
VMware Workspace ONE Access Connector (Windows) 20.01 | January 2020 | Build Workspace ONE Access Connector 20.01.0 Installer.exe

Release September 2020

What's in the Release Notes

This release note covers the following topics.

What's New in this Release of Workspace ONE Access

Preparing Workspace ONE Access for the Day Zero Onboarding Experience

  • Magic Link. With this feature, admins can generate a one-time use “Magic Link” that lets an end user reach a Welcome page in the Workspace ONE Intelligent Hub portal from a web browser. Admins configure how long the link stays active and can disable the link before the end user uses it, for example if the link has been exposed. The link can be generated via APIs and sent to end users automatically, or admins can send it manually by email. Note: Magic Links can only be generated for one Active Directory group.

  • Token Auth. This feature is the backbone of the Magic Link. It is a new authentication method based on a one-time access token that is consumed the first time the Magic Link is clicked. You use the Workspace ONE Access API to create the Token Auth authentication method and then enable that method in the Workspace ONE Access console.

To learn more about how to prepare the day zero onboarding experience, see How to Prepare a Day Zero Onboarding Experience in Workspace ONE Intelligent Hub.
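The three controls described above (a configurable active window, admin disable before use, and consumption on first click) are the properties a single-use token store has to enforce. The following is an added example, not VMware code and not the Workspace ONE Access API: a hypothetical in-memory store that issues links for members of one onboarding group, keeps only a hash of each token at rest, and rejects any link that is expired, revoked, or already used. The portal URL, class and function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Assumed portal URL; not taken from the release note.
WELCOME_URL = "https://hub.example.com/welcome"


class _LinkRecord:
    __slots__ = ("user", "expires_at", "used", "revoked")

    def __init__(self, user: str, expires_at: float) -> None:
        self.user = user
        self.expires_at = expires_at
        self.used = False
        self.revoked = False


class MagicLinkStore:
    """Hypothetical store that issues, revokes and redeems single-use onboarding links."""

    def __init__(self, onboarding_group: str,
                 clock: Callable[[], float] = time.time) -> None:
        self.onboarding_group = onboarding_group  # the one AD group links may target
        self._clock = clock                        # injectable for testing expiry
        self._records: Dict[str, _LinkRecord] = {}  # keyed by SHA-256 of the token

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is stored, so a leaked copy of the store yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, user_groups: List[str], ttl_seconds: int) -> str:
        """Generate a link for a member of the onboarding group, valid for ttl_seconds."""
        if ttl_seconds <= 0:
            raise ValueError("ttl_seconds must be positive")
        if self.onboarding_group not in user_groups:
            raise PermissionError(f"{user} is not a member of {self.onboarding_group}")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = _LinkRecord(
            user, self._clock() + ttl_seconds)
        return f"{WELCOME_URL}?token={token}"

    def revoke(self, user: str) -> int:
        """Admin disables every outstanding, unused link for a user; returns how many."""
        count = 0
        for rec in self._records.values():
            if rec.user == user and not rec.used and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def redeem(self, token: str) -> Optional[str]:
        """Consume the token on first use; return the user, or None on any failure."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used or rec.revoked:
            return None
        if self._clock() >= rec.expires_at:
            return None
        rec.used = True  # single use: a replayed link is rejected from here on
        return rec.user


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a generated link."""
    values = parse_qs(urlparse(link).query).get("token", [])
    if len(values) != 1:
        raise ValueError("link does not carry exactly one token")
    return values[0]
```

Redemption deliberately returns the same failure for an unknown, used, revoked or expired token, so the welcome endpoint does not tell a caller which of those applied; the admin-side revoke is keyed by user because the admin usually knows who was onboarded, not which token string was mailed.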

Exclude is Now an Entitlement Type to Assign to Apps in Catalog

Workspace ONE Access can now be configured, per application, to exclude certain groups from entitlements. That is, when admins assign an application, they can choose which users and Active Directory groups to exclude from the application.

Group Exclusion allows customers to keep the pre-hire group away from sensitive applications in Workspace ONE Intelligent Hub and restrict it to the essential applications needed for onboarding.

Introducing Verify within Intelligent Hub

With the new Verify (Intelligent Hub) authentication adapter, Workspace ONE now includes the industry’s first multi-factor authentication (MFA) solution built directly into the digital workspace. Users can use the Intelligent Hub app on their mobile devices to act on push multi-factor authentication requests without any additional end user setup. This can be combined with risk-based conditional access for an adaptive MFA experience.

Powered by the entire Workspace ONE platform, this solution leverages Hub Services for delivering the notification, Workspace ONE UEM for ensuring the device is managed or registered, and Workspace ONE Access for authentication.

Existing VMware Verify customers are encouraged to upgrade to the new embedded MFA experience within the Intelligent Hub app.

Note: Verify (Intelligent Hub) will be made available in all SaaS environments over the coming months and is planned for October 2020. The functionality is currently available in Workspace ONE Access Preview (UAT), where it can be tried with a Preview account.

Windows 10 Out-of-Box Experience (OOBE) Enrollment Policy

Ability to create an enrollment access policy rule specific to Windows 10 OOBE or when joining the Azure Active Directory domain. Customers that need to ensure that only Windows 10 managed devices gain access to Office 365 can leverage this enrollment policy to separate out enrollment from post-enrollment access.

Workspace ONE Intelligent Hub Enrollment Policy

Ability to configure an access policy rule for device enrollment into Workspace ONE UEM when the source of authentication in Workspace ONE UEM is set to Workspace ONE Access. This rule allows customers to leverage Mobile SSO for post enrollment login into Intelligent Hub without impacting the enrollment flow.

The device enrollment policy can also be used to block any further enrollments with the legacy Workspace ONE App.

The initial support is for iOS and Android Hub enrollment flows.

Password Caching for Virtual Apps

With the upcoming rollout, Workspace ONE Access provides admins the ability to control password caching. You can enable password caching in the Workspace ONE Access console to provide single sign on for users running Horizon, Horizon Cloud, and Citrix virtual apps from the Workspace ONE catalog when you are not using True SSO. See Configuring Password Caching for Virtual Apps for information.

If the password caching option is enabled, a user’s password is cached when first logging in to Workspace ONE Access using password-based authentication. If using an alternate method of authentication (such as a third-party identity provider, RADIUS, certificate-based, etc.), a user’s password is cached when they are challenged with password-based authentication during the first launch of a virtual app. Once users’ passwords are cached, they are not required to enter their passwords again while running virtual apps in the same login session.

If you are an existing customer using Virtual Apps, there will be no changes to the end user launch experience with this rollout. Customers newly setting up integrations with Horizon and Citrix can choose to enable this password caching option to get a seamless launch experience. For Horizon and Horizon Cloud, set up True SSO instead of caching passwords for the best user experience.

Voluntary Product Accessibility Standards Improvements

Improved accessibility of Workspace ONE Access Login screens to comply with VPAT, or Voluntary Product Accessibility Template standards.

  • Updated colors for sufficient contrast.
  • Added alternative text as invisible labels.

Updated the third-party identity provider page in admin console with an option to send subject information in SAML

Added an option to pass the Subject, when available, in the SAML request sent to third-party identity providers. This feature is disabled by default.

Install Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running Workspace ONE Access 19.03 connector

The recommendation to run the 20.01.0.1 connectors on Windows servers separate from your legacy connector servers still stands. But, in situations where it is not possible to procure a new machine, you can install the 20.01.0.1 Directory Sync, User Auth, and Kerberos Auth services on a Windows server that is running the Workspace ONE Access 19.03 connector and then migrate your legacy connector. Before you install any of these services on that Windows server, you must increase the CPU and memory on the machine, because two versions of the connector will be running until the migration is complete. Increase the CPU and memory to meet the needs of both the 19.03 and 20.01.0.1 connectors per the sizing guidelines (see Sizing Requirement for the Connector). After the migration is complete, you can stop the 19.03 connector and uninstall it.

Support LDAP signing and LDAP channel binding

See the VMware KB article 77158 Support LDAP Signing and LDAP Channel Binding with VMware Workspace ONE Access, Identity Manager.

Note: You do not need to apply the hot fix mentioned in the KB article. The Workspace ONE Access 20.01.0.1 patch release includes that hot fix.

After installing Workspace ONE Access connector 20.01.0.1, Active Directory over IWA is incompatible with the StartTLS option. When you upgrade, follow these high-level steps.

  1. Disable the StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.0.1 connector.
  2. Do not enable the StartTLS option in the Active Directory over IWA configuration after installing or upgrading to the 20.01.0.1 connector.

Okta Universal Directory Integration – Connect Workspace ONE Access with Okta to import user accounts into Workspace ONE. Universal directory integration enables the following scenarios with Okta.

  • Cloud-only Okta Universal Directory
  • Contingent / seasonal workers
  • Hybrid directory environments with on premises Active Directory + cloud only users
  • HR mastered users

This integration is based on SCIM, which allows user accounts to be synchronized from Okta to Workspace ONE over an industry standard. Create, update, and delete are supported across users, user attributes, and groups. The existing AirWatch provisioning adapter in Workspace ONE Access can be used to further synchronize these users to Workspace ONE UEM. Once enabled, administrators can offer the full range of Workspace ONE features to these users including the unified catalog, mobile SSO, intelligence, and UEM enrollment. The VMware Workspace ONE SCIM application can be found on the Okta Integration Network (OIN) store.

No migration process is currently in place to migrate an existing Active Directory user over to SCIM, which means existing versus new deployments will benefit differently.

  • A new deployment may take advantage of Universal Directory integration to deploy a single (Okta) connector in order to populate Workspace ONE with a combination of AD and cloud-only users. This simplifies the connector infrastructure required for the combined products.
  • Existing deployments should leave Workspace ONE connectors in place for the purposes of Active Directory users and deploy Universal Directory integration to import cloud only users, be it contingent workers, HR mastered users, or cloud-only users in a hybrid directory environment.

See SCIM Provisioning from Okta to VMware Workspace ONE Access documentation.
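The SCIM-based integration above relies on the provisioning side (Okta) sending create, update and delete operations for users in the SCIM 2.0 wire format (RFC 7643 resources, RFC 7644 PatchOp messages). The block below is an added example, not VMware's SCIM endpoint and not Okta's client: a hypothetical in-memory SCIM user store showing what the receiving side has to validate, including userName uniqueness, a strict boolean `active` attribute (a deactivation must never be silently dropped or misread as "active"), and rejection of attributes it does not know. The schema URIs are the standard ones; the class, method names and generated ids are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# SCIM 2.0 schema URIs from RFC 7643 / RFC 7644; everything else here is hypothetical.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class User:
    id: str
    user_name: str
    given_name: str
    family_name: str
    email: Optional[str]
    active: bool
    external_id: Optional[str] = None


class ScimError(ValueError):
    """Carries the HTTP status a SCIM server would return for the failure."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status


class ScimUserStore:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._ids_by_name: Dict[str, str] = {}  # lower-cased userName -> id
        self._counter = 0

    def get(self, uid: str) -> Optional[User]:
        return self._users.get(uid)

    def create(self, body: dict) -> User:
        """POST /Users: validate the resource and enforce userName uniqueness (409)."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "missing core User schema")
        user_name = body.get("userName")
        if not user_name:
            raise ScimError(400, "userName is required")
        if user_name.lower() in self._ids_by_name:
            raise ScimError(409, "userName already exists")
        active = body.get("active", True)
        if not isinstance(active, bool):
            raise ScimError(400, "active must be boolean")
        name = body.get("name") or {}
        emails = body.get("emails") or []
        primary = next((e.get("value") for e in emails if e.get("primary")), None)
        if primary is None and emails:
            primary = emails[0].get("value")
        self._counter += 1
        user = User(id=f"u{self._counter}", user_name=user_name,
                    given_name=name.get("givenName", ""),
                    family_name=name.get("familyName", ""),
                    email=primary, active=active,
                    external_id=body.get("externalId"))
        self._users[user.id] = user
        self._ids_by_name[user_name.lower()] = user.id
        return user

    def _set(self, user: User, path: str, value) -> None:
        # Allow-list of writable attributes; unknown ones are rejected, not dropped.
        if path == "active":
            if not isinstance(value, bool):
                raise ScimError(400, "active must be boolean")
            user.active = value
        elif path == "userName":
            new = str(value)
            if self._ids_by_name.get(new.lower()) not in (None, user.id):
                raise ScimError(409, "userName already exists")
            del self._ids_by_name[user.user_name.lower()]
            self._ids_by_name[new.lower()] = user.id
            user.user_name = new
        elif path == "name" and isinstance(value, dict):
            for sub, val in value.items():
                self._set(user, f"name.{sub}", val)
        elif path == "name.givenName":
            user.given_name = str(value)
        elif path == "name.familyName":
            user.family_name = str(value)
        elif path == "externalId":
            user.external_id = None if value is None else str(value)
        else:
            raise ScimError(400, f"unsupported attribute {path}")

    def patch(self, uid: str, body: dict) -> User:
        """PATCH /Users/{id}: apply 'replace' operations with or without a path."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "missing PatchOp schema")
        user = self._users.get(uid)
        if user is None:
            raise ScimError(404, "no such user")
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                raise ScimError(400, f"unsupported op {op.get('op')}")
            path = op.get("path")
            if path is None:
                # No path: value is an object of attribute/value pairs (RFC 7644 3.5.2.3).
                for attr, val in op["value"].items():
                    self._set(user, attr, val)
            else:
                self._set(user, path, op["value"])
        return user

    def delete(self, uid: str) -> None:
        """DELETE /Users/{id}: remove the user and free the userName."""
        user = self._users.pop(uid, None)
        if user is None:
            raise ScimError(404, "no such user")
        del self._ids_by_name[user.user_name.lower()]
```

The two checks worth carrying into a real endpoint are the ones a provisioning bug would otherwise hide: a PATCH that flips `active` to the string `"false"` is refused with 400 instead of being coerced, and a create that collides on userName in a different case is refused with 409 instead of producing a second account.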

VMware Workspace ONE Access formerly VMware Identity Manager

VMware Workspace ONE Access is the new name for what was called VMware Identity Manager. No functionality has been removed as a result of this name change.

Revised Connector and Connector Management

  • Ability to install connector components individually. The three components are
    • Directory Sync service - Syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
    • User Auth service - Provides Password (cloud), RSA SecurID (cloud), and RADIUS (cloud) deployments.
    • Kerberos Auth service - Provides Kerberos authentication for internal users.
  • Improved and simplified connector configuration and life cycle management
    • Directory Sync service and auth method configuration has moved to the Workspace ONE Access service. Configuration for Directory Sync is in the Identity & Access Management > Directories page. Configuration of the User Auth and Kerberos Auth methods is in the Identity & Access Management > Enterprise Authentication Methods page in the Workspace ONE Access console. No configuration details are stored in the connector.
    • You can easily add and remove connectors as needed.
  • Directory Sync
    • Improved stability and reduced resource needs
    • Directory Sync is now driven from the Workspace ONE Access service. Users can easily add more Directory Sync nodes in the Directory Configuration page in the console for Sync high availability.
    • The ability to perform a dry run of the sync has been removed.
    • Test Directory button is removed. When the directory configuration is saved, the Directory Sync service tests the directory configuration in Active Directory.
    • Two sync options are now available in the UI, sync with safeguards and sync without safeguards. These actions can be performed from either the list of directories in the Identity & Access Management > Directories page, or from a specific directory landing page.
    • When an IWA directory is created, only the domain saved to the database in the directory's Domains tab is shown. The admin must select the refresh button to see all the domains that have two-way trust relationship with the base domain.
    • The directory's Group tab shows the Group DNs that are saved and the mapped groups from the DB. Calls are not automatically made to the Directory Sync service to fetch additional details, such as the number of groups in the container. You must explicitly click the Select button to run the Active Directory query to fetch the number of groups for the specific group DN.
    • The user attribute mapping, user DNs, group DNs, safeguards, and sync schedule configurations are not sent to the Directory Sync service on the connector when saved. They are stored in the Workspace ONE Access service database because the Directory Sync service is stateless.

Internationalization

VMware Workspace ONE Access is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Traditional Chinese
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

Component Compatibility

Windows Server Supported

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome 42.0 or later
  • Internet Explorer 11
  • Safari 6.2.8 or later
  • Microsoft Edge, latest version

Database Supported

  • MS SQL 2012, 2014, 2016, 2017

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (11.1.1.7.0)
  • IBM Tivoli Directory Server 6.3.1

Component Versions No Longer Supported

  • Windows Server 2008 R2
  • Windows Server 2012

This affects Workspace ONE Access connectors, the Integration Broker, or the database if they are installed on these versions of Windows Server.

It also affects Active Directory if it is running on these versions of Windows Server.

Compatibility Matrix

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

VMware Connector Compatibility

VMware Workspace ONE Access Connector 20.01.0.0 (Windows)

The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on Windows servers. The following service components can be installed.

  • Directory Sync service to sync users from your enterprise directories
  • User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
  • Kerberos Auth service for Kerberos authentication

Migrating to Workspace ONE Access 20.01 Connectors

When you upgrade to Workspace ONE Access, to use the new Workspace ONE Access 20.01 connectors, you install one or more 20.01 connectors and then migrate your existing directories and authentication methods from the 19.03 connectors to the new connectors.

The Windows servers for the 20.01 connectors should be separate from your legacy connector servers (the only exception, installing the 20.01.0.1 services on a 19.03 connector server after increasing its CPU and memory, is described under What's New). During the migration process, you will switch between the older connectors and the new connectors to test the migration. The 19.03 legacy connector servers must be running during the migration process. Do not uninstall the 19.03 connectors until the migration is complete.

See the Connector Migration Guide in the Workspace ONE Access Documentation Center.

Before You Migrate

  • Make sure that all legacy connectors to migrate are at 19.03.
  • Before migrating RSA SecurID Authentication to the 20.01 connector, you must clear the Node Secret on the RSA Security console.

April Patch Release Changes for Upgrade

A new installer is available for the Workspace ONE Access connector for Windows. Use the installer to upgrade from version 20.01 to 20.01.0.1.

Remember that after installing Workspace ONE Access connector 20.01.0.1, Active Directory over IWA is incompatible with the StartTLS option. When you upgrade, follow these high-level steps.

  1. Disable the StartTLS option in the Active Directory over IWA configuration before upgrading to the 20.01.0.1 connector.
  2. Do not enable the StartTLS option in the Active Directory over IWA configuration after installing or upgrading to the 20.01.0.1 connector.

Virtual Applications

The Workspace ONE Access 20.01 connector does not support Virtual Apps (Citrix, Horizon, Horizon Cloud, and ThinApp integrations). If your environment includes Virtual Apps or you plan to use Virtual Apps in the future, do not migrate to Workspace ONE Access 20.01 connectors.

To use virtual apps with Workspace ONE Access 20.01, you must use VMware Identity Manager connector version 19.03.

  • VMware Identity Manager Integration Broker 19.03 | April 2019 | Build 13221855 works only with VMware Identity Manager connector version 19.03.

To use VMware ThinApp with Workspace ONE Access 20.01, you must use VMware Identity Manager Linux-based connector appliance version 2018.8.1. If you use ThinApp packages, do not upgrade to the 19.03 or the 20.01 version of the VMware Workspace ONE Access connector.

  • VMware Identity Manager Desktop 3.2 | March 2018 | Build 7952055 is used with ThinApp packages

Documentation

The VMware Workspace ONE Access 20.01 documentation is in the VMware Workspace ONE Access Documentation Center.

Resolved Issues from the April Patch Release

  • HW-108342 - A Workspace ONE Access type of identity provider that is associated with Legacy Connectors cannot be deleted. However, a Workspace ONE Access type of identity provider that is associated with 20.01 or 20.01.0.1 connectors can be deleted.
  • HW-113389 - Fixed an issue where the logout process did not complete after login via the Kerberos authentication method.
  • HW-113635 - Workspace ONE Access Connector installer “Configuration File” screen now has a clickable “Next” button
  • HW-113793, HW-115494 - Workspace ONE Access Connector works as expected when an outbound HTTP proxy is configured.
  • HW-113896 - Workspace ONE Access Connector can sync users from Oracle Directory Server Enterprise Edition where VLV pagination is used.
  • HW-114221 - The 19.03 connectors were able to connect to the SaaS service using WebSocket through an outbound proxy. This fix brings that capability to the 20.01 connectors.
  • HW-114250 - When a directory is deleted, any associated third-party identity provider will not be deleted as part of directory deletion. This is done to keep the flexibility for the third-party identity provider to be reused again with another directory. The third-party identity provider can be deleted manually, if desired.