VMware Workspace ONE Access | APRIL 2024

VMware Workspace ONE Access Connector (Windows) 23.09 | 19 OCT 2023 | Build Workspace-ONE-Access-Connector-Installer-

What's New in April 2024 Release

Support for Passkey Authentication

We are excited to announce the availability of passkeys for authentication in Workspace ONE Access.

Passkeys are discoverable FIDO credentials, built on the WebAuthn standard. Passkeys allow password-less authentication and provide users with faster, easier, and more secure login experiences across all their devices. Passkeys have garnered widespread industry support and offer a phishing-resistant, viable alternative to passwords.  

Passkeys simplify FIDO2 authentication by synchronizing FIDO registration information across user’s devices. Passkey support is available across all devices including iOS, Mac, Windows, and Android and all major browsers. Administrators can continue to configure FIDO2 as the authentication method in Workspace ONE Access and can leverage the advantages of passkey.

Passkeys uses public key cryptography and has two parts: a public key on the server you’re signing into and a corresponding private key on your devices. The public key is synced between devices that share a common login, such as Chrome browser profiles or Apple ID. When you sign in, the Workspace ONE Access initiates a webauthn flow that triggers device biometric authentication or PIN to verify the identity of the user and checks to see if your public key matches up with your private key. The user experience is consistent with the typical device unlock that the user is familiar with. The user will be signed in to the account, while the private key and their biometrics will stay safely on the device, and they will never be shared.

January 2024

Support for PKCE and OAuth 2.0 Public Clients

PKCE (Proof Key for Code Exchange) is an extension to OAuth 2.0 Authorization Code flow that helps in securing OAuth tokens from CSRF and code injection attacks. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. A communication path not protected by TLS is susceptible to this attack and an attacker can gain access to the authorization code and use it to obtain the access token.

PKCE extension utilizes a dynamically created cryptographically random key to ensure proof of possession by the client. Workspace ONE Access supports enabling PKCE for OAuth 2.0 public clients and clients participating in Authorization Code flow. Along with PKCE support, Workspace ONE Access now supports creation of OAuth 2.0 public clients. Public clients are useful for applications running in a browser or on a mobile device that cannot keep their registered client secret safe.

PKCE is enabled by default and is mandatory for all public clients created in Workspace ONE Access.

User Choice of Authentication

We are excited to announce the availability of User Choice of Authentication functionality with Workspace ONE Access. With this new feature, users have the flexibility to choose from a set of authentication options presented to them for their second factor authentication.

This feature is particularly valuable in scenarios where users might not have access to their second factor authentication option, such as a smartphone for receiving push notifications. In such cases, users can seamlessly opt for an alternative method from the presented choices to successfully complete the login sequence.

Administrators configure policies to control the availability of various authentication choices for specific authentication requirements. Further, conditional access parameters such as network range, device specifications, device management state or user groups can be configured to secure and customize authentication experience for end users.

This feature is available only with Workspace ONE Access SaaS. 

December 2023

Support for Duo v4 SDK with Duo Universal Prompt

Workspace ONE Access now supports Duo v4 SDK. Duo v4 supports the new Duo Universal Prompt that provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements. Workspace ONE Access users are automatically migrated from traditional Duo prompt to Duo Universal Prompt after this support is rolled out. No admin action is required to enable this change.

Support for Horizon Client and App Launch from Shortcuts

Workspace ONE Access now provides an ability to relaunch Horizon published virtual desktops and apps from shortcuts using launch URLs. Prior to this release, when launching a shortcut pointing to the Horizon Client or app, users were directed to a blank screen that blocks the client or app launch. With this update, the app information and a launch option is provided to the user. 

October 2023

Workspace ONE Access Connector 23.09

Workspace ONE Access connector 23.09 is compatible with Workspace ONE Access Cloud, Workspace ONE Access On-premise 23.09, and Workspace ONE Access for FedRAMP.

Resolved Issues for Connector 23.09

The following is a list of Connector resolved issues.

  • HW-180874: The Default Launch Client setting for Horizon virtual apps collections is ignored

  • HW-170798: Unable to sync Horizon Enterprise virtual apps collections when using a connection via a proxy

  • HW-174051: Updating a virtual apps collection resets the network range

  • HW-172671: Citrix App launch fails on Firefox browser

  • HW-171435: Citrix App launch fails when the first connector in the virtual apps collection is down

  • HW-170576: Unable to sync virtual apps collections when using a connection via a proxy

  • HW-174269: Workspace ONE Access Connector 22.09.1 fails to install when the domain name has a '_' character

  • HW-181989: Saving or syncing a Horizon virtual apps collection when a Horizon server is down removes existing  metadata

  • HW-170576: When a proxy is configured, the Virtual App service is unable to fetch metadata from a Horizon Cloud Service Single-Pod Broker setup

August 2023

Announcing General Availability of Mobile SSO for Apple Device Authentication

We are excited to announce the general availability of the Mobile SSO for Apple devices authentication - the next generation Mobile SSO feature in Workspace ONE Access.

As part of the iOS 13 SDK and MDM spec, Apple introduced a new cross-platform SSO extension that offered a native SSO approach using standard federation protocols. Mobile SSO for Apple devices in Workspace ONE Access leverages this native SSO Extension SDK in Apple.

In addition to providing seamless SSO across iOS and iPadOS devices,  Mobile SSO for Apple in Workspace ONE Access offers configurable biometric authentication that allows using the platform's built-in biometric authenticators such as TouchID, FaceID or Passcode for additional authentications before accessing applications.

The Mobile SSO for Apple authentication method features the ability to limit Single Sign-On to selected apps. The solution uses certificate based authentication to Workspace ONE Access and supports Workspace ONE Shared iOS devices Check-In Check-Out use cases.

NOTE: Workspace ONE Intelligent Hub must be installed in the devices participating in SSO.

Mobile SSO for Apple is a replacement for Mobile SSO for iOS that's available with Workspace ONE Access today. Both solutions can however co-exist as part of migration configuration. A gradual migration from Mobile SSO for iOS to Mobile SSO for Apple is recommended. Migration steps can be found here.

This feature is available only in the Workspace ONE Access Cloud environment.

June 2023

Support for Windows 11 devices in Workspace ONE Access Policy Rules

Workspace ONE Access now recognizes Windows 11 devices for enrollment and conditional access. Prior to this support, access policies with device type set to Windows 10 were not applied to Windows 11 devices. With this update, the Windows 10+ device type rules will be used for Windows 10 and Windows 11 devices. This functionality is supported across all Windows 11 devices, including desktops and mobile devices.

May 2023

Workspace ONE Access Now Supports FIDO2 as Primary Authenticator

Workspace ONE Access now allows FIDO2 authenticators to be configured as primary authenticators. Prior support of FIDO2 authentication was limited to step-up authentication. With this release, end users can authenticate into Workspace ONE Access using a FIDO2 authenticator. End users can also self-register a FIDO2 authenticator. Both platform authenticators (mobile devices, laptops etc. that support FIDO2) and third-party authenticators (Yubikey, USB secure devices etc.) are supported.

April 2023

Discontinuation of unsupported VMware Identity Manager Connectors

In this release of Workspace ONE Access Cloud, all functionality will cease on unsupported Connectors in any environment. To continue the functionality of all features, a supported version of the Workspace ONE Access Connector must be in use.

Environments that have unsupported Connectors running will have the following functionality discontinued with this change.

  1. Directory integration of Active Directory and other supported LDAP servers

  2. Change password for Active Directory users

  3. User authentication using connector-based authentication methods

  4. Virtual App Collections integration, including launch 

More information can be found in this VMwre KB article.

Renewed Workspace ONE Access reporting interface in the Workspace ONE Access console

Workspace ONE Access reporting received a renewed facelift for administrator users. This new design is up to date and allows for simple navigation through the following reports.

  • Recent Activity

  • Resource Usage

  • Resource Entitlements

  • Resource Activity

  • Group Membership

  • Users

  • Device Usage

  • Provisioning Status

  • Audit Events

Workspace ONE Access console, Reports > Audit Event report page view

Actions can be reconfigured with ease in new Role configuration page in the Workspace ONE Access console

The new navigation for configuring Roles allows for all actions to be added, reconfigured, and removed for a service. Roles can be customized with specific actions for each service in any fashion. Users that can manage administrator roles will also be able to delete any or all of the actions configured for a service.

Workspace ONE Access console, Roles page showing creating Actions for Directory Management

March 2023

Diminished functionality of unsupported VMware Identity Manager Connectors

In the March release of Workspace ONE Access Cloud, any environment that is using unsupported Connectors no longer can create, edit, or delete directories. To continue the functionality of all features, a supported version of the Workspace ONE Access Connector must be in use. Every customer is strongly encouraged to migrate to the latest Connector as soon as possible.

The ability to synchronize pre-existing directories will continue to function for both scheduled and on-demand syncs. More information can be found at https://kb.vmware.com/s/article/90808.

Refreshed Workspace ONE Access Navigation Pages

We are adding new navigation pages to the Workspace ONE Access console that were refreshed with an up-to-date design. The following pages have a fresh look and feel.

  • UEM Integration page

  • Directory page

  • Identity Provider page

The Auto Discovery and Terms of Use pages were removed as they are related to the Workspace ONE App that reached EOL. Information about the Workspace ONE App EOL can be found in the April 2022 release notes.

February 2023

New Option to Show Password on Login Screen

We are introducing a new toggle on the login screen to let users select to show the password when they are prompted to log in and authenticate using Workspace ONE Access services. This new feature will be available on authentication screens that use the password authentication method.

January 2023

Workspace ONE Access Now Supports FIDO2 Authentication on Mobile Browsers

Workspace ONE Access now allows FIDO2 authenticators to be registered and used for authentication on mobile browsers. Prior support of FIDO2 registration and authentication was limited to desktop browsers. With this release, end users can authenticate into Workspace ONE Access federated apps using a FIDO2 authenticator (i.e., YubiKey, Touch ID, Windows Hello, etc.) using mobile or desktop browsers. End users can also self-register a FIDO2 authenticator to be used as their primary authentication or as a second factor authentication.

Getting Started with VMware Identity Services

If you are a new customer of Workspace ONE Access and Workspace ONE UEM, we’ve added a service that will make user provisioning and federation easier! You can now leverage VMware Identity Services to configure a provisioned directory of users and groups using the SCIM 2.0 protocol in your Workspace ONE cloud admin console. VMware Identity Services will automatically provision users and groups, as well as authentication settings, to your Workspace ONE UEM and Workspace ONE Access admin consoles. 

Supported identity providers and directory sources:

  • Azure AD, a cloud-based identity service in Microsoft Azure

  • Generic SCIM 2.0 Identity Source (tested for Okta)

For more information, see the VMware Identity Services Release Notes.

Before You Begin

Component Compatibility

Windows Server Supported

Workspace ONE Access Connector 23.09 supports the following versions.

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2

Web Browser Supported

  • Mozilla Firefox, latest version

  • Google Chrome, latest version

  • Safari, latest version

  • Microsoft Edge, latest version

Directory Server Supported

  • Active Directory -Windows Server 2022, Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2 with a Domain functional level and Forest functional level of Windows 2003 or later.

  • OpenLDAP - 2.4

  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (

  • IBM Tivoli Directory Server 6.3.1

Virtual Apps Compatibility

The Workspace ONE Access 23.09 connector supports VMware Horizon, Horizon Cloud Service, Citrix, and ThinApp integrations with the Virtual App service.

The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 2203, Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The following versions of Citrix Gateway are supported: 12.1-62.27, 12.1-65.25, and 13.1-37.38. The connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.

For supported Horizon versions, see the VMware Product Interoperability Matrix.

Compatibility Matrix

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon.

Upgrade to VMware Workspace ONE Access Connector 23.09 (Windows)

Upgrade to Workspace ONE Access connector 23.09 is supported from versions,, 22.05,, and

See the Upgrading to VMware Workspace ONE Access Connector 23.09 guide for information.

Migrating to Workspace ONE Access Connector 23.09 (Windows)

You can migrate to Workspace ONE Access connector from the same versions as those supported for

From Workspace ONE Access connector version 19.03.x, a migration path to version 22.09 is available. The process includes installing new 22.09 connectors and migrating your existing directories and virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.

After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.

See Migrating to VMware Workspace ONE Access Connector 22.09 guide for information.

After migrating the legacy connectors to version 22.09, you can upgrade them to 23.09.


The VMware Workspace ONE Access documentation in in the VMware Workspace ONE Access Documentation Center.


VMware Workspace ONE Access is available in the following languages.

  • English

  • French

  • German

  • Spanish

  • Japanese

  • Simplified Chinese

  • Korean

  • Traditional Chinese

  • Russian

  • Italian

  • Portuguese (Brazil)

  • Dutch

Support Contact Information

Contact VMware Support when you need help with your Workspace ONE Access environment. You can submit a support request to VMware Support online using your VMware CustomerConnect account or by phone.

KB article 2151511, How to access VMware Workspace ONE Support describes how to contact Workspace ONE Support.

check-circle-line exclamation-circle-line close-line
Scroll to top icon