VMware EUC Newsletter - Week 19



Weekly highlight:




Education updates

VMware Horizon: Deploy and Manage [V8.8]

This five-day course gives you the hands-on skills to deliver virtual desktops and applications through a single virtual desktop infrastructure platform. You build on your skills in configuring and managing VMware Horizon® 8 through a combination of lecture and hands-on labs. You learn how to configure and deploy pools of virtual machines and how to provide a customized desktop environment to end-users. Additionally, you learn how to install and configure a virtual desktop infrastructure platform. You learn how to install and configure VMware Horizon® Connection Server™, VMware Unified Access Gateway™, how to configure a load balancer for use with Horizon, and how to establish Cloud Pod Architecture.

Audience: Tier 1 Operators, administrators, and architects for VMware Horizon
Length: 5 Days

Register Now

On Demand


VMware Workspace ONE: Advanced Integration [V22.x] – On Demand

In this course, equivalent to 5 days of training, you build on the foundations learned in VMWare Workspace ONE: Deploy & Manage to accelerate the advancement of your deployment and management systems with VMware Workspace ONE® UEM and VMware Workspace ONE® Access™.

Through a series of hands-on labs, simulations, and interactive lectures, you effectively evaluate your organization’s current practices and discover opportunities to target improvements in identity, authentication, and access management. Additionally, you learn the strategies and techniques necessary to construct an integrated management strategy, utilizing a comprehensive set of VMware Workspace ONE® services, including Hub Services, the Unified Catalog, Intelligence, and the API.

Audience: Workspace ONE UEM operators and administrators, account managers, solutions architects, solutions engineers, sales engineers, and consultants, Workspace ONE Access operators and administrators, account managers, solutions architects, solutions engineers, sales engineers, and consultants.

Register Now

VMware Horizon Cloud Service Next Gen on Microsoft Azure: Deploy and Manage

This five-day, hands-on training provides you with the knowledge, skills, and abilities to achieve competence in deploying and managing VMware Horizon® Cloud Services™ Next Gen on Microsoft Azure. This training also teaches you how to use the VMware Horizon Cloud administration console and Microsoft Azure portal. Through a combination of hands-on labs and interactive lectures, you learn how to import and manage images for VDI and RDSH assignments. You also learn how to configure and use the Universal Broker function, VMware App Volumes™, VMware Workspace ONE® Access™, and VMware Dynamic Environment Manager™ in the Horizon Cloud Service on Microsoft Azure deployment

Audience: Horizon Cloud Service on Microsoft Azure administrators, system integrators, account managers, solutions architects, solutions engineers, sales engineers, and consultants.

Register Now







Release Updates Week 19:

New Apple Builds Are Now Available.

New builds of the following software are now available:

  • iOS 16.5 RC (20F65)
  • iPadOS 16.5 RC (20F65)
  • macOS 13.4 RC (22F62)
  • watchOS 9.5 RC (20T562)
  • tvOS 16.5 RC (20L562)

For additional information, known issues, and installation instructions, please review the release notes available in Feedback Assistant and on the AppleSeed web portal.


Workspace ONE Intelligent Hub for Linux 23.04

  • Introduced new WS1HubtUtil command line options
    Added more device side command line options to improve troubleshooting and enhance end user visibility.
  • Added Root Cert Deployment to the Browser Cert Store
    Now, when using Network Security Services (NSS) libraries, Workspace ONE UEM writes a root cert to Linux devices using Firefox and Chromium based browsers. NSS libraries are a prerequisite. Necessary components are automatically installed when using the Workspace ONE Intelligent Hub installer.
  • Private keys are encrypted by default
    When private keys are generated for Linux devices, they will be AES256 encrypted by default using the password configured in the certificate.
  • Enabled the Device Lock command
    Use this command to lock a selected device, making it unusable until it's unlocked. Any signed in user must reauthenticate. If the user's credentials are valid, then they can log in.
    Note: This feature requires Workspace ONE UEM 2304. Workspace ONE UEM 2304 is scheduled for release early summer 2023.


Workspace ONE Intelligent Hub for Android 23.04 (STAGED)

  • Support for management of Zebra devices on Android 13
  • Configuration to hide Apps and Favorites Tab: Admins can now hide the Apps and/or Favorites tab in the Hub Android app if their use-case requires it, which was not supported earlier.  
  • Additional Device Attributes: The end users can now view additional device information like device model, device name, enrollment date, etc. for each of their enrolled devices from the device details screen. This features make it easy for the end users to share this information with their IT support when diagnosing/debugging an issue.  
  • Ability to Install Web Clips: Hub apps catalog now supports installing a web clip on to the user's device for faster access to the web application. 
  • Bug Fixes


Workspace ONE Launcher for Android 23.04 (STAGED)

  • Device check-In when device is docked in Guest Mode
    • As part of our continued efforts to enhance Launcher Guest Mode, we are extending the capability for a device to check-in when it is docked. Please note this requires Hub version 23.04.
  • Added Vendor Mode
    • We have introduced another mode called Vendor Mode. This mode works exactly the same as Guest Mode and allows a different user to login that do not have credentials to login normally, or through Guest Mode.
  • Bug Fixes


Workspace ONE Tunnel for Android 23.01

  • Session MFA - Technical Preview
    We are happy to announce an exciting update to our Workspace ONE Tunnel solution. Workspace ONE Tunnel on Android now supports Session MFA with SAML in Managed Mode.
    To facilitate user-interactive authentication for Tunnel, in addition to the existing certificate-based authentication, VMware is pleased to extend our Session Authentication feature to the Android Tunnel client in Managed mode. This leverages your enterprise Identity Provider where you may also configure additional entitlement restrictions and Conditional Access policies.
    Session MFA is available for the Windows client in both Managed and Unmanaged modes and for the macOS client in Unmanaged mode. 
    This feature is also in Technical Preview for the iOS client in Managed mode. 
  • Workspace ONE Mobile Threat Defense - Integrated Phishing & Content Protection
    This Tunnel release supports a new feature, Phishing and Content Protection, which will be made available as part of the upcoming Android HUB release.
  • Resolved Issues:
    • PPAT-13666: Fixed printer plugin issue on Android 12 and higher devices


Workspace ONE Intelligent Hub for iOS 23.04

  • Ability to Hide the Apps & Favorites Tabs
    • We are removing the requirement to have the Apps tab enabled when customers would like to use Hub Services. Previously admins had to enable the Apps tab in order to enable Hub Services and any of the other tabs (Favorites, People, For You, Support, Custom, etc)
    • We are introducing the ability for customers to enable the tabs that they need for their specific use cases.
    • To hide the Apps and/or the Favorites tab, turn off the toggles in the Hub Services console for those tabs.
    • If you have any of the other tabs configured like People, For You, Support etc., those other tabs will show without the Apps and Favorites Tab needing to be shown.
  • Encryption Recovery Key
    • In this release we are bringing the ability for end users to get their Encryption Recovery Key for their macOS (FileVault) and Windows (Bitlocker, etc) devices from their mobile device.
    • To use this functionality, please view your Mac or Windows device from your support tab and tap on the Encryption field.
    • This must be enabled by your admin
  • Mobile Threat Defense Improvements
    • Improved threat detection and notification mechanisms for Workspace ONE Mobile Threat Defense


EUC UX Research Updates & Opportunities 

Our goal is to gather insight into user behaviors, motivations, and goals, so we can use those insights to inform and strengthen product and design decisions.

Upcoming Opportunities - Who Wants To Join?

Interested in giving your opinion and making your voice heard? Check out what’s available!

  • Digital Employee Experience Workspace: Device Profile / Timeline
    • Play with a prototype of a NEW design for Device Profile. How easy is it to use? What is missing?
      • Feature that introduces a timeline to view events/history like application usage, system errors, and network activity, so Admins have a more complete picture of a device’s behavior/performance
    • 60-minute 1x1 conversation via Zoom
    • Relevant for:
      • Admins involved in Helpdesk/ServiceDesk
      • Admins using Digital Employee Experience (DEEM, Surveys, Insights, etc.)  
    • Fielding: Week of 5/15
    • Admins will receive VMware swag upon completing the 1x1 Zoom conversation!



KB Highlights & Announcements Week 19:

AGGL-14089 : Application status is stuck at 'Installing' on the hub catalog once the apps are uninstalled from the zebra devices (92275)

  • The current situation is that when we uninstall the application from the device end, on the hub catalog we can see the status of the application as 'Installing';
    The status does not come to the normal state until device synchronization happens (The time interval is located “Setting \ Devices & Users\ Android \ Intelligent Hub Settings).


Impact of Microsoft security update (KB5008383) on Instant clones (92215)

  • This Microsoft update (KB5008383) will impact the User account used for instant clone operations. If this account does not have domain administrator rights in the active directory, then computer account creation will be blocked when Microsoft activates the enforcement mode (currently planned for Jan 2024).
    If you have applied this update, please monitor the Directory Service event log for 3044-3056 events on domain controllers as suggested by Microsoft. Any logged events indicate that a user might have excessive privileges to create computer accounts with arbitrary security-sensitive attributes. 


[AAGNT-197206] Android 10- COPE devices lose communication with Workspace ONE UEM (92308)

  • With Android Intelligent Hub 23.03, devices running Android 10 or lower and enrolled in Corporate Owned Personally Enabled mode may lose communication with Workspace ONE UEM. Affected devices can no longer report updated device information to Workspace ONE UEM, and administrators will be unable to take further administrative actions on these devices. Devices must be re-enrolled in order for communication with Workspace ONE UEM to be re-established. This can affect both new COPE Android 10- devices enrolled using Intelligent Hub 23.03 and existing ones upgraded to this version.


Workspace ONE Intelligent Hub for Linux auto-upgrade fails in v23.04 (92320)

  • Version 22.06 of the Workspace ONE Intelligent Hub for Linux introduced the option for enrolled devices to periodically check for a new version and upgrade if/when one is available. In version 23.04 (build of the WS1 Intelligent Hub there is a bug that prevents this functionality from working correctly.


Important information regarding Zebra Android 13 Update (91896)

  • On Zebra Android SDM660 platform device models, during the update to Android 13, an Enterprise Reset is performed by the device.  If Workspace ONE UEM enrollment is not backed up and persisted properly on the device, then enrollment data will be wiped after the upgrade, and the devices will need to be re-enrolled.

Additionally, StageNow enrollment barcodes generated through Workspace ONE UEM are not yet compatible with Android 13 (all Zebra models).  


High Priority KBs

  • VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
    Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
  • Support Access Policies for Customers with Expired SaaS EUC Licenses (89494)
    In alignment with VMware's Corporate Standards and those of the industry as a whole, VMware customers who have purchased SaaS (Software-as-a-Service) licenses for EUC (End-User Computing) products can expect the behavior outlined in the KB regarding Support access when their subscription has a status of Active Pending Cancellation or Expired/Cancelled.
  • Supported Operating Systems, Microsoft Active Directory Domain Functional Levels, and Events Databases for VMware Horizon 8 (78652)
    Hybrid Domain Join:
    We are pleased to announce the testing phase for hybrid domain join has been completed and all Horizon 8 editions now support Hybrid join with the caveats outlined below
    • Horizon 8 now supports hybrid Microsoft AD / Azure AD - virtual desktops can now join both MSFT AD and AAD for unmanaged machines, automated full clones and instant clones.​​​​​​​
      • Prompt Azure PRT issuance: Azure PRT on VDI desktops enables end users to SSO into Azure AD assigned applications, hence timely issuance of Azure PRT is important.
        • Recommendation for Instant Clone Performance - ADFS: Azure Primary Refresh Token (PRT) issuance is much quicker (of the order of 2-3 minutes) when on-prem AD is connected to Azure AD using ADFS as compared to Azure AD Connect
        • Recommendation for persistent clones: Both ADFS and Azure AD Connect methods of connecting on-prem AD to Azure AD are suitable.
      • Hybrid Join Certificates are handled outside of the Horizon Suite by the chosen connectivity mechanism (ADFS or Azure AD connect)


Recently updated or added KBs (Links)


Digital Workspace Techzone, Blog and YouTube Updates


3rd Party Blog Updates & Industry News



May Software Releases





Release Date




Release Notes



Photon OS


Release Notes





Release Notes





Release Notes





Release Notes





Release Notes





Release Notes





Release Notes





Release Notes



Patch & Seed Script Updates Week 19-2023








  • Workspace ONE UEM 22.10
    • Patch Level
    • AAPP-15424: Post Console Upgrade from 22.06 to 22.09 VPP Assignment is not working as expected.
    • AAPP-15427: Beacon sample should trigger Device Info Sample but should not save OS data.
    • AMST-38336: Baseline compliance report generation on fully compliant devices refreshes the baseline policies and switches the status to Pending Install.
    • ARES-24501: Enterprise Application Repository is no longer able to add iTunes application.
    • FCA-204247: Console app pool is terminating with unhandled exception.
    • FCA-204891: Show success for change og of device even when it is prevented by tenancy restriction.
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2210/rn/vmware-workspace-one-uem-2210-release-notes/index.html
    • Last Update: CW10