VMware Digital Workspace Newsletter - Week 50

 

Week 50 -  2022             Weekly highlight:   Workspace ONE Access Services updates New Admin Console Navigation Enabled for All Customers The Workspace ONE Access console has been migrated to the new navigation for all users. The toggle to revert to the older navigation will be removed from the console header for all customers. For an overview of the changed console, see the Workspace ONE Access Console Features and Settings topic, Navigating in the Workspace ONE Access Admin Console section. Updated Workspace ONE Access Cloud Default Password Policy for Local Users As VMware is committed to the highest security standards, Workspace ONE Access is hardening the default password policy for local users. The change impacts password length and number of numerical and special characters. Complexity requirements are enforced when passwords are changed or created. This update is applicable only to customers who use the default password policy for local users that are created in the Workspace ONE Access console. Shift-Based Access Control in Workspace ONE (in Tech Preview) The Shift-Based Access Control feature is available now as a Tech Preview. Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. In the Workspace ONE Access console, you can configure Shift-based Auth as an authorization method to manage when workers can launch specific Workspace ONE Access federated applications based on whether the worker is on-shift or off-shift. This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working. The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature. Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later. For more information, refer to this Release Notes   Workspace ONE Hub Services updates  Desktop Encryption Recovery Key Can Be Retrieved from Hub Support Tab Users can retrieve their desktop encryption recovery key from the Support tab in Workspace ONE Intelligent Hub for their macOS or Windows device. To enable this capability for end-users, admins should navigate to the Employee Self-Service tab in the Hub Services admin console and enable Encryption Recovery Key under Device Self-Service.  Note: This is currently supported on Hub Web portal and Windows Hub. This requires Workspace ONE UEM version 22.10 or later. For You Notification Hub Deep Links Support from Hub Services Admin Console Admins can add a Workspace ONE Intelligent Hub deep link to a notification action from the Hub Services admin console. When configuring an actionable notification, admins should select the Open In action button and provide the Hub deep link. When users click on that For You action, they will be brought to the Workspace ONE Intelligent Hub app view that the deep link directs to. Note: Hub deep links are currently only supported on Hub iOS and Android devices. Please refer to their documentation for more information about Hub deep link support. Shift-Based Access Control in Workspace ONE (in Tech Preview) The Shift-Based Access Control feature is available now as a Tech Preview. Shift-Based Access Control enables customers to configure Hub Services capabilities to be available when a shift-based worker is known to be working. This version of Shift-Based Access Control leverages working status information from customers’ WorkJam or Kronos time keeping systems and enables configurable restriction of Workspace ONE Intelligent Hub features such as notifications, app entitlements, and single sign-on when the user is not deemed to be working. The Shift-Based Access Control Tech Preview is an opportunity for you to preview the feature and give us feedback and functionality suggestions. This feature is not fully supported and cannot be used in a production environment. You can install the tech preview in your test environment. Please reach out to your Account team if you would like to enable this feature.   Note: This version of Shift-Based Access Control supports integration with WorkJam or Kronos time keeping systems and requires Workspace ONE Experience Workflows, Hub Services (Cloud only), Workspace ONE Access (Cloud only), Workspace ONE Intelligent Hub for iOS 22.08 or later, and Android 22.11 or later. For more information, refer to this Release Notes.               VMSA-2022-0032 - Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701) Impacted Products VMware Workspace ONE Access (Access) VMware Identity Manager (vIDM) VMware Cloud Foundation (Cloud Foundation) Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products. VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2. A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system. To remediate CVE-2022-31700, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Find all details in linked VMSA. Also review: HW-165708 - Patch instructions to address CVE-2022-31700 and CVE-2022-31701 in Workspace ONE Access Appliance (VMware Identity Manager) (90399)   KB Highlights FAQ: Workspace ONE UEM App Publish Behavior (90400) This article discusses frequently asked questions regarding app publish behavior in Workspace ONE UEM. How App Publish works? When you publish an application, the process could be broken down into these major steps: First we saves your Smart Group (SG) Assignment Detail. This tells us which SG is mapped to the concerned application and what deployment parameters are set (e.g. "Auto/On-demand", "Make app MDM Managed if user installed", ..., etc). Then we reconcile the assignment mappings. This step is to calculate and update all Device to Application mappings. Finally we call an app sync to determine the action we need to perform on each assigned/mapped device, whether to: associate a VPP license, or queue an InstallApplication command, or queue an UninstallApplication command, or send a Google EMM API, or send app config, ..., etc The app sync's evaluation logic is based on: assignment mappings device app inventory info (app samples) deployment parameters All details in KB.   Dashboard alerts for unrecognized requests for XML Api protocol connection in Horizon 2209 (8.7) (90398) UI dashboard displays alert for unrecognized requests for XML API protocol connection. But there is no impact on the user's session. Logline similar to below is seen in the Horizon Connection Server logs: [ConnectionServerHandler] Incrementing the warning count : Reason : unrecognized request detected This is caused when a user is trying to connect to the connection server with an expired session cookie. These alerts are harmless and can be ignored.   Samsung S22 Android 13 Devices Cannot Enroll into Work Profile (90418) An issue has been discovered where Samsung S22 devices running Android 13 are unable to enroll into Work Profile mode. The user will see an error during Work Profile creation and will not be able to complete enrollment. The issue is caused by an older Google Play System Update running on the device. Please follow the resolution step below to update your device. Users will be unable to enroll devices into Work Profile mode. UPDATE 12/14:  Users may be able to resolve the issue by installing the "Android Device Policy" application from the Google Play Store: https://play.google.com/store/apps/details?id=com.google.android.apps.work.clouddpc  UPDATE: The below steps will correct the issue for some carrier variants of the S22 Ultra, such as Verizon, but it is not working for all S22 devices.  The article will be updated as more information becomes available. Users must perform a Google Play System Update.  On the device, navigate to Settings > About phone > Software Information and tap Google Play system update.  Update the device, and it will prompt to reboot.  Users may need to do this several times to ensure the device is on the latest update. After the Google Play system updates have been applied, users can proceed with Work Profile enrollment.   Hub Services App Catalog toggles will no longer determine if Hub Services is enabled or disabled on Intelligent Hub (90420) This article is relevant to customers who have Hub Services with any features configured and are using Intelligent Hub on iOS, Android, macOS and Windows. Today in the App Catalog page of the Hub Services admin console, if the app catalog toggle is disabled for a platform, Intelligent Hub will disable all Hub Services tabs/features (e.g. Apps, Favorites, People, Custom Tab, For You, Support tabs, etc.) and only the Account page will be displayed on those devices.  Hub Services and Intelligent Hub Clients will be making changes to the App Catalog toggles such that the toggles will no longer determine whether only the Account page should be shown. With this update, when the toggle is disabled, the app catalog will not show for that platform and if the toggle is enabled, the app catalog will show for that platform. Other tabs will not be impacted here. For new Intelligent Hub versions When the app catalog toggle is enabled, Intelligent Hub will show the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub. When the app catalog toggle is disabled, Intelligent Hub will hide the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub. For older Intelligent Hub versions, Intelligent Hub will maintain today’s behavior.  When the app catalog toggle is enabled, Intelligent Hub will show the app catalog tab. Other Hub Services features that are enabled will continue to be shown in Intelligent Hub. When the app catalog toggle is disabled, Intelligent Hub will only show the Account page and other Hub Services features that are enabled will not be shown. Both old and new Intelligent Hub versions’ behavior will be determined by the same app catalog toggle. Users and devices assigned a template with app catalog settings will also reflect this updated behavior. Note: Intelligent Hub iOS will be first to make this change in Q1 2023. Please refer to each Intelligent Hub client’s release notes for when this change occurs. For customers who wish for all Hub Services features to be disabled on a platform for newer client versions, please ensure that the app catalog and all other features (Notifications, Custom Tab, Employee Self-Service, People, etc.) are disabled from the Hub Services Admin Console before Intelligent Hub Client changes occur.   Highlighting High Priority KBs HW-156875 - Patch instructions to address CVE-2022-22972, CVE-2022-22973 in Workspace ONE Access Appliance (VMware Identity Manager) (88438) CVE-2022-22972, CVE-2022-22973 have been determined to impact Workspace ONE Access (VMware Identity Manager).  These vulnerabilities and their impact on VMware products are documented in the following VMware Security Advisory - VMSA-2022-0014 , please review this document before continuing Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971) To align with Google’s strategy and ensure VMware’s investment in the right long-term solution for Android, as of March 31st, 2022, VMware will no longer support device administrator-based management on Android (referred to as Android (Legacy) in the Workspace ONE UEM console).  VMware Tunnel Proxy End of Support Life Announcement (87345) VMware is announcing End of Support Life for the Tunnel Proxy component of the VMware Tunnel solution. This will be effective January 30, 2023. VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243) Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).   Recently updated or added KBs (Links) AAGNT-181079: Hub does not prompt end users to set new passcode on Android 8.0 devices (50121265) How to switch provisioning scheme for an Instant Clone Pool or Farm (81026) VDI users are unable to log in using SAML authentication (89890) Dashboard alerts for unrecognized requests for XML Api protocol connection in Horizon 2209 (8.7) (90398) VMware Horizon monthly top trending articles (2087257) VMware Workspace ONE UEM 2210 Shared SaaS and Latest Mode Deployment Schedule (80156) VC_FAULT_FATAL: An Index of Instant Clone Creation Errors returned by Vcenter (90411) VC_FAULT_FATAL - A Host Related Fault was thrown by the VC server Instant Clone Creation Error (90419) VC_FAULT_FATAL - A general system error occurred: Error in digest configuration The specified feature is not supported by this version (90415) VC_FAULT_FATAL: Cannot complete the file creation operation Instant Clone Creation Error (90412) VC_FAULT_FATAL - Unable to access the virtual machine configuration: Unable to access file [Datastore-Name] Instant Clone Creation Error (87884) VC_FAULT_FATAL: A specified parameter was not correct: spec.disk.backing.crypto Instant Clone Creation Error (90427) VC_FAULT_FATAL: The name already exists Instant Clone Creation Error (90426) VC_FAULT_FATAL - javax.xml.ws.soap.SOAPFaultException fault was thrown by the VC server Instant Clone Creation Error (90406) Limitations and Alternative Solutions with USB Redirection for Horizon 8 (90361) Redirecting a FAT32-format USB flash drive might take several minutes (1022836) Limitations and Alternative Solutions with USB Redirection for Horizon 8 (90361)   Digital Workspace Techzone, Blog and YouTube Updates Workspace Security and Digital Employee Experience, intertwined: Conclusions from VMware Explore 2022 Europe Amazon WorkSpaces Core with VMware Horizon Adding User Resources in VMware Horizon Cloud Service - next-gen Deploying Unified Access Gateways for VMware Horizon Cloud Service - next-gen Horizon Edge Gateway Deployment with VMware Horizon Cloud Service - next-gen Adding an Infrastructure Provider in VMware Horizon Cloud Service - next-gen Domain and Identity Configuration in VMware Horizon Cloud Service - next-gen Troubleshooting Windows Devices: Workspace ONE Operational Tutorial Compliance Integration with MS Office 365 using Workspace ONE Tunnel Elevating the VDI and DaaS experience with Digital Employee Experience Management for Horizon Compliance Integration with MS Office 365 using Workspace ONE Tunnel Horizon Cloud Service - next-gen Initial Setup & Configuration Workflow Zero Trust Network Access - Device Demos ZTNA Setup in Workspace ONE and Azure AD Zero Trust through Controlled Network Access - Architecture Understanding Windows Group Policies: VMware Workspace ONE Operational Tutorial Deploying Traditional Win32 Applications to Windows Devices: Workspace ONE Operational Tutorial   3rd Party Blog Updates & Industry News Mobile-Jon: Extending Okta Accounts to Workspace ONE via Just-in-Time Provisioning AskAresh: Install VMware Horizon Client using Winget Virtualization Blog: Configure Dynamic Environment Manager   VMware EUC Breakfast Briefings in January 2023 Jan 17: Employee Experience Jan 18: IT Experience Jan 19: Virtual Apps & Desktops Jan 20: Intrinsic Security Time: 8:15AM - 9:00 AM GMT Registration in German Registration in English   Patch & Seed Script Updates Week 50-2022 OS Updates Seed Script  Most recent update: iOS 16.2.0 (20C65), tvOS 16.2.0 (20K362), iOS 15.7.2 (19H218), macOS Ventura 13.1.0 (22C65) https://resources.workspaceone.com/view/rywydmj6ghb9nmch4ywq/en Last Update: CW50 Seed Script for latest Device Model Information Seed Script for latest Device Model Information ... Seed new ipad 10th generation device models https://resources.workspaceone.com/view/x8kn6bslt67vwvlgx4ld/en Last update: CW45   Workspace ONE UEM 21.05 Patch Level: 21.5.0.67 CMEM-186704: PowerShell failing: "User credential of the remote PowerShell server contains the special characters." https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html#21-5-0-66-patch-resolved-issues-resolved Last Update: CW39   Workspace ONE UEM 21.09 Patch Level: 21.9.0.47 AMST-37313: Device Identifier and UDID mismatch for any reason should not unenroll device. AAPP-14928: Cannot enable Device Assignment for certain VPP applications. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2109/rn/Workspace-ONE-UEM-2109-Release-Note.html#21-9-0-41-patch-resolved-issues-resolved Last Update: CW47   Workspace ONE UEM 21.11 Patch Level: 21.11.0.54 ARES-24023: Android Public Application assignment is not working as expected. AGGL-13505:Android Restriction "Allow user to modify Location Settings for Work Profile" not working. AGGL-13410: Unable to save entries in URLAllowlist / URLBlocklist for Chrome Browser Settings profile. Docs-Reference: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2111/rn/vmware-workspace-one-uem-powered-by-airwatch-2111-release-notes/index.html#resolved-issues-2111043-patch-resolved-issues Last Update: CW50   Workspace ONE UEM 22.03 Patch Level 22.3.0.36 AMST-37744: (P2P Branch-Cache) Peer to Peer download is not working. ARES-23911: Terms of Use page crashes in console. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2203/rn/vmware-workspace-one-uem-powered-by-airwatch-2203-release-notes/index.html#resolved-issues-223028-patch-resolved-issues Last Update: CW50   Workspace ONE UEM 22.06 Patch Level 22.6.0.20 UM-7779: AirWatch Purge expired Sample Data SQL job is failing. AMST-37720: (Factory Provisioning) Active Directory select is not working as expected. FCA-204392: Custom device activation template is not being sent to the devices that are enrolled through SSP. FCA-204431: Incorrect success message shows when changing the Organization Group of a device even when it is prevented by tenancy restriction. AMST-37746: (P2P Branch-Cache) Peer to Peer download is not working. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2206/rn/vmware-workspace-one-uem-powered-by-airwatch-2206-release-notes/index.html#resolved-issues-226011-patch-resolved-issues Last Update: CW50   Workspace ONE UEM 22.09 Patch Level 22.9.0.10 AAPP-15021: Increased DS memory usage after upgrade to 2209. AMST-37721: (Factory Provisioning) Active Directory select is not working as expected. AMST-37747: (P2P Branch-Cache) Peer to Peer download is not working. ARES-24026: Remove time taking DB script to update EventLog_UpdateCorrectEnrollmentUserInfo from Patches. RUGG-11642: Files downloaded from Files/Actions are empty after upgrade to 2206. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2209/rn/vmware-workspace-one-uem-2209-release-notes/index.html#resolved-issues-22904-patch-resolved-issues Last Update: CW50