See What’s New in VMware Identity Manager 3.2

Mar 15, 2018
Ben Siler


Ben Siler is a product manager for VMware End-User Computing (EUC).


VMware Workspace ONE provides a consumer simple, enterprise secure platform for all the apps your employees need, helping you build a digital workspace that protects your data and empowers your users. As we release the VMware Identity Manager 3.2 component of Workspace ONE, we’re focused on providing secure, simple access to all the apps your users need on all their devices. As our research shows, simple access to the apps workers need leads them to report a 34% increase in personal efficiency and a 100% increase in their level of customer service.


Figure 1. The digital workspace increases worker efficiency, improves customer service, and increases business revenue.

With Identity Manager 3.2, we make it easier for you to complete your digital workspace with Workspace ONE. This release introduces new app types and access methods, new role-based control for admins, new admin usability improvements, and new end-user usability improvements.

New app types and access methods



Figure 2. OpenID Connect is an SSO protocol maintained by the OpenID Foundation.

We’ve added full-fledged support for OpenID Connect (OIDC) apps in Identity Manager and the Workspace ONE app and web portal. OIDC is an SSO protocol that is functionally very similar to SAML—it allows an identity provider (IdP) such as Identity Manager to authenticate users and then SSO those users into applications. For example, Identity Manager could authenticate a user using password-free Mobile SSO and then use OIDC to SSO the user into their Amazon Web Services account.

Although OIDC plays a similar SSO role to SAML, it’s also different in a few important ways: it’s based on JSON, rather than XML, which leads to lighter payloads—in general, OIDC is less verbose than SAML. OIDC’s JSON tokens can also avoid security vulnerabilities related to XML parsing in SAML. For mobile or web app developers, the ease of parsing JSON in JavaScript and the ubiquity of high-quality OIDC libraries such as AppAuth make OIDC an easy choice for new app development. The new OIDC features in Workspace ONE help you future-proof your digital workspace with support for upcoming apps, as well as giving any internal app developers at your company an attractive authentication protocol to work with.
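The SSO flow described above ends with the application receiving a signed JSON token (an ID token) from the IdP, and the security of the whole exchange depends on the application validating that token before trusting the identity inside it. The following is an added example, not VMware's code or part of Identity Manager: it mints and then validates an OIDC ID token using only the Python standard library. It assumes an HS256 signature with a shared client secret so that it runs without third-party libraries; a production IdP would normally sign with RS256 and publish its keys via a JWKS endpoint, so a real client would verify an RSA signature instead. The issuer, client ID, secret and claims are constructed placeholder values.

```python
"""
Added example (not VMware's code): minimal OpenID Connect ID token validation.
An ID token is a JWT with three base64url segments: header.payload.signature.
The relying party must verify the signature and the iss/aud/exp/nonce claims
before trusting the identity. HS256 is used here only to keep the example
dependency-free; real IdPs typically sign with RS256 and publish JWKS keys.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://idm.example.test"         # constructed placeholder IdP URL
CLIENT_ID = "workspace-one-demo-client"     # constructed placeholder audience
CLIENT_SECRET = b"constructed-demo-secret"  # constructed HS256 signing key


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore padding before decoding an unpadded base64url segment."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP side: build an HS256-signed ID token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, key: bytes, expected_nonce: str,
                      now: Optional[int] = None) -> dict:
    """Relying-party side: return verified claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the client expects; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to inspect.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def check_id_token(token: str, key: bytes, expected_nonce: str,
                   now: Optional[int] = None) -> Tuple[bool, object]:
    """Convenience wrapper: (True, claims) or (False, reason)."""
    try:
        return True, validate_id_token(token, key, expected_nonce, now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample claims for a user signed in via the IdP.
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "iat": 1_600_000_000, "exp": 1_600_003_600, "nonce": "n-1"}
    token = mint_id_token(claims, CLIENT_SECRET)
    print(check_id_token(token, CLIENT_SECRET, "n-1", now=1_600_000_100))
    # Tamper with the payload while keeping the original signature.
    h, _, s = token.split(".")
    forged = h + "." + b64url_encode(json.dumps({**claims, "sub": "admin"}).encode()) + "." + s
    print(check_id_token(forged, CLIENT_SECRET, "n-1", now=1_600_000_100))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the client rather than taken from the token, and the nonce ties the token to the specific login request so a captured token cannot be replayed into a different session.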

We’ve also included support for new ways to access existing app types. In partnership with F5 Networks, we’ve added the ability for your users to launch Horizon resources using an Identity Manager instance and Horizon client on the internet, with F5 APM and the Horizon Server on premises. For customers who want to fulfill their goal of allowing access to all apps, no matter where users are and what devices they use, this change allows you to safely give workers at home, at the airport, or at the coffee shop access to on-premises Horizon apps and desktops.


Figure 3. Users outside your network can safely access on-prem Horizon apps and desktops.

Role-based access control for admins

Role-based access control (RBAC) allows you to follow the security principle of least privilege, ensuring your Identity Manager admins have access only to the features they need to do their jobs. By default, you have access to three built-in roles: super admin (able to do anything in the Identity Manager Console), directory admin (able to manage users, groups, and directories), and read-only admin (only able to view reports). In addition, you can create custom admin roles that have only the exact privileges your admins need.

Limiting admins to a subset of Identity Manager adds another level to your defense-in-depth strategy for your digital workspace. For detailed information on how to implement RBAC in Identity Manager, see this blog post.


Figure 4. RBAC allows you to follow the principle of least privilege, giving admins only the permissions they need for their jobs.

Admin console usability improvements

To make it easier for you to manage access in your digital workspace, we’ve updated the Identity Manager admin console for better usability. Our changes focus on intuitive discovery of the settings you need, making it easier to manage virtual apps, set up SaaS apps, and change general settings. We’ve also simplified the policies and network ranges settings, making it easier for you to set up the interdependent settings that protect your digital workspace.

For full info on all the usability improvements in 3.2, see this detailed blog post.

End-user usability improvements

As mentioned at the top of this blog post, simple access to the apps employees need on all their devices is proven to boost productivity, delight users, and help the business meet its financial goals. Simplifying access for employees is a big part of creating a true digital workspace, so we’ve added new end-user experience features that make it easier for your users to get simple, intuitive access to the apps they need:

  • Better VMware Tunnel experience. Per-App VPN provides a premium experience for users who need to securely access on-prem apps—rather than having to use a VPN client for their entire device (which can be especially frustrating on iOS and Android and raises privacy concerns about traffic from personal apps), users instead just click any app in Workspace ONE to get a secure, silent connection to VPN-only resources. Although Per-App VPN greatly improves user experience once it’s set up, it can be difficult for users to discover how to configure it on their devices. Rather than relying on users following instructions from IT, this update lets users configure VMware Tunnel themselves by informing them in the UI when an application has a dependency on the Tunnel app. Workspace ONE guides users through the process of downloading the Tunnel app and initializing the Tunnel service. The Tunnel installation and redirect will be available for Android devices when the Workspace ONE for Android application v3.2.1 is released.
  • Intuitive Catalog tab launch. The Workspace ONE app and web portal normally start up in the Bookmarks tab, giving users simple access to the apps they use most. If users don’t have any apps in their Bookmarks, however, they may find the empty Bookmarks tab to be confusing. We’ve updated the Workspace ONE app and portal to start on the Bookmarks tab if the user has Bookmarks and to start on the Catalog tab if the user does not have any bookmarks, allowing them to discover apps and add their own Bookmarks.
  • Admin-defined Bookmarks. Admins can simplify access to frequently used apps by providing a default set of apps in the Bookmarks tab. When employees log in for the first time, they’ll see the apps admins have handpicked for them, helping them get started quickly and decreasing the helpdesk tickets required for setting workers up with the apps they need.
  • Admin control of Bookmarks and Catalog tabs. Admins can hide either the Catalog or the Bookmarks tab in the Workspace ONE app and portal to provide the experience that best suits employee needs. When a tab is hidden, users do not see an option to bookmark any apps.

Simplifying Access with Workspace ONE

The Identity Manager component of Workspace ONE is a core part of Workspace ONE’s capability to build a digital workspace for your employees. Together with AirWatch technology, it provides the tools you need to simplify access to all your apps across worker devices. To learn more about what Workspace ONE and Identity Manager can do for you, contact your VMware account representative today.

Stay tuned for updates on VMware Workspace ONE by subscribing to our blog, and following us on Twitter and Facebook.
