What’s New in VMware Workspace ONE Nov 2016 Release
- Workspace ONE App Updates
- Deliver internal enterprise mobile apps to unmanaged devices
- Adaptive management for Android devices
- Open-in VMware Browser
- Conditional Access & Password Management
- Conditional access for Horizon and Citrix apps
- Conditional access for local users
- Conditional access for internal apps using OAuth2.0
- Self-service Active Directory change password
- Workspace ONE Getting Started wizard in VMware AirWatch console
- Local directories and users
- User provisioning to Office 365 and Google Apps
- External approval support for VMware Horizon & Citrix apps
- VMware Identity Manager (IDM) 2.8 on-premises virtual appliance: Nov 17, 2016
- Feature availability schedule for VMware IDM cloud
- North America data center: Nov 17, 2016
- EMEA and APAC data centers: Nov 30, 2016
- Download for on-prem appliance and connector for IDM cloud is available through both AirWatch and my VMware customer portals.
Now, let’s dig deeper into each new Workspace ONE release feature.
Workspace ONE App Updates
One of the key feature Workspace ONE provides is access to apps on personal devices in bring-your-own-device (BYOD) environments. With this release, you can distribute not only public mobile apps but also internal enterprise mobile apps to unmanaged devices through the Workspace ONE app. These internal enterprise mobile apps do not have to be built using AirWatch software development kit (SDK); if they use AirWatch SDK, the app gets containerized and you get additional control over remote wiping the data from these apps when the user leaves the company or the device gets compromised, such as jail broken.
***** Update Jan 6, 2017 *****
The feature of app containerization when using AirWatch SDK along with Workspace ONE app listed above is not generally available (GA) yet, and teams are working on delivering it soon. I’ll update the post as soon as it becomes available. Apologies for any confusion it may have caused.
Further, if you want to control remote wipe of data for public mobile apps, you can push a security profile to the device and bring these apps under management through a process called adaptive management. This new process was introduced for the iOS version of Workspace ONE app in Jun 2016. With this release, the same capability of adaptive management has been made available to the Android version of Workspace ONE app.
Another feature added to Workspace ONE app is the choice provided to administrators to have a web app open in either mobile system browser, such as Safari on iOS or Chrome on Android) or in the VMware Browser on those platforms. VMware Browser not only provides connectivity to on-premise intranet apps from unmanaged devices without VPN, but also control to admins to remotely wipe the corporate data from the browser cache when the user leaves the company or device gets compromised.
Conditional Access & Password Management Updates
Workspace ONE provides a powerful access control plane that utilizes contextual information from the device, network and/or app to determine if access should be denied, allowed or the user prompted for additional form of authentication, also called step-up authentication. These capabilities were available for web apps accessed by Active Directory (AD)users.
Update #1: With this release, conditional access policies can now be configured for Horizon and Citrix apps, as well as for local users managed by Workspace ONE with built-in local directory.
Update #2: Another question I often get from customers is how can they add the power of conditional access to their internally developed enterprise mobile and web apps. The solution for it is to integrate your app with Workspace ONE using OpenID Connect that leverages OAuth 2.0 underneath. We’ve published how-to guides with step-by-step instructions, along with a sample app to get you started.
Update #3: In June, Workspace ONE introduced a built-in two-factor authentication solution VMware Verify for cloud deployments. The same feature is now available in the on-premises build of VMware IDM 2.8. In addition, you can now apply custom branding to the VMware Verify mobile app. VMware Verify is now available as Chrome app in addition to iOS and Android.
Update #4: Change AD passwords on the go. With this feature, users can change their AD password anytime from Workspace ONE app on mobile devices or portal from desktop browser. Also, if the AD password is expired, the next time users log in to Workspace ONE, they are asked to change their password. This feature requires use of VMware IDM connector to connect to AD. Additional self-service AD password management features, such as advanced notifications, forgot password flow, and others will be coming in later releases.
This section contains updates made to enhance the admin experience.
Update #1: Domain name label change for local admin login.When you log in as a local admin, you would see domain name selection changed in the drop down from “Local Users” to “System Domain.” This is just a label name change with no change to rest of the functionality. This change was done in order to introduce the new feature of “Local directories and users” described later in this section.
Update #2: Workspace ONE getting started wizard. AirWatch customers can now log in into AirWatch console and walk through the new Workspace ONE getting started wizard. The wizard configures VMware IDM basic settings behind the scenes with the goal of letting the AirWatch users log in to Workspace ONE app to access the app catalog. This wizard reduces the setup time dramatically for both cloud and on-premises deployments.
Update #3: Local directories. AD provides largely two main functions:
- Store user and group info
- Group policies for AD-joined computers.
As more and more workers use either iOS or Android devices or Mac and Windowns 10 laptops that are not joined to the AD domain, reliance on AD has dramatically decreased. You should be able to store user and group information outside of AD without breaking any use cases.
Workspace ONE now includes a scalable built-in directory that provides an admin interface for user management, as well as programmatic access over standards-based REST APIs following the SCIM protocol. You can create multiple directories, each with its own schema of required and optional attributes, such as one to store partner identities and other to store supplier identities. Included with it is also a robust password management for local users.
Update #4: User provisioning for Office 365 and Google Apps. If you are an Office 365 customer, you may already be using security and convenience features such as mobile single sign-on (SS), conditional access, device compliance and DLP. Check out this video to learn more. With this release, we bring additional security by automatically de-activating user accounts in Office 365 when users leave the company, rendering Office apps running on BYOD mobile devices with long-lived tokens (OAuth tokens) inaccessible. This should allow you to meet data protection needs of your organization even for BYOD devices. In addition, you can use this feature to automate user account creation when the user is entitled to Office 365, helping reduce administrative overhead.
If you are a Google Apps customer instead, you can also configure user provisioning connector to Google Apps, automating user create/update/deactivate tasks.
Update #5: External approval support for Horizon and Citrix apps. If you are already using an external approval workflow integrated with VMware IDM over REST APIs for approving self-service access request to web apps, now you can extend the same self-service access request for Horizon and Citrix apps.
Update #6: New connector version. If you are using VMware IDM connector to connect to AD or Horizon connection server, please upgrade it to the new version available from the download site.