• Configurable External ID Directory Support

  When integrating with Active Directory, the user’s External ID attribute can now be mapped to a custom attribute other than the objectGUID attribute. Being able to map the External ID attribute to a custom attribute is useful when integrating Workspace ONE Access with VMware Workspace ONE UEM service that might use a different attribute other than objectGUID as the Object Identifier for syncing users.

• Support of 4096 Key Certificates for Workspace ONE Access and Connectors

  We now support 4096-bit key SSL certificates for Workspace ONE Access service and connector. With this implementation, we bring increased encryption strength to the SSL certificates.

  • Customers can use 4096-bit SSL certificates on the service when FIPS mode is enabled
  • Customers can upload 4096-bit SSL certificates on 20.10 and  19.03.0.1 connectors and on enterprise service connectors
  • 4096-bit SAML certificates are supported for this release
• Support of Custom LDAP Filters

  We are introducing a new feature to support custom LDAP filter query when syncing users in Workspace ONE Access. Today, when administrators configure the user sync in Workspace ONE Access, they can specify the OU's distinguished name. The administrator can now configure Workspace ONE Access to refine the LDAP query sent to the directory server by using query filters to filter users.

• Horizon Cloud Desktop and Apps are supported in the Hub Catalog

  Previously, customers integrating Workspace ONE Access with Horizon Cloud were required to configure a Virtual App Collection. Now, Horizon Cloud deployments are no longer required to configure virtual app collections, instead you can add Horizon Cloud desktop and app assignments to the Hub catalog directly from the Horizon Cloud admin console. App-specific access policies cannot be applied to Horizon Cloud apps when integrating in the new way. See About Using a Horizon Cloud Environment with VMware Workspace ONE and the Optional True SSO Feature.

• Two VMware Workspace ONE Access connectors (Windows) are released in October 2020.
  • 20.10 Connector.    A new 20.10 installer is available for Workspace ONE Access Connector for Windows.
  • 19.03.0.1 Connector.  A new 19.03.0.1 installer is available for Workspace ONE Access Connector for Windows. Use the installer to upgrade from version 19.03 to 19.03.0.1.

Preparing Workspace ONE Access for the Day Zero Onboarding Experience

• Magic Link.  With this feature, admins will be able to generate a one-time use “Magic Link” that will allow an end user to access a Welcome page in the Workspace ONE Intelligent Hub portal from a web browser. Admins can configure the length of time that the link is active as well as disable the link before the end user uses the link in case of a breach. This link can be generated via APIs and can be automatically sent out to end users, or admins can manually send it out via email. Note: Magic Links can only be generated for one Active Directory group.

• Token Auth. This feature is the backbone of the Magic Link. We have created a new method of authentication in a one-time access token that is used up once the Magic Link is clicked on for the first time. You configure the Workspace ONE Access API to create Token Auth authentication and then enable the authentication method of the Workspace ONE Access console.

To learn more about how to prepare the day zero onboarding experience, see How to Prepare a Day Zero Onboarding Experience in Workspace ONE Intelligent Hub.

Exclude is Now an Entitlement Type to Assign to Apps in Catalog

Workspace ONE Access provides a capability to configure every application to exclude certain groups for entitlements. Meaning, when admins assign an  application, they can choose which users and Active Directory groups to exclude from the application.

Group Exclusion allows our customers to disallow the pre-hire group from accessing sensitive applications within their Workspace ONE Intelligent Hub and restrict them to accessing only the essential applications they need for onboarding. 

Introducing Verify within Intelligent Hub

With the new Verify (Intelligent Hub) authentication adaptor, Workspace ONE now includes the industry’s first multi-factor authentication (MFA) solution built directly into the digital workspace. Users can leverage the Intelligent Hub app on their mobile devices to take action on push multi-factor authentication requests without ANY additional end user setup. This can be combined with Risk-Based conditional access for an adaptive MFA experience.

Powered by the entire Workspace ONE platform, this solution leverages Hub Services for delivering the notification, Workspace ONE UEM for ensuring the device is managed or registered, and Workspace ONE Access for authentication.

Existing VMware Verify customers are encouraged to upgrade to the new embedded MFA experience within the Intelligent Hub app.

Note: Verify (Intelligent Hub) will be made available in all SaaS environments over the coming months. The functionality is currently available in Workspace ONE Access Preview (UAT). Verify (Intelligent Hub) is available for test run with a Preview account in VMware Workspace ONE Access. The feature will be made available in October 2020.

Windows 10 Out-of-Box Experience (OOBE) Enrollment Policy

Ability to create an enrollment access policy rule specific to Windows 10 OOBE or when joining the Azure Active Directory domain. Customers that need to ensure that only Windows 10 managed devices gain access to Office 365 can leverage this enrollment policy to separate out enrollment from post-enrollment access.

Workspace ONE Intelligent Hub Enrollment Policy

Ability to configure an access policy rule for device enrollment into Workspace ONE UEM when the source of authentication in Workspace ONE UEM is set to Workspace ONE Access. This rule allows customers to leverage Mobile SSO for post enrollment login into Intelligent Hub without impacting the enrollment flow.

The device enrollment policy can also be used to block any further enrollments with the legacy Workspace ONE App.

The initial support is for iOS and Android Hub enrollment flows.

Password Caching for Virtual Apps

With the upcoming rollout, Workspace ONE Access provides admins the ability to control password caching. You can enable password caching in the Workspace ONE Access console to provide single sign on for users running Horizon, Horizon Cloud, and Citrix virtual apps from the Workspace ONE catalog when you are not using True SSO. See Configuring Password Caching for Virtual Apps for information.

If the password caching option is enabled, a user’s password is cached when first logging in to Workspace ONE Access using password-based authentication. If using an alternate method of authentication (such as a third-party identity provider, RADIUS, certificate-based, etc.), a user’s password is cached when they are challenged with password-based authentication during the first launch of a virtual app. Once users’ passwords are cached, they are not required to enter their passwords again while running virtual apps in the same login session.

If you are an existing customer using Virtual Apps, there will be no changes to the end user launch experience with this roll out. Customers newly setting up integrations with Horizon and Citrix could chose to enable this password caching option to have that seamless launch experience. For Horizon and Horizon Cloud, for the best user experience, set up True SSO instead of caching passwords.

Voluntary Product Accessibility Standards Improvements

Improved accessibility of Workspace ONE Access Login screens to comply with VPAT, or Voluntary Product Accessibility Template standards.

• Updated colors for sufficient contrast.
• Add alternative text as invisible label.

Updated the third-party identity provider page in admin console with an option to send subject information in SAML

Added functionality to be able to select the option to enable passing Subject, when available, in the SAML request for third-party identity providers.  This feature is disabled by default.

Install Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector

The recommendation of the Windows servers for the 20.01.0.1 connectors being separate from your legacy connector servers still stands. But, in situations where it is not possible to procure a new machine, you can install 20.01.0.1 Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector and then migrate your legacy connector.  Before you install any of these services on the Windows server, you must increase the CPU and memory on the machine because two versions of the connector will be running until the migration is complete. You need to increase the CPU and memory to meet the needs of both 19.03 and 20.01.0.1 connectors per the Sizing guidelines. After the migration is complete, you can stop the 19.03 connector and uninstall it

Sizing Requirement for the Connector

Support LDAP signing and LDAP channel binding

See the VMware KB article 77158 Support LDAP Signing and LDAP Channel Binding with VMware Workspace ONE Access, Identity Manager.

Note: You do not need to apply the hot fix mentioned in the KB article. The Workspace ONE Access 20.01.0.1 patch release includes the hot-fix mentioned in the KB article. 

• After installing Workspace ONE Access connector 20.01.0.1, the functionality of Active Directory over IWA will become incompatible with the StartTLS option. When you upgrade follow these high-level steps.
• Disable StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.01 connector
• DO NOT enable StartTLS option in Active Directory over IWA configuration after installing or upgrading to 20.01.01 connector.

Okta Universal Directory Integration – Connect Workspace ONE Access with Okta to import user accounts into Workspace ONE. Universal directory integration enables the following scenarios with Okta.

• Cloud-only Okta Universal Directory
• Contingent / seasonal workers
• Hybrid directory environments with on premises Active Directory + cloud only users
• HR mastered users

This integration is based on SCIM, which allows user accounts to be synchronized from Okta to Workspace ONE over an industry standard. Create, update, and delete are supported across users, user attributes, and groups. The existing AirWatch provisioning adapter in Workspace ONE Access can be used to further synchronize these users to Workspace ONE UEM. Once enabled, administrators can offer the full range of Workspace ONE features to these users including the unified catalog, mobile SSO, intelligence, and UEM enrollment. The VMware Workspace ONE SCIM application can be found on the Okta Integration Network (OIN) store.

No migration process is currently in place to migrate an existing Active Directory user over to SCIM, which means existing versus new deployments will benefit differently.

• A new deployment may take advantage of Universal Directory integration to deploy a single (Okta) connector in order to populate workspace one with a combination of AD and cloud-only users. This leads to an overall simplification of the required connector infrastructure for the combined products.
• Existing deployments should leave Workspace ONE connectors in place for the purposes of Active Directory users and deploy Universal Directory integration to import cloud only users, be it contingent workers, HR mastered users, or cloud-only users in a hybrid directory environment.

See SCIM Provisioning from Okta to VMware Workspace ONE Access documentation.

VMware Workspace ONE Access formerly VMware Identity Manager

VMware Workspace ONE Access is the new name for what was called VMware Identity Manager. No functionality has been removed as a result of this name change.

  Revised Connector and Connector Management

• Ability to install connector components individually. The three components are
  • Directory Sync service - Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
  • User Auth service - Provides Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) deployments.
  • Kerberos Auth service - Provides Kerberos authentication for internal users.
• Improved and simplified connector configuration and life cycle management
  • Directory Sync service and the auth method service functional configuration is moved to the Workspace ONE Access service. Configuration for Directory Sync is in the Identity & Access Management > Directories page. Configuration of User Auth and Kerberos Auth methods is in Identity & Access Management > Enterprise Authentication Methods page in the Workspace ONE access console. No configuration details are stored in the connector.
  • You can easily add and remove connectors as needed.
• Directory Sync-
  • Improved stability and reduced resource needs
  • Directory Sync is now driven from the Workspace ONE Access service. Users can easily add more Directory Sync nodes in the Directory Configuration page in the console for Sync high availability.
  • The ability to perform a dry run of the sync has been removed.
  • Test Directory button is removed. When the directory configuration is saved, the Directory Sync service tests the directory configuration in Active Directory.
  • Two sync options are now available in the UI, sync with safeguards and sync without safeguards. These actions can be performed from either the list of directories in the Identity & Access Management > Directories page, or from a specific directory landing page.
  • When an IWA directory is created, only the domain saved to the database in the directory's Domains tab is shown. The admin must select the refresh button to see all the domains that have two-way trust relationship with the base domain.
  • The directory's Group tab shows the Group DNs that are saved and the mapped groups from the DB. Calls are not automatically made to the Directory Sync service to fetch additional details, such as the number of groups in the container. You must explicitly click the Select button to run the Active Directory query to fetch the number of groups for the specific group DN.
  • Saving the user attribute mapping, user DNs, group DNs, safeguards, and sync schedule configurations is not sent to the Directory Sync service on the connector. These configurations are saved in the Workspace ONE Access service DB because the Directory Sync service is stateless.