Channel: VMware Communities : All Content - All Communities

Display problem with specific program on Windows 10 Image


Hello,

 

I just migrated my customer on Windows 10 with Horizon 7. For one specific program, when the users launch a second instance of it, the display becomes transparent and it's unusable, like this:

2.png

3.png

 

The display is broken on all other Windows windows. The only way to correct the error is to reboot the VM. The editor of the application said that it's compatible with Windows 10 and that I have to add his application to the DEP (Data Execution Prevention) list. I also tried to launch the program in compatibility mode with Windows 7; it's the same.

 

Any idea for this ?

 

Regards,

 

S


Which DEM 2006 installer (Standard OR Enterprise) to use for our Citrix RDS on Windows Server 2016? We DO NOT use VMware Horizon.


Still wondering, which DEM 2006 installer (Standard OR Enterprise) to use for our Citrix RDS on Windows Server 2016?

We DO NOT use VMware Horizon.

 

Please help. Thanks

 

regards, Feroze

App Hub locked on staging user does not prompt for end user credentials


Hello to all,

 

we are distributing Samsung Android 9 devices registered on Workspace One (version 2001)

The devices are prepared in our warehouse using staging users and the end customer is asked to enter their AD credentials on the Hub app to complete the MDM registration.

For some devices configured in the same way as dozens of others they tell me that the screen of credentials insertion on Hub does not appear.

Basically it is as if the staging user is already the designated one. We tried to synchronize the Hub app, to clear its cache, to force the update of profiles both from app and console, but without taking advantage of it.

Have you ever encountered such a problem?

Do you have any ideas on how to ‘unlock’ the Hub and allow the employee’s AD credentials to be entered?

 

Thank you,

Gianmarco

Multi-site architecture for vRA 8.1?


Author :

URL : http://docs.vmware.com/en/vRealize-Automation/8.1/reference-architecture/GUID-B6422967-D0EF-47C1-8D74-D1C1D71FC98C.html

Topic Name : Deployment and Configuration Recommendations

Publication Name : vRealize Automation 8.1 Reference Architecture Guide

Product/Version : vRealize Automation/8.1

Question :

Looking at the documentation I do not see any reference for multi-site deployment architecture best practices.  Is it feasible to have a large deployment facilitate a linked site in another geographical region?

MSP - Applying ESXi and VCenter Updates


I am working with a Managed Services IT Provider, and we are trying to determine the most efficient method of applying patches and updates to VMWare ESXi servers, and VCenter servers and appliances.  As of now, we manually apply updates to each server, but with hundreds and possibly thousands of servers at our various customers throughout the world, doing so in a timely manner is nearly impossible.

 

Does VMWare have a solution for managed service providers to allow this to happen in an efficient manner?  What is the best way for us to go about this, for all of our customers, without taking up a tremendous amount of time, and also allowing for this to happen on a routine basis, so our customer's VMWare servers are regularly patched?

Repointing SSO domain to new domain fails on "Authz Data export"


Hello community,

 

I am trying to simply change the SSO domain of my vCenter 6.7 U3 6.7.45000 without replication partner.

When executing the domain repoint as follows:

#cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name vsphere.local

The process fails on the Authz data export.

 

After checking the logs, I can see in /var/log/vmware/cloudvm/domain_data_export.log the following error :

 

############ domain_data_export.log #####################

2020-08-31T12:52:17.812Z [main DEBUG com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Sending SOAP request to the STS server
2020-08-31T12:52:17.860Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the list of client-trusted certificates
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
  at sun.security.validator.Validator.validate(Validator.java:262)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:235)

.................................

2020-08-31T12:52:17.865Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the client-trusted thumbprint
2020-08-31T12:52:17.880Z [main ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] The SSL certificate of STS service cannot be verified
com.vmware.vim.sso.client.impl.ssl.UntrustedSslCertificateException: The SSL certificate of STS service cannot be verified
  at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.validateServerIdentityWithThumbprint(StsSslTrustManager.java:227)
  at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.checkServerTrusted(StsSslTrustManager.java:125)

######################################################

 

This happens with custom certificates and default VMware certificates.

 

Any idea from the community ?

Thank you

"Drive mapping refers to local drive" error


I am having a nasty problem and I can't figure out what's causing it.

We use DEM to create drive mappings. One of the drive mappings isn't being created and shows an error in the flexengine.log

[ERROR] Drive mapping refers to local drive 'H' (Homedir.xml)

To me it looks like driveletter H is occupied at the moment DEM is trying to create the drivemapping.

When i do a -UemRefreshDrives after login, the mapping is created.

 

I have looked in the golden image and there is no H: drive in use, only C: and sometimes D: (cdrom)

 

After some help from DEMdev

You could try to investigate with a Before profile archive import Logon Task, running something like cmd.exe /c DIR H:\ >"%USERPROFILE%\H-DIR.txt".

I have found the culprit. The H drive is indeed in use:

Volume in drive H is CVApps

Volume Serial Number is AEE0-8B16

 

 

Directory of H:\

 

 

04-09-2019  00:48                 0 allvolattached.bat

04-09-2019  00:48             1.355 allvolattached_shellstarted.bat

04-09-2019  00:48               320 cache.dat.initial

20-01-2020  14:19             1.472 cv_prestartup.log

20-01-2020  14:20               408 cv_prov_post.log

20-01-2020  14:20             6.225 META.ZIP

20-01-2020  14:20    <DIR>          METADATA

20-01-2020  14:19    <DIR>          OfficeTokensBefore

04-09-2019  00:48               261 prestartup.bat

04-09-2019  00:48             7.043 prov_post.bat

04-09-2019  00:48               372 shellstart.bat

20-01-2020  14:22            24.349 snapvol.cfg

04-09-2019  00:48                 0 startup.bat

04-09-2019  00:48               384 startup_postsvc.bat

28-08-2019  02:12           102.640 svoffice.exe

28-08-2019  02:09               228 svoffice.exe.config

04-09-2019  00:48            16.452 tokens.dat.initial

04-09-2019  00:49                20 version.txt

28-08-2019  02:12                87 VERSION32.txt

28-08-2019  02:17                87 VERSION64.txt

              18 File(s)        161.703 bytes

               2 Dir(s)  21.300.944.896 bytes free

To me it looks like an appstack or writable is attached before login and is using drive letter H:, and a bit further in the process the drive letter is released, as it is not visible after login.

We do use Writable Volumes and Appstacks so that makes sense, but I never had any issues with drive letters before.

Do you have any idea what could be the cause of this?

 

These are the registry settings on HKLM\SYSTEM\CurrentControlSet\Services\svservice\Parameters

has any one ever had an issue with a vm losing network connectivity when vmotion with hcx?


we migrated 30 plus vm's that were smaller than this one and never had a problem.  but this server after it started vmotioning, it lost ping.    just curious we do have a case open with vmware on this


Microsoft Teams in Non Persistent environment with AzureAD Hybrid


As of now, I have successfully been able to get Microsoft Teams provisioned via two methods. AppVolumes Application and installed on the golden image. Along with DEM, I am able to persist settings correctly. All seems to work well. The only issue I am still experiencing and have been struggling with since day one with Teams is the known issues revolving around AzureAD Hybrid environments and instant clone VM's not registering correctly. This causes the following error more often than not when users log in and try to launch Teams:

 

Capture.PNG

 

I've read around online and found a few good resources, but have still not been able to get any consistency out of Teams when it comes to this issue. So far, my golden image has never been joined to the AzureAD domain. I have also implemented some startup / logoff scripts that implement the "dsregcmd /leave" and "dsregcmd /join" commands as recommended by several different articles I've come across, but I am still having no luck. Has anyone else using an AzureAD Hybrid setup experienced this? If so, is there any solution, or will I have to wait until Horizon 8 releases and "officially supports" Teams?

 

Any help is appreciated!

Performance of NVME SSD Disk with VMware Workstation 12 Pro


Hi,

 

Recently we installed some of Samsung's new NVMe SSD disks (PCIe M.2) and there is quite a difference in the performance of that SSD on the Win 7 PC directly and within a Win 7 virtual machine on that very same PC...

 

 

The AS SSD Benchmark gives the following results:

 


Seq Read, 10 GB on PC directly:   2611 MB/s

Seq Write, 10 GB on PC directly:   1620 MB/s

 

Seq Read, 10 GB in VM:                1446 MB/s

Seq Write, 10 GB in VM:                  778 MB/s

 


The VM uses the SSD via SCSI.

 

Since it is the very first time I installed a VM I wonder if that loss of disk performance is to be expected, or should the VM perform better?

 

 

 

If the performance for read / write on the PC directly is set as 100% what performance could be expected within the VM?
80% or maybe just 60%? Or did I do something wrong?

 


If the disk performance in the VM can be improved, how so?

Thanks in advance,
Thomas

Realtek 8111G driver for Esxi 7.0


Hello everyone

I installed a network card with Realtek 8111G chip in my Pc with Esxi 7.0

From the shell of Esxi 7.0 I can see the network cards (see image01.png)

But from the management interface of Esxi 7.0 I can't see the network cards

I see only the main network card (see image02.png)

 

I have deduced that the drivers must be installed, probably.

Where can I retrieve the drivers to install on Esxi 7.0 and how to install them?

Thank you

Hash Table not working for one vCenter


Hi All,

 

I've the below script that works across a range of vCenters, except for one.

All vCenters are VCSA 6.5.0.32400

 

I realize this probably isn't a PowerCLI question but, don't understand why the script will not work when run on this one VCSA

 

foreach ($line in $targetList){
    Write-Progress -Activity "Collecting details on provided VMs" -Status "Working on $line" -PercentComplete (($i*100)/$count.Lines)
    try {
        write-host "inside TRY, working on $line"
        $script:target = Get-VM $line -ErrorAction SilentlyContinue
        $powerState = $script:target.PowerState
        $ip = $script:target.guest.IPAddress[0]
        $memory = $script:target.memoryGB
        $hddSize = [math]::Round(((Get-HardDisk -VM $script:target).CapacityGB | Measure-Object -Sum).Sum)
        $vraManaged = $script:target.customFields.Item("vrmManagedMachine")
        $vraOwner = $script:target.customFields.Item("VRM Owner")
        $script:vmProperty = [ordered] @{
            'vCenter' = $script:target.Uid.Split('@')[1].Split(':')[0]
            'Cluster' = $script:target.VMHost.Parent.Name
            'VM Name' = $script:target.Name
            'IP Address' = $ip
            'PowerState' = $powerState
            'Memory (GB)' = $memory
            'Disk Capacity (GB)' = $hddSize
            'Attribute: vRA Managed' = if ($vraManaged) {"True"} else {"False"}
            'Attribute: vRA Owner' = $vraOwner
        }

        $script:vm_Found_YES += New-Object -TypeName psobject -Property $Script:vmProperty
        $i++
    }
    catch {
        Write-Host "inside CATCH working on $line"
        $script:notFound = [ordered] @{
            'VM Name' = $line
            'VM Exists' = "NO"
        }
        Write-Host -ForegroundColor Red "$line does not exist on the vCenter being searched"
        $vm_Found_NO += New-Object -TypeName psobject -Property $script:notFound
    }
}

$script:vm_Found_YES | Sort-Object -Property 'VM Name' | Export-Excel -Path $vm_Found_YES_ReportPath -AutoFilter -AutoSize -TableStyle Light2 -Show

if ($vm_Found_NO){
    $vm_Found_NO | Export-Excel -Path $vm_Found_NO_ReportPath -AutoFilter -AutoSize -TableStyle Light3 -Show
}

 

 

I can confirm that the VM's in the $targetList do exist on this particular vCenter.

When outputting the contents of the variables, they are all populated except for the $script:vmProperty hashtable, which is blank.

For the output of this script, I would expect the $script:vm_Found_YES to be exported to Excel and have all the relevant fields populated. Instead, it opens as an empty spreadsheet.

 

the $vm_Found_NO on the other hand is populated with the VM Names. Even though these VM's do exist in this VCSA.

 

As i've said, this script works as expected across a lot of other 6.5 VCSA's. Just one is giving this issue and i can't figure it out.

I thought it may be the Inventory Service on the VCSA but, all variables except the Hash table are populated.

 

thanks

Virtual Windows running iTunes to watch a movie (HDCP)


Hello forum,

 

I was trying to watch a movie on iTunes in a virtual Windows installation. Unfortunately it doesn't seem to be working. iTunes gives this error message:

 

The "movie" cannot be played in HD.

To play the movie in HD, you must have a computer with a built-in display or have it connected to a display that supports HDCP.

I'm aware this is a known issue, but is it not possible to just set the display of the virtual Windows to HD resolution, and make it work?

 

Thank you.

vVols: Cannot importVApp from java to deploy ovf template on vCenter on vVols datastore


Hi all,

 

I'm trying to use a vVols datastore to deploy an OVF template from a Java application. I could do deployOvfTemplate from vCenter, but when I'm doing it from Java the operation fails with the error "vim.fault.CannotCreateFile Please see the server log to find more detail regarding exact cause of the failure".

 

ManagedObjectReference morLease = context.getService().importVApp(morRp, ovfImportResult.getImportSpec(), dcMo.getVmFolder(), morHost);

 

 

I dug a little more into all possible logs and found the following relevant errors. But I could not find the exact issue and the fix to make.

I believe the importVApp method from the management SDK is datastore type independent.

 

Can anyone help me in this regard?

 

hostd.log

 

2020-08-05T09:53:37.187Z info hostd[2098595] [Originator@6876 sub=Default opID=78ac9244-01-01-01-29-9112 user=vpxuser:VSPHERE.LOCAL\Administrator] AdapterServer caught exception: N7Hostsvc20OsfsCannotCreateFile9ExceptionE(Fault cause: vim.fault.CannotCreateFile

 

 

vvold.log

 

2020-08-05T09:53:36.268Z info vvold[2283420] [Originator@6876 sub=Default] VVolUnbindManager::UnbindIdleVVols called                                                                                      

2020-08-05T09:53:36.268Z info vvold[2283420] [Originator@6876 sub=Default] VVolUnbindManager::UnbindIdleVVols done for 0 VVols

2020-08-05T09:53:37.173Z info vvold[2283394] [Originator@6876 sub=Default] Came to SI::BindVirtualVolume: esxContainerId bac3b586-36dc-498d-ac49-7147bfd7f4c9 VVol Id 17a12f9e6eb0329b83e754762976599c bindType

2020-08-05T09:53:37.173Z info vvold[2283394] [Originator@6876 sub=Default]                                     

--> VasaOp::BindVirtualVolume [#132249]: ===> Issuing 'bindVirtualVolume' to VP SolidFire (#outstanding 0/10) [session state: Connected]

2020-08-05T09:53:37.181Z error vvold[2283394] [Originator@6876 sub=Default]                                    

--> VasaOp::ThrowFromSessionError [#132249]: ===> FINAL SUCCESS bindVirtualVolume VP (SolidFire) Container (bac3b586-36dc-498d-ac49-7147bfd7f4c9) timeElapsed=8 msecs (#outstanding 0)

2020-08-05T09:53:37.182Z error vvold[2283394] [Originator@6876 sub=Default] SI:BindVirtualVolume@3536 VASA bind for VVol (17a12f9e6eb0329b83e754762976599c) returned error : INVALID_ARGUMENT ()

2020-08-05T09:53:37.184Z info vvold[2283404] [Originator@6876 sub=IpcSvc] VVoldIpcConn object freed (0)                          

 

 

osfsd.log

 

2020-08-05T09:53:37.170Z 5792189:Lookup:660: Got lookup request for "17a12f9e6eb0329b83e754762976599c"

2020-08-05T09:53:37.170Z 5792189:Provider_Lookup:469: Found matching driver for ID [    vvol]       

2020-08-05T09:53:37.170Z 5792189:VVolMount:2464: VVolMount@2464:Lookup was sent UUID based name 17a12f9e6eb0329b83e754762976599c

2020-08-05T09:53:37.171Z 5792189:5792189:VVOLLIB : VVolLib_Open:8955: container Id passed: bac3b586-36dc-498d-ac49-7147bfd7f4c9 Normalized: bac3b586-36dc-498d-ac49-7147bfd7f4c9

2020-08-05T09:53:37.171Z 5792189:5792189:VVOLLIB : VVolLib_Open:8995: created devFS node '17a12f9e6eb0329b83e754762976599c' (objType 3)

2020-08-05T09:53:37.182Z 5792189:5792189:VVOLLIB : VVolLib_IpcStorageFaultToVVolLibError:767: Storage Fault INVALID_ARGUMENT (9):

2020-08-05T09:53:37.182Z 5792189:5792189:VVOLLIB : VVolLib_BindVVol:4145: failed with error (1) Bad Parameter for Config VVol 17a12f9e6eb0329b83e754762976599c

2020-08-05T09:53:37.182Z 5792189:5792189:VVOLLIB : VVolLib_Open:9241: Could not bind VVol 17a12f9e6eb0329b83e754762976599c failed with error (Bad Parameter)                             

2020-08-05T09:53:37.183Z 5792189:VVolMount:2526: VVolMount@2526:Could not open the VVol '17a12f9e6eb0329b83e754762976599c' (No such file or directory)

 

vpxa.log

 

2020-08-05T09:53:37.203Z info vpxa[5691664] [Originator@6876 sub=Default opID=78ac9244-01-01-01-29] [VpxLRO] -- ERROR lro-7007 -- vpxa -- vpxapi.VpxaService.reserveName: vim.fault.CannotCreateFile:        

--> Result:                                                                                                                                                                                                  

--> (vim.fault.CannotCreateFile) {                                                                                                                                                                           

-->    faultCause = (vmodl.MethodFault) null,                                                                                                                                                                

-->    faultMessage = (vmodl.LocalizableMessage) [                                                                                                                                                           

-->       (vmodl.LocalizableMessage) {                                                                                                                                                                       

-->          key = "com.vmware.esx.hostctl.default",                                                                                                                                                         

-->          arg = (vmodl.KeyAnyValue) [                                                                                                                                                                     

-->             (vmodl.KeyAnyValue) {                                                                                                                                                                        

-->                key = "reason",                                                                                                                                                                           

-->                value = "17a12f9e6eb0329b83e754762976599c (Cannot Create File)"                                                                                                                           

-->             }                                                                                                                                                                                            

-->          ],                                                                                                                                                                                              

-->          message = "Operation failed, diagnostics report: 17a12f9e6eb0329b83e754762976599c (Cannot Create File)"                                                                                         

-->       }                                                                                                                                                                                                  

-->    ],                                                                                                                                                                                                    

-->    file = "17a12f9e6eb0329b83e754762976599c (Cannot Create File)"                                                                                                                                        

-->    msg = "Received SOAP response fault from [<cs p:0000007718306350, TCP:localhost:8307>]: CreateDirectory                                                                                               

--> Cannot complete file creation operation."                                                                                                                                                                

--> }                                                                                                                                                                                                        

--> Args:                                                                                                                                                                                                    

-->                                                                                                                                                                                                          

--> Arg spec:                                                                                                                                                                                                

--> (vpxapi.VmLayoutSpec) {                                                                                                                                                                                  

-->    vmLocation = (vpxapi.VmLayoutSpec.Location) null,                                                                                                                                                     

-->    multipleConfigs = <unset>,                                                                                                                                                                            

-->    basename = "17a12f9e6eb0329b83e754762976599c",                                                                                                                                                        

-->    baseStorageProfile = "<ns1:storageProfile xmlns:ns1="http://profile.policy.data.vasa.vim.vmware.com/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns1:StorageProfile"><ns1:const

-->    disk = (vpxapi.VmLayoutSpec.Location) [                                                                                                                                                               

-->       (vpxapi.VmLayoutSpec.Location) {                                                                                                                                                                   

-->          url = "ds:///vmfs/volumes/vvol:bac3b58636dc498d-ac497147bfd7f4c9/",                                                                                                                             

-->          key = <unset>,                                                                                                                                                                                  

-->          sourceUrl = "ds:///vmfs/volumes/vvol:bac3b58636dc498d-ac497147bfd7f4c9/",                                                                                                                       

-->          urlType = "rootDirPath",                                                                                                                                                                        

-->          storageProfile = "<ns1:storageProfile xmlns:ns1="http://profile.policy.data.vasa.vim.vmware.com/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns1:StorageProfile"><ns1:con

-->       }                                                                                                                                                                                                  

-->    ],                                                                                                                                                                                                    

-->    reserveDirOnly = true                                                                                                                                                                                 

--> }       

Active Directory Authentication Issues


After an update to 2.5, the AD group used for authentication is not found. The specified principal was not found. Please make sure you have specified the correct Domain Controller address.

 

Our group is valid and is found 4 levels deep from the AD root.  Perhaps this is the issue??

 

 

I see the requests going through the firewall to 2 local domain controllers and if I change to an IP address of a non-domain controller the error is different and does indicate a lack of connectivity to a domain controller.

 

 

Also, did the requirement for anonymous access ever get resolved?


VSAN Enterprise + ESXI Standard license


Hello all,

 

Can I use a VSAN Enterprise license with ESXi Standard for a vSphere 6.7 environment, or does VSAN Enterprise require an ESXi Ent+ license?

Does the VSAN Enterprise license bring vDS support to the host?

Preparing of Migration to 6.5 U2


Hello Experts ,

 

I have some questions about our migration from 5.5 to 6.5. We will replace our virtual datacenter equipment with new ones.

 

our Vcenter 5.5  is in our old domain x.local and the new one will be in our new domain y.com.

our ESXi 5.5 are not joined to the Domain .the authentication is locally and they use the DNS of our old domain x.local myloweslife

 

before migrating to 6.5 with new Domain y.com , i would migrate our Vcenter 5.5 from x.local to y.com

 

Could you tell me the steps please? I'm afraid there will be an impact on our VMs.

 

Regards

  

How to access vRO8 Configuration Assets in a Powershell action/scriptable task?


I'm running a vRA8.1 instance with embedded vRO.

 

I have a Powershell action that I've gotten to work, but I'm trying to move a hard-coded value out of the code and into a Configuration Element/Asset. However, I'm struggling to figure out how to access the Configuration via Powershell.

 

I've considered creating another action (this one Javascript) to pull the Configuration data and return it to the main Powershell action, but I've also not figured out how to execute other actions from Powershell yet either.

 

If I need to access something like a vRO REST API to do this, then so be it, but I'm struggling to find documentation on a vRO REST API on vRA8.

 

Any help would be appreciated.

What is the best practice for snapshots when updating vCenter servers in Linked mode?


We have five vCenter servers in linked mode running vCenter 6.7 U3g.  I'm preparing to update next week to vCenter 6.7 U3j. 

 

Is it best practice to shut down all five vCenter servers at once, then take snapshots of all five vCenter servers?  Or, is it ok to shut down one vCenter, take the snapshot, power up and update that vCenter server, then go on to the next?  I wasn't sure if due to replication, it would be best to snapshot them all at about the same time, in case all five vCenter servers would need to be rolled back due to issues.

Using Postman to Manage Workspace ONE Identities


For updates on this blog and other blogs: Follow @SteveIDM

 

There are times during troubleshooting when you would like to see a particular attribute in Workspace ONE Identity (VMware Identity Manager) and it's not displayed in the web portal, or times when you would like to update a particular attribute or delete a JIT user.

 

DISCLAIMER:  Please use the API with caution as this can potentially cause issues if not used appropriately. Please do NOT use in Production. Please use at your own risk.

 

In this blog we'll walk through a few useful API calls to help in your troubleshooting. For a complete list of API calls and documentation:

 

VMware Identity Manager API - VMware API Explorer - VMware {code}

 

Please download and install the latest version of Postman.

 

In this blog we'll use the following APIs:

  • Get Specific User Details
  • Update SCIM User
  • Delete SCIM User
  • Create SCIM User

 

Step 1: Getting your OAuth Token

 

In order to use the SCIM based API you need an OAuth token. I'm going to walk through two different ways of getting a token to use in your environment.

 

If you are going to access a particular environment quite often using Postman, I would suggest you go with Option 1. If it's unlikely you will access a particular environment that often, then you should go with Option 2.

 

Option 1: Creating an OAuth Application

  1. Log into Workspace ONE Identity Admin Console
  2. Click on the Catalog (down arrow) and select Settings
  3. Click "Remote App Access"
  4. Click Create Client
  5. Select "Service Access Token" from the Drop down menu
  6. Provide a Client ID ie. Postman
  7. Expand Advanced
  8. Click Generate Shared Secret (or provide one)
  9. Click Add
  10. We will configure Postman in the next section.

 

Option 2: Using your browser cookies

 

  1. Make sure you have a way of accessing your browser cookies. I use a Chrome plugin called "Edit this cookie"
  2. Log into your Workspace ONE Identity Admin Console
  3. Click the Cookie Icon in the chrome address bar
  4. Search for the "HZN" cookie
    Screen Shot 05-08-19 at 02.43 PM.PNG
  5. Copy the value for HZN.
  6. We will configure Postman in the next section.

 

Step 2: Configure Postman to use your OAuth Token

Depending on which option you chose in the previous step, follow the instructions below to add your OAuth Token.

 

Option 1: Creating an OAuth Application

  1. Open a new Tab in Postman
  2. In the authorization section, select "OAuth 2.0" as the type:
    Screen Shot 05-08-19 at 02.50 PM.PNG
  3. Click Get New Access Token
    Screen Shot 05-08-19 at 02.52 PM.PNG
  4. Provide a Token Name (ie. Workspace ONE)
  5. Under "Auth URL", enter https://[Tenant URL]/SAAS/auth/oauth2/authorize
    ie. https://dsas.vmwareidentity.com/SAAS/auth/oauth2/authorize
  6. Under "Access Token URL", enter https://[Tenant URL]/SAAS/auth/oauthtoken
    ie. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken
  7. Under Client ID, enter your Client ID from step 1.
  8. Under Secret, enter your secret from step 1.
  9. Under Scope, leave blank.
  10. Under Grant Type, select "Client Credentials"
    Screen Shot 05-08-19 at 02.58 PM.PNG
  11. Click Request Token
  12. Click on WorkspaceONE under Existing Tokens
  13. Select Use Token
    Screen Shot 05-08-19 at 03.00 PM.PNG
  14. If you click on the headers tab you will see the "Authorization" header has been added with the correct token.

 

Option 2: Using your browser cookies

 

  1. Open a new Tab in Postman
  2. Click on the Headers Section
  3. Add the Header Key "Authorization"
  4. In the Value, type "Bearer" then paste the value of the HZN cookie.
    Screen Shot 05-08-19 at 03.10 PM.PNG

 

Getting User Details

Now that you have your OAuth token, we can use this token to query Workspace ONE Identity.

 

  1. For the HTTP Method, select "GET"
  2. Enter the following for the URL: https://[TENANTURL]/SAAS/jersey/manager/api/scim/Users?filter=username%20eq%20%22MyUserID%22
  3. Replace MyUserID with a username in your environment
    ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/scim/Users?filter=username%20eq%20%22sdsa%22
  4. This will return a complete result set of attributes for the particular user.
    Screen Shot 05-08-19 at 03.23 PM.PNG

Updating User Details

In order to update user details via the API, you will need to collect some information from the Get User Details.

 

In my example, I'm going to update the "userPrincipalName" in Workspace ONE Access for one of my users.

  1. Perform a "Get" on the particular user and retrieve the schema information. Please note, this will be different for each tenant as the tenant name is part of the schema.
    Screen Shot 05-08-19 at 03.34 PM.PNG
  2. Copy this section to notepad.
  3. Retrieve the section which contains the attribute(s) you want to update
    Screen Shot 05-08-19 at 03.35 PM.PNG
  4. Copy the ID of the User
    Screen Shot 05-08-19 at 03.38 PM.PNG
  5. Open a new Tab in Postman
  6. Add the Authorization Header as per the previous section.
  7. For the HTTP Method, select "PATCH"
  8. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/scim/Users/[ID]
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users/884b7e7d-6a7b-4985-b113-56235826e8a6
  9. Select Body
  10. Enter the JSON in raw text that we'll post to Workspace ONE
  11. Select "JSON (application/json)" as the Content-Type
    Screen Shot 05-08-19 at 04.02 PM.PNG
  12. Click Send
  13. You should receive a "204 No Content" response
    Screen Shot 05-08-19 at 04.03 PM.PNG
  14. If you perform a GET User again you should see the value has changed.
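
The token, lookup and update steps above as a script, added here as an example and not taken from the original post or from VMware: it builds the same requests Postman sends and refuses to update unless the filter matched exactly one user. The tenant URL is a placeholder, and the Basic client authentication on the token call, the `Resources` key of the list response and the PATCH body shape are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

TENANT = "https://tenant.example.com"  # placeholder tenant URL (assumption)
SCIM_USERS = TENANT + "/SAAS/jersey/manager/api/scim/Users"
EXT = "urn:scim:schemas:extension:workspace:1.0"  # extension named in the page's samples

def token_request(client_id, secret):
    """Client-credentials token request; Basic client auth is an assumption."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return urllib.request.Request(
        TENANT + "/SAAS/auth/oauthtoken", method="POST",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})

def find_user_request(token, username):
    """GET with the page's filter; the value is validated, then percent-encoded."""
    if '"' in username or "\\" in username:
        raise ValueError("username would change the meaning of the SCIM filter")
    query = urllib.parse.quote(f'username eq "{username}"', safe="")
    return urllib.request.Request(f"{SCIM_USERS}?filter={query}",
                                  headers={"Authorization": "Bearer " + token})

def single_user(list_response):
    """Return the one matched user, or fail instead of guessing which to edit."""
    resources = list_response.get("Resources", [])  # list key is an assumption
    if len(resources) != 1:
        raise LookupError(f"expected exactly 1 user, got {len(resources)}")
    return resources[0]

def patch_upn_request(token, user, new_upn):
    """PATCH only userPrincipalName, reusing the schemas list the GET returned."""
    body = {"schemas": user["schemas"], EXT: {"userPrincipalName": new_upn}}
    return urllib.request.Request(
        f"{SCIM_USERS}/{urllib.parse.quote(user['id'], safe='')}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
```

Each function returns a `urllib.request.Request`; pass it to `urllib.request.urlopen()` to send it, and read the client secret from the environment or a secrets store rather than writing it into the script.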

 

Delete Users

If you are using JIT to onboard users into Workspace ONE Identity, you've probably noticed there is no way to delete users in the web portal. The only way to delete is with the API.

  1. Perform a "Get" on the particular user and retrieve the ID
    Screen Shot 05-09-19 at 10.47 AM.PNG
  2. Open a new Tab in Postman
  3. Add the Authorization Header as per the previous section.
  4. For the HTTP Method, select "DELETE"
  5. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/scim/Users/[ID]
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users/f6f89782-0a2a-4cc8-84a8-057f1da6ecde
  6. Click Send
    Screen Shot 05-09-19 at 10.50 AM 001.PNG
  7. You should receive a "204 No Content" response
    Screen Shot 05-08-19 at 04.03 PM.PNG
  8. If you perform a GET User again you should see no results found.
    Screen Shot 05-09-19 at 10.53 AM.PNG

 

Create Users

Creating Users in Workspace ONE Access requires a lot more steps. I reluctantly decided to document the steps as this should really be done by the out of the box connectors. The process is slightly different between System Directory, Local Directory, and Other. The "Other" directory is created automatically when setting up the UEM/WS1 Integration.

 

Creating Users in the System Directory

  1. Open a new Tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/scim/Users
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users
  5. Set the Content-Type to "application/json"
  6. Use the following as a sample:
{
  "schemas": [
    "urn:scim:schemas:core:1.0",
    "urn:scim:schemas:extension:workspace:tenant:sva:1.0",
    "urn:scim:schemas:extension:workspace:1.0",
    "urn:scim:schemas:extension:enterprise:1.0"
  ],
  "userName": "testing4@mydomain.com",
  "name": {
    "givenName": "first4",
    "familyName": "last4"
  },
  "emails": [
    {
      "value": "testing4@mydomain.com"
    }
  ],
  "password": "Password$!"
}

 

Creating Users in a Local Directory

 

  1. Open a new Tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/scim/Users
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users
  5. Set the Content-Type to "application/json"
  6. Use the following as a sample:
{
  "schemas": [
    "urn:scim:schemas:core:1.0",
    "urn:scim:schemas:extension:workspace:tenant:sva:1.0",
    "urn:scim:schemas:extension:workspace:1.0",
    "urn:scim:schemas:extension:enterprise:1.0"
  ],
  "userName": "testing5@mydomain.com",
  "name": {
    "givenName": "first5",
    "familyName": "last5"
  },
  "emails": [
    {
      "value": "testing5@mydomain.com"
    }
  ],
  "password": "Password$!",
  "urn:scim:schemas:extension:workspace:1.0": {
    "internalUserType": "LOCAL",
    "domain": "mydomain.com"
  }
}

 

Creating Users in an Other Directory

 

The steps to create a user in an Other directory are almost identical to those for the local directory, except that we need to know the "domain" associated with the directory and we need an ExternalID. The External ID should be a unique value. It is recommended that you use a GUID for this value. See Online UUID Generator Tool as an example of a proper GUID. Note: In Postman you can use the function "{{$guid}}" to automatically generate one.

 

 

  1. Open a new Tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "GET"
  4. For the URL, enter: https://[TENANT URL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs?includeJitDirectories=true
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs?includeJitDirectories=true
  5. Click Send
  6. In the response, search for your "Other Directory" and copy the userStoreID
  7. Screen Shot 05-09-19 at 05.25 PM.PNG
  8. Open a new Tab in Postman
  9. Add the Authorization Header as per the previous section.
  10. For the HTTP Method, select "POST"
  11. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/scim/Users
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com//SAAS/jersey/manager/api/scim/Users
  12. Set the Content-Type to "application/json"
  13. Use the following as a sample and don't forget to create a Unique External ID.
{
  "schemas": [
    "urn:scim:schemas:core:1.0",
    "urn:scim:schemas:extension:workspace:tenant:sva:1.0",
    "urn:scim:schemas:extension:workspace:1.0",
    "urn:scim:schemas:extension:enterprise:1.0"
  ],
  "externalId": "c58085e6-c97a-4df3-8e4a-e376913fab17",
  "userName": "testing6@mydomain.com",
  "name": {
    "givenName": "test6",
    "familyName": "last6"
  },
  "emails": [
    {
      "value": "testing6@mydomain.com"
    }
  ],
  "urn:scim:schemas:extension:workspace:1.0": {
    "internalUserType": "PROVISIONED",
    "domain": "1dsavm.com",
    "userPrincipalName": "testing6@mydomain.com"
  }
}

 

Creating an Other Directory

When you configure UEM to integrate with Identity Manager, an "Other" Directory should be automatically created. If it is not created, you can create one via the API as well.

  1. Open a new Tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
    Replace the Tenant URL with your URL
    Replace the ID with the ID from the step 4 in this section.
    ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
  5. Set the Content-Type to "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
  6. Use the following as a sample
{
"type":"OTHER_DIRECTORY",
"domains":["SteveTestDomain2"],
"name":"SteveTest2"
}

 

Troubleshooting

It would be impossible to discuss every combination of errors that can be returned using the API. Here are a few common ones:

 

  1. If you receive the error "User is not authorized to perform the task.".
    This error typically means that your OAuth Token has expired. Regenerate your OAuth Token. If you have used the browser cookies method to get your token, ensure that your HZN cookie is from the administrative interface.
  2. When updating a user, you receive the error "???UNSUPPORTED_MEDIA_TYPE???"
    This error means that you are sending a blank or incorrect Content-Type. Check to make sure the content-type is set to "application/json"