Week 25 Software Releases
Workspace ONE Access Services update coming soon
Continue-on-Failure Authentication Policy
This release introduces a new access policy configuration that gives you more control over how policy rules are executed. You can now create an access policy whose rules let users progress to the next rule if authentication fails on the current rule. In the Workspace ONE Access service, regular policy execution ends when the conditions in the first matching rule are executed. The new rule progression option lets execution continue to the next matching rule in the policy if authentication fails on the current rule. Common use cases of this configuration include passwordless authentication flows and flexible alternative authentication rules for different sets of users.
For more information, refer to this Release Notes.
Workspace ONE Hub Services update June
Branding Background Image Support on Workspace ONE Intelligent Hub Web
Background Image is back! Admins can upload a background image from Hub Services Branding Settings and have that image rendered on the Hub end user UI. This capability builds on our existing branding settings and enables customers to deliver a more modern and stylish Hub experience.
Note: This is available only on Workspace ONE Intelligent Hub web with this release.
Configure Due Dates for Actionable For You Notifications
Admins can assign due dates to actionable notifications from the Hub Services admin console. Select the day, time, and time zone by which a notification action should be due. A due date icon is displayed on the notification card in For You so employees can easily see which notifications need their attention and by when they must complete the action.
Note: This is available only on Workspace ONE Intelligent Hub web and Windows with this release.
Users Can Change Their Primary Device for Two-Factor Authentication from Workspace ONE Intelligent Hub
When the Verify (Intelligent Hub) authentication method is enabled in Workspace ONE Access, users can select and change their primary device for two-factor authentication from the Support tab in the Workspace ONE Intelligent Hub app.
Note: This is supported on Workspace ONE Intelligent Hub web and Windows.
For more information, refer to this Release Notes.
New permissions required for UsersBatches and ExportedReports APIs in Workspace ONE (WS1) UEM (88595)
Workspace ONE UEM admin role permissions have been added to some UserBatches and ExportedReports REST APIs to mitigate a security risk: every API must be covered by an authorization check, and these endpoints previously were not.
The following APIs will no longer be accessible without the appropriate admin role permissions:
UsersBatchesV1
[POST] /users/batches/report
[POST] /users/batches/{userBatchUuid}/details/report
ExportedReportsV1
[POST] /groups/{organizationGroupUuid}/exported-reports
This change impacts Workspace ONE UEM versions 21.11 and above.
To grant access to these APIs, the following permissions must be added to an admin role. To add a permission to an existing role, navigate to Accounts > Administrators > Roles within the Workspace ONE UEM Console. Search for a role in the list and click on Edit (pencil icon). Search for and select the permissions you want to add to the role, then click Save.
More info: https://kb.vmware.com/s/article/88595?lang=en_US&source=email
BitLocker and BitLocker to Go Best Practices and Considerations (88620)
BitLocker and BitLocker to Go (BL2Go) are technologies designed to encrypt data and provide recovery capabilities as needed from the UEM console. In some situations, changing GPO settings can conflict with BitLocker settings and produce unexpected results. Other best practices help ensure the best possible recovery capabilities after hardware failures or forgotten passwords.
This article is intended to track recently identified issues with BitLocker and BL2Go and to guide you toward the best experience with these technologies.
Review KB https://kb.vmware.com/s/article/88620?lang=en_US&source=email for the latest updates.
PPAT-11109 - Tunnel service on Unified Access Gateway 2111 causes error “AllowListManager Query returns Bad Response” (88753)
In UAG 2111 we introduced API pagination improvements to how the Tunnel service interacts with UEM APIs to fetch the AllowList of devices trusted by Tunnel. An error was discovered that causes only the first page to be returned, and tunnel.log records:
ERROR: API: Bad connection to API. Check connection to API service
ERROR: API: AllowListManager Query returns Bad Response
ERROR: AllowListManager AsyncAPIQuery: OnError
The Tunnel service will not be able to pull in the complete device allowlist and will instead rely on individual queries to UEM for each device. Because of these individual queries, the impact should be minimal. However, delays are possible under heavy load, along with increased traffic to the UEM APIs.
UAG 2203.1 includes a fix for this issue and is the recommended UAG version for Tunnel customers. The Tunnel service now creates a new TLS connection for every page in the API response.
KB-Reference: https://kb.vmware.com/s/article/88753?lang=en_US&source=email
Horizon Agent installed on Windows 10 physical machine remains stuck during machine restart. (88126)
Physical PC machines with the Horizon Agent installed hang on reboot/restart. Once this issue occurs, subsequent reboot attempts also fail.
This article provides workarounds for this system hang on reboot.
The root cause of this issue is under joint investigation with Microsoft.
The customer needs to manually power-cycle the physical PC.
Workaround:
There are two potential workarounds for this issue.
Option 1 to set verbosestatus works under most circumstances and is the preferred method.
Option 2 to disable the IDD driver is limited to certain OS versions and may increase CPU consumption slightly.
1. Set the Windows diagnostic key verbosestatus (requires reboot).
Set the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"verbosestatus"=dword:00000001
OR
2. Disable the IDD driver on the physical machine (requires reboot).
Set the following registry value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations]
"LoadWddmIDDDriver"=dword:00000000
Note: This method is limited to Windows 10 versions 1909 and older. It does not work on Windows 11.
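As an added example (not from the VMware KB), the following PowerShell script applies either workaround from an elevated prompt and reads the value back to confirm it was written. The `$Workaround` parameter, the option names and the build-number guard are my own; the guard assumes Windows 10 1909 is build 18363 and that Windows 11 starts at build 22000.

```powershell
# Added example, not VMware's code: apply one of the two Horizon Agent reboot-hang
# workarounds from KB 88126 and verify the registry value. A reboot is still required.
param(
    [ValidateSet('VerboseStatus', 'DisableIDD')]
    [string]$Workaround = 'VerboseStatus'   # hypothetical parameter name
)

$workarounds = @{
    # Option 1 (preferred): Windows diagnostic key verbosestatus
    VerboseStatus = @{
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name  = 'verbosestatus'
        Value = 1
    }
    # Option 2: disable the IDD driver (Windows 10 1909 and older only)
    DisableIDD = @{
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
        Name  = 'LoadWddmIDDDriver'
        Value = 0
    }
}

# Assumption: Windows 10 1909 is build 18363. Anything newer (2004+, or Windows 11 at
# 22000+) is outside the KB's stated support for option 2, so refuse instead of applying
# a setting that will not take effect.
if ($Workaround -eq 'DisableIDD') {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -gt 18363) {
        throw "Option 2 is limited to Windows 10 1909 (build 18363) and older; this host is build $build. Use option 1."
    }
}

$w = $workarounds[$Workaround]

# Create the key if it is missing, then set the DWORD, overwriting any existing value.
if (-not (Test-Path $w.Path)) { New-Item -Path $w.Path -Force | Out-Null }
New-ItemProperty -Path $w.Path -Name $w.Name -PropertyType DWord -Value $w.Value -Force | Out-Null

# Read the value back and fail loudly if it did not stick (e.g. blocked by policy).
$actual = (Get-ItemProperty -Path $w.Path -Name $w.Name).($w.Name)
if ($actual -ne $w.Value) {
    throw "Expected $($w.Name)=$($w.Value) under $($w.Path) but found $actual"
}
Write-Output "$($w.Name) set to $($w.Value) under $($w.Path); reboot the machine to apply."
```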
Workspace ONE UEM Unique Identifier for Windows Feature Removal (88754)
A feature was added to Workspace ONE UEM 2109 for Windows systems that was designed to reuse device records for physical devices when a device re-enrolls, rather than create a new device record. After the release of this feature, issues were identified with the implementation that left virtual systems susceptible to device records being inadvertently reused. In other situations, physical devices that should have been unique were treated as the same device on enrollment, again reusing an existing device record.
In order to correct the implementation of the feature, the Unique Identifier feature will be removed from Workspace ONE UEM 2206. A different approach to cleaning up device records, which was the intended purpose of the Unique Identifier feature, will be designed and implemented in an upcoming release of Workspace ONE UEM.
Due to this change, devices that are re-enrolled will return to the pre-2109 behavior of adding a new device record each time they enroll. This applies to both physical devices and virtual machines.
A future Workspace ONE UEM release will allow a different approach to device records cleanup.
KB-Reference: https://kb.vmware.com/s/article/88754?lang=en_US&source=email
CRSVC-29893 - Mobile Single Sign-On through Workspace ONE Access may fail when using Device Compliance or Device Trust (88741)
Single Sign-On (SSO) through Workspace ONE Access may fail when used in conjunction with the following authentication methods:
Device Compliance (with Workspace ONE UEM)
Device Trust with Okta
Single Sign-On can be included in the following authentication methods:
Certificate Cloud Deployment
Mobile SSO (for iOS)
Mobile SSO (for Android)
You may see the following error under Workspace ONE Access > Dashboards > Reports when a device fails to authenticate:
[{\"reason\":\"AUTHENTICATION_FAILURE\",\"authMethod\":\"identityProvider.embedded.authMethod.airwatchCompliance\",\"failureMessage\":\"Invalid value provided for unique device id.\"}]",
"authMethods" : "identityProvider.embedded.authMethod.airwatchCompliance",
"message" : "Authentication failed."
Please follow: https://kb.vmware.com/s/article/88741?lang=en_US&source=email
Highlighting High Priority KBs
HW-156875 - Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager) (88438)
CVE-2022-22972 and CVE-2022-22973 have been determined to impact Workspace ONE Access (VMware Identity Manager). These vulnerabilities and their impact on VMware products are documented in VMware Security Advisory VMSA-2022-0014; please review this document before continuing.
Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971)
To align with Google’s strategy and ensure VMware’s investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console).
[Action Required] Android Intelligent Hub 9.0.0.391 Cannot Check In (86083)
VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 9.0.0.391 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub.
VMware Tunnel Proxy End of Support Life Announcement (87345)
VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution, effective January 30, 2023.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers, enabling increased scalability and performance and a faster rate of innovation. Now, after significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premises customers after this roll-out (later in 2022).
Recently updated and added KBs
VMware Workspace ONE UEM 2204 Shared SaaS and Latest Mode Deployment Schedule (80156)
Black screen or other graphics-related issues with Horizon session on a physical machine. (88748)
VPN connections to Horizon Client 5.x encounter a long delay (75282)
Unable to access Connection Server due to java.lang.OutOfMemoryError in ws_MessageBusService (60213)
The event database cleanup task fails with the SQL timeout exception (77568)
Digital Workspace Techzone, Blog and YouTube Updates
Announcing the Evaluation Guide: Setting Up Cloud-Based VMware Workspace ONE
VMware’s CRADA with NIST’s NCCoE for Zero Trust Architecture Implementations
Best Practices for Delivering Microsoft Office 365 in VMware Horizon
Upgrading Horizon from Security Servers to Unified Access Gateways
3rd Party Blogs and Industry Updates
June Software Releases
Patch & Seed Script Updates Week25-2022
OS Updates Seed Script
OS Updates Seed Script ... Most recent update: ... macOS Big Sur 11.6.7 (20G630)
https://resources.workspaceone.com/view/rywydmj6ghb9nmch4ywq/en
Last Update: CW25
Seed Script for latest Device Model Information
Update Device Model details seed for iPad Air (Gen 5) and iPhone SE (Gen 3) models
https://resources.workspaceone.com/view/x8kn6bslt67vwvlgx4ld/en
Last update: CW14
Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console
Agnostic script to update seed data to allow Android 12 enrollments into the Console.
https://resources.workspaceone.com/view/rvfdv9s6mhsh4xgdxf7f/en
Last Update: CW44
Workspace ONE UEM 20.11
Patch Level: 20.11.0.46
CMCM-189755: Remove ContentLockerSDKLibraryKey system code and its overrides
AMST-35843: Purge hardcoded keys from config files
Last Update: CW24
Workspace ONE UEM 21.02
Patch Level: 21.2.0.35
CRSVC-28747: Migrate UEM database table BlobMaster that were encrypted using kv0
CRSVC-28486: Update PasswordMigrationMetadata.json file to include Patch-2 tables and column details for migration
CMSVC-16084: UEM discloses smart group details from other tenants
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en
Last Update: CW17
Workspace ONE UEM 21.05
Patch Level: 21.5.0.61
AGGL-12015: Public Android Apps published with 600k+ devices assigned does not land on the devices.
AGGL-11996: Enrollment users not available when searching during QR code creation.
INTEL-40017: Intelligence missing data with resync failure.
Last Update: CW25
Workspace ONE UEM 21.09
Patch Level: 21.9.0.35
CRSVC-29795: S/MIME certificates seemingly corrupted on DB.
AMST-36171: AuthenticationToken_Load times out during enrollment.
Last Update: CW24
Workspace ONE UEM 21.11
Patch Level: 21.11.0.37
AGGL-12049: Android Auto Seed: Model of Android devices are missing on the console and displayed as "Unknown" instead - script correction.
AMST-36170: AuthenticationToken_Load times out during enrollment.
MACOS-3153: Blank screen on macOS Web enrollment.
CRSVC-29794: S/MIME certificates seemingly corrupted on DB.
FCA-203017: Unauthorized endpoint in MVC > Angular migration: Account > Administrators > System Activity > batch Status.
Last Update: CW24
Workspace ONE UEM 22.03
Patch Level: 22.3.11
UM-7478: Devices unable to move to different OGs based on UserGroup Mappings after Auto Sync.
MACOS-3173: Add support for Mac Studio set of devices in UEM
FCA-203016: Unauthorized endpoint in MVC -> Angular migration : Account → Administrators → System Activity → batch Status
CRSVC-29793: S/MIME certificates seemingly corrupted on DB
ARES-22163: [SPIKE] Slide Forced and Idle session timeout for blob upload use case
AGGL-12047: Android Auto Seed: Model of Android devices are missing on the console and displayed as "Unknown" instead - script correction
AAPP-14003: Username not visible in the tvOS "Wi-Fi" payload (DDUI)
Last Update: CW25