VMware

VMware® Horizon Mobile™ 1.3.1 Release Notes

VMware® Horizon Mobile Manager™ 1.3 | 06 December 2012 | Build 926737

VMware Base Workspace Image | 22 April 2013 | Build 1032100

VMware Switch application | 22 April 2013 | Build 1042547

Last updated: 22 April 2013

What's in the Release Notes

These release notes cover the following topics:

Introducing Horizon Mobile

VMware Horizon Mobile enables enterprises to securely provision and manage corporate mobile workspaces on Android smartphones in isolation from employees' personal environments. This dual-persona solution makes corporate data more secure and enables enterprises to take advantage of employee-owned mobile devices.

Using Horizon Mobile features, you can enhance productivity by creating purpose-built, preconfigured native mobile workspaces based on each employee's responsibilities. Administrators can easily keep track of and manage corporate assets and applications on mobile devices through a Web-based portal. Security is seamlessly integrated with existing infrastructure to meet regulatory and compliance needs.

Internationalization

VMware Horizon Mobile workspaces are available in English, Spanish, French, German, Italian, Japanese, and Korean.

VMware Horizon Mobile Manager and online help for Horizon Mobile Manager are available in English, Spanish, and Japanese. To view the user interface in Spanish or Japanese:

  • For Spanish: You must set your Web browser locale to either the Spanish (es) or Spanish/Spain (es-ES) setting. Settings that use other regional codes for Spanish (such as es-AR) display English.
  • For Japanese: You can set your Web browser locale to either the Japanese (ja) or Japanese/Japan (ja-JA) setting.

System, Installation, and Configuration Requirements

The requirements are grouped as follows:

Mobile Device System, Installation, and Configuration Requirements

To run the workspace on a mobile device, the device must be a VMware® Ready™ smartphone. To verify that the device is a VMware Ready smartphone, view the list of applications installed on the device (for example, touch Settings > Apps > All) and verify that VMware Ready is listed. Do not root the phone or modify the Android operating system. After Horizon Mobile Manager is installed and configured in the organization to provide the server-side capability, device users can begin provisioning workspaces on their smartphones by installing the VMware Switch application from Google Play.

Note: If the organization's fleet manager has specified Enable VPN in the workspace's policy settings, before a device user touches the Switch icon to provision the workspace, the user should install the appropriate VPN client application from Google Play, and create a connection using the VPN connection settings appropriate for that workspace. The organization's fleet manager must provide users with the required VPN information.

After the VMware Switch application is installed to the device, touch the Switch icon. In the Set Up VMware Switch form, enter the following information:

  • The user name and password that are specified for that user in the directory service that is selected in your Horizon Mobile Manager configuration.
  • The login server URL that is specified in your Horizon Mobile Manager configuration.

The company name, logo, and usage terms (if defined in Horizon Mobile Manager) are displayed. Touch Next. The Switch application begins downloading the user's workspace. You can use the notifications display to see the progress. When the download process has completed, touch the Switch icon to complete the workspace setup on the device. Follow the onscreen instructions. If the Horizon Mobile Manager administrator has specified a required password protection policy for the workspace, you are prompted to create a password that adheres to that policy. After the password is created, the workspace opens.

Initial Email Settings

When the workspace opens for the first time, you are prompted to enter your email account credentials for the workspace's email application. Enter your email address and password and touch Next. Keep the displayed server address, or update it, and optionally enter a domain. Typically, the server address is set by the enterprise's administrator in Horizon Mobile Manager, and is provided in the email application in the workspace when it is downloaded to the device.

To skip the email setup, touch Manual Setup at the bottom left, and then touch Discard. When you next open the email application in the workspace, you are prompted to complete the email setup.

Using a Virtual Private Network (VPN)

When the organization's Horizon Mobile Manager fleet manager has enabled VPN in the device user's corresponding workspace policy, the user must have the appropriate VPN client installed from Google Play and configured with a connection that uses the appropriate corporate settings before provisioning the device. Otherwise, a policy violation occurs and the user cannot open the workspace. Obtain the name of the appropriate VPN client and the connection information from the organization's fleet manager.

Diagnostic Alerts on the Device

When the workspace's underlying operating system or a third party application running in the workspace fails, the failure generates a diagnostic log bundle and prompts the device user for permission to upload this bundle. If this occurs, please share the resulting diagnostic log bundle with VMware.

Identifying Software Version Numbers for the Horizon Mobile Components on the Mobile Device

Providing the software version numbers of the installed components to VMware Technical Support can aid in diagnosing the source of an issue. To see the software version numbers for the Horizon Mobile components, open the settings for the VMware Switch application, and view the diagnostics information; for example:

  1. Touch Settings > Apps > All
  2. In the displayed list, touch VMware Switch to view its settings.
  3. In the settings, touch Manage Space. In the Manage VMware Switch Settings display, touch Diagnostics. The software version numbers for the VMware Ready, VMware Switch, and the provisioned workspace are displayed. (If a workspace is not provisioned on the device, no workspace information is displayed.)

Providing the model number of the mobile device is also helpful in diagnosing issues that might occur. The model number is typically found in the device's About phone information. (See VMware Horizon Mobile Manager Installation and Configuration Guide for additional details.)

Horizon Mobile Manager System, Installation, and Configuration Requirements

Horizon Mobile Manager is distributed as an OVF 1.0 virtual appliance.

Minimum Requirements

For installing and running Horizon Mobile Manager, the minimum system requirements are:

  • OVF 1.0 compliant virtualization platform, such as vSphere version 4 or 5.
  • At least one NIC.
  • Intel or AMD x86 or x86_64 processor with at least two CPUs, each with a speed of at least 2GHz.
  • 4 GB RAM.
  • 2GB disk space when using thin provisioning, up to a maximum of 40GB. When using thick provisioning, 40GB disk space is required.
  • A Flash-enabled browser with Flash Player 10.1, to use the Horizon Mobile Manager configuration and administration interfaces. Use a recent browser version. Safari 5.x is not supported.

Appliance Configuration

When deployed in its default configuration, the appliance has the following hardware configuration:

  • CPUs: 2 vCPUs
  • Memory: 4GB
  • Hard disk: 2GB to start (thin provisioned) or 40GB (thick provisioned)

The appliance packages the following list of software:

  • SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64)
  • VMware® vFabric™ Postgres
  • OpenLDAP
  • Apache 2.2
  • Horizon Mobile Manager 1.3

For installation and configuration steps, descriptions of typical deployment scenarios and steps for verifying your setup, see VMware Horizon Mobile Manager Installation and Configuration Guide.

Supported User Store Directory Services

For the user store, by default the appliance contains a preconfigured OpenLDAP service. In the Horizon Mobile Manager configuration interface, you can select to use your own directory service. The directory service can be an LDAP service or a single-domain Active Directory. Use of multiple Active Directory domains is not supported.

When Horizon Mobile Manager is configured to use the Active Directory option, Horizon Mobile Manager uses the sAMAccountName property to search for a user. You cannot change this default behavior. When configured to use the embedded OpenLDAP service, Horizon Mobile Manager uses the UID property to search for a user. When you choose the option to use your own LDAP service, you can set a search key in the User search field, or keep the default (uid={0}).

The embedded OpenLDAP directory service is typically used for demonstration and test configurations. For information on working with the embedded OpenLDAP in Horizon Mobile Manager, see VMware Horizon Mobile Manager Installation and Configuration Guide.

Supported Databases

The appliance contains an embedded vFabric Postgres database. In the Horizon Mobile Manager configuration interface, you can select to use your own database. The following databases are supported: Microsoft SQL Server 2008 and Oracle 11g R2.

Supported SSL Certificates

Horizon Mobile Manager supports the use of SSL certificates issued by those certificate authorities (CAs) that are trusted by the Android operating system. In its default configuration, the embedded Apache server in Horizon Mobile Manager uses self-signed certificates. For information on how to replace the default certificates with your own, see VMware Horizon Mobile Manager Installation and Configuration Guide.

Enabling Remote Logins to Horizon Mobile Manager

By default, when the Horizon Mobile Manager appliance is deployed, you cannot log in from a remote machine as root. The default is the recommended setting. For the rare situation in which you want to enable logging into the appliance remotely, the settings in its embedded Linux operating system must be configured to allow remote incoming connections via SSH as root. After deploying the appliance, use these steps in the appliance's console:

  1. Log into the appliance.
  2. Navigate to the sshd_config file in the /etc/ssh directory.
  3. Edit the sshd_config file to comment out line 41 (PermitRootLogin no), and save the updated file.
  4. Navigate to the hosts.deny file in the /etc directory.
  5. Edit the hosts.deny file to comment out the All:All line, and save the updated file.
  6. Restart sshd with the new settings by running the /etc/init.d/sshd restart command.

Setting the Password Protection Policy for a Workspace

The password protection policy for a workspace is set in the Policy form in Horizon Mobile Manager. Because the workspace password protection policy is also used for the email application in the workspace, you should set the workspace password protection policy to the same strength and expiration settings as your email server's policy settings. For details about the workspace password protection settings, see the Horizon Mobile Manager Administration help.

Identifying the Software Version Number of your Horizon Mobile Manager Virtual Appliance

The software version of your installed virtual appliance is displayed in the appliance's console. For example, when working with the virtual appliance using VMware vSphere® Client™, you can see the version number by selecting the Horizon Mobile Manager virtual appliance and clicking Console. (For additional details, see VMware Horizon Mobile Manager Installation and Configuration Guide.)

Locating Diagnostic Information about the Horizon Mobile Manager Virtual Appliance

VMware Technical Support routinely requests the diagnostic information from you when a support request is addressed. This diagnostic information contains product specific logs from the embedded Apache server in the Horizon Mobile Manager virtual appliance. To obtain these server logs, use these steps in the appliance's console:

  1. Log into the appliance.
  2. Navigate to the /home/tcserver/tcserver-current/mmp/logs/ directory, and zip up the files in that directory. Copy the zip file to a location from where you can provide it in your support request.
  3. Navigate to the /home/tcserver/tcserver-current/mmp-config/logs/ directory, and zip up the files in that directory. Copy the zip file to a location from where you can provide it in your support request.

For additional details, see VMware Horizon Mobile Manager Installation and Configuration Guide.

Resolved Issues

This release resolves the following issues.

  • When the Switch application is configured to use the Cisco AnyConnect VPN client, the VPN connection remains active even when the user powers off the Switch application.
    This issue is resolved in this release. When the user powers off the Switch application, the VPN connection is disconnected.
  • Tasks folder in the VMware Email application does not display tasks that do not have a specified due date.
    This issue is resolved in this release. The user's tasks that exist in the associated Exchange server are displayed in the Tasks folder.

Known Issues

The known issues are grouped as follows:

Workspace Issues

  • If you reboot your phone or remove the battery in the middle of initialization of the workspace, when the phone restarts, initialization should resume from the point where it was interrupted. Instead, the download starts again.
  • After provisioning the workspace, the keyboard might fail to display.
    Workaround: Power off Switch and then restart Switch.
  • A workspace that includes more than 32 applications might fail to boot.
  • Applications that use the Google Maps API will not work in the workspace.
  • Applications that use Android Cloud to Device Messaging (C2DM) will not work in the workspace.

VPN Issues

  • When the workspace policy is set to use the Cisco AnyConnect VPN client or the F5 Edge VPN client, the device users must manually enter the organization's VPN concentrator URL in their VPN client.
  • When the workspace is actively connected to VPN, if the user goes to the personal phone side of the device and uninstalls the Switch application, the VPN connection remains active, even though the workspace is removed from the device, and you cannot activate a new VPN connection from the personal phone side.
    Workaround: Manually stop the VPN client in the personal phone side to end the connection, and then activate a new connection.
  • When the workspace policy is set to use the Juniper Junos Pulse VPN client, the VPN client application in the workspace does not activate a VPN connection unless the user first launches the Juniper Junos Pulse VPN client on the personal phone side and accepts the End User License Agreement (EULA).
    Workaround: Before starting the VPN client application in the workspace, switch to the personal phone side, launch the Juniper Junos Pulse VPN client, and accept the EULA.

Horizon Mobile Manager Issues

  • If the Server address field in the VMware Email application's preferences is empty, when the device users attempt to enter their email information after installing the workspace, the email application stops working on the device and the users cannot complete the email setup.
    Workaround: Ensure that the Server address field contains a value before users provision their devices.
  • The workspace distribution chart might not display all data.
    Workaround: Restart the web browser and reload the workspace distribution chart.
  • Some applications in the workspace might not have their preference set updated immediately when the administrator changes it.
    Workaround: If the application has a restart option, restart the application to apply the updated preference set. If the application does not have a restart option, then restart the workspace to apply the updated preference set.
  • If the wallpaper image file specified in the template is too large for the users' mobile devices, cropping or resizing occurs on the devices. For Android smartphones, a typical formula for optimal images sizes is 1*height by 2*width, where the height and width values are the hardware screen resolution values of the smartphone. However, because all of the users in a group receive the same workspace wallpaper image, some users might see the wallpaper image cropped or resized due to the screen resolutions of their devices.
    Workaround: Use wallpaper image files that follow the typical formula of 1*height by 2*width for the majority of the devices of your intended users.
  • When a template specifies a shortcut name that contains non-ASCII characters, the non-ASCII characters are not rendered correctly when the shortcut is displayed in the workspace on the device.
    Workaround: Avoid using non-ASCII characters in shortcut names that are specified in templates.
  • When using the administration user interface in Safari 5.x, and an application name contains Japanese characters, an error might occur when you try to delete the application from the Applications page.
    Workaround: Using Horizon Mobile Manager with Safari 5.x is not supported. To avoid this issue, use Safari 6.x.
  • If the Common Name field in the Generate Certificate Signing Request form contains the wildcard character (*), an error occurs and the request cannot be generated.
    Workaround: Avoid using the wildcard character (*) in the Common Name field when using the Generate Certificate Signing Request form from the Security page.
  • When a template specifies a wallpaper file with a file name that contains non-ASCII characters, the wallpaper is not deployed to the workspace on the mobile device, and the default wallpaper is displayed on the device instead.
    Workaround: Avoid using non-ASCII characters in wallpaper file names that are specified in templates.

Documentation Issues

  • The online help states that if the Enable VPN check box is selected you must specify a VPN server URL in the policy settings. Specifying the server URL in the policy settings is only required when the Juniper Juno Pulse VPN client is selected.
  • The description in the online help for the Automatic Lock control is incorrect. This control sets the amount of grace time for which a user who switches from the workspace to the personal phone side is allowed to subsequently re-enter the workspace without having to re-enter their password.
  • The description in the online help for the Max Retries control is incorrect. This control sets the number of times that a user can enter an incorrect workspace password before being locked out of the workspace for five minutes. After the five minutes has elapsed, the user can again enter an incorrect password up to the number of times specified by the Max Retries setting before being locked out of the workspace for a second five minute period. If the user enters a third set of incorrect attempts, up to the number set by the Max Retries control, the workspace is wiped.
  • Descriptions for some of the VMware Email application's permissions are missing. When you display the Permissions tab for the VMware Email application in the Horizon Mobile Manager administration user interface, some of the permission descriptions display No description available.
  • In the Install the Workspace on a Mobile Device section of the Installation and Configuration Guide, the note about the graphic image of the device is incomplete. In the user details pane in Horizon Mobile Manager, the application information and icons displayed in the graphic image of the device includes only those applications that are enabled for that workspace in the workspace's associated template. When you view the workspace on the user's actual device, the workspace displays icons for applications in addition to those listed in the user details pane. Those applications are provided in the workspace by the base workspace image, and are not reflected in the graphic image of the device displayed in the user details pane.
  • The description in the online help of a workspace image is incomplete. A workspace image is a version of the Android operating system that is installed as the base operating system for users' workspaces. In addition to the base operating system, a workspace image includes some default applications that one would typically find in a base Android operating system distribution, such as the Calculator and Browser applications.
  • The description about the camera policy in the online help is incomplete, and the description in the Update Policy Settings for the Cut/Copy/Paste and Camera Features section in the Installation and Configuration Guide is incorrect. Disabling the camera policy does not remove the camera application and icon from the workspace on the device, nor does it disable the shutter icon visible when the user launches the camera in the workspace. However, the normal camera functionality is rendered ineffective. If the user launches the camera, a static default image is displayed instead of the normal camera view, and if the user touches the shutter icon, an image file of that static default image is saved.
  • In the Collect Diagnostic Logs chapter of the Installation and Configuration Guide, the steps in the procedure are stated incorrectly. After logging into the virtual appliance as the root user, the correct steps are:
    1. Change to the root directory by entering cd / at the command prompt.
    2. Zip up the Apache server log files by running the commands: tar czf apachelog1.tgz home/tcserver/tcserver-current/mmp/logs/ and tar czf apachelog2.tgz home/tcserver/tcserver-current/mmp-config/logs/
    3. Zip up the vFabric Postgres database log files by running the command: tar czf postgreslog.tgz opt/vmware/vpostgres/1.0/data/pg_log/
    4. Zip up the Linux operating system log files by running the command: tar czf suselog.tgz var/log/
  • In Table 1-1 of the Installation and Configuration Guide, the second row incorrectly states that port 433 must be publically available to receive the requests from NAT. The correct port is port 443.
  • The procedure in the Generate a Certificate Signing Request online help is incorrect. The Server Signing Certificates area is used to manage the certificate that is used to sign communications between the server and the mobile devices. The correct procedure is documented in the Replace the Default Signing Certificate section of the VMware Horizon Mobile Manager Installation and Configuration Guide.
  • The description in the online help for the Common Name field is incorrect. This field is the fully qualified domain name (FQDN) that is externally resolvable to the public IP address used in your Horizon Mobile Manager deployment.