VMware Workspace ONE Access 22.09 | 27 SEP 2022 | Build 20529090

VMware Workspace ONE Access Connector (Windows) 22.09 | 27 SEP 2022 | Build Workspace-ONE-Access-Connector-Installer-

VMware Workspace ONE Desktop 22.09 | 27 SEP 2022 | Build VMware-Workspace-ONE-Access-Desktop-22.09.00-20456045.exe

Check for additions and updates to these release notes.

What's in the Release Notes

VMware Workspace ONE Access helps you provide your users faster access to SaaS, web, and native mobile apps with multi-factor authentication, conditional access, and single sign-on.

The Release Notes describe the new features, resolved issues, and known issues in this version of Workspace ONE Access.

What's New

  • Introducing the Redesigned Workspace ONE Access Navigation

    After you upgrade to Workspace ONE Access 22.09, you will see a redesigned Workspace ONE Access administration console.

    The redesigned Workspace ONE Access admin console improves your ability to navigate and edit key settings, helping you achieve your business goals. Pages are grouped under five tabs—Monitor, Accounts, Resources, Integrations, and Settings—with menus located on the left side panel. The former Manage and Setup buttons were removed to simplify the configuration process. 

    • Monitor includes the former Dashboard tab and Reports monitoring tools.

    • Accounts groups together the former Users & Groups and Roles tabs.

    • Resources replaced the Catalog tab and includes Policies as they provide secure access to the end-user portal. It also includes Global Launcher Preferences settings which were previously shown on the Catalog tab.

    • Integrations includes the on-premises and cloud components you integrate with Workspace ONE Access to manage users, configure authentication methods, and set up third-party integrations.

    • Settings is now a top-level navigation tab for faster access to Appliance, Branding, Password Policy, Remote App Access, and other settings. 

    In the new console, tabs include Monitor, Accounts, Resources, Integrations, and Settings.

    We’ve redesigned several key pages to help you explore Workspace ONE Access functionality. For example, the user profile page has a new look that also supports editing user roles from that page (Edit Roles) and overview of user activity (Activities tab). For the Users page, we simplified user search by adding advanced search and sorting by user name. In the Settings tab, the Password Policy and Password Recovery pages are displayed together, and the User Attributes page is updated. For more information about the new console, see Workspace ONE Access Features and Settings.

  • Time-Based One-Time Password (TOTP) Support for RFC 6238 Compliant Authenticator Apps

    Workspace ONE Access now supports a new authentication method, Authenticator App, to enhance its native MFA capabilities. This MFA is ideal for users with unmanaged devices, can be used offline, and requires no collection of personal identifying information (PII). We recommend that users leverage the new authentication functionality available in the Workspace ONE Intelligent Hub iOS and Android apps to register their TOTP.

    End users with a QR code or the secret key for an account can register that secret key with Workspace ONE Intelligent Hub to allow for the generation of Time-Based One-Time Passwords. This does not require an Internet connection.

    End users can find this functionality in the Workspace ONE Intelligent Hub iOS or Android app's Account screen under Two Factor Authentication. If users have Hub Services, they reach it by tapping the icon at the top of the app on any screen; in UEM-only mode, it is on the main screen. This functionality is not supported for multi-staging users, where the device is passed among multiple users, because TOTP's fundamental security feature is access to the device.

    There are three screens: Authentication tab in app with Scan a QR code and Enter a setup key options, QR code, and a key.

    Users with or without the Workspace ONE Intelligent Hub app can also register any authenticator app of their choice—such as Google Authenticator, Microsoft Authenticator, Okta Verify, Authy, and 1Password—that follows the time-based one-time passcode (TOTP) standards as defined in RFC 6238 on their own device. See Configure an Authenticator App for Two-Factor Authentication with Workspace ONE Access for configuration instructions.


    The VMware Verify authentication method will reach end of availability on October 31, 2022, and the VMware Verify application will no longer be available in app stores starting with that date. On-premises customers can continue to use VMware Verify authentication until the extended on-premises end of support date of November 30, 2022. In Workspace ONE Access 22.09, customers who are not already using VMware Verify cannot activate VMware Verify as a new authentication method. For more information, see VMware Knowledge Base article 89465. For information on VMware Verify migration paths, see VMware Knowledge Base article 88424.

  • Directory Sync Frequency Updates

    The interval between synchronization times has been made more flexible and will let administrators choose between setting hourly synchronizations or synchronizations every 2, 6, or 12 hours. Administrators can also choose to set their synchronization frequency to be less often with daily or weekly intervals.

  • Configure Multiple Directories for an Identity Provider

    Until now, the Identity Provider setup in Workspace ONE Access on-premises deployments was limited to a single directory. The ability to configure more than one directory for an Identity Provider was brought to Workspace ONE Access SaaS hosted tenants in October 2021, and now we are bringing it to our on-premises offering. This will allow admins to configure seamless login experiences for end users. Also, administrators that are using connectors and have multiple directories configured for an Identity Provider will be able to migrate to the latest 22.09 connectors that have enterprise services without having to reconfigure the directory settings for their Identity Provider.

  • Integrate Citrix Virtual Apps and Desktops with Multi-Site Aggregation Enabled

    Creating Citrix Apps and Desktops that have multi-site aggregation enabled is supported in the 22.09 release of Workspace ONE Access for both SaaS hosted and on-premises deployments. Citrix multi-site aggregation allows for an application or desktop that is duplicated across multiple sites to be combined and displayed as a single application or desktop icon.

  • Use Keyword Filtering for Citrix Virtual Apps and Desktops

    Administrators can use keywords to filter the resources from their Citrix Virtual Apps and Desktops to only display the filtered resources to end users. This functionality is supported in both SaaS hosted and on-premises deployment models and can be configured while installing the 22.09 Workspace ONE Access Connector.

  • Windows Connector Support for ThinApp

    ThinApp support is included with Workspace ONE Access Connector 22.09. This will allow for ThinApp package synchronization in both the on-premises and SaaS hosted versions of Workspace ONE Access. Existing ThinApp packages will have to be converted in order to be used with 22.09 Workspace ONE Access connectors. Also, legacy Linux connectors must be upgraded to VMware Identity Manager Connector for Windows 19.03.01 prior to migrating to the 22.09 connector.

    The Workspace ONE Access Desktop application is required to launch ThinApp packages, and the 22.09 release provides new functionality. End users will be able to view a progress bar browser, which will enhance their user experience when ThinApp packages are being downloaded in the background. There is also a new Sync Now button that will allow users to force packages to be downloaded on demand.


    In the Workspace ONE Access Desktop application, the Open my Identity Manager portal command is deprecated. 

  • Connector Support for Horizon Cloud Service on Microsoft Azure with Single-Pod Broker (New in Workspace ONE Access 22.09 On-premises)

    Workspace ONE Access Connector 22.09 includes support for integrating with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud. This allows for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or to version 22.09 connector. Both directories and virtual apps collections must be migrated together during this one-time process. This functionality is now in both SaaS hosted and on-premises offerings of Workspace ONE Access.

  • Bypass multipleauthn SAML Attribute Claims in WS-Fed active flows

    The multipleauthn SAML attribute will no longer be passed in active federation flows in the 22.09 release of Workspace ONE Access. This behavior has been changed in on-premises and SaaS hosted versions of Workspace ONE Access.

  • On-Premises Support for Hub Services Capabilities

    • Introducing Hub Services Roles Based Access Control

      Hub Services Roles Based Access Control (RBAC) allows admins to assign roles to different stakeholders and manage their access permissions to the Hub Services admin console. Hub Services RBAC supports five predefined roles that admins can assign to user groups:

      • Super Admin

      • Auditor

      • Notification Admin

      • Notification Creator

      • Notification Auditor

      Assign notification-specific roles to stakeholders who can help manage your corporate communication by sending out notifications to users on Workspace ONE Intelligent Hub. Employees in teams like Marketing or HR who want to inform employees about important company news such as an upcoming all-hands meeting or open enrollment benefits can be assigned a restricted role that grants them permission to create and send notifications.

    • Removing the 3-character Limit for People Search

      People Search (on Hub Web) will now allow searching with just one or two characters instead of the usual 3-character search. This enables support for searching names in logographic languages like Chinese and Japanese.

    • People Search Custom Attributes

      People Search was originally built with a set of standard attributes from Active Directory (AD). With this feature, admins will now be able to configure additional attributes that might be custom to their AD implementation. End users will now be able to see more attributes that are associated with their peers, such as Slack user names, Teams accounts, and so on.

    • Branding Background Image Support on Intelligent Hub Web

      Background Image is back! Admins will now be able to upload a background image from Hub Services Branding Settings and have that image rendered on the Hub end user UI. This capability builds on our existing branding settings and enables customers to deliver a more modern and stylish Hub Experience.


      This feature is available only on Hub Web with this release.

    • Install UEM Web Clips (on Windows Hub)

      UEM web clips (deployed through a profile) now have an added option to allow installation by the user. Previously, users could only launch these web clips.

    • Hub Templates Changes Will Update upon App Relaunch or Browser Refresh

      When changes are made to Hub Template assignments such as priority or reassignment of a template, the new template will be updated on a user’s device when the Hub app is relaunched or when Hub Web is refreshed.


      This feature is currently not supported on all platforms. This feature is available on Hub Web, iOS version 22.01 and later, Android version 22.01 and later, and macOS version 22.01 and later.

    • Removing Support for IE 11 on Workspace ONE Intelligent Hub Web and Hub Services Admin Console

      Workspace ONE Intelligent Hub Web and the Hub Services console no longer support Internet Explorer 11 due to security risks. For the best user experience and to continue to receive new feature updates, we recommend that admins and users use the following browsers to access Workspace ONE Intelligent Hub Web and the Hub Services console:

      • Chrome

      • Safari

      • Firefox

      • Edge (Chromium based)

      For more information, see VMware Knowledge Base article 83271.

    • End-of-life of Legacy Workspace ONE experiences (Workspace ONE App and Web Portal)

      For several reasons listed in VMware Knowledge Base article 87908, we are accelerating the end-of-life of these legacy experiences. Customers who have the Workspace ONE apps deployed or are utilizing the legacy Web Portal should begin planning the lateral migration to Workspace ONE Intelligent Hub or look at enabling the new Hub browser experience.

  • Removed Settings Due to the End of Support Life for the Workspace ONE application (New in Workspace ONE Access 22.09 on premises)

    Several configuration and branding settings have been removed from the Workspace ONE Access console due to the end-of-life of the Workspace ONE app. These changes are in both SaaS and on-premises offerings of Workspace ONE Access. Please refer to VMware Knowledge Base article 87908 and VMware Knowledge Base article 80208 for more information about the end-of-life of the Workspace ONE app.
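
The Authenticator App method listed under What's New accepts any app that follows RFC 6238, and registration needs only a QR code or setup key. The Python sketch below is an added example, not VMware code: it parses an enrollment URI, derives the code offline from the shared secret and the clock, and verifies it with a one-step drift window. The otpauth:// URI layout, the sample URI, and the function names parse_otpauth, totp, and verify are assumptions for illustration; the release notes do not specify the QR payload format.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: the RFC 6238 Appendix B SHA-1 test key
# ("12345678901234567890") in Base32, with a made-up issuer and account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def parse_otpauth(uri):
    """Parse an otpauth:// enrollment URI (assumed QR code payload)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    secret = params["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # setup keys usually omit Base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(key, at, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 code for Unix time `at`: HOTP over the time-step counter."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key, submitted, at, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept codes from `window` steps either side of `at`."""
    ok = False
    for step in range(-window, window + 1):
        moment = at + step * period
        if moment < 0:
            continue
        expected = totp(key, moment, digits, period, algorithm)
        # Constant-time comparison; every step is checked before returning.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    import time
    enrolled = parse_otpauth(SAMPLE_URI)
    print(enrolled["label"], totp(enrolled["key"], time.time(), enrolled["digits"]))
```

Because the code depends only on the stored secret and the device clock, whoever holds the device can produce valid codes, which is why the feature is not supported on devices shared among multiple users.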

Before You Begin


VMware Workspace ONE Access is available in the following languages.

  • English

  • French

  • German

  • Spanish

  • Japanese

  • Simplified Chinese

  • Korean

  • Traditional Chinese

  • Russian

  • Italian

  • Portuguese (Brazil)

  • Dutch


VMware vCenter™ and VMware ESXi™ Compatibility

VMware Workspace ONE Access appliance supports the following versions of vSphere and ESXi.

  • 8.0, 7.0, 6.7, 6.5

Windows Server Supported

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version

  • Google Chrome, latest version

  • Safari, latest version

  • Microsoft Edge, latest version

Database Supported

  • Microsoft SQL Server 2014, 2016, 2017, 2019


    Microsoft SQL Server 2014 must be updated with the Microsoft SQL patch to support TLS 1.2.

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests

  • OpenLDAP - 2.4

  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (

  • IBM Tivoli Directory Server 6.3.1

Connector Compatibility

Workspace ONE Access connector 22.09 is compatible with the Workspace ONE Access Cloud service and with Workspace ONE Access virtual appliance version 22.09 and later versions.

Virtual Apps Compatibility

Workspace ONE Access connector 22.09 supports VMware Horizon, Horizon Cloud Service, Citrix, and ThinApp integrations with the Virtual App service. 

The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 2203, Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The following versions of Citrix Gateway are supported: 12.1-62.27, 12.1-65.25, and 13.1-37.38. The connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.

For supported Horizon versions, see the VMware Product Interoperability Matrix.

Compatibility Matrix

The VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server and Horizon 7.

For system requirements, see the Workspace ONE Access Installation guides for 22.09 in the Workspace ONE Access documentation center.

Installation and Upgrade

Upgrading to VMware Workspace ONE Access 22.09 (Photon Linux)

To upgrade to Workspace ONE Access 22.09, the current version must be 21.08.x. Versions prior to 21.08.x must be upgraded to 21.08.x first, then upgraded from 21.08.x to 22.09.

During the upgrade, all services are stopped; plan the upgrade with the expected downtime in mind.

  • If you are upgrading from version, before you begin the upgrade you must download the update-fix.tgz package from the Workspace ONE Access 22.09 download page and replace the /usr/local/horizon/update/configureupdate.hzn file with the new configureupdate.hzn file from the package. See the instructions in the package for detailed information.

  • Microsoft SQL Server 2014 must be updated with the Microsoft SQL patch to support TLS 1.2 before you upgrade the Workspace ONE Access service appliance.

See the Upgrading to Workspace ONE Access 22.09 guide in the Workspace ONE Access documentation center for more information.

Upgrading to Workspace ONE Access Connector 22.09 (Windows)

You can upgrade Workspace ONE Access connector versions 22.05, 21.08.x, 20.10.x, and 20.01.x to version 22.09.

See the Upgrading to Workspace ONE Access Connector 22.09 guide for information.

Migrating to Workspace ONE Access Connector 22.09 (Windows)

From Workspace ONE Access connector version 19.03.x, a migration path to version 22.09 is available. The process includes installing new 22.09 connectors and migrating your existing directories and virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.

After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.

  • All legacy connectors must be version 19.03.x before you can migrate to version 22.09.

  • To migrate ThinApp virtual apps collections, you must first migrate from the Linux 2018.8.1.0 connector to the Windows connector. Then, migrate from version to version 22.09.

See the Migrating to Workspace ONE Access Connector 22.09 guide for information.

Certificate Requirement for Horizon and Horizon Cloud Virtual Apps Collections

Ensure that the Horizon Connection Servers, or the Horizon Cloud service's underlying Horizon servers, have valid certificates signed by a trusted Certificate Authority (CA). If the Horizon servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon servers. This is a new requirement in Workspace ONE Access connector beginning with version 21.08. You upload the certificates using the connector installer. See Installing Workspace ONE Access Connector 22.09 for more information. 

Requirements for RSA SecurID Authentication Method

The RSA SecurID integration has the following new requirements beginning with Workspace ONE Access connector version 21.08:

  • In the RSA Security console, the Workspace ONE Access connector must be added as an authentication agent using the fully qualified domain name (FQDN), for example, connectorserver.example.com. If you have already added the connector as an authentication agent using the NetBIOS name instead of the FQDN, add another entry using the FQDN. Leave the IP address field empty for the new entry. Do not delete the old entry.

  • If you have deployed multiple instances of the RSA Authentication Manager server, you must configure them behind a load balancer. See Workspace ONE Access Requirements for RSA SecurID Load Balancer for more information.

Resolved Issues

This release includes the following resolved issues.

  • HW-157180: Improved resiliency of Horizon virtual apps collection synchronization

  • HW-164225: Resolved an issue related to launch of Citrix private desktops from the Workspace ONE catalog

  • HW-151085: Resolved an issue that shows an incorrect Display Name for Horizon applications and desktops that are synchronized through Workspace ONE Access

  • HW-139876: The UI now displays a warning on the POD configuration page if HTML Access for Horizon is not installed

  • HW-143339: Resolved an issue that causes syncs to fail when a user is migrated to a new domain within the same AD forest. Also, added support for users that are migrated to different domains and forests.

  • HW-163476: Resolved an issue where users were prompted to enter their credentials again when they launched Horizon applications and desktops

Known Issues

  • NEW, DEC 19 2022 - HW-170576: When a proxy is configured, the Virtual App service is unable to fetch metadata from a Horizon Cloud Service Single-Pod Broker setup.

    Contact VMware Support to request a patch.

  • People Search page does not display mapped attributes after upgrade

    After upgrade to Workspace ONE Access 22.09, mapped user attributes do not appear in the Summary card on the People Search page in the Workspace ONE Access console. This is only a display issue in the admin console. For end users, the People Search feature continues to work as expected.

    Workaround: In the Summary card, click Edit and save the configuration.

  • KDC health status does not appear on Resiliency dashboard 

    When a hybrid Key Distribution Center (KDC) for the Mobile SSO (for iOS) authentication method is configured, the Monitor > Resiliency dashboard does not display the KDC health status.

    Workaround: None

  • Notification about read-only mode does not appear in Workspace ONE Access console

    In a multi-data center environment, the Workspace ONE Access nodes in the secondary data center are configured in read-only mode. When Workspace ONE Access fails over, the environment becomes read-only, and some activities are not available. In earlier releases, a notification banner appeared in the Workspace ONE Access console, which informed administrators that read-only mode was enabled. The banner displayed the following message: The VMware Workspace ONE Access service is experiencing some issues. End users can still login and launch apps. For more details, go to the System Diagnostics Dashboard.

    In version 22.09, this banner does not appear.

    Workaround: None

  • Workspace ONE Access Desktop Client always uses Web Browser policy

    For ThinApp integrations, when end users install the Workspace ONE Access Desktop application on their Windows 10 systems, the Workspace ONE Access Desktop application always uses the Web Browser authentication policy for login, even if there is a matching policy for Windows 10.

    Workaround: Configure your access policies accordingly.

  • ThinApp application launch might not succeed the first time when User Activated entitlement type is used

    If the Activation Policy on the ThinApp virtual apps collection is set to User Activated, the first time a user tries to launch a ThinApp application from the Workspace ONE Intelligent Hub catalog, launch might not succeed.

    Workaround: Refresh the page and launch the application again. Or, set the Activation Policy to Automatic.

