Thank you for navigating to my Blog. You’ll find here news and updates around VMware Workspace ONE. The content in this blog doesn’t necessarily represent VMware’s positions, strategies or opinions. While Best Practices or Product related information are described in some post on this blog, they may not apply to your individual customer setup or be error free. In case of doubt, always engage your VMware contact.
General Availability of Workspace ONE Access OnPrem 21.08.0.0
VMware Workspace ONE® Access 21.08.0.0 is GA as of September 7, 2021!
What’s New?
Connector Support for Virtual Apps In the 21.08 release, the Workspace ONE Access Connector includes a new Virtual App service that supports integrating VMware Horizon and Citrix virtual apps. This will allow for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or 19.03.0.1 to version 21.08. Both directories and virtual apps collections must be migrated together during this one-time process.
RSA SecurID Updates We have updated the way we integrate with RSA SecurID by using REST APIs. If you are currently using RSA SecurID as an authentication method, then a new connector for the User Auth service can be added before migration for minimal downtime to RSA SecurID logins.
Encrypted Connection to External DatabaseYou can now add encryption when you configure a Microsoft SQL database for the first time or later. An encrypted connection to the database increases the security of data transmitted across networks. To enable encryption, the Microsoft SQL server must be configured with a root or intermediate certificate.
Syslog over TCP or UDP Now you can choose between two standard protocols for connection to Syslog servers: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). To use TCP, TLS (Transport Layer Security) has to be enabled for data encryption to provide secure communication. TCP over TLS is the default option.
Updated Password Complexity Rules for admin Users Password complexity rules have changed to incorporate a minimum of 8 characters and password complexity standards. See Manage Your Workspace ONE Access Appliance Passwords.
OpenJDK 8 SupportThe Workspace ONE Access appliance and connector have been migrated to OpenJDK 8 and no longer support Oracle JDK.
Disabled Break-Glass URL endpoint by default The break-glass URL endpoint, https://<;fqdn>.com/SAAS/login/0, allows system domain administrators to authenticate into Workspace ONE Access. To ensure a higher standard of security, this endpoint will be disabled by default starting in version 21.08. To re-enable this endpoint during emergency situations, see Workspace ONE Access Security Settings Guidelines.
On-Premises Support for Hub Services Capabilities
Hub Templates With Hub Templates you can control assignment of Hub Services capabilities to groups of users. This means you can now plan a slow rollout of Hub Services and its capabilities to your users. You no longer are required to enable Hub Services in one go for your entire workforce. Some examples of use cases where Hub Template will come in handy:
Different custom tab URL for Sales versus R&D users
Different branding for a subsidiary company
Notifications capability only for R&D and Sales in North America
Custom Tab for Web A Custom tab can be configured and enabled for the Workspace ONE Intelligent Hub on the Web browser view. Admins can add a custom tab that links to their company website or to another resource that they want to share with users. To add a custom tab on the Web, navigate to Custom Tab on the Hub Services console. Enable the Custom Tab feature and then enable it for Web. Admins can define the tab’s title, add the URL of the destination, and select whether the custom tab displays in the first or last position in the Workspace ONE Intelligent Hub Web navigation bar. Admins can also choose to open the link in a new browser tab or in an iFrame embedded inside the Intelligent Hub Web. If admins choose to open the link in an embedded iFrame, a preview of that view is provided to allow admins to ensure that the link will load correctly in an iFrame.
Mobile App Icon Option in Branding Page Admins can now customize the Hub app icon color by picking from a list of curated colors to match your company branding. To customize the color of the icon, go to Hub Services console > Branding > Logos> Mobile App Icon and select an option from the color presets. Once the change is saved, users will see the new Hub icon color on the next launch of the Hub app.
Support Tab on Windows Hub Windows Hub now offers support for the Support Tab. When Employee Self-Service is enabled on the admin console, Windows Workspace ONE Intelligent Hub will display a tab for it. From the Employee Self-Service or Support tab in Workspace ONE Intelligent Hub, users can access resources and information in the Helpful Links section and view and manage their devices.
Dark Mode Branding Configuration Admins can configure their company dark mode logo and accent color on the Hub Services admin console. When dark mode is enabled through the user’s device settings, users can browse Workspace ONE Intelligent Hub in a dark theme view. Note: Dark mode is not available on all platforms currently. The Workspace ONE Intelligent Hub web browser does not support dark mode for on-premises Hub Services.
Retiring Workspace ONE Assist 21.07 for Android agents from My Workspace ONE (resources portal) (85688)
Workspace ONE Assist recently released an Android agent v21.07. This release contains a critical issue that affects our backend systems when new devices are enrolled to the Assist servers.
To mitigate this issue and prevent further damage, we will be retiring the v21.07 of the Assist agent from the My Workspace ONE portal (resource portal).
Customers who have already downloaded and installed the Assist agent v21.07 can continue to use it. The Workspace ONE Assist team will remediate any backend issues that result from these installations.
For customers who are still using Assist agent v21.03 or older, we recommend upgrading to the next version of Assist when available.
Intelligent Hub app name changing from “IntelligentHub” to “Intelligent Hub” to align with other productivity apps (85669)
As of Jan 2020, the Workspace ONE team has been updating the Intelligent Hub app name from “IntelligentHub” to “Intelligent Hub” in the Workspace ONE UEM console to align with other productivity apps. This change will be completed in Q3 when all environments have had this change made.
There is no action required by customers and most organizations will not be impacted by this change.
The purpose of this page is to inform admins in case there are any custom external systems or integrations looking for the Intelligent Hub by its legacy name, “IntelligentHub”.
If your organization is using “IntelligentHub” for any custom 3rd party integrations or API requests, this could cause failures successfully targeting the Intelligent Hub.
While most customers will not be impacted by this change, any organization using “IntelligentHub” should update their integrations to use the new the updated string – “Intelligent Hub”.
Please contact VMware Support if you require further assistance.
AMST-32438 – Older PPKGs incompatible with Windows 10 v2004+ (84395)
Devices running Windows 10 v2004+ cannot be provisioned using the Drop Ship Provisioning (Offline) process using older PPKGs. Older PPKGs cause a reboot loop during the provisioning process.
PPKGs generated using the Factory Provisioning Service v2011.1 and older are not compatible with Windows 10 v2004+. Devices that attempt to apply older PPKGs run into a reboot loop and do not complete provisioning.
This issue also applies when attempting to restore a device to factory settings after upgrading to Windows 10 v2004+, since the original PPKG is backed up to the folder location: C:\Recovery\Customizations. The Enterprise Reset & Device Reset actions will also attempt to reapply the backup PPKG and will cause the device to enter a reboot loop.
VMware has released Factory Provisioning Service v2011.02 to resolve this issue. SaaS customers do not need to take any action to update their service, since the hosted service will be upgraded automatically. On-premises customers can download the installer from My Workspace ONE to update the service in their environment.
Support Opening Attachments in For You Page Intelligent Hub will now support opening attachments appended to a notification in the For You tab. This updated flow allows admins to be able to attach files to notifications and end users will be able to download those attachments from Intelligent Hub.
End of Support for macOS 10.13 In this release of Intelligent Hub for macOS, VMware will no longer support OS versions below macOS 10.14 Mojave. All versions of macOS 10.14 or greater will continue to be supported. For more information, refer to this KB article.
Python Upgrade The Python framework has been upgraded from version 3.9.5 to the latest version 3.9.6.
Improvements to deep linking into HubCompanies using deep linking using the bundle id for a new internal app would see the old details. Now the new updated details will be shown.
Improvements to the-enrollment process when restoring from an iOS backup
Dark Mode improvementsDark mode will be enabled if end users have dark mode enabled on their device, if no logo and accent color have been setup by the admin, the default Hub branding will be used.
Confirm opening external linksPre-req: managed account on Exchange server – on-prem or Office 365
Introduces new KVP – ExternalLinksAllowlist.
The administrator is able to enter multiple domains. All subdomains and directories are treated as part of the main domain. Administrators should not enter subdomains separately. IP addresses are supported as well. When user taps on a link in Boxer email and if the link is not in the allowlist, then the user will see a warning message. The user can dismiss the warning message and continue to the link.
CBA for Modern Auth in Standalone modePre-req: unmanaged account on Exchange server – on-prem or Office 365
Pre-req: CBA is enabled
KVPs:AccountUseOauth: True
AccountUseWebviewForOauth: True
AuthenticationType: CertificateWhen the user starts the authentication process in Modern Auth, this feature automatically enables CBA as part of the flow and authenticates the user.
VMware Named a Leader in 2021 Gartner® Magic Quadrant™ for UEM Tools and Received Highest Scores in 3 out of 4 Use Cases in 2021 Gartner® Critical Capabilities for UEM Tools
We’re thrilled to announce that for the FOURTH year in a row VMware has been named a LEADER in the 2021 Gartner® Magic Quadrant™ for Unified Endpoint Management (UEM) Tools. VMware also scored HIGHEST in three out of four use cases in the 2021 Gartner® Critical Capabilities for UEM Tools.
In this year’s Magic Quadrant™, Gartner® recognized VMware as a Leader for overall ability to execute and completeness of vision, positioned furthest to the right for completeness of vision. In Gartner®’s corresponding Critical Capabilities report, VMware received the highest scores for the Security-Centric Management (4.22/5.0), Modern Windows PC (3.64/5.0) and Remote Worker (4.06/5.0) Use Cases and second highest score for the Nonstandard PC (3.25/5.0) Use Case.
Workspace ONE Assist Enrollment Certificate Update tool (83730)
To ensure trust and security between the Workspace ONE Assist server and the Assist agent, the Assist server contains an Enrollment Certificate that expires at regular intervals. This certificate gets updated automatically when the Assist server is upgraded to a newer version. This is also handled by the Assist team for all SaaS customers
However, for customers who might be on versions of Assist 20.07 or older, their Enrollment certificate will expire on Oct 4th, 2021. If impacted customers do not wish to upgrade immediately, a new cert update tool will be provided to ensure that the enrollment cert can be updated without a server upgrade. The following article contains details on how to use this new certificate update tool.
Scoped Storage on Android 11+ with WS1 UEM (85573)
Scoped Storage is a change in the file system on Android 10 and above to increase the security and integrity of device storage. Before scoped storage, each application had access to its own file directory as well as access to shared directories, such as the Downloads folder. In Android 10+, apps have a restricted level of access to these folders..
Below are the file restrictions in Android 10 and 11. All apps are bound by these limitations, even Device or Profile Owners like Workspace ONE Intelligent Hub. Android 9 and below is not affected.
Change in the behavior of Tag API for Workspace ONE UEM (85567)
In upcoming releases of Workspace ONE UEM, there will be change in the behavior of Tag API “tags/{tagId}/devices?LastSeen={lastSeen}” to consider Device Last Seen instead of Tag Added Date.
The only change with this API is LastSeen parameter which was considering Device TAG date. It will be considering device last seen date with this change in future releases.
[Resolved] AMST-33356 Device Setup timing out during Windows OOBE enrollment when Status Tracking Page is enabled (85564)
During Windows OOBE enrollment, you will notice assigned resources (profiles/apps) not coming down. If Status Tracking Page is enabled, you will eventually see “Device Setup Failed” when the maximum time allowed for provisioning is reached.
Impacting WS1 UEM 21.05
Upon the ‘Device Enrollment Complete’ event, the UEM console triggers the ‘Smart Group Change’ event to calculate all applicable resources (like Profile, apps, etc.).
However, In OOBE flow, this happens before enrollment completion as well, resulting in resources not being queued up in some scenarios. Thus, whenever status tracking is enabled, devices keep waiting for tracked resources to come down and eventually time out, displaying ‘Device Setup’ or ‘Account setup’ failure behavior.
The issue has been resolved in Workspace ONE UEM 21.05.0.9.
VMware Workspace ONE Intelligent Hub will allow end-user choice for Dark Mode (85581)
VMware Workspace ONE Intelligent Hub will allow end-users device/OS level settings for Dark Mode for the following platforms:
VMware Workspace ONE Hub for Android 21.08+,
VMware Workspace ONE Hub for iOS 21.07+
VMware Workspace ONE Hub Web 21.07+
VMware Workspace ONE Administrators no longer have to enable or toggle on Dark Mode in the Workspace ONE Hub Services Administrators Console for users to view Workspace ONE Intelligent Hub in Dark Mode.
Dark Mode has always been an end-user preference, and we would like to stay in line with that expectation when delivering this feature.
To provide end-users with the best Dark Mode experience that aligns with your company’s branding, Administrators should configure their company’s Dark Mode logo and accent color in the VMware Workspace ONE Hub Services Branding page.
If Dark Mode assets are not set up by admins, VMware Workspace ONE Intelligent Hub will utilize the default Workspace ONE Intelligent Hub Dark Mode logo and accent color.
NOTE: Workspace ONE Intelligent Hub will default to this behavior regardless of whether the Workspace ONE Intelligent Hub Services is or is not enabled. For curation of the logo and accent color, Workspace ONE Intelligent Hub Services will be required.
Compare application data between Workspace ONE UEM and Workspace ONE Intelligence (84102)
Workspace ONE Intelligence and Workspace ONE UEM show different count of managed app installations when compared for an application.
The difference in counts can be due to couple of reasons as listed below – The filters used to make the comparison in Workspace ONE UEM and Workspace ONE Intelligence is not the same, hence returning different results. Follow the steps mentioned below to ensure you are accurately doing the comparison.
Check the privacy settings in Workspace ONE UEM console for your tenant and corresponding child organization groups. If the privacy setting is enabled and set to ‘collect & do not display’ for personal application, any personal app records are not published to Workspace ONE Intelligence. This is by design.
Workspace ONE Intelligence can continuously monitor the health of the Workspace ONE UEM > Apps data imported into the system and autocorrect the data when there is a mismatch. In the above case, if the application installation counts are off, Intelligence will be able to reimport data for the selected devices.
This feature has been implemented in Workspace ONE UEM release v2102 and back-ported to Workspace ONE UEM v2101, 20.11.0.27 and 20.10.0.18 behind a feature flag. Please use the version agnostic script posted here to enable the feature flag in Workspace ONE UEM v2101, 20.11.0.27 and 20.10.0.18. To learn more about this feature, please visit this article for details.
Dark Mode supported with Android 10+ With this release, Hub will allow end-users device/OS level settings for Dark Mode. It doesn’t any more need administrators to enable or toggle on Dark Mode in the Hub Services Console. Administrators can configure Dark Mode logo and accent colors in the Hub Services branding page to provide end-users with the best Dark Mode experience that aligns with their Organization branding. Note: Dark Mode is already supported on iOS/iPadOS 13+ versions.
Native UI for the For You Tab along with other notification enhancements Native UIWe are introducing a revamped For You Tab experience. In this version, we switched from a web-rendered notifications to a native notifications experience. This means that the experience in the For You Tab is now more responsive and consistent with Android UI framework. Also, the data is cached locally so you can still view received notifications and those in the History section offline.
Persistent Notification (Sticky Card) We heard from many of you about the need for daily corporate communication during this pandemic. To cater to this need, we are introducing a new type of notification called persistent notification. A persistent notification is a sticky notification card that will persist on top of the For You page in the Intelligent Hub for a defined duration of time. Once the duration of time defined by you expires, this sticky notification card will be moved to the History page automatically.
Rebranded Passport to Digital Badge The admin console and user mobile experience have been updated to state “Digital Badge”. The current functionality of the feature remains unaffected.
Decrease Knox License Activation Time Available on Xcover Pro devices running G715U1UEU8BUE7 or later (Android 11 build released in late May), and will be available on other devices in a future OS update.
Security Logging for Fully Managed Devices Steps to configure:
In the WS1 UEM Console, go to Device Details and send a Request Device Log command
Select Security as the log source
Once logs have been reported by the device (this can take up to 120 minutes), they will be available in Device Details > More > Attachments > Documents
Important Notes:This feature is supported on Android 7 and higher, fully managed devices
The console currently shows 90 minute increments for the duration options, but Security Logs work in 120 minute increments. This is a known issue which will be fixed in a future console release.
If the device was enrolled via ADB (using set-device-owner) or via Zebra StageNow, then the device will require a reboot before Security Logging can be enabled.
Usage of ‘EMM Managed Access’ Flag to allow/block access to Workspace ONE SDK apps on Android (85501)
Today, there is a gap on Android devices with COPE and Work Profile enrollment, where end-users can install SDK apps like Boxer, Content, Web, and Notes on the personal container. When this happens, the device does not report these apps as ‘unmanaged’ to Workspace ONE UEM. In this scenario, these SDK applications continue to access corporate resources.
To overcome this gap, SDK applications will now receive the ‘EMM Managed Access’ flag configuration. If the ‘EMM Managed Access’ flag is enabled for these applications and if theese apps are unmanaged by sideloading or downloading from the play store on the personal container, then access to these apps will be blocked. SDK apps inside the work container are not affected.
You can control access to all SDK apps, except Intelligent Hub, using the ‘EMM Managed Access’ flag when the applications are in an ‘unmanaged’ state on Android devices. This capability is available with Workspace ONE UEM console version 20.10 and SDK apps using SDK version 21.07 or higher.
If you have Android devices with COPE or Work Profile enrollment and are deploying Workspace ONE SDK applications (other than Intelligent Hub), you can restrict access to these apps on the personal container of the devices, with apps using Workspace One SDK version 21.07 (or higher) and with UEM Console version 20.10 (or higher).
You can selectively configure from the App Assignment screens which Smart Groups would be enforcing the “EMM Managed Access” flag (as depicted in the screenshot below). The SDK apps will receive this config and compare it with the management mode of the app on the device.
If the flag is enabled and the app is inside the work container(managed), the end-users can access the corporate content. If the flag is enabled and the app is in the personal container (unmanaged), end-users can’t access the application.
HUBI-6678 – Shared devices are unable to log out of Hub and are seeing a network error (85545)
Users on shared devices may see “Error Network Connection Lost” when trying to check a device back in
Our product team has been engaged and a fix is scheduled to be released in an upcoming release. To get early access please make sure you join the Intelligent Hub beta at beta-ea.vmware.com/key/getbeta
Workaround: If you are unable to wait until our next release, and are on AirWatch only / UEM only environments, you can disable Intelligent Hub Catalog/Hub Services related settings in UEM. This can be found under AirWatch Catalog under Apps Settings in UEM. If this does not work, please wait until our next release.
Workspace ONE Intelligent Hub 21.07 for Android continues to prompt with “Hub settings have been updated” screen (85508)
Workspace ONE Intelligent Hub 21.07 for Android continuously prompts with a “Hub settings have been updated” screen.
If the Access/Hub Services URL has a trailing slash in the Workspace ONE UEM environment, Workspace ONE Intelligent Hub 21.07 for Android is doing a URL comparison and the comparison incorrectly detects a change.
When a change is detected, Hub presents the “Hub settings have been updated” screen.
The comparison fails because the stored URL is sanitized (i.e. trialing slash is removed when saved) while the received URL from the server contains a slash.
[Resolved] AGGL-10465: User based accounts are always used when migrating Zebra devices to Work Managed using the Android Enterprise migration tool (85202)
When utilizing the migration tool to migrate Zebra devices from device administrator/ Android (legacy) to Work Managed, the Google accounts created on the device are always ‘user based’. This occurs even if “Google Account Generation for Corporate devices” is set to “Device Based” under Settings > Devices & Users > Android > Android EMM Registration > Enrollment Settings.
On the device, this leads to the Google account on the device getting expired. An error message that states “Work Managed Expired” will be seen in the Intelligent Hub, as shown below:
There are limits on how many devices can use a “user based” account (<=10 devices). If the same enrollment user is used on many devices (>10), public app management will not work on devices past the limit, as the Google Accounts on these devices can be invalidated.
The issue is resolved in Workspace ONE UEM Console 2107 (patch to previous versions pending) and Intelligent Hub for Android v21.07. It is recommended to upgrade to these versions of the UEM Console and Intelligent Hub prior to migrating devices. The fixes in these versions are to ensure this issue does not occur for future migrations. If devices have already been migrated prior to these versions and have run into this issue, please open a support ticket to correct the account on these devices.
We’ve added the Users tab for mobile apps using Workspace ONE Intelligence SDK.
If you’ve set user names on the app details page, you can now view your complete list of users and get a summary for each user. Refer to our SDK documentation on how to set user names. For every user and associated device, you can track the following:Errors users have experienced (crashes, network errors, handled exceptions)
User flow data
App usage
Workspace ONE Intelligence no longer supports viewing the console in Internet Explorer 11.
A denial of service vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
VMware Workspace ONE UEM REST API contains a denial of service vulnerability. VMware has evaluated this issue to be of ‘Moderate‘ severity with a maximum CVSSv3 base score of 5.3.
A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting.
Fixes for CVE-2021-22029 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ in the VMSA.
Workspace ONE on iOS (Boxer, Content, Web) showing “App access denied” screen when “EMM Managed Access” flag is enabled. (85512)
Usage of the ‘EMM Managed Access’ Flag to allow/block access to unmanaged SDK apps was introduced in Workspace ONE UEM version 20.10 and above. When the “EMM managed access flag” is enabled in Workspace ONE UEM console 20.10 and above, check if WS1 apps (Boxer, Content, Web) are installed directly from the App Store (not from the HUB app catalog). If apps are unmanaged, they will present an “App access denied” screen.
What are managed apps?
If applications are installed from the HUB App Catalog, the applications will be managed and no issue will be seen.
What are unmanaged apps?
If WS1 applications (Boxer, Content, Web) are installed and configured directly from the App Store or side-loaded without the HUB App Catalog, these applications become unmanaged.
Workspace ONE Hub Services updates include (Workspace ONE Cloud updates available in few weeks)
Pre-Hire Prompt to Install Workspace ONE Intelligent Hub App
Pre-hire users who are using Workspace ONE Intelligent Hub via a web browser for onboarding will start seeing a banner prompting them to install the Workspace ONE Intelligent Hub native app.
This will take the user through the process of installing the app and getting logged in.
This feature is enabled by default, if you do not want your pre-hire users to see this banner, you can disable it on the Onboarding templates page using the “Hub Install Promo Banner” setting in the Hub Services console.
Once again, Apple virtualized its Worldwide Developer Conference (WWDC) and announced the fall release of iOS/iPadOS 15, macOS Monterey (12.0), and tvOS 15. This document will be your guide to all of the updates and any preparations to make for your organization’s Workspace ONE environment.
The anticipated release timeline for these updates is likely similar to past years. This means it is reasonable to expect a mid to late September release for iOS/iPadOS 15 and tvOS 15, with macOS Monterey following shortly after in late September or early October.
Learn more about known issues, changes and compatibility requirements.
VMware Workspace ONE UEM End of Availability for Samsung E-FOTA (85472)
With the introduction of Samsung Knox E-FOTA One, management of Samsung firmware updates has moved into a separate console, which is offered and maintained by Samsung. Knox E-FOTA One offers many capabilities and granular configurations that were not available with the integrated E-FOTA for MDM solution in VMware Workspace One UEM.
Because E-FOTA One is currently available, and Samsung has published the End-of-Service notification for E-FOTA on MDM, linked below, VMware will be removing the Samsung E-FOTA for MDM integration from the VMware Workspace One UEM console in July 2022.
Customers using Samsung E-FOTA for MDM in the VMware Workspace One UEM Console can check the Migration Guide, linked below, or reach out to Samsung about migrating to Knox E-FOTA One. Per Samsung’s End-of-Service notification, after July 31, 2022, customers will no longer be able to manage Samsung firmware updates in Workspace One UEM.
Customers using Samsung E-FOTA for MDM in the VMware Workspace One UEM Console can check the Migration Guide, linked below, or reach out to Samsung about migrating to Knox E-FOTA One.
The VMware Workspace ONE Launcher Version Information (85488)
The VMware Workspace ONE team’s goal is to ensure we have the broadest coverage on the existing install-base of devices in the ecosystem while ensuring customers operate in the most secure environments possible. Therefore, it is always recommended to deploy the latest software version to ensure you have the most current security vulnerability fixes.
Starting with Workspace ONE UEM 21.09, seeded Launcher versions starting with 1.* and 2.* will be hidden from the seeded Launcher list. If an environment currently has a Launcher version 1.* or 2.* selected, there will be no change to the selection until you choose a new version. Once you choose a new version 3.0+, you will no longer be able to select versions 1.* or 2.*. Note, this action cannot be undone.
End of support for unencrypted HTTP in Workspace ONE Intelligent Hub for Android (85430)
In order to continue the Workspace ONE’s commitment to securing our applications and the enterprise data of our customers, unencrypted HTTP traffic will be globally blocked in a future release of Intelligent Hub after March 1st 2022.
Currently, Workspace ONE Intelligent Hub for Android supports unencrypted HTTP traffic in some configurations.
The default policy for Intelligent Hub is to always use HTTPS, where available, but the application allows the administrator to selectively configure HTTP for a small set of features. It is highly recommended to ensure any features utilizing HTTP are secured with HTTPS instead.
The Intelligent Hub for Android release in March 2022 will globally block unsecured HTTP connections.
The below behavior changes may be seen in the release of Intelligent Hub for Android that begins to block unencrypted HTTP traffic, this list is not exhaustive and it is recommended to ensure any manually configured URLs are secured with HTTPS.
Managed Android applications hosted on the Workspace ONE UEM Console and distributed as “Internal Apps” can be downloaded by Intelligent Hub over a Content Distribution Network (CDN) over HTTP if configured to use HTTP by the administrator. If CDN is configured to use HTTP instead of HTTPS, applications will not be downloaded and installed by Intelligent Hub.
By default, CDN is setup to use HTTPS and there would be no impact to this functionality.
Using a Date/Time profile for Android devices can connect to a time server over HTTP to sync the Date/Time settings, if using unencrypted HTTP to sync the time is configured in the profile any new sync request would fail.
Any product provisioning downloads from Relay Servers over unencrypted FTP will fail.
In addition to the above features, any general redirects using HTTP will be blocked by Intelligent Hub.
Device data between discrepancies Workspace ONE UEM and Workspace ONE Intelligence (83857)
Workspace ONE Intelligence and Workspace ONE UEM display different counts of devices installations when compared.
The difference in counts can be due to the following reasons:
The query used to make the comparison in Workspace ONE UEM and Workspace ONE Intelligence is not the same, which can result in different results populating.
The Workspace ONE UEM Device List View does not include peripheral devices like Printers, however Workspace ONE Intelligence does.
Device management commands on Android devices may fail when using Workspace ONE Intelligent Hub 21.07 for Android (85438)
When pushing multiple apps and profiles to a device at the same time (for example, during a new enrollment, or when a user checks out a shared device), some or all of the app and profile installation commands might fail. This issue is specifically seen when one of the apps being pushed to the device is in an internal app.
From Device Details View > Troubleshooting, you will see Install Commands acknowledged however the concerned resources remain not installed.
The product team is engaged and working on a resolution. The staged rollout for Intelligent Hub 21.07 for Android has currently has been halted at 50%.
The console action to individually push an app or a profile to a device can be used to force install the concerned app or profile on the device.
Pre-req: managed account on Exchange server – On-Premises or Office 365
Pre-req: email classification is enabled and configured in the UEM console
Introduces new value for KVP PolicyClassMarkingsRequired (enum)2 – for external messages only
When PolicyClassMarkingsRequired is set to 2 (enabled) and when the recipient is outside the organization:if no classification is selected, the send button will be disabled
If the user tries to send a message to external recipients and they haven’t applied a classification, the user will see a notification message
All recipients who are outside the external recipients allowlist will be treated as external recipients
Announcing SaaS Availability of VMware Workspace ONE UEM Console 2107 Cloud Only
VMware Workspace ONE UEM Console 2107 Cloud Only is available to Shared SaaS and Dedicated Latest SaaS customers as of August 12, 2021!
What’s New?
Support for Apple Silicon in Smart Groups. Workspace ONE UEM now supports filtering by CPU Architecture in Smart Groups for macOS devices. You can define Smart Groups based on Intel (x86) or Apple Silicon (arm64) processor types. We have also updated the Device List View filter and the Device Details page to include the new CPU type. Support for filtering Windows devices by CPU type will be in a future release. For more information, see Support for Apple Silicon Macs.
We’ve made a few modifications to the CDN configuration to improve ease of use. We enhanced the test connection functionality of the CDN configuration to include checks for user account permissions. We have also published a CDN configuration tool that can be used independently of the Workspace ONE UEM console. The new tool makes it easier for on-premises customers to set up their origin servers. You can find the tool on My Workspace ONE. For more information, see Workspace ONE UEM and Akamai Integration Workflow.
We’ve bid farewell to Windows Phone. As Windows Phone has reached the End of General Support, we have removed all instances related to it from the Workspace ONE UEM console. We no longer support the management of this phone model. To know more, see the End of support announcement.
Build your own baselines for Windows 10 without using a pre-configured template. You no longer need a template to create baselines in Workspace ONE UEM. You can now create baselines from scratch by simply selecting policies from our policy catalog. Select the appropriate Windows 10 version in the creation wizard, then select your policies from the policy catalog. Baselines can be found in Workspace ONE UEM under Resources > Baselines. For more information, see Using Baselines.
Launcher Check In/Check Out added as an Event Action condition. Your Android device Launcher can now be polled by an Event Action, and execute it’s Run Intent based on whether Launcher is checked in or checked out. For more information, see Event Actions
AGGL-10579: Android Permission Profile crashes when saved within DDUI Profiles (85424)
The Workspace ONE UEM console crashes when trying to save Android permission profiles created using the new Data Driven UI (DDUI) profile framework. This happens as soon as an admin selects Save & Publish. The behavior also occurs regardless of what is configured in the profile.
Note: This issue occurs only when using the new Data Driven User Interface (DDUI) for Android profiles, which is currently in rollout across Workspace ONE UEM 2105 SaaS environments.
Permissions profile for Android Enterprise devices cannot be created and published to devices.
The Product Team is engaged and is working on a resolution. The DDUI profile rollout across SaaS has been paused until the issue is resolved.
HUBI-6587: Workspace ONE Intelligent Hub 21.07 for iOS may get stuck on “Configuring Hub” screen (85372)
iOS end users may get stuck on “Configuring Hub” as they attempt to enroll into Workspace ONE UEM using Workspace ONE Intelligent Hub 21.07 for iOS.
One cause of this is when Hub application does not handle select transitional enrollment states.
Additionally, the Hub application may get into such a state if there is no SDK profile assigned to the Hub application in the Workspace ONE UEM console (i.e. SDK Profile set to None).
Our product team has been engaged and is actively working to resolve the issue.
Additionally, Workspace ONE UEM Administrators should ensure that a SDK Profile is assigned to Hub by navigating to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS > Intelligent Hub Settings > SDK Profile > SDK Profile
ESC-24178: Addition of iOS public applications and books fails intermittently (77545)
Workspace ONE UEM environments may experience the following issues:
Adding an iOS application under Apps & Books > Native > Public, may fail with an “undefined” error shown in the console
Syncing iOS applications procured through Apple’s Volume Purchase Program (VPP) to Workspace ONE UEM may result in them shown as “Unknown” with App Type set to “Custom B2B”
This issue is intermittent in nature.
Customers may not be able to add and deploy new iOS Public applications (pre-21.5.0.9 only)
Customers may not be able to sync and deploy new iOS VPP applications (pre-2102 only)
Previously added or synced applications are not impacted.
This issue is resolved for VPP applications in the 2102 release of Workspace ONE UEM. This issue has been resolved for public applications in the patched release of 21.5.0.9 of Workspace ONE UEM.
If you are on an environment between 2102 and 2105, the current workaround is to deploy Apple applications using VPP in Workspace ONE UEM.
Support standalone enrolment for Workspace ONE Web.
Web can now be used in standalone enrolment mode and doesn’t necessarily require Hub to be installed on the device.
Support to send Workspace ONE Web application logs from device to UEM.
End user will now get an option to send the Web application logs to UEM console through the new option ‘Send logs to administrator’ on the support page. This is particularly helpful in extracting logs from Web for diagnostic purposes when Web is used in single app mode.
Added the ability to override device traffic rules for split DNS. Internal DNS resolution can now be specified through the use_internal_dns_for_domains key-value pair. The domains specified here are resolved internally and all other domains are resolved externally.
Component: Workspace ONE Assist for VMware Horizon 21.06 Windows 10 Agent
New Release: 21.06
Changes:
Download the Assist for Horizon – Windows 10 Agent from the Resource Portal in My Workspace ONE by using the following link. Ensure that the application is installed on your Windows 10 Virtual devices.
