Week 50-2022 VMware Enduser Computing Updates

Posted byJuliusLienemannPosted inWeekly ServiceTags:, , ,

Important KB Articles and Release Updates

Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com

Workspace ONE Access Services updates

  • New Admin Console Navigation Enabled for All Customers
    • The Workspace ONE Access console has been migrated to the new navigation for all users. The toggle to revert to the older navigation will be removed from the console header for all customers. For an overview of the changed console, see the Workspace ONE Access Console Features and Settings topic, Navigating in the Workspace ONE Access Admin Console section.
  • Updated Workspace ONE Access Cloud Default Password Policy for Local Users
    • As VMware is committed to the highest security standards, Workspace ONE Access is hardening the default password policy for local users. The change impacts password length and number of numerical and special characters. Complexity requirements are enforced when passwords are changed or created. This update is applicable only to customers who use the default password policy for local users that are created in the Workspace ONE Access console.
  • Shift-Based Access Control in Workspace ONE (in Tech Preview)
    • The Shift-Based Access Control feature is available now as a Tech Preview.
    • Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. In the Workspace ONE Access console, you can configure Shift-based Auth as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift.
    • This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working.
    • The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature.
    • Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later.

Workspace ONE Hub Services updates

  • Desktop Encryption Recovery Key Can Be Retrieved from Hub Support Tab
    • Users can retrieve their desktop encryption recovery key from the Support tab in Workspace ONE Intelligent Hub for their macOS or Windows device. To enable this capability for end-users, admins should navigate to the Employee Self-Service tab in the Hub Services admin console and enable Encryption Recovery Key under Device Self-Service.
    • Note: This is currently supported on Hub Web portal and Windows Hub. This requires Workspace ONE UEM version 22.10 or later.
  • For You Notification Hub Deep Links Support from Hub Services Admin Console
    • Admins can add a Workspace ONE Intelligent Hub deep link to a notification action from the Hub Services admin console. When configuring an actionable notification, admins should select the Open In action button and provide the Hub deep link. When users click on that For You action, they will be brought to the Workspace ONE Intelligent Hub app view that the deep link directs to.
    • Note: Hub deep links are currently only supported on Hub iOS and Android devices. Please refer to their documentation for more information about Hub deep link support.
  • Shift-Based Access Control in Workspace ONE (in Tech Preview)
    • The Shift-Based Access Control feature is available now as a Tech Preview.
    • Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working.
    • The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature.
    • Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later.

VMSA-2022-0032 – Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701)

  • Impacted Products
    • VMware Workspace ONE Access (Access)
    • VMware Identity Manager (vIDM)
    • VMware Cloud Foundation (Cloud Foundation)
  • Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
  • VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
  • A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system.
  • To remediate CVE-2022-31700, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
  • Find all details in linked VMSA.
  • Also review: HW-165708 – Patch instructions to address CVE-2022-31700 and CVE-2022-31701 in Workspace ONE Access Appliance (VMware Identity Manager) (90399)

FAQ: Workspace ONE UEM App Publish Behavior (90400)

  • This article discusses frequently asked questions regarding app publish behavior in Workspace ONE UEM.
  • How App Publish works?
    When you publish an application, the process could be broken down into these major steps:
    • First we saves your Smart Group (SG) Assignment Detail. This tells us which SG is mapped to the concerned application and what deployment parameters are set (e.g. “Auto/On-demand”, “Make app MDM Managed if user installed”, …, etc).
    • Then we reconcile the assignment mappings. This step is to calculate and update all Device to Application mappings.
    • Finally we call an app sync to determine the action we need to perform on each assigned/mapped device, whether to:
      • associate a VPP license, or
      • queue an InstallApplication command, or
      • queue an UninstallApplication command, or
      • send a Google EMM API, or
      • send app config, …, etc
    • The app sync’s evaluation logic is based on:
      • assignment mappings
      • device app inventory info (app samples)
      • deployment parameters
  • All details in KB.

Dashboard alerts for unrecognized requests for XML Api protocol connection in Horizon 2209 (8.7) (90398)

  • UI dashboard displays alert for unrecognized requests for XML API protocol connection. But there is no impact on the user’s session.
    Logline similar to below is seen in the Horizon Connection Server logs:
    [ConnectionServerHandler] Incrementing the warning count : Reason : unrecognized request detected
  • This is caused when a user is trying to connect to the connection server with an expired session cookie.
  • These alerts are harmless and can be ignored.

Samsung S22 Android 13 Devices Cannot Enroll into Work Profile (90418)

  • An issue has been discovered where Samsung S22 devices running Android 13 are unable to enroll into Work Profile mode. The user will see an error during Work Profile creation and will not be able to complete enrollment.
  • The issue is caused by an older Google Play System Update running on the device. Please follow the resolution step below to update your device.
  • Users will be unable to enroll devices into Work Profile mode.
  • UPDATE 12/14:  Users may be able to resolve the issue by installing the “Android Device Policy” application from the Google Play Store: https://play.google.com/store/apps/details?id=com.google.android.apps.work.clouddpc 
  • UPDATE: The below steps will correct the issue for some carrier variants of the S22 Ultra, such as Verizon, but it is not working for all S22 devices.  The article will be updated as more information becomes available.
    Users must perform a Google Play System Update.  On the device, navigate to Settings > About phone > Software Information and tap Google Play system update.  Update the device, and it will prompt to reboot. 
    Users may need to do this several times to ensure the device is on the latest update.
    After the Google Play system updates have been applied, users can proceed with Work Profile enrollment.

Hub Services App Catalog toggles will no longer determine if Hub Services is enabled or disabled on Intelligent Hub (90420)

  • This article is relevant to customers who have Hub Services with any features configured and are using Intelligent Hub on iOS, Android, macOS and Windows.
  • Today in the App Catalog page of the Hub Services admin console, if the app catalog toggle is disabled for a platform, Intelligent Hub will disable all Hub Services tabs/features (e.g. Apps, Favorites, People, Custom Tab, For You, Support tabs, etc.) and only the Account page will be displayed on those devices.
    Hub Services and Intelligent Hub Clients will be making changes to the App Catalog toggles such that the toggles will no longer determine whether only the Account page should be shown. With this update, when the toggle is disabled, the app catalog will not show for that platform and if the toggle is enabled, the app catalog will show for that platform. Other tabs will not be impacted here.
  • For new Intelligent Hub versions
    1. When the app catalog toggle is enabled, Intelligent Hub will show the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub.
    2. When the app catalog toggle is disabled, Intelligent Hub will hide the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub.
  • For older Intelligent Hub versions, Intelligent Hub will maintain today’s behavior.
    1. When the app catalog toggle is enabled, Intelligent Hub will show the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub.
    2. When the app catalog toggle is disabled, Intelligent Hub will only show the Account page and other Hub Services features that are enabled will not be shown.
  • Both old and new Intelligent Hub versions’ behavior will be determined by the same app catalog toggle. Users and devices assigned a template with app catalog settings will also reflect this updated behavior.
    Note: Intelligent Hub iOS will be first to make this change in Q1 2023. Please refer to each Intelligent Hub client’s release notes for when this change occurs.
  • For customers who wish for all Hub Services features to be disabled on a platform for newer client versions, please ensure that the app catalog and all other features (Notifications, Custom Tab, Employee Self-Service, People, etc.) are disabled from the Hub Services Admin Console before Intelligent Hub Client changes occur.
  • Highlighting High Priority KBs
    • VMware Tunnel Proxy End of Support Life Announcement (87345)
      VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023.
    • VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
      Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
  • Week 50 Software Updates
  • Component: Workspace ONE Intelligent Hub for iOS
  • New Release: 22.11
  • Changes:
    • Technical Preview: Support for Google Conditional Access
    • “Web Links” section is now called “My Web Links” to help indicate that these are configured by the end user.
    • Wizard for Intelligent Hub home screen Widgets
      • This release brings new First Time User Experience screens to show users how to add widgets to their home screens to see their personal bookmarks that are saved and synced in their Hub app.
    • TOTP is now available in the Self Support Tab
    • We are now showing additional device attributes in the Support Tab to help aid end users when they are providing information to their support teams.
    • We are now persisting and showing comments on Action Cards
    • Bug Fixes
  • Release Date: 14.12.22
  • Release Notes
  • Component: Workspace ONE Intelligent Hub for Android
  • New Release: 22.11
  • Changes:
    • Support for Shift-Based Access Controls (Tech Preview)
      • Shift-based access control enables admins to deliver a digital workspace that is shift aware. When a worker is off-shift, admins can configure to block access to Intelligent Hub app or restrict access to only specific features(Custom tab, Support, People etc.) in Hub, and restrict launch of web and native apps. This integration is enabled through VMware Workspace ONE Experience Workflows in Hub Services with WorkJam third-party time management and scheduling system to retrieve the data about the workers current on-shift or off-shift work status.
    • Terms of Use in Hub Apps Catalog
      • An admin can now define and apply Terms of Use (TOU) for the applications in the Hub Apps catalog. When an end user installs an application which is configured with TOU, Hub app presents the TOU which needs to be accepted by the end user to use the app. 
    • Simplified Password Complexity (Android 12+)
      • You can now set the minimum complexity or Device and Work passcodes to Low, Medium, and High. These basic complexity levels are pre-defined in Android and are meant to provide end users greater flexibility in how they lock their devices and work apps. Advanced controls to set minimum passcode content and length are still available. However, these advanced controls are not supported in the Device Passcode Policy for Android 12+ devices.
    • Bug Fixes
  • Release Date: 14.12.22
  • Release Notes
  • Component: Workspace ONE SDK Swift
  • New Release: 22.11
  • Changes:
    • Support for iOS and iPadOS version 13 has been withdrawn.
    • The Apple app attestation service will be used to verify the bundle identifier of custom SDK apps during enrolment.
    • The AWDefaultSettings.bundle can now be located anywhere in the app project, including in a framework or Swift package.
    • Organization group identifier and management console server address are accessible in a new SDK programming interface.
    • Bug fixes and stability improvements.
  • Release Date: 12.12.22
  • Release Notes
  • Component: Workspace ONE Web for iOS
  • New Release: 22.12
  • Changes:
    • IBRW-174697: Enable Data Collection for DEX through WS1 Web
      • This will enable the admins to monitor the usage and performance of Workspace ONE Web through Workspace ONE Intelligence.
    • Bug Fixes
  • Release Date: 13.12.22
  • Release Notes
  • Component: Workspace ONE Access On-Premise
  • New Release: 22.09.1.0
  • Changes:
    • Connector support for Windows Server 2022
    • Security improvements and other fixes
  • Release Date: 14.12.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: OS Updates Seed Script
  • Changes:
    • Most recent update: iOS 16.2.0 (20C65), tvOS 16.2.0 (20K362), iOS 15.7.2 (19H218), macOS Ventura 13.1.0 (22C65)
  • Release Date: CW50
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: Seed Script for latest Device Model Information
  • Changes:
    • Seed new iPad 10th generation device models
  • Release Date: 08.11.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 21.9.0.47
  • Changes:
    • AMST-37313: Device Identifier and UDID mismatch for any reason should not unenroll device.
    • AAPP-14928: Cannot enable Device Assignment for certain VPP applications.
  • Release Date: 22.11.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 21.11.0.54
  • Changes:
    • ARES-24023: Android Public Application assignment is not working as expected.
    • AGGL-13505:Android Restriction “Allow user to modify Location Settings for Work Profile” not working.
    • AGGL-13410: Unable to save entries in URLAllowlist / URLBlocklist for Chrome Browser Settings profile.
  • Release Date: 13.12.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 22.3.0.36
  • Changes:
    • AMST-37744: (P2P Branch-Cache) Peer to Peer download is not working.
    • ARES-23911: Terms of Use page crashes in console.
  • Release Date: 13..12.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 22.6.0.20
  • Changes:
    • UM-7779: AirWatch Purge expired Sample Data SQL job is failing.
    • AMST-37720: (Factory Provisioning) Active Directory select is not working as expected.
    • FCA-204392: Custom device activation template is not being sent to the devices that are enrolled through SSP.
    • FCA-204431: Incorrect success message shows when changing the Organization Group of a device even when it is prevented by tenancy restriction.
    • AMST-37746: (P2P Branch-Cache) Peer to Peer download is not working.
  • Release Date: 13.12.22
  • Release Notes
  • Component: Workspace ONE UEM
  • New Release: 22.9.0.10
  • Changes:
    • AAPP-15021: Increased DS memory usage after upgrade to 2209.
    • AMST-37721: (Factory Provisioning) Active Directory select is not working as expected.
    • AMST-37747: (P2P Branch-Cache) Peer to Peer download is not working.
    • ARES-24026: Remove time taking DB script to update EventLog_UpdateCorrectEnrollmentUserInfo from Patches.
    • RUGG-11642: Files downloaded from Files/Actions are empty after upgrade to 2206.
  • Release Date: 13.12.22
  • Release Notes

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: