Weekly highlight: Workspace ONE Intelligence for Horizon now available
SINST-175987 Upcoming Expiration for Workspace ONE UEM AWCM Built-In Certificate (88871) - The Workspace ONE team has identified that the built-in Workspace ONE UEM AWCM certificate is expiring on July 2nd, 2022. This certificate is an installer selection option for AWCM that installs a self-signed non-publicly-trusted certificate to secure AWCM communications.
Note: SaaS environments use SSL offloading and are not affected by this expiration.
- If you are using custom SSL certificates (third party) or SSL offloading, this expiration does not apply to your deployment and no action is needed.
- If you are utilizing the Built-In Workspace ONE UEM certificate for AWCM, your environment will be impacted. The expiration manifests as AWCM services failing to restart. Additionally, devices, ACCs, and other services will fail to trust the AWCM connection, causing service interruption. Lastly, 502s would be observed from the AWCM status page.
- To confirm whether your environment is impacted, navigate to https://localhost:2001/awcm/status on the AWCM host machine and check the certificate presented at that endpoint. If the certificate is the AirWatch Root CA with an expiration of July 2nd, 2022, follow the Resolution and Workaround sections of this KB.
- Resolution & Workaround in KB: https://kb.vmware.com/s/article/88871?lang=en_US&source=email
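The check in the previous bullet can be scripted instead of done by hand in a browser. The following PowerShell script is an added example, not code from the KB or from VMware: it opens a TLS connection to the AWCM status port on the local host, reads the certificate the service presents, and reports its subject, issuer and expiry, flagging the case the KB describes (issuer or subject naming the AirWatch Root CA with a NotAfter of July 2nd, 2022). The host name, port and cutoff date are parameters defaulting to the values given in the KB; the validation callback accepts any certificate only so that the self-signed certificate can be read, it is not a trust decision.

```powershell
# Added example (not from the KB): inspect the certificate presented by the AWCM
# status endpoint and report whether it is the expiring built-in certificate.
# Assumptions: run on the AWCM host; port 2001 is the AWCM status port as the KB states.
param(
    [string]$AwcmHost = 'localhost',
    [int]$Port = 2001,
    [datetime]$ExpiryCutoff = [datetime]'2022-07-02'
)

function Get-AwcmServerCertificate {
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    $ssl = $null
    try {
        # Accept any certificate for inspection purposes only: we read it here, we do not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)
        # Wrap the raw certificate so NotAfter/Subject/Issuer are available.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$cert = Get-AwcmServerCertificate -TargetHost $AwcmHost -TargetPort $Port

$isBuiltIn   = ($cert.Issuer -match 'AirWatch Root CA') -or ($cert.Subject -match 'AirWatch Root CA')
$expiresOnCutoff = $cert.NotAfter.Date -eq $ExpiryCutoff.Date
$daysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays

Write-Host ("Subject : {0}" -f $cert.Subject)
Write-Host ("Issuer  : {0}" -f $cert.Issuer)
Write-Host ("NotAfter: {0:yyyy-MM-dd} ({1} days from today)" -f $cert.NotAfter, $daysLeft)

if ($isBuiltIn -and $expiresOnCutoff) {
    Write-Warning "AWCM is using the built-in AirWatch Root CA certificate expiring on $($ExpiryCutoff.ToShortDateString()). Follow the Resolution and Workaround sections of KB 88871."
} elseif ($isBuiltIn) {
    Write-Warning "AWCM is using the built-in AirWatch Root CA certificate; verify its expiry against KB 88871."
} else {
    Write-Host "AWCM is not using the built-in certificate; KB 88871 does not apply to this host."
}
```

Run it on the AWCM server as an administrator; if AWCM is fronted by a third-party certificate or an SSL offloader, the script reports the certificate of whatever answers on port 2001, so check that the issuer shown is the one you expect.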
Impact of CVE-2021-26414 (KB5004442) on Workspace ONE UEM integration with ADCS DCOM (88859) - This KB article refers to Microsoft's "KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)". The Workspace ONE team has investigated CVE-2021-26414 (KB5004442) and has determined that customers can avoid interruption by performing the steps detailed in the Workaround section of this article.
- The changes to DCOM calls affect Certificate Authority (CA) integrations with ADCS through ACC or direct CA integrations (Console/Device Services). Other CA integrations, for example SCEP, are not affected by this change.
- Impact manifests as failing test connections for the CA integration and failure to generate certificates.
- Our product team has been notified and is working to address this issue in a timely manner. Please subscribe to this KB for updates as we progress on resolving this issue.
- For short-term mitigation, you may apply the steps in the Microsoft KB article to disable the hardening changes on your ACC and Certificate Authority, or on CN/DS/API and Certificate Authority.
- Please contact your Microsoft support representatives if you need additional information about this vulnerability or the changes associated with the Microsoft KB.
- KB-Reference: https://kb.vmware.com/s/article/88859?lang=en_US&source=email
AGGL-12119 - Enterprise Wipe action only wipes Work Profile in Android 11+ COPE (88821) - Devices wiped through the Enterprise Wipe actions in Devices > List View and Compliance Policies will not factory reset. Instead, only the Work Profile will be wiped.
- One of the actions available in Compliance Policies for Android devices is Enterprise Wipe. The Enterprise Wipe action is also available for Android devices in the Workspace ONE UEM Console under the Devices > List View page. For Android 11+ devices enrolled in COPE mode, these actions should result in a factory reset.
- Affected version: Workspace ONE UEM 2204
- Devices where only the Work Profile has been wiped will no longer be managed by Workspace ONE UEM. To re-enroll in COPE mode, devices must be factory reset and must go through the COPE enrollment flow. Devices registered in Knox Mobile Enrollment or Zero Touch Enrollment programs will continue to automatically re-enroll into Workspace ONE UEM on factory reset.
- VMware is actively working towards a resolution, and updates will be posted on this article.
- You may initiate a factory reset of Android 11+ COPE devices by deleting the device from the Workspace ONE UEM Console.
- KB-Reference: https://kb.vmware.com/s/article/88821?lang=en_US&source=email
Unable to renew APNs certificate when request uses .plist file extension (88830) - Apple Push Notification service (APNs) certificate renewal will fail if the certificate request uses a .plist file extension.
- The renewal process is outlined in the KB article titled How to renew an Apple Push Notification service (APNs) certificate (2960965).
- KB link: https://kb.vmware.com/s/article/88830
On some devices, macOS Intelligent Hub 22.04.x or 22.05.0 may not successfully autoupdate when a newer Intelligent Hub is available (88834) - Some macOS devices with Intelligent Hub 22.04.x or 22.05.0 installed may not successfully autoupdate when a newer Intelligent Hub is available in the UEM environment. The autoupdate will attempt to initiate based on the configured settings, but the new version of the Hub will not be successfully installed. For devices that experience the issue, newer versions of the Intelligent Hub can be deployed through methods where the install command is initiated through the UEM Console, see the Workaround section for some examples.
- This issue has been resolved in macOS Intelligent Hub 22.05.1, which is also seeded into UEM 22.04.5. This Hub is also available on myWorkspaceONE and https://getwsone.com.
- This issue affects the autoupdate functionality initiated by the Hub, but should not affect any server-side initiated update commands. Any of the following methods can be used to update the Intelligent Hub on an affected macOS device:
- After Intelligent Hub 22.05.1 is available within your UEM environment, leverage the "Install Intelligent Hub for macOS" action available in the Device Details page of an affected device.
- After Intelligent Hub 22.05.1 is available within your UEM environment, the Workspace ONE UEM API can be leveraged to issue an Intelligent Hub install command. For example, the following command could be used to install the seeded Intelligent Hub to a target device:
- https://{API_URL}/API/mdm/devices/{deviceID}/commands?command=InstallPackagedMacOSXAgent
- Intelligent Hub 22.05.1 or greater can be deployed as a bootstrap PKG (by specifying "Expedited Delivery" as the Deployment Type after uploading the pkg as an Internal App). This can then be deployed to enrolled devices.
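The API method above gives only the endpoint. The following PowerShell script is an added example, not code from the KB or from VMware, that issues that command for one device. It assumes (the KB does not state this) that the UEM REST API is authenticated with a console administrator account over HTTP Basic auth together with the organization group's REST API key in the aw-tenant-code header; the API host, device ID, key and credential are placeholders supplied as parameters.

```powershell
# Added example (not from the KB): issue the Intelligent Hub install command from
# KB 88834 through the Workspace ONE UEM REST API.
# Assumptions (not stated in the KB): Basic auth with a console admin account plus the
# REST API key in the aw-tenant-code header. All values below are placeholders.
param(
    [Parameter(Mandatory)] [string]$ApiUrl,              # API host name, e.g. the {API_URL} from the KB
    [Parameter(Mandatory)] [int]$DeviceId,               # the {deviceID} from the KB
    [Parameter(Mandatory)] [string]$ApiKey,              # REST API key for the organization group
    [Parameter(Mandatory)] [pscredential]$Credential     # console admin account
)

# Build the Basic auth header from the supplied credential.
$pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{
    'Authorization'  = "Basic $basic"
    'aw-tenant-code' = $ApiKey
    'Accept'         = 'application/json'
}

# Endpoint exactly as given in the KB; the command name selects the seeded Hub installer.
$uri = "https://$ApiUrl/API/mdm/devices/$DeviceId/commands?command=InstallPackagedMacOSXAgent"

try {
    $response = Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -UseBasicParsing
    Write-Host ("Install command accepted for device {0}: HTTP {1}" -f $DeviceId, $response.StatusCode)
} catch {
    # A 401/403 here usually means the account or API key lacks rights in this organization group.
    Write-Error ("Install command failed for device {0}: {1}" -f $DeviceId, $_.Exception.Message)
}
```

Use an administrator account and API key scoped to the organization group that owns the device; the command is queued for the device and is only acted on once the device checks in, so allow for the device's check-in interval before expecting the newer Hub to appear.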
Highlighting High Priority KBs
- HW-156875 - Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager) (88438): CVE-2022-22972 and CVE-2022-22973 have been determined to impact Workspace ONE Access (VMware Identity Manager). These vulnerabilities and their impact on VMware products are documented in VMware Security Advisory VMSA-2022-0014; please review this document before continuing.
- Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971): To align with Google's strategy and ensure VMware's investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console).
- [Action Required] Android Intelligent Hub 9.0.0.391 Cannot Check In (86083): VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 9.0.0.391 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub.
- VMware Tunnel Proxy End of Support Life Announcement (87345): VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023.
- VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243): Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers, enabling increased scalability and performance and a faster rate of innovation. After significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premises customers after this roll-out (later in 2022).
Recently updated and added KBs
Digital Workspace Techzone, Blog and YouTube Updates
3rd Party Blogs and Industry Updates
- Step 1. Federate Office 365 to Workspace ONE: https://blog.simonelberts.nl/2022/01/federate-office-365-domain-to-third.html
- Step 2. Certificate prompt: https://blog.simonelberts.nl/2022/06/certificate-prompt-certificate.html
- Step 3. Certificate Authentication: https://blog.simonelberts.nl/2022/06/passwordless-sso-with-workspace-one.html
June Software Releases
Patch & Seed Script Updates Week26-2022
- OS Updates Seed Script
- Seed Script for latest Device Model Information
- Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console
- Workspace ONE UEM 21.11
- Patch Level: 21.11.0.38
- CRSVC-29627 Triggering the 5K API calls per minute limit even though it's been longer than a minute
- ARES-22164 [SPIKE] Slide Forced and Idle session timeout for blob upload use case
- AMST-36289 Disable HardwareDeviceIdentifierForWindowsFeatureFlag
- AGGL-12082 'Force YouTube Safety Mode' and 'Enable Touch to Search' settings in Android Chrome Browser Settings profile are not saved with console v2111 and above.
- AGGL-11944 Chrome URLWhitelist/URLBlacklist does not work on the latest Chrome Versions.