VMware Identity Manager 2.7 Release Notes

VMware Identity Manager 2.7 | 29 JUNE 2016 | Build 4063461

VMware Identity Manager Connector 2016.6.1 | 29 JUNE 2016 | Build 4063462

VMware Identity Manager Desktop 2.7.0 | 29 JUNE 2016 | Build 4049873

VMware Identity Manager Integration Broker 2.6 | 17 MARCH 2016 | Build 3561485

Release date: June 29, 2016

Updated July 19, 2016

What's in the Release Notes

The release notes cover the following topics:

What's New

This version of VMware Identity Manager includes support for the following new features.

Workspace ONE Application

  • Workspace ONE app providing standalone Mobile Application Management features

    You can use the Workspace ONE app to distribute public mobile applications to unmanaged devices through the Workspace ONE app catalog. Users can single sign-on between the Workspace ONE app and productivity apps from VMware - AirWatch Browser and Secure Content Locker, and any custom app built using the AirWatch SDK. And, when the device goes out-of-compliance (such as jail broken), the Workspace ONE app, productivity apps, and any custom app built using AirWatch SDK self-destruct.

  • Workspace ONE app providing Adaptive Management

    Users can start using the Workspace ONE app in standalone Mobile Application Management (MAM) mode and progress to OS MAM when an application with a lock icon in the catalog is selected for installation. Once, the user enrolls the device into OS MAM, the lock icon goes away. The user can now install all the apps from the catalog. Users no longer have to install AirWatch agent to get their devices enrolled into OS MAM. Available now for iOS and Windows devices with support for Android devices coming soon.

Authentication and Access

  • OneTouch SSO and device compliance check for Android, Window 10, and Mac OS devices

    The convenient OneTouch SSO available for iOS is now available for the rest of the platforms, including Android, Windows 10 and Mac OS. In addition, administrators can configure conditional access policies that check for the device posture. When these devices go out of compliance, the sign in access is blocked to the applications.

  • LDAP Directory support

    Connect any LDAP directory (such as OpenLDAP) and not just Active Directory to authenticate users.


  • Simplified deployment of Integration Broker for Citrix Integration

    Making the Integration Broker accessible from the Internet is no longer a requirement. All communication between the service and the Integration Broker is now through the VMware Identity Manager Connector. You must install or upgrade to the new connector version released June 2016.

  • Changes required for VMware Identity Manager Cluster
  • For high-availability, if you deployed two VMware Identity Manager appliances in a cluster, beginning with 2.7, you must have a minimum of three appliances in the cluster to ensure consistent search results for users and groups data.


VMware Identity Manager 2.7 is available in the following languages:

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.0 U2+, 5.1+, 5.5, 6.0+

Browser Compatibility for the VMware Identity Manager administration console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and View.

Upgrading VMware Identity Manager 2.7

See the Upgrading to VMware Identity Manager 2.7. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

During the upgrade of VMware Identity Manager to 2.7, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issue are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager have a dependence on TLS 1.0 follow the instruction in KB 2144805 to enable TLS 1.0.


To access the VMware Identity Manager 2.7 documentation, go to the VMware Identity Manager Documentation Center.

Known Issues

  • New KDC Certificate to use in MDM profile cannot be downloaded
    Sometimes when you click Download Certificate in the Built-in identity provider, the KDC certificate does not download.

    Workaround: Manually download the KDC root certificate. Sign in to VMware Identity Manager admin console and in the browser address bar enter as
    https://<myco.example.com>/SAAS/jersey/manager/api/kdcrootcertificate. Save the KDC-root-cert.cer file to a location that can be accessed from the AirWatch console.

  • When connectors are set up in an HA enviornment, when a connector is disabled, when a second connector is associated with the directory, the sync can take some time. The server does not give any notification that it is syncing.

    Workaround: No workaround. Please wait.

  • Users unable to log in with RSA SecurID token in a load-balanced environment

    When users are using RSA SecurID authentication in a load-balanced environment, if they are prompted for 'Next Token' or 'Collect Pin', or if a 'Pin Error' occurs, and if the request is redirected to another connector for handling such scenarios, they might be unable to log in.

    If your deployment has multiple connector appliances, you must enable the sticky session setting on the load balancer.

  • Rest View desktop option does not work from the Workspace ONE luancher page

    Users cannot reset their unresponsive View desktops from the VMware Identity Manager apps portal.

    Workaround: Administrators can reset the user's View desktop.

  • Issues with Access Point integration with VMware Identity Manager

    • Admin users logging in from external networks will not be able to access the admin console from their portal page when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Admins should VPN into the internal network to access the admin console from an external network.

    • Certificate based authentication does not work when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: No workaround available. Certificate based authentication cannot be set for external users that are proxied by Access Point.

  • ThinApp packages cannot be downloaded when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

    Workaround: Set the ThinApp package installation mode to COPY_TO_LOCAL (default) or RUN_FROM_SHARE.

  • The time format does not fallback correctly when browser's locale is da_DK

    For local da_DK (Denmark) the time in hours, minutes, seconds that appears in the Last Sync column in the Identity & Access Management > Directories page displays with dots instead of a colon. Example, 11.15.12 instead of 11:15:12.

    Workaround: There is no workaround.

  • XenApp cannot be launched with Chrome 42 and above
    XenApp cannot be launched from the Google Chrome 42 and later browsers because Chrome no longer supports NPAPI plugins.

    Workaround: For Chrome 42, 43, and 44, you can enable NPAPI. Beginning with Chrome 45, NPAPI is no longer available.

    To enable the plugin, type "chrome://flags/#enable-npapi" into your Chrome browser bar and click Enable under the section EnableNPAPI. Restart Chrome.

  • When two or more applications are launched using HTML Browser, the browser tab that shows the applications is not in focus
    When users launch a Horizon app from their apps portal, their browser focus is directed to the tab where the app is open. When a second Horizon app is launched from the apps portal, the users' focus remain on their apps portal page.

    Workaround: Users can navigate to the tab where the Horizon apps are running to access them.