Require Administrator-Approved Updates for Windows Updates can lead to a poor experience (88942)
On Windows 10 version 20H2 and above, and Windows 11 devices, using Administrator-Approved Updates could lead to issues with updates being inadvertently approved, updates hanging on install, or the download button not working as expected.
Microsoft has changed their recommendation on leveraging the Require Update Approval CSP. This policy can lead to a poor experience if used on Windows 10 and is no longer supported in Windows 11.
VMware's recommendation is to move devices to a phased deployment of updates leveraging deployment rings. By leveraging a ring deployment, you can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time. VMware is actively working on a new Windows Update module that will greatly improve how customers manage Windows Updates. However, this new module will not include the ability to granularly approve updates.
For those customers that require the ability to approve updates by classification, VMware recommends leveraging Microsoft WSUS as the source of your devices' updates. By leveraging WSUS, you can control what updates the device can see, and thus prevent a particular update from being installed.
ABRW-174054: Support Web standalone secure browsing with CWS
This enables admins to extend the security capabilities of the Workspace ONE Web application running in standalone mode by applying the web security policies configured through the VMware Cloud Web Security service.
Added SAML authentication for the Admin interface with the FIPS version.
Added support for additional security settings required for NIAP/CSfC compliance.
Provided additional security settings required to allow the FIPS version of Unified Access Gateway to be deployed with Photon OS DISA STIG compliance. DISA is the Defense Information Systems Agency and the Photon OS STIG is the published Security Technical Implementation Guide.
Added further SSH hardening configuration options.
Added setting to allow the Horizon Connection Server pre-login message to be skipped. This is often required when Unified Access Gateway is configured in a way that requires a Horizon user to authenticate with SAML or through VMware Workspace ONE first. In these cases, it is not appropriate to require the user to accept a pre-login disclaimer after they have already logged in.
Updates to Photon OS package versions and Java component versions.
Improved the Tunnel's vpnreport troubleshooting tool to include flow details based on device type and TCP/UDP, and a breakdown of most used apps.
Recommendations on upgrade path from Horizon 7.13.x to Horizon 8.x version (85517)
This article provides information on the upgrade path from Horizon 7.13.x to Horizon 8.x. To determine the right version, refer to the release date of the 8.x version. If the release date of the 8.x version is after the release of 7.13.x, the current environment can be upgraded.
It is recommended to upgrade the existing Horizon 7.13.x to the correct version of Horizon 8.x. The below table illustrates the upgrade path:
Workspace ONE applications should be updated to the latest version to utilize autodiscovery during enrollment. (88958)
Older versions of Workspace ONE applications, including Hub, Boxer, Web, Content, and PIV-D, cannot use email-based autodiscovery during enrollment and will fall back to the manual enrollment screen with Server URL and Group ID.
This KB alerts customers that Workspace ONE applications need to be updated to the latest App Store versions to use email-based autodiscovery. If an older version of an application is still in use, autodiscovery will fail and the user is taken to the manual enrollment screen with Server URL and Group ID. Enrollment can still proceed from there.
We have to rotate the SSL certificate on our autodiscovery server, discovery.awmdm.com. The new certificate is already embedded in our Workspace ONE SDK and has been consumed by all the Workspace ONE applications in advance. Any Workspace ONE application that is older than the fixed version in the table below will not be able to use autodiscovery during enrollment, but can still enroll using the manual enrollment screen with Server URL and Group ID.
Fixed Versions in KB
Any Workspace ONE application that is older than the fixed versions in the table will not be able to use email-based autodiscovery during enrollment, but can still enroll using the manual enrollment screen with Server URL and Group ID.
[Action Required] Android Intelligent Hub 22.214.171.1241 Cannot Check In (86083)
VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 126.96.36.1991 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub.
VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers, enabling increased scalability and performance and a faster rate of innovation. After significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (later in 2022).