VMware Workspace ONE Access | DECEMBER 2022
VMware Workspace ONE Access Connector (Windows) 22.09.1.0 | 13 DEC 2022 | Build Workspace-ONE-Access-Connector-Installer-22.09.1.0.exe
New Admin Console Navigation Enabled for All Customers
The Workspace ONE Access console has been migrated to the new navigation for all users. The toggle to revert to the older navigation was removed from the console header for all customers. For an overview of the changed console, see the Workspace ONE Access Console Features and Settings topic, Navigating in the Workspace ONE Access Admin Console section.
Updated Workspace ONE Access Cloud Default Password Policy for Local Users
As VMware is committed to the highest security standards, Workspace ONE Access is hardening the default password policy for local users. The change impacts password length and number of numerical and special characters. Complexity requirements are enforced when passwords are changed or created. This update is applicable only to customers who use the default password policy for local users that are created in the Workspace ONE Access console.
Shift-Based Access Control in Workspace ONE (in Tech Preview)
The Shift-Based Access Control feature is available now as a Tech Preview.
Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. In the Workspace ONE Access console, you can configure Shift-based Auth as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift.
This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working.
The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature.
Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later.
New Admin Console Navigation on by Default
Based on the successful launch of the Workspace ONE Access console navigation re-design, the new navigation toggle at the header of your Workspace ONE Access console will now be switched on to see the new navigation by default for all users. For an overview of the changes, see the Workspace ONE Access Console Features and Settings topic, Navigating in the Latest Workspace ONE Admin Console section. The toggle will be removed in December 2022.
Re-designed User Engagement Dashboard
The User Engagement Dashboard in the Workspace ONE Access console displays information about users and resources. You can see who is signed in, which applications are being used, and how often the applications are being accessed. You can create reports to track users and group activities and resource usage. The re-designed UI is updated to the Workspace ONE standards. You can now find the number of Unique User Logins Today below the total number of users and groups available in Workspace ONE Access. Total Logins Over Time will show you the weekly login dynamics.
Directory Sync Frequency Updates
The interval between synchronizations is now more flexible: administrators can choose hourly synchronization or synchronization every 2, 6, or 12 hours. Administrators can also choose a less frequent schedule with daily or weekly intervals.
Shift-based conditional access policies in Workspace ONE Access to support Shift-based Access to Workspace ONE Digital Workspace
Shift-based access control with Workspace ONE enables your company to deliver a digital workspace that is shift aware. Shift-based access control restricts the use of different product apps and features when a worker is not clocked in for their shift.
In the Workspace ONE Access console, you can configure Shift-based Auth as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift. The authorization is applied after workers are authenticated with a first factor authentication method based on your access policy rules.
UEM Token Device Enrollment Authentication Method
The UEM Token authentication method allows customers to seamlessly change the source of authentication from Workspace ONE UEM to Workspace ONE Access for device enrollment of the Workspace ONE Intelligent Hub for iOS and Android. Devices in registered mode, and Android devices that do not have a Workspace ONE UEM certificate at the time of enrollment, can be identified and authenticated with Workspace ONE Access. This feature addresses the previous problem of duplicate authentication, provides the most seamless transition yet for Workspace ONE UEM customers to Workspace ONE Access, and does not impact existing enrolled devices.
Note: UEM Token authentication works with Workspace ONE UEM version 2210 and later.
Time-based One-Time Password (TOTP) Authentication Now Available in Workspace ONE Intelligent Hub iOS and Android
Workspace ONE Intelligent Hub for iOS and Android brings support for adding and generating Time-based One-time Passwords or TOTP.
End users with a QR code or the secret key for an account can register that secret key with Workspace ONE Intelligent Hub to allow for the generation of Time-Based One-Time Passwords. This does not require an internet connection.
End users can find this functionality in the app’s Account screen under “Two Factor Authentication”, reached by tapping the icon at the top of the app on any screen if users have Hub Services, or from the main screen in UEM-only mode. This functionality is not supported for multi-staging users, where the device is passed around between multiple users, because TOTP’s security fundamentally depends on the user’s possession of the device.
Bypass multipleauthn SAML attribute claims in WS-Fed active flows
The multipleauthn SAML attribute will no longer be passed in active federation flows.
Workspace ONE Access Connector 22.09
Integrate Citrix Virtual Apps and Desktops with Multi-Site Aggregation Enabled. Creating Citrix Apps and Desktops that have multi-site aggregation enabled is supported in the 22.09 release of Workspace ONE Access for both SaaS hosted and on-premises deployments. Citrix multi-site aggregation allows for an application or desktop that is duplicated across multiple sites to be combined and displayed as a single application or desktop icon.
Use Keyword Filtering for Citrix Virtual Apps and Desktops. Administrators can use keywords to filter the resources from their Citrix Virtual Apps and Desktops to only display the filtered resources to end users. This functionality is supported in both SaaS hosted and on-premises deployment models and can be configured while installing the 22.09 Workspace ONE Access Connector.
Windows Connector Support for ThinApp. ThinApp support is included with Workspace ONE Access Connector 22.09. This allows ThinApp package synchronization in both the on-premises and SaaS hosted versions of Workspace ONE Access. Existing ThinApp packages must be converted before they can be used with 22.09 Workspace ONE Access connectors. Also, legacy Linux connectors must be upgraded to VMware Identity Manager Connector for Windows 19.03.01 prior to migrating to the 22.09 connector.
The Workspace ONE Access Desktop application is required to launch ThinApp packages, and the 22.09 release provides new functionality. End users will be able to view a progress bar browser, which will enhance their user experience when ThinApp packages are being downloaded in the background. There is also a new Sync Now button that will allow users to force packages to be downloaded on demand.
Note: In the Workspace ONE Access Desktop application, the Open my Identity Manager portal command is deprecated.
This release includes the following issues resolved in Workspace ONE Access Connector 22.09:
HW-157180: Improved resiliency of Horizon virtual apps collection synchronization
HW-164225: Resolved an issue related to launch of Citrix private desktops from the Workspace ONE catalog
HW-151085: Resolved an issue that shows an incorrect Display Name for Horizon applications and desktops that are synchronized through Workspace ONE Access
HW-139876: The UI now displays a warning on the POD configuration page if HTML Access for Horizon is not installed
HW-143339: Resolved an issue that causes syncs to fail when a user is migrated to a new domain within the same AD forest. Also, added support for users that are migrated to different domains and forests.
HW-163476: Resolved an issue where users were prompted to enter their credentials again when they launched Horizon applications and desktops
Refreshed People Search Setup with Added Support for Custom Attributes
When the new console navigation is enabled in Workspace ONE Access SaaS tenants, a new user interface for People Search configuration provides administrators with a step-by-step setup flow. Once the People Search setup is completed, the People Search page shows cards that display summary and sync status information. The summary card allows administrators to view the directory that People Search is associated with and the user attributes that are mapped in that directory. The sync status card allows administrators to see the progress of current synchronizations, force manual photo synchronizations, modify photo sync frequencies, and view sync logs.
Improved User Groups Management UI
When you use the new navigation and the re-designed look of the Workspace ONE Access console, you will see a refreshed look of the Accounts > User Groups pages. There are specific functional changes to the interface that will help you manage groups more efficiently.
Now you can assign roles to the group from the User Group > individual group page.
Groups can be sorted in ascending/descending order and filtered by name from the groups listings page.
Pagination was added to the User Group list page to improve scrolling.
Refreshed Login Preferences Page
When you use the new navigation and the re-designed look of the Workspace ONE Access console, you will see a refreshed Login Preferences page under Settings > Login Preferences. To change settings, click the Edit button in the header. Each field now has a tooltip with helper text explaining how the setting is used.
Continue-on-Failure Authentication Policy
This release introduces a new access policy configuration option that gives you more control over how policy rules are executed. You can now create an access policy with rules that let users progress to the next rule if authentication fails on the present rule. In the Workspace ONE Access service, regular policy execution terminates once the first matching rule has been executed. The new rule progression option allows rule execution to continue to the next matching rule in the policy if authentication fails on the present rule. Common use cases for this configuration include passwordless authentication flows and flexible alternative authentication rules for different sets of users.
Refreshed Custom Branding Page
When you use the new navigation and the re-designed look of the Workspace ONE Access console, you will see a refreshed Branding page under Settings > Branding. The setting to change Favicon is no longer available in the re-designed console. The settings to customize branding for the VMware Verify application is now available on the Branding page.
Removed Settings Due to the End-of-Support-Life for the Workspace ONE application
Several configuration and branding settings have been removed from the user interface in the Workspace ONE Access console because of the end-of-support-life for the Workspace ONE application. Refer to the End of Support Life for the VMware Workspace ONE Application KB article (80208) for more information.
Connector Support for Horizon Cloud Service on Microsoft Azure with Single-Pod Broker (Workspace ONE Access Cloud only)
The 22.05 release of the Workspace ONE Access Connector includes support for integrating with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud. This allows the legacy connectors that are used for virtual apps to be migrated from version 19.03 or 19.03.0.1 to the version 22.05 connector. Both directories and virtual apps collections must be migrated together during this one-time process.
FIPS Mode Support for the Connector (Workspace ONE Access FedRAMP only)
The 22.05 Workspace ONE Access Connector includes an option to enable FIPS mode during installation. FIPS mode sets the connector to run with data and encryption that is secure at a level of compliance encouraged by the United States government. The algorithms used are FIPS 140-2 compliant algorithms.
Workspace ONE Access Connectors with FIPS mode enabled do not support integrating with Citrix, Horizon, Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, or Horizon Cloud Service on IBM Cloud. A Workspace ONE Access Connector with FIPS mode enabled supports integrating virtual apps that are running in Horizon Cloud Service on Microsoft Azure with Universal Broker.
The FIPS mode option is not available when you upgrade to a 22.05 connector. The option to enable FIPS mode is supported only in new connector installations.
If you enable FIPS mode in the connector and later want to disable it, you must reinstall the connector.
Time-based One-Time Password (TOTP) support for RFC 6238 Compliant Authenticator Apps*
Workspace ONE Access now supports a new authentication method, ‘Authenticator App’, to enhance its native MFA capabilities. This MFA is ideal for users with unmanaged devices, can be used offline, and requires no collection of personally identifiable information (PII). Users can use any authenticator app of their choice, such as Google Authenticator, Microsoft Authenticator, Okta Verify, Authy, or 1Password, that follows the time-based one-time passcode (TOTP) standard as defined in RFC 6238, on their own device. TOTP client support will be available in the Intelligent Hub iOS and Android apps later this year in Q3. See Configure an Authenticator App with Two-Factor Authentication for configuration instructions.
Vulnerabilities with identifiers CVE-2021-44228 and CVE-2021-45046 were fixed in the Workspace ONE Access connector version 22.05. For more information, see VMware Security Advisory VMSA-2021-0028.
HW-151085. Fixed an issue where the wrong application display name was displayed on Horizon applications.
HW-155731. The computer object is no longer retrieved from Active Directory when syncing group memberships.
HW-126664. Resolved issues with the Workspace ONE Access connector retrying to establish a connection.
NEW December 19, 2022
HW-170576 – Workspace ONE Access 22.05 Connector. When a proxy is configured, Virtual App Service is unable to fetch metadata from Horizon Cloud Service Single Pod Broker setup.
Contact VMware Support to request a patch.
Introducing the Redesigned Workspace ONE Access Navigation
The redesigned Workspace ONE Access admin console improves your ability to navigate and edit key settings, helping you achieve your business goals. A new toggle at the header in the console will help you switch to the redesigned console and you can switch back for easy comparison. Pages are grouped under five tabs - Monitor, Accounts, Resources, Integrations, and Settings, with menus located on the left side panel. The former Manage and Setup buttons were removed to simplify the configuration process.
Monitor includes the former Dashboard tab as well as Limit and Report monitoring tools.
Accounts groups together the former Users & Groups and Roles tabs.
Resources replaced the Catalog tab and includes Policies as they provide secure access to the end-user portal.
Integrations include the on-premises and cloud components you integrate with Workspace ONE Access to manage users, configure authentication methods, and set up third-party integrations.
Settings is now a top-level navigation tab for faster access to branding, password policies, OAuth 2.0 management, and other settings.
We’ve redesigned several key pages to help you explore Workspace ONE Access functionality. When the toggle is on, some pages have critical improvements. For example, the User Profile page has a new look that also supports editing user roles from that page (Edit Roles) and overview of user activity (Activities Tab). For the Users page, we simplified user search by adding advanced search and sorting by user name. In the Settings tab, OAuth 2.0 pages are redesigned, Password Policies and Password Recovery pages are displayed together, and the User Attributes page is updated. For more information about the new console, see Workspace ONE Access Features and Settings topic.
Note: The change will affect all admin users in your tenant.
Managing OAuth 2.0 Clients in Workspace ONE Access
When the New Navigation toggle is turned on in the redesigned console, Remote App Access is renamed OAuth 2.0 Management and has been moved to the Settings tab. Workspace ONE Access uses OAuth 2.0 to enable applications and provide secure delegated access to applications enabled in the Hub catalog.
You can create a single OAuth 2 client to enable a single application to register with Workspace ONE Access. You can also create a template to enable a group of clients to register dynamically to allow access to specified applications.
Improvements of the OAuth 2.0 Management page include:
Clients and templates can now be removed from their listings
Templates are now editable
The ability to create your own secret for a client has been removed
Built-in templates and internal clients are now hidden
Accelerated EOL of Legacy Workspace ONE Experiences (Workspace ONE App and Web Portal EOL) on May 15, 2022
For several reasons listed in https://kb.vmware.com/s/article/87908, we are accelerating the EOL of these legacy experiences to May 15, 2022, which includes removing the Workspace ONE app from the App Store and Play Store. Customers who have the Workspace ONE Apps deployed should migrate immediately to the Workspace ONE Intelligent Hub app.
When the Workspace ONE app is EOL, new user enrollments for the Workspace ONE app will be blocked. Additionally, all login attempts to the Workspace ONE app will be detected and might be blocked as part of access policy rules with the Device Enrollment device type.
Verify (with Intelligent Hub) User Experience Enhancement
Workspace ONE Access has improved the fallback authentication experience for users without an enrolled device to perform Verify (with Intelligent Hub). As soon as no eligible device is detected for the user, Verify (with Intelligent Hub) falls back to the configured fallback authentication method instead of waiting for the token to time out. This change improves the user experience when access policy rules use Verify (with Intelligent Hub) in combination with other two-factor authentication methods for users without managed devices.
Default for Temporary Password Lifetime changed to 24 hours
In accordance with recommended security measures, we are changing the default lifetime of temporary password reset links to 24 hours for new Workspace ONE Access tenants. This change does not affect any modified password policies, and admins retain the ability to change this value to meet their business needs. We recommend that all admins review their organization’s security policy and reduce the temporary password lifetime in the password settings to only the number of hours deemed strictly necessary.
Support for UEM Token Authentication - Beta Version (duration February 17, 2022 to March 31, 2022)
Access support for UEM Token Authentication will enable enrollment from Workspace ONE UEM for the Workspace ONE Intelligent Hub iOS and Android mobile apps when Workspace ONE Access is the “source of authentication”. To access the beta and for further instructions, customers need to have an account on the Early Access Community portal. On the portal, navigate to the “Beta - WS1 Access” project and fill out the request form with Access and UEM test tenant information. The production version for this feature will be released shortly after the end of the beta program.
Linux and Chrome OS are now supported device types in Access Policy Rules
Previously, Linux and Chrome OS devices were limited to only matching access policy rules that are accessing content from “Web Browser” or “All Device Types” to authenticate with Workspace ONE Access. Now, we individually support identifying Linux and Chrome OS devices with their own drop-down options, allowing for increased flexibility to configure Linux-specific or Chrome OS-specific authentication methods. This addition will not disrupt the function of any current access policy configurations as both “Web Browser” and “All Device Types” will still apply to any operating system.
VMware Workspace ONE Access is available in the following languages.
Windows Server Supported
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Web Browser Supported
Mozilla Firefox, latest version
Google Chrome, latest version
Safari, latest version
Microsoft Edge, latest version
MS SQL 2014, 2016, 2017, 2019
Important: Microsoft SQL server 2014 must be updated with the Microsoft SQL patch to support TLS 1.2.
Directory Server Supported
Active Directory - Single AD domain, multiple domains in a single AD forest, or multiple domains across multiple AD forests.
OpenLDAP - 2.4
Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (220.127.116.11.0)
IBM Tivoli Directory Server 6.3.1
Virtual Apps Compatibility
The Workspace ONE Access 22.09 connector supports VMware Horizon, Horizon Cloud Service, Citrix, and ThinApp integrations with the Virtual App service.
The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 2203, Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.
For supported Horizon versions, see the VMware Product Interoperability Matrix.
VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon.
Upgrade to VMware Workspace ONE Access Connector 22.09
You can upgrade Workspace ONE Access connector versions 22.05, 21.08.x, 20.10.x, and 20.01.x to version 22.09.
See the Upgrading to VMware Workspace ONE Access Connector 22.09 guide for information.
Migrating to Workspace ONE Access Connector 22.09 (Windows)
From Workspace ONE Access connector version 19.03.x, a migration path to version 22.09 is available. The process includes installing new 22.09 connectors and migrating your existing directories and virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.
After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.
All legacy connectors must be version 19.03.x before you can migrate.
To migrate ThinApp virtual apps collections, you must first migrate from the Linux 2018.8.1.0 connector to the Windows 19.03.0.1 connector. Then, migrate from version 19.03.0.1 to version 22.09.
See Migrating to VMware Workspace ONE Access Connector 22.09 guide for information.
Certificate Requirement for Horizon Virtual Apps Collections
Ensure that the Horizon Connection Servers have valid certificates signed by a trusted Certificate Authority (CA). If the Horizon Connection servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon Connection servers. This is a new requirement starting with the Workspace ONE Access connector 21.08. You upload the certificates using the connector installer. See Installing Workspace ONE Access Connector 22.09 for more information.
Requirements for RSA SecurID Authentication Method
The RSA SecurID integration has the following new requirements beginning with Workspace ONE Access connector version 21.08.
In the RSA Security console, the Workspace ONE Access connector must be added as an authentication agent using the fully qualified domain name (FQDN). For example, connectorserver.example.com. If you have already added the connector as an authentication agent using the NetBIOS name instead of the FQDN, add another entry using the FQDN. Leave the IP address field empty for the new entry. Do not delete the old entry.
If you deployed multiple instances of the RSA Authentication Manager server, you must configure them behind a load balancer. See Workspace ONE Access Requirements for RSA SecurID Load Balancer for more information.
The VMware Workspace ONE Access documentation is in the VMware Workspace ONE Access Documentation Center.