VMware Digital Workspace Newsletter - Week 11





Weekly highlight: 


Accelerated EOL of Legacy Workspace ONE experiences (Workspace ONE App and Web Portal EOL) on May 15, 2022 (87908)

  • We have announced and have been communicating the EOL of the legacy Workspace ONE experiences over the last few years. These legacy experiences include: 
    • Legacy Workspace ONE app on all platforms 
    • Legacy Workspace ONE Web Portal 
  • For several reasons listed below, we would like to accelerate the EOL of these legacy experiences to May 15, 2022.
  • Security first mindset - These experiences have been in End of Support Life period since Aug 11, 2021 and are in maintenance mode. This leaves room for new attacks and vulnerabilities to be discovered. 
  • Improved Experience is available - A lot of progress has been made with the Hub Experience (on all platforms) 
  • Low usage of legacy experiences - About 5% of all Customers are using these legacy experiences. 
  • Customers using Legacy Workspace ONE App 
    • Please take note of the following KB articles and take action to provide the improved Intelligent Hub experience to your end users
  • Additionally, we have built a feature that will block new enrollment/registration requests from the Workspace ONE App. If you would like to enable this for your tenant, please reach out to us via your Account team or through GSS.  
  • What will happen on May 15, 2022?  
    • The Workspace ONE App will be removed from the App store and the Play store.
    • After the VMware Workspace ONE app is removed from the stores, users with Apple/Google IDs who have previously downloaded AirWatch Container may still be able to re-download the latest available version (pending device compatibility). VMware Workspace ONE app will not be available to users with Apple/Google IDs who have not previously downloaded the application.
  • Customers who have the Workspace ONE apps deployed or utilizing the legacy Web Portal should begin planning the lateral migration to Workspace ONE Intelligent Hub and the new Hub Browser Experience. 
  • KB-Reference: https://kb.vmware.com/s/article/87908?lang=en_US






Workspace ONE Design Handbook - Free eBook


ENRL-3362 - Enrollment Blocked if the device that was Registered Earlier is now added to “Allow Device” (87921)

  • Device registration records already consumed by enrolling devices can later be updated to Allow/Deny records via UI or via batch import. When such a change is made, re-enrollment of the device is blocked even if an Allow record was created for it.
  • Affecting: Workspace ONE UEM 2105
  • Unenroll the device which is registered and add the record to "Allow Device" list and try enrolling the device. Enrollment gets blocked for those devices.
    This issue has no effect on fresh device enrollment; it only affects device re-enrollment.
  • Our product team has been notified and is working to address this issue in a timely manner. Please subscribe to this article to receive updates when they are available.
  • Before creating Allow/Deny records, check whether records for those attributes already exist. If they do, delete them before adding the Allow/Deny records.
  • KB-Reference: https://kb.vmware.com/s/article/87921?lang=en_US


VMware Horizon Cloud Service - Additional Service Details (87894)

  • Purpose: This KB aims to provide customers with additional service-related details as it pertains to the VMware Horizon Cloud Service. The details are available as a PDF document located in the attachment section of this KB Article.
  • KB-Reference: https://kb.vmware.com/s/article/87894?lang=en_US



Workspace ONE Hub Services will be updating its CloudFront domain name on June 15th 2022 (87938)

  • Today Hub Services CloudFront Distribution Network (CDN) is using the domain name created by CloudFront in the format <random hash>.cloudfront.net. This requires customers to add *.cloudfront.net to their allowlist rules which may open them up to content hosted on CloudFront outside of VMware products. To improve security and ensure that the domain name will only allow for content from Hub Services specific CDN, Hub Services will provide a different domain URL with its destination as the CDN domain. We will be updating the domain name to *.hub-services.vmwservices.com. An example of this is us2.cdn.hub-services.vmwservices.com
  • This change will affect end users using Hub clients which are connected to networks with traffic rules to only allow specific URLs. In these cases, the Hub client will be blocked from the loading of resources required for certain pages in the Hub app to function. Clients connecting to networks which aren’t using traffic allowlist or denylist rules targeting the aforementioned URLs will not be affected.
  • In preparation for this update and to allow Hub Services to continue to load content, please add *.hub-services.vmwservices.com to your allowlist by June 15th 2022. Customers should also continue to have *.cloudfront.net in their allowlist until then. Customers can remove *.cloudfront.net from their allowlist after June 15th 2022 if desired.
  • KB-Reference: https://kb.vmware.com/s/article/87938?lang=en_US
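
An added example (not VMware code) that audits an egress allowlist for the domain change described above and shows why the *.cloudfront.net wildcard is broader than the Hub Services one. The wildcard matching semantics, the function names and the host d111111abcdef8.cloudfront.net are assumptions or constructed values; check how your proxy or firewall interprets wildcard rules.

```python
from datetime import date

CUTOVER = date(2022, 6, 15)                       # date given in the KB summary
NEW_RULE = "*.hub-services.vmwservices.com"       # new rule named in the KB summary
OLD_RULE = "*.cloudfront.net"                     # old rule named in the KB summary
HUB_HOST = "us2.cdn.hub-services.vmwservices.com" # example host from the KB summary
OTHER_TENANT = "d111111abcdef8.cloudfront.net"    # constructed: unrelated CloudFront host


def rule_matches(rule, host):
    """Assumed semantics: '*.example.com' matches any subdomain but not the apex."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        suffix = rule[1:]                         # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule


def allowed(rules, host):
    return any(rule_matches(r, host) for r in rules)


def audit(rules, today):
    """Return findings for the Hub Services CDN change on the given date."""
    findings = []
    if not allowed(rules, HUB_HOST):
        findings.append(f"MISSING: add {NEW_RULE} by {CUTOVER.isoformat()}")
    # Until the cutover the CDN is still served from <random hash>.cloudfront.net.
    if today < CUTOVER and OLD_RULE not in [r.lower() for r in rules]:
        findings.append(f"KEEP: {OLD_RULE} is required until {CUTOVER.isoformat()}")
    # After the cutover the broad wildcard only widens what clients may reach.
    if today > CUTOVER and allowed(rules, OTHER_TENANT):
        findings.append(f"BROAD: rules still admit {OTHER_TENANT}; remove {OLD_RULE}")
    return findings


if __name__ == "__main__":
    for day in (date(2022, 3, 18), date(2022, 7, 1)):
        for rules in ([OLD_RULE], [OLD_RULE, NEW_RULE], [NEW_RULE]):
            print(day, rules, audit(rules, day))
```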


CRSVC-26588 - Unable to configure the Azure Conditional Access in Workspace ONE UEM (87882)

  • You may encounter the following error when saving Microsoft Conditional Access configuration in Workspace ONE UEM for the first time after 12th December 2021.

    “Save failed: An error has occurred. This error has automatically been saved for further analysis. Please contact technical support”
  • Workspace ONE UEM 20.07
  • When setting up the integration in Workspace ONE UEM, the system performs authentication against Workspace ONE Intelligence. Due to an invalid authorization token, the integration fails. VMware engineering identified an issue where an incorrect parameter was being used to issue this token.
  • If the integration has been set up before 12th December 2021, your environment is not impacted. If you are setting up the integration after 12th December 2021, you may see the above error, and will not be able to complete the integration.
  • Our Product team has been notified and is working to address this issue in an upcoming release of Workspace ONE UEM. Additionally, the issue is addressed in patches for existing versions of Workspace ONE UEM as noted in the KB.
  • KB-Reference: https://kb.vmware.com/s/article/87882?lang=en_US


AGGL-10936: Workspace ONE UEM Clear Device Passcode commands on Android Devices are not working (87786)

  • When an administrator attempts to clear the device passcode for an Android device, the command is not delivered properly due to an unhandled exception.
  • This impacts commands sent through the Workspace ONE UEM Console interface and any external systems using the Workspace ONE UEM REST APIs.
  • Workspace ONE UEM Console version 2105 or above
  • The Workspace ONE product team is actively working on a resolution for this issue.
  • Please follow: https://kb.vmware.com/s/article/87786?lang=en_US


Reduce security risks by closing applications launched during Workspace ONE Assist - Remote Shell session (87838)

  • With Workspace ONE Assist's Remote Shell client tool, you can remote into the PowerShell interface of connected Windows and macOS devices, enabling you to make detailed and precise configurations in a command-line environment. This functionality requires Remote Shell permission to be part of your assigned administrator role within Workspace ONE UEM.
    On the Windows platform, when a support admin connects to the Remote Shell tool, the remote tool and all processes invoked by it execute under the LOCAL_SYSTEM context. This enables the support admin to perform actions as a privileged user and execute commands that a local logged-in user might not have permissions to perform. Any UI application that might be launched during the remote shell session will be launched with System privileges as well. This could pose potential security concerns if UI applications opened during the remote shell session are left unclosed at the end of the session. The employee or end user of the remote device might be able to use the application to perform other actions with elevated permissions.
  • Our team is actively working to resolve this issue in the upcoming releases.
  • Workaround:
    As a workaround, it is highly recommended that any UI application launched from the remote shell tool during an Assist session is closed, and its corresponding processes killed, before ending the remote session. This ensures that the employee or user of the remote device is unable to perform any action with elevated permissions on applications left open after the remote session.
    For enhanced security, the remote shell tool can also be disabled within the UEM administrator roles. For more information, see Role-Based Access to Workspace ONE Assist.
  • KB-Reference: https://kb.vmware.com/s/article/87838?lang=en_US


HW-139378: Support Extension for VMware Identity Manager Connector (Windows) (83996)

  • VMware customers using Horizon Cloud Service on IBM Cloud or Horizon Cloud Service on Microsoft Azure with Single-Pod Broker Virtual App integrations with Workspace ONE Access are expected to be using either Identity Manager Connector 19.03 or Identity Manager Connector https://lifecycle.vmware.com covers the Lifecycle of Identity Manager Connector 19.03. This KB is to notify customers that the VMware Identity Manager Connector (Windows) will receive extended support until August 31, 2022.
  • VMware Identity Manager Connector (Windows) is compatible with Workspace ONE Access SaaS and Workspace ONE Access OnPremises 20.10 and later.
  • KB-Reference: https://kb.vmware.com/s/article/83996?lang=en_US


Workspace ONE Intelligent Hub Windows Post-Enrollment Onboarding screen popping up on already enrolled devices (87779)

  • On upgrading UEM to 21.09 or higher, already enrolled Windows devices will see Post-Enrollment Onboarding screen pop up, if the Hub was never launched on these devices previously.
  • Post-Enrollment Onboarding feature was enabled by default in UEM 21.09. This resulted in Post-Enrollment Onboarding screen popping up on already enrolled devices that were upgraded to 21.09 or higher, if the Hub was never launched on these devices previously.
  • This behavior will be improved in a future release of UEM so that the Post-Enrollment Onboarding screen would pop up only on devices that freshly enroll to UEM 21.09 or higher. In the interim, if needed, Post-Enrollment onboarding can be disabled as described here.
  • KB-Reference: https://kb.vmware.com/s/article/87779?lang=en_US


AHA SDKI-I-19: Workspace ONE SDK application workflow for SDK profile and configurations during the launch of the application. (87941)

  • The trigger to install an SDK profile associated with the Workspace ONE SDK application is done at the first launch of the application. If the SDK profile is not retrieved by the SDK app, the SDK app will show an error and will not open its UI until the SDK profile is retrieved and applied.
  • This KB details the SDK application workflow during the launch of the application and highlights the dependencies and checks performed with the UEM server to authenticate the application before the SDK profile configuration is sent to the device.
  • More details in: https://kb.vmware.com/s/article/87941?lang=en_US


VMware Workspace ONE UEM Comparison operators in Windows Application Management (87777)

  • UEM Application Management for Windows supports the Equals, Not equal to, Greater than or equal to, Greater than, Less than or equal to and Less than comparison operators for
    • Version comparison under File Exists, Registry Exists and App Exists
    • Registry value data string comparison under Registry Exists
  • This is applicable to both Data Contingencies (under When To Install) and When To Call Install Complete (commonly referred to as detection criteria).
  • Before the 2107 version of UEM, Windows Application Management only supported the Greater than, Less than and Equals comparison operators. However, in the background, Greater than (>) was functioning as Greater than or equal to (>=) and Less than (<) as Less than or equal to (<=).
  • In the UEM 2107 release, support for the additional comparison operators Greater than or equal to, Less than or equal to and Not equal to was added. This warranted a change in behavior: the Greater than (>) comparison operator now functions correctly as Greater than (>) and not as Greater than or equal to (>=). The same applies to Less than and Less than or equal to.
  • For apps that were already uploaded in UEM prior to the 2107 upgrade, if Greater than (>) was used with the intention of achieving Greater than or equal to (>=), then the detection criteria or the data contingency for such apps needs to be updated to Greater than or equal to (>=) to achieve the expected behavior.
    Similarly, if Less than (<) was used with the intention of achieving Less than or equal to (<=), then it needs to be updated to Less than or equal to (<=).
  • KB-Reference: https://kb.vmware.com/s/article/87777?lang=en_US
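
An added example (not UEM code) that models the operator change described above and lists which version criteria uploaded before 2107 change outcome after the upgrade. The criteria records, app names, dotted-numeric version format and zero-padding of shorter versions are assumptions made for illustration.

```python
import operator

OPS = {
    "Equals": operator.eq, "Not equal to": operator.ne,
    "Greater than": operator.gt, "Greater than or equal to": operator.ge,
    "Less than": operator.lt, "Less than or equal to": operator.le,
}
# Pre-2107 behaviour described in the KB: > acted as >= and < acted as <=.
LEGACY_ALIAS = {"Greater than": "Greater than or equal to",
                "Less than": "Less than or equal to"}

# Constructed sample: criteria uploaded before 2107 plus the version on a device.
SAMPLE_CRITERIA = [
    {"app": "AgentA", "operator": "Greater than", "threshold": "5.0.0", "installed": "5.0.0"},
    {"app": "AgentB", "operator": "Less than", "threshold": "2.1", "installed": "2.0.9"},
    {"app": "AgentC", "operator": "Equals", "threshold": "1.4.0", "installed": "1.4"},
]


def parse_version(text):
    """Dotted numeric version to a tuple of ints (assumed format)."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(op_name, installed, threshold, pre_2107=False):
    """Evaluate one version criterion under pre-2107 or 2107+ semantics."""
    if pre_2107:
        op_name = LEGACY_ALIAS.get(op_name, op_name)
    a, b = parse_version(installed), parse_version(threshold)
    width = max(len(a), len(b))          # assumption: 1.4 and 1.4.0 are equal
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return OPS[op_name](a, b)


def needs_review(criteria):
    """Apps whose criterion uses an operator whose meaning changed in 2107."""
    return [c["app"] for c in criteria if c["operator"] in LEGACY_ALIAS]


def outcome_changed(criteria):
    """Apps whose criterion evaluates differently on the sample device after 2107."""
    return [c["app"] for c in criteria
            if compare(c["operator"], c["installed"], c["threshold"], pre_2107=True)
            != compare(c["operator"], c["installed"], c["threshold"])]


if __name__ == "__main__":
    print("review:", needs_review(SAMPLE_CRITERIA))
    print("changed on this device:", outcome_changed(SAMPLE_CRITERIA))
```

Only criteria where the installed version equals the threshold change outcome, which is why an inventory of every affected operator is the safer migration input than spot checks on individual devices.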


Highlighting High Priority KBs


Recently updated KBs


Digital Workspace Techzone, VMware EUC Blog and YouTube Updates


3rd Party Blog and Industry News




Patch & Seed Script Updates Week11-2022

  • OS Updates Seed Script 

  • Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console

  • Workspace ONE UEM 20.08
  • Workspace ONE UEM 20.11
  • Workspace ONE UEM 21.02
  • Workspace ONE UEM 21.05
    • Patch Level:
    • FCA-201546: Console login failing for directory admin account with error "Invalid credentials" in CN135 environment
    • FCA-201418: Unable to delete IOS device record for OG with APNS not configured
    • CRSVC-26918: Remove the index IX_DeviceExtendedProperties_RowVersion
    • CRSVC-26674: Optimization of the sp CoreAndDefaultAttributes_Update
    • CRSVC-26362: Implement PasswordMigration scheduler Job
    • AMST-35269: The Kiosk profile takes a longer time to install on the devices and sometimes days even though the device is checking in.
    • AMST-35262: Newly enrolled Windows 10 devices install x86 version of AppDeploymentAgent
    • AMST-35247: Delay in processing windows install/removal commands for apps & profiles
    • Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html#-21-5-0-44-patch-resolved-issues--resolved
    • Last Update: CW09

  • Workspace ONE UEM 21.09

  • Workspace ONE UEM 21.11
    • Patch Level:
    • FCA-201655: Console login failing for directory admin account with error "Invalid credentials" in CN135 environment.
    • FS-800: Update Workflow Re-Evaluate to 4 hrs as default in system code.
    • CRSVC-27664: Dataplatform service consumes messages from sensor queue on alternate instances
    • CRSVC-27631: Delete dead records from Device State that are deleted from canonical
    • AMST-35482: Unable to find "Allow Enhanced PIN at Startup" in Windows Encryption profile.
    • AGGL-11472: Model of Android devices are missing on the console and displayed as "Android" instead
    • AAPP-13556: VPP Book Syncs as Unknown Application
    • Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2111/rn/vmware-workspace-one-uem-2111-release-notes/index.html#resolved-issues-2111014-patch-resolved-issues
    • Last Update: CW11