This article covers what's new in the November release of one of the lesser known pieces of VMware's EUC proposition: VMware Identity Manager.
Windows 10 and Mac OS X Access Policies
VMware Identity Manager provides a conditional access policy engine you can use to apply different authentication methods based on the user’s device, network (location), and application. With this new release, you can apply different authentication policies if the device type is Windows 10 or Mac OS X, in addition to the previous iOS, Android, Web browser, and all other devices. If a particular device type such as Windows 10 is selected, then all authentication requests coming from that device, including native applications and browsers, use this policy.
To access conditional access policies, from the Administration console, click the Identity & Access Management tab, and click Policies.
Figure 1: Edit Policy Rule Window
Custom Access Policy Error Message
Now administrators can set a customized error message that displays to the user when the access policy fails. For example, you can display a customized message that guides users through enrolling a device when they try to access a managed application from an unenrolled device.
Figure 2 shows how the administrator can set up the customized error message.
Figure 2: Setting Up a Customized Error Message
After you customize the error message, the end user sees the message on their device, as shown in Figure 3.
Figure 3: Customized Error Message
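The following is an added illustration, not VMware's code or the product's actual policy schema, of how the two features above fit together: rules are evaluated in order, the first rule whose device type (including the new Windows 10 and Mac OS X types, with "All Device Types" as the catch-all) and network range match supplies the authentication chain, and a request that matches no rule returns the administrator's customized message instead. The rule field names, the 10.0.0.0/8 internal range, the authentication method names and the message text are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Device types the policy engine can distinguish; Windows 10 and Mac OS X are the
# additions described above. "All Device Types" is the catch-all for other devices.
DEVICE_TYPES = {"Windows 10", "Mac OS X", "iOS", "Android", "Web Browser", "All Device Types"}

@dataclass
class PolicyRule:
    device_type: str          # one of DEVICE_TYPES (field names are assumptions, not the product schema)
    network_ranges: tuple     # CIDR strings; an empty tuple matches any network
    auth_methods: tuple       # ordered chain of authentication methods to attempt

@dataclass
class AccessPolicy:
    rules: tuple              # evaluated top to bottom; the first matching rule wins
    failure_message: str      # customized message shown to the user when no rule matches

def rule_matches(rule: PolicyRule, device_type: str, client_ip: str) -> bool:
    if device_type not in DEVICE_TYPES:
        raise ValueError(f"unknown device type: {device_type}")
    if rule.device_type not in ("All Device Types", device_type):
        return False
    if not rule.network_ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.network_ranges)

def evaluate(policy: AccessPolicy, device_type: str, client_ip: str):
    """Return (auth_methods, None) for the first matching rule, or (None, failure_message)."""
    for rule in policy.rules:
        if rule_matches(rule, device_type, client_ip):
            return rule.auth_methods, None
    return None, policy.failure_message

# Constructed sample policy: internal Windows 10 clients use Kerberos, any other Windows 10 or
# Mac OS X client needs password plus a second factor, and remaining device types are only
# allowed from the internal range. 10.0.0.0/8 and the message are example values.
CORPORATE = ("10.0.0.0/8",)
SAMPLE_POLICY = AccessPolicy(
    rules=(
        PolicyRule("Windows 10", CORPORATE, ("Kerberos",)),
        PolicyRule("Windows 10", (), ("Password", "RSA SecurID")),
        PolicyRule("Mac OS X", (), ("Password", "RSA SecurID")),
        PolicyRule("All Device Types", CORPORATE, ("Password",)),
    ),
    failure_message="This device is not enrolled. Install the enrollment app and sign in again.",
)
```

An Android request from outside the internal range matches no rule, so the user sees the enrollment message rather than a generic failure.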
Single Sign-On with Safari View Controller on iOS and with Chrome Custom Tabs on Android
With iOS 9, Apple added a new Safari View Controller class for developers to use in applications for browser access, instead of an embedded WebView. Similarly, Google added the new Chrome Custom Tabs feature for browser access in Android applications, instead of using WebView. Both of these capabilities allow users to sign in once to the device and then achieve single sign-on between the system browser and native applications using Safari View Controller or Chrome Custom Tabs, respectively. To use this feature, enable the Persistent Cookie for User Sessions check box as shown in Figure 4. The cookie time-out can be adjusted from the Access Policy Rule definition, accessible from the Identity & Access Management tab, then Manage, and Policies. Follow the steps as presented in the following figure.
Figure 4: Setting Up Single Sign-On
- From the Identity & Access Management tab, click the Setup button.
- Click the Preferences tab.
- For Persistent Cookie for User Sessions, select Enable Persistent Cookie.
Same User Name and Group Name Now Allowed in Multiple Domains
An important feature of VMware Identity Manager is that you can abstract multiple Active Directory (AD) instances within an enterprise to create a single point of policy management. In the past, if you had multiple ADs connected to a single VMware Identity Manager tenant, you were not able to synchronize users with the same user name across multiple ADs because they were treated as duplicates. Now you can synchronize those users because we have updated the user uniqueness rule to be a combination of user name plus domain name. This allows a user name such as Administrator to have an AD account in multiple AD domains as well as a local user account in VMware Identity Manager. Similarly, now you can have the same group name synchronized into VMware Identity Manager from multiple AD domains, or create a local group with the same name.