Workspace ONE Access Connector Support for Virtual Apps

The 21.08 release of the Workspace ONE Access Connector includes a new Virtual App service that supports integrating Horizon and Citrix virtual apps. This will allow for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or 19.03.0.1 to version 21.08.x. Both directories and virtual apps collections must be migrated together during this one-time process.

RSA SecurID Updates

We have updated the way we integrate with RSA SecurID by using REST APIs. If you are currently using RSA SecurID as an authentication method, then a new connector for the User Auth service can be added before migration for minimal downtime to RSA SecurID logins.

Resolved Issues for August 2021 Release

• HW-131550   Issues around Active Directory domains in mixed-case mode have been addressed for new directory creation as well as upgrade from 19.03/19.03.0.1 connectors
• HW-137253   Citrix server failover to replication server in the collection
• HW-121488   Entitlements are deleted and added again instead of being updated for Citrix and Horizon Cloud virtual apps collections
• HW-120278   Added capability of removing the old labels for Citrix resources during sync  
• HW-130381   Support launch even if metadata refresh fails for some of the Horizon connection servers
• HW-127229   Sync failover to secondary connector node when primary node is down in on-premises environments
• HW-121412   Horizon server failover to non-primary pods in the collection
• HW-100498   Added support for syncing multiple virtual apps collections simultaneously
• HW-95770     Support for Citrix integrations that have users/groups entitled from multiple domains to work with AD over LDAP directory too
• HW-124523   Added filter on sync details and updated explanatory text for directory integration   
• HW-126823   Fixed Web App assignment for more than 50 groups  
• HW-135286   Re-configured Content Security Policy for headers for selected URLs   
• HW-135872   Removed the option to assign ALL_USERS group to any admin roles
• HW-138657   Fixed client FQDN for apps with global entitlement    
• HW-139279   Fixed status of Directory Sync UI messages for failsafe conditions  

Magic Link Feature Is Configured from the Workspace ONE Access Console

You can now configure the magic link feature used for day zero onboarding from the Workspace ONE Access console. Creating this API is no longer required.

Support for Group Scope in OAuth 2.0 Clients and Templates
Administrators now have the ability to include group membership information in OIDC tokens. This capability is available for OAuth 2.0 Client and Template configurations found by navigating to Catalog > Settings > Remote App Access. The group scope can be added to new and existing OAuth 2.0 Clients and Templates by checking the checkbox next to Group in the Scope section of the configuration modal.

Verify (Intelligent Hub) New Features

• Geolocation in Hub Notification is included in Verify (Intelligent Hub). There is now geolocation information within Verify (Intelligent Hub) push MFA notifications. this will allow end users to see the geolocation of the device that is making the MFA request.
• Ability to reset user device selection for Verify (Intelligent Hub) - Administrator Flow. Workspace ONE Access now has the ability for administrators to unlink a device that end users configured with Verify (Intelligent Hub) within the Workspace ONE Access console. After unlinking the device, the next time that an end user logs in, they will go through the initial Verify (Intelligent Hub) flow and re-select the device that they wish to link with Verify (Intelligent Hub). This allows administrators to service users that do not have access to the device that is linked to Verify (Intelligent Hub).

Mapping Login Hint to User Attribute of NameID Value in Third-Party IDP Configurations

When you configure a SAML third-party identity provider in the Workspace ONE Access console, and you enable Send Subject in SAML Request (when available) in the SAML Metadata section, an additional option is displayed to map the login hint provided by the third-party app to the NameID value. Note that when Send Subject value based on NameID format mapping is enabled and during the authentication flow without previous authentication, you are vulnerable to a security risk known as user enumeration. Please enable with caution.

Set Which Horizon Client Access FQDN a Specific Group of Users Will Be Directed To
In some cases, only assigning network ranges to Horizon Client Access FQDNs is not optimal when users can be working from virtually anywhere. Leveraging user groups will grant more flexibility for launching Horizon desktops. In this cloud hosted release of Workspace ONE Access, the Horizon virtual apps integration will include the ability to assign client access FQDNs to groups of users.  This will add new functionality that brings together the use of both network ranges and groups to direct users to the appropriate client access FQDNs.

Improved User and Group Provisioning into Workspace ONE UEM The new Enable Certificate Auth option in the AirWatch Provisioning app simplifies the process and requirements for provisioning users and groups into Workspace ONE UEM from Workspace ONE Access. When this option is enabled, the AirWatch Provisioning app will mimic the settings that have been configured in the Workspace ONE Access console Identity & Access Management > Setup > VMware Workspace ONE UEM page. There are three main benefits to this update. When using certificate-based authentication, administrators no longer need to update the password of the account used for user and group provisioning every 30 days. If the integration between Workspace ONE Access and Workspace ONE UEM was configured using Workspace ONE UEM’s wizard (found in Workspace ONE UEM console System > Enterprise Integration > Workspace ONE Access > Configuration page), user and group provisioning events will no longer count against Workspace ONE UEM’s REST API request limits. The initial setup of the AirWatch Provisioning app is simplified as most of the required values are automatically populated.

Improved iPad Device Identification for Conditional Access Policies

With this release of Workspace ONE Access, iPads are no longer incorrectly identified as macOS devices based on their User-Agent string. This allows the iOS and iPad device types to be used to apply Conditional Access to iPads. The iOS device type can be used to uniformly apply Conditional Access to both iOS and iPadOS devices whereas the iPad device type can be used in environments where a different authentication experience between iOS and iPadOS devices is desired. Note that the iPad device type must be placed at a higher priority than the iOS device type if both options are being used in a single policy.

This change is required because in iPadOS 13 Apple changed the default behavior of the Safari browser so that it requests the Desktop version of web pages on an iPad rather than the Mobile version. The default behavior ultimately means that iPads running iPadOS 13 or newer present themselves to Workspace ONE Access as a macOS device rather than an iPad. With the January release, the workaround described in this KB article is no longer required.

Workspace ONE Access now Supports FIDO2 as an Authentication Method

Workspace ONE Access now allows FIDO2 authenticators to be registered and used for authentication. With this release, end users can now authenticate into Workspace ONE Intelligent Hub and Workspace ONE Access federated apps using a FIDO2 authenticator (i.e., YubiKey, Touch ID, Windows Hello). End users can also self-register a FIDO2 authenticator to be used as their primary or secondary method of authentication. Administrators also can add, remove, block, or unblock authenticators on behalf of end users.  Note: FIDO2 authentication currently only supports authentication in desktop browsers.

FIDO2 authentication is only available for Workspace ONE SaaS customers.

Introducing Login Risk Based Conditional Access

With the new Login Risk Score Authentication Method, you can now factor in a user's login risk score to authentication decisions. This means you can define policies using the login risk score to apply the right access controls when a user tries to access the network. For example, if the login risk score is low – allow access, medium – ask for MFA (Multi Factor Authentication) (multi-factor authentication, for example with RSA SecurID or VMware Verify), and high – deny access.  

The login risk score is assigned by Workspace ONE Intelligence using its proprietary risk scoring engine. See  Risk Scores - What are Login Risk Scores in the Workspace ONE Intelligence documentation.

Limit Monitoring Dashboard  

To ensure service availability, the Workspace ONE Access SaaS service sets rate limits and concurrency limits on certain APIs. When these limits are exceeded, a 429 'Too many requests' error is returned, and your users might not be able to log in or launch applications temporarily. When this happens, users can wait a minute before trying again. The new Limit Monitoring dashboard allows you to view these limits and monitor your usage against them.