VMware Workspace ONE Access Connector (Windows) 20.10 | October 2020 | Build Workspace ONE Access Connector 20.10.0 Installer.exe

VMware Identity Manager Connector (Windows) | October 2020 | Build VMware Identity Manager Connector Installer.exe

VMware Identity Manager Integration Broker | October 2020 | Build 16975699

December 2020

Update Dec 8, 2020      Workspace ONE Access SaaS is not impacted by CVE-2020-4006, but SaaS customers that may have deployed Workspace ONE Access connectors should reference VMSA-2020-0027 to see if those components are affected and require a patch.

What's in the Release Notes

This release note covers the following topics.

What's New in This Releases

Native Duo MFA integration with Workspace ONE Access

  • Workspace ONE Access supports various third-party MFA providers using RADIUS-based integration. We are releasing a native API-based integration with Duo MFA.
  • Workspace ONE customers can leverage the new Duo authentication adapter to access corporate resources that require an additional factor of security.   
  • Current Duo customers can enable the authentication adapter and configure it in access policies just like other Workspace ONE Access authentication adapters.
  • The Duo native API integration is available only for Workspace ONE Access SaaS customers initially.

Support for OpenID Connect as Third-Party Identity Provider

  •  Workspace ONE Access can serve as an OpenID Connect relying party to any third-party OpenID Connect provider.  
  •  Customers can configure Workspace ONE Access to federate with an external OpenID Connect provider which is used as the source of authentication.  Moreover, Workspace ONE Access also supports custom OpenID Connect claims from third-party OpenID Connect providers. 
  • The OpenID Connect as a third-party identity provider is available only for Workspace ONE Access SaaS customers initially.

Verify (Intelligent Hub) Global Rollout

  • The Verify (Intelligent Hub) authentication adapter in Workspace ONE Access became available initially this fall. It’s the industry’s first multi-factor authentication (MFA) solution built directly into a digital workspace - Workspace ONE Intelligent Hub for iOS and Android. It allows users to request access to corporate resources and, instead of typing a password, receive a push notification direct to their phone to easily approve the request. Workspace ONE Access customers can take advantage of this capability at no additional cost or licensing requirements.
  • Verify (Intelligent Hub) is available only for Workspace ONE Access SaaS customers initially.

Factor-based Device Trust with Workspace ONE and Okta

  • Factor-based Device Trust is an additional offering from VMware and Okta that improves upon the existing Device Trust integration that was announced in 2019. Factor-based Device Trust utilizes Okta’s “IdP Factor” feature to allow all the capabilities in Workspace ONE Access’s conditional access policies to be evaluated during an authentication request.
  • Factor-based Device Trust has the following benefits over Device Trust:
    • Support for checking a device's management and compliance status with Workspace ONE UEM. The earlier Device Trust feature only can only check if the device is managed by Workspace ONE UEM.
    • Support for Windows, macOS, Android, and iOS operating systems. Device Trust only supports Android and iOS.
  • For customers who currently have Device Trust configured, no action is required if your needs are being met on Android and iOS.
  • Factor-based Device Trust can be used in tandem with Device Trust. If Device Trust is meeting your needs on Android and iOS, Factor-based Device Trust can be configured separately to handle Windows and macOS devices.
  • More information on configuring Factor-based Device Trust can be found here.
  • As part of our on-going partnership, VMware and Okta are working on a long-term vision for a more in-depth integration which includes sharing more device, application, and identity context between the two platforms.

  • Configurable External ID Directory Support

    When integrating with Active Directory, the user’s External ID attribute can now be mapped to a custom attribute other than the objectGUID attribute. Being able to map the External ID attribute to a custom attribute is useful when integrating Workspace ONE Access with VMware Workspace ONE UEM service that might use a different attribute other than objectGUID as the Object Identifier for syncing users.

  • Support of 4096 Key Certificates for Workspace ONE Access and Connectors

    We now support 4096-bit key SSL certificates for Workspace ONE Access service and connector. With this implementation, we bring increased encryption strength to the SSL certificates.

    • Customers can use 4096-bit SSL certificates on the service when FIPS mode is enabled
    • Customers can upload 4096-bit SSL certificates on 20.10 and connectors and on enterprise service connectors
    • 4096-bit SAML certificates are supported for this release
  • Support of Custom LDAP Filters

    We are introducing a new feature to support custom LDAP filter query when syncing users in Workspace ONE Access. Today, when administrators configure the user sync in Workspace ONE Access, they can specify the OU's distinguished name. The administrator can now configure Workspace ONE Access to refine the LDAP query sent to the directory server by using query filters to filter users.

  • Horizon Cloud Desktop and Apps are supported in the Hub Catalog

    Previously, customers integrating Workspace ONE Access with Horizon Cloud were required to configure a Virtual App Collection. Now, Horizon Cloud deployments are no longer required to configure virtual app collections, instead you can add Horizon Cloud desktop and app assignments to the Hub catalog directly from the Horizon Cloud admin console. App-specific access policies cannot be applied to Horizon Cloud apps when integrating in the new way. See About Using a Horizon Cloud Environment with VMware Workspace ONE and the Optional True SSO Feature.

  • Two VMware Workspace ONE Access connectors (Windows) are released in October 2020.
    • 20.10 Connector.    A new 20.10 installer is available for Workspace ONE Access Connector for Windows.
    • Connector.  A new installer is available for Workspace ONE Access Connector for Windows. Use the installer to upgrade from version 19.03 to

Preparing Workspace ONE Access for the Day Zero Onboarding Experience

  • Magic Link.  With this feature, admins will be able to generate a one-time use “Magic Link” that will allow an end user to access a Welcome page in the Workspace ONE Intelligent Hub portal from a web browser. Admins can configure the length of time that the link is active as well as disable the link before the end user uses the link in case of a breach. This link can be generated via APIs and can be automatically sent out to end users, or admins can manually send it out via email. Note: Magic Links can only be generated for one Active Directory group.

  • Token Auth. This feature is the backbone of the Magic Link. We have created a new method of authentication in a one-time access token that is used up once the Magic Link is clicked on for the first time. You configure the Workspace ONE Access API to create Token Auth authentication and then enable the authentication method of the Workspace ONE Access console.

To learn more about how to prepare the day zero onboarding experience, see How to Prepare a Day Zero Onboarding Experience in Workspace ONE Intelligent Hub.

Exclude is Now an Entitlement Type to Assign to Apps in Catalog

Workspace ONE Access provides a capability to configure every application to exclude certain groups for entitlements. Meaning, when admins assign an  application, they can choose which users and Active Directory groups to exclude from the application.

Group Exclusion allows our customers to disallow the pre-hire group from accessing sensitive applications within their Workspace ONE Intelligent Hub and restrict them to accessing only the essential applications they need for onboarding. 

Introducing Verify within Intelligent Hub

With the new Verify (Intelligent Hub) authentication adaptor, Workspace ONE now includes the industry’s first multi-factor authentication (MFA) solution built directly into the digital workspace. Users can leverage the Intelligent Hub app on their mobile devices to take action on push multi-factor authentication requests without ANY additional end user setup. This can be combined with Risk-Based conditional access for an adaptive MFA experience.

Powered by the entire Workspace ONE platform, this solution leverages Hub Services for delivering the notification, Workspace ONE UEM for ensuring the device is managed or registered, and Workspace ONE Access for authentication.

Existing VMware Verify customers are encouraged to upgrade to the new embedded MFA experience within the Intelligent Hub app.

Note: Verify (Intelligent Hub) will be made available in all SaaS environments over the coming months. The functionality is currently available in Workspace ONE Access Preview (UAT). Verify (Intelligent Hub) is available for test run with a Preview account in VMware Workspace ONE Access. The feature will be made available in October 2020.

Windows 10 Out-of-Box Experience (OOBE) Enrollment Policy

Ability to create an enrollment access policy rule specific to Windows 10 OOBE or when joining the Azure Active Directory domain. Customers that need to ensure that only Windows 10 managed devices gain access to Office 365 can leverage this enrollment policy to separate out enrollment from post-enrollment access.

Workspace ONE Intelligent Hub Enrollment Policy

Ability to configure an access policy rule for device enrollment into Workspace ONE UEM when the source of authentication in Workspace ONE UEM is set to Workspace ONE Access. This rule allows customers to leverage Mobile SSO for post enrollment login into Intelligent Hub without impacting the enrollment flow.

The device enrollment policy can also be used to block any further enrollments with the legacy Workspace ONE App.

The initial support is for iOS and Android Hub enrollment flows.

Password Caching for Virtual Apps

With the upcoming rollout, Workspace ONE Access provides admins the ability to control password caching. You can enable password caching in the Workspace ONE Access console to provide single sign on for users running Horizon, Horizon Cloud, and Citrix virtual apps from the Workspace ONE catalog when you are not using True SSO. See Configuring Password Caching for Virtual Apps for information.

If the password caching option is enabled, a user’s password is cached when first logging in to Workspace ONE Access using password-based authentication. If using an alternate method of authentication (such as a third-party identity provider, RADIUS, certificate-based, etc.), a user’s password is cached when they are challenged with password-based authentication during the first launch of a virtual app. Once users’ passwords are cached, they are not required to enter their passwords again while running virtual apps in the same login session.

If you are an existing customer using Virtual Apps, there will be no changes to the end user launch experience with this roll out. Customers newly setting up integrations with Horizon and Citrix could chose to enable this password caching option to have that seamless launch experience. For Horizon and Horizon Cloud, for the best user experience, set up True SSO instead of caching passwords.

Voluntary Product Accessibility Standards Improvements

Improved accessibility of Workspace ONE Access Login screens to comply with VPAT, or Voluntary Product Accessibility Template standards.

  • Updated colors for sufficient contrast.
  • Add alternative text as invisible label.

Updated the third-party identity provider page in admin console with an option to send subject information in SAML

Added functionality to be able to select the option to enable passing Subject, when available, in the SAML request for third-party identity providers.  This feature is disabled by default.

Install Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector

The recommendation of the Windows servers for the connectors being separate from your legacy connector servers still stands. But, in situations where it is not possible to procure a new machine, you can install Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector and then migrate your legacy connector.  Before you install any of these services on the Windows server, you must increase the CPU and memory on the machine because two versions of the connector will be running until the migration is complete. You need to increase the CPU and memory to meet the needs of both 19.03 and connectors per the Sizing guidelines. After the migration is complete, you can stop the 19.03 connector and uninstall it

Sizing Requirement for the Connector

Support LDAP signing and LDAP channel binding

See the VMware KB article 77158 Support LDAP Signing and LDAP Channel Binding with VMware Workspace ONE Access, Identity Manager.

Note: You do not need to apply the hot fix mentioned in the KB article. The Workspace ONE Access patch release includes the hot-fix mentioned in the KB article. 

  • After installing Workspace ONE Access connector, the functionality of Active Directory over IWA will become incompatible with the StartTLS option. When you upgrade follow these high-level steps.
  • Disable StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.01 connector
  • DO NOT enable StartTLS option in Active Directory over IWA configuration after installing or upgrading to 20.01.01 connector.

Okta Universal Directory Integration – Connect Workspace ONE Access with Okta to import user accounts into Workspace ONE. Universal directory integration enables the following scenarios with Okta.

  • Cloud-only Okta Universal Directory
  • Contingent / seasonal workers
  • Hybrid directory environments with on premises Active Directory + cloud only users
  • HR mastered users

This integration is based on SCIM, which allows user accounts to be synchronized from Okta to Workspace ONE over an industry standard. Create, update, and delete are supported across users, user attributes, and groups. The existing AirWatch provisioning adapter in Workspace ONE Access can be used to further synchronize these users to Workspace ONE UEM. Once enabled, administrators can offer the full range of Workspace ONE features to these users including the unified catalog, mobile SSO, intelligence, and UEM enrollment. The VMware Workspace ONE SCIM application can be found on the Okta Integration Network (OIN) store.

No migration process is currently in place to migrate an existing Active Directory user over to SCIM, which means existing versus new deployments will benefit differently.

  • A new deployment may take advantage of Universal Directory integration to deploy a single (Okta) connector in order to populate workspace one with a combination of AD and cloud-only users. This leads to an overall simplification of the required connector infrastructure for the combined products.
  • Existing deployments should leave Workspace ONE connectors in place for the purposes of Active Directory users and deploy Universal Directory integration to import cloud only users, be it contingent workers, HR mastered users, or cloud-only users in a hybrid directory environment.

See SCIM Provisioning from Okta to VMware Workspace ONE Access documentation.

VMware Workspace ONE Access formerly VMware Identity Manager

VMware Workspace ONE Access is the new name for what was called VMware Identity Manager. No functionality has been removed as a result of this name change.

  Revised Connector and Connector Management

  • Ability to install connector components individually. The three components are
    • Directory Sync service - Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
    • User Auth service - Provides Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) deployments.
    • Kerberos Auth service - Provides Kerberos authentication for internal users.
  • Improved and simplified connector configuration and life cycle management
    • Directory Sync service and the auth method service functional configuration is moved to the Workspace ONE Access service. Configuration for Directory Sync is in the Identity & Access Management > Directories page. Configuration of User Auth and Kerberos Auth methods is in Identity & Access Management > Enterprise Authentication Methods page in the Workspace ONE access console. No configuration details are stored in the connector.
    • You can easily add and remove connectors as needed.
  • Directory Sync-
    • Improved stability and reduced resource needs
    • Directory Sync is now driven from the Workspace ONE Access service. Users can easily add more Directory Sync nodes in the Directory Configuration page in the console for Sync high availability.
    • The ability to perform a dry run of the sync has been removed.
    • Test Directory button is removed. When the directory configuration is saved, the Directory Sync service tests the directory configuration in Active Directory.
    • Two sync options are now available in the UI, sync with safeguards and sync without safeguards. These actions can be performed from either the list of directories in the Identity & Access Management > Directories page, or from a specific directory landing page.
    • When an IWA directory is created, only the domain saved to the database in the directory's Domains tab is shown. The admin must select the refresh button to see all the domains that have two-way trust relationship with the base domain.
    • The directory's Group tab shows the Group DNs that are saved and the mapped groups from the DB. Calls are not automatically made to the Directory Sync service to fetch additional details, such as the number of groups in the container. You must explicitly click the Select button to run the Active Directory query to fetch the number of groups for the specific group DN.
    • Saving the user attribute mapping, user DNs, group DNs, safeguards, and sync schedule configurations is not sent to the Directory Sync service on the connector. These configurations are saved in the Workspace ONE Access service DB because the Directory Sync service is stateless.


VMware Workspace ONE Access is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Traditional Chinese
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

Component Compatibility

Windows Server Supported

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome 42.0 or later
  • Internet Explorer 11
  • Safari 6.2.8 or later
  • Microsoft Edge, latest version

Database Supported

  • MS SQL 2012, 2014, 2016, 2017

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (
  • IBM Tivoli Directory Server 6.3.1

 Component Versions No Longer Supported

  • Windows Server 2008R2
  • Windows Server 2012

This impacts Workspace ONE Access Connectors, Integration Broker, or database that might be installed on these versions of the Windows server.

This impacts Active Directory if it  running on these versions of a Windows server.

Compatibility Matrix

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

VMware Connector Compatibility

VMware Workspace ONE Access Connector (Windows)

The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.

  • Directory Sync service to sync users from your enterprise directories
  • User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
  • Kerberos Auth service for Kerberos authentication

Migrating to Workspace ONE Access 20.10 Connectors

If you are upgrading to Workspace ONE® Access™ 20.10 from a version prior to 19.03, to use the new Workspace ONE Access 20.10 connectors you must follow a migration process. The process includes installing new 20.10 connectors and migrating your existing directories to the new connectors.

You cannot upgrade legacy connector versions to 20.10. You migrate to the 20.10 connector from legacy connectors, you migrate your directories. When you migrate the directories, all data, including authentication methods and identity providers, is migrated.

See Migrating to Workspace ONE Access 20.10 Connectors

Upgrade to 20.10

To upgrade Workspace ONE Access connector 20.01 to 20.10, see Upgrading to VMware Workspace ONE Access Connector 20.10.

VMware Workspace ONE Access Connector

You can upgrade to the Windows-based VMware Identity Manager connector from version to get the latest security updates and resolved issues. The connector supports Virtual Apps, specifically Horizon, Horizon Cloud, and Citrix integrations with Workspace ONE Access. See Upgrading to VMware Identity Manager Connector (Windows)

Virtual Applications

The Workspace ONE Access 20.10 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApp integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.10 connectors.

To use virtual apps with Workspace ONE Access 20.10, you must use VMware Identity Manager connector version or

To use VMware ThinApp with Workspace ONE Access 20.01,  you must use VMware Identity Manager Linux-based connector appliance version 2018.8.1.  If you use ThinApp packages do not upgrade to the 19.03 or the 20.10 version of VMware Workspace ONE Access connector.

  • VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055 is used with ThinApp packages


The VMware Workspace ONE Access documentation is in the VMware Workspace ONE Access Documentation Center.

Resolved Issues in the Patch Release


Underscore is allowed in FQDN for Citrix servers


Sync would not fail if there are special characters in user name or group names but entitlement fetch would not happen for those specific groups


During launch, the Integration Broker will send the Deliverycontroller.AppName to Storefront to avoid launching the app from the wrong Citrix farm when the same app is hosted on multiple farms


Allowed cookies for NetScaler to be configured as VIP


Fixed CSRF cookie retrieval for Citrix external launch of applications


Citrix 1912 is supported with .net CLR version 4.0


Support for ReST API to update a sync connector to be set as non-sync connector for connectors


Config State doesn't get deleted when directory is deleted

ESC-22326 Fixed Sync of Citrix entitlements with Citrix 7.5


check-circle-line exclamation-circle-line close-line
Scroll to top icon