VMware Workspace ONE Access Connector (Windows) 20.10 | October 2020 | Build Workspace ONE Access Connector 20.10.0 Installer.exe
VMware Identity Manager Connector (Windows) 19.03.0.1 | October 2020 | Build VMware Identity Manager Connector 19.03.0.1 Installer.exe
VMware Identity Manager Integration Broker 19.03.0.1 | October 2020 | Build 16975699
Update Dec 8, 2020: Workspace ONE Access SaaS is not impacted by CVE-2020-4006, but SaaS customers that may have deployed Workspace ONE Access connectors should reference VMSA-2020-0027 to see whether those components are affected and require a patch.
What's in the Release Notes
This release note covers the following topics.
- What's New in This Release
- What's New in Previous Releases
- Compatibility, Installation, and Upgrade
- Resolved Issues
Native Duo MFA integration with Workspace ONE Access
- Workspace ONE Access supports various third-party MFA providers using RADIUS-based integration. We are releasing a native API-based integration with Duo MFA.
- Workspace ONE customers can leverage the new Duo authentication adapter to access corporate resources that require an additional factor of security.
- Current Duo customers can enable the authentication adapter and configure it in access policies just like other Workspace ONE Access authentication adapters.
- The Duo native API integration is available only for Workspace ONE Access SaaS customers initially.
Support for OpenID Connect as Third-Party Identity Provider
- Workspace ONE Access can serve as an OpenID Connect relying party to any third-party OpenID Connect provider.
- Customers can configure Workspace ONE Access to federate with an external OpenID Connect provider which is used as the source of authentication. Moreover, Workspace ONE Access also supports custom OpenID Connect claims from third-party OpenID Connect providers.
- The OpenID Connect as a third-party identity provider is available only for Workspace ONE Access SaaS customers initially.
Verify (Intelligent Hub) Global Rollout
- The Verify (Intelligent Hub) authentication adapter in Workspace ONE Access became available initially this fall. It’s the industry’s first multi-factor authentication (MFA) solution built directly into a digital workspace - Workspace ONE Intelligent Hub for iOS and Android. It allows users to request access to corporate resources and, instead of typing a password, receive a push notification direct to their phone to easily approve the request. Workspace ONE Access customers can take advantage of this capability at no additional cost or licensing requirements.
- Verify (Intelligent Hub) is available only for Workspace ONE Access SaaS customers initially.
Factor-based Device Trust with Workspace ONE and Okta
- Factor-based Device Trust is an additional offering from VMware and Okta that improves upon the existing Device Trust integration that was announced in 2019. Factor-based Device Trust utilizes Okta’s “IdP Factor” feature to allow all the capabilities in Workspace ONE Access’s conditional access policies to be evaluated during an authentication request.
- Factor-based Device Trust has the following benefits over Device Trust:
- Support for checking a device's management and compliance status with Workspace ONE UEM. The earlier Device Trust feature can only check whether the device is managed by Workspace ONE UEM.
- Support for Windows, macOS, Android, and iOS operating systems. Device Trust only supports Android and iOS.
- For customers who currently have Device Trust configured, no action is required if your needs are being met on Android and iOS.
- Factor-based Device Trust can be used in tandem with Device Trust. If Device Trust is meeting your needs on Android and iOS, Factor-based Device Trust can be configured separately to handle Windows and macOS devices.
- More information on configuring Factor-based Device Trust can be found here.
- As part of our on-going partnership, VMware and Okta are working on a long-term vision for a more in-depth integration which includes sharing more device, application, and identity context between the two platforms.
Configurable External ID Directory Support
When integrating with Active Directory, the user’s External ID attribute can now be mapped to a custom attribute other than the objectGUID attribute. Being able to map the External ID attribute to a custom attribute is useful when integrating Workspace ONE Access with VMware Workspace ONE UEM service that might use a different attribute other than objectGUID as the Object Identifier for syncing users.
Support of 4096 Key Certificates for Workspace ONE Access and Connectors
We now support 4096-bit key SSL certificates for Workspace ONE Access service and connector. With this implementation, we bring increased encryption strength to the SSL certificates.
- Customers can use 4096-bit SSL certificates on the service when FIPS mode is enabled
- Customers can upload 4096-bit SSL certificates on 20.10 and 19.03.0.1 connectors and on enterprise service connectors
- 4096-bit SAML certificates are supported for this release
Support of Custom LDAP Filters
We are introducing a new feature to support custom LDAP filter queries when syncing users in Workspace ONE Access. Today, when administrators configure user sync in Workspace ONE Access, they specify the OU's distinguished name. Administrators can now configure Workspace ONE Access to refine the LDAP query sent to the directory server by adding query filters that narrow which users are synced.
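To make concrete what a custom filter adds on top of the OU distinguished name, here is an added example (not VMware code and not the product's own query engine): a small RFC 4515 filter evaluator run over a constructed in-memory directory, so you can see which entries an OU-scoped sync picks up before and after a filter is applied. The entries, attribute values and the `sync_users` helper are all constructed for illustration.

```python
# Added example, not VMware code: a small RFC 4515 LDAP filter evaluator run over
# a constructed in-memory directory, showing how a filter narrows an OU-scoped sync.
import re

# Constructed sample entries (not real data); attribute names follow Active Directory.
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "objectClass": "user",
     "sAMAccountName": "alice", "department": "Engineering", "mail": "alice@example.com"},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "objectClass": "user",
     "sAMAccountName": "bob", "department": "Sales"},
    {"dn": "CN=svc-backup,OU=Users,DC=example,DC=com", "objectClass": "user",
     "sAMAccountName": "svc-backup", "department": "Engineering"},
    {"dn": "CN=carol,OU=Contractors,DC=example,DC=com", "objectClass": "user",
     "sAMAccountName": "carol", "department": "Engineering", "mail": "carol@example.com"},
    {"dn": "CN=Engineers,OU=Groups,DC=example,DC=com", "objectClass": "group",
     "sAMAccountName": "Engineers"},
]

def parse_filter(text):
    """Parse an RFC 4515 filter (&, |, !, equality, presence, substring) into a tuple AST."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.index(")", pos)
            m = re.fullmatch(r"([A-Za-z][\w-]*)=(.*)", text[pos:end])
            if not m:
                raise ValueError(f"malformed item at offset {pos}")
            result, pos = ("=", m.group(1), m.group(2)), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    attr, value = tree[1], tree[2]
    actual = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if value == "*":  # presence filter, e.g. (mail=*)
        return actual is not None
    pattern = ".*".join(re.escape(part) for part in value.split("*"))  # substring match
    return actual is not None and re.fullmatch(pattern, actual, re.IGNORECASE) is not None

def sync_users(base_dn, ldap_filter):
    """Return the sAMAccountNames an OU-scoped sync would pick up after applying the filter."""
    tree = parse_filter(ldap_filter)
    suffix = "," + base_dn.lower()
    return sorted(e["sAMAccountName"] for e in DIRECTORY
                  if e["dn"].lower().endswith(suffix) and matches(tree, e))
```

With the OU alone, `sync_users("OU=Users,DC=example,DC=com", "(objectClass=user)")` returns every account under that OU, service accounts included; adding `(!(sAMAccountName=svc-*))` and a department clause keeps the sync scope to the users you intend.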
Horizon Cloud Desktop and Apps are supported in the Hub Catalog
Previously, customers integrating Workspace ONE Access with Horizon Cloud were required to configure a Virtual App Collection. Horizon Cloud deployments no longer require virtual app collections; instead, you can add Horizon Cloud desktop and app assignments to the Hub catalog directly from the Horizon Cloud admin console. App-specific access policies cannot be applied to Horizon Cloud apps when integrating in the new way. See About Using a Horizon Cloud Environment with VMware Workspace ONE and the Optional True SSO Feature.
- Two VMware Workspace ONE Access connectors (Windows) are released in October 2020.
- 20.10 Connector. A new 20.10 installer is available for Workspace ONE Access Connector for Windows.
- 19.03.0.1 Connector. A new 19.03.0.1 installer is available for Workspace ONE Access Connector for Windows. Use the installer to upgrade from version 19.03 to 19.03.0.1.
Preparing Workspace ONE Access for the Day Zero Onboarding Experience
- Magic Link. With this feature, admins can generate a one-time use “Magic Link” that allows an end user to access a Welcome page in the Workspace ONE Intelligent Hub portal from a web browser. Admins can configure the length of time that the link is active, and can disable the link before the end user uses it in case of a breach. The link can be generated via APIs and sent to end users automatically, or admins can send it manually via email. Note: Magic Links can only be generated for one Active Directory group.
- Token Auth. This feature is the backbone of the Magic Link. It is a new authentication method based on a one-time access token that is used up the first time the Magic Link is clicked. You configure the Workspace ONE Access API to create the Token Auth authentication method and then enable the authentication method in the Workspace ONE Access console.
To learn more about how to prepare the day zero onboarding experience, see How to Prepare a Day Zero Onboarding Experience in Workspace ONE Intelligent Hub.
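The security properties the Magic Link and Token Auth description relies on (usable exactly once, active only for an admin-chosen window, revocable by an admin before use) are easier to reason about in code. The following is an added illustrative model, not VMware's implementation or API; the class and method names (`MagicLinkStore`, `issue`, `revoke`, `redeem`) and the choice to store only a hash of the link secret are assumptions made for the example.

```python
# Added example, not VMware code: a model of the one-time onboarding link the
# release note describes. Names (MagicLinkStore, issue, redeem, revoke) are
# assumptions; the invariants are the ones stated in the notes: usable once,
# expires after an admin-chosen window, and revocable by an admin before use.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Link:
    user: str
    secret_hash: bytes   # SHA-256 of the secret; the raw secret is never stored
    expires_at: float
    used: bool = False
    revoked: bool = False


class MagicLinkStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable for testing expiry without sleeping
        self._links = {}

    def issue(self, user, ttl_seconds):
        """Create a link for `user`; returns (link_id, secret). Only the hash is kept."""
        link_id = secrets.token_urlsafe(8)
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).digest()
        self._links[link_id] = _Link(user, digest, self._clock() + ttl_seconds)
        return link_id, secret

    def revoke(self, link_id):
        """Admin action: disable a link that has not been used yet."""
        if link_id in self._links:
            self._links[link_id].revoked = True

    def redeem(self, link_id, secret):
        """Consume the link. Returns (status, user); user is set only on "ok"."""
        link = self._links.get(link_id)
        if link is None:
            return "unknown", None
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, link.secret_hash):
            return "bad_secret", None   # a wrong secret does not consume the link
        if link.revoked:
            return "revoked", None
        if link.used:
            return "used", None
        if self._clock() > link.expires_at:
            return "expired", None
        link.used = True                 # single use: a second redemption fails
        return "ok", link.user
```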
Exclude is Now an Entitlement Type to Assign to Apps in Catalog
Workspace ONE Access provides a capability to configure every application to exclude certain groups for entitlements. Meaning, when admins assign an application, they can choose which users and Active Directory groups to exclude from the application.
Group Exclusion allows our customers to disallow the pre-hire group from accessing sensitive applications within their Workspace ONE Intelligent Hub and restrict them to accessing only the essential applications they need for onboarding.
Introducing Verify within Intelligent Hub
With the new Verify (Intelligent Hub) authentication adapter, Workspace ONE now includes the industry’s first multi-factor authentication (MFA) solution built directly into the digital workspace. Users can leverage the Intelligent Hub app on their mobile devices to act on push multi-factor authentication requests without any additional end user setup. This can be combined with Risk-Based conditional access for an adaptive MFA experience.
Powered by the entire Workspace ONE platform, this solution leverages Hub Services for delivering the notification, Workspace ONE UEM for ensuring the device is managed or registered, and Workspace ONE Access for authentication.
Existing VMware Verify customers are encouraged to upgrade to the new embedded MFA experience within the Intelligent Hub app.
Note: Verify (Intelligent Hub) will be made available in all SaaS environments over the coming months. The functionality is currently available in Workspace ONE Access Preview (UAT). Verify (Intelligent Hub) is available for test run with a Preview account in VMware Workspace ONE Access. The feature will be made available in October 2020.
Windows 10 Out-of-Box Experience (OOBE) Enrollment Policy
Ability to create an enrollment access policy rule specific to Windows 10 OOBE or when joining the Azure Active Directory domain. Customers that need to ensure that only Windows 10 managed devices gain access to Office 365 can leverage this enrollment policy to separate out enrollment from post-enrollment access.
Workspace ONE Intelligent Hub Enrollment Policy
Ability to configure an access policy rule for device enrollment into Workspace ONE UEM when the source of authentication in Workspace ONE UEM is set to Workspace ONE Access. This rule allows customers to leverage Mobile SSO for post enrollment login into Intelligent Hub without impacting the enrollment flow.
The device enrollment policy can also be used to block any further enrollments with the legacy Workspace ONE App.
The initial support is for iOS and Android Hub enrollment flows.
Password Caching for Virtual Apps
With the upcoming rollout, Workspace ONE Access provides admins the ability to control password caching. You can enable password caching in the Workspace ONE Access console to provide single sign-on for users running Horizon, Horizon Cloud, and Citrix virtual apps from the Workspace ONE catalog when you are not using True SSO. See Configuring Password Caching for Virtual Apps for information.
If the password caching option is enabled, a user’s password is cached when first logging in to Workspace ONE Access using password-based authentication. If using an alternate method of authentication (such as a third-party identity provider, RADIUS, certificate-based, etc.), a user’s password is cached when they are challenged with password-based authentication during the first launch of a virtual app. Once users’ passwords are cached, they are not required to enter their passwords again while running virtual apps in the same login session.
If you are an existing customer using Virtual Apps, there will be no changes to the end user launch experience with this rollout. Customers newly setting up integrations with Horizon and Citrix can choose to enable this password caching option to get that seamless launch experience. For Horizon and Horizon Cloud, for the best user experience, set up True SSO instead of caching passwords.
Voluntary Product Accessibility Standards Improvements
Improved accessibility of Workspace ONE Access login screens to comply with Voluntary Product Accessibility Template (VPAT) standards.
- Updated colors for sufficient contrast.
- Added alternative text as invisible labels.
Updated the third-party identity provider page in admin console with an option to send subject information in SAML
Added functionality to be able to select the option to enable passing Subject, when available, in the SAML request for third-party identity providers. This feature is disabled by default.
Install Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector
We still recommend that the Windows servers for the 20.01.0.1 connectors be separate from your legacy connector servers. But in situations where it is not possible to procure a new machine, you can install the 20.01.0.1 Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running the Workspace ONE Access 19.03 connector and then migrate your legacy connector. Before you install any of these services on the Windows server, you must increase the CPU and memory on the machine, because two versions of the connector will be running until the migration is complete. Increase the CPU and memory to meet the needs of both the 19.03 and 20.01.0.1 connectors per the sizing guidelines. After the migration is complete, you can stop the 19.03 connector and uninstall it.
Support LDAP signing and LDAP channel binding
See the VMware KB article 77158 Support LDAP Signing and LDAP Channel Binding with VMware Workspace ONE Access, Identity Manager.
Note: You do not need to apply the hot fix mentioned in the KB article. The Workspace ONE Access 20.01.0.1 patch release includes the hot-fix mentioned in the KB article.
- After installing Workspace ONE Access connector 20.01.0.1, Active Directory over IWA becomes incompatible with the StartTLS option. When you upgrade, follow these high-level steps.
- Disable the StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.0.1 connector.
- DO NOT enable the StartTLS option in the Active Directory over IWA configuration after installing or upgrading to the 20.01.0.1 connector.
Okta Universal Directory Integration – Connect Workspace ONE Access with Okta to import user accounts into Workspace ONE. Universal directory integration enables the following scenarios with Okta.
- Cloud-only Okta Universal Directory
- Contingent / seasonal workers
- Hybrid directory environments with on-premises Active Directory + cloud-only users
- HR mastered users
This integration is based on SCIM, which allows user accounts to be synchronized from Okta to Workspace ONE over an industry standard. Create, update, and delete are supported across users, user attributes, and groups. The existing AirWatch provisioning adapter in Workspace ONE Access can be used to further synchronize these users to Workspace ONE UEM. Once enabled, administrators can offer the full range of Workspace ONE features to these users including the unified catalog, mobile SSO, intelligence, and UEM enrollment. The VMware Workspace ONE SCIM application can be found on the Okta Integration Network (OIN) store.
No migration process is currently in place to migrate an existing Active Directory user over to SCIM, which means existing versus new deployments will benefit differently.
- A new deployment may take advantage of Universal Directory integration to deploy a single (Okta) connector in order to populate Workspace ONE with a combination of AD and cloud-only users. This leads to an overall simplification of the required connector infrastructure for the combined products.
- Existing deployments should leave Workspace ONE connectors in place for the purposes of Active Directory users and deploy Universal Directory integration to import cloud only users, be it contingent workers, HR mastered users, or cloud-only users in a hybrid directory environment.
See SCIM Provisioning from Okta to VMware Workspace ONE Access documentation.
VMware Workspace ONE Access formerly VMware Identity Manager
VMware Workspace ONE Access is the new name for what was called VMware Identity Manager. No functionality has been removed as a result of this name change.
Revised Connector and Connector Management
- Ability to install connector components individually. The three components are
- Directory Sync service - Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
- User Auth service - Provides the Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) authentication methods.
- Kerberos Auth service - Provides Kerberos authentication for internal users.
- Improved and simplified connector configuration and life cycle management
- Directory Sync service and auth method service functional configuration is moved to the Workspace ONE Access service. Configuration for Directory Sync is in the Identity & Access Management > Directories page. Configuration of User Auth and Kerberos Auth methods is in the Identity & Access Management > Enterprise Authentication Methods page in the Workspace ONE Access console. No configuration details are stored in the connector.
- You can easily add and remove connectors as needed.
- Directory Sync
- Improved stability and reduced resource needs
- Directory Sync is now driven from the Workspace ONE Access service. Users can easily add more Directory Sync nodes in the Directory Configuration page in the console for Sync high availability.
- The ability to perform a dry run of the sync has been removed.
- Test Directory button is removed. When the directory configuration is saved, the Directory Sync service tests the directory configuration in Active Directory.
- Two sync options are now available in the UI, sync with safeguards and sync without safeguards. These actions can be performed from either the list of directories in the Identity & Access Management > Directories page, or from a specific directory landing page.
- When an IWA directory is created, only the domain saved to the database in the directory's Domains tab is shown. The admin must select the refresh button to see all the domains that have a two-way trust relationship with the base domain.
- The directory's Group tab shows the Group DNs that are saved and the mapped groups from the DB. Calls are not automatically made to the Directory Sync service to fetch additional details, such as the number of groups in the container. You must explicitly click the Select button to run the Active Directory query to fetch the number of groups for the specific group DN.
- The user attribute mapping, user DNs, group DNs, safeguards, and sync schedule configurations are not sent to the Directory Sync service on the connector when saved. These configurations are saved in the Workspace ONE Access service DB because the Directory Sync service is stateless.
VMware Workspace ONE Access is available in the following languages.
- Simplified Chinese
- Traditional Chinese
- Portuguese (Brazil)
Windows Server Supported
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Web Browser Supported
- Mozilla Firefox, latest version
- Google Chrome 42.0 or later
- Internet Explorer 11
- Safari 6.2.8 or later
- Microsoft Edge, latest version
Database Supported
- MS SQL 2012, 2014, 2016, 2017
Directory Server Supported
- Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
- OpenLDAP - 2.4.42
- Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (184.108.40.206.0)
- IBM Tivoli Directory Server 6.3.1
Component Versions No Longer Supported
- Windows Server 2008R2
- Windows Server 2012
This impacts Workspace ONE Access Connectors, Integration Broker, or databases that might be installed on these versions of Windows Server.
This also impacts Active Directory if it is running on these versions of Windows Server.
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.
VMware Connector Compatibility
VMware Workspace ONE Access Connector 20.10 (Windows)
The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.
- Directory Sync service to sync users from your enterprise directories
- User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
- Kerberos Auth service for Kerberos authentication
Migrating to Workspace ONE Access 20.10 Connectors
If you are upgrading to Workspace ONE® Access™ 20.10 from a version prior to 19.03, to use the new Workspace ONE Access 20.10 connectors you must follow a migration process. The process includes installing new 20.10 connectors and migrating your existing directories to the new connectors.
You cannot upgrade legacy connector versions to 20.10. To move from legacy connectors to the 20.10 connector, you migrate your directories. When you migrate the directories, all data, including authentication methods and identity providers, is migrated.
Upgrade to 20.10
To upgrade Workspace ONE Access connector 20.01 to 20.10, see Upgrading to VMware Workspace ONE Access Connector 20.10.
VMware Workspace ONE Access Connector 19.03.0.1
You can upgrade to the Windows-based VMware Identity Manager connector 19.03.0.1 from version 19.03.0.0 to get the latest security updates and resolved issues. The 19.03.0.1 connector supports Virtual Apps, specifically Horizon, Horizon Cloud, and Citrix integrations with Workspace ONE Access. See Upgrading to VMware Identity Manager Connector (Windows) 19.03.0.1.
The Workspace ONE Access 20.10 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApp integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.10 connectors.
To use virtual apps with Workspace ONE Access 20.10, you must use VMware Identity Manager connector version 19.03.0.0 or 19.03.0.1.
To use VMware ThinApp with Workspace ONE Access 20.01, you must use VMware Identity Manager Linux-based connector appliance version 2018.8.1. If you use ThinApp packages, do not upgrade to the 19.03 or the 20.10 version of the VMware Workspace ONE Access connector.
- VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055 is used with ThinApp packages
The VMware Workspace ONE Access documentation is in the VMware Workspace ONE Access Documentation Center.
Underscore is allowed in FQDN for Citrix servers
Sync no longer fails when there are special characters in user names or group names, but entitlement fetch does not happen for those specific groups
During launch, the Integration Broker will send the Deliverycontroller.AppName to Storefront to avoid launching the app from the wrong Citrix farm when the same app is hosted on multiple farms
Allowed cookies for NetScaler to be configured as VIP
Fixed CSRF cookie retrieval for Citrix external launch of applications
Citrix 1912 is supported with .NET CLR version 4.0
Support for a REST API to update a sync connector to be set as a non-sync connector
Config State doesn't get deleted when directory is deleted
ESC-22326: Fixed sync of Citrix entitlements with Citrix 7.5