VMware Workspace ONE Access Connector (Windows) 21.08 | September 2021 | Build Workspace ONE Access Connector 21.08.0 Installer.exe

VMware Identity Manager Connector (Windows) | October 2020 | Build VMware Identity Manager Connector Installer.exe

Latest Release - October,  2021

What's in the Release Notes

What's New in the October 2021 Release

Multiple directories are now supported for an Identity Provider
In today's Workspace ONE Access SaaS tenant deployments,  the Identity Provider setup was limited to only allow a single directory. In the October 2021 release of Workspace ONE Access SaaS, we are bringing back the ability to configure more than one directory for an Identity Provider. This will allow admins to configure seamless login experiences for end users. Also, administrators that are using a connectors and have multiple directories configured for an Identity Provider will be able to migrate to the latest 21.08 Connectors that have Enterprise Services without having to reconfigure the directory settings for their Identity Provider.

Workspace ONE Access Connector Support for Virtual Apps

The 21.08 release of the Workspace ONE Access Connector includes a new Virtual App service that supports integrating Horizon and Citrix virtual apps. This will allow for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or to version 21.08.x. Both directories and virtual apps collections must be migrated together during this one-time process.

RSA SecurID Updates

We have updated the way we integrate with RSA SecurID by using REST APIs. If you are currently using RSA SecurID as an authentication method, then a new connector for the User Auth service can be added before migration for minimal downtime to RSA SecurID logins.

Resolved Issues for August 2021 Release

  • HW-131550   Issues around Active Directory domains in mixed-case mode have been addressed for new directory creation as well as upgrade from 19.03/ connectors
  • HW-137253   Citrix server failover to replication server in the collection
  • HW-121488   Entitlements are deleted and added again instead of being updated for Citrix and Horizon Cloud virtual apps collections
  • HW-120278   Added capability of removing the old labels for Citrix resources during sync  
  • HW-130381   Support launch even if metadata refresh fails for some of the Horizon connection servers
  • HW-127229   Sync failover to secondary connector node when primary node is down in on-premises environments
  • HW-121412   Horizon server failover to non-primary pods in the collection
  • HW-100498   Added support for syncing multiple virtual apps collections simultaneously
  • HW-95770     Support for Citrix integrations that have users/groups entitled from multiple domains to work with AD over LDAP directory too
  • HW-124523   Added filter on sync details and updated explanatory text for directory integration   
  • HW-126823   Fixed Web App assignment for more than 50 groups  
  • HW-135286   Re-configured Content Security Policy for headers for selected URLs   
  • HW-135872   Removed the option to assign ALL_USERS group to any admin roles
  • HW-138657   Fixed client FQDN for apps with global entitlement    
  • HW-139279   Fixed status of Directory Sync UI messages for failsafe conditions  

Magic Link Feature Is Configured from the Workspace ONE Access Console

You can now configure the magic link feature used for day zero onboarding from the Workspace ONE Access console. Creating this API is no longer required.

Support for Group Scope in OAuth 2.0 Clients and Templates
Administrators now have the ability to include group membership information in OIDC tokens. This capability is available for OAuth 2.0 Client and Template configurations found by navigating to Catalog > Settings > Remote App Access. The group scope can be added to new and existing OAuth 2.0 Clients and Templates by checking the checkbox next to Group in the Scope section of the configuration modal.

Verify (Intelligent Hub) New Features

  • Geolocation in Hub Notification is included in Verify (Intelligent Hub). There is now geolocation information within Verify (Intelligent Hub) push MFA notifications. this will allow end users to see the geolocation of the device that is making the MFA request.
  • Ability to reset user device selection for Verify (Intelligent Hub) - Administrator Flow. Workspace ONE Access now has the ability for administrators to unlink a device that end users configured with Verify (Intelligent Hub) within the Workspace ONE Access console. After unlinking the device, the next time that an end user logs in, they will go through the initial Verify (Intelligent Hub) flow and re-select the device that they wish to link with Verify (Intelligent Hub). This allows administrators to service users that do not have access to the device that is linked to Verify (Intelligent Hub).

Mapping Login Hint to User Attribute of NameID Value in Third-Party IDP Configurations

When you configure a SAML third-party identity provider in the Workspace ONE Access console, and you enable Send Subject in SAML Request (when available) in the SAML Metadata section, an additional option is displayed to map the login hint provided by the third-party app to the NameID value. Note that when Send Subject value based on NameID format mapping is enabled and during the authentication flow without previous authentication, you are vulnerable to a security risk known as user enumeration. Please enable with caution.

Set Which Horizon Client Access FQDN a Specific Group of Users Will Be Directed To
In some cases, only assigning network ranges to Horizon Client Access FQDNs is not optimal when users can be working from virtually anywhere. Leveraging user groups will grant more flexibility for launching Horizon desktops. In this cloud hosted release of Workspace ONE Access, the Horizon virtual apps integration will include the ability to assign client access FQDNs to groups of users.  This will add new functionality that brings together the use of both network ranges and groups to direct users to the appropriate client access FQDNs.

Improved User and Group Provisioning into Workspace ONE UEM The new Enable Certificate Auth option in the AirWatch Provisioning app simplifies the process and requirements for provisioning users and groups into Workspace ONE UEM from Workspace ONE Access. When this option is enabled, the AirWatch Provisioning app will mimic the settings that have been configured in the Workspace ONE Access console Identity & Access Management > Setup > VMware Workspace ONE UEM page. There are three main benefits to this update. When using certificate-based authentication, administrators no longer need to update the password of the account used for user and group provisioning every 30 days. If the integration between Workspace ONE Access and Workspace ONE UEM was configured using Workspace ONE UEM’s wizard (found in Workspace ONE UEM console System > Enterprise Integration > Workspace ONE Access > Configuration page), user and group provisioning events will no longer count against Workspace ONE UEM’s REST API request limits. The initial setup of the AirWatch Provisioning app is simplified as most of the required values are automatically populated.

Improved iPad Device Identification for Conditional Access Policies

With this release of Workspace ONE Access, iPads are no longer incorrectly identified as macOS devices based on their User-Agent string. This allows the iOS and iPad device types to be used to apply Conditional Access to iPads. The iOS device type can be used to uniformly apply Conditional Access to both iOS and iPadOS devices whereas the iPad device type can be used in environments where a different authentication experience between iOS and iPadOS devices is desired. Note that the iPad device type must be placed at a higher priority than the iOS device type if both options are being used in a single policy.

This change is required because in iPadOS 13 Apple changed the default behavior of the Safari browser so that it requests the Desktop version of web pages on an iPad rather than the Mobile version. The default behavior ultimately means that iPads running iPadOS 13 or newer present themselves to Workspace ONE Access as a macOS device rather than an iPad. With the January release, the workaround described in this KB article is no longer required.

Workspace ONE Access now Supports FIDO2 as an Authentication Method

Workspace ONE Access now allows FIDO2 authenticators to be registered and used for authentication. With this release, end users can now authenticate into Workspace ONE Intelligent Hub and Workspace ONE Access federated apps using a FIDO2 authenticator (i.e., YubiKey, Touch ID, Windows Hello). End users can also self-register a FIDO2 authenticator to be used as their primary or secondary method of authentication. Administrators also can add, remove, block, or unblock authenticators on behalf of end users.  Note: FIDO2 authentication currently only supports authentication in desktop browsers.

FIDO2 authentication is only available for Workspace ONE SaaS customers.

Introducing Login Risk Based Conditional Access

With the new Login Risk Score Authentication Method, you can now factor in a user's login risk score to authentication decisions. This means you can define policies using the login risk score to apply the right access controls when a user tries to access the network. For example, if the login risk score is low – allow access, medium – ask for MFA (Multi Factor Authentication) (multi-factor authentication, for example with RSA SecurID or VMware Verify), and high – deny access.  

The login risk score is assigned by Workspace ONE Intelligence using its proprietary risk scoring engine. See  Risk Scores - What are Login Risk Scores in the Workspace ONE Intelligence documentation.

Limit Monitoring Dashboard  

To ensure service availability, the Workspace ONE Access SaaS service sets rate limits and concurrency limits on certain APIs. When these limits are exceeded, a 429 'Too many requests' error is returned, and your users might not be able to log in or launch applications temporarily. When this happens, users can wait a minute before trying again. The new Limit Monitoring dashboard allows you to view these limits and monitor your usage against them.


VMware Workspace ONE Access is available in the following languages.

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Traditional Chinese
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

Component Compatibility

Windows Server Supported

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome, latest version
  • Safari, latest version
  • Microsoft Edge, latest version

Database Supported

  • MS SQL 2012, 2014, 2016, 2017, 2019
  • Important: Microsoft SQL server 2012 and 2014 must be updated with the Microsoft SQL patch to support TLS 1.2.

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (
  • IBM Tivoli Directory Server 6.3.1

Virtual Apps Compatibility

The Workspace ONE Access 21.08 connector now supports Virtual Apps (Citrix and Horizon integrations) with the new Virtual App service. The Virtual App service does not support Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, Horizon Cloud Service on IBM Cloud, or ThinApp integrations.

The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The 21.08 connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.

For supported Horizon versions, see the VMware Product Interoperability Matrix.

Integration with Horizon Cloud Service on Microsoft Azure with Universal Broker is configured from the Horizon Cloud administration console. The Workspace ONE Access 21.08 connector does not support integration with Horizon Cloud Service on IBM Cloud or Horizon Cloud Service on Microsoft Azure with Single-Pod Broker.

To use Horizon Cloud Service virtual apps on Microsoft Azure (Single-Pod Broker) with Workspace ONE Access 21.08, you must use VMware Identity Manager connector version

To use VMware ThinApp with Workspace ONE Access 21.08,  you must use the VMware Identity Manager Linux-based connector appliance version 2018.8.1.0.  If you use ThinApp packages, do not upgrade to newer versions of the Workspace ONE Access connector.

Compatibility Matrix

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.


VMware Workspace ONE Access Connector 21.08.0

You can upgrade Workspace ONE Access connector versions 20.10.x and 20.01.x to version 21.08.

See the Upgrading to VMware Workspace ONE Access Connector 21.08 guide for information.

Migrating to Workspace ONE Access 21.08 Connectors

From Workspace ONE Access connector version 19.03 and, a migration path to version 21.08 is available. The process includes installing new 21.08 connectors and migrating your existing directories and Horizon and Citrix virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.

After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.

Important: All legacy connectors must be version 19.03.x before you can migrate.

See Migrating to VMware Workspace ONE Access 22.08 Connectors 21.08 guide for information.

Certificate Requirement for Horizon Virtual Apps Collections

Ensure that the Horizon Connection Servers have valid certificates signed by a trusted Certificate Authority (CA). If the Horizon Connection servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon Connection servers. This is a new requirement in Workspace ONE Access connector 21.08. You upload the certificates using the connector installer. See Installing Workspace ONE Access Connector for more information.

Requirements for RSA SecurID Authentication Method

The RSA SecurID integration has the following new requirements:

  • In the RSA Security console, the Workspace ONE Access connector must be added as an authentication agent using the fully qualified domain name (FQDN). For example, connectorserver.example.com. If you have already added the connector as an authentication agent using the NetBIOS name instead of the FQDN, add another entry using the FQDN. Leave the IP address field empty for the new entry. Do not delete the old entry.
  • If you deployed multiple instances of the RSA Authentication Manager server, you must configure them behind a load balancer. See Workspace ONE Access Requirements for RSA SecurID Load Balancer for more information.


The VMware Workspace ONE Access documentation is in the VMware Workspace ONE Access Documentation Center.


check-circle-line exclamation-circle-line close-line
Scroll to top icon