Service – Week 26-2022 VMware Enduser Computing Updates

Important KB Articles and Release Updates

Please note: KBs may get updated after being referenced here. Please always follow the link to the original post on kb.vmware.com.

  • SINST-175987 Upcoming Expiration for Workspace ONE UEM AWCM Built-In Certificate (88871)
  • The Workspace ONE team has identified that the built-in Workspace ONE UEM AWCM certificate is expiring on July 2nd, 2022. This certificate is an installer selection option for AWCM that installs a self-signed non-publicly-trusted certificate to secure AWCM communications.
    Note: SaaS environments are utilizing SSL offloading and are not affected by this expiration. 
  • If you are using custom SSL certificates (Third Party) or SSL offloading, this expiration does not apply to your deployment and no actions are needed.
  • If you are utilizing the Built-In Workspace ONE UEM certificate for AWCM your environment will be impacted. The impact of this expiration would manifest in the form of AWCM services failing to restart. Additionally, devices, ACCs, and other services will fail to trust the AWCM connection causing service interruption. Lastly, 502s from the AWCM status page would be observed.
  • To confirm your environment is impacted, please navigate to the following URL (https://localhost:2001/awcm/status) on the AWCM local host machine and check the certificate published against that URL endpoint. If this certificate is the Air Watch Root CA with an expiration of July 2nd, 2022, please follow the resolution and workaround sections of this KB.
  • Resolution & Workaround in KB: https://kb.vmware.com/s/article/88871?lang=en_US&source=email
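The certificate check described for KB 88871 can be scripted on the AWCM server rather than read from a browser. The following PowerShell is an added example, not part of the KB or VMware's tooling; the function names are hypothetical, and the issuer pattern `Air\s?Watch` is an assumption about how the built-in CA name appears in the certificate.

```powershell
# Added example. Run on the AWCM server. Host, port and the 2 July 2022 date
# come from the KB text; the issuer pattern 'Air\s?Watch' is an assumption.
function Get-AwcmCertificate {
    param([string]$HostName = 'localhost', [int]$Port = 2001)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to read the certificate,
        # not to trust it (the built-in one is not publicly trusted).
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it stays usable after the stream is disposed.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-AwcmBuiltInCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Expiry = [datetime]'2022-07-02'
    )
    $builtIn = $Certificate.Issuer -match 'Air\s?Watch'
    # NotAfter is reported in local time; compare calendar dates only.
    $expires = $Certificate.NotAfter.Date -le $Expiry.Date
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Issuer            = $Certificate.Issuer
        NotAfter          = $Certificate.NotAfter
        Thumbprint        = $Certificate.Thumbprint
        BuiltInIssuer     = $builtIn
        ExpiresByDeadline = $expires
        Impacted          = $builtIn -and $expires
    }
}

Test-AwcmBuiltInCertificate -Certificate (Get-AwcmCertificate) | Format-List
```

If `Impacted` is `True`, follow the resolution and workaround sections of the KB.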
  • Impact of CVE-2021-26414 (KB5004442) on Workspace ONE UEM integration with ADCS DCOM (88859)
  • This KB article refers to Microsoft’s “KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)”. The Workspace ONE team has investigated CVE-2021-26414 (KB5004442) and has determined that customers can remove the possibility of interruption by performing the steps detailed in the Workaround section of this article.
  • The changes to DCOM calls can affect calls specifically for Certificate Authority (CA) integrations with ADCS through ACC or direct CA integrations (Console/Device Services). Other CA integrations (for example, SCEP) are not affected by this change.
    Impact manifests in the failure of test connections for CA integration and the failure to generate certificates.
  • Our product team has been notified and is working to address this issue in a timely manner. Please subscribe to this KB for updates as we progress on resolving this KB.
  • For short-term mitigation, you may apply the steps mentioned in the Microsoft KB article to disable the hardening changes to your ACC and Certificate Authority, or CN/DS/API and Certificate Authority. 
    Please contact your Microsoft support representatives if you need additional information about this vulnerability or the changes associated with the Microsoft KB.
  • KB-Reference: https://kb.vmware.com/s/article/88859?lang=en_US&source=email
  • AGGL-12119 – Enterprise Wipe action only wipes Work Profile in Android 11+ COPE (88821)
  • Devices wiped through the Enterprise Wipe actions in Devices > List View and Compliance Policies will not factory reset. Instead, only the Work Profile will be wiped.
  • One of the actions available in Compliance Policies for Android devices is Enterprise Wipe. The Enterprise Wipe action is also available for Android devices in the Workspace ONE UEM Console under the Devices > List View page. For Android 11+ devices enrolled in COPE mode, these actions should result in a factory reset.
  • Workspace ONE UEM 2204
  • Devices where only the Work Profile has been wiped will no longer be managed by Workspace ONE UEM. To re-enroll in COPE mode, devices must be factory reset and must go through the COPE enrollment flow. Devices registered in Knox Mobile Enrollment or Zero Touch Enrollment programs will continue to automatically re-enroll into Workspace ONE UEM on factory reset.
  • VMware is actively working towards a resolution, and updates will be posted on this article.
  • You may initiate a factory reset of Android 11+ COPE devices by deleting the device from the Workspace ONE UEM Console.
  • KB-Reference: https://kb.vmware.com/s/article/88821?lang=en_US&source=email
  • Unable to renew APNs certificate when request uses .plist file extension (88830)
  • Apple Push Notification service (APNs) certificate renewal will fail if the certificate request uses a .plist file extension.
  • The renewal process is outlined in the KB article titled How to renew an Apple Push Notification service (APNs) certificate (2960965).
  • KB-Reference: https://kb.vmware.com/s/article/88830
  • On some devices, macOS Intelligent Hub 22.04.x or 22.05.0 may not successfully autoupdate when a newer Intelligent Hub is available (88834)
  • Some macOS devices with Intelligent Hub 22.04.x or 22.05.0 installed may not successfully autoupdate when a newer Intelligent Hub is available in the UEM environment. The autoupdate will attempt to initiate based on the configured settings, but the new version of the Hub will not be successfully installed. For devices that experience the issue, newer versions of the Intelligent Hub can be deployed through methods where the install command is initiated through the UEM Console; see the Workaround section for some examples.
  • This issue has been resolved in macOS Intelligent Hub 22.05.1, which is also seeded into UEM 22.04.5.  This Hub is also available on myWorkspaceONE and https://getwsone.com.
  • This issue affects the autoupdate functionality initiated by the Hub, but should not affect any server-side initiated update commands. Some of the following methods could be used to update the Intelligent Hub on an affected macOS device:
    • After Intelligent Hub 22.05.1 is available within your UEM environment, leverage the “Install Intelligent Hub for macOS” action available in the Device Details page of an affected device.
    • After Intelligent Hub 22.05.1 is available within your UEM environment, the Workspace ONE UEM API can be leveraged to issue an Intelligent Hub install command.  For example, the following command could be used to install the seeded Intelligent Hub to a target device:
      • https://{API_URL}/API/mdm/devices/{deviceID}/commands?command=InstallPackagedMacOSXAgent
    • Intelligent Hub 22.05.1 or greater can be deployed as a bootstrap PKG (by specifying “Expedited Delivery” as the Deployment Type after uploading the pkg as an Internal App).  This can then be deployed to enrolled devices.
  • KB-Reference: https://kb.vmware.com/s/article/88834?lang=en_US&source=email

Week 26 Software Updates

  • Component: Workspace ONE Intelligent Hub for Android
  • New Release: 22.06
  • Changes:
  • Removing the 3-Character Limit for People Search
    • People Search will allow searching with just one or two characters instead of the usual 3-character search. This enables support for searching names in logographic languages like Chinese, Japanese, etc. 
  • Android Enterprise
    • Workspace ONE UEM now supports management of Android GO devices enrolled in Work Managed mode (see documentation for restrictions).
    • In Work Profile devices, the Hub icon on the personal side is now hidden. A grayed-out icon will no longer be displayed in the Android launcher outside the Work Profile.
    • In Work Profile and COPE devices, Hub no longer requires Location permissions to install WiFi profiles. Users with Android 12 devices in these modes will only see the Location runtime permission prompt if the organization is collecting location data from the device. 
  • Bug Fixes
  • Release Date: 01.07.22 (staged)
  • Release Notes
  • Component: Workspace ONE Boxer for iOS
  • New Release: 22.06
  • Changes:
    • Allowed applications list for opening documents in Workspace ONE Boxer settings is merged with the list of allowed applications in SDK settings
    • End users are allowed to open documents in all the allowed applications specified in both SDK and Workspace ONE Boxer settings.
    • If the administrator has activated Allow List in the Workspace ONE Boxer Settings (Boxer Assignment > App Policies > Data Loss Prevention > Sharing > Allow List) and entered the list of applications in Allowed Applications, then the end user can open documents in all the applications present in the allowed list.
    • If the administrator has activated Limit Documents to Open Only in Approved Apps in the SDK Admin settings (Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies > Data Loss Prevention > Limit Documents to Open Only in Approved Apps) and entered the list of applications in the Allowed Applications List, then the end user can open documents in all the applications present in the allowed list.
    • If the administrator activated this feature in both Workspace ONE Boxer and SDK Admin settings and entered the list of allowed applications in both settings, then the lists are merged.
    • Support of device passcode for authentication
    • This feature allows an end user to use the device passcode for authentication instead of the SDK passcode.
    • This feature is available when “useDevicePinForAuthentication”, type bool, is added as a custom SDK setting in the Workspace ONE UEM console (Groups & Settings > All Settings > Apps > Settings and Policies > Settings).
    • By default, the feature is deactivated. To activate this feature, the value of the custom setting must be set to true.
    • Bug Fixes
  • Release Date: 29.06.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 21.5.0.62
  • Changes:
    • UGG-11032: Delay in Products getting assigned to android devices
    • AGGL-12081: Approved SIM details do not get updated on the latest UEM console
  • Release Date: 28.06.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 21.11.0.38
  • Changes:
    • CRSVC-29627: Triggering the 5K API calls per minute limit even though it’s been longer than a minute
    • ARES-22164: [SPIKE] Slide Forced and Idle session timeout for blob upload use case
    • AMST-36289: Disable HardwareDeviceIdentifierForWindowsFeatureFlag
    • AGGL-12082: ‘Force YouTube Safety Mode’ and ‘Enable Touch to Search’ settings in Android Chrome Browser Settings profile are not saved with console v2111 and above.
    • AGGL-11944: Chrome URLWhitelist/URLBlacklist does not work on the latest Chrome Versions.
  • Release Date: 28.06.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 22.3.0.14
  • Changes:
    • CRSVC-29626: Triggering the 5K API calls per minute limit even though it’s been longer than a minute
    • AMST-36290: Disable HardwareDeviceIdentifierForWindowsFeatureFlag
  • Release Date: 28.06.22
  • Release Notes
