Weekly highlight:
VMware Workspace ONE UEM Console 2203 is Generally Available as of April 29, 2022!
· Get notified when your Apple Business Manager tokens are about to expire.
Admins in Workspace ONE UEM can now be notified by email or directly in the console 30 days before the expiration of an Apple Business Manager (ABM) app token or device token. Device tokens will also be able to notify admins when errors occur, such as the acceptance of new ABM Terms of Use. For more information, see Configure Console Notifications.
· Override the default device reboot behavior for your Win32 apps during installation.
Workspace ONE UEM now provides you the flexibility to define the device reboot behavior not just at the app configuration level but also at the app assignment level. You can set the device restart options by activating the newly introduced Override Reboot Handling setting at the app assignment level. The restart options you configure at the assignment level override the options configured at the app configuration level. For more information, see Upload and Configure Win32 Files for Software Distribution and Add Assignments and Exclusions to your Applications.
· We’ve added support for macOS Recovery Lock
Starting from macOS 11.5, as an MDM administrator, you can set, via API, a password that must be entered before a user can restart an Apple Silicon macOS device into the recovery OS. The password can be set or removed only by the MDM solution. You can also view the recovery lock status in Event Logs. To know more, see Recovery Lock Status.
· Product delivery to devices in a SaaS environment just got easier!
To optimize performance and free up significant resources in UEM, use CDN to deliver products to devices. By default, we have set the provisioning setting for the organization group that hosts devices to Enabled. You can check the Product Downloads Through CDN setting by navigating to Groups & Settings > All Settings > Admin > Product Provisioning.
· KB: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2203/rn/vmware-workspace-one-uem-powered-by-airwatch-2203-release-notes/index.html
Download Link:
o 2203 - Full Installer
Workspace ONE Access Services updates include
Week 17 Software Releases
The automated DEP enrollment of Mac Studio into Workspace ONE MDM fails (88315)
The automated DEP enrollment of Mac Studio into Workspace ONE MDM fails.
You see an error similar to:
Enrolling with management server failed. Unexpected error (MDMResponseStatus:500)
This issue occurs because the Mac Studio devices represent a new Apple Device Model Family, and the normal device model seeding process cannot be used to enable support.
This is a known issue affecting automated DEP MDM enrollments involving Apple Mac Studio hardware. Currently, there is no user-based resolution.
VMware's Development team is working to add these designations to UEM, and will be addressing this in future releases.
To work around this issue, manually enroll the Apple Mac Studio hardware machine into Workspace ONE UEM.
More information: https://kb.vmware.com/s/article/88315?lang=en_US
[AAGNT-194517] Some Samsung COPE devices unexpectedly unenroll (88267)
Some Samsung devices enrolled in Corporate-Owned Personally Enabled (COPE) mode and running Android 11+ may unexpectedly unenroll from Workspace ONE UEM. When this occurs, a "Break MDM" event is seen in the UEM Console for the affected device.
This issue should be resolved in Android Intelligent Hub 22.03.0.14. If you continue to experience unexpected device un-enrollments, please contact Workspace ONE Support.
KB-Reference: https://kb.vmware.com/s/article/88267?lang=en_US
Email Notification Service 2 for on-premises v1.11 and older support notice (86338)
All customers of Email Notification Service 2 (ENS2) for on-premises v1.11 and older are advised to migrate to a more recent version before October 2022. Per VMware Workspace ONE UEM support release policy, on-premises releases are supported for 18 months after general availability.
Older versions of ENS2 on-premises distributions rely on the older VMware Workspace ONE Cloud Notification Service and should be upgraded at the earliest convenience to take advantage of the more robust notification framework afforded by VMware Workspace ONE Cloud Notification Service 2, available starting in ENS2 v21.04.
Customers using on-premises ENS2 have several upgrade options:
Customers preferring to stay with an on-premises ENS2 deployment can upgrade to the latest version of ENS2 on-premises.
Customers may also select to migrate to a SaaS-hosted version of ENS2 at no extra charge.
High security US Federal Government customers now have an option of SaaS-hosted ENS2 deployed in a FedRAMP High environment.
KB-Reference: https://kb.vmware.com/s/article/86338?lang=en_US
VMware RemoteHelp and CVE-2021-44228 (87188)
Workspace ONE Assist for Horizon and CVE-2021-44228 (87189)
Access Denied when authenticating via 3rd party IDP via SAML with HTML5 (83160)
To outline a scenario when logging in via Unified Access Gateway (UAG) with a 3rd party IDP.
Access Denied when attempting access over HTML5 with SAML based Authentication configured.
Access is granted when a thick client is used to connect.
A disclaimer is configured on the connection server.
With SAML, a disclaimer should be part of the 3rd party SAML IDP login and not on the Connection Server.
Note: if configured on the connection server, the disclaimer from the connection server will be cached on the UAG. Please see documentation on this connection server option.
When implementing SAML with a 3rd party IDP and an existing UAG, a restart of the UAG will make sure the disclaimer cache is cleared after migrating the disclaimer prompt from the broker to the IDP.
KB-Reference: https://kb.vmware.com/s/article/83160?lang=en_US
SNMP Configuration with Unified Access Gateway (83677)
Workspace ONE UEM SSRF CVE-2021-22054 Patch Alert
CRSVC-28928: How to replace the Workspace ONE UEM static master key (88323)
The purpose of this knowledge base article is to document the instructions to remove the static master key referred to in the VMware security blog post found here.
The patches listed in the KB will implement a new Scheduler job which can be used to replace the static master key with an instance-specific key and use it to re-encrypt information stored in Workspace ONE UEM.
Action Required:
Shared SaaS: None. This change is being deployed by VMware Cloud Operations with zero downtime.
Dedicated Latest: None. These changes are being deployed by VMware Cloud Operations with zero downtime. If you wish to have this change deployed to your environment at a specific date/time, please contact Workspace ONE Support.
Dedicated SaaS customers: If you wish to have this change deployed to your environment, please contact Workspace ONE Support and specify a date/time. This is a zero-downtime change.
On-Premise customers: Please refer to the Resolution section for steps to deploy this change to your environment.
Additional instructions in KB.
KB-Reference: https://kb.vmware.com/s/article/88323?lang=en_US
Accelerated EOL of Legacy Workspace ONE Experiences (Workspace ONE App and Web Portal EOL) on May 15, 2022
For several reasons listed in https://kb.vmware.com/s/article/87908, we are accelerating the EOL of these legacy experiences to May 15, 2022, which includes removing the Workspace ONE app from the App Store and Play Store. Customers who have the Workspace ONE Apps deployed should migrate immediately to the Workspace ONE Intelligent Hub app.
When the Workspace ONE app is EOL, new user enrollments for the Workspace ONE app will be blocked. Additionally, all login attempts to the Workspace ONE app will be detected and might be blocked as part of access policy rules with the Device Enrollment device type.
Workspace ONE Access Services updates include
Hub Services Notification Admin Console UX Improvements
Highlighting High Priority KBs
Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971)
To align with Google’s strategy and ensure VMware’s investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console).
[Action Required] Android Intelligent Hub 9.0.0.391 Cannot Check In (86083)
VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 9.0.0.391 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub.
VMware Tunnel Proxy End of Support Life Announcement (87345)
VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now, after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (later in 2022).
[Resolved] CRSVC-25521 - Workspace ONE UEM - Guidance for addressing CVE-2021-22054 (87167)
The Workspace ONE team has investigated CVE-2021-22054 and has determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article. This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0029 can be deployed.
Recently updated KBs
Digital Workspace Techzone, Blog and YouTube Updates
Beta, Lab and Tech Preview Updates
Workspace ONE Tunnel 3.0 for Windows Beta
Workspace ONE Tunnel 22.05 for macOS Beta
Horizon Clients 2206 Beta Release
WS1 Intelligent Hub 22.04 for Android Beta
Apply Managed Configurations to Internal Applications
New Enterprise Wipe for Android 11+ COPE devices
Automated Device Wipe for Offline Devices
Workspace ONE Content 22.05 for iOS Beta
More version-specific information will be available upon the beta launch.
ISCL-181210 Revised tabbed view experience change for opened documents
ISCL-180968 Archive format experience improvements
Improved document Sync performance
Workspace ONE Content 22.05 for Android Beta
3rd Party Blogs & Industry Updates
April Software Releases
Patch & Seed Script Updates Week17-2022