Week 37-2023 VMware Enduser Computing Updates

---

Release Updates Week 37

Workspace ONE Content for iOS 23.09

• Support additional number of tabs for viewing files
• Support multiple attachments in MSG file

Workspace ONE Tunnel for iOS 23.06.1

• Bug Fixes
  • PPAT-15009: Tunnel client prompts user for credentials on application launch.

---

Important KB Articles and Announcements

Please note: KBs may get updated after being referenced here. Please always follow the link to the original post in kb.vmware.com

---

Automated Device Enrollment fails on macOS 14 Sonoma if Custom Enrollment is disabled (94577)

• When attempting an Automated Device Enrollment (formerly referred to as DEP enrollment) on macOS 14 Sonoma, enrollment will fail if the setting “Custom Enrollment” is disabled in the DEP Profile in Workspace ONE UEM.  
• When the device is first turned on and proceeds in the Setup Assistant to the “Remote Management” screen, the device will receive the error “Enrolling with management server failed.” before user authentication takes place.

Android Management API Feature – Beta Launch

• Android Management API (AMAPI) is a new way of managing Android Enterprise devices. The way Workspace ONE supports Android Enterprise today is called Custom DPC. In it, Intelligent Hub acts as a Device Policy Controller (DPC) on the device or Work Profile.
• In Android Management API, a native Android application called Android Device Policy serves as the Device Policy Controller (DPC) for the device or Work Profile. Workspace ONE UEM pushes device policies to Android Management API, which in turn transmits these policies to Android Device Policy to be applied to the device. For more information, please see the AMAPI Beta Tester Guide in the Early Access Community.
• This Beta is a first step in Workspace ONE UEM fully supporting Android Management API. The first management mode which will be supported with AMAPI is Work Profile.

HubUI fails to upgrade / install (94150)

• The components of the HUB UI will fail to load on Windows Devices.
• Adhering to the steps below will ensure a successful upgrade of the HUB UI, allowing it to load seamlessly and without encountering any problems.
• Check if GPO is blocking the installation,
• In Windows, search for Edit Group Policy or right-click the Windows Key and select Run > type “gpedit.msc”.
• This opens the Local Group Policy Editor screen.
• Go to Go to Computer Configuration > Administrative Templates > Windows Components > App package Deployment to check settings for these policies:
• Prevent non-admins users from installing packaged Windows apps
• Allow all trusted apps to install

VMware Workspace ONE Intelligent Hub for macOS to end support for macOS versions prior to macOS 11 Big Sur (94552)

• The upcoming release of Intelligent Hub 23.09 for macOS will be the final version of the Intelligent Hub to support macOS 10.15 Catalina. All versions of macOS 11 or greater will continue to be supported by the Intelligent Hub for macOS.  You can refer to the release notes of each Intelligent Hub version for specific macOS version support information.
• Administrators who want to take advantage of features in future releases of Intelligent Hub for macOS must ensure that their macOS devices are running macOS 11 Big Sur or later. 
  Devices that are currently on macOS 10.15 Catalina will be able to continue using Intelligent Hub 23.09 or earlier.
  NOTE: There will not be any patches/updates to earlier versions of Intelligent Hub, and these should be used only as a stop-gap until devices can be upgraded to macOS 11 Big Sur or greater.

AMST-39683 – Workspace One UEM – Windows Autopilot enrollment fails to complete (stuck in Pending hub) (94496)

• Windows Enrollment to Workspace One UEM via Autopilot enrollment fails to complete.
  Symptoms can include, but not limited to:
  1. Devices will succesfully join Azure AD tenant but will fail to complete enrollment to Workspace One UEM.
  2. Workspace One Intelligent Hub will not land on the device.
  3. Devices will show as ‘pending hub’ in the UEM console, as a result assigned profiles, baselines, apps etc will not install.
  4. Other OOBE provisioning methods may also be affected. 
  Affected Version(s):
  Workspace One UEM 2302+ 
• VMware product team is aware of the issue and are currently investigating. 
• Workaround in KB

Autopilot Hybrid Join Best Practices (94477)

• If you plan to deploy Windows devices with Autopilot Hybrid Join, you should follow the following guidelines. Every other configuration can cause deployment issues, timeouts, or errors.
  • Don’t deploy other resources than Domain Join configuration and VPN application / profile in the customer OG. 
    Devices enrolled via Autopilot, always getting enrolled into the customer OG. If there are other resources assigned to the device, the Autopilot Hybrid Join process might time out.
  • Pre-stage VPN application. 
    If your deployment requires a VPN connection because the end-user is outside the company network, you should consider Drop-Ship Provisioning (Online or Offline) to pre-stage the VPN application. 
    Due to the Microsoft limitations in the Autopilot process, VMware Workspace ONE does not have any ability to wait for the VPN application installation. As soon as the Offline Domain Join blob was applied to the device, the device will reboot. 
    This might cause devices to be AD joined but don’t have the VPN application installed and might need additional time and reboots to apply those changes.
  • Ensure the enrollment User is in the customer OG
    If the enrollment user is not part of the customer OG, an additional User object might get created, or the deployment fails.
  • Turn off Status Tracking Page
    Autopilot Hybrid Join with VMware Workspace ONE, does not support showing the status tracking page. 
  • Disable all optional pages and Token enrollment
    Due to a Microsoft bug, Autopilot Hybrid Join cannot show any additional pages, like MDM Welcome Screen or Token request page.
  • Use VMware Workspace ONE Intelligence to move the device to target OG
    Due to the current design, devices getting enrolled in the customer OG. To move the devices automatically to the target OG, consider VMware Workspace ONE Intelligence automations.
  • Delete AD computer objects before re-enrollment
    If you are using a unique device serial number as a computer name in the Offline Domain Join configuration, you need to delete the AD computer object before re-enrolling the device. 
    The current design does not support overwriting the existing AD computer object.

---

High Priority KBs

• Introducing Workspace ONE (WS1) UEM Next-Gen SaaS
• VMware is excited to announce that the resource management & tracking improvements, the first major feature-based milestone in the Workspace ONE UEM Modernization Journey, is now available for customer testing. These improvements will be enabled in limited testing environments (CN135) starting on Thursday August 24, 2023.
• [Resolved] SINST-176145 – Multiple Workspace ONE UEM application pools and services may not start once stopped (93877)
• Workspace ONE UEM services and application pools may fail to start once stopped. This issue is typically observed alongside the following error message in the service’s log[RESOLVED] SINST-176160 – Workspace One UEM – Unable to edit existing or create new DDUI profiles. (93911)
• Upon deploying the patches noted in KB 93877, you may experience an error when creating or editing DDUI device profiles (iOS, macOS, Android Enterprise) in the Workspace ONE UEM Console. 
• Getting Ready for Android 14 (2023)
• Getting Ready for Apple Major OS Releases 2023 

---

Recently updated or added KBs (Links)

• Automated Device Enrollment fails on macOS 14 Sonoma if Custom Enrollment is disabled (94577)
• HubUI fails to upgrade / install (94150)
• VMware Workspace ONE Device Compromise Protection (88966)
• VMware Workspace ONE Intelligent Hub for macOS to end support for macOS versions prior to macOS 11 Big Sur (94552)
• [Resolved] iOS Tunnel client 23.06 in Managed mode may prompt for user credentials on application launch (94260)
• Horizon Agent 8.5 onwards installation fails with 1603. (94510)
• Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. (85801)
• Horizon Server 2212: When Editing a pool, Unable to set a specific OU and AD settings are blank and not displayed when an OU Object is in Katakana (94489)
• AMST-39683 – Workspace One UEM – Windows Autopilot enrollment fails to complete (stuck in Pending hub) (94496)
• Black screen when opening IRM documents after Horizon agent upgrade to 2212 (94020)
• VMware Integrated Printing : Certain Legacy Published Desktop Applications are unable to set the configured default printer (94373)
• RDSH Apps do not redirect/map Printers with VMware Integrated Printing (94372)
• UAG cannot receive Access-Accept form the Radius server unexpectedly, when the reply delays 30+ seconds after the request (93796)
• Autopilot Hybrid Join Best Practices (94477)
• Supported Windows 10 and Windows 11 Guest Operating Systems for Horizon Agent and Remote Experience, for VMware Horizon 8.x (2006 and Later) (78714)
• Collecting diagnostic information for App Volumes (2095974)
• [Resolved] AMST-39527 – Workspace ONE UEM Windows Software Distribution Agent fails to install on Win 22H2 (94088)
• Horizon 8: Best Practices When Removing Cloud Pod Architecture (94101)
• Factors that affect resolution time with Appvolume Appcapture Issues (82582)
• [AAGNT-197206] Android 10- COPE devices lose communication with Workspace ONE UEM (92308)
• Microsoft Teams: A screenshare shows a black screen instead of shared contents when using Horizon Client for Windows 2206 when optimized (89741)
• App Volume writable deleting with instant clone (93541)
• Unable to login to Horizon Admin Console. Error: “Page failed to load. Please refresh the browser to reload again” (94217)
• Horizon 8.10 Persistent Disk: Persistent Drive Mounts to an Incorrect Drive Letter (92825)
• Horizon 8.10 Persistent Disk: Limitations when archiving Persistent Disks to the Root Level of a Datastore (92823)
• Horizon 8.10 Persistent Disk: Best Practices and Troubleshooting (92881)
• Network tab in iOS WS1 Intelligent Hub shows as “Not connected” (81957)
• Troubleshooting Device Compliance failures in Workspace ONE Access (83592)
• HubUI fails to upgrade / install (94150)
• AHA SDKI-I-46 HUBI-I-142 VMware Workspace ONE Device Compromise Protection (88966)
• Upcoming changes to APNs for Applications for On-Premises Workspace ONE UEM (91116)
• Workspace ONE UEM Windows 10 Command-Line Enrollment Arguments (78733)
• Autopilot Hybrid Join Best Practices (94477)

---

Digital Workspace Techzone, Blog and YouTube Updates

• Blocking Unwanted Apps on Managed iOS Devices
• Horizon Cloud Service – next-gen Architecture
• Evaluation Guide for VMware Horizon Cloud Service – Next-Gen
• VMware rolls out extensive iOS declarative device management capabilities in Workspace ONE tech preview
• Bulk Deploy Unified Access Gateway

---

3rd Party Blog Updates & Industry News

• Mobile-Jon: Workspace ONE Delivery Optimizations are Coming
• theDXT: VMware Horizon GPO Templates

---

September Software Releases

System	Component	Release	Announcement	Release Date
Windows	Hub	23.02.7	Release Notes	31.08.23
Horizon	Horizon Cloud Service Next Gen	2308	Release Notes	01.09.23
Backend	UAG	2306.1	Release Notes	31.08.23
Horizon	App Volumes	2212.7	Release Notes	05.09.23
Android	Hub	23.08	Release Notes	07.09.23
iOS	Content	23.09	Release Notes	12.09.23
iOS	VM Tunnel	23.06.1	Release Notes	12.09.23

---

Upcoming EUC Events

Event	Start Date	Details
VMware Empower Frontline Workers Webinar	https://www.vmware.com/learn/2140000_REG.html	19-09-2023
Apps on Demand: Mastering the Eight Activities of Modern App Management	UPCOMING: Look out for your invitation to the next VMware EUC Tech Insight Session!	New date tbc
EUC Customer Success Quarterly Webcast Series	Next EUC Customer Success Quarterly Webcast Coming Soon!Watch our latest webcasts: •Managing, Automating, and Supporting a Frontline Device Fleet •What’s New with Horizon Cloud Service next-gen and Improving VMware Horizon User Experience with Workspace ONE Intelligence •Windows 10 Multi-User Support for UEM & Revolutionize your IT Environment with Freestyle OrchestratorWatch all additional previous webcasts On-Demand here.
VMware Digital Workspace Virtual Customer Success Roundtable	Next VMware Digital Workspace Virtual Customer Success Roundtable Coming Soon!
VMware Explore 2023	VMware Explore USWatch 2023 EUC session replays here. VMware Explore Europe Barcelona | Fira Gran ViaRegister NowWatch replays from VMware Explore Europe 2022 here.	6-9 November 2023
VMUG	Watch On-Demand webcasts here.Register for upcoming live webcasts here.Register for Regional VMUG events here.
End User Computing Webinars	Sign up for upcoming webcasts and watch VMware On-Demand webcasts here.

---

EUC UX Research Opportunities  

• Our goal is to gather insight into user behaviors, motivations, and goals, so we can use those insights to inform and strengthen product and design decisions.
• Interested in giving your opinion and making your voice heard? Check out what’s available!
• Bonus: We give VMWare swag to Customers who participate  

EUC Product / Feature	Topic	Opportunity Time	Signup Link
WS1 UEM Devices > List View Devices > Dashboard Resources > App  Resources > Profile	EUC Research recently collected Admin feedback on Devices + Resources. We took that feedback to the EUC Design Team and guess what? UPDATES HAVE BEEN MADE.	Focus Groups / 1x1s Whiteboard/Miro activities Testing wireframe + prototypes of potential tool	Here
WS1 Marketplace > Templates OPEN TO WS1 Intelligence Admins	How are you utilizing Marketplace? What do you think about a Community?	Focus Groups / 1x1s Whiteboard/Miro activities Testing wireframe + prototypes of potential tool	Here
WS1 Intelligence > Dashboards > Widgets	How do you build widgets and dashboards? How do you use filters? How easily can you use these?	Focus Groups / 1x1s Whiteboard/Miro activities Testing wireframe + prototypes of potential tool	Here

---

Latest Patch & Seed Script Versions

• OS Updates Seed Script
  • Most recent update: Apple Seed Scripts iOS 16.6.1 (20G81),macOS Ventura 13.5.2 (22G91)
  • Last Update: CW37
    
• Seed Script for latest Device Model Information
  • Seed new MacBookPro16,4 and MacBookPro15,3 models
  • Last update: CW28

• Workspace ONE UEM 22.03
  • Patch Level 22.3.0.52
  • SINST-176199: Update Installer to fix issues with DDUI profile screen.
  • Last Update: CW36

• Workspace ONE UEM 22.06
  • Patch Level 22.6.0.43
  • AMST-39537: Workaround for Microsoft issue, breaking SFD installation.
  • CMEM-186888: Powershell script and Workspace ONE UEM side changes for EXO V3 Module.
  • SINST-176130: Install .NET Core 6 with UEM Installer.
  • PPAT-14516: .NET Core version upgrade to 6 for Tunnel Microservice.
  • CRSVC-40044: Only save public key component of certificate to database.
  • CRSVC-39363: Memcached uses only one server.
  • CRSVC-38315: Create non-clustered index on certificate table based on observations on Kroger.
  • RUGG-12322: Add Show Search bar toggle in the Layout widget.
  • CRSVC-40108: [Certificate Installer] Private key was not exportable in manual flow.
  • AGGL-15443: Unable to create Android profile with a time schedule, whose UUID is NULL.
  • AAPP-16309: False APNS notifications during Purchased App Sync.
  • AGGL-15326: Remove EFOTA sample from microservices.
  • AGGL-13376: Event data is empty for the Remove Application Requested event.
  • SINST-176171: Fixed issues with DDUI profile screen.
  • Last Update: CW37

• Workspace ONE UEM 22.09
  • Patch Level 22.9.0.39
  • AMST-39537: Workaround for Microsoft issue, breaking SFD installation.
  • CMEM-186888: Powershell script and Workspace ONE UEM side changes for EXO V3 Module.
  • SINST-176130: Install .NET Core 6 with UEM Installer.
  • PPAT-14516: .NET Core version upgrade to 6 for Tunnel Microservice.
  • CRSVC-40044: Only save public key component of certificate to database.
  • CRSVC-39363: Memcached uses only one server.
  • CRSVC-38315: Create non-clustered index on certificate table based on observations on Kroger.
  • RUGG-12322: Add Show Search bar toggle in the Layout widget.
  • CRSVC-40108: [Certificate Installer] Private key was not exportable in manual flow.
  • AGGL-15443: Unable to create Android profile with a time schedule, whose UUID is NULL.
  • AAPP-16309: False APNS notifications during Purchased App Sync.
  • AGGL-15326: Remove EFOTA sample from microservices.
  • AGGL-13376: Event data is empty for the Remove Application Requested event.
  • SINST-176171: Fixed issues with DDUI profile screen.
  • Last Update: CW37

• Workspace ONE UEM 22.12
  • Patch Level 22.12.0.30
  • AMST-39540: Workaround for Microsoft issue, breaking SFD installation.
  • CRSVC-39277: Certificate password was null.
  • FCA-205774: AirWatchSSP was terminated with unhandled ProfileInstallationException.
  • INTEL-51755: Update current device enrollment user delta export to include delete operation.
  • AMST-39507: WNS disconnected for multiple Windows devices.
  • AAPP-16312: False APNS notifications during purchased app sync.
  • CRSVC-40110: Private key was not exportable in manual flow.
  • CMCM-190663: WS1 UEM console shows spaceman error when viewing security tab for most macOS devices.
  • AMST-39477: The default ‘Read Only’ Admin role to view the Baseline was not working.
  • AAPP-16315: Internal iOS app details display incorrect BundleID.
  • CMCM-190635: Managed content was not showing up on newly enrolled devices.
  • MACOS-4002: Unable to setup an admin account on a macOS device.
  • FCA-205680: Horizontal scroll missing for Organization Group picker.
  • RUGG-12326: Update the Linux pull service installer link within Settings > System > Enterprise Integration > Pull Service Installers.
  • Last Update: CW37

• Workspace ONE UEM 23.02
  • Patch Level 23.2.0.21
  • AAPP-16414: Home Screen Layout: Not all the apps are listed in the dropdown.
  • CMCM-190639: Uploading large file to external repositories fails.
  • ARES-26320: Device logs not uploaded to console.
  • ARES-26321: Incorrect version while creating copy of UEM profile.
  • AMST-39632: API ‘MDM/devices/security’ endpoint fails with 500 internal server error for some device
  • AMST-39613: Smart Group is not recognizing 32-bit devices from console v2212.
  • FCA-205976: Unable to send the Push Notifications/Email notifications using Bulk Management.
  • UM-8112: Increase ACC timeouts for directory service to 300 seconds.
  • AMST-39306: Arm x64 Agent is not getting installed on OOBE enrolled Windows devices.
  • CRSVC-39342: Unable to send custom commands.
  • RUGG-12432: Products are showing in progress after UEM upgrade.
  • RUGG-12327: Update the Linux Pull Service Installer Link within Settings > System > Enterprise Integration > Pull Service Installers.
  • UM-8318: Password spray against Workspace One UEM.
  • AAPP-16416: “East iOS GP and MobileConnect” profile is going to not installed state on many devices.
  • AGGL-15447: Unable to create Android profile with a Time Schedule whose UUID is NULL.
  • CRSVC-40111: [Certificate Installer] Private Key not exportable in Manual Flow.
  • CRSVC-39366: Memcached uses only one server
  • Last Update: CW37

Workspace ONE UEM 23.02

• Patch Level 23.6.0.2
  • CRSVC-40112: Certificate Installer- Private Key not exportable in Manual Flow.
  • AGGL-15331: Remove EFOTA sample from microservices.
  • INTEL-51757: Update current device enrollment user delta export to include delete operation.
  • FCA-205645: Reset password for locked admin account is not working.
  • ARES-26030: Profile Installation status is not loading for profiles deployed to the entire environment.
  • CMCM-190665: Workspace ONE UEM console shows spaceman error when viewing security tab for most macOS devices.
  • PPAT-14872: Switch from AirWatch to Third party under Client Auth is broken.
  • AAPP-16388: iOS Device Updates Notification messages are automatically truncated.
  • CRSVC-39344: Unable to send custom commands.
  • CMCM-190685: Errors during blob sync/check status to CDN
• Last Update: CW37