Workspace ONE Access | Hub Services | FEBRUARY 2024

VMware Workspace ONE Access Connector (Windows) 23.09 | 19 OCT 2023 | Build Workspace-ONE-Access-Connector-Installer-

What's New in February 2024

Push Notifications Enabled on FedRAMP

In a significant update to our FedRAMP-compliant tenants, Push Notifications are now enabled! This enhancement will help organizations reach their employees efficiently with Hub Notifications for prompt communication and operational efficiency within the FedRAMP environment. See the Hub Services documentation to learn more about how to leverage Hub Notifications.

January 2024

Support for PKCE and OAuth 2.0 Public Clients

PKCE (Proof Key for Code Exchange) is an extension to OAuth 2.0 Authorization Code flow that helps in securing OAuth tokens from CSRF and code injection attacks. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. A communication path not protected by TLS is susceptible to this attack and an attacker can gain access to the authorization code and use it to obtain the access token.

PKCE extension utilizes a dynamically created cryptographically random key to ensure proof of possession by the client. Workspace ONE Access supports enabling PKCE for OAuth 2.0 public clients and clients participating in Authorization Code flow. Along with PKCE support, Workspace ONE Access now supports creation of OAuth 2.0 public clients. Public clients are useful for applications running in a browser or on a mobile device that cannot keep their registered client secret safe.

PKCE is enabled by default and is mandatory for all public clients created in Workspace ONE Access.

User Choice of Authentication

We are excited to announce the availability of User Choice of Authentication functionality with Workspace ONE Access. With this new feature, users have the flexibility to choose from a set of authentication options presented to them for their second factor authentication.

This feature is particularly valuable in scenarios where users might not have access to their second factor authentication option, such as a smartphone for receiving push notifications. In such cases, users can seamlessly opt for an alternative method from the presented choices to successfully complete the login sequence.

Administrators configure policies to control the availability of various authentication choices for specific authentication requirements. Further, conditional access parameters such as network range, device specifications, device management state or user groups can be configured to secure and customize authentication experience for end users.

This feature is available only with Workspace ONE Access SaaS. 

December 2023

Support for Duo v4 SDK with Duo Universal Prompt

Workspace ONE Access now supports Duo v4 SDK. Duo v4 supports the new Duo Universal Prompt that provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements. Workspace ONE Access users are automatically migrated from traditional Duo prompt to Duo Universal Prompt after this support is rolled out. No admin action is required to enable this change.

Support for Horizon Client and App Launch from Shortcuts

Workspace ONE Access now provides an ability to relaunch Horizon published virtual desktops and apps from shortcuts using launch URLs. Prior to this release, when launching a shortcut pointing to the Horizon Client or app, users were directed to a blank screen that blocks the client or app launch. With this update, the app information and a launch option is provided to the user.

October 2023

Workspace ONE Access Connector 23.09

Workspace ONE Access connector 23.09 is compatible with Workspace ONE Access Cloud, Workspace ONE Access On-premise 23.09, and Workspace ONE Access for FedRAMP.

Resolved Issues for Connector 23.09

The following is a list of Connector resolved issues.

  • HW-180874: The Default Launch Client setting for Horizon virtual apps collections is ignored

  • HW-170798: Unable to sync Horizon Enterprise virtual apps collections when using a connection via a proxy

  • HW-174051: Updating a virtual apps collection resets the network range

  • HW-172671: Citrix App launch fails on Firefox browser

  • HW-171435: Citrix App launch fails when the first connector in the virtual apps collection is down

  • HW-170576: Unable to sync virtual apps collections when using a connection via a proxy

  • HW-174269: Workspace ONE Access Connector 22.09.1 fails to install when the domain name has a '_' character

  • HW-181989: Saving or syncing a Horizon virtual apps collection when a Horizon server is down removes existing  metadata

  • HW-170576: When a proxy is configured, the Virtual App service is unable to fetch metadata from a Horizon Cloud Service Single-Pod Broker setup

August 2023

Announcing General Availability of Mobile SSO for Apple Device Authentication in Workspace ONE Access

We are excited to announce the general availability of the Mobile SSO for Apple device authentication method - the next generation Mobile SSO feature in Workspace ONE Access.

As part of the iOS 13 SDK and MDM spec, Apple introduced a new cross-platform SSO extension that offered a native SSO approach using standard federation protocols. Mobile SSO for Apple devices in Workspace ONE Access leverages this native SSO Extension SDK in Apple.

In addition to providing seamless SSO across iOS and iPadOS devices,  Mobile SSO for Apple authentication method in Workspace ONE Access offers configurable biometric authentication that allows using the platform's built-in biometric authenticators such as TouchID, FaceID or Passcode for additional authentications before accessing applications.

The Mobile SSO for Apple authentication method features the ability to limit Single Sign-On to selected apps. The solution uses certificate based authentication to Workspace ONE Access and supports Workspace ONE Shared iOS devices Check-In Check-Out use cases.

NOTE: The Workspace ONE Intelligent Hub app must be installed in the devices participating in SSO.

Mobile SSO for Apple is a replacement for Mobile SSO for iOS that's available with Workspace ONE Access today. Both solutions can however co-exist as part of migration configuration. A gradual migration from Mobile SSO for iOS to Mobile SSO for Apple is recommended. See the How to Migrate from Workspace ONE Access Mobile (for iOS) to Mobile SSO (for Apple Authentication Method article.

This feature is available only in the Workspace ONE Access Cloud environment.

Limit Devices in Staging Accounts from Viewing Other Devices

For devices that are enrolled in a staging account, the Workspace ONE Intelligent Hub app’s Support tab will no longer list all devices enrolled in that staging account. Instead, the Support tab will only reflect the current device to prevent any malicious user(s) from taking action on all the other managed devices shown on the Support tab for that account.

Note: This requires Workspace ONE UEM version 23.06 or later.

Improved Search Experience on Hub Web

The Search Bar in the Hub Web portal has been moved to a more prominent location. App and People Search can now be performed easily and no longer requires end users to navigate to the Apps or People tabs to perform search.

Add Hub Deep Links and Workspace ONE Web Deep Links in as Helpful Links in the Support Tab

Self Service Helpful links have been updated to support Workspace ONE Intelligent Hub and VMware Workspace ONE Web apps' deep linking capabilities. This allows admins to setup helpful links that can seamlessly take their users to other parts of the Hub app using wsonehub://{deeplink} or launch web pages in a Web app using awb(s)://{url}.

Support for Windows 11 devices in Workspace ONE Access Policy Rules

Workspace ONE Access now recognizes Windows 11 devices for enrollment and conditional access. Prior to this support, access policies with device type set to Windows 10 were not applied to Windows 11 devices. With this update, the Windows 10+ device type rules will be used for Windows 10 and Windows 11 devices. This functionality is supported across all Windows 11 devices, including desktops and mobile devices.

Additional Self-Service Capabilities in the Support Tab

Workspace ONE Intelligent Hub Web now allows users to take actions such as Clear Passcode and Make Noise from the Support tab. These actions are enabled by default and can be managed by the admin from the Hub Services Console (Employee Self-Service > Device Self-Service > Non-Critical Actions).

May 2023

Workspace ONE Access GovCloud Now Supports FIDO2 Authentication

Workspace ONE Access GovCloud now allows FIDO2 authenticators to be registered and used for authentication. With this release, end users can authenticate into Workspace ONE Access using a FIDO2 authenticator (i.e., YubiKey, Touch ID, Windows Hello, etc.). End users can also self-register a FIDO2 authenticator to be used as their primary authentication or as a second factor authentication.

April 2023

Renewed Workspace ONE Access reporting interface in the Workspace ONE Access console

Workspace ONE Access reporting received a renewed facelift for administrator users. This new design is up to date and allows for simple navigation through the following reports.

  • Recent Activity

  • Resource Usage

  • Resource Entitlements

  • Resource Activity

  • Group Membership

  • Users

  • Device Usage

  • Provisioning Status

  • Audit Events

Actions can be reconfigured with ease in new Role configuration page in the Workspace ONE Access console

The new navigation for configuring Roles allows for all actions to be added, reconfigured, and removed for a service. Roles can be customized with specific actions for each service in any fashion. Users that can manage administrator roles will also be able to delete any or all of the actions configured for a service.

Refreshed Workspace ONE Access Navigation Pages

We are adding new navigation pages to the Workspace ONE Access console that were refreshed with an up-to-date design. The following pages have a fresh look and feel.

  • UEM Integration page

  • Directory page

  • Identity Provider page

Before You Begin

Component Compatibility

Windows Server Supported

Workspace ONE Access Connector 23.09 supports the following versions.

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2

Web Browser Supported

  • Mozilla Firefox, latest version

  • Google Chrome, latest version

  • Safari, latest version

  • Microsoft Edge, latest version

Directory Server Supported

  • Active Directory - Windows Server 2022, Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2 with a Domain functional level and Forest functional level of Windows 2003 or later.

  • OpenLDAP - 2.4

  • Oracle LDAP - Directory Server Enterprise Edition 11g, Release 1 (

  • IBM Tivoli Directory Server 6.3.1

Virtual Apps Compatibility

The Workspace ONE Access 22.09 connector supports VMware Horizon, Horizon Cloud Service, Citrix, and ThinApp integrations with the Virtual App service.

The following versions of Citrix are supported: Citrix Virtual Apps and Desktops 7 2203, Citrix Virtual Apps and Desktops 7 1912 LTSR, XenApp and XenDesktop 7.15 LTSR, and XenApp and XenDesktop 7.6 LTSR. The following versions of Citrix Gateway are supported: 12.1-62.27, 12.1-65.25, and 13.1-37.38. The connector supports the Citrix StoreFront API and does not support the Citrix Web Interface SDK.

For supported Horizon versions, see the VMware Product Interoperability Matrix.

Compatibility Matrix

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon.


Upgrade to VMware Workspace ONE Access Connector 23.09 (Windows)

Upgrade to Workspace ONE Access connector 23.09 is supported from versions,, 22.05,, and

See the Upgrading to VMware Workspace ONE Access Connector 23.09 guide for information.

Migrating to Workspace ONE Access Connector 23.09 (Windows)

You can migrate to Workspace ONE Access connector from the same versions as those supported for

From Workspace ONE Access connector version 19.03.x, a migration path to version 22.09 is available. The process includes installing new 22.09 connectors and migrating your existing directories and virtual apps collections to the new connectors. Migration is a one-time process, and you must migrate directories and virtual apps collections together.

After the migration is complete, you no longer need the Integration Broker for Citrix integrations. The required functionality is now part of the Virtual App service component of the Workspace ONE Access connector.

See Migrating to VMware Workspace ONE Access Connector 22.09 guide for information.

After migrating the legacy connectors to version 22.09, you can upgrade them to 23.09.


The VMware Workspace ONE Access documentation is in the VMware Workspace ONE Access Documentation Center.

For environments that have a tenant URL ending in, see the setup documentation specific to your supported product:

Support Contact Information

Contact VMware Support when you need help with your Workspace ONE Access environment. You can submit a support request to VMware Support online using your VMware Customer Connect account or by phone. KB article 2151511, How to access VMware Workspace ONE Support describes how to contact Workspace ONE Support.

For environments that have a tenant URL ending in, please contact support for the product that granted you access:

check-circle-line exclamation-circle-line close-line
Scroll to top icon