Welcome to the Digital Workspace

Photo by Pixabay on Pexels.com

Thank you for navigating to my Blog. You’ll find here news and updates around VMware Workspace ONE. The content in this blog doesn’t necessarily represent VMware’s positions, strategies or opinions. While Best Practices or Product related information are described in some post on this blog, they may not apply to your individual customer setup or be error free. In case of doubt, always engage your VMware contact.

Featured and latest Posts:
Service – Week 17-2021 Workspace ONE Updates
Service – Week 16-2021 Workspace ONE Updates
Service – Week 15-2021 Workspace ONE Updates
A First look at: Android 12 — (German Version)
Looking Forward to 2021 – A small Outlook — (German Version)
VMware Workspace ONE – 2020 A Year in Review — (German Version)
VMware Boxer – Delegated, Shared and Multiple Managed Mailboxes
End User Computing News of Week 46 — (German Version)
Reporting: The Workspace ONE Excel Add-In — (German Version)
Workspace ONE Device Management Modes — (German Version)
Workspace ONE – Techzone, KB, Docs – When do I use what? — (German Version)
What is the „Freestyle Orchestrator“? — (German Version)
Changes with Android 11 and Workspace ONE — (German Version)

Archive: WEEKLY UPDATES

I hope you’ll enjoy the posts and that they have some useful content for you. Feel free to reach out to me on LinkedIn or comment the post.
Thanks!

Service – Week 17-2021 Workspace ONE Updates

• Important Releases and KB Updates
  • Announcing VMware Anywhere Workspace, a unique solution to manage multi-modal employee experience, better secure the distributed edge, and automate the workspace
    • We are excited to announce VMware Anywhere Workspace, a solution that enables distributed organizations to truly embrace work from anywhere.
    • VMware Anywhere Workspace brings together the innovative technologies of VMware Workspace ONE, VMware SASE, and VMware Carbon Black Cloud, empowering anywhere organizations to manage multi-modal employee experience, better secure the distributed edge, and automate the workspace.
    • Join the VMware Anywhere Workspace Launch Event – EMEA, May 5
  • AAGNT-192253: Android devices may initially use the Unassigned ownership privacy settings (83571)
    • After enrollment, Android devices may initially use the privacy settings for the Unassigned ownership type instead of the correct ownership type. This may cause some device information such as the public IP address to not be reported correctly.
    • Any Android device using Intelligent Hub version 19.04 or later
    • This occurs rarely during enrollment if the privacy settings are loaded prior to the ownership type from the Workspace ONE UEM Console
    • The Workspace ONE product team is actively working on a resolution for this issue.
  • Samsung Android 11 Devices Intermittently Fail to Enroll on a Closed Network (83568)
    • Samsung devices on Android 11 intermittently fail to complete enrollment when enrolling into Work Managed mode on a closed network, where there is no external internet access.
    • The OS will occasionally fail to set Hub as a Device Owner during Work Managed provisioning.
    • Samsung has fixed this issue in the latest Android 11 firmware update.  It may take some time for all affected device models to receive the update.
    • Workaround: Continued attempts to enroll the device will eventually succeed.
  • [HUBI-6060] – Workspace ONE Intelligent Hub for iOS incorrectly displaying enrollment prompts (83549)
    • Customers using the Check In / Check Out feature with iOS Intelligent Hub and who also have the Auto Logout feature enabled may notice that after the device is automatically logged out, the Hub displays the Enrollment prompt instead of the Check Out prompt.
    • This issue is caused due to a race condition between the iOS Hub SDK incorrectly deleting the Enrollment Details from the Hub when the device is automatically logged out. This will affect users trying to check out devices.
    • VMware engineering has identified the issue and is actively working to resolve it in a future version of Intelligent Hub.
    • Enter the Server URL and Group ID details when the Hub is in this state. This will allow Hub to go back to the Check Out screen.

• Techzone, Blog and Podcast Updates
  • Deploying VMware Carbon Black Cloud Sensor with Workspace ONE UEM
  • Introducing Managed Guest Sessions for Chrome OS with Workspace ONE
  • VMware Carbon Black Cloud on VMware Horizon VDI Installation Guide
  • Techzone Podcast: Experience Workflows
  • VMware Cloud on Dell EMC Horizon Deployment Guide
  • Horizon on VMware Cloud on Dell EMC Architecture
  • EUC vExpert Monthly Digest – April 2021
  • Check out the new Workspace ONE Adoption Kit Wizard – Customized Banners for Amazing Customers

• Industry News, external Blogs and links
  • Lessons Learned with UAG Deployments for Workspace ONE
  • Android Enterprise security delivers for flexible work

• Week 17 Software Updates

• Component: Workspace ONE Intelligence
• New Release: 28th April
• Changes:
  • In this release, we’ve made a few updates containing general quality and performance improvements with no new features.
• Release Date: 29.04.21
• Release Notes

• Component: Workspace ONE Tunnel for Windows 10
• New Release: 2.1
• Changes:
  • Full Device Tunnel
    VMware Tunnel now supports tunneling all device traffic regardless of the source application. This may be used by customers still transitioning to Zero Trust access architectures enabled with per-app tunneling.
  • IPv4 based routing for Device Traffic Rules
    Tunnel supports routing based on IP addresses, ranges, and subnets.
  • Simplified DNS configuration
    To simplify configuration for DNS resolution, Tunnel can pick up the internal domains directly from Device Traffic Rules
• Release Date: 28.04.21
• Release Notes

• Component: Workspace ONE Tunnel for macOS
• New Release: 20.12.1
• Changes:
  • In this release, we’ve made a few updates containing general quality and performance improvements with no new features.
• Release Date: 29.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.8.0.28
• Changes:
  • Patch Update
• Release Date: 27.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 21.2.0.8
• Changes:
  • Patch Update
• Release Date: 27.04.21
• Release Notes

Service – Week 16-2021 Workspace ONE Updates

• Important Releases and KB Updates
  • Announcing VMware Anywhere Workspace, a unique solution to manage multi-modal employee experience, better secure the distributed edge, and automate the workspace
    • Today, we are excited to announce VMware Anywhere Workspace, a solution that enables distributed organizations to truly embrace work from anywhere.
    • VMware Anywhere Workspace brings together the innovative technologies of VMware Workspace ONE, VMware SASE, and VMware Carbon Black Cloud, empowering anywhere organizations to manage multi-modal employee experience, better secure the distributed edge, and automate the workspace.
    • Join the VMware Anywhere Workspace Launch Event – EMEA, May 5
  • Dual Messenger is not Functional on Samsung Work Managed Devices (83482)
    • Samsung device users are unable to utilize Dual Messenger while enrolled in as Work Managed
    • This issue may occur due to limitations of the Samsung framework. This is not a VMware issue. Please contact your vendor.
    • Samsung Docs
  • Load balancer health monitoring of Unified Access Gateway 2012 can sometimes report incorrect health status (83365)
    • A load balancer monitoring the health of Unified Access Gateway using HTTP(S) GET /favicon.ico can sometimes receive an incorrect health status of “503 Service Unavailable” instead of “200 OK“. This can happen with Unified Unified Access Gateway version 2012 when configured for Horizon use and when the Horizon UDP Tunnel Server is enabled.
    • This issue is fixed in UAG version 2103.1 available at VMware Downloads.
    • Workaround: To work around this issue, Horizon UDP Tunnel Service can be disabled from the Admin UI in the Horizon edge service settings.
  • HW-132629: Transfer of logs to syslog server failing 20.10, 20.10.0.1, 3.3.3 and 3.3.4 (83470)
    • Transfer of logs to Syslog server is failing after entering the URL or the IP of the Splunk host in Workspace ONE Access console (Port 8443).
    • The new “enableRSyslog.hzn” attached has to be replaced in customer environment.
      If the syslog service config is already done, then remove or disable it from the :8443 configurator UI.
      Replace the new script attached in the following location: “/usr/local/horizon/scripts/”.
      Reconfigure the syslog service from the configurator UI.
  • Deploying Workflow Engine for macOS with Workspace ONE Intelligent Hub (83499)
    • Since the release of Workspace ONE Intelligent Hub 20.10 (October 2020) with the Tech Preview availability of Freestyle Orchestrator and Scripts, administrators have been required to deploy the additional Workflow Engine** component to macOS devices to use these new features.
    • Until now, administrators needed to upload the Workflow Engine component to the UEM Console as an Internal Application and assign to devices. The installer files can be found on the Resource Portal .
    • In the 21.04 release of macOS Intelligent Hub, a new setting can be enabled to automate the deployment and management of the Workflow Engine component.

• Techzone, Blog and Podcast Updates
  • Announcing VMware Anywhere Workspace, a unique solution to manage multi-modal employee experience, better secure the distributed edge, and automate the workspace
  • How VMware Anywhere Workspace helps secure the distributed edge
  • How Workspace ONE helps manage multi-modal experience in VMware Anywhere Workspace
  • Workspace ONE innovations to Automate the Workspace
  • How to Boost Supply Chain Resilience Through Digital Transformation
  • Achieving DISA STIG Compliance for Samsung Android 10: Workspace ONE Operational Tutorial
  • Techzone Podcast: Updates From the Week of April 12, 2021
  • What is Workspace ONE Intelligent Hub?
  • Providing Disaster Recovery for VMware Horizon

• Industry News, external Blogs and links
  • VMware bundles support for the branch-of-one workforce
  • Filling the Gaps in MacOS Management
  • Dell Spinning Off VMware as ‘Synergies Failed to Come to Fruition’
  • Certificate authentication for Workspace ONE API with PowerShell scripts
  • Integrating Workspace ONE reporting with PowerBI

• Week 16 Software Updates

• Component: Workspace ONE Boxer Intelligence
• New Release: 14th April
• Changes:
  • Introducing a built-in Email action for Intelligence Automation Workflows.
    Use HTML formatting, image attachment, fonts, and more to fully customize how messages are received from your Automations.
• Release Date: 19.04.21
• Release Notes

• Component: Workspace ONE Tunnel for iOS
• New Release: 20.12.1
• Changes:
  • In this release, we’ve made a few updates containing general quality and performance improvements with no new features.
• Release Date: 19.04.21
• Release Notes

• Component: Workspace ONE Tunnel for Android
• New Release: 21.03
• Changes:
  • In this release, we’ve made a few updates containing general quality and performance improvements with no new features.
• Release Date: 21.04.21
• Release Notes

• Component: Workspace ONE Intelligent Hub for macOS
• New Release: 21.04
• Changes:
  • Post-Enrollment Onboarding Experience  
    Keep users informed on the device provisioning process after enrollment completes with the new onboarding experience built into Intelligent Hub. (Console 21.05)
  • Restrict macOS Applications & Processes
    Using Apple’s Endpoint Security System Extension, Intelligent Hub can now detect apps or processes that you don’t want to run on your endpoints and block them with a customizable message. (Console 21.05)
  • Workflow Engine Deployment for Freestyle Orchestrator & Scripts (Tech Preview) 
    This version of Intelligent Hub includes a new feature to aid administrators in deploying the macOS Workflow Engine component, required for Freestyle Orchestrator and Scripts. 
  • Universal 2 Support (Beta) 
    The Workspace ONE Beta Portal contains a Universal build of 21.04, capable of running natively without Rosetta on Apple Silicon Macs. In an upcoming release of Intelligent Hub, this build will become the default.
• Release Date: 22.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.11.0.25
• Changes:
  • Patch Update
• Release Date: 20.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 21.2.0.7
• Changes:
  • Patch Update
• Release Date: 20.04.21
• Release Notes

Service – Week 15-2021 Workspace ONE Updates

• Important Releases and KB Updates
  • VMware Anywhere Workspace Launch Event – EMEA, May 5
    • Our event on May 5 will detail the business case, industry viewpoints and IT necessities to deliver a seamless, distributed ‘anywhere’ workforce.
    • We’ll reveal the VMware Anywhere Workspace, the industry-first, integrated architecture designed to help organisations manage and deliver secure, exceptional employee experiences – anywhere.
    • Register now: https://event.vmware.com/flow/vmware/workspace/reg/process
  • CRSVC-18390: ACC installer gets flagged by the antivirus and might get deleted (83423)
    • Airwatch Cloud Connector installer gets flagged by the antivirus and might get deleted. This has been first reported on WorkspaceONE UEM version 2003 but applies to all versions.
    • For a good installation experience, Airwatch Cloud Connector configuration data is packaged together with the actual Airwatch Cloud Connector installer into a single executable which extracts both and runs the real installer. To improve performance on the Console server, the installer and configuration are streamed as part of the self-extracting executable rather than compiled into it each time. Thus the executable size doesn’t match the metadata within it; antivirus software flags this structure as a potential virus.
    • To resolve this issue, update the installer download process so that the downloaded executable size is consistent with its metadata.
    • Workaround: Add an exception for Airwatch Cloud Connector installer in the antivirus or download the installer in a folder which has been added in the exceptions.
  • AAPP-11869: Derived Credential Authentication Failure With iOS DEP Custom Enrollment Using PIV-D Manager
    • ADFS error with Boxer authentication shown in KB article.
    • The Workspace ONE UEM iOS Custom DEP enrollment implementation doesn’t populate the required database table with the Mobile Device Management (MDM) Identity certificate. The PIV-D Manager app then cannot fetch the MDM Identity certificate if the device was enrolled using iOS Custom DEP enrollment.
    • VMware Product team have confirmed this issue and are working on a resolution.

• Techzone, Blog and Podcast Updates
  • Three ways to improve mobile app experience with Workspace ONE Intelligence User Flows
  • For Identity Management Day, learn from our top identity management and Workspace ONE Access resources
  • Simplifying IT Ops with New Integration Between Workspace ONE UEM and ServiceNow Service Graph Connector
  • How to Control MAC Randomization on Samsung Devices
  • Techzone Podcast: Security Resource on Tech Zone
  • Enabling BitLocker Encryption to Remote Windows 10 Devices: Workspace ONE Operational Tutorial
  • Horizon on Google Cloud VMware Engine Configuration
  • New App Capture Command-Line Tools Available in App Volumes 4
  • Dizzion Desktop as a Service brings advanced VMware Horizon capabilities to IBM Cloud
  • VMware Horizon Cloud on Microsoft Azure Cheat Sheet for Horizon 8 Administrators

• Industry News, external Blogs and links
  • A New Standard for Mobile App Security
  • Android Enterprise Security Paper – Updated Version
    Knox Platform for Enterprise free for customers

• Week 15 Software Updates

• Component: Workspace ONE UEM On-Premise GA
• New Release: 21.02
• Changes:
  • Workspace ONE Freestyle
    Technical Preview: ​Schedule Resource Installs At Your Convenience.
    The time it takes to update devices with downloadable content such as apps can be lengthy and the device’s performance during this time is often poor, to say the least. The Time Window feature allows you to schedule those updates outside of peak work hours, using the device’s local time.
  • Windows
    Use the Autopilot integration in Workspace ONE UEM to deploy domain join for both cloud and on-premises users.
    We’ve now integrated Microsoft Autopilot with Workspace ONE UEM to support Hybrid Domain Join. With the new integration, you can combine the on-premises domain join process in Workspace ONE UEM with your Autopilot device configurations that are set in Azure. 
    Support for the upcoming Full Device Tunnel on Windows 10
    Using the upcoming Tunnel for Windows 10 version 2.1, Win 10 devices can be configured to leverage a full device Tunnel.
  • Android
    We’ve made enhancements to the UEM console to enable the clear passcode capability using Direct Boot.
    Apps do not run during the Direct Boot mode by default, which is when the device has been powered on, but the user has not unlocked the device. We’ve made some modifications in the UEM Console that allows you to send a clear passcode command with Workspace ONE Intelligent Hub for Android while the devices are in the Direct Boot mode.
  • iOS
    Would you like to check which time zone is set on your Apple devices to evaluate any changes? You can now monitor the time zone of your Apple devices in the UEM console.
    We let you track the time zone reported by the iOS, macOS, and tvOS devices in the Workspace ONE UEM console under Device Details.

• Release Date: 14.04.21
• Release Notes

• Component: Workspace ONE Boxer for iOS
• New Release: 21.03
• Changes:
  • Due to customer feedback regarding the change of deprecating the AppForceActivateSSO Key (moving forward, Boxer will act like this key is always on as well as requiring an SDK passcode). The team has decided to hold this change until March 2021.
  • Disable Files Section
    • If you have a high-security use case where you need to disable the files section, this feature is for you.
  • Calendar Notes are now rendered in HTML
    • We are excited to introduce HTML notes for calendar invites. This allows users to see calendar invites as they are intended instead of just the plain text version of the calendar invite.
  • Add Microsoft Teams online meeting link to calendar invites
    • We are excited to introduce the ability to add Microsoft Teams online meeting links to calendar invites.
    • This does require EWS to be enabled.
    • Modern Authentication is also required.
    • You must be using Exchange Online (Office 365) to use this feature.
• Release Date: 14.04.21
• Release Notes

• Component: Workspace ONE Boxer for Android
• New Release: 21.03
• Changes:
  • Add Microsoft Teams online meeting link to calendar invites
    • We are excited to introduce the ability to add Microsoft Teams online meeting links to calendar invites.
    • This does require EWS to be enabled.
    • Modern Authentication is also required.
    • You must be using Exchange Online (Office 365) to use this feature.
  • Calendar Notes are now rendered in HTML
    • We are excited to introduce HTML notes for calendar invites. This allows users to see calendar invites as they are intended instead of just the plain text version of the calendar invite.
• Release Date: 14.04.21
• Release Notes

• Component: Workspace ONE Content for iOS
• New Release: 21.04
• Changes:
  • Allow user to delete and rename user repo without authenticating it.
  • User Interface changes on activities view.
  • Enhancements on add repository.
    • Add repository will be displayed only if templates are configured and present from the admin.
    • Rename repository page is available now.
  • View Configured repositories option has been added.
• Release Date: 15.04.21
• Release Notes

• Component: Workspace ONE SDK SWIFT
• New Release: 21.4
• Changes:
  • In this release, we’ve made a few updates containing general quality and performance improvements with no new features.
• Release Date: 15.04.21
• Release Notes

• Component: Workspace ONE App
• New Release: 3.3.9
• Changes:
  • In this release, we’ve made a few updates containing general quality and performance improvements with no new features.
• Release Date: 14.04.21
• Release Notes

• Component: Workspace ONE Web for Android
• New Release: 21.03
• Changes:
  • Support and Logging improvements
• Release Date: 14.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.11.0.22
• Changes:
  • Patch Update
• Release Date: 13.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.8.0.26
• Changes:
  • Patch Update
• Release Date: 13.04.21
• Release Notes

Service – Week 14-2021 Workspace ONE Updates

• Important Releases and KB Updates
  • General Availability of VMware Workspace ONE Intelligent Hub 21.03 for Android
    • Updates Include:
      • AAGNT-191895: Disable the WebSDK for 21.03
      • WebSDK is disabled for 21.03 due to issues seen in Tunneling and high battery and high storage usage (https://kb.vmware.com/s/article/83151)
      • HUB-5269: Support for more than 5 services: If an admin has enabled all 6 services (Apps, People, Favorites, Support, For You and Home), Hub will combine “Apps” and “People” into a new tab called “Explore” to adhere with mobile standards
      • HUB-4443: Take actions on P0 notifications without opening Hub
        • Hub now supports performing actions on P0 notifications removing the necessity to open Hub for all notifications that require actions.
      • AAGNT-190219: New restriction for Android 11 COPE devices to set a maximum number of days the user can disable the Work Profile
        • This requires a Workspace ONE UEM Console change, which is not yet complete, the only way to test this is to use Custom XML.
      • AAGNT-191574: Allow VPN Changes for Work Profile and Android 11 COPE (company-owned work profile)
        • This requires custom XML to test. 
      • AAGNT-189598: VPN Always On Lockdown Allow List – Grant certain apps ability to bypass VPN in the case that VPN is disconnected. Supported on Android 10+ in all AE enrollment modes.
        • Hub is always included in the Allow list and does not need to be included in the list of package IDs.
        • This requires custom XML to test.
      • AAGNT-190861: Enable “Draw over other apps” permission automatically for WS1 Assist on Zebra devices
      • Bug Fixes
  • General Availability of VMware Workspace ONE Intelligent Hub 21.03 for iOS
    • What’s New:
      • Attachment support in the For You Tab
        • Attachments added through the Workspace ONE Workflows or directly through the Notification Service such as Admin UI or API can now be accessed in the Intelligent Hub mobile app.
      • Support Tab design improvements
        • Containerization of the Support Tab landing page.
        • Clean-up of irrelative information. For example, if Support Email or Number is not provided, Hub will not display that in the list.
      • [Preview] Explore Tab: Support for more than 5 services
        • If an administrator has enabled all 6 services (Apps, People, Favorites, Support, For You, and Home tabs), Hub combines Apps and People into a new tab called Explore to adhere with mobile standards.
        • To enable this service, navigate to the Support tab, select your device > Preferences > Explore Tab.
  • Certain Samsung Android devices report an unexpected Serial Number (83348)
    • Samsung devices that released with Android 9 prior to Q4 2018 report a 16-digit serial number instead of the expected 11-character serial number following an Android 10 security patch released in late 2020.
    • On affected device models, the Android API to collect the device serial number returns a 16-digit number rather than the 11-character serial number. Additionally, a system property that was previously used by Workspace ONE Intelligent Hub to collect the serial number on these devices was made inaccessible by a late 2020 Samsung security update to enhance privacy and data protection.
    • The customer impact is dependent on their use of serial numbers. If a customer does not rely on device serial for any operations, then there is no impact. However, if the customer uses serial number for any operations, then a portion of their devices will be impacted due to the reporting of the unexpected serial number.
    • A Samsung Knox API is available to collect the 11-character serial number on affected devices in Work Managed, COPE, and Android Legacy modes.  VMware will leverage this API in an upcoming release of Workspace ONE Intelligent Hub, after which devices will begin reporting the expected serial number.
    • Unfortunately, this issue cannot be fixed for devices enrolled in Work Profile.  Those devices will continue to report the 16-digit serial number.
  • Workspace ONE UEM enrollments on macOS devices with multiple partitions (83311)
    • Macs containing multiple partitions and installations of macOS will be unable to correctly enroll to the same Workspace ONE UEM environment. However, each partition can be enrolled to different environments from each other. For example, one partition can be enrolled to your production environment and the other partition can be enrolled to your UAT.
    • If you have enrolled multiple partitions to the same environment, you may experience issues:
      • MDM APNS communication will only work for the most recent partition enrolled. This means even Enterprise Wipe commands cannot be sent to previous partitions that were enrolled.
      • Despite MDM communication being severed on the existing partitions, Intelligent Hub (if installed) will still be able to communicate with the server. This may result in unexpected behavior from the app.
    • VMware recommends manually removing the MDM profile and uninstalling Intelligent Hub from partitions in this state.
  • Android lockscreen overlay setting in passcode profile gets removed when the profile is reapplied (83336)
    • When a passcode profile containing a lockscreen overlay image configuration is reapplied, Hub removes the entire overlay, but fails to reapply the settings, resulting in the overlay to disappear.  The issue also occurs if the profile is removed and then reapplied.
    • Hub tries to download the lockscreen overlay image again on reapply.  However, the download fails, causing the profile to fail to apply.  
    • Devices will be left without a lockscreen overlay if the profile becomes reapplied.
    • Our Product Team is actively engaged and working on a fix in an upcoming release.
  • CMSVC-9328: ObjectGUID required in Workspace ONE UEM SAML response during authentication (2961261)
    • Previously, Administrators could bypass the SAML authentication flow and access the UEM Console by entering their Active Directory credentials. This gap has been addressed. Workspace ONE UEM 1811 enforced SAML authentication flow if it was configured at the Organization Group where the Administrator’s account exists. Now, however, in order to truly support SAML authentication in a multi-domain setup, the ObjectGUID attribute must be configured on the Identity Provider settings page.
    • To support SAML authentication in a multi-domain setup, it is required to configure the ObjectGUID attribute on the Identity Provider settings page. Within the Workspace ONE UEM Console, this attribute must be mapped to the Object Identifier user attribute on the Workspace ONE UEM Directory Services settings page at Groups & Settings > All Settings > System > Enterprise Integration > Directory Services > User > Advanced.
  • Work Managed Enrollment using G-Suite may get stuck on Android 11 Devices (83319)
    • Devices enrolling into Fully Managed mode with a G-Suite account may experience a stalled enrollment on the ‘Configuring something spectacular’ screen.
    • This is caused by Google’s account registration activity not returning a result to Hub regarding the success or failure of account registration to proceed with enrollment.
    • The Workspace ONE product team is working closely with Google on resolving this issue.
    • Once the device is stalled on the ‘Configuring something spectacular’ screen, rebooting the device will allow the user to proceed with enrollment.
  • “Enrollment Blocked” error when enrolling Android 11 devices in COPE mode using ‘afw#hub’ identifier (82574)
    • When you try to enroll an Android 11 device in COPE(Corporate Owned Personally Enabled) mode using the ‘afw#hub‘ identifier, you see an “Enrollment Blocked” error.
    • Android 11 enrollments in COPE(Corporate Owned Personally Enabled) mode using ‘afw#hub‘ identifier is no longer supported. It is recommended to use any of the following methods to enroll Android 11 devices in COPE mode:
    • Enrollment using QR code
    • Enrollment using Zero-Touch Portal
    • On Android 8, 9, and 10, the Workspace ONE Intelligent Hub would operate on the work and personal side of the device. The Intelligent Hub instance running within the work profile handled management operations within the work profile, while the Intelligent Hub instance running on the personal side of the device handled device-wide policy management.
  • Workspace ONE Web for Android withdrawal of support for Kerberos over HTTP (83367)
    • Support for Kerberos authentication over HTTP will be withdrawn from the VMware Workspace ONE Web browser app for Android. The June 2021 release of the Web app will not support this type of authentication.
    • The use cases that required support for this type of authentication can now be supported by other mechanisms.
    • The Web app is compatible with Kerberos Constrained Delegation (KCD) in the VMware Unified Access Gateway (UAG). 
    • The Web app is compatible with Kerberos authentication by a single sign-on (SSO) Android Enterprise client, such as Hypergate Authenticator. 
    • The Web app supports NTLMv2 authentication.
  • CRSVC-20047 – Client Certificates delivered through Workspace ONE UEM are malformed or fail to install on devices after upgrade to 2102 if template Subject Name contains commas (83355)
    • If you are pushing client certificates through a profile with a template containing commas in the lookup values (in {UserDistinguishedName}, for example) via Credential Payload for ADCS DCOM or any SCEP CA, the profile will fail to install on the device with the following error:
    • Exception occurred generating certificate request.
    • In previous version, if the template contained commas like {UserDistinguishedName} CN=Tom,Sawyer , OU=EUC, O=VMware we updated the string to CN= ”Tom,Sawyer”, OU=EUC, O=VMware while generating the CSR and install it on the device. In 2102 we identified a bug where we append double-quotes twice if there is a comma in the UserDistinguishedName CN=””Tom,Sawyer””, OU=EUC, O=VMware.
    • Our Product team is actively working to resolve this issue in a timely manner. Please subscribe to this KB article for updates.

• Techzone, Blog and Podcast Updates
  • How Workspace ONE Intelligence Event and Trend widgets help you achieve your UEM goals
  • Techzone Podcast: Modern Management – Perspective From The Field
  • Horizon Configuration

• Industry News, external Blogs and links
  • Zero Trust: What is it and MDM Role
  • VMware Workspace One delivers automated scripting, increased macOS security & a unified app catalog for enterprise Macs

• Week 14 Software Updates

• Component: Workspace ONE Intelligence
• New Release: 6th Apr
• Changes:
  • We made improvements to the Digital Employee Experience Management (DEEM) Solutions technical preview by letting admins drill further to find which user is impacted and what are the reasons.
• Release Date: 07.04.21
• Release Notes

• Component: VMware Unified Access Gateway
• New Release: 2103.1
• Changes:
  • VMware Unified Access Gateway 2103.1 includes a bug fix, which is documented in the Resolved Issues section.
  • Security and other updates to Photon OS package versions. This includes an update to nxtgn-openssl 1.1.1 to address security vulnerabilities (CVE-2021-3449 and CVE-2021-3450).
• Release Date: 06.04.21
• Release Notes

• Component: Workspace ONE Intelligent Hub for Android
• New Release: 21.03
• Changes:
  • Details above
• Release Date: 05.04.21
• Release Notes

• Component: Workspace ONE Intelligent Hub for iOS
• New Release: 21.03
• Changes:
  • Details above
• Release Date: 07.04.21
• Release Notes

• Component: Workspace ONE Relay
• New Release: 5.5
• Changes:
  • Compatibility with Android Hub 21.03
• Release Date: 07.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.1.0.45
• Changes:
  • Patch Update
• Release Date: 06.04.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.18.0.25
• Changes:
  • Patch Update
• Release Date: 06.04.21
• Release Notes

Service – Week 13-2021 Workspace ONE Updates

• Important Releases and KB Updates
  • New permission is added to Multi-tenant app for Microsoft Conditional Access (83252)
    • If you have Microsoft Conditional Access integrated with Workspace ONE UEM, 3rd Party compliance updates to Azure will fail for Workspace ONE UEM devices after 21st June 2021 if admins have not accepted the new permission Workspace ONE Conditional Access.
    • The Microsoft Intune ‘/serviceEndpoints’ graph API will require that all Azure AD Applications that call either: 
    • https://graph.windows.net/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints
    • https://graph.microsoft.com/v1.0/servicePrincipals/0000000a-0000-0000-c000-000000000000/serviceEndpoints
      have assigned certain API permissions.
  • Android devices using SafetyNet Attestation may be incorrectly marked as Compromised (83272)
    • Android devices using SafetyNet Attestation as part of Compromised Detection may experience false positives, causing devices to incorrectly be marked as Compromised.
    • This is currently a known issue with the SafetyNet Attestation API. The Workspace ONE product team is working closely with Google to resolve this issue.
    • Once a device is marked Compromised, the only way to correct the device is through re-enrollment. It is recommended to disable SafetyNet Attestation if this issue is experienced frequently.
  • Google Data Privacy Notification For Workspace ONE Boxer Personal Gmail Account Users (2961334)
    • In an effort to strengthen end-user security and privacy, Google has introduced stronger controls and policies requiring third-party apps, such as Workspace ONE Boxer for Android and iOS, that access consumer-level Gmail accounts to comply with the new standards that are focused on Gmail APIs.
    • Starting March 30th, 2021, Workspace ONE Boxer users with personal Gmail accounts may be presented with an Unverified app warnings screen when setting up, or configuring Workspace ONE Boxer on their device.
    • This notification only impacts users that have setup personal Gmail accounts using the VMware Workspace ONE Boxer app. More details are in the KB Article.
    • VMware is working closely with Google to ensure that there is minimal service disruption for our end users.
    • For more information, see Google Knowledge Base 7454865.
  • [Resolved] AGGL-8957 – Bulk operations from the Device List View do not honor Android Management filter
    • When using the Android Management filter in Device List View to perform bulk actions, bulk operations will be executed for all devices irrespective of the Android Management filter applied, only respecting the other filters.
    • This may cause unintended messages, deletions, or other behavior based on the bulk operation that was used.
    • Workspace ONE UEM Console version 2005
    • This has been resolved in the Workspace ONE UEM Console version 2102.
    • Additionally, fix has also been backported as a patch for the following versions:
      • Workspace ONE UEM 2005 – 20.5.0.35 and above
  • No apps found in the personal Play Store in COPE mode on Android 11 (83292)
    • On Android 11 devices enrolled in COPE mode, when a personal Google account is added to the personal Play Store, observe ‘No results found’ on the Play Store home-screen and no applications can be found or installed from Play Store.
    • Google has identified and acknowledged this as a product defect in Play Store versions below 22.8.04.
    • No applications can be found and installed from Play Store on the personal side of the COPE enrolled devices
    • Only affects Android 11 devices
    • Navigate to Play Store > Settings > Play Store Version and tap to update the Play Store version to 22.8.04 or above.
  • New KB: Workspace ONE Enrollment Error Catalog (81557)
    • This resource provides common enrollment errors, information on where they can be viewed, their resolutions, and relevant documentation.
    • Check the KB for an overview of enrollment errors.
  • Upgrading iOS device to iOS 14.X can occasionally cause devices to stop communicating with MDM server (82793)
    • VMware has received a small number of reports that after a device is upgraded to any minor version of iOS 14.0 or above, some devices will cease to check in to the MDM server.
    • The impact of this issue is that devices will not be able to check-in and receive new commands from the MDM server. This includes, information samples (OS Version), install resources, remote wipe, etc.
    • There currently is no resolution for this issue. This issue has been reported to Apple with FB9010428. If a customer has an enterprise AppleCare agreement and representative, you may provide this number to them for tracking.
    • There is currently no 100% reliable workaround. However, on occasion, a “Reset all network settings” and device reboot has resolved the issue for some impacted devices and return communication.
  • AAPP-11079 – Workspace ONE iOS Exchange (EAS) and other accounts remain on the device after the profile is removed if a profile contains two or more of the same payload type (83192)
    • Many customers are deploying Exchange Active Sync and other account profiles based that contain two or more account payloads (e.g. 2 email accounts). Accounts on devices configured via these profiles will not be removed when the underlying profile is removed or the device is enterprise wiped.
    • After the profile is removed and the account remains on the devices, users are unable to remove the account but still receive emails (in the example of EAS payloads).
    • The root cause of this has been mentioned by Apple in their latest iOS beta release notes. Any customer with access to Apple Seed for IT is able to review these notes for more information. We are not able to distribute them ourselves.
    • No resolution has been publicly released by Apple but there may be resolution coming in iOS 14.5 which is still in beta. If the customer has access to Apple Seed for IT, they can review the beta notes for more info.
    • The current workaround is to avoid placing two account payloads within a single profile and instead configure each payload in its own profile.
    • In addition to the changes in iOS 14.5 to resolve the failure to remove the email accounts, a new requirement has been added to require the payload ID to be unique for the two or more payloads within the same profile or the profile will fail to install entirely. The Workspace ONE UEM team is working to make this change in a future release.
  • AAPP-2968: VPP app not installed on iOS devices due to existing public app (2960673)
    • Upon pushing a VPP application to supervised iOS devices, the application may not install if the existing public application has already been installed by Workspace ONE. The following error may display:
    • Error 12026: “The app [application name here] is already scheduled for management”
    • We have informed Apple of the issue and this article will be updated once we confirm a resolution in iOS.  If you have Apple Care Support you may wish to reach out directly to Apple to learn more details around the status of this issue.
  • Certificate auto-renewal is not supported on printers. (83277)
    • Printers that were previously connected become disconnected from Wi-Fi network and therefore are unable to communicate to Workspace ONE UEM upon expiration of certificate.
    • Certificate auto-renewal is not supported for printers. Printers do not currently report a certificate sample back to UEM, therefore we cannot leverage UEM’s ability to automatically generate a new certificate prior to expiration.
    • To avoid certificates expiring on devices, and devices losing connectivity, a new certificate or wifi profile containing a new certificate payload needs to be sent to replace the expiring certificates manually, prior to the expiration. This would typically be accomplished by copying the existing profile, but replacing the certificate with an updated payload.

• Techzone, Blog and Podcast Updates
  • Techzone Learning Path: Understanding Windows 10 Management
  • Horizon on VMware Cloud on AWS Configuration
  • Deploying Unified Access Gateway on Google Cloud Platform – Feature Walkthrough
  • VMware Unified Access Gateway 2103: What’s New
  • Announcing: Newly Updated Understanding Windows 10 Activity Path
  • Register now for Leading Change: Build Trust with the Anywhere Workspace – May 5 and 6, 2021
  • VMware Workspace ONE is at Okta Oktane21 – Here’s what you need to know.
  • Techzone Podcast: Windows 10 Domain Join and Horizon 8 (2013)

• Industry News, external Blogs and links
  • Evaluating Intune against Workspace ONE UEM: MacOS Edition
  • Mobinergy Blog: Your Digital Workplace – Simply achieve more
  • The latest news and insights from Google on security and safety on the Internet

• Week 13 Software Updates

• Component: Secure Email Gateway
• New Release: 2.19
• Changes:
  • Updated JRE to version 11.0.10.
  • Ability to hide build information from the health monitoring endpoints.
  • CMEM-186229 – Links with the pattern ‘www-‘ do not properly match hyperlink transform rules.
• Release Date: 31.03.21
• Release Notes

• Component: Workspace ONE Intelligence
• New Release: 31st Mar
• Changes:
  • We made improvements to the Digital Employee Experience Management (DEEM) technical preview. 
    • We added the ability to sort desktops and apps scores using an Impact column.
    • We added a way to navigate through donut charts that represent experience scores at the organization level to get to a specific user’s  scores.
  • You now have the ability to download stack traces for apps that use the Workspace ONE Intelligence SDK.
• Release Date: 01.04.21
• Release Notes

• Component: Workspace ONE SDK Swift
• New Release: 21.3
• Changes:
  • We’ve packaged the Workspace ONE SDK for iOS (Swift) as XCFramework.
  • We’ve upgraded the Open SSL.
• Release Date: 30.03.21
• Release Notes

• Component: Workspace ONE Send for iOS
• New Release: 21.04
• Changes:
  • In this release, we have made a few updates containing general quality and performance improvements with no new features.
• Release Date: 31.03.21
• Release Notes

• Component: Workspace ONE Piv-D Manager for iOS
• New Release: 21.03
• Changes:
  • Adhering to Intercede headless APIs.
  • Support universal type identifier (UTI) values in Purebred 2021 release.
  • Bug fixes and stability improvements.
• Release Date: 30.03.21
• Release Notes

• Component: Workspace ONE Send for Android
• New Release: 21.04
• Changes:
  • In this release, we have made a few updates containing general quality and performance improvements with no new features.
• Release Date: 31.03.21
• Release Notes

• Component: Workspace ONE Piv-D Manager for Android
• New Release: 21.03
• Changes:
  • Send Logs option within PIVD
  • Bug fixes
• Release Date: 30.03.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.1.0.31
• Changes:
  • Patch Update
• Release Date: 29.03.21
• Release Notes

• Component: Workspace ONE UEM
• New Release: 20.11.0.20 + 20.11.0.21
• Changes:
  • Patch Update
• Release Date: 29.03.21
• Release Notes