VMware Digital Workspace Newsletter - Week 13

Week 13 - 2022

Weekly highlight:

Deprecation of Workspace ONE Boxer app passcode effective May 31st 2022 (87923)

  • Overview
    For end-users:
    If you are standalone enrolled (not enrolled through Workspace ONE Intelligent Hub, but your Workspace ONE credentials are entered directly into Boxer), Boxer will stop honoring the Boxer Passcode that is configured in Boxer’s application settings. The option for setting the passcode will be removed from Boxer settings.
    For administrators:
    Boxer will automatically enable AlwaysStartSDK (bool) and AppForceActivateSSO, without the option to disable them. Please make sure the passcode is enabled in the Workspace ONE SDK settings in Workspace ONE UEM. Failure to update these settings will result in users not being required to use a passcode in Boxer.
    Note: the AlwaysStartSDK (bool) KVP is only available in Workspace ONE Boxer for iOS.
    Please refer to: https://kb.vmware.com/s/article/80630
  • Impacted users
    • Customers who have AppForceActivateSSO ON but no SDK passcode/password set AND a Boxer passcode set
    • Customers who have AppForceActivateSSO OFF and no SDK passcode/password set AND a Boxer passcode set
    • Customers who have AppForceActivateSSO OFF and have a Boxer passcode set
  • Impact:
    • Boxer passcode settings will be ignored
    • Admins can find passcode settings in the UEM Console SDK settings
    • Admins will need to set passcode settings in the Workspace ONE SDK SSO password/passcode settings for their users to continue using a passcode/password on Boxer.

Week 13 Software Releases

Backend: UAG 2203

  • Added support for Horizon SAML authentication flows in the FIPS version of Unified Access Gateway. Earlier versions supported Horizon SAML authentication only for the standard version.
  • Improved protection to block URL path traversals for Horizon and Web Reverse Proxy based on proxy pattern definitions, and a new configuration setting to enable canonical proxy pattern matching.
  • The OPSWAT endpoint compliance feature now supports optional flag values to determine how the downloaded on-demand OPSWAT agent is run. This is supported by newer 2203 Windows Horizon Clients and allows control of whether downloaded code runs on the client in the context of the user or the system.
  • The CSRF feature for Horizon HTML Access introduced in Horizon 2006 did not support the combination of a pre-login message configured on Connection Server with multi-factor authentication configured on Unified Access Gateway. Unified Access Gateway 2203 now includes the CSRF protection requirements to support this combination.
  • Improved logging and communication of analysis data to Horizon brokers for cases where a Horizon Client is detected as idle, and for cases where misrouting of Horizon Client protocols occurs.
  • Improved audit logging when trusted certificates are added by the administrator, including comprehensive logging of the certificate details.
  • Unified Access Gateway syslog events can now be sent to an MQTT server using the MQTT IoT messaging protocol, in addition to the existing support for standard syslog protocols using UDP, TCP or TLS. The Syslog Admin UI has been improved to simplify configurations where multiple syslog and/or MQTT servers are used.
  • The UAG stats monitoring API now provides information on Unified Access Gateway uptime and version number.
  • Improved control over proxyPattern configuration for Horizon. This makes it possible to block Horizon Webclient reverse proxy forwarding to the Horizon broker if required. If the Horizon edge service proxyPattern is configured with an empty expression "()", then requests to the Horizon Webclient with /portal URLs will be blocked. This does not affect native Horizon Clients. By default, the proxyPattern for Horizon includes /portal to allow the use of the Horizon HTML Access Webclient.
  • The Update Interval in the Workspace ONE Intelligence Data settings is now pre-populated with the default value.
  • The console root login idle time auto-disconnect value is now configurable.
  • The Horizon Client HTTP 307 redirect feature now allows a TCP port number to be used in addition to the FQDN and IP address.
  • Added automatic disk space monitoring so that syslog events are automatically sent if disk usage is excessively high.
  • General improvements to the functionality for forwarding data to Workspace ONE Intelligence.
  • Added further validation checks of SSL server certificates presented to Unified Access Gateway. The new checks can be activated with the Extended Server Certificate Validation option in System Settings.
  • Enhanced certificate-based authentication for Content Gateway Repository to support all Active Directory (AD) entities. Earlier versions supported only UPN.
  • TLS_RSA ciphers have been removed by default on the Secure Email Gateway (SEG) service.
  • Updates to Photon OS package versions and Java component versions. These updates include openssl version updates to remediate a potential non-critical DoS attack vulnerability CVE-2022-0778.
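The proxyPattern and canonical proxy pattern matching items above both come down to one decision: whether a request path is forwarded to the Horizon broker. The Python model below is added here to illustrate that decision and is not UAG's own code; the matching semantics (percent-decode once, resolve dot segments, then require a full regex match) are an assumption, DEFAULT_HORIZON_PATTERN is assumed to mirror the documented default (the page only states that it includes /portal), and the request paths are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Assumed to mirror the documented UAG default Horizon proxyPattern; the page
# only states that the default includes /portal.
DEFAULT_HORIZON_PATTERN = r"(/|/view-client(.*)|/portal(.*)|/appblast(.*))"
# The empty expression from the release note: nothing matches, so /portal
# (HTML Access webclient) requests are not forwarded.
EMPTY_PATTERN = r"()"


def canonicalize(path: str) -> Optional[str]:
    """Reduce a request path to canonical form before allowlist matching.

    Percent-decodes once, drops empty and '.' segments and resolves '..'.
    Returns None when the path would climb above the root.
    """
    decoded = unquote(path)
    if not decoded.startswith("/"):
        return None
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
            continue
        segments.append(seg)
    canon = "/" + "/".join(segments)
    if decoded.endswith("/") and canon != "/":
        canon += "/"  # keep a trailing slash the client sent
    return canon


def is_forwarded(pattern: str, path: str, canonical: bool = True) -> bool:
    """Model of the edge-service decision: forward only if the (canonical)
    path fully matches the proxyPattern regex."""
    target = canonicalize(path) if canonical else path
    if target is None:
        return False
    return re.fullmatch(pattern, target) is not None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = ["/", "/portal/", "/admin/", "/portal/../admin/", "/portal/%2e%2e/admin"]
    for p in samples:
        print(f"{p:24} default/raw={is_forwarded(DEFAULT_HORIZON_PATTERN, p, False)!s:5} "
              f"default/canonical={is_forwarded(DEFAULT_HORIZON_PATTERN, p)!s:5} "
              f"empty()={is_forwarded(EMPTY_PATTERN, p)}")
```

Matching the raw path lets "/portal/../admin/" slip through the /portal alternative, while the canonical form "/admin/" is rejected; the "()" pattern forwards nothing, which is the blocking behaviour the release note describes.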

Release notes: https://docs.vmware.com/en/Unified-Access-Gateway/2203/rn/unified-access-gateway-2203-release-notes/index.html
Release date: 29.03.22

iOS: Boxer 22.03

Native share sheet

  • Native share sheets allow sending images, videos, links, files and text directly from any native iOS app to Boxer.
  • The feature displays the Boxer icon among the other sharing options every time the user taps the share icon for a particular piece of content.
  • When the Boxer sharing option is selected, the user is redirected to a Compose Email screen where the content they selected to share is already placed.
  • Introduces a new KVP, PolicyAllowNativeShare (bool), with default state False.
  • The feature has the following policy dependencies:
    • Control Open In (PolicyAllowOpenIn KVP): if no value is set for PolicyAllowNativeShare, the PolicyAllowOpenIn value is used as the guideline.
    • Forward/Add Attachments (PolicyAllowAttachments KVP): if the native share sheet is allowed but this policy is restricted, the user is informed that they are not allowed to share attachments when starting a share action for files and images.
    • Prevent Paste In (SDK): if the native share sheet is allowed but this policy is restricted, the user is informed that pasting into Boxer is disallowed and they cannot share text and links when starting a share action for text and links.
    • If both Forward/Add Attachments and Prevent Paste In (SDK) are restricted, native sharing is fully restricted too.

iOS Calendar Widget 

  • Pre-req: iOS 14 and above 
  • The widgets will present the upcoming events of the user 
  • They will be supported in three sizes – small, medium and large with variable information density 
  • The feature has automatic light and dark mode colors 
  • If enabled, users can view their events in a Workspace ONE Boxer Calendar widget, which they have added to their home screens.
  • To enable the feature in the case of a managed enrollment we need to add the following KVP in the console:
    PolicyAllowCalendarWidget (bool) true

Visual Scheduler Improvements

  • Change in date and time selection: the Visual Scheduler now uses the new date and time pickers introduced in iOS 15.
  • Monochromatic colors in the Visual Scheduler: this can be enabled by the user under Boxer - Settings - Calendar - More - VS monochromatic colors. When enabled, the event colors are overridden with monochromatic colors for better visualization of the available times.

KVP for Item Operations sync for IRM templates

  • Pre-req: managed account on an on-premises Exchange server
  • Pre-req: IRM enabled
  • Introduces a new KVP, PolicyRefetchRMSTemplateUsingItemOperations (Boolean). If set to True, Boxer will also store the IRM template from the Item Operations request. The KVP is on account level.
  • If the IRM template is missing from Boxer's sync request, Boxer will try to fetch it again using an Item Operations request. Until that request completes:
    • Boxer sets the email body to nil and triggers the Item Operations request.
    • By default Boxer applies all IRM restrictions (Reply, Reply All, Forward).

Screenshots blocking for iOS 

Release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Boxer-for-iOS.html
Release date: 30.03.22

iOS: Cards 22.03

  • Workspace ONE SDK upgrade to 22.02
  • Bug Fixes

Release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Cards-for-iOS.html
Release date: 29.03.22

iOS: Notebook 22.03

  • Workspace ONE SDK upgrade to 22.02

Release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Notebook-for-iOS.html
Release date: 29.03.22

Android: Boxer 22.03

  • Accessibility improvements
  • Deprecate support for Android 7
  • Bug Fixes

Release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Boxer-for-Android.html
Release date: 30.03.22 (staged)

macOS: Workspace ONE Intelligent Hub for macOS 22.03

  • Troubleshooting enhancements: on initiating log collection from Workspace ONE Hub, DEEM logs will be collected and uploaded to UEM as a separate attachment.
  • Additional Technical Improvements:
    • HUBM-5161: Update 3rd party libraries
    • HUBM-5084: Upload DEEM logs separately
  • Bug Fixes

Release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Intelligent-Hub-for-macOS.html
Release date: 24.03.22

Android: Cards 21.06.2

  • Bug fixes and improvements.

Release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Cards-for-Android.html
Release date: 31.03.22

AGGL-11564: Android EMM Registration link to Google Workspace (formerly G Suite) is broken (87983)

  • When registering Android EMM with Google, the link to open the Google Admin Console for Google Workspace (formerly G Suite) customers lands on a missing page.
  • Google has changed the link that should be used to reach the Google Workspace console where the management token is obtained.
  • The VMware product team is actively working on a resolution for this issue. Please subscribe to the KB article to receive further updates.
  • Workaround: navigate to your Google Workspace portal directly to get the token, or use the following link, which will replace the current one in a future version of the Workspace ONE UEM Console:

Web Enrollment for Windows Rugged Devices no longer supported (87461)

  • Devices running the Windows Mobile and Windows CE family of operating systems (collectively Windows Rugged) are running on extremely old technology. As of April 2021, Microsoft has officially ended extended support for all versions of these operating systems. The Workspace ONE team understands these devices are running mission critical applications for our customers and have continued to support them in the best manner possible for years. Portions of the technology outside of our control are becoming more difficult to support and maintain.
  • One of the features that we can no longer support as a result of some recent required upgrades to components of WS1 UEM is browser based enrollment into UEM, also referred to as web enrollment. The dated browser on these devices presents some critical incompatibilities that have become impossible to maintain. For example, the browser on these devices does not support upgraded standards for TLS. As a result, effective April 1, 2022 and with v2203 of Workspace ONE UEM, Windows Rugged devices can no longer be enrolled via the web based enrollment wizard. On April 1, 2022 Workspace ONE UEM environments hosted by VMware will be disabling TLS versions 1.0 & 1.1 as mentioned in the following KB article and communication provided to our customers.
  • This announcement and product change will not affect already enrolled devices or the ability to enroll devices by other means, including Device Staging. This change will also not impact on-premises installations of Workspace ONE UEM until they are upgraded to version 2203 or later or choose to upgrade TLS.
  • Enroll devices using Device Staging (within Product Provisioning) or utilizing the AirWatch Cab Creator.
  • KB-Reference: https://kb.vmware.com/s/article/87461?lang=en_US

In Horizon sessions (Blast, PCoIP) on Windows 11 (RDSH install, Single/Multi session), explorer.exe keeps crashing and restarting when Time zone redirection is enabled via GPO (88086)

  • When the policy “Allow time zone redirection” is enabled on the guest VM and a Horizon Client creates an RDSH session using Blast or PCoIP:
    1. The Explorer process crashes repeatedly. This can be verified with Task Manager.
    2. Visually, the user may notice that the guest desktop does not show the taskbar, or that the guest desktop display flickers.
  • The KB article provides a temporary workaround to stop the crash of explorer.exe.
  • This issue exists in Microsoft’s layer on Windows 11 (RDSH install, Single/Multi session) and cannot be fixed from the VMware side. We have informed Microsoft about this issue and are working with them.
  • Time zone redirection will stop working after applying the resolution, i.e. the client time will not be synced to the guest VM.
  • At this point we recommend turning off the GPO policy for time zone redirection:
    1. On the Active Directory server, open the Group Policy Management Console.
    2. Expand your domain and Group Policy Objects.
    3. Right-click the GPO that you created for the group policy settings and select Edit.
    4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
    5. Disable the setting Allow time zone redirection.
  • KB-Reference: https://kb.vmware.com/s/article/88086?lang=en_US

FCA-201658: "Report Subscription" Next Execution date & time cannot be calculated properly because of the difference between admin and local time zone (88011)

  • When an admin subscribes to reports with "WEEKLY" or "MONTHLY" recurrence from a non-local time zone, the execution dates differ according to the difference between the admin's time zone and the local time zone.
  • When an admin in a non-local time zone creates or modifies report subscriptions (WEEKLY and MONTHLY), the report is triggered based on the server time, and the Last and Next execution times are calculated based on the server time zone.
  • Our product team has been engaged and is actively working to resolve the issue.
  • The issue is fixed for the "WEEKLY" recurrence type but not for "MONTHLY", which means subscriptions are triggered according to the admin's time zone for every recurrence except MONTHLY.
    Our Product Team is still actively working on resolving the "MONTHLY" recurrence issue.
  • KB-Reference: https://kb.vmware.com/s/article/88011?lang=en_US

Horizon 2111 “Error during Provisioning Initial publish failed: Fault type is VC_FAULT_FATAL - An error occurred while communicating with the remote host.” or “provisioning successful but the provisioned machines go to an Error state" (87883)

  • Provisioning error for Instant Clone pools, shown on their respective summary page: “Error during Provisioning Initial publish failed: Fault type is VC_FAULT_FATAL - An error occurred while communicating with the remote host.”; or, in Horizon Console, “pool provisioning completed but the provisioned machines directly go to an Error state with error message status – Customization operation timed out.”
  • Provisioning and scheduled push-image failures caused by host communication issues were reported for Instant Clone pools created from snapshots configured with an NSX network; the workaround in the KB resolves the issue.
  • This happens because the NSX network selected during Instant Clone pool creation is not configured on all host transport nodes within the cluster that was also selected for the pool. It mainly occurs when the network is selected from the golden image snapshot.
  • Note: the workaround is only available in the KB article.
  • KB-Reference: https://kb.vmware.com/s/article/87883?lang=en_US

“Authentication method could not be configured” error when configuring RSA SecurID settings on UAG (88003)

  • When you attempt to configure RSA SecurID settings on UAG, you see the error:
    The authentication method could not be configured. The SecurID server did not accept the connection. Verify that you entered the correct values for the SecurID server hostname and communication port.
  • The authbroker.log on UAG shows:
    12/21 14:35:06,787[tomcat-http--41]ERROR utils.SecurIDRestClient: Connection refused by server: rsa-am2.example.int at port: 5555
  • This issue occurs because the Authentication API is not enabled in RSA AM Server.
  • By default, the Authentication API is not enabled.
    To resolve this issue, select the Enable Authentication API check box and click Apply Settings.
  • KB-Reference: https://kb.vmware.com/s/article/88003?lang=en_US

ENRL-2896: For an OG configured with Single-Factor, block Admin from accessing user enrollment details from the console (87960)

  • Version Identified:
    Workspace One UEM 2107
  • Symptoms:
    A functional change has been introduced in the console to mask the enrollment details of the user for an OG configured with Single-Factor authentication. Previously, an admin could access the enrollment details/access message sent to the user by navigating to the token's Message tab and clicking the Message link. By this means, an admin could enroll a device on behalf of any other AD user without a password, using Token authorization.
  • Since the token information in the message previews is removed, the admin can no longer access the user's message link which contains the enrollment details.
  • Workaround:
    • The admin cannot access the enrollment details but can send an email containing them to the end user. The email can be sent to the user's email address after the device registration record is created. The admin can also resend the token information using the "Resend Message" action in the UEM console.
    • Staging enrollment flows can be leveraged, where the end user checks out the device. Single User (Advanced) Staging can be used to enroll a device on behalf of another user.
  • KB-Reference: https://kb.vmware.com/s/article/87960?lang=en_US

Highlighting High Priority KBs

Recently updated KBs

Digital Workspace Techzone, Blog and YouTube Updates

Industry News and 3rd Party Blogs
March Software Releases

System | Component | Release | Announcement | Release Date
-------|-----------|---------|--------------|-------------
Backend | UAG | 2203 | https://docs.vmware.com/en/Unified-Access-Gateway/2203/rn/unified-access-gateway-2203-release-notes/index.html | 29.03.22
iOS | Hub | 22.02 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Intelligent-Hub-for-iOS.html | 10.03.22
iOS | Boxer | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Boxer-for-iOS.html | 30.03.22
iOS | Content | 22.02.1 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Content-for-iOS.html | 03.03.22
iOS | VM Tunnel | 22.01 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Tunnel-for-iOS.html | 02.03.22
iOS | Workspace ONE SDK SWIFT | 22.3 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-SDK-for-iOS--Swift-.html | 24.03.22
iOS | Notebook | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Notebook-for-iOS.html | 29.03.22
iOS | Cards | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Cards-for-iOS.html | 29.03.22
Android | Hub | 22.02 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Introducing-VMware-Workspace-ONE-Intelligent-Hub-for-Android.html | 10.03.22
Android | Boxer | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Boxer-for-Android.html | 30.03.22 (staged)
Android | Assist | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Assist-for-Android.html | 02.03.22
Android | PIV-D Manager | 22.01 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-PIV-D-Manager-for-Android.html | 07.03.22
Android | SDK | 22.2 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-SDK-for-Android.html | 02.03.22
Android | Cards | 21.06.2 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Cards-for-Android.html | 31.03.22
Windows | Assist | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Assist-for-Windows-10.html | 02.03.22
macOS | Workspace ONE Intelligent Hub for macOS | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Intelligent-Hub-for-macOS.html | 24.03.22
macOS | Assist | 22.03 | https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Assist-for-macOS.html | 02.03.22
Horizon | Horizon Cloud Service | 2203 | https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/rn/horizon-service-relnotes.html | 10.03.22
Horizon | Horizon 7 | 7.7.13.2 | https://docs.vmware.com/en/VMware-Horizon-7/7.13.2/rn/vmware-horizon-7-7132-release-notes/index.html | 11.03.22

Patch & Seed Script Updates Week13-2022

  • OS Updates Seed Script
  • Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console
  • Workspace ONE UEM 20.08
  • Workspace ONE UEM 20.11
  • Workspace ONE UEM 21.02
  • Workspace ONE UEM 21.05
  • Workspace ONE UEM 21.09
    • Patch Level: 21.9.0.29
    • INTEL-37305: Intelligence - Recovery Key Escrowed value not matching UEM
    • CMCM-189669: Pass custom AD Attributes to CG for CBA Auth
    • AMST-35679: When editing the win32 application on console we get error “Identify Application By is a required field” even if we have the value-added
    • AMST-35628: XXX is facing issue with enrolling VDIs hosted in Azure. The hub gets stuck in the page "Hang on while we load your workspace" when launched.
    • AGGL-11577: Spaceman error while launching Android DDUI profiles
    • AGGL-11551: Android Clear Device Passcode commands are not working
    • AGGL-11524: Error while saving new/existing permission profile for android
    • AGGL-11416: Launcher Administrative Passcode
    • Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2109/rn/Workspace-ONE-UEM-2109-Release-Note.html#21-9-0-28-patch-resolved-issues-resolved
    • Last Update: CW13
  • Workspace ONE UEM 21.11