports Virtual Apps (Citrix and Horizon integrations) with the new Virtual App service. The Virtual App service does not support Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, Horizon Cloud Service on IBM Cloud, or ThinApp integrations.
The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.
For supported Horizon versions, see the VMware Product Interoperability Matrix.
Integration with Horizon Cloud Service on Microsoft Azure with Universal Broker is configured from the Horizon Cloud administration console. The Workspace ONE Access 21.08 connector does not support integration with Horizon Cloud Service on IBM Cloud or Horizon Cloud Service on Microsoft Azure with Single-Pod Broker.
To use Horizon Cloud Service virtual apps on Microsoft Azure (Single-Pod Broker) with Workspace ONE Access 21.08, you must use VMware Identity Manager connector version 19.03.0.1.
To use VMware ThinApp with Workspace ONE Access 21.08, you must use the VMware Identity Manager Linux-based connector appliance version 2018.8.1.0. If you use ThinApp packages, do not upgrade to newer versions of the Workspace ONE Access connector.
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server and Horizon 7.
For system requirements, see the VMware Workspace ONE Access Installation guides for 21.08 in the Workspace ONE Access documentation center.
Upgrading to VMware Workspace ONE Access 21.08 (Photon Linux)
To upgrade to Workspace ONE Access 21.08, the current version must be Workspace ONE Access 20.10.x.
VMware Identity Manager appliance versions 19.03 or 20.01 must be upgraded to version 20.10.x before they can be upgraded to version 21.08.
During the upgrade, all services are stopped; plan the upgrade with the expected downtime in mind.
- Microsoft SQL server 2012 and 2014 must be updated with the Microsoft SQL patch to support TLS 1.2 before you upgrade the Workspace ONE Access service appliance.
- Before you upgrade to 21.08, verify that the NIC network adapter type on the Workspace ONE Access virtual appliance is set to VMXNET 3. See Update NIC from E1000 to VMXNET 3.
VMware Workspace ONE Access Connector 21.08 (Windows)
The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.
- Directory Sync service that syncs users from your enterprise directories to the Workspace ONE Access service
- User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) authentication methods
- Kerberos Auth service for Kerberos authentication
- Virtual App service that syncs virtual apps from VMware Horizon and Citrix deployments to the Workspace ONE Access service
Upgrading to Workspace ONE Access Connector 21.08
You can upgrade Workspace ONE Access connector versions 20.10.x and 20.01.x to version 21.08.
See the Upgrading to VMware Workspace ONE Access Connector 21.08 guide for information.
Migrating to Workspace ONE Access Connector 21.08
From Workspace ONE Access connector version 19.03 and 19.03.0.1, a migration path to version 21.08 is available. The process includes installing new 21.08 connectors and migrating your existing directories and Horizon and Citrix virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.
After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.
Important: All legacy connectors must be version 19.03.x before you can migrate.
See the Migrating to Workspace ONE Access Connector 21.08 guide for information.
Certificate Requirement for Horizon Virtual Apps Collections
Ensure that the Horizon Connection Servers have valid certificates signed by a trusted Certificate Authority (CA). If the Horizon Connection servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon Connection servers. This is a new requirement in Workspace ONE Access connector 21.08. You upload the certificates using the connector installer. See Installing Workspace ONE Access Connector for more information.
Requirements for RSA SecurID Authentication Method
The RSA SecurID integration has the following new requirements:
- In the RSA Security console, the Workspace ONE Access connector must be added as an authentication agent using the fully qualified domain name (FQDN), for example, connectorserver.example.com. If you have already added the connector as an authentication agent using the NetBIOS name instead of the FQDN, add another entry using the FQDN. Leave the IP address field empty for the new entry. Do not delete the old entry.
- If you have deployed multiple instances of the RSA Authentication Manager server, you must configure them behind a load balancer. See Workspace ONE Access Requirements for RSA SecurID Load Balancer for more information.
The VMware Workspace ONE Access 21.08 documentation is in the VMware Workspace ONE Access Documentation Center.
The Hub Services documentation is in the VMware Workspace ONE Documentation Center.
- HW-137959: This release includes the fix for the issues in VMSA-2021-0016
- HW-131550: Issues around Active Directory domains in mixed-case mode have been addressed for new directory creation as well as upgrade from 19.03/19.03.0.1 connectors
- HW-137253: Citrix server failover to replication server in the collection
- HW-121488: Entitlements are deleted and added again instead of being updated for Citrix and Horizon Cloud virtual apps collections
- HW-120278: Added capability of removing the old labels for Citrix resources during sync
- HW-130381: Support launch even if metadata refresh fails for some of the Horizon connection servers
- HW-127229: Sync failover to secondary connector node when primary node is down in on-premises environments
- HW-121412: Horizon server failover to non-primary pods in the collection
- HW-100498: Added support for syncing multiple virtual apps collections simultaneously
- HW-95770: Support for Citrix integrations that have users/groups entitled from multiple domains to work with AD over LDAP directory too
- HW-124523: Added filter on sync details and updated explanatory text for directory integration
- HW-124652: Tomcat catalina localhost access logs are enabled
- HW-126823: Fixed Web App assignment for more than 50 groups
- HW-129121: Fixed Horizon user's password warning on hznEncrypt to allow changes to runtime-config.properties
- HW-127231: Removed rsyslogd from the list of root users
- HW-135286: Re-configured Content Security Policy for headers for selected URLs
- HW-135872: Removed the option to assign ALL_USERS group to any admin roles
- HW-138657: Fixed client FQDN for apps with global entitlement
- HW-139279: Fixed status of Directory Sync UI messages for failsafe conditions
- HW-143003: Fixed password expiration for vPostgres
- HW-130944: Fixed an issue where Hub Notifications (For You) does not work in Workspace ONE Access with Microsoft SQL Server in Windows Authentication Mode
- ESC-31636: Fixed issue of Horizon Pool-based apps not syncing with 19.03.0.1 connector
- NEW - Expired password error during installation of Workspace ONE Access virtual appliance
During the Workspace ONE Access virtual appliance installation process, you are unable to use the Setup wizard at https://WorkspaceONEAccessFQDN to complete setup tasks. The wizard prompts you to change the root user password with the following notification: "Appliance password for root user expired, please change the password for the root user from the virtual machine console."
Workaround: This issue is fixed in the Workspace ONE Access 21.08.0.1 release. See the 21.08.0.1 Release Notes for more information.
- Users might not be able to launch Horizon 7.13 or later applications and desktops in a browser
When Horizon 7.13 or later is integrated with Workspace ONE Access, users always see the option in Intelligent Hub to launch applications or desktops in a browser, but browser launch fails if HTML Access is not installed on the Horizon Connection servers.
Workaround: If you are using Horizon 7.13 or later versions, install HTML Access on the Horizon Connection servers so that browser launch succeeds. See the VMware Horizon HTML Access documentation for more information.
- Global Catalog issue with Citrix virtual apps sync
If Global Catalog is enabled on Active Directory, group entitlements do not get synced for Citrix integrations. User entitlements are synced.
Workaround: Use the following workarounds.
- Use multiple LDAP directories instead of using Global Catalog.
- Create user entitlements instead of group entitlements for Citrix resources.
- Cloud application catalog takes a long time to load after a service restart
When you configure an authenticated proxy with the Workspace ONE Access service and restart the service the first time after that, the cloud application catalog might take several minutes to load. In the Catalog > Web Apps tab, when you click New and either search for an application to add or click browse from catalog, the applications might not appear for several minutes. This issue might also occur each time you disable and enable the authenticated proxy.