VMware Identity Manager 2.6 Release Notes

VMware Identity Manager 2.6 | 17 MARCH 2016 | Build 3644744

VMware Identity Manager Connector 2016.3.1 | 17 MARCH 2016 | Build 3645391

VMware Identity Manager Desktop 2.4.1 | 17 MARCH 2016 | Build 3591855

VMware Identity Manager Integration Broker 2.6 | 17 MARCH 2016 | Build 3561485

Release date: March 17, 2016

Updated May 20, 2016

What's New

This version of VMware Identity Manager includes support for the new Workspace ONE mobile experience and enhanced integrations with AirWatch, VMware Horizon, third-party identity providers, directory connector, and Citrix remote apps.

Workspace ONE Experience

  • Support for VMware Workspace ONE app for mobile devices

    The Workspace ONE app displays the user's application entitlements integrated within VMware Identity Manager 2.6. Users can launch these applications with single sign-on (SSO) based on VMware Identity Manager access policies. On AirWatch managed devices, the Workspace ONE app will also display native mobile apps as a unified catalog view and allow users to install them on the device. Users can download the Workspace ONE app from the Apple App Store, the Google Play Store, and the Windows 10 Store.

  • Improved one-touch single sign-on from iOS devices using embedded KDC.

    VMware Identity Manager provides one-touch mobile single sign-on that allows users to sign in to applications from mobile devices without entering passwords. For iOS devices, it requires integration with Microsoft Kerberos KDC. Now with this update, the KDC is included with VMware Identity Manager, removing this external dependency and speeding up the setup process.

  • Web portal redesigned for the Workspace ONE experience

    The 2.6 release includes a new Web portal redesigned for the Workspace ONE experience. We recommend that customers upgrading from a previous release enable this portal in the admin console, on the Catalog > Settings > New End User Portal UI page.

  • Number of apps in the Cloud Application catalog expanded

    The Cloud Application catalog now includes approximately 100 Web app templates that can be downloaded to help administrators set up single sign-on to these SAML apps.

  • Persistent Cookie can be enabled on mobile devices

    Persistent cookies can be enabled to provide single sign-on between the system browser and native apps and single sign-on between native apps when apps use Safari View Controller on iOS devices and Chrome Custom Tabs on Android devices.

Authentication and Access

  • Device compliance check

    Administrators can configure a check of the compliance posture of devices when users sign in or access applications. This feature works for AirWatch managed iOS 9 devices in conjunction with the Built-in Kerberos authentication method enabled in the built-in identity provider.

  • Enterprise directory integration using AirWatch Cloud Connector

    Instead of using VMware Identity Manager Connector to integrate with an enterprise directory, such as Active Directory, now you can use AirWatch Cloud Connector (ACC). This speeds up deployment time and eliminates the need for deploying two connectors against Active Directory - one for AirWatch and the other for VMware Identity Manager.

  • Win10 and Mac OS X device types added to access policy rules

    The device types Win10 and Mac OS X are added to the list of device types in the access policy rules page. You can configure a policy rule with one of these device types and all authentication requests coming from that type of device, including native apps and browsers, use this policy rule.

  • Customized Access Policy Error Messages

    Administrators can set a customized error message that displays to the user when the access policy fails. For example, you can display a customized message that guides users through enrolling a device when they access a managed application from un-enrolled devices.

  • Single sign-out from third party identity providers

    When a third-party identity provider authenticates users into VMware Identity Manager, users can now be signed out from the third-party identity provider when they sign out from VMware Identity Manager.


  • Support for True SSO Horizon 7

    Horizon 7 True SSO (single sign-on) is supported for applications and desktops integrated with VMware Identity Manager. Users will never be asked to sign in to a True SSO enabled Windows resource when the resource is launched from the web portal.

  • Cloud Pod Architecture support for Horizon 6 and 7

    VMware Identity Manager 2.6 supports Horizon View Cloud Pod Architecture (CPA) for both applications and desktops. IDM supports one or more pod federations for high scalability in addition to continuing support for local pod entitlements simultaneously.

  • Support for XenApp and XenDesktop 7.x

    VMware Identity Manager can now integrate and launch Citrix XenApp and XenDesktop resources in the Web portal. The resources can be configured to route through Citrix Netscaler for larger deployments.

  • Updated Horizon Air BETA support

    VMware Identity Manager integrates Horizon Air apps plus static and dynamic desktops and allows them to be launched from the Web portal. Requires a Horizon Air tenant authorized to participate in the beta program (contact your Horizon Air representative).

Directory Management

  • Inbound SAML Just-in-Time (JIT) Provisioning

    With SAML JIT provisioning, you can use a SAML assertion to create users on demand the first time they try to log in to VMware Identity Manager using a third-party identity provider, eliminating the need for user accounts to be created in advance.

  • Same user name and group name allowed in multiple domains

    You can now sync users and groups that have the same username or group name across multiple Active Directory domains. The uniqueness rule was updated to be a combination of username or group name and domain. For example, the username Administrator can belong to an AD account in multiple Active Directory domains as well as to a local user account in the VMware Identity Manager service.

  • Connector enhancements

    The following enhancements have been made to the connector that integrates with Active Directory.

    • Active Directory (Integrated Windows Authentication) is now site aware. When DNS lookup is enabled, the connector discovers the domain controllers nearest to its location and connects to them. Administrators have the option to override the auto-discovered domain controllers by updating the configuration file.
    • Directories that use DNS Service Location lookup can be configured to use an SSL certificate for a secure connection.
    • Administrators can now choose to disable syncing nested Active Directory groups. Disabling the nested group sync helps reduce the load on Active Directory servers and speeds up syncing users and groups in VMware Identity Manager.


  • VMware Access Point availability as reverse proxy for VMware Identity Manager

    Access Point is now supported as reverse proxy in the DMZ for VMware Identity Manager. For compatibility with Access Point versions, see the VMware Product Interoperability Matrix.


VMware Identity Manager 2.6 is available in the following languages:

  • English
  • French
  • German
  • Japanese
  • Simplified Chinese

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.0 U2+, 5.1+, 5.5, 6.0+

Browser Compatibility for the VMware Identity Manager administration console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see Installing and Configuring VMware Identity Manager on the doc landing page.

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and View.

Upgrading from 2.4 to VMware Identity Manager 2.6

See the Upgrading to VMware Identity Manager 2.x from 2.4 guide. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

During the upgrade of VMware Identity Manager to 2.6, TLS 1.0 is disabled. We recommend that you update product configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager depends on TLS 1.0, follow the instructions in KB 2144805 to enable TLS 1.0.


To access the VMware Identity Manager 2.6 documentation, go to the VMware Identity Manager doc landing page and select On-Premises 2.6 from the drop-down menu.

Resolved Issues

  • Security Issue

    VMware Identity Manager 2.6 has been updated to address the glibc library CVE-2015-7547 security issue.

Known Issues

  • During a manual run of a directory sync, safeguard settings are not checked

    When you click Sync now on a directory page to manually start sync, the safeguard settings to limit the number of changes that can be made are not checked.

    Workaround: Set the Sync Frequency schedule to Every Hour for the quickest sync that checks the safeguard limits.

  • Cannot download the certificate in the Built-in IDP from the Internet Explorer browser

    When you open the Built-in IDP page in the admin console from Internet Explorer, the Download Certificate link displays an error message that the Built-in KDC is not configured.

    Workaround: Use Firefox or Chrome browsers to access the Built-in IDP to download the certificate.

  • Issues with Access Point integration with VMware Identity Manager 2.6

    • Admin users logging in from external networks will not be able to access the admin console from their portal page when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Admins should VPN into the internal network to access the admin console from an external network.

    • Certificate based authentication does not work when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: No workaround available. Certificate based authentication cannot be set for external users that are proxied by Access Point.

    • ThinApp packages cannot be downloaded when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Set the ThinApp package installation mode to COPY_TO_LOCAL (default) or RUN_FROM_SHARE.

  • Multiple users with same username unable to log in to the same VMware Identity Manager Desktop

    Multiple users that have the same username but belong to different domains are unable to log in to the same VMware Identity Manager Desktop. The first user is able to log in but subsequent users with the same username get the following error: The Identity Manager service is not available. Please try again later.

    Workaround: This problem occurs because the VMware Identity Manager Desktop device continues to be associated with the first user. After the first user logs out, to allow subsequent users with the same username to log in, either the administrator or the first user should delete the device from the administration console or user portal. The administrator can delete the device by selecting the Users & Groups > Users tab in the administration console, selecting the first user, and clicking Desktop Clients. Or the first user can delete the device by logging into the user portal, clicking the drop-down arrow next to the username in the top-right corner of the page, and selecting Devices.

  • The time format does not fall back correctly when the browser's locale is da_DK

    For locale da_DK (Denmark), the time in hours, minutes, and seconds that appears in the Last Sync column in the Identity & Access Management > Directories page displays with dots instead of colons. For example, 11.15.12 instead of 11:15:12.

    Workaround: There is no workaround.

  • Installing a new Integration Broker does not remove the existing one

    Workaround: Uninstall the existing Integration Broker before installing a new one.

  • XenApp cannot be launched with Chrome 42 and above

    XenApp cannot be launched from Google Chrome 42 and later because Chrome no longer supports NPAPI plugins.

    Workaround: For Chrome 42, 43, and 44, you can enable NPAPI. Beginning with Chrome 45, NPAPI is no longer available.

    To enable the plugin, type "chrome://flags/#enable-npapi" into your Chrome browser bar and click Enable under the section Enable NPAPI. Restart Chrome.

  • When two or more applications are launched using HTML Browser, the browser tab that shows the applications is not in focus

    When users launch a Horizon app from their apps portal, their browser focus is directed to the tab where the app is open. When a second Horizon app is launched from the apps portal, the users' focus remains on their apps portal page.

    Workaround: Users can navigate to the tab where the Horizon apps are running to access them.