September 2021

What's in the Release Notes

What's New in the September FedRAMP Release 

Workspace ONE Access Connector Support for Virtual Apps

The 21.08 release of the Workspace ONE Access Connector includes a new Virtual App service that supports integrating Horizon and Citrix virtual apps. This will allow for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or to version 21.08.x. Both directories and virtual apps collections must be migrated together during this one-time process.

Build: VMware Workspace ONE Access Connector (Windows) 21.08 | September 2021 | Build Workspace ONE Access Connector 21.08.0 Installer.exe

RSA SecurID Updates

We have updated the way we integrate with RSA SecurID by using REST APIs. If you are currently using RSA SecurID as an authentication method, then a new connector for the User Auth service can be added before migration for minimal downtime to RSA SecurID logins.

Introducing Hub Services Roles Based Access Control  

Hub Services Roles Based Access Control (RBAC) allows admins to assign roles to different stakeholders and manage their access permissions to the Hub Services admin console. Hub Services RBAC supports 5 pre-defined roles that admins can assign to user groups:

  •     Super Admin
  •     Auditor
  •     Notification Admin
  •     Notification Creator
  •     Notification Auditor

Assign notification specific roles to stakeholders who can help manage your corporate communication by sending out notifications to users on Workspace ONE Intelligent Hub. Employees in teams like Marketing or HR who want to inform employees about important company news such as an upcoming all-hands meeting or open enrollment benefits can be assigned a restricted role that grants them permission to create and send notifications.

Mobile SSO for iOS and Android devices

  • Workspace ONE Access offers support to implement mobile SSO authentication to the Workspace ONE UEM-managed iOS and Android devices.

Certificate (cloud deployment)

  • Certificate-based authentication is supported.

Authentication Policies

  • Allow support for multiple authentication methods. The ability to configure authentication methods and access policies is enabled. Authentication methods supported includes Password (cloud deployment), RSA SecurID (cloud deployment), RADIUS (cloud deployment), Kerberos Auth,  and Password (AirWatch Connector).
  • More Information: Configuring Authentication in VMware Workspace ONE Access

SSO through SAML Identity Providers

Access to Third Party Managed Applications

ADFS as the Third-Party Identity Provider with Just-in-Time Provisioning

  • Offers support to configure ADFS as the identity provider to authenticate users and create the user account in the Workspace ONE Access service through just-in-time provisioning.
  • More Information: Just-in-Time User Provisioning

Directory Types

Workspace ONE Access Connector 20.01 and Connector 19.03.01

Application Catalog

Administration through the Console

  • Provides support for centralized management through the administration console to help manage users and groups, add resources to the catalog, manage entitlements to resources in the catalog, configure Workspace ONE UEM integration, and set up and manage authentication and access policies
  • More Information: Working in VMware Workspace ONE Access Console


Hub Services Features

Hub App Catalog

  • The Hub Catalog lists the apps that you make available to your users. You can arrange the layout of the Hub catalog page to make it easy for users to find apps from the Workspace ONE Intelligent Hub app and the Hub portal in a web browser. You can add sections such as Categories or Favorites to organize apps and you can enable App Rating to let users rate an app with a thumb up or down click.
  • More Information: Setting Up the Hub Catalog


  • Hub Notifications service is a cloud-hosted service designed to generate and serve real-time notifications to your employees. In Hub Services, you can create custom informational and actionable notifications to send to selected groups in your organization.
  • More Information: Using Hub Notifications Services in Workspace ONE Hub

End User Self-Service Help

  • In the Employee Self-Service Help service, you will be able to help employees find answers and troubleshoot their own issues. You can add helpful links to the self-service tab to empower and educate users about how to perform basic device management tasks, investigate issues, and fix problems. You can enable device self-service to display a My devices section in the self-service tab in the Workspace ONE Intelligent Hub app. My devices section provides detailed information about the user's devices.
  • More Information: Configuring Employee Self-Service Features in Hub Services


  • When Hub Services is fully integrated with Workspace ONE Access, you can enable access to the People service to let users search for their colleagues and view user details and organization charts directly from the Workspace ONE Intelligent Hub app or Hub portal in a web browser.
  • More Information: Enabling Access to Workspace ONE People Search

Custom Tab

  • The Custom Tab feature lets you add a custom tab in the Workspace ONE Intelligent Hub app that links to your company website or to another resource that you want to share with users.
  • More Information: Add A Custom Tab


Compatibility and Upgrade

Component Compatibility

Windows Server Supported

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Web Browser Supported

  • Mozilla Firefox, latest version
  • Google Chrome, latest version
  • Safari, latest version
  • Microsoft Edge, latest version

Database Supported

  • MS SQL 2012, 2014, 2016, 2017, 2019
  • Important: Microsoft SQL server 2012 and 2014 must be updated with the Microsoft SQL patch to support TLS 1.2.

Directory Server Supported

  • Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
  • OpenLDAP - 2.4.42
  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (
  • IBM Tivoli Directory Server 6.3.1

Virtual Apps Compatibility

The Workspace ONE Access 21.08 connector now supports Virtual Apps (Citrix and Horizon integrations) with the new Virtual App service. The 21.08 connector does not support Horizon Cloud and ThinApp integrations.

The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The 21.08 connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.

For supported Horizon versions, see the VMware Product Interoperability Matrix.

Integration with Horizon Cloud Service on Microsoft Azure with Universal Broker is configured from the Horizon Cloud administration console. The Workspace ONE Access 21.08 connector does not support integration with Horizon Cloud Service on IBM Cloud or Horizon Cloud Service on Microsoft Azure with Single-Pod Broker.

To use Horizon Cloud Service virtual apps on Microsoft Azure (Single-Pod Broker) with Workspace ONE Access 21.08, you must use VMware Identity Manager connector version

To use VMware ThinApp with Workspace ONE Access 21.08,  you must use the VMware Identity Manager Linux-based connector appliance version 2018.8.1.0.  If you use ThinApp packages, do not upgrade to newer versions of the Workspace ONE Access connector.

Certificate Requirement for Horizon Virtual Apps Collections

Ensure that the Horizon Connection Servers have valid certificates signed by a trusted Certificate Authority (CA). If the Horizon Connection servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon Connection servers. This is a new requirement in Workspace ONE Access connector 21.08. You upload the certificates using the connector installer. See Installing the Workspace ONE Connector documentation on the  Workspace ONE Access Documentation page. for more information.

Requirements for RSA SecurID Authentication Method

The RSA SecurID integration has the following new requirements:

  • In the RSA Security console, the Workspace ONE Access connector must be added as an authentication agent using the fully qualified domain name (FQDN). For example, If you have already added the connector as an authentication agent using the NetBIOS name instead of the FQDN, add another entry using the FQDN. Leave the IP address field empty for the new entry. Do not delete the old entry.
  • If you deployed multiple instances of the RSA Authentication Manager server, you must configure them behind a load balancer. See Workspace ONE Access Requirements for RSA SecurID Load Balancer for more information.


VMware Workspace ONE Access Connector 21.08

The VMware Workspace ONE Access connector is an on-premises component of VMware Workspace ONE Access that integrates with your on-premises infrastructure. The connector is a collection of enterprise services that can be installed individually or together on windows servers. The following service components can be installed.

  • Directory Sync service to sync users from your enterprise directories
  • User Auth service that includes Password (cloud), RSA SecurID (cloud), and RADIUS (cloud)
  • Kerberos Auth service for Kerberos authentication

You can upgrade Workspace ONE Access connector versions 20.10.x  to version 21.08.

See the Upgrading to VMware Workspace ONE Access Connector 21.08 guide for information.

Migrating to Workspace ONE Access 21.08 Connectors

From Workspace ONE Access connector version 19.03 and, a migration path to version 21.08 is available. The process includes installing new 21.08 connectors and migrating your existing directories and Horizon and Citrix virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.

After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.

Important: All legacy connectors must be version 19.03.x before you can migrate.

See Migrating to VMware Workspace ONE Access 22.08 Connectors 21.08 guide for information.


Workspace ONE Access documentation for FedRAMP can be found in the  Workspace ONE Access Cloud section in the VMware Workspace ONE Access Documentation Center.

check-circle-line exclamation-circle-line close-line
Scroll to top icon