Weekly highlight: Announcing General Availability of VMware Workspace ONE UEM Console 2203 - VMware Workspace ONE UEM Console 2203 is available to Shared SaaS customers as of April 7, 2022! Rollouts to Shared SaaS environments will begin next week.
- What's New?
- Console
Introducing a new notification banner for smart group OG restrictions.
The notification banner will keep you informed of any changes to smart group OG restrictions. When you navigate to Assignment Groups>List View, you are now greeted with the following notification: Creation of Smart Groups above Customer OGs will not be allowed in future releases. - Android
Want to reset the work passcode while the Work Profile is locked in direct boot? We can assist you.
When a Work Profile is locked in direct boot, the Work Profile lock screen now prompts the user with the Forgot my Password button for Android 11 devices with a separate device and work profile password. For more information, see Android Device Management with Workspace ONE UEM. - Apple
Get notified when your Apple Business Manager tokens are about to expire.
Admins in Workspace ONE UEM can now be notified by email or directly in the console 30 days before the expiration of an Apple Business Manager (ABM) app token or device token. Device tokens will also be able to notify admins when errors occur, such as the acceptance of new ABM Terms of Use. For more information, see Configure Console Notifications. - Windows
Track and report app installation status on Windows devices with accuracy.
Workspace ONE UEM console now allows you to see the accurate installation status of applications on Windows devices. This enhancement aids in determining whether the user uninstalls the application manually. It also improves the user experience by displaying an accurate list of installed apps on the user's devices. - macOS
We’ve added support for macOS Recovery Lock
Starting from macOS 11.5, as an MDM administrator, you can set a password that must be entered before a user can restart an Apple Silicon macOS device into the recovery OS via API. The password can be set or removed only by the MDM solution. You can also view the recovery lock status in Event Logs. To know more, see Recovery Lock Status. - Rugged
Product delivery to devices in a SaaS environment just got easier!
To optimise performance and free up significant resources in UEM, use CDN to deliver products to devices. By default, we have set the provisioning setting for the organisation group that hosts devices to Enabled. You can check the Product Downloads Through CDN setting by navigating to Groups & Settings > All Settings > Admin > Product Provisioning.
VMworld is now VMware Explore - VMware is a company that thrives on profound reinvention. With a hyper-focus on customer innovation, we’re defining a new market category—with apps and multi-cloud at the center of everything we do. This transformation communicates that we are a strategic leader in multi-cloud, shaping its future, from public to private to edge. To help effectively express that, we need to revolutionize the VMworld experience as the center of the multi-cloud universe—VMware Explore.
- With a focus on solving the problems faced in this multi-workload, multi-cloud, and multi-workspace IT environment, VMware Explore will show you how to build and operate your cloud native platform, accelerate your cloud transformation, and secure your hybrid workforce.
- VMware Explore will remain familiar to previous attendees in many ways-but will offer numerous new opportunities for discovery. There will also be more non-VMware-led content and speakers—fresh, distinct voices and points of view—gathered in one place like never before. You’ll hear from community leaders, developers, executives, VMware customers, and VMware partners in keynotes, breakout sessions, small group sessions, gamified sessions, hands-on labs and more.
- Find out more: https://www.vmware.com/explore.html
VMSA-2022-0011: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. - Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
- Description
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. - Known Attack Vectors
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. - Resolution
To remediate CVE-2022-22954, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. - Master KB: https://kb.vmware.com/s/article/88130?lang=en_US
- Please review https://www.vmware.com/security/advisories/VMSA-2022-0011.html for more details.
- Additional information in: https://kb.vmware.com/s/article/88098?lang=en_US
VMSA-2022-0012 - VMware Horizon Client for Linux update addresses multiple vulnerabilities (CVE-2022-22962, CVE-2022-22964) - Multiple vulnerabilities in VMware Horizon Client for Linux were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
- Description
VMware Horizon Client for Linux contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3. - Known Attack Vectors
A low-privileged malicious actor with local access to Horizon Client for Linux may be able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file. - Resolution
To remediate CVE-2022-22962 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below. - Additional Information: https://www.vmware.com/security/advisories/VMSA-2022-0012.html
'Directory.ReadWrite.All' permission removed from AirWatch By VMware app on Azure portal (86061) - The following permissions have been assigned to the "AirWatch By VMware" app in the Azure portal. The below permissions are required to support different feature integrations between Workspace ONE UEM and Azure/Intune.
-
- The following features that need the AirWatch By VMware app to be added to the Azure portal:
- Windows enrollment
. Out of the Box Enrollment a. Work and School Account Enrollment - Intune App Protection Policies
- Microsoft Conditional Access for Windows use cases
- "Directory.ReadWrite.All - Read and write directory data" has been identified as the highest privileged permission and is not required for these integrations. As of 7th April 2022, we are removing this permission for Microsoft Graph and Windows Azure Active Directory.
- We have identified no customer impact as of this moment. Please contact support if any of your integrations with VMware Workspace ONE UEM and Azure/Intune are impacted.
- Find more information in KB https://kb.vmware.com/s/article/86061?lang=en_US
IBRW-174186: Fix Cut/Copy/Paste functionality for O365 web Applications opened in WS1 WEB (88110) - Customers running web versions of Microsoft O365 applications like Excel and Word in Workspace ONE iOS Web App cannot perform Cut/Copy/Paste functionality. The issue is seen on iPad with an on-screen soft touch keyboard and also with the physical keyboard attached to the iPad using the copy/paste shortcut keys (Ctrl C/Ctrl V, Cmd C/Cmd V).
- In VMware Workspace ONE Apps SDK does swizzling for clipboard methods which uses SDK clipboard object (AWClipboardEnabled), this is how we control enterprise clipboard within Workspace ONE apps.
- For the Microsoft Excel web application opened in Workspace ONE iOS Web, SDK is able to read the copied text. But while pasting the copied content, all the data belonging to a cell is part of dynamic JavaScript and the SDK clipboard cannot paste this content.
- For the resolution, please check: https://kb.vmware.com/s/article/88110?lang=en_US
Unable to view/select datastore when creating Desktop Pool (88151) - In environments with many datastores (100+), the Desktop Pool creation wizard may not display all available datastores for selection.
- This article provides troubleshooting steps to enable you to view and select the desired datastore(s).
- Workaround:
Announcing End of Life for Hub Services IBM Watson Chatbot (87895) - On April 28th, the Virtual Assistance feature in Hub Services for integrating with the IBM Watson chatbot will be discontinued.
- Once the End of Life date has been reached, the following will happen:
- The Virtual Assistance page in the Hub Services admin console will be removed (and any configurations will be deleted
Week 14 Software Releases
Announcing General Availability of VMware Workspace ONE UEM Console 2203 - VMware Workspace ONE UEM Console 2203 is available to Shared SaaS customers as of April 7, 2022! Rollouts to Shared SaaS environments will begin next week.
- What's New?
- Console
Introducing a new notification banner for smart group OG restrictions.
The notification banner will keep you informed of any changes to smart group OG restrictions. When you navigate to Assignment Groups>List View, you are now greeted with the following notification: Creation of Smart Groups above Customer OGs will not be allowed in future releases. - Android
Want to reset the work passcode while the Work Profile is locked in direct boot? We can assist you.
When a Work Profile is locked in direct boot, the Work Profile lock screen now prompts the user with the Forgot my Password button for Android 11 devices with a separate device and work profile password. For more information, see Android Device Management with Workspace ONE UEM. - Apple
Get notified when your Apple Business Manager tokens are about to expire.
Admins in Workspace ONE UEM can now be notified by email or directly in the console 30 days before the expiration of an Apple Business Manager (ABM) app token or device token. Device tokens will also be able to notify admins when errors occur, such as the acceptance of new ABM Terms of Use. For more information, see Configure Console Notifications. - Windows
Track and report app installation status on Windows devices with accuracy.
Workspace ONE UEM console now allows you to see the accurate installation status of applications on Windows devices. This enhancement aids in determining whether the user uninstalls the application manually. It also improves the user experience by displaying an accurate list of installed apps on the user's devices. - macOS
We’ve added support for macOS Recovery Lock
Starting from macOS 11.5, as an MDM administrator, you can set a password that must be entered before a user can restart an Apple Silicon macOS device into the recovery OS via API. The password can be set or removed only by the MDM solution. You can also view the recovery lock status in Event Logs. To know more, see Recovery Lock Status. - Rugged
Product delivery to devices in a SaaS environment just got easier!
To optimise performance and free up significant resources in UEM, use CDN to deliver products to devices. By default, we have set the provisioning setting for the organisation group that hosts devices to Enabled. You can check the Product Downloads Through CDN setting by navigating to Groups & Settings > All Settings > Admin > Product Provisioning.
- Full Release Notes: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2203/rn/vmware-workspace-one-uem-powered-by-airwatch-2203-release-notes/index.html
VMworld is now VMware Explore - VMware is a company that thrives on profound reinvention. With a hyper-focus on customer innovation, we’re defining a new market category—with apps and multi-cloud at the center of everything we do. This transformation communicates that we are a strategic leader in multi-cloud, shaping its future, from public to private to edge. To help effectively express that, we need to revolutionize the VMworld experience as the center of the multi-cloud universe—VMware Explore.
- With a focus on solving the problems faced in this multi-workload, multi-cloud, and multi-workspace IT environment, VMware Explore will show you how to build and operate your cloud native platform, accelerate your cloud transformation, and secure your hybrid workforce.
- VMware Explore will remain familiar to previous attendees in many ways-but will offer numerous new opportunities for discovery. There will also be more non-VMware-led content and speakers—fresh, distinct voices and points of view—gathered in one place like never before. You’ll hear from community leaders, developers, executives, VMware customers, and VMware partners in keynotes, breakout sessions, small group sessions, gamified sessions, hands-on labs and more.
- Find out more: https://www.vmware.com/explore.html
VMSA-2022-0011: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. - Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
- Description
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. - Known Attack Vectors
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. - Resolution
To remediate CVE-2022-22954, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. - Master KB: https://kb.vmware.com/s/article/88130?lang=en_US
- Please review https://www.vmware.com/security/advisories/VMSA-2022-0011.html for more details.
- Additional information in: https://kb.vmware.com/s/article/88098?lang=en_US
VMSA-2022-0012 - VMware Horizon Client for Linux update addresses multiple vulnerabilities (CVE-2022-22962, CVE-2022-22964) - Multiple vulnerabilities in VMware Horizon Client for Linux were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
- Description
VMware Horizon Client for Linux contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3. - Known Attack Vectors
A low-privileged malicious actor with local access to Horizon Client for Linux may be able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file. - Resolution
To remediate CVE-2022-22962 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below. - Additional Information: https://www.vmware.com/security/advisories/VMSA-2022-0012.html
'Directory.ReadWrite.All' permission removed from AirWatch By VMware app on Azure portal (86061) - The following permissions have been assigned to the "AirWatch By VMware" app in the Azure portal. The below permissions are required to support different feature integrations between Workspace ONE UEM and Azure/Intune.
-
- The following features that need the AirWatch By VMware app to be added to the Azure portal:
- Windows enrollment
. Out of the Box Enrollment a. Work and School Account Enrollment - Intune App Protection Policies
- Microsoft Conditional Access for Windows use cases
- "Directory.ReadWrite.All - Read and write directory data" has been identified as the highest privileged permission and is not required for these integrations. As of 7th April 2022, we are removing this permission for Microsoft Graph and Windows Azure Active Directory.
- We have identified no customer impact as of this moment. Please contact support if any of your integrations with VMware Workspace ONE UEM and Azure/Intune are impacted.
- Find more information in KB https://kb.vmware.com/s/article/86061?lang=en_US
IBRW-174186: Fix Cut/Copy/Paste functionality for O365 web Applications opened in WS1 WEB (88110) - Customers running web versions of Microsoft O365 applications like Excel and Word in Workspace ONE iOS Web App cannot perform Cut/Copy/Paste functionality. The issue is seen on iPad with an on-screen soft touch keyboard and also with the physical keyboard attached to the iPad using the copy/paste shortcut keys (Ctrl C/Ctrl V, Cmd C/Cmd V).
- In VMware Workspace ONE Apps SDK does swizzling for clipboard methods which uses SDK clipboard object (AWClipboardEnabled), this is how we control enterprise clipboard within Workspace ONE apps.
- For the Microsoft Excel web application opened in Workspace ONE iOS Web, SDK is able to read the copied text. But while pasting the copied content, all the data belonging to a cell is part of dynamic JavaScript and the SDK clipboard cannot paste this content.
- For the resolution, please check: https://kb.vmware.com/s/article/88110?lang=en_US
Unable to view/select datastore when creating Desktop Pool (88151) - In environments with many datastores (100+), the Desktop Pool creation wizard may not display all available datastores for selection.
- This article provides troubleshooting steps to enable you to view and select the desired datastore(s).
- Workaround:
Announcing End of Life for Hub Services IBM Watson Chatbot (87895) - On April 28th, the Virtual Assistance feature in Hub Services for integrating with the IBM Watson chatbot will be discontinued.
- Once the End of Life date has been reached, the following will happen:
- The Virtual Assistance page in the Hub Services admin console will be removed (and any configurations will be deleted)
- The chatbot option will no longer appear for end users in the Intelligent Hub app across all platforms.
- KB-Reference: https://kb.vmware.com/s/article/87895?lang=en_US
Best Practices for Global Entitlements with VM Hosted Applications running on Desktop Pools (87939) - You can create a windows 10 pool to expressly host applications, The business case for this type of configuration is to allow a transition period for legacy applications that cannot be hosted on a RDSH server. More use cases are outlined here within Documentation .
- This is a distinct feature from multi-session support with windows 10.
- Multi-session capabilities are not used by this feature.
- General Best Practices are outlined here in TechZone:
- More info at: https://kb.vmware.com/s/article/87939?lang=en_US
Highlighting High Priority KBs - Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971)
To align with Google’s strategy and ensure VMware’s investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console). - [Action Required] Android Intelligent Hub 9.0.0.391 Cannot Check In (86083)
VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 9.0.0.391 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub. - VMware Tunnel Proxy End of Support Life Announcement (87345)
VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023. - VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022). - [Resolved] CRSVC-25521 - Workspace ONE UEM - Guidance for addressing CVE-2021-22054 (87167)
The Workspace ONE team has investigated CVE-2021-22054 and has determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article. This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0029 can be deployed.
Recently updated KBs Digital Workspace Techzone, Blog and YouTube Updates 3rd Party Blogs and Industry News Beta, Lab and Tech Preview Updates - WS1 Intelligent Hub 22.03 for Android
- Samsung Fully Managed and COPE devices will now more strongly enforce users to meet password requirements.
- Android Experience
- Hub Template changes will update upon App Relaunch
- Support custom error messages with Experience Workflows notification card actions in For You tab
- WS1 Content 22.04 for iOS
- PDF Edit
Advanced pdf editing capabilities like organising pages, moving, rotating and removing pages. Also, support for splitting and merging the pdfs. - 7zip support
Ability to extract 7zip file, and save the contents of the archive. - Updated Navigation carousel experience for pdf
Improved the experience of navigation carousel for pdf so that it can be fixed and allows seamless working with iOS home bar. - Updated Open In experience
improved the experience of opening file from Content app to other applications by removing additional screen before native open in screen. - Bug Fixes
- WS1 Content 22.04 for Android
- Digital Signing
Content app allows users to digitally sign the documents using PIV-D based derived credentials. - Pdf Edit
PDF edit feature allows user to split the pages of pdfs, also allows user users to merge various pdfs together. - Open-in option in file overflow menu for opening in third party apps
- Bug Fixes
April Software Releases Patch & Seed Script Updates Week14-2022 - Seed Script for latest Device Model Information
- Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console
- Patch Level: 21.9.0.29
- INTEL-37305: Intelligence - Recovery Key Escrowed value not matching UEM
- CMCM-189669: Pass custom AD Attributes to CG for CBA Auth
- AMST-35679: When editing the win32 application on console we get error “Identify Application By is a required field” even if we have the value-added
- AMST-35628: XXX is facing issue with enrolling VDIs hosted in Azure. The hub gets stuck in the page "Hang on while we load your workspace" when launched.
- AGGL-11577: Spaceman error while launching Android DDUI profiles
- AGGL-11551: Android Clear Device Passcode Passcode commands are not working
- AGGL-11524: Error while saving new/existing permission profile for android
- AGGL-11416: Launcher Administrative Passcode
- Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2109/rn/Workspace-ONE-UEM-2109-Release-Note.html#21-9-0-28-patch-resolved-issues-resolved
- Last Update: CW13
· across all platforms.
April Software Releases
Patch & Seed Script Updates Week14-2022 - Seed Script for latest Device Model Information
- Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console
- Patch Level: 21.9.0.29
- INTEL-37305: Intelligence - Recovery Key Escrowed value not matching UEM
- CMCM-189669: Pass custom AD Attributes to CG for CBA Auth
- AMST-35679: When editing the win32 application on console we get error “Identify Application By is a required field” even if we have the value-added
- AMST-35628: XXX is facing issue with enrolling VDIs hosted in Azure. The hub gets stuck in the page "Hang on while we load your workspace" when launched.
- AGGL-11577: Spaceman error while launching Android DDUI profiles
- AGGL-11551: Android Clear Device Passcode Passcode commands are not working
- AGGL-11524: Error while saving new/existing permission profile for android
- AGGL-11416: Launcher Administrative Passcode
- Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2109/rn/Workspace-ONE-UEM-2109-Release-Note.html#21-9-0-28-patch-resolved-issues-resolved
- Last Update: CW13
|
Comments
Post a Comment