Service – Week 34-2022 VMware Enduser Computing Updates

Important KB Articles and Release Updates

Please note: KBs may get updated after being referenced here. Always follow the link to the original post on kb.vmware.com.

  • Workspace ONE UEM FedRAMP: Upcoming Cipher Suite Update (89312)
  • Ensuring protection of data-in-transit is a key priority for all communication paths that integrate with Workspace ONE UEM (Unified Endpoint Management). To continue to deliver on that promise, VMware continually reviews and updates the associated cipher suites that are available within our SaaS hosted solutions. In an upcoming change window VMware will be restricting the available cipher suites used on all FedRAMP Workspace ONE UEM hosted endpoints.
  • KB-Reference: https://kb.vmware.com/s/article/89312?lang=en_US&source=email
  • Horizon 2206 fails to connect to vCenter (89331)
  • Horizon 2206 Connection Server fails to validate the server certificate of a vCenter instance, preventing a successful connection.
    This can happen even if an older version of Horizon can connect successfully using the same certificate.
    In the Connection Server debug log, an SSLHandshakeException is logged due to “Certificates do not conform to algorithm constraints.”
  • In Horizon 2206, the list of acceptable certificate signature schemes has changed and may no longer include the algorithm used to sign the vCenter certificate.
  • The list of signature schemes can be modified by editing LDAP attribute pae-SSLClientSignatureSchemes under cn=common,ou=global,ou=properties.
    The format of this attribute is a single string that begins “\LIST:”, followed by one or more comma-separated scheme names.
    For example: pae-SSLClientSignatureSchemes = \LIST:rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512
    It is not necessary to restart any service after making this edit.
    In the example above, “rsa_pkcs1_sha256” corresponds to SHA256withRSA, “rsa_pkcs1_sha384” to SHA384withRSA and “rsa_pkcs1_sha512” to SHA512withRSA.
    IMPORTANT: The new list must include at least rsa_pkcs1_sha256 and rsa_pkcs1_sha384 to avoid breaking other outgoing connections.
  • More Info in KB: https://kb.vmware.com/s/article/89331?lang=en_US&source=email
  • ESC-33274 – Elevated CPU usage on Workspace ONE UEM Database after upgrade to 2206 (89338)
  • Upon upgrading to Workspace ONE UEM 2206, your environment may exhibit elevated CPU usage on the database server. This can lead to latency in communications between Workspace ONE UEM and your managed devices.
  • This can lead to performance degradation and latency in device and administrator interactions with Workspace ONE UEM.
  • Our Product team has been notified and is working to address this issue in a timely manner. Please subscribe to this article to be notified when an update is available.
    In the interim:
    • Shared SaaS and Dedicated SaaS (Latest Mode): the rollout of Workspace ONE UEM 2206 has been paused
    • Dedicated SaaS: The upgrade scheduler has been updated and scheduling an upgrade to Workspace ONE UEM 2206 is temporarily disabled. If you have previously scheduled an upgrade for your Dedicated SaaS environment, you may submit a support request to have the upgrade cancelled/postponed
    • On-premise: The installer for On-premise customers for this version has been retracted from the myWorkspaceONE portal temporarily
  • Please follow: https://kb.vmware.com/s/article/89338?lang=en_US&source=email
  • FCA-203819 – Workspace ONE UEM – Access error when navigating to Exports page (89334)
  • Navigating to the Monitor > Reports and Analytics > Exports page in the Workspace ONE UEM console while logged in with a custom or system role may result in the page not loading and showing a “This door is locked” error.
  • The Exports page in the Workspace ONE UEM console has been migrated to a new UI framework that requires a specific admin permission to view. Navigating to this page without the proper permission will result in a “This door is locked” error. By default, most system roles will already have this required permission, but some custom and system roles may not.
  • Pages that are migrated to the new UI framework require a set of admin permissions to load the components of and give access to the page. Without the correct permissions in the current admin’s role, the page will show a “This door is locked” error.
  • Our product team has been engaged and is actively working to resolve the issue. Please subscribe to this article to be notified when an update is available.
  • Workaround in KB https://kb.vmware.com/s/article/89334?lang=en_US&source=email
  • MACOS-3206 – Certain Apple Silicon macOS devices leveraging a randomized managed administrator password cannot be accessed with the current password (89299)
  • This issue affects certain Apple Silicon macOS devices that are enrolled via Automated Device Enrollment with Apple Business or School Manager, if a managed administrator account is configured with a randomized password. In some cases, if you attempt to log in to the administrator account with the current password, the login attempt may fail with an incorrect password.
  • The Workspace ONE team has engaged Apple and is working to identify root cause and resolution.
  • If this issue occurs, rotating the password again appears to resolve it. This can be done in two ways:
    1. Leverage the Workspace ONE UEM REST API to immediately rotate the managed administrator password for the target device.  This can be done with one of the following API endpoints:
      1. /mdm/devices/{deviceId}/commands?command=RotateDEPAdminPassword
      2. /mdm/devices/commands/RotateDEPAdminPassword/device?searchBy={searchByParam}&id={Id}
    2. Alternatively, view the current managed administrator password for the target device in the Device Details page of the Workspace ONE UEM Console; a rotate command will then automatically be issued to the device after a grace period of 8 hours. After this grace period has passed and you have verified that the device has processed the command, attempt to log in using the new password.
  • KB-Reference: https://kb.vmware.com/s/article/89299?lang=en_US&source=email
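An added example, not from the KB or from VMware: a Python helper that parses the `\LIST:` value described in the Horizon 2206 entry above (KB 89331) and returns the value to write so that it accepts the vCenter certificate's signature algorithm and still contains the two required schemes. The function names are hypothetical, and it knows only the three scheme mappings given in that entry.

```python
# Added example; these names are illustrative and not part of Horizon or any VMware tool.
PREFIX = "\\LIST:"
# Java signature algorithm -> scheme name; only the pairs the KB excerpt gives.
JAVA_TO_SCHEME = {
    "SHA256withRSA": "rsa_pkcs1_sha256",
    "SHA384withRSA": "rsa_pkcs1_sha384",
    "SHA512withRSA": "rsa_pkcs1_sha512",
}
# Schemes the KB says must stay in the list.
REQUIRED = ("rsa_pkcs1_sha256", "rsa_pkcs1_sha384")


def parse_schemes(value):
    """Split a pae-SSLClientSignatureSchemes value into scheme names."""
    value = value.strip()
    if not value.startswith(PREFIX):
        raise ValueError("value must begin with " + PREFIX)
    names = [n.strip() for n in value[len(PREFIX):].split(",")]
    if not all(names):
        raise ValueError("empty scheme name in list")
    return names


def plan_update(current_value, cert_sig_alg):
    """Return (new_value, added) so the list accepts cert_sig_alg and keeps REQUIRED."""
    try:
        needed = JAVA_TO_SCHEME[cert_sig_alg]
    except KeyError:
        raise ValueError("no scheme mapping known for " + cert_sig_alg)
    schemes = []
    for name in parse_schemes(current_value):
        if name not in schemes:          # drop duplicates, keep original order
            schemes.append(name)
    added = []
    for name in REQUIRED + (needed,):
        if name not in schemes:          # append only what is missing
            schemes.append(name)
            added.append(name)
    return PREFIX + ",".join(schemes), added


if __name__ == "__main__":
    # Constructed input: a list lacking the scheme for a SHA512withRSA-signed vCenter certificate.
    current = "\\LIST:rsa_pkcs1_sha256,rsa_pkcs1_sha384"
    new_value, added = plan_update(current, "SHA512withRSA")
    print("added:", added)
    print("pae-SSLClientSignatureSchemes =", new_value)
```

The signature algorithm has to be read from the vCenter certificate beforehand; an algorithm outside the three mapped ones is rejected rather than guessed.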

Week 34 Software Updates

  • Component: Workspace ONE UEM
  • New Release: 22.3.0.23
  • Changes:
    • CMCM-190024: DB Server CPU spiking to 100% multiple times a day
    • AGGL-12338: DDUI profiles cannot be created or edited
    • AAPP-14462: Delay in OS seed script deployment is causing data inconsistency
  • Release Date: 23.08.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 21.9.0.42
  • Changes:
    • RUGG-11334: Delay in Products getting assigned to android devices
    • CRSVC-31085: ProvisioningProfile tries to remove expiring profiles when none exist
  • Release Date: 23.08.22
  • Release Notes
