Weekly highlight: Require Administrator-Approved Updates for Windows Updates can lead to a poor experience (88942)
- On Windows 10 version 20H2 and above, and Windows 11 devices, using Administrator-Approved Updates could lead to issues with updates being inadvertently approved, updates hanging on install, or the download button not working as expected.
- Microsoft has changed their recommendation on leveraging the Require Update Approval CSP. This policy can lead to a poor experience if used on Windows 10 and is no longer supported in Windows 11.
- VMware's recommendation is to move devices to a phased deployment of updates leveraging deployment rings. By leveraging a ring deployment, you can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
VMware is actively working on a new Windows Update module that will greatly improve how customers manage Windows Updates. However, this new module will not include the ability to granularly approve updates.
- For those customers that require the ability to approve updates by classification, VMware recommends leveraging Microsoft WSUS as the source of your devices' updates. By leveraging WSUS, you can control what updates the device can see, and thus prevent a particular update from being installed.
- KB-Reference: https://kb.vmware.com/s/article/88942?lang=en_US&source=email
Week 28 Software Releases

System | Component | Release | Announcement | Release Date

Android | Web | 22.07 |
- ABRW-174054: Support Web standalone secure browsing with CWS
  - This will enable the admins to extend the security capabilities of Workspace ONE Web application running in standalone mode by applying the web security policies configured through VMware Cloud Web Security service
- ABRW-174055: Enable in-app Play Store rating prompt
  - This will enable the end users to rate Workspace ONE Web experience from within the application through the in-app Play Store rating prompt.
- Bug fixes and stability improvements
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Web-for-Android.html | 13.07.22

Windows | Tunnel Win10 | 2.1.7 |
- General quality and performance improvements with no new features.
- PPAT-10732: Fixed automatic Tunnel connection issue on device unlock from sleep mode.
- PPAT-11689: Improved UDP port management to resolve niche server port exhaustion issue.
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Tunnel-for-Windows.html | 14.07.22

macOS | macOS Tunnel | 22.04.1 |
- Improved implementation of Device Traffic Rules for applications that natively cache IP addresses from DNS responses.
- Added Dark Mode support.
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/VMware-Workspace-ONE-Tunnel-for-macOS.html | 14.07.22

Backend | UAG | 2207 |
- Added SAML authentication for the Admin interface with the FIPS version.
- Added support for additional security settings required for NIAP/CSfC compliance.
- Provided additional security settings required to allow the FIPS version of Unified Access Gateway to be deployed with Photon OS DISA STIG compliance. DISA is the Defense Information Systems Agency and the Photon OS STIG is the published Security Technical Implementation Guide.
- Added further SSH hardening configuration options.
- Added setting to allow the Horizon Connection Server pre-login message to be skipped. This is often required when Unified Access Gateway is configured in a way that requires a Horizon user to authenticate with SAML or through VMware Workspace ONE first. In these cases, it is not appropriate to require the user to accept a pre-login disclaimer after they have already logged in.
- Updates to Photon OS package versions and Java component versions.
- Improved the Tunnel's vpnreport troubleshooting tool to include flow details based on device type and TCP/UDP, and a breakdown of most used apps.
https://docs.vmware.com/en/Unified-Access-Gateway/2207/rn/unified-access-gateway-2207-release-notes/index.html | 15.07.22
Recommendations on upgrade path from Horizon 7.13.x to Horizon 8.x version (85517)
- This article provides information on the upgrade path from Horizon 7.13.x to Horizon 8.x. To determine the right version, refer to the release date of the 8.x version. If the release date of the 8.x version is after the release of 7.13.x, the current environment can be upgraded.
- It is recommended to upgrade the existing Horizon 7.13.x to the correct version of Horizon 8.x. The below table illustrates the upgrade path:
- Note: The Composer feature has been deprecated in Horizon 8.x. If you wish to continue to use the Composer feature, it is recommended to remain on 7.13.x.
For more information on the upgrade path, refer to VMware Product Interoperability Matrix/Upgrade Path
- KB-Reference: https://kb.vmware.com/s/article/85517?lang=en_US&source=email
Workspace ONE applications should be updated to the latest version to utilize autodiscovery during enrollment. (88958)
- Workspace ONE applications including Hub, Boxer, Web, Content, and PIV-D using older versions cannot use email-based autodiscovery during enrollment and will fall back to manual enrollment screen with server URL and Group ID.
- The KB is to alert that Workspace ONE applications need to be updated to the latest Appstore versions to use email-based autodiscovery. If an older version of the applications is still used then autodiscovery will fail and the user is led to the manual enrollment screen with Server URL and Group ID and enrollment can still proceed from there.
- We have to rotate the SSL certificate on our autodiscovery server, discovery.awmdm.com. The new certificate is already embedded in our Workspace ONE SDK and consumed by all the Workspace ONE applications in advance. Any Workspace ONE application that is older than the fixed version as per the below table will not be able to use autodiscovery during enrollment but can still enrol using the manual enrollment screen with Server URL and Group ID.
- Fixed Versions in KB
- Any Workspace ONE application that is older than the fixed versions as per the table will not be able to use email-based autodiscovery during enrollment but can still enrol using the manual enrollment screen with Server URL and Group ID.
- KB-Reference: https://kb.vmware.com/s/article/88958?lang=en_US&source=email
Highlighting High Priority KBs
- HW-156875 - Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager) (88438)
CVE-2022-22972, CVE-2022-22973 have been determined to impact Workspace ONE Access (VMware Identity Manager). These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory - VMSA-2022-0014, please review this document before continuing
- Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971)
To align with Google’s strategy and ensure VMware’s investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console).
- [Action Required] Android Intelligent Hub 9.0.0.391 Cannot Check In (86083)
VMware will start requiring SNI in Workspace ONE UEM Dedicated SaaS environments starting January 16th, 2022. After this date, Android devices running Intelligent Hub 9.0.0.391 or lower may no longer communicate with Workspace ONE UEM. Affected devices may have to be re-enrolled with a supported version of Intelligent Hub.
- VMware Tunnel Proxy End of Support Life Announcement (87345)
VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023.
- VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
Recently updated and added KBs
Digital Workspace Techzone, Blog and YouTube Updates
3rd Party Blogs and Industry Updates
July Software Releases
Patch & Seed Script Updates Week28-2022
- OS Updates Seed Script
- Seed Script for latest Device Model Information
- Custom Script to Allow Android 12 enrollments into Workspace ONE UEM Console