Thank you for navigating to my Blog. You’ll find here news and updates around VMware Workspace ONE. The content in this blog doesn’t necessarily represent VMware’s positions, strategies or opinions. While Best Practices or Product related information are described in some post on this blog, they may not apply to your individual customer setup or be error free. In case of doubt, always engage your VMware contact.
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
Workspace ONE Access Services updates
Directory Sync Frequency Updates The interval between synchronization times has been made more flexible and will let administrators to choose between setting hourly synchronizations or synchronizations every 2, 6, or 12 hours. Administrators can also choose to set their sync frequency to be less often with daily or weekly intervals.
Shift-based conditional access policies in Workspace ONE Access to support Shift-based Access to Workspace ONE Digital Workspace Shift-based access control with Workspace ONE enables your company to deliver a digital workspace that is shift aware. Shift-based access control restricts the use of different product apps and features when a worker is not clocked-in for their shift. In the Workspace ONE Access console, you can configure Shift-based Auth as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift. The authorization is applied after workers are authenticated with a first factor authentication method based on your access policy rules.
UEM Token Device Enrollment Authentication Method The UEM Token authentication method allows customers to seamlessly change the source of authentication from Workspace ONE UEM to Workspace ONE Access for device enrollment of the Workspace ONE Intelligent Hub for iOS and Android. Devices that are on registered mode and Android devices, which do not have a Workspace ONE UEM certificate at time of enrollment, can be identified and authenticate with Workspace ONE Access. This feature addresses the previous problem of duplicate authentication and provides the most seamless transition for Workspace ONE UEM customers to Workspace ONE Access yet and does not impact existing enrolled devices.
Time-based One-Time Password (TOTP) Authentication Now Available in Workspace ONE Intelligent Hub iOS and Android Workspace ONE Intelligent Hub for iOS and Android brings support for adding and generating Time-based One-time Passwords or TOTP. End users with a QR code or the secret key for an account can register that secret key with Workspace ONE Intelligent Hub to allow for the generation of Time-Based One-Time Passwords. This does not require an internet connection. End users can find this functionality in the app’s Account screen under “Two Factor Authentication” by tapping on the icon at the top of the app in any of the screens, if users have Hub Services, and in the main screen if in UEM-only mode. This functionality is not supported for multi-staging users where the device is passed around for multiple users because of TOTP’s fundamental security feature of access to the device.
Bypass multipleauthn SAML attribute claims in WS-Fed active flows The multipleauthn SAML attribute will no longer be passed in active federation flows.
View End-user Notification Engagement Analytics in Workspace ONE Intelligence Admins can view notification engagement analytics of their end-users’ interactions of Intelligent Hub notifications in Workspace ONE Intelligence. This includes notification metrics like viewed, opened, dismissed, and actioned on. To enable this ability, authorize the Hub Services connector in Intelligence. You can then build dashboards to visualize the notification engagement analytics. You can also navigate to this website to leverage predefined notification analytics dashboard templates. Note: We currently collect notification analytics from Hub Web portal, Windows Hub, and macOS Hub.
Send Intelligent Hub Notifications from Workspace ONE Intelligence Automation Workflows Hub notification action is now available as an action when configuring automation workflows in Workspace ONE Intelligence. Leverage the Hub Services notification action to target and send Hub notifications to devices about apps, devices, remediation resources, updates, and more. The Hub notification will appear in the For You tab in Intelligent Hub.
Simplified Notification API in Beta We’re introducing a simplified Notification API that external systems can leverage to send Intelligent Hub notifications to users and devices. The new Notification API reduces integration steps by allowing external systems to send a notification by providing a well-known identifier – either a userGroup name or a SmartGroup name/id. If interested in testing this API, please reach out to your VMware contact to connect with the product team.
URL Content Redirection does not work for Third Party Application on macOS 13 Beta. (89470)
The input URL within Third Party Application can’t be redirected from Mac client to agent side on macOS 13 beta.[Reproduction Steps] 1. Launch Mac Client on macOS 13.0 Beta 2. Login to Horizon Server 3. Click using the URL Filter Application as the Third Party Application 4. Open the configured URL in the Notes 5. URL is not redirected to agent side
This article provides URL Content Redirection troubleshooting steps.
“Max session bandwidth” of the DEM Horizon Smart Policies does not work on first connection. (89526)
When you connect to VDI with “Max session bandwidth” configured in DEM Horizon Smart Policies, it does not take effect and uses the default value “1000000”.
However, when you reconnect to the session, it is working as configured.
This is a known issue.
Blast can only apply the MaxBandwidthKbps setting if the registry value is written before the session begins.
DEM won’t be able to provide Horizon Smart Policies before the session begins, as we process this config during login.
Jetzt Registrieren: Enduser Computing Webinare im September und Oktober
Live-Webinar: Mobile Threat Defense im Kontext von Workspace One Mittwoch, 28. September 2022, 10:00 Uhr Speaker: Yana Petrova
Live-Webinar: Ist VMware Horizon die bessere Plattform für Desktop & Applikationsvirtualisierung? Mittwoch, 05. Oktober 2022, 10:00 Uhr Speaker: Stefan Metzger
Live-Webinar: Innovation am Remote-Arbeitsplatz: ‚Work from Anywhere’ mit Virtual Reality und Workspace ONE Mittwoch, 12. Oktober 2022, 10:00 Uhr Speaker: Julius Lienemann
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
Getting Ready for Apple Fall 2022 Releases
On June 6th, 2022 Apple announced at their World Wide Developers Conference (WWDC) the upcoming releases of iOS 16, iPadOS 16, tvOS 16, and macOS Ventura (13.0). This document will provide guidance on all the upcoming Apple updates and any impacts this may have on Workspace ONE.
The anticipated release timeline for these updates is similar to previous years. We anticipate a mid to late September release for iOS 16, iPadOS 16, and tvOS 16, with macOS Ventura releasing shortly after in late September or early October. – iOS16 being available since Sep. 12th
The docs.vmware information is derived from Apple’s WWDC information sessions. These sessions are available on-demand through Apple’s Developer Program at developer.apple.com. This site also contains information on how test the upcoming releases.
The Workspace ONE AirLift tool will reach end-of-support (EoS) effective immediately and end-of-availability date (EoA) on October 31st, 2022. The Workspace ONE AirLift tool will be removed from the Workspace ONE portal on this date. Current Airlift installations will no longer be supported and no new updates will be made available.
The Workspace ONE AirLift tool was used to accelerate deployments off of SCCM by providing an easy way to migrate applications and policy into Workspace ONE. While this tool did provide some value in migrating applications, the value found in migrating Group Policy was limited. VMware is committed to supporting those applications and policy migrations through investment in advanced tooling hosted on VMware {code} and new Baseline policy configurations within Workspace ONE.
Customers who have Workspace ONE AirLift should no longer leverage the tool for application and policy migration.
For customer looking to migrate applications, VMware has made app upload scripts available on VMware {code}. This code leverages the same Workspace ONE APIs and will provides admins with an automated way to migrate a large number of applications. VMware has also written a step by step guide on using Workspace ONE APIs to upload Windows applications. For policy migrations, VMware recommends customer leverage Workspace ONE Baselines . Workspace ONE UEM curates industry-recommended settings into one Baseline configuration to simplify securing your devices. Baselines reduce the time it takes to set up and configure Windows devices. By moving to Baselines, customers will also avoid migrating legacy Group Policy that is prevalent in many legacy environments.
URL Content Redirection does not work for Third Party Application on macOS 13 Beta. (89470)
he input URL within Third Party Application can’t be redirected from Mac client to agent side on macOS 13 beta. [Reproduction Steps] 1. Launch Mac Client on macOS 13.0 Beta 2. Login to Horizon Server 3. Click using the URL Filter Application as the Third Party Application 4. Open the configured URL in the Notes 5. URL is not redirected to agent side
This article provides URL Content Redirection troubleshooting steps.
End user connection fails when WorkspaceONE only mode used for Horizon (89006)
The below error is seen: “This Horizon server expects to get your logon credentials from another application or server, not directly through the client login screen. If you usually access Horizon from another application, please launch that application.”
General troubleshooting: Check Horizon connection server debug logs for more error details. Sometimes it may fail at workspace connector end during SAML resolution. Check on below: Timestamp of WorkspaceONE appliance and Horizon are in sync
Jetzt Registrieren: Enduser Computing Webinare im September und Oktober
Live-Webinar: Was macht den Anywhere Workspace bei VMware aus? Ein Blick hinter die Kulissen Mittwoch, 21. September 2022, 10:00 Uhr Speaker: Arkadiusz KrowczynskiLive-Webinar: Mobile Threat Defense im Kontext von Workspace One Mittwoch, 28. September 2022, 10:00 Uhr Speaker: Yana PetrovaLive-Webinar: Ist VMware Horizon die bessere Plattform für Desktop & Applikationsvirtualisierung? Mittwoch, 05. Oktober 2022, 10:00 Uhr Speaker: Stefan MetzgerLive-Webinar: Innovation am Remote-Arbeitsplatz: ‚Work from Anywhere’ mit Virtual Reality und Workspace ONE Mittwoch, 12. Oktober 2022, 10:00 Uhr Speaker: Julius Lienemann
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Component: Workspace ONE Intelligent Hub for Android
New Release: 22.08
Changes:
Generate Time-based one-time password
Customers who have previously used VMware verify as their 2FA app will be able to use Intelligent Hub to get their Time-Based One-Time Password (2FA code).
Support for Survey Notifications
Users can now take surveys with different question types – NPS, free form text, multi choice etc. within Intelligent Hub app.
Survey will be sent as a notification to end users on Intelligent Hub and end users can find it in the For You tab.
AGGL-12899: Time mentioned in System Updates profile changes to AM from PM after save and publish, when UI Locale languages is Japanese, Chinese, or Korean.
AGGL-12887: URL Blocks & Exceptions in Chrome Browser Profile disappeared with data loss (upgrade from 2102 to 2203)
AGGL-12898: Time mentioned in System Updates profile changes to AM from PM after save and publish when UI locale languages is Japanese, Chinese, or Korean.
INTEL-42182: ETL-Design the ability to enable CDC based exports in AWS RDS.
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
Getting Ready for Apple Fall 2022 Releases
On June 6th, 2022 Apple announced at their World Wide Developers Conference (WWDC) the upcoming releases of iOS 16, iPadOS 16, tvOS 16, and macOS Ventura (13.0). This document will provide guidance on all the upcoming Apple updates and any impacts this may have on Workspace ONE.
The anticipated release timeline for these updates is similar to previous years. We anticipate a mid to late September release for iOS 16, iPadOS 16, and tvOS 16, with macOS Ventura releasing shortly after in late September or early October.
The docs.vmware information is derived from Apple’s WWDC information sessions. These sessions are available on-demand through Apple’s Developer Program at developer.apple.com. This site also contains information on how test the upcoming releases.
Deprecation of AirWatch Historical Widgets within Workspace ONE Intelligence (89394)
AirWatch Historical widgets are being deprecated within Workspace ONE Intelligence. Why is this being deprecated? The current implementation of AirWatch Historical only stores the full record of state changes. Storing the full record introduces a limitation as it tracks all changes to the state, including edits. As a result, historical widgets face data accuracy challenges due to its inability to truly track change events. For instance, when tracking the total number of apps installed per day, AirWatch Historical will count any changes to a currently installed app as a new installation due to the implementation method. This in turn, misrepresents the actual number of apps being installed a day, resulting in inaccurate data for the widget.
What does deprecation mean for users? Users will only be able to view or delete the impacted AirWatch Historical widgets. They will NOT be able to edit, copy, duplicate, or rename the impacted widgets. Additionally, users will NOT be able to create any new AirWatch Historical widgets. Which widgets are impacted? Widgets using data from the following list will be impacted:
Workspace ONE UEM -> Apps
Workspace ONE UEM -> Devices
Workspace ONE UEM -> Windows OS Updates
Workspace ONE UEM -> Device Risk Score
Workspace ONE UEM -> Device Summary Risk Score
Workspace ONE UEM -> User Risk Score
Impacted widgets will also be labeled with a ‘Deprecated’ pill to make it easier for users to identify.
Workspace ONE Email Notification Service 2 (ENS2) experiencing sporadic connection errors due to the unavailability of the RDS database (89432)
ENS2 Virginia Database was migrated on 27th August to a Multi-AZ configuration. After the migration, the Workspace ONE Team began seeing database connection errors due to a sporadic unavailability of the RDS database. While the Workspace ONE Team works with our partners to identify the root cause, the team will be reverting to a previous version of the database.
Since ENS2 relies on Exchange to maintain subscriptions and Exchange is prone to losing subscriptions frequently for unknown reasons, it is possible that many users may lose subscriptions due to the migration.
The team will be creating a mock API to keep sending acknowledgements back to the Exchange whenever there is an event pushed from Exchange to ENS2, to reduce chances of losing the active subscriptions.
HW-164237 Hotfix for 22.05.0.0 Workspace ONE Access Connector, Resolution for OpenJDK 11.0.5 does not work correctly with StartTLS protocol. Upgrade to OpenJDK 11.0.16. (89428)
Active Directory Connections using StartTLS option may not work as expected with Workspace ONE Access Connector 22.05.
The patch allows you to upgrade the packaged OpenJDK to version 11.0.16, in order to resolve the issue.
Known Issue in OpenJDK 11.0.5 packaged with Workspace ONE Access Connector 22.05.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Component: Workspace ONE Intelligent Hub for Android
New Release: 22.08
Changes:
Generate Time-based one-time password
Customers who have previously used VMware verify as their 2FA app will be able to use Intelligent Hub to get their Time-Based One-Time Password (2FA code).
Support for Survey Notifications
Users can now take surveys with different question types – NPS, free form text, multi choice etc. within Intelligent Hub app.
Survey will be sent as a notification to end users on Intelligent Hub and end users can find it in the For You tab.
Autonomous workspaces “proactive, data-driven automations that are self-driven by the digital workspace platform, better ensuring your organization’s desired state across management, security, and end-user experiences. Requiring limited to no manual interaction, autonomous workspaces will deliver self-configuring, self-healing, and self-securing outcomes for your workspace.”
Freestyle Orchestrator will be expanding to include support for mobile devices.
Windows multi-user support is currently in Tech Preview of Azure AD-based deployments, and will be extended to Active Directory-based deployments.
Updates for Workspace ONE XR Hub
Updates for thr integration between Intel vPro and Workspace ONE
Updates for desired state management for mobile
Updates for data-driven user interfaces in the UEM console
Updates for ChromeOS.
Announcing the Workspace ONE Cloud Marketplace, which will feature dashboards, widgets, reports, Freestyle Orchestrator workflows, and other resources that can be imported to help customers adopt additional solutions.
VMware Next-Gen Horizon Cloud was announced at VMworld 2021, went into Limited Availability in spring of 2022, and is now Generally Available for Horizon Cloud environments on Microsoft Azure.
unique “thin-edge” architecture that drastically reduces the amount of infrastructure deployed in your environment
enables several unique management capabilities, including out-of-band management for devices that are powered off or have operating systems that are not functioning
announcing a partner program to help customers take advantage of this integration.
MACOS-3266 – Workspace One UEM – WIFI profile with multiple credential payloads fails to install on macOS devices ( Error: 107 Invalid profile) (89423)
WIFI profiles for IOS MAC devices that are configured with more than one credential payload may fail to install on devices.
From the troubleshooting tab (device view -> more -> troubleshooting) for an affected device in the UEM Console the ‘install failed’ notification should show an error similar to:
Additionally in the device hub logs for the profile install event you may see the same error:
2022-30-08 16:47:05+0530 Error 20991 mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] [ErrorChain.0] (InstallProfile) [ConfigProfilePluginDomain:-107] Invalid profile: the PayloadUUID “86d0e0e6-ee0a-4881-b728-c6b08800a5a2” is used more than once in the profile.>
Version Identified: Workspace ONE UEM 22.06
This issue is resolved in version 22.06.02 (Existing profiles will need to be manually addressed – see workaround section below). On-Premise customers can download the latest patch in the resources portal here . SaaS customers can request for their environment to be patched.
CMEM-186691: PowerShell email management integration may not work with Workspace ONE UEM 2206 (89373)
With Workspace ONE UEM console 2206, PowerShell email Integration (MEM) may not function as intended. PowerShell Test Connection may not work. The following error can be observed in the UEM console log:EXCEPTION *** AirWatch.AirWatchException: User credential of the remote PowerShell server contains the special characters. At AirWatch
Workspace ONE UEM 2206
Newly enrolled devices may not be allowed to access email automatically through MEM PowerShell commands
The email configuration will be removed for any unenrolled device, but a block command will not be sent.
‘Sync Mailboxes’ and ‘Run Compliance’ actions will not work.
Devices with existing access to their mailbox will continue to work.
Our product team has been engaged and is actively working to resolve the issue. Please follow this KB for updates.
Administrators can initialize a manual PowerShell session and manage user or device access as desired. Please refer to this page for more information.
Provisioning of full clone encrypted VM’s fails on vSAN with default policies (89371)
When provisioning encrypted full clones through View on vSAN you see the following error message in vCenter: ““Changing or applying VM Storage Policies with Data Service capabilities during clone operations is disallowed. VM Storage Policies with Data Service capabilities can be assigned to the provisioned VM after the clone operation has been completed and before the VM has been powered on”
The reason for the error is due to the policies that View creates on vSAN environments. These policies by default do not take encryption into account and do not create with an encryption policy
When using encrypted full clones please enable encryption on the following storage policy created by View for vSAN environments:FULL_CLONE_DISK_FLOATING_uuid-value-goes-hereExample:FULL_CLONE_DISK_FLOATING_d960c469-594e-4e82-a345-8bebc0eea226This will allow for the VM to get the correct encryption key that was assigned to the template when creating the full clone.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Support for historical S/MIME certificates with DISA Purebred
This feature provides support for storing more than one S/MIME certificate when using PIV-D and Purebred.
End users can access older emails that were encrypted with different certificates.
To activate or deactivate the support for historical S/MIME certificates with DISA Purebred, use the Historical S/MIME toggle button in Settings > Advanced > Enable features. By default, this feature is activated.
Component: Workspace ONE Intelligent Hub for Linux
New Release: 22.06
Changes:
Web Enrollment: Users can now walk through a web-based wizard to streamline the WS1 Intelligent Hub download and enrollment process. This wizard also supports integrated authentication, so WS1 Access, SAML, or any other integrated modern auth can be used to enroll a user’s Linux device in WS1 UEM.
Application Sampling: The application tab in the Device Details view now reports on desktop applications that are installed on enrolled linux based endpoints, including the version information.
Disk Encryption Detection: Workspace ONE now identifies whether or not full disk encryption (using LUKS) is enabled on an enrolled Linux device.
Additional Sensor Triggers: In addition to triggering sensor retrieval during device check-ins, IT admins now have the option of triggering a sensor based on login, logout, startup or network changes on enrolled linux devices.
Automated Hub Upgrades: IT Admins now have the option of enabling Hub upgrades to occur automatically when new versions are released.
Remove Additional Dependencies on Puppet: Puppet open source is now only required for processing custom configuration profiles; not Wi-Fi or Credentials payloads as was the case previously.
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
Workspace ONE UEM FedRAMP: Upcoming Cipher Suite Update (89312)
Ensuring protection of data-in-transit is a key priority for all communication paths that integrate with Workspace ONE UEM (Unified Endpoint Management). To continue to deliver on that promise, VMware continually reviews and updates the associated cipher suites that are available within our SaaS hosted solutions. In an upcoming change window VMware will be restricting the available cipher suites used on all FedRAMP Workspace ONE UEM hosted endpoints.
Horizon 2206 Connection Server fails to validate the server certificate of a vCenter instance, preventing a successful connection. This can happen even if an older version of Horizon can connect successfully using the same certificate. In the Connection Server debug log, an SSLHandshakeException is logged due to “Certificates do not conform to algorithm constraints.”
In Horizon 2206, the list of acceptable certificate signature schemes has changed and may no longer include the algorithm used to sign the vCenter certificate.
The list of signature schemes can be modified by editing LDAP attribute pae-SSLClientSignatureSchemes under cn=common,ou=global,ou=properties. The format of this attribute is a single string that begins “\LIST:”, followed by one or more comma-separated scheme names. For example: pae-SSLClientSignatureSchemes = \LIST:rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512 It is not necessary to restart any service after making this edit. In the example above, “rsa_pkcs1_sha256” corresponds to SHA256withRSA, “rsa_pkcs1_sha384” to SHA384withRSA and “rsa_pkcs1_sha512” to SHA512withRSA. IMPORTANT: The new list must include at least rsa_pkcs1_sha256 and rsa_pkcs1_sha384 to avoid breaking other outgoing connections.
ESC-33274 – Elevated CPU usage on Workspace ONE UEM Database after upgrade to 2206 (89338)
Upon upgrading to Workspace ONE UEM 2206, your environment may exhibit elevated CPU usage on the database server. This can lead to latency in communications between Workspace ONE UEM and your managed devices
This can lead to performance degradation and latency in device and administrator interactions with Workspace ONE UEM.
Our Product team has been notified and is working to address this issue in a timely manner. Please subscribe to this article to be notified when an update is available. In the interim:
Shared SaaS and Dedicated SaaS (Latest Mode): the rollout of Workspace ONE UEM 2206 has been paused
Dedicated SaaS: The upgrade scheduler has been updated and scheduling an upgrade to Workspace ONE UEM 2206 is temporarily disabled. If you have previously scheduled an upgrade for your Dedicated SaaS environment, you may submit a support request to have the upgrade cancelled/postponed
On-premise: The installer for On-premise customers for this version has been retracted from the myWorkspaceONE portal temporarily
FCA-203819 – Workspace ONE UEM – Access error when navigating to Exports page (89334)
Navigating to the Monitor > Reports and Analytics > Exports page in the Workspace ONE UEM console while logged in with a custom or system role may result in the page not loading and showing a “This door is locked” error.
The Exports page in the Workspace ONE UEM console has been migrated to a new UI framework that requires a specific admin permission to view. Navigating to this page without the proper permission will result in a “This door is locked” error. By default, most system roles will already have this required permissions, but some custom and system roles may not.
Pages that are migrated to the new UI framework require a set of admin permissions to load the components of and give access to the page. Without the correct permissions in the current admin’s role, the page will show a “This door is locked” error.
Our product team has been engaged and is actively working to resolve the issue. Please subscribe to this article to be notified when an update is available.
MACOS-3206 certain Apple Silicon macOS devices leveraging a randomized managed administrator password cannot be accessed with the current password (89299)
This issue affects certain Apple Silicon macOS devices that are enrolled via Automated Device Enrollment with Apple Business or School Manager, if a managed administrator account is configured with a randomized password. In some cases, if you attempt to log into the administrator account with the current password, the log in attempt may fail with an incorrect password.
The Workspace ONE team has engaged Apple and is working to identify root cause and resolution.
If this issue occurs, rotating the password again appears to resolve this issue. This can be done in two ways:
Leverage the Workspace ONE UEM REST API to immediately rotate the managed administrator password for the target device. This can be done with one of the following API endpoints:
Alternately, simply by viewing the current managed administrator password for the target device in the Device Details page of the Workspace ONE UEM Console, a rotate command will automatically be issued to the device after a grace period of 8 hours. After this grace period occurs and you verify that the device has processed the command, attempt to log in using the new password.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Julius Lienemann 