VMware Digital Workspace Newsletter - Week 21



Week 21 -  2022







Weekly highlight:


Workspace ONE UEM 22.04 Released



  • Managed configuration for internal applications..

You can now apply Managed App Configurations to Android Internal Applications. When assigning Android Internal Applications through the Workspace ONE UEM console, Workspace ONE UEM displays all supported Managed App Configuration key-value pairs for the application under the Application Configuration tab. This feature requires Workspace ONE Intelligent Hub 22.04.


  • Deploying macOS profiles is now easier and faster with the new data-driven user interface..

Starting with macOS 10.14 and later devices, admins can lock a device with Apple Silicon by a six-digit PIN and can provide a message that is displayed on the unlock screen. For more information, see Lock Devices.

With the new Data-Driven User Interface (DDUI) user experience, you can now quickly add payloads, search, and view profile summaries. Keep an eye out for this new macOS user experience for shared SaaS. With the initial release of the new profile framework for macOS, we are adding new payloads and payload keys to the Workspace ONE Console UI. Newly supported keys can be found in the payloads listed below:

  • Associated Domains
  • Content Filter
  • DNSSetting
  • FileProvider
  • Firewall (Native)
  • Kernel Extension Policy
  • NSExtension
  • Restrictions
  • Certificate Transparency
  • Skip Setup Assistant
  • SSO Extension

We intend to add more payloads and keys released by Apple to Workspace ONE in the future, allowing administrators to deploy much more quickly. This functionality will have a gradual rollout across Shared SaaS. macOS Device Profiles


  • Deploying macOS profiles is now easier and faster with the new data-driven user interface.

The maximum file size you can upload for a product's Files or Action component is now determined by your server configuration, with the maximum size topping out at 5GB. For more information, see Create a Files-Actions Component.

  • We've introduced a new product provisioning condition and Event Action to strengthen security..

Device Offline is a new condition that detects if your Android device has not checked in with the console for a specified number of days. You can pair this condition with the new Event Action for Android, Device Wipe, to take a highly defensive security posture for lost devices. For more information see, Product Conditions and Event Actions, Android and WinRugg.

  • Get a better experience with expedited deployment of products..

We have improved the expedited deployment of products you create. Products with this prioritisation are now preferred for delivery and installation on devices ahead of others. For more information, see Prioritize Your Product With Expedited Deployment.

Full Release Notes: 






Workspace ONE UEM - iOS check-in/check-out SSO sessions may persist from one user to another (86375)

  • If devices are set up to use SSO, users checking out devices using Workspace ONE Intelligent Hub may see the previous user's session depending on the session timeout configured.
    For example:

1. User A checks out the device using the Hub
2. User A logs into App 1 using native SSO via SSO profile.
3. User A checks in the device using the Hub
4. User B checks out the device using the Hub
5. User B launches App 1

Customer Expectation: User B logs in via SSO
Customer Experience: User B sees User A's logged-in session

  • Depending on the settings of the app and the identity provider, this experience is expected and there is nothing WS1 UEM or Hub can do.
  • It is caused by the original SSO token for User A still being active. This is due to the authentication and token being handled by the operating system and not WS1 UEM or Intelligent Hub. Workspace ONE UEM provisions the SSO configuration and appropriate certificates but iOS is responsible for handling the SSO when an approved app is launched.
  • During the original SSO login, the identity provider provides an auth token for User A that is configured to expire at some point in the future. If that point in the future is not reached, the app may not reattempt authentication for User B and instead show User A's login session.
  • Workaround and further info in KB: https://kb.vmware.com/s/article/86375?lang=en_US&source=email


[Resolved] CRSVC-28467 - Uploading .pfx certificate fails with Invalid Password error (88422)

  • The purpose of this knowledge base article is to document the instruction on how to fix the invalid password error when uploading the .pfx certificate.
  • You see the below error when uploading the certificate 
    “Save failed: Password Invalid”
  • Workspace ONE UEM 2109 and above
  • There was a change in behavior in the Microsoft library regarding how the certificates are imported when we specify Ephemeral (in-memory) private keys. When the leaf certificate is duplicated in the PFX file, previously, all certificates were imported with the private key. But when we ask the library to load with Ephemeral keys, only the last certificate is given the private key. Traditionally we built the certificate chain ending with the first leaf certificate, which is now imported without its private key, eventually resulting in the “Password Invalid” error.
  • More information and resolution: https://kb.vmware.com/s/article/88422?lang=en_US&source=email


Horizon Agent reports Not enough free disk space when attempting to install from ISO (88539)

  • If you put the Horizon Agent on an ISO and mount it to a VM, and then attempt to run the installer from the virtual CD-ROM drive, you may encounter an error such as: 
    "There is not enough free disk space for setup to proceed. To continue, one drive must have at least 350 MB of free space. Otherwise, click Cancel to abort setup."
  • This may be from using a newer release of Windows 10 or an older Horizon Agent.
  • As a workaround, you can copy the Horizon Agent installer from the virtual CD-ROM over to a temp folder on the C: drive of the VM.
  • Otherwise, please use Horizon Agent 2111 (8.4) where this is resolved.
  • KB-Reference: https://kb.vmware.com/s/article/88539?lang=en_US&source=email


When logging on to the Horizon 2103 / 2106 / 2111 VDI in a MultiLingual environment, the Windows input locale is unexpectedly set to English (88502)

  • Logging on to Horizon Agent 2103 (8.2) / 2106 (8.3) / 2111 (8.4) VDI from Horizon Client 2103 (8.2) / 2106 (8.3) / 2111 (8.4) changes VDI keyboard locale to English
  • The audit registry event log confirms that pcoip_server_win32.exe and VMwareView-RdeServer.exe delete and do not recreate the following keys
\REGISTRY\USER\<User's SID>\Keyboard Layout\Preload
  • This issue is reported in Blast and PCoIP
  • VDI with Agent 2106 causes VMwareView-RdeServer.exe to delete the Preload registry key and issue even when "Extend the local IME to this desktop" is disabled on Horizon Client.
  • Horizon Agent versions 2103 through 2111 have the Keyboard locale synchronization enabled by default.
  • When the Keyboard locale synchronization is enabled, Horizon Agent removes all keyboard layouts on the VDI when connecting to a session and sets the same layout as the client.
    The layout is also restored when disconnecting.
  • Among the Win32 APIs used by the above operation, InstallLayoutOrTip and EnumEnabledLayoutOrTip of the Text Service Framework are involved.
    Due to the high load on InstallLayoutOrTip, EnumEnabledLayoutOrTip will fail if the above layout operation is performed each time a session is connected/disconnected.
  • More information, workaround and resolution: https://kb.vmware.com/s/article/88502?lang=en_US&source=email


Highlighting High Priority KBs


Recently updated KBs


Digital Workspace Techzone, Blog and YouTube Updates


3rd Party Blogs and Industry Updates


Beta, Lab and Tech Preview Updates

  • Workspace ONE Launcher 22.05 for Android
    • ALAU-171781: Orientation lock set for guest mode incorrectly persists on non-guest logins
    • ALAU-171675: List of applications is not updated when an app is removed from the 'Applications' Tab
    • ALAU-171859: Floating Button is incorrectly shown when inactivity timeout screen is configured
    • ALAU-171718: User cannot enable notification permission when none of the device settings are enabled in Launcher profile
    • ALAU-171499: Select devices experience disappearance of internal app icon in Launcher home screen
    • ALAU-171942: Access to Wi-Fi and select launcher settings are briefly available after a device reboot



Patch & Seed Script Updates Week21-2022







  • Workspace ONE UEM 22.03