VMware EUC Newsletter - Week 37


Weekly highlight:


Automated Device Enrollment fails on macOS 14 Sonoma if Custom Enrollment is disabled (94577)

  • When attempting an Automated Device Enrollment (formerly referred to as DEP enrollment) on macOS 14 Sonoma, enrollment will fail if the setting "Custom Enrollment" is disabled in the DEP Profile in Workspace ONE UEM.  When the device is first turned on and proceeds in the Setup Assistant to the "Remote Management" screen, the device will receive the error "Enrolling with management server failed." before user authentication takes place.

AMST-39683 - Workspace One UEM - Windows Autopilot enrollment fails to complete (stuck in Pending hub) (94496)

  • Windows enrollment to Workspace ONE UEM via Autopilot fails to complete.
    Symptoms can include, but are not limited to:
    1. Devices will successfully join the Azure AD tenant but will fail to complete enrollment to Workspace ONE UEM.
    2. Workspace ONE Intelligent Hub will not land on the device.
    3. Devices will show as 'pending hub' in the UEM console; as a result, assigned profiles, baselines, apps, etc. will not install.
    4. Other OOBE provisioning methods may also be affected.
    Affected Version(s):
    Workspace ONE UEM 2302+
  • The VMware product team is aware of the issue and is currently investigating.
  • Workaround in KB






Release Updates Week 37: 

Workspace ONE Content for iOS 23.09

  • Support additional number of tabs for viewing files
  • Support multiple attachments in MSG file


Workspace ONE Tunnel for iOS 23.06.1

  • Bug Fixes
    • PPAT-15009: Tunnel client prompts user for credentials on application launch.


EUC UX Research Opportunities   

  • Our goal is to gather insight into user behaviors, motivations, and goals, so we can use those insights to inform and strengthen product and design decisions.
  • Interested in giving your opinion and making your voice heard? Check out what’s available!
  • Bonus: We give VMware swag to Customers who participate 


KB Highlights & Announcements Week 37: 


HubUI fails to upgrade / install (94150)

  • The components of the HUB UI will fail to load on Windows Devices.
  • Adhering to the steps below will ensure a successful upgrade of the HUB UI, allowing it to load seamlessly and without encountering any problems.

  • Check if GPO is blocking the installation:
    • In Windows, search for Edit Group Policy, or right-click the Windows Key and select Run > type "gpedit.msc".
    • This opens the Local Group Policy Editor screen.
    • Go to Computer Configuration > Administrative Templates > Windows Components > App Package Deployment to check the settings for these policies:
      • Prevent non-admin users from installing packaged Windows apps
      • Allow all trusted apps to install


VMware Workspace ONE Intelligent Hub for macOS to end support for macOS versions prior to macOS 11 Big Sur (94552)

  • The upcoming release of Intelligent Hub 23.09 for macOS will be the final version of the Intelligent Hub to support macOS 10.15 Catalina. All versions of macOS 11 or greater will continue to be supported by the Intelligent Hub for macOS.  You can refer to the release notes of each Intelligent Hub version for specific macOS version support information.
  • Administrators who want to take advantage of features in future releases of Intelligent Hub for macOS must ensure that their macOS devices are running macOS 11 Big Sur or later.  
    Devices that are currently on macOS 10.15 Catalina will be able to continue using Intelligent Hub 23.09 or earlier.
    NOTE: There will not be any patches/updates to earlier versions of Intelligent Hub, and these should be used only as a stop-gap until devices can be upgraded to macOS 11 Big Sur or greater.



Autopilot Hybrid Join Best Practices (94477)

  • If you plan to deploy Windows devices with Autopilot Hybrid Join, follow the guidelines below. Any other configuration can cause deployment issues, timeouts, or errors.
    • Don’t deploy resources other than the Domain Join configuration and the VPN application / profile in the customer OG.
      Devices enrolled via Autopilot are always enrolled into the customer OG. If other resources are assigned to the device, the Autopilot Hybrid Join process might time out.
    • Pre-stage the VPN application.
      If your deployment requires a VPN connection because the end user is outside the company network, consider Drop-Ship Provisioning (Online or Offline) to pre-stage the VPN application.
      Due to Microsoft limitations in the Autopilot process, VMware Workspace ONE cannot wait for the VPN application installation. As soon as the Offline Domain Join blob is applied to the device, the device reboots.
      This might leave devices AD joined but without the VPN application installed, and they might need additional time and reboots to apply those changes.
    • Ensure the enrollment user is in the customer OG.
      If the enrollment user is not part of the customer OG, an additional user object might be created, or the deployment fails.
    • Turn off the Status Tracking Page.
      Autopilot Hybrid Join with VMware Workspace ONE does not support showing the status tracking page.
    • Disable all optional pages and Token enrollment.
      Due to a Microsoft bug, Autopilot Hybrid Join cannot show any additional pages, such as the MDM Welcome Screen or the Token request page.
    • Use VMware Workspace ONE Intelligence to move the device to the target OG.
      Due to the current design, devices are enrolled in the customer OG. To move the devices automatically to the target OG, consider VMware Workspace ONE Intelligence automations.
    • Delete AD computer objects before re-enrollment.
      If you are using a unique device serial number as the computer name in the Offline Domain Join configuration, you need to delete the AD computer object before re-enrolling the device.
      The current design does not support overwriting the existing AD computer object.



Beta, Lab and Tech Preview Updates 

Android Management API Feature - Beta Launch

  • Android Management API (AMAPI) is a new way of managing Android Enterprise devices. The way Workspace ONE supports Android Enterprise today is called Custom DPC. In it, Intelligent Hub acts as a Device Policy Controller (DPC) on the device or Work Profile.
  • In Android Management API, a native Android application called Android Device Policy serves as the Device Policy Controller (DPC) for the device or Work Profile. Workspace ONE UEM pushes device policies to Android Management API, which in turn transmits these policies to Android Device Policy to be applied to the device. For more information, please see the AMAPI Beta Tester Guide in the Early Access Community.
  • This Beta is a first step in Workspace ONE UEM fully supporting Android Management API. The first management mode which will be supported with AMAPI is Work Profile.


Intelligent Hub 23.10 for Linux (upcoming)

  • Ability to send a device wipe command
  • ws1HubUtil Enhancements
    • Added Linux symbolic link
    • Removed sudo requirement for status and version
    • Proper error handling if other commands aren't run with sudo permissions
  • Resolved Issues
    • LAGNT-706 Web enrollment fails when enrolling to serial number registered device OG
    • LAGNT-777 Update to latest version of SQLite
    • LAGNT-785 Remove cert password after profile install
    • LAGNT-786 After failure to install latest puppet, Hub defaults to puppet version 5
    • LAGNT-794 Add Priority field in debian control file
    • LAGNT-798 Remove Action for Apps is not being handled properly
    • LAGNT-802 Remove triggering profile list sample after profile install
    • LAGNT-804 Application packages are failing to download intermittently
    • LAGNT-808 Remove ApplicationType field in the app list sample
    • LAGNT-815 Token Based Authentication not prompting for token
    • LAGNT-818 Support Two Factor Token Authentication for Linux Hub enrollment
    • LAGNT-822 Fix Failure to remove /usr/bin/ws1HubUtil error message during Hub removal
    • LAGNT-823 Replace the deprecated ioutil package
    • LAGNT-824 Hub fails to process apps when fetching the profile resource fails
    • LAGNT-825 Remove usage of c libraries in processutil


WS1 Boxer 23.09 for Android 

  • Quality improvements and crash fixes
    • BINXA-18597 [Email] Inline images don't visualise correctly due to insecure links
    • BINXA-18824 [Calendar] Recurring event with end date 20 years from the current moment is not displayed correctly
    • BINXA-18878 [Configuration] The app gets stuck intermittently on launch screen when started for first time on specific environments


WS1 Boxer 23.09 for iOS

  • RSVP from email hero card redesign 
    • Users can now respond to their meeting invites with ease, thanks to a new, streamlined interface.
    • Meeting invites are now displayed directly in the visual scheduler, along with the rest of your events. This makes it easy to see all of your upcoming meetings at a glance and respond to the invite accordingly.
    • Users can now add reply messages on the same screen as the invite. This makes it quick and easy to accept, decline, or tentatively accept an invite and add a message with a single click.
  • Dynamic text size for email body
    • Users with vision problems will be able to read their emails without manually zooming in or out
    • Email body is resized following the user's device accessibility settings
  • Health Check Improvements
    • Users can be better informed about the state of their app and the actions they can take to resolve the issues they are facing by themselves
    • Push notifications health check is improved and made more actionable for the user
    • Check for throttling is now available. It will let users know if there are delays in the communication with the server and advise them about possible resolution steps
    • Zoom service health is also going to be tracked when adding of Zoom meetings is enabled for the users' organization.
  • Bug Fixes
    • BINXI-22525 [Calendar] Some UI elements are misplaced after tab switch and orientation change
    • BINXI-22542 [Calendar] Event reappears after cancellation when invitee responds to it
    • BINXI-22543 [Calendar] Fields are empty when editing an event with Teams Meeting
    • BINXI-22577 [Email] Some sensitivity labels appear as Default template and have not correct restrictions list
    • BINXI-22581 [Email Forward] Attachment is not included when forwarding email sent in rich text format from Outlook for Windows
    • BINXI-22582 [Calendar] An event disappears from the calendar when another event of recurring series is accepted
    • BINXI-22586 [Email SMIME] SMIME certificates cannot be fetched when the old ones are still valid
    • BINXI-22596 [Delegated Mailbox] Email fails to be sent when a delegate tries to forward an email from their main mailbox on behalf of the delegator
    • BINXI-22598 [Calendar] Events for different accounts or events in the same hour overlap in the calendar on iPad


Sign up or LogIn [HERE] to get access to the latest Beta versions.


September Software Releases 

  • Horizon Cloud Service Next Gen: Release Notes
  • App Volumes: Release Notes
  • VM Tunnel: Release Notes


Patch & Seed Script Updates Week 37-2023 



  • Workspace ONE UEM 22.06
    • Patch Level
    • AMST-39537: Workaround for Microsoft issue, breaking SFD installation.
    • CMEM-186888: Powershell script and Workspace ONE UEM side changes for EXO V3 Module.
    • SINST-176130: Install .NET Core 6 with UEM Installer.
    • PPAT-14516: .NET Core version upgrade to 6 for Tunnel Microservice.
    • CRSVC-40044: Only save public key component of certificate to database.
    • CRSVC-39363: Memcached uses only one server.
    • CRSVC-38315: Create non-clustered index on certificate table based on observations on Kroger.
    • RUGG-12322: Add Show Search bar toggle in the Layout widget.
    • CRSVC-40108: [Certificate Installer] Private key was not exportable in manual flow.
    • AGGL-15443: Unable to create Android profile with a time schedule, whose UUID is NULL.
    • AAPP-16309: False APNS notifications during Purchased App Sync.
    • AGGL-15326: Remove EFOTA sample from microservices.
    • AGGL-13376: Event data is empty for the Remove Application Requested event.
    • SINST-176171: Fixed issues with DDUI profile screen.
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2206/rn/vmware-workspace-one-uem-powered-by-airwatch-2206-release-notes/index.html#resolved-issues-226011-patch-resolved-issues
    • Last Update: CW37


  • Workspace ONE UEM 22.09
    • Patch Level
    • SINST-176170: Fixed issues with DDUI profile screen.
    • AGGL-15327: Remove EFOTA sample from microservices.
    • ARES-25473: App Publish for Android fails due to duplicate key error.
    • AAPP-16310: False APNS Notifications during Purchased App Sync.
    • AGGL-15440: Unable to create Android profile with a Time Schedule whose UUID is NULL.
    • ARES-26330: Inactive update profiles getting removed from machines automatically causing the devices unnecessary upgrade to Win 11.
    • CRSVC-40045: Only save public key component of certificate to database.
    • ARES-26449: Modify the sync sp to queue commands if not present when ADS Action ID is 1.
    • AGGL-15530: Google seems to have increased oAuthToken length (AndroidWorkSetting AccessToken got truncated)
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2209/rn/vmware-workspace-one-uem-2209-release-notes/index.html#resolved-issues-22904-patch-resolved-issues
    • Last Update: CW37


  • Workspace ONE UEM 22.10
    • Patch level
    • AAPP-16311: False APNS Notifications during Purchased App Sync.
    • AGGL-15328: Remove EFOTA sample from microservices.
    • AGGL-15445: Unable to create Android profile with a Time Schedule whose UUID is NULL.
    • AMST-39476: The default 'Read Only' Admin role to view the Baseline is not working.
    • AMST-39539: Workaround for MSFT issue breaking SFD installation.
    • CMCM-190662: Workspace ONE UEM console shows spaceman error when viewing security tab for most macOS devices.
    • CMEM-186890: Powershell script and UEM side changes for EXO V3 Module.
    • CRSVC-39278: Certificate password is null.
    • FCA-205773: AirWatchSSP is terminated with Unhandled Profile Installation Exception.
    • FS-2212: Not able to get the App in Edit workflow screen for the existing workflow.
    • INTEL-51754: Update current device enrollment user delta export to include delete operation.
    • MACOS-3991: MacOS profile repeatedly encounters Device Profile Corrupted error.
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2210/rn/vmware-workspace-one-uem-2210-release-notes/index.html
    • Last Update: CW37


  • Workspace ONE UEM 22.12
    • Patch Level
    • AMST-39540: Workaround for Microsoft issue, breaking SFD installation.
    • CRSVC-39277: Certificate password was null.
    • FCA-205774: AirWatchSSP was terminated with unhandled ProfileInstallationException.
    • INTEL-51755: Update current device enrollment user delta export to include delete operation.
    • AMST-39507: WNS disconnected for multiple Windows devices.
    • AAPP-16312: False APNS notifications during purchased app sync.
    • CRSVC-40110: Private key was not exportable in manual flow.
    • CMCM-190663: WS1 UEM console shows spaceman error when viewing security tab for most macOS devices.
    • AMST-39477: The default 'Read Only' Admin role to view the Baseline was not working.
    • AAPP-16315: Internal iOS app details display incorrect BundleID.
    • CMCM-190635: Managed content was not showing up on newly enrolled devices.
    • MACOS-4002: Unable to setup an admin account on a macOS device.
    • FCA-205680: Horizontal scroll missing for Organization Group picker.
    • RUGG-12326: Update the Linux pull service installer link within Settings > System > Enterprise Integration > Pull Service Installers.
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2212/rn/vmware-workspace-one-uem-2212-release-notes/index.html#Resolved%20Issues-
    • Last Update: CW37


  • Workspace ONE UEM 23.02
    • Patch Level
    • AAPP-16414: Home Screen Layout: Not all the apps are listed in the dropdown.
    • CMCM-190639: Uploading large file to external repositories fails.
    • ARES-26320: Device logs not uploaded to console.
    • ARES-26321: Incorrect version while creating copy of UEM profile.
    • AMST-39632: API 'MDM/devices/security' endpoint fails with 500 internal server error for some device
    • AMST-39613: Smart Group is not recognizing 32-bit devices from console v2212.
    • FCA-205976: Unable to send the Push Notifications/Email notifications using Bulk Management.
    • UM-8112: Increase ACC timeouts for directory service to 300 seconds.
    • AMST-39306: Arm x64 Agent is not getting installed on OOBE enrolled Windows devices.
    • CRSVC-39342: Unable to send custom commands.
    • RUGG-12432: Products are showing in progress after UEM upgrade.
    • RUGG-12327: Update the Linux Pull Service Installer Link within Settings > System > Enterprise Integration > Pull Service Installers.
    • UM-8318: Password spray against Workspace One UEM.
    • AAPP-16416: "East iOS GP and MobileConnect" profile is going to not installed state on many devices.
    • AGGL-15447: Unable to create Android profile with a Time Schedule whose UUID is NULL.
    • CRSVC-40111: [Certificate Installer] Private Key not exportable in Manual Flow.
    • CRSVC-39366: Memcached uses only one server
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2302/rn/vmware-workspace-one-uem-2302-release-notes/index.html#Resolved%20Issues
    • Last Update: CW37


  • Workspace ONE UEM 23.06
    • Patch Level
    • CRSVC-40112: Certificate Installer- Private Key not exportable in Manual Flow.
    • AGGL-15331: Remove EFOTA sample from microservices.
    • INTEL-51757: Update current device enrollment user delta export to include delete operation.
    • FCA-205645: Reset password for locked admin account is not working.
    • ARES-26030: Profile Installation status is not loading for profiles deployed to the entire environment.
    • CMCM-190665: Workspace ONE UEM console shows spaceman error when viewing security tab for most macOS devices.
    • PPAT-14872: Switch from AirWatch to Third party under Client Auth is broken.
    • AAPP-16388: iOS Device Updates Notification messages are automatically truncated.
    • CRSVC-39344: Unable to send custom commands.
    • CMCM-190685: Errors during blob sync/check status to CDN
    • https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2306/rn/vmware-workspace-one-uem-2306-release-notes/index.html#Patch%20Resolved%20Issues
    • Last Update: CW37





