VMware Digital Workspace Newsletter - Week 20

                 

Week 20 -  2022             Weekly highlight:   Workspace ONE Hub Services & Workspace ONE Access updates:   Removing the 3-Character Limit for People Search People Search (on Hub Web) will now allow searching with just one or two characters instead of the usual 3-character search. This enables support for searching names in logographic languages like Chinese, Japanese, etc.   Workflows Error Handling – Email Alerts upon failures Workspace ONE Experience Workflows error handling has been improved to send email alerts directly to Administrators when a scheduled process fails to run successfully for any reason. All integration packs will now have an additional configuration parameter to include an email address to receive these notifications.   Saviynt Access Request Integration Pack for Workspace ONE Experience Workflows Hub Services customers with Workspace ONE Experience Workflows enabled can configure an integration with Saviynt to notify approvers when a task is pending. Approvers will be able to view the request and take action on the task, such as Approve or Reject, from within the Workspace ONE Intelligent Hub app.   BMC Helix Change Request Integration Pack for Workspace ONE Experience Workflows (Beta) Hub Services customers with Workspace ONE Experience Workflows enabled can configure an integration with BMC Helix to notify approvers when a Change Request is pending. Approvers will be able to view the request and take action on the change request, such as Approve or Reject, from within the Workspace ONE Intelligent Hub app.     For more information, refer to this Release Notes      Workspace ONE Access Services: Authenticator App for Multi-Factor Authentication Authenticator App is a new authentication method available for multi-factor authentication (MFA) that is supported directly by Workspace ONE Access. This MFA is ideal for users with unmanaged devices and requires no collection of personal identifying information (PII). Users can leverage any authenticator app of their choice–such as Google Authenticator, Microsoft Authenticator, Okta Verify, Authy, 1Password–that follows the time-based one-time passcode (TOTP) as defined in RFC 6238 on their own device. TOTP client support will be available on the Intelligent Hub iOS and Android App later this year in Q3. Continue-on-Failure Authentication Policy In this release, a new access policy configuration is introduced to control the rule policy execution. You can now create an access policy with rules that let the user authentication progress to the next rule if the authentication fails on the present rule. In the Workspace ONE Access service, regular policy execution terminates when the conditions in the first matching rule are executed. The new rule progression option allows you to progress rule execution to the next matching rule in the policy if the authentication fails on the present rule. A common use of this configuration includes password less authentication policy and alternative authentication rules for different sets of users. Refreshed Custom Branding Page When you choose to use the new navigation and the re-designed look of the Workspace ONE Access console, you will see a refreshed Branding page under Settings > Branding. The setting to change Favicon is no longer available in the re-designed console. The settings to customize branding for the VMware Verify application is now available on the Branding page.  Removed Settings Due to the End-of-Support-Life for the Workspace ONE application Several configuration and branding settings have been removed from user interface in the Workspace ONE Access console because of the end-of-support-life for the Workspace ONE application. Please refer to the End of Support Life for the VMware Workspace ONE Application KB article (80208) for more information on the End of Support Life for the Workspace ONE Application. Connector Support for Horizon Cloud Service on Microsoft Azure with Single-Pod Broker (Cloud only) The 22.05 release of the Workspace ONE Access Connector will include support for integrating with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud. This will allow for the legacy connectors that are used for virtual apps to be migrated from version 19.03 or 19.03.0.1 to version 22.05 connector. Both directories and virtual apps collections must be migrated together during this one-time process. FIPS Mode Support for the Connector (Cloud only) The 22.05 Workspace ONE Access Connector will have an option to enable FIPS mode during installation. FIPS mode will set the connector to run with data and encryption that is secure at a level of compliance encouraged by the United States government. The algorithms used are FIPS 140-2 compliant algorithms. Workspace ONE Access Connectors with FIPS mode enabled will not support integrating with Citrix, Horizon, Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, or Horizon Cloud Service on IBM Cloud. A Workspace ONE Access Connector with FIPS mode enabled will support integrating virtual apps that are running in Horizon Cloud Service on Microsoft Azure with Universal Broker. Note: The FIPS mode option is not available when you upgrade to a 22.05 connector. The option to enable FIPS mode is supported only in new connector installations. If you enable FIPS mode in the connector, to disable FIPS mode, you must reinstall the connector.     For more information, refer to this Release Notes.           Life of a ServiceDesk Admin + Workshop Signup The VMware EUC Research Team wants to better understand the ins and outs of the life of an IT pro in the Support/ServiceDesk space, so we can anticipate your needs and provide solutions that make your job easier. In this survey, you'll get to tell us about your top Helpdesk requests, challenges, and what metrics are important to you. At the end, you'll also have the opportunity to sign up for a virtual Workshop with fellow IT pros in the upcoming weeks where you’ll get to help design! This can take up to 10 minutes of your time. TAKE SURVEY    HW-156875 - Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager) (88438) CVE-2022-22972, CVE-2022-22973 have been determined to impact Workspace ONE Access (VMware Identity Manager).  These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory - VMSA-2022-0014 , please review this document before continuing Affected Versions VMware Workspace ONE Access Appliance: 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 VMware Identity Manager Appliance: 3.3.6, 3.3.5, 3.3.4, 3.3.3 Resolution Install the patch relevant to your version of WS1 Access, from the table in the KB, to address the vulnerabilities noted in the document. More information: https://kb.vmware.com/s/article/88438 What you need to know: https://blogs.vmware.com/security/2022/05/vmsa-2022-0014-what-you-need-to-know.html VMSA Announcement: https://www.vmware.com/security/advisories/VMSA-2022-0014.html   Generate Installation Token in Certificate Signing Portal (88462) New Workspace ONE (WS1) customers with an on premise deployment (perpetual licenses) must generate an installation token within the certificate signing portal (found within the My Workspace ONE portal) as part of their initial Workspace ONE UEM install.This token allows them to manually install WS1 UEM on their server. To go into further detail, the certificate signing portal allows customers to sign a public SSL certificate from their vendor with VMware's unique security key to ensure secure communication between their organization's devices and Workspace ONE UEM during device enrollment. KB: https://kb.vmware.com/s/article/88462?lang=en_US&source=email   Workspace ONE Windows Health Attestation Unknown Status (88478) Our Windows Devices are reporting a status of "Unknown" for Health Attestation This article provides a workaround to resolve an OS based reporting issue. KB-Reference: https://kb.vmware.com/s/article/88478?lang=en_US&source=email   Apple Business Manager now supports Google Workspace Apple Business Manager organizations that use Google Workspace can now take advantage of directory sync and federated authentication. With directory sync, user records and Managed Apple IDs are created automatically, saving IT admins both time and effort. And with federated authentication, end users can sign in to their Managed Apple ID with their Google Workspace account, making for a seamless login experience to apps like Pages, Numbers, Keynote, Apple Business Essentials, iCloud Drive, and more.  For more information, refer to the Apple Business Manager User Guide.   VMware Tunnel Client Update - Support for Standalone enrollment (88311) We are excited to share a major update to our VMware Tunnel solution. The Workspace ONE Tunnel clients on Windows and macOS platforms now support Standalone enrollment without Workspace ONE Intelligent Hub or any device management. As a result, there are two Tunnel clients available on macOS and Windows, one for supporting Standalone enrollment and one for existing Hub and MDM workflows. Please read ahead to understand these changes. macOS Tunnel Client: The VMware macOS Tunnel application 22.05 delivered through the Workspace ONE Resources Portal supports Standalone enrollment. Note that this client does not support existing MDM workflows or installation on a Workspace ONE managed device. Therefore, the 21.08 client is still available through Apple’s App Store. Please continue using the macOS Tunnel client delivered through the App Store for all MDM and Per-App use-cases/workflows. Windows Tunnel Client: There are now two versions of the Windows Tunnel client available on the Workspace ONE Resources portal. The current GA version (2.1.6) supports all existing workflows excluding Standalone enrollment. Client version 3.0 supports Standalone Enrollment and both full device and per-app Tunnel mode. Note that client version 3.0 does not support existing MDM workflows or installation on a Workspace ONE managed device. Next Steps: Enabling both the MDM and Standalone enrollment workflows into a single Tunnel client will be provided in an upcoming release version. Please refer to this KB for information on configuring the new Standalone enrollment feature. The official documentation will be updated shortly with the next UEM release. KB-Reference: https://kb.vmware.com/s/article/88311?lang=en_US&source=email   Configuring VMware Tunnel Client for Standalone enrollment (88457) This KB article outlines the the steps required for configuring the macOS and Windows Tunnel clients for Standalone enrollment and corresponding administrator actions to manage Tunnel access. Please review https://kb.vmware.com/s/article/88457?lang=en_US&source=email for more details.   AAGNT-194622 - Managed App Config for Internal Apps not working on Android 11+ (88463) Workspace ONE UEM 2204 introduces support for pushing managed application configurations for Internal Applications uploaded through the Apps & Books section of the Console. On Android 11 and 12 devices that are enrolled using Intelligent Hub 22.04.0.30, UEM fails to apply these managed configurations to Internal Applications. This does not affect Android 11 and 12 devices that upgrade from previous versions of the Intelligent Hub application. Our product team has been engaged and is actively working to resolve the issue. KB-Reference: https://kb.vmware.com/s/article/88463?lang=en_US&source=email   Unable to use the external mouse support feature after upgrading to iPadOS14 (83205) Cannot use the external mouse support feature after upgrade to iPadOS14 and enabled "Perform Touch Gestures". Host cursor cannot be hidden, left-click works like finger tap, etc. This issue started with iPadOS 14. Enable "Perform Touch Gestures" will convert the events from the pointer devices into which triggered by fingers. Then it will make the external mouse/trackpad not work properly on the remote desktop, but the finger operations are still the same as before without any problems. Therefore, we recommend that you turn off this option when using an external pointer device. Turn off the option "Perform Touch Gestures" in system settings while using an external pointer device on a remote desktop.  Settings > Accessibility > Touch > AssistiveTouch > Perform Touch Gestures. KB-Reference: https://kb.vmware.com/s/article/83205?lang=en_US&source=email   Highlighting High Priority KBs Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971) To align with Google’s strategy and ensure VMware’s investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console).  [Action Required] Android Intelligent Hub 9.0.0.391 Cannot Check In (86083) VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 9.0.0.391 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub. VMware Tunnel Proxy End of Support Life Announcement (87345) VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023. VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022). [Resolved] CRSVC-25521 - Workspace ONE UEM - Guidance for addressing CVE-2021-22054 (87167) The Workspace ONE team has investigated CVE-2021-22054 and has determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article. This workaround is meant to be a temporary solution until updates documented in VMSA-2021-0029 can be deployed.   Recently updated or newly added KBs iOS Microsoft Outlook application is crashing after updating to 4.2115 (83479) Monitoring health of Horizon Connection Server using Load Balancer, timeout, Load Balancer persistence settings in Horizon 7.x and 8 (56636) ETL Installer steps for On-Prem Federal WS1 UEM customers (84310) Events DB reporting as not connected with HTML5 console (80762) Device recognized by Operating system cannot be redirected to Chrome Native Client or Chrome browser (83208) VMware Workspace ONE Mobile Flows End of Life Announcement (85939) Microphone may not work during a meeting call in nested mode when disconnect/reconnect the first hop session (83234) Failure of recompose operations in view composer (84172) Debugging guide for VMware Integrated Printing (85280) Windows 10 Guest OS support FAQ for Horizon (YYMM/8) (84254) When using Microsoft Teams Optimization with Linux client, bluetooth headset microphones may not be displayed in device (88435) Understanding Horizon Licenses (87490) SSHD issue and remediation for cloud connector 2.0 (86364) HW-156875 - Workaround instructions to address CVE-2022-22972 in Workspace ONE Access Appliance (VMware Identity Manager) (88433) Keystrokes and mouse inputs are delayed with Horizon Agent 7.13 when connecting using PCOIP. (87163) Composer customization fails when persistent disk is used (84203) Error: View Composer Backup Failed for URL: https://lab-1.vmwaretest.com:18443 with error code: 403 (84180) Horizon console displays "An internal error occurred" message in various pages (85543) Continuous windows events are generated in the windows system logs while installing Horizon Composer Server (84204) Verification of CA certs during TrueSSO deployment (86195) Horizon Client Feature Matrix for Horizon 8 and Horizon Cloud on Azure (80386) Desktop Applications Discovery Failed when adding a Host Application Pool of UWP apps (84195) Load Balancing for VMware Horizon (2146312) Troubleshooting Intermittent Blast Connection Issues in Unified Access Gateway (UAG) (83088)   Digital Workspace Techzone, Blog and YouTube Updates VMware Horizon on Oracle Cloud VMware Services Reference Architecture now available – Here are the top use cases https://blogs.vmware.com/security/2022/05/vmsa-2022-0014-what-you-need-to-know.html   3rd Party Blogs & Industry Updates Targoon Siripanichpong: Top 10 Use Cases for Workspace ONE Intelligence for your Mobile Device Fleet (Part 1) Arkadiusz Krowczynki: VMware Tunnel for Standalone enrollment Patrick Zoeller: How to setup VMware Tunnel on Standalone macOS Devices Mobile-Jon: Workspace ONE Tunnel Standalone Mode: Powering the BYOD Story for Windows and MacOS       Patch & Seed Script Updates Week20-2022 OS Updates Seed Script  Most recent update: iOS 15.5.0 (19F77),tvOS 15.5.0 (19L570),macOS Monterey 12.4.0 (21F79) https://resources.workspaceone.com/view/rywydmj6ghb9nmch4ywq/en Last Update: CW20 Seed Script for latest Device Model Information Update Device Model details seed for iiPad Air (Gen 5), iPhone SE (Gen 3) models https://resources.workspaceone.com/view/x8kn6bslt67vwvlgx4ld/en Last update: CW14   Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console Agnostic script to update seed data to allow Android 12 enrollments into the Console. https://resources.workspaceone.com/view/rvfdv9s6mhsh4xgdxf7f/en Last Update: CW44   Workspace ONE UEM 20.11 Patch Level: 20.11.0.44 CRSVC-28747: Migrate UEM database table BlobMaster that were encrypted using kv0 CRSVC-28486: Update PasswordMigrationMetadata.json file to include Patch-2 tables and column details for migration CMSVC-16084: UEM discloses smart group details from other tenants https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html#20-11-0-42-patch-resolved-issues-resolved https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en Last Update: CW17 Workspace ONE UEM 21.02 Patch Level: 21.2.0.35 CRSVC-28747: Migrate UEM database table BlobMaster that were encrypted using kv0 CRSVC-28486: Update PasswordMigrationMetadata.json file to include Patch-2 tables and column details for migration CMSVC-16084: UEM discloses smart group details from other tenants https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html#21-2-0-31-patch-resolved-issues-resolved https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en Last Update: CW17   Workspace ONE UEM 21.05 Patch Level: 21.5.0.56 FCA-202609: MDM profile is not removed from iOS device(device switched off and turned on later) when admin delete the device from UEM console. CRSVC-29041: Unable to install S/MIME profile due to "Certificate is used more than once" error. CMCM-189752: Removing the ContentLockerSDKLibraryKey system code causes an override. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html#21-5-0-56-patch-resolved-issues-resolved Last Update: CW20   Workspace ONE UEM 21.09 Patch Level: 21.9.0.33 CRSVC-29040: Unable to install S/MIME profile due to "Certificate is used more than once" error. INTEL-38427: Intelligence - Recovery Key Escrowed value not matching UEM. CRSVC-28590:  GSX Cert save failed with password invalid. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2109/rn/Workspace-ONE-UEM-2109-Release-Note.html#21-9-0-33-patch-resolved-issues-resolved Last Update: CW20   Workspace ONE UEM 21.11 Patch Level: 21.11.0.30 AMST-35970: Dropship Provisioning-Device registrations never make it to through the Bulk Importer Service. AGGL-11879: Android DDUI Launcher profile 'Lock Orientation' checkbox gets disabled upon save. AAPP-13878: MDM profile errors 'Decryption key for the profile is not installed'. Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2111/rn/vmware-workspace-one-uem-2111-release-notes/index.html#resolved-issues-2111030-patch-resolved-issues Last Update: CW20   Workspace ONE UEM 22.03 Patch Level 22.3.06   CMEM-186613: Delay in adding the device to the allow list from email list view.   AMST-35969: Dropship Provisioning-Device Registrations never make it to through the Bulk Importer Service.   AAPP-13822: VPP licenses are not getting disassociated.   CRSVC-27265: Message Template notification type is not considered while sending token related email. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2203/rn/vmware-workspace-one-uem-powered-by-airwatch-2203-release-notes/index.html#resolved-issues-22303-patch-resolved-issues Last Update: CW20