Workspace ONE Intelligence for Horizon delivers insights on health, performance, and usage visibility for your Horizon environment. With the support for Horizon, Workspace ONE Intelligence delivers end-to-end visibility across physical and virtual endpoints, enabling you to monitor environment health and performance, and ensure end-user experience in a centralized location, within the Workspace ONE Intelligence console!
SINST-175987 Upcoming Expiration for Workspace ONE UEM AWCM Built-In Certificate (88871)
The Workspace ONE team has identified that the built-in Workspace ONE UEM AWCM certificate is expiring on July 2nd, 2022. This certificate is an installer selection option for AWCM that installs a self-signed non-publicly-trusted certificate to secure AWCM communications. Note: SaaS environments are utilizing SSL offloading and are not affected by this expiration.
If you are using custom SSL certificates (Third Party) or SSL offloading this expiration does not apply to your deployment and no actions are needed
If you are utilizing the Built-In Workspace ONE UEM certificate for AWCM your environment will be impacted. The impact of this expiration would manifest in the form of AWCM services failing to restart. Additionally, devices, ACCs, and other services will fail to trust the AWCM connection causing service interruption. Lastly, 502s from the AWCM status page would be observed.
To confirm your environment is impacted, please navigate to the following URL (https://localhost:2001/awcm/status) on the AWCM local host machine and check the certificate published against that URL endpoint. If this certificate is the Air Watch Root CA with an expiration of July 2nd, 2022, please follow the resolution and workaround sections of this KB.
The changes to DCOM calls can affect calls specifically for Certificate Authority (CA) integrations with ADCS through ACC or direct CA integrations (Console/Device Services). Other CA integrations are not affected by this change Ex: SCEP. Impact manifests in the failure of test connections for CA integration and the failure to generate certificates.
Our product team has been notified and is working to address this issue in a timely manner. Please subscribe to this KB for updates as we progress on resolving this KB.
For short-term mitigation, you may apply the steps mentioned in theMicrosoft KB articleto disable the hardening changes to your ACC and Certificate Authority, or CN/DS/API and Certificate Authority. Please contact your Microsoft support representatives if you need additional information about this vulnerability or the changes associated with the Microsoft KB.
AGGL-12119 - Enterprise Wipe action only wipes Work Profile in Android 11+ COPE (88821)
Devices wiped through theEnterprise Wipe actions in Devices > List View andCompliance Policieswill not factory reset. Instead, only the Work Profile will be wiped.
One of the actions available inCompliance Policiesfor Android devices isEnterprise Wipe. TheEnterprise Wipeaction is also available for Android devices in the Workspace ONE UEM Console under the Devices > List Viewpage. For Android 11+ devices enrolled in COPE mode, these actions should result in a factory reset.
Workspace ONE UEM 2204
Devices where only the Work Profile has been wiped will no longer be managed by Workspace ONE UEM. To re-enroll in COPE mode, devices must be factory reset and must go through the COPE enrollment flow. Devices registered in Knox Mobile Enrollment or Zero Touch Enrollment programs will continue to automatically re-enroll into Workspace ONE UEM on factory reset.
VMware is actively working towards a resolution, and updates will be posted on this article
You may initiate a factory reset of Android 11+ COPE devices by deleting the device from the Workspace ONE UEM Console.
On some devices, macOS Intelligent Hub 22.04.x or 22.05.0 may not successfully autoupdate when a newer Intelligent Hub is available (88834)
Some macOS devices with Intelligent Hub 22.04.x or 22.05.0 installed may not successfully autoupdate when a newer Intelligent Hub is available in the UEM environment. The autoupdate will attempt to initiate based on the configured settings, but the new version of the Hub will not be successfully installed. For devices that experience the issue, newer versions of the Intelligent Hub can be deployed through methods where the install command is initiated through the UEM Console, see the Workaround section for some examples.
This issue has been resolved in macOS Intelligent Hub 22.05.1, which is also seeded into UEM 22.04.5. This Hub is also available on myWorkspaceONE andhttps://getwsone.com.
This issue affects the autoupdate functionality initiated by the Hub, but should not effect any server-side initiate update commands. Some of the following methods could be used to update the Intelligent Hub on an effected macOS device:
After Intelligent Hub 22.05.1 is available within your UEM environment, leverage the "Install Intelligent Hub for macOS" action available in the Device Details page of an affected device.
After Intelligent Hub 22.05.1 is available within your UEM environment, the Workspace ONE UEM API can be leveraged to issue an Intelligent Hub install command. For example, the following command could be used to install the seeded Intelligent Hub to a target device:
Intelligent Hub 22.05.1 or greater can be deployed as a bootstrap PKG (by specifying "Expedited Delivery" as the Deployment Type after uploading the pkg as an Internal App). This can then be deployed to enrolled devices.
[Action Required] Android Intelligent Hub 22.214.171.1241 Cannot Check In (86083) VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date,Android devices running Intelligent Hub 126.96.36.1991 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).