Thank you for navigating to my Blog. You’ll find here news and updates around VMware Workspace ONE. The content in this blog doesn’t necessarily represent VMware’s positions, strategies or opinions. While Best Practices or Product related information are described in some post on this blog, they may not apply to your individual customer setup or be error free. In case of doubt, always engage your VMware contact.
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
HW-156875 – Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager) (88438)
CVE-2022-22972, CVE-2022-22973 have been determined to impact Workspace ONE Access (VMware Identity Manager). These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory – VMSA-2022-0014 , please review this document before continuing
Affected VersionsVMware Workspace ONE Access Appliance: 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
The VMware EUC Research Team wants to better understand the ins and outs of the life of an IT pro in the Support/ServiceDesk space, so we can anticipate your needs and provide solutions that make your job easier. In this survey, you’ll get to tell us about your top Helpdesk requests, challenges, and what metrics are important to you.
At the end, you’ll also have the opportunity to sign up for a virtual Workshop with fellow IT pros in the upcoming weeks where you’ll get to help design!
Generate Installation Token in Certificate Signing Portal (88462)
New Workspace ONE (WS1) customers with an on premise deployment (perpetual licenses) must generate an installation token within the certificate signing portal (found within the My Workspace ONE portal) as part of their initial Workspace ONE UEM install.This token allows them to manually install WS1 UEM on their server.
To go into further detail, the certificate signing portal allows customers to sign a public SSL certificate from their vendor with VMware’s unique security key to ensure secure communication between their organization’s devices and Workspace ONE UEM during device enrollment.
Workspace ONE Windows Health Attestation Unknown Status (88478)
Our Windows Devices are reporting a status of “Unknown” for Health Attestation This article provides a workaround to resolve an OS based reporting issue.
Apple Business Manager now supports Google Workspace
Apple Business Manager organizations that use Google Workspace can now take advantage of directory sync and federated authentication. With directory sync, user records and Managed Apple IDs are created automatically, saving IT admins both time and effort. And with federated authentication, end users can sign in to their Managed Apple ID with their Google Workspace account, making for a seamless login experience to apps like Pages, Numbers, Keynote, Apple Business Essentials, iCloud Drive, and more.
For more information, refer to the Apple Business Manager User Guide.
VMware Tunnel Client Update – Support for Standalone enrollment (88311)
We are excited to share a major update to our VMware Tunnel solution. The Workspace ONE Tunnel clients on Windows and macOS platforms now support Standalone enrollment without Workspace ONE Intelligent Hub or any device management. As a result, there are two Tunnel clients available on macOS and Windows, one for supporting Standalone enrollment and one for existing Hub and MDM workflows. Please read ahead to understand these changes.
macOS Tunnel Client:
The VMware macOS Tunnel application 22.05 delivered through the Workspace ONE Resources Portal supports Standalone enrollment. Note that this client does not support existing MDM workflows or installation on a Workspace ONE managed device. Therefore, the 21.08 client is still available through Apple’s App Store. Please continue using the macOS Tunnel client delivered through the App Store for all MDM and Per-App use-cases/workflows.
Windows Tunnel Client:
There are now two versions of the Windows Tunnel client available on the Workspace ONE Resources portal. The current GA version (2.1.6) supports all existing workflows excluding Standalone enrollment. Client version 3.0 supports Standalone Enrollment and both full device and per-app Tunnel mode. Note that client version 3.0 does not support existing MDM workflows or installation on a Workspace ONE managed device.
Next Steps:
Enabling both the MDM and Standalone enrollment workflows into a single Tunnel client will be provided in an upcoming release version.
Please refer to this KB for information on configuring the new Standalone enrollment feature. The official documentation will be updated shortly with the next UEM release.
Configuring VMware Tunnel Client for Standalone enrollment (88457)
This KB article outlines the the steps required for configuring the macOS and Windows Tunnel clients for Standalone enrollment and corresponding administrator actions to manage Tunnel access.
AAGNT-194622 – Managed App Config for Internal Apps not working on Android 11+ (88463)
Workspace ONE UEM 2204 introduces support for pushing managed application configurations for Internal Applications uploaded through the Apps & Books section of the Console. On Android 11 and 12 devices that are enrolled using Intelligent Hub 22.04.0.30, UEM fails to apply these managed configurations to Internal Applications. This does not affect Android 11 and 12 devices that upgrade from previous versions of the Intelligent Hub application.
Our product team has been engaged and is actively working to resolve the issue.
Unable to use the external mouse support feature after upgrading to iPadOS14 (83205)
Cannot use the external mouse support feature after upgrade to iPadOS14 and enabled “Perform Touch Gestures”. Host cursor cannot be hidden, left-click works like finger tap, etc.
This issue started with iPadOS 14. Enable “Perform Touch Gestures” will convert the events from the pointer devices into which triggered by fingers. Then it will make the external mouse/trackpad not work properly on the remote desktop, but the finger operations are still the same as before without any problems.
Therefore, we recommend that you turn off this option when using an external pointer device.
Turn off the option “Perform Touch Gestures” in system settings while using an external pointer device on a remote desktop.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Authenticator App is a new authentication method available for multi-factor authentication (MFA) that is supported directly by Workspace ONE Access. This MFA is ideal for users with unmanaged devices and requires no collection of personal identifying information (PII). Users can leverage any authenticator app of their choice–such as Google Authenticator, Microsoft Authenticator, Okta Verify, Authy, 1Password–that follows the time-based one-time passcode (TOTP) as defined in RFC 6238 on their own device. TOTP client support will be available on the Intelligent Hub iOS and Android App later this year in Q3.
Continue-on-Failure Authentication Policy
In this release, a new access policy configuration is introduced to control the rule policy execution. You can now create an access policy with rules that let the user authentication progress to the next rule if the authentication fails on the present rule. In the Workspace ONE Access service, regular policy execution terminates when the conditions in the first matching rule are executed. The new rule progression option allows you to progress rule execution to the next matching rule in the policy if the authentication fails on the present rule. A common use of this configuration includes password less authentication policy and alternative authentication rules for different sets of users.
Refreshed Custom Branding Page
When you choose to use the new navigation and the re-designed look of the Workspace ONE Access console, you will see a refreshed Branding page under Settings > Branding. The setting to change Favicon is no longer available in the re-designed console. The settings to customize branding for the VMware Verify application is now available on the Branding page.
Removed Settings Due to the End-of-Support-Life for the Workspace ONE application
Several configuration and branding settings have been removed from user interface in the Workspace ONE Access console because of the end-of-support-life for the Workspace ONE application. Please refer to the End of Support Life for the VMware Workspace ONE Application KB article (80208) for more information on the End of Support Life for the Workspace ONE Application.
Connector Support for Horizon Cloud Service on Microsoft Azure with Single-Pod Broker (Cloud only)
The 22.05 release of the Workspace ONE Access Connector will include support for integrating with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud. This will allow for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or 19.03.0.1 to version 22.05 connector. Both directories and virtual apps collections must be migrated together during this one-time process.
FIPS Mode Support for the Connector (Cloud only)
The 22.05 Workspace ONE Access Connector will have an option to enable FIPS mode during installation. FIPS mode will set the connector to run with data and encryption that is secure at a level of compliance encouraged by the United States government. The algorithms used are FIPS 140-2 compliant algorithms.
Workspace ONE Access Connectors with FIPS mode enabled will not support integrating with Citrix, Horizon, Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, or Horizon Cloud Service on IBM Cloud. A Workspace ONE Access Connector with FIPS mode enabled will support integrating virtual apps that are running in Horizon Cloud Service on Microsoft Azure with Universal Broker.
Note:
The FIPS mode option is not available when you upgrade to a 22.05 connector. The option to enable FIPS mode is supported only in new connector installations.
If you enable FIPS mode in the connector, to disable FIPS mode, you must reinstall the connector.
People Search (on Hub Web) will now allow searching with just one or two characters instead of the usual 3-character search. This enables support for searching names in logographic languages like Chinese, Japanese, etc.
Workflows Error Handling – Email Alerts upon failures
Workspace ONE Experience Workflows error handling has been improved to send email alerts directly to Administrators when a scheduled process fails to run successfully for any reason. All integration packs will now have an additional configuration parameter to include an email address to receive these notifications.
Saviynt Access Request Integration Pack for Workspace ONE Experience Workflows
Hub Services customers with Workspace ONE Experience Workflows enabled can configure an integration with Saviynt to notify approvers when a task is pending. Approvers will be able to view the request and take action on the task, such as Approve or Reject, from within the Workspace ONE Intelligent Hub app.
BMC Helix Change Request Integration Pack for Workspace ONE Experience Workflows (Beta)
Hub Services customers with Workspace ONE Experience Workflows enabled can configure an integration with BMC Helix to notify approvers when a Change Request is pending. Approvers will be able to view the request and take action on the change request, such as Approve or Reject, from within the Workspace ONE Intelligent Hub app.
ABRW-173842: Allow upload of files from Workspace ONE Content repositories
Users will now be able to upload files/documents present in WS1 Content repositories or local storage to web applications opened in the Workspace ONE Web browser
IBRW-173496: Support WS1 Web URL authentication use case via PIV-D using Yubike – This enables the end users to authenticate into the web applications opened in Workspace ONE Web browser using a Yubikey accessory via PIV-D Manager application.
IBRW-174091 – Ability to fetch iOS Web app logs from UEM console without requiring app relaunch
IBRW-174293: Support download with HTTP POST request
We are excited to share a major update to our VMware Tunnel solution. The Workspace ONE Tunnel client on Windows platform now supports Standalone enrollment without Workspace ONE Intelligent Hub or any device management.
Note that this client does not support existing MDM workflows or installation on a Workspace ONE managed device. Therefore, the 2.1.6 client is still available. Enabling both the MDM and Standalone enrollment workflows into a single Tunnel client will be provided in an upcoming release version.
Please refer to this KB for information on configuring the new Standalone enrollment feature.
The official documentation will be updated shortly with the next UEM release.
We are excited to share a major update to our VMware Tunnel solution. The Workspace ONE Tunnel client on macOS platform now supports Standalone Enrollment without Workspace ONE Intelligent Hub or any device management.
Note that this client does not support existing MDM workflows or installation on a Workspace ONE managed device. Therefore, the 21.08 client is still available through Apple’s App Store. Enabling both the MDM and Standalone enrollment workflows into a single Tunnel client will be provided in an upcoming release version.
The new macOS Tunnel 22.05 application is delivered through the Workspace ONE Resources Portal and supports Standalone enrollment and full device Tunnel mode. Please continue using the macOS Tunnel client delivered through the App Store for existing MDM and per-app Tunnel features.
Please refer to this KB for information on configuring the new Standalone enrollment feature.
The official documentation will be updated shortly with the next UEM release.
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
HUBM-5175: On macOS Monterey for Intel devices, the “Force Reboot” functionality in the Software Update profile does not function correctly (88416)
For Intel-based macOS devices on macOS 12.0 or higher, the “Force Reboot” functionality in the Software Update payload does not function correctly. If the Workspace ONE Intelligent Hub identifies that an update is available, the user will receive a notification that the update is available and, depending on the configured settings, an option to defer or begin the install. Ultimately, if the user chooses to begin the install, the softwareupdated process will be initiated, but the device will not actually install the OS update.
The Workspace ONE team is currently investigating the issue with Apple.
Workspace ONE UEM Windows SCEP Profile certificate request fails when using Certificate Authority with Static Challenge (85956)
The Windows SCEP Profile payload fails to successfully install a certificate when using a Certificate Authority that is either:
Configured to use Static Challenge
Configured to use Dynamic Challenge with a Request Template that is missing EKU Attributes
Workspace ONE UEM 21.09 and older
When using a Certificate Authority with Static Challenge, the certificate payload must contain the CA Thumbprint. Unfortunately, the Certificate Authority configuration does not include a field to add a Root Certificate. This will be addressed with AMST-27570.
Windows SCEP profiles also require the configuration of EKU attributes in the Certificate Request Template. The Windows SCEP profile does not validate the Request Template configuration in the profile UI. This will be addressed with AMST-27570.
To deploy a Windows SCEP profile, you must create a Certificate Authority configured to use Dynamic Challenge and a Request Template that contains EKU Attributes.
The Workspace ONE team is currently working to implement the required changes to support the use of SCEP profiles for Windows
As a workaround, you can use the Dynamic Challenge configuration for Certificate Authorities, making certain to add the relevant EKU attributes in the Request Template as required by Windows.
Generate Installation Token in Certificate Signing Portal (88462)
New Workspace ONE (WS1) customers with an on premise deployment (perpetual licenses) must generate an installation token within the certificate signing portal (found within the My Workspace ONE portal) as part of their initial Workspace ONE UEM install. This token allows them to manually install WS1 UEM on their server.
To go into further detail, the certificate signing portal allows customers to sign a public SSL certificate from their vendor with VMware’s unique security key to ensure secure communication between their organization’s devices and Workspace ONE UEM during device enrollment.
Best practices for re-enrolling Windows Desktop devices in Workspace ONE UEM (84350)
The following are the best practices for re-enrolling a Windows Desktop device into Workspace ONE UEM.
There are three different clients on Windows Desktop devices.
Native Device Management Client. (OMA-DM Client)
VMware Software Distribution Agent (VMware SfdAgent)
Workspace ONE Intelligent HubEach of the aforementioned client handles different mobile device management (MDM) tasks. You need to make sure associated records are removed for a clean re-enrollment.
HW-145794: How to deploy the VMware Identity Manager Connector in Legacy Mode (88033)
This article explains how to deploy the connector virtual appliance in legacy mode. Legacy mode requires allowing inbound connections to the connector appliance installed on-premises.
VMware Identity Manager Connector for Windows 19.03.0.1
The VMware Identity Manager connector is an on-premises component of VMware Identity Manager that provides directory integration, user authentication, and integration with resources such as Horizon 7. The connector is delivered as a virtual appliance that is deployed on site and integrates with your enterprise directory to sync users and groups to the VMware Identity Manager service and to provide authentication.
Connection Server fails to send machine identifiers information to Horizon Agent and it becomes unreachable. (88439)
Connection server debug logs have log lines similar to: DEBUG (18D4-1CB4) <HARequestMsgThread> [PendingOperationSet] com.vmware.vdi.desktopcontroller.VirtualCenterDriver@2a4cbc2 Rejecting Prepare from ConnectionServer03 for DeletingNGVC on /DEVDI/vm/InstantCloneTest/SSDS-Pool2/ssds2-8(/DEVDI/vm/InstantCloneTest/SSDS-Pool2/ssds2-8) as operation underway (collision) DEBUG (18D4-1CB4) <HARequestMsgThread> [PendingOperationSet] com.vmware.vdi.desktopcontroller.VirtualCenterDriver@2a4cbc2 Rejecting Prepare from ConnectionServer03 for Configuring on /DEVDI/vm/ManualDesktops/GPU/display-gpu-02(vm-11881) as operation underway (collision) DEBUG (18D4-1CB4) <HARequestMsgThread> [PendingOperationSet] com.vmware.vdi.desktopcontroller.VirtualCenterDriver@2a4cbc2 Rejecting Prepare from ConnectionServer03 for RecomputeDigests on /DEVDI/vm/ManualDesktops/NavySW/NavySW-Rhap01(vm-17591) as operation underway (collision
Pending Operations on connection server has become unstable and paticipating connection server nodes started rejecting the operations.
One of the cause is network related issues which were present intermittently leading to this type of issue. Failing to send the Configure Pending Operation to persist the machine information in VMX settings marks the agent as unreachable.
A cleaner way to restore the environment is to shutdown all the connection servers and perform a rolling reboot operation.
End of Availability for VMware Horizon Standard Subscription (88256)
VMware is announcing the End of Availability (EOA) of the VMware Horizon Standard Subscription edition, effective April 30th, 2022. After this date, Horizon Standard Subscription will no longer be available for purchase. The EOA will not impact existing entitlements to functionality delivered for existing Horizon Standard Subscription customers through the term of their existing subscription.
We are excited to announce that existing Horizon Standard Subscription customers can renew on Horizon Standard Plus Subscription upon their existing term renewal. Horizon Standard Plus Subscription entitles customers to deploy VDI and apps on a single private or public vSphere-based cloud while consuming new SaaS services built for TCO reduction of Horizon environments.
Customers may also choose to upgrade to Horizon Enterprise Plus Subscription, which provides enhanced functionality over Horizon Standard Plus Subscription. Additionally, customers may also upgrade to Horizon Universal Subscription if they are consuming multi-cloud SaaS services and/or deploying desktop and apps through Horizon Cloud on Microsoft Azure. For more information on Horizon Standard Plus Subscription, Horizon Enterprise Plus Subscription, and Horizon Universal Subscription, visit http://vmware.com/go/horizon.
VMware Workspace ONE Mobile Flows End of Life Announcement (85939)
We are announcing end of availability for new sales of the VMware Workspace ONE mobile flows service. Mobile flows will reach end of general support on August 30, 2022.
This means that any out-of-the-box or custom integrations that have been set up for Workspace ONE Intelligent Hub or Workspace ONE Boxer with mobile flows will no longer be supported after August 30, 2022.
The Experience Workflows product will be the replacement for 3rd party system integration for micro-apps in Intelligent Hub. You will need to purchase the add-on for the upcoming product release, Experience Workflows for Workspace ONE.
You can also request a beta of Experience Workflows through the EUC Beta Portal or through your VMware account representative.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
Getting Ready for Android 13 (88379)
As of April 26th, 2022, the Android 13 public beta 1 is available for users on Pixel devices.
What’s new in Android 13 To review new Android Enterprise features on Android 13, clickhere. For Android app developers, please review behavior changes that may affect your apps:
In order to ensure that users maintain the same experience after upgrading to Android 13, it is recommended to use the Android Permissions profile to grant this permission to any apps that need to send notifications.
More details will be added as testing continues for Workspace ONE applications.
Digital Workspace Office Hours – Virtual Customer Event
Our mission is to ensure you get the most out of your Workspace ONE and Horizon investments. These office hours provide you direct access to VMware experts and enable you to leverage all of the capabilities of VMware’s Digital Workspace solutions.
During 60-minute, interactive sessions, you’ll engage with VMware experts and explore:
Common pitfalls
Frequently asked questions
Best available resources
Register for future sessions or view previous ones on-demand to get onboarding and optimizing tips from VMware Workspace ONE and Horizon experts.
Next Session: May 12th, 17:00 CET → Automate the deployment of Applications and Configurations with Workspace ONE UEM Freestyle Orchestrator
Hosted by Patrick Zöller and Grischa Ernst
Join this webinar session to learn the latest from our Expert Customer Success Architects on the following:
Learn how you can use Freestyle to take your Deployment of Applications, Profiles and Scripts to the next Level
See how you can effectively leverage Sensors and Device Attributes and Time Window in Workflows.
Best Practices for using Freestyle Orchestrator for Windows and macOS. Introduction of Freestyle for mobile.
Workspace ONE UEM – Device Friendly Name and Enrollment User hyperlinks are disabled on the Device Events page (88380)
Hyperlinks in the Device Friendly Name and Enrollment User columns are disabled on the Device Events page in the Workspace ONE UEM console. Administrators will not be able to redirect to the Device Details or User Details pages directly from the Device Events page.
Admins will not be able to redirect to the Device Details or User Details pages directly from the Device Events page.
Our product team has been engaged and will be working to resolve this issue as soon as possible.
Workaround: Admins can view and copy the Device Friendly Name and/or Enrollment User from the Device Events page then manually navigate to the Device List View or Users List View pages and perform a search to view the details.
HUBW-6320 – Workspace One UEM – Windows Baselines show as failed in the console for devices with Windows Hub 21.07.x (88377)
New or updated baselines may fail to apply when pushed to windows devices that have Windows Hub version 21.07.x installed.
From the Workspace ONE UEM Console, Windows baselines may show a status of failed.
Task Scheduler and Baselines logs from the device hub logs will show an error similar to the one below.”@mt”:”Failed to reapply the baseline {Exception}”,”@l”:”Error”,”Exception”:”Newtonsoft.Json.JsonSerializationException: Error convertin
Workspace ONE UEM Windows Hub 21.07.x
This issue has been addressed in Workspace ONE UEM 2203. The fix has also been backported to Workspace ONE UEM Windows Hub 21.07.9
Teams optimization becomes unavailable after network interruption on HTML Access and Chrome client (85761)
When use Teams in VDI/RDSH by HTML Access and Chrome Client with Teams optimization ON, client has short network interruption, teams optimization becomes unavailable even horizon session has recovered. User cannot make video/audio call or join meeting at that time.
When there is short-time network break(similarly as refresh), the VDI session(based on blast) will use the old token to reconnect and both side will consider this VDI session continuous.
But at the same time, the VVC channel through which the Html5MMRServer and the Html5MMRClient communicate with each other will be broken down and to reconnect as brand new one. So the old WebRTC instance will destroy and pending for the new one to be created.
The WebRTC instance(consider as the initialization of all WebRTC Redirection) will only be created by the command from MS Teams client. Since MS Teams client only listen to the event of VDI session, it will treat this situation as session continuously connected and won’t trigger a new command to create new WebRTC instance.
Since the root cause is that MS Teams client and Html5MMRServer are out-of-sync of the WebRTC Redirection status at this case.
We need to work with MS to figure out some way to let Html5MMRServer tell MS Teams client that “WebRTC Redirection session was broken, and there is a new session just connected. You could send a new command to create new WebRTC Instance.”
Workaround:
Option1: Quit and relaunch MS teams app.
Option2: Disconnect/logoff current session then reconnect it.
Error “Session Handle null, Hence we are initiating to disconnect” occurs when attempting to remotely access device (84128)
When attempting to remotely access a device, the following error message appears: “Session Handle null, Hence we are initiating to disconnect.”
The Assist Agent prints this error when it checks in with the ARM server to verify if there is an active session, and the ARM servers say “no”. Even in successful attempts to start a remote management session, this error may be viewed several times before the ARM servers say “yes” and return a handle for the session.
To resolve, please restart the AetherPal services in the following order and check that they are functioning as expected:
Customer would like to change the way Boxer reports Phishing Emails, so the configured email address will receive the reported email as a forward email.
Product working as desinged, a feature request should be open.
Currently Boxer sends an email to the configured email address for phishing reporting, the email has an attachment file with extension .EML (email extension).
Is not possible to change the way Boxer sends the report, so a Feature Request (AHA request) should be suggested.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
ASDK-173031 : SDK tracks passcode expiration and provides preemptive notification to apps
ASDK-173346 : User friendly Error message will be displayed when HUB app is removed and customer SDK app is launched on Android devices ” If you have uninstalled Workspace ONE Hub, reinstall it. Then reinstall Application through Hub, and try launching it “
We are very excited to expand the capabilities of our experience management offering for the macOS platform. Leveraging Workspace ONE beyond device management for hybrid desktop communities is a focus and priority for customers and the team behind this offering. This release adds official support for Apple silicon and M-based mac hardware as well as optimizing resource consumption of the telemetry component.
Component: Workspace ONE Intelligent Hub for macOS
New Release: 22.04
Changes:
Introducing support for Workspace ONE Mobile Threat Defense which protects your devices from application, malware, device, and network threats.
Apply Managed Configurations to Internal ApplicationsIn Workspace ONE UEM Console 2109 through 2203, AndroidInternalAppManagedConfigurationFeatureFlag feature flag must be enabled.
Feature flag automatically enabled in Workspace ONE UEM 2204
Wipe the Work Profile only for Android 11+ COPE devicesEnterprise Wipe will now only remove the Work Profile and corporate resources from Android 11+ devices enrolled in COPE mode.
Changes require Workspace ONE UEM Console 2204
Automated Device Wipe for Offline DevicesIntelligent Hub now supports automatically wiping offline devices through Event/Actions.
Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com
The automated DEP enrollment of Mac Studio into Workspace ONE MDM fails (88315)
You see the error similar to: Enrolling with management server failed. Unexpected error (MDMResponseStatus:500)
This issue occurs because the Mac Studio devices represent a new Apple Device Model Family, and the normal device model seeding process cannot be used to enable support.
This is a known issue affecting automated DEP MDM enrollments involving Apple MAC Studio hardware. Currently, there is no user-based resolution.
VMware’s Development team is working to add these designations to UEM, and will be addressing this in future releases.
To work around this issue, manually enroll the Apple MAC Studio hardware machine into Workspace ONE UEM.
[AAGNT-194517] Some Samsung COPE devices unexpectedly unenroll (88267)
Some Samsung devices enrolled in Corporate-Owned Personally Enabled (COPE) mode and running Android 11+ may unexpectedly unenroll from Workspace ONE UEM. When this occurs, a “Break MDM” event is seen in the UEM Console for the affected device.
This issue should be resolved in Android Intelligent Hub 22.03.0.14. If you continue to experience unexpected device un-enrollments, please contact Workspace ONE Support.
Email Notification Service 2 for on-premises v1.11 and older support notice (86338)
All customers of Email Notification Service 2 (ENS2) for on-premises v1.11 and older are advised to migrate to a more recent versions before October 2022. Per VMware Workspace ONE UEM support release policy, on-premises releases are supported for 18 months after general availability.
Older versions of ENS2 on-premises distributions rely on the older VMware Workspace ONE Cloud Notification Service and should be upgraded at the earliest convenience to take advantage of the more robust notification framework afforded by VMware Workspace ONE Cloud Notification Service 2, available starting in ENS2 v21.04.
Customers using on-premises ENS2 have several upgrade options:
Customers preferring to stay with an on-premises ENS2 deployment can upgrade to the latest version of ENS2 on-premises.
Customers may also select to migrate to a SaaS-hosted version of ENS2 at no extra charge.
High security US Federal Government customers now have an option of SaaS-hosted ENS2 deployed in a FedRAMP High environment.
Access Denied when authenticating via 3rd party IDP via SAML with HTML5 (83160)
To outline a scenario when logging in via unified access gateway (UAG) with a 3rd party IDP .
Access Denied when attempting access over HTML5 with SAML based Authentication configured.
Access is granted when a thick client is used to connect.
A disclaimer is configured on the connection server.
With SAML, a disclaimer should be part of the 3rd party SAML IDP login and not on the Connection Server.
Note, if configured on the connection server, The disclaimer from the connection server will be cached on the UAG. Please see documentation on this connection server option .
When implementing SAML with a 3rd party IDP and an existing UAG , A restart of the UAG will make sure the disclaimer cache is cleared after migrating the disclaimer prompt from the broker to the IDP.
If you have not deployed the Workspace ONE Console patches or workarounds of December 2021 documented in VMSA-2021-0029, now is the time to do so. These workarounds and patches prevent exploitation of CVE-2021-22054. Details of this issue have now become available, which makes exploitation in the wild more likely.
CRSVC-28928: How to replace the Workspace ONE UEM static master key (88323)
The purpose of this knowledge base article is to document the instructions to remove the static master key referred to in the VMware security blog post found here . The patches listed in the KB will implement a new Scheduler job which can be used to replace the static master key with an instance-specific key and use it to re-encrypt information stored in Workspace ONE UEM.
Action Required:
Shared SaaS: None. This change is being deployed by VMware Cloud Operations with zero downtime.
Dedicated Latest: None. These changes are being deployed by VMware Cloud Operations with zero downtime. If you wish to have this change deployed to your environment at a specific date/time, please contact Workspace ONE Support.
Dedicated SaaS customers: If you wish to have this change deployed to your environment, please contact Workspace ONE Support and specify a date/time. This is a zero-downtime change.
On-Premise customers: Please refer to the Resolution section for steps to deploy this change to your environment
Accelerated EOL of Legacy Workspace ONE Experiences (Workspace ONE App and Web Portal EOL) on May 15, 2022
For several reasons listed in https://kb.vmware.com/s/article/87908, we are accelerating the EOL of these legacy experiences to May 15, 2022, which includes removing the Workspace ONE app from the App Store and Play Store. Customers who have the Workspace ONE Apps deployed should migrate immediately to the Workspace ONE Intelligent Hub app.
When the Workspace ONE app is EOL, new user enrollments for the Workspace ONE app will be blocked. Additionally, all login attempts to the Workspace ONE app will be detected and might be blocked as part of access policy rules with the Device Enrollment device type.
Workspace ONE Access Services updates include
Introducing the Redesigned Workspace ONE Access Navigation
The redesigned Workspace ONE Access admin console improves your ability to navigate and edit key settings, helping you achieve your business goals. A new toggle at the header in the console will help you switch to the redesigned console and you can switch back for easy comparison. Pages are grouped under five tabs – Monitor, Accounts, Resources, Integrations, and Settings, with menus located on the left side panel. The former Manage and Setup buttons were removed to simplify the configuration process.
We made the following enhancements to the Notifications tab in the Hub Services console.
The notification preview in the notification builder is now sticky. As you configure notification elements, the preview will always remain in view to easily see how they reflect on the notification card.
The time zone expiration field for Return-to-Work notifications supports a combo-box option to allow you to search and select your desired time zone
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
At the last VMworld (2021), VMware announced that it would support a range of VR/AR glasses in the future. A few days ago I had the opportunity to test HTC Vive Focus 3 VR glasses. At this point, thanks to HTC for providing the test unit.
First of all, the difference between VR and AR glasses should be briefly explained again. VR stands for ‘Virtual Reality’ and completely covers the field of vision for a 360° experience. The user dives almost completely into the virtual environment. Augmented Reality, on the other hand, still enables the user to see the actual world, so it is only an overlay in which information about the actual field of view is displayed or supplemented.
The areas of application therefore differ significantly. VR can be used, for example, in the area of training and collaboration for virtual interaction – completely virtual worlds are created, as are then also planned in the consumer area with the ‘Metaverse’ in the future. AR, on the other hand, can be used more in practical production, for example in factories where the user works on an assembly line or a production site and is shown additional information with help of the glasses. In the private sector, the best-known example of AR use would be Google Glass glasses.
In the corporate sector, in areas where AR/VR glasses are already being used, there are typically challenges with general administration, the installation of apps and content, security and, above all, initial provisioning.
The Workspace ONE XR Hub is currently available in beta for the following models:
HTC VIVE Focus Plus™
HTC VIVE Focus 3
Pico Neo 2
Pico Neo 2 Eye
Pico Neo 3
Pico G2 4k
Oculus Quest 2
Please check the documentation in advance and get in touch with the VMware contact person if necessary.
The technical approach: In practice, I only tested the HTC Vive Focus 3, but it can be used for other Android-based glasses. The basic concept of how the glasses are managed is the same. VMware offers the Workspace ONE XR Hub for VR/AR glasses – currently still available as a beta version at https://beta-ea.vmware.com. However, the XR Hub does not replace the classic Workspace ONE Intelligent Hub. The breakdown is as follows:
The Workspace ONE Intelligent Hub is the classic device agent as a 2D app, just like on all other (frontline) Android devices, including the well-known user interface with the well-known Hub Services Notifications, For You Tab, Support and of course the App Catalog.
The Workspace ONE XR Hub can be seen as the portal for enterprise applications. THE XR Hub is designed for VR applications and thus offers the 360° view. The apps and services I make available here are based on the App Catalog in Workspace ONE Access.
The device is generally managed via the Intelligent Hub, while the XR Hub takes over the visual representation of the virtual working environment.
The combination of the following components is therefore recommended for managing the VR glasses:
Workspace ONE UEM >>> Management of devices
Workspace ONE Access >>> Authentification, App-Catalog, SSO
Workspace ONE Intelligent Hub >>> Device Agent
Workspace ONE XR Hub >>> VR Business Portal for Enterprise-Apps
Optional: Workspace ONE Assist >>>Remote-Control and Support
Optional: Workspace ONE Tunnel with Unified Access Gateway >>> Zugriff to internal resources
Optional: VMware Horizon for publishing virtual Apps or VDIs
In general, the XR Hub and Workspace ONE Access are also optional if I only want to manage devices and do not want to rely on AR/VR content and applications.
Enabling the HTC Vive Focus 3 How the individual devices are provisioned is explained in the documentation in the beta portal and I do not need to repeat it in detail. Where the individual glasses from the manufacturers differ is how the basic setup works. In other words: How do I put the respective glasses into Enterprise mode and how do I bring the Workspace ONE Intelligent Hub to the device (the Play Store is not available) to start the actual enrollment. With the Focus 3, this is done via a batch file, which I provision, including a key, via HTC’s enterprise business portal (https://business.vive.com) and afterwards downloaded to your PC. This batch file contains my basic configuration and the Workspace ONE Intelligent Hub, as well as other applications that I would like to include directly with the initial staging. However, I can, or maybe I should, roll out my enterprise applications apart from the Intelligent Hub via Workspace ONE, since I can then preconfigure and update them via App Config. I copy the downloaded batch file and the key to a micro SD card that is inserted into the glasses and after a factory reset the batch file takes effect accordingly and puts the glasses in Enterprise mode and installs the Workspace ONE Intelligent Hub . The Workspace ONE XR Hub is not yet installed at this point.
I now start the classic device enrollment via the Workspace ONE Intelligent Hub, which initially does not work any differently than on other Android Enterprise devices.
From this point on, I can basically manage the VR glasses like any other Android frontline or rugged device:
In the next step, however, I still want to get the benefits of the Workspace ONE XR Hub. The basic procedure for this is as follows, although there are certainly variations:
Upload the XR Hub .apk to Workspace ONE as an enterprise app and push to the device
Adjust settings in Workspace ONE Access to enable authentication and recognize the XR Hub as a trusted client.
Customize the JSON configuration file for the XR Hub. The XRHubClientConfig.json can be used to customize the appearance and behavior of the XR Hub for the needs of each company or application area.
Creating a provisioning product that pushes the JSON configuration file to the correct location on the device.
Provision of content in the WS1 Access or Workspace ONE UEM Catalog – Enterprise .apks and web apps.
Details on the required steps are available in the documentation on the Beta Portal (https://beta-ea.vmware.com/). Customizing the JSON file requires a bit of practice or background knowledge. In general, the options are well explained in the documentation. It is only important to mention that the URL of the Workspace ONE Access Tenant must be specified under “Workspace ONE URL”:
Once the XR Hub and the product for the .json configuration file are installed, the XR Hub can be launched. In my case, for the first start of the XR Hub, I stored in the config file that an info video should be played, which I also pushed onto the glasses via a product:
After the video, the XR Hub including the preconfigured content is available:
Personal Conclusion and opinion:
AR/VR is with a very high degree of certainty part of the future of work and is already finding its way into some areas. From conversations with my customers, however, I can say that it is still mostly limited to research, innovation or niche areas. However, the possibilities that AR/VR use cases offer are almost unlimited and could change the way we work in the future. It is not yet enough for a classic breakthrough and application in the masses. This is due to various points, which in most cases are related to the hardware and the fact that each provider of the glasses currently still relies on its own ecosystem of accounts and provisioning solution. In the enterprise environment, for example, it is a deterrent if, as with the Oculus Meta glasses, a Facebook account is required to even put the device into operation.
Another issue is application availability. I can certainly run practically any Android app on the VR glasses. However, the user experience is limited when I simply use a 2D app on VR glasses. VR requires a 360° view and an application must be adapted to this in order to enable the spatial user experience. The development of apps in this direction is currently still complex and implemented by only a few providers, so there is a lack of availability of corresponding applications. At this point it should be said that no apps can be installed directly from the Play Store, since the VR glasses are the AOSP version of Android (Android Open Source), so the classic Google Managed Services are missing (GMS), which excludes the Play Store. The Android OS has been too much customized by the manufacturers, so it cannot get certification for the GMS. So, as a company, I have to have the .apk files of the relevant apps that I want to use on the VR glasses. It is therefore not possible to use common communication and collaboration solutions such as Microsoft Teams, WebEx or Zoom – here you have to resort to offers from the manufacturers of the glasses. For a not too small number of customers, this is a knockout criterion.
From a management perspective, the combination of Workspace ONE Intelligent Hub and Workspace ONE XR Hub already offers a high level of possibilities, as has been known from the management of Android devices for years. The supported devices are primarily an Android frontline device, of the kind known from Zebra and Honeywell – the management then works accordingly. The XR Hub then offers ‘on top’ a visually and functionally successful portal for access to the collected enterprise applications.
In conclusion, it can be said that the experience of VR glasses in general and with the XR Hub in particular is very impressive and fun. The 360° view conveys a new type of spatial perception and potentially puts me back in a shared space with my colleagues when working remotely. The breakthrough for mass use cases is still a long way off, but it seems likely that solutions of this type will have a strong impact on the way we work in the future. The Workspace ONE XR Hub can be seen a bit as the ‘Next Level Anywhere Workspace’ at this point.
Julius Lienemann 