VMware Identity Manager 2.9.1 Release Notes

What's New for VMware Identity Manager 2.9.1

VMware Identity Manager 2.9.1 includes support for the following new features.

Authentication and Access

  • Office 365 Conditional Access Enhancements

    VMware Identity Manager already provides conditional access control for Office 365 clients using Modern Authentication. There are other Office 365 clients, however, that use legacy username/password authentication. With this update of VMware Identity Manager, admins can increase security and reduce risk of data loss by using enhanced conditional access policies to control clients such as native iOS and Android email apps, older versions of Office, and email clients such as Thunderbird. This feature works for both managed and unmanaged devices.

  • Group Based Conditional Access Policies

    Now you can apply different policies for authentication based on user's group membership. This feature can be used to enforce fine grained access policies. For example, requiring multi-factor authentication only for contractors.

  • Configurable Login Experience

    You can now configure the login experience for your users. You can choose to let users provide email address, employeeID or other attributes such as username.

  • Custom branding is enhanced to include the use of color transparency for background images


  • SAML Enhancements
    • Support for HTTP POST SAML binding when configuring third-party identity providers.
    • You can generate a Certificate signing Request (CSR) from the admin console and use it for generating a certificate from a certificate authority for SAML signing.
    • Support for encrypted SAML response.
  • Default launch option for Horizon apps and desktops

    A default launch option has been added with this release. Users can now set their preference of launching apps from the Browser or Native Client when launching apps or desktops. Admins also are now able to set this globally for all users as a managed setting that enforces the same behavior for all users.

  • Access Policy

    Improved access policy to include support for Horizon desktops and apps.

  • Custom ID Mapping for Horizon Cloud

    Just like SAML apps support has been added for additional username formats between IDM and Horizon Cloud.

  • Directory and Horizon Performance

    Both Active Directory and Horizon sync can now be configured to sync on shorter 15 minute intervals.


  • VMware Identity Manager for Windows (with AirWatch)

    The VMware Identity Manager server is also available on Windows and included with AirWatch installer.

  • VMware Identity Manager Enterprise System Connector for Windows with AirWatch

    The VMware Identity Manager connector can be installed on Windows. The Enterprise System Connector installer includes the option to install AirWatch Cloud Connector or the VMware Identity Manager Connector. See The VMware AirWatch 9.1 release notes for more information.

  • Easily migrate from AirWatch Cloud Connector (ACC) to VMware Identity Manager connector for connecting to AD/LDAP

    If you are using ACC to connect to Active Directory and want to migrate to using the VMware Identity Manager connector to take advantage of additional capabilities such as MFA, Horizon & Citrix integrations, you can do it by clicking on the Convert button under Other Directory configuration used for ACC integration. All application entitlements are preserved with this change.

  • Citrix XenApp and XenDesktop Integration

    With the EOL from Citrix of Citrix Web Interface. Citrix XenApp and XenDesktop integration has been migrated to using the Citrix Storefront SDK.


VMware Identity Manager 2.9.1 is available in the following languages:

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese
  • Korean
  • Taiwan
  • Russian
  • Italian
  • Portuguese (Brazil)
  • Dutch

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.0 U2+, 5.1+, 5.5, 6.0+

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and Horizon 7.

Browser Compatibility for the VMware Identity Manager Administration Console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

For other system requirements, see Installing and Configuring VMware Identity Manager guide.

Upgrading to VMware Identity Manager 2.9.1

To upgrade to 2.9.1, see Upgrading to VMware Identity Manager. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Note: Existing customers will upgrade to 2.9.1. Version 2.9 was not released externally.

Before you upgrade from the 2016.11.1 connector to the latest connector, see the KB article 2149179 Upgrading from VMware Identity Manager Connector 2016.11.1

Transport Layer Security (TLS) 1.0 is disabled by default in VMware Identity Manager 2.6 and later

Beginning with VMware Identity Manager 2.6, TLS 1.0 is disabled. We recommend that you update products configurations to use TLS 1.1 or 1.2.

External product issues are known to occur when TLS 1.0 is disabled. If your implementation of Horizon, Horizon Air, Citrix, or the load balancer in VMware Identity Manager has a dependency on TLS 1.0, or if you are using Office 365 active flow, follow the instructions in KB 2144805 to enable TLS 1.0.

Windows 2008 R2, 2012, and Windows 7 operating systems do not have TLS1.1 and 1.2 available by default. This can cause issues when connecting to VMware Identity Manager 2.8. See the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols.

Bulk Sync Changes in VMware Identity Manager 2.9.1

In 2.8.1, bulk sync was processed with 4 threads per CPU through a global config parameter in the database called 'bulkSyncThreadLimitPerCPU=4'

In 2.9.1, the number of threads for bulk sync processing is not based on CPU. It is an absolute number configured in the global config parameter called 'bulkSyncSharedThreadCount'. The recommended value is the same as the number of CPUs on a node. The thread value must be added manually on all nodes and requires a restart of the node.

After upgrading to 2.9.1, Set the thread count in the system config parameter, /SAAS/jersey/manager/api/systemconfigparameter/bulkSyncSharedThreadCount in all nodes and restart the node.


To access the VMware Identity Manager 2.9.1 documentation, go to the VMware Identity Manager Documentation Center.

Known Issues

  • Generating CSR in Safari Browser Fails

    Safari browsers does not support downloading of the CSR that is generated.

    Workaround. Select and copy the CSR manually and save to a text editor.

  • Terms of Use with Workspace ONE with Android Does Not Work

    If the Terms of Use feature is enabled, users that download Workspace ONE for Android versions prior to the release of Workspace 3.0 for Android can possibly get a stack track exception error after they log in. The user portal cannot be launched.

    Workaround. Do not enable the terms of use for Android devices until the Workspace ONE 3.0 for Android app is released.

  • CSR for a signature algorithm SHA1 is not populated on the signing certificate

    The strongest available key is always selected. If your organization already uses RSA, SHA256withRSA key, this key is used because a key with algorithm RSA, SHA1with RSA is the lower priority key.

  • Horizon 7 and Citrix Xenapp might not launch on managed devices

    When a XenApp and Horizon 7 app is redirected to unmanaged Citrix Receiver or unmanaged Horizon Client, the apps are not launched. Workaround. Uninstall the unmanaged clients. XenApp and Horizon 7 apps that are redirected to a managed Citrix Receiver or Horizon Client launch successfully.

  • When using an iOS device to launch a Xenapp, the domain selection screen displays

    There is no workaround.

  • Issues with Access Point integration with VMware Identity Manager

    • Admin users logging in from external networks will not be able to access the admin console from their portal page when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Administrators should VPN into the internal network to access the admin console from an external network.

    • ThinApp packages cannot be downloaded when the Access Point appliance is deployed as a reverse proxy for VMware Identity Manager.

      Workaround: Set the ThinApp package installation mode to COPY_TO_LOCAL (default) or RUN_FROM_SHARE.

Have more questions? Submit a request


Article is closed for comments.