VMware EUC Newsletter - Week 23

Weekly highlight:


What’s new in Apple platform deployment

Deployment and mobile device management (MDM) introduce new features for iPhone, iPad, Mac, and Apple TV devices. These updates, detailed below, include the following operating systems:

  • iOS 17
  • iPadOS 17
  • macOS 14
  • tvOS 17
  • watchOS 10

You can participate in testing these features using beta versions of the operating systems by signing up for AppleSeed for IT. For more information see the AppleSeed for IT website. For additional details about the features below, see the What’s New for Education and Enterprise WWDC23 documentation on the AppleSeed for IT website.

For more information, see the WWDC23 video What’s new in managing Apple devices.

Account-driven Device Enrollment

Account-driven Device Enrollment will make it easier for users to enroll their organization-owned iPhone, iPad, and Mac devices into management using their work account. The resulting enrollment is similar to profile-based Device Enrollment, but separates work and personal content. In macOS, it also enables supervision.

watchOS management

Apple Watch can be enrolled and managed by MDM when paired to a supervised iPhone, allowing organizations to create solutions that improve productivity, support wellness, and provide additional safety to their employees. Enrollment requires a declarative configuration on the iPhone and enables the use of configuration profiles, app management, MDM commands, and declarations.

Setup Assistant enforcements

To help ensure their requirements are met before a device is put into production, organizations using Automated Device Enrollment can require devices to have a minimum operating system version prior enrollment. On macOS, they can also enforce FileVault in Setup Assistant and require a user to enroll the Mac into management when registered in Apple School Manager or Apple Business Manager.

Managed Apple ID updates

Additional iCloud and Continuity services are enabled for Managed Apple IDs. This includes support for iCloud Keychain and Apple Wallet. New access management controls allow organizations to restrict access to specific services and define which management state a device should be in when a user signs in with their Managed Apple ID.

Passkeys at work

With the addition of iCloud Keychain and access management to Managed Apple IDs, organizations can securely deploy and enable password-less authentication for their internal services with passkeys.

Custom identity provider support for federation

To allow even more organizations to automatically create Managed Apple IDs, integration is supported with public and in-house identity providers supporting OpenID Connect, SCIM, and the OpenID Shared Signals and Events Framework.

Platform single sign-in (SSO) updates for macOS

With additions to platform SSO, developers can extend their SSO extension to create local user accounts on a shared Mac using credentials from an organizational’s Identity Provider (IdP). In addition, permissions and group membership of those users can be managed with MDM. This also extends to users managed by the IdP who don’t have a local account for use at authorization prompts.

Declarative device management updates

Software update management is added to declarative device management and provides new options for when and how an update should be enforced, including increased transparency to the user. New declarations also enable management of service configuration files for third-party—and the built-in system services on macOS—apache, bash, cups, pam, sudo, sshd, and zsh.

To make the transition even easier and more seamless, an MDM solution can migrate an already deployed configuration profile into a declarative legacy configuration without the need for redeployment and potential user disruption.

Managed Device Attestation for macOS

Managed Device Attestation is available on macOS and provides strong assurances about the security posture and properties of a device.

802.1X for Ethernet on iPhone, iPad, and Apple TV

iPhone, iPad, and Apple TV support the configuration of 802.1X for Ethernet to connect to restricted networks that require authentication.

Private 5G and LTE networks

iOS 17 and iPadOS 17 now support Private 5G and LTE networks. Administrators can automatically activate private SIMs when an iPhone enters a geofence and allows administrators to prioritize Cellular over Wi-Fi for these networks.

5G Network Slicing

5G Network Slicing allows mobile network operators to customize traffic through a 5G Standalone network with specific quality of service requirements for network latency, throughput, and packet loss.

In addition, managed apps can be assigned to a 5G network slice provided by supporting carriers. This can be used to provide specific quality of service parameters to the app when using one of the following models:

  • All iPhone 14 and iPhone 14 Pro models
  • iPad Pro 11-inch (4th generation)
  • iPad Pro 12.9-inch (6th generation)

Network relays in iOS, iPadOS, macOS, and tvOS

A new built-in relay can be used to secure traffic using an HTTP/3 or HTTP/2 tunnel as an alternative to VPN. The configuration is domain-based and can be applied to managed apps, domains, or the entire device.


WWDC 2023 sessions to watch


You can participate in testing these features using beta versions of the operating systems by signing up for AppleSeed for IT. For more information see the AppleSeed for IT website. For additional details about the features below, see the What’s New for Education and Enterprise WWDC23 documentation on the AppleSeed for IT website.

For more information, see the WWDC23 video What’s new in managing Apple devices.

Press release articles:





Upcoming EUC Events 



Start Date


Intel® Vision 2023 - Amsterdam



GID & VMware on Tour - Cologne



Workspace ONE - What is DEX?



vEUC TechCon (NL)



How to Optimize Your XR Device Deployments with Workspace ONE



German UserCon - Frankfurt



VMware Explore US



Apps on Demand: Mastering the Eight Activities of Modern App Management


UPCOMING: Look out for your invitation to the next VMware EUC Tech Insight Session!

VMware Explore EU




Release Updates Week 23: 



Workspace ONE Intelligent Hub for iOS 23.05


Workspace ONE Intelligent Hub for Android 23.05 (staged)

  • Hub FAQ integration: Users now have access to Hub FAQ (frequently asked questions) from within the Hub app to get any product help or information about the various capabilities of Hub. Users can get access to the FAQ from the 'Get Help' option on the account page.
  • Due Alerts for Notifications: Notifications that require end-users' attention and have a due date are now marked with a due alert icon along with the information about the time remaining for the user to take action on the notification. This helps to visually indicate to the users that they need to either take an action or acknowledge the notification soon.
  • Support for Workspace ONE Mobile Threat Defense Integrated Phishing and Content Protection (PCP) with Workspace ONE Tunnel: For more information see: https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-MTD/GUID-MTD-Overview.html
  • Disable Chrome on Devices running Android 9.0: Historically, organizations have only been able to suspend the Chrome application on Android 9 devices through the "Allow Chrome Browser" setting in Restrictions Profiles. However, doing so prevents the Android System Webview from receiving updates. Organizations can now completely disable Chrome on Android 9 devices by setting an additional flag during device enrollment. Supported for Fully Managed and COPE devices. This allows Android System Webview to be updated. For more information, see https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Android_Platform/GUID-AndroidEnrollmentAdditionalEnrollmentFlags.html
  • Bug Fixes


EUC UX Research Updates & Opportunities   

Our goal is to gather insight into user behaviors, motivations, and goals, so we can use those insights to inform and strengthen product and design decisions.

Upcoming Opportunities - Who Wants To Join?

Interested in giving your opinion and making your voice heard? Check out what’s available!

  • WS1 Intelligence & Experience Mgmt/DEX: LANDING PAGE REFRESH 
    • Check out and test the usability of a new design for a landing page and tell us what you think about it
    • 45-minute 1x1 conversation via Zoom
    • Relevant for: WS1 Intelligence Admins
    • Fielding: Mid-June
    • Admins will receive VMware swag upon completing the 1x1 Zoom conversation!


    • Tell us about how you evaluate your IT environment and what metrics you want to compare with peers; also get a sneak peek at a potential new tool in this space
    • 60-minute 1x1 conversation via Zoom
    • Relevant for: WS1 Intelligence and/or DEEM/DEX Admins
    • Fielding: the week of 6/12
    • Admins will receive VMware swag upon completing the 1x1 Zoom conversation!



KB Highlights & Announcements Week 23:  

Workspace ONE UEM enrolled devices are getting enterprise wiped automatically on iOS 17 Beta 1 (92815)

  • Once the Workspace ONE UEM enrolled iOS mobile devices are upgraded with iOS 17 Beta 1, the Workspace ONE mobile SDK is auto-detecting these devices as compromised and performing the enterprise wipe. This process erases all enterprise data from these devices and un-enrols them from the system. 


Workspace ONE UEM : Windows 2012 + 2012 R2 (End of General Support for SaaS) (92774)

  • We have identified that specific versions of Microsoft's Windows Server OS will not meet the minimum technology and security requirements for the Workspace ONE UEM SaaS platform. As such, VMware will deprecate Workspace ONE UEM SaaS platform support for the following versions of Microsoft software: Windows Server 2012 R2 (and lower).


Activation Time and Grace Period for Horizon Subscription License in Horizon Cloud Service (92788)

  • This article provides information about the activation time required for a Horizon subscription license and discusses the grace period in the event of license synchronization failure between the Horizon pod and the cloud control plane. It also highlights the flexibility of using Horizon subscription licenses with a pod, even if no cloud-hosted services are utilized.


On macOS, in some cases removing a Credentials or SCEP payload containing Identity Preferences may not remove the certificate from the device (92832)

  • This issue specifically affects scenarios where a Credentials or SCEP payload is deployed to macOS devices if an Identity Preference is also specified in the format of a webpage or URL. In some cases, if the profile is deployed to a device and later removed, the certificate itself may still be present on the device.


Unable to load certain websites with Workspace ONE Web 23.04/23.05. New tab shows about://blank (92840)

  • Workspace ONE Web has recently updated the user agent to resolve hard dependency on system web view ... VMware Workspace ONE Unable to load certain websites with Workspace ONE Web 23.04/23.05.


AAGNT-196924: Disable Hub instance in personal side with Application Level Enablement API (92575)

  • Administrators can normally block Android applications from being automatically updated through the Play Store via:
    • The Public App Auto Update Profile, which acts as a global policy for all applications on the device
    • The Auto Update Priority setting that is set during assignment of Public Apps, which is a per-application setting.
  • On Android Work Profile (BYOD) devices running Intelligent Hub 23.03 and lower versions, these restrictions fail to prevent Android Intelligent Hub from being updated automatically.
  • This issue does not affect corporate-owned Android devices enrolled in COPE (Corporate Owned Personally Enabled) and Work Managed modes. 


High Priority KBs  

  • VMware Workspace ONE UEM New Control Plane SaaS Deployment Schedule (86243)
    Workspace ONE UEM has undergone a complete re-architecture to modernize the platform using microservices and containers to enable increased scalability and performance and increase the rate of innovation. Now after having conducted significant and careful testing, these architecture updates, including a new control plane, will be deployed to UEM SaaS environments over the next several weeks, with options available to on-premise customers after this roll-out (Later in 2022).
  • Support Access Policies for Customers with Expired SaaS EUC Licenses (89494)
    In alignment with VMware's Corporate Standards and those of the industry as a whole, VMware customers who have purchased SaaS (Software-as-a-Service) licenses for EUC (End-User Computing) products can expect the behavior outlined in the KB regarding Support access when their subscription has a status of Active Pending Cancellation or Expired/Cancelled.


Recently updated or added KBs (Links)  


Digital Workspace Techzone, Blog and YouTube Updates  


3rd Party Blog Updates & Industry News  


June Software Releases  





Release Date




Release Notes





Release Notes





Release Notes





Release Notes



Patch & Seed Script Updates Week 23-2023