VMware Digital Workspace Newsletter - Week 50

Week 50 - 2022

Weekly highlight:

 

Workspace ONE Access Services updates

New Admin Console Navigation Enabled for All Customers

  • The Workspace ONE Access console has been migrated to the new navigation for all users. The toggle to revert to the older navigation will be removed from the console header for all customers. For an overview of the changed console, see the Workspace ONE Access Console Features and Settings topic, Navigating in the Workspace ONE Access Admin Console section.

Updated Workspace ONE Access Cloud Default Password Policy for Local Users

  • As VMware is committed to the highest security standards, Workspace ONE Access is hardening the default password policy for local users. The change impacts password length and number of numerical and special characters. Complexity requirements are enforced when passwords are changed or created. This update is applicable only to customers who use the default password policy for local users that are created in the Workspace ONE Access console.

Shift-Based Access Control in Workspace ONE (in Tech Preview)

  • The Shift-Based Access Control feature is available now as a Tech Preview.
  • Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. In the Workspace ONE Access console, you can configure Shift-based Auth as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift.
  • This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working.
  • The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature.
  • Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later.

For more information, refer to the Release Notes.

 

Workspace ONE Hub Services updates

Desktop Encryption Recovery Key Can Be Retrieved from Hub Support Tab

  • Users can retrieve their desktop encryption recovery key from the Support tab in Workspace ONE Intelligent Hub for their macOS or Windows device. To enable this capability for end-users, admins should navigate to the Employee Self-Service tab in the Hub Services admin console and enable Encryption Recovery Key under Device Self-Service.
  • Note: This is currently supported on Hub Web portal and Windows Hub. This requires Workspace ONE UEM version 22.10 or later.

For You Notification Hub Deep Links Support from Hub Services Admin Console

  • Admins can add a Workspace ONE Intelligent Hub deep link to a notification action from the Hub Services admin console. When configuring an actionable notification, admins should select the Open In action button and provide the Hub deep link. When users click on that For You action, they will be brought to the Workspace ONE Intelligent Hub app view that the deep link directs to.
  • Note: Hub deep links are currently only supported on Hub iOS and Android devices. Please refer to their documentation for more information about Hub deep link support.

Shift-Based Access Control in Workspace ONE (in Tech Preview)

  • The Shift-Based Access Control feature is available now as a Tech Preview.
  • Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working.
  • The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature.
  • Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later.
  • For more information, refer to the Release Notes.

VMSA-2022-0032 - Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701)

  • Impacted Products
    • VMware Workspace ONE Access (Access)
    • VMware Identity Manager (vIDM)
    • VMware Cloud Foundation (Cloud Foundation)
  • Multiple vulnerabilities were privately reported to VMware. Updates are available to address these vulnerabilities in affected VMware products.
  • VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
  • A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system.
  • To remediate CVE-2022-31700, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' in the linked VMSA.
  • Find all details in the linked VMSA.
  • Also review: HW-165708 - Patch instructions to address CVE-2022-31700 and CVE-2022-31701 in Workspace ONE Access Appliance (VMware Identity Manager) (90399)

 

KB Highlights

FAQ: Workspace ONE UEM App Publish Behavior (90400)

  • This article discusses frequently asked questions regarding app publish behavior in Workspace ONE UEM.
  • How does App Publish work?
    When you publish an application, the process can be broken down into these major steps:
    • First, we save your Smart Group (SG) Assignment Detail. This tells us which SG is mapped to the concerned application and what deployment parameters are set (e.g. "Auto/On-demand", "Make app MDM Managed if user installed", etc.).
    • Then we reconcile the assignment mappings. This step is to calculate and update all Device to Application mappings.
    • Finally we call an app sync to determine the action we need to perform on each assigned/mapped device, whether to:
      • associate a VPP license, or
      • queue an InstallApplication command, or
      • queue an UninstallApplication command, or
      • send a Google EMM API, or
      • send app config, ..., etc
    • The app sync's evaluation logic is based on:
      • assignment mappings
      • device app inventory info (app samples)
      • deployment parameters
  • All details in KB.

 

Dashboard alerts for unrecognized requests for XML API protocol connection in Horizon 2209 (8.7) (90398)

  • The UI dashboard displays an alert for unrecognized requests for XML API protocol connections, but there is no impact on the user's session.
    A log line similar to the one below is seen in the Horizon Connection Server logs:
    [ConnectionServerHandler] Incrementing the warning count : Reason : unrecognized request detected
  • This is caused when a user is trying to connect to the connection server with an expired session cookie.
  • These alerts are harmless and can be ignored.

 

Samsung S22 Android 13 Devices Cannot Enroll into Work Profile (90418)

  • An issue has been discovered where Samsung S22 devices running Android 13 are unable to enroll into Work Profile mode. The user will see an error during Work Profile creation and will not be able to complete enrollment.
  • The issue is caused by an older Google Play System Update running on the device. Please follow the resolution step below to update your device.
  • Users will be unable to enroll devices into Work Profile mode.
  • UPDATE 12/14:  Users may be able to resolve the issue by installing the "Android Device Policy" application from the Google Play Store: https://play.google.com/store/apps/details?id=com.google.android.apps.work.clouddpc 
  • UPDATE: The below steps will correct the issue for some carrier variants of the S22 Ultra, such as Verizon, but it is not working for all S22 devices.  The article will be updated as more information becomes available.
    Users must perform a Google Play System Update.  On the device, navigate to Settings > About phone > Software Information and tap Google Play system update.  Update the device, and it will prompt to reboot. 
    Users may need to do this several times to ensure the device is on the latest update.
    After the Google Play system updates have been applied, users can proceed with Work Profile enrollment.

 

Hub Services App Catalog toggles will no longer determine if Hub Services is enabled or disabled on Intelligent Hub (90420)

  • This article is relevant to customers who have Hub Services with any features configured and are using Intelligent Hub on iOS, Android, macOS and Windows.
  • Today in the App Catalog page of the Hub Services admin console, if the app catalog toggle is disabled for a platform, Intelligent Hub will disable all Hub Services tabs/features (e.g. Apps, Favorites, People, Custom Tab, For You, Support tabs, etc.) and only the Account page will be displayed on those devices. 
    Hub Services and Intelligent Hub Clients will be making changes to the App Catalog toggles such that the toggles will no longer determine whether only the Account page should be shown. With this update, when the toggle is disabled, the app catalog will not show for that platform and if the toggle is enabled, the app catalog will show for that platform. Other tabs will not be impacted here.
  • For new Intelligent Hub versions
    1. When the app catalog toggle is enabled, Intelligent Hub will show the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub.
    2. When the app catalog toggle is disabled, Intelligent Hub will hide the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub.
  • For older Intelligent Hub versions, Intelligent Hub will maintain today’s behavior. 
    1. When the app catalog toggle is enabled, Intelligent Hub will show the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub.
    2. When the app catalog toggle is disabled, Intelligent Hub will only show the Account page and other Hub Services features that are enabled will not be shown.
  • Both old and new Intelligent Hub versions’ behavior will be determined by the same app catalog toggle. Users and devices assigned a template with app catalog settings will also reflect this updated behavior.
    Note: Intelligent Hub iOS will be first to make this change in Q1 2023. Please refer to each Intelligent Hub client’s release notes for when this change occurs.
  • For customers who wish for all Hub Services features to be disabled on a platform for newer client versions, please ensure that the app catalog and all other features (Notifications, Custom Tab, Employee Self-Service, People, etc.) are disabled from the Hub Services Admin Console before Intelligent Hub Client changes occur.

 

Highlighting High Priority KBs

 

Recently updated or added KBs (Links)

 

Digital Workspace Techzone, Blog and YouTube Updates

 

3rd Party Blog Updates & Industry News

 

VMware EUC Breakfast Briefings in January 2023

  • Jan 17: Employee Experience
  • Jan 18: IT Experience
  • Jan 19: Virtual Apps & Desktops
  • Jan 20: Intrinsic Security
  • Time: 8:15AM - 9:00 AM GMT

Registration in German
Registration in English

 

Patch & Seed Script Updates Week 50-2022