EUC Newsletter - Week 4

Weekly highlight:

Cant miss these 3 EUC sessions next week!




Release Updates Week 04-24

New Apple Builds Are Now Available

New builds of the following software are now available:

  • iOS 17.4 Beta 1 (21E5184i)
  • iPadOS 17.4 Beta 1 (21E5184i)
  • tvOS 17.4 Beta 1 (21L5195h)

Additional content available:

Apple School Manager Beta Release Notes

VMware Horizon 8 2312

  • Horizon 8 2312 is an Extended Service Branch (ESB). Approximately once a year, VMware designates one VMware Horizon release as an Extended Service Branch (ESB). An ESB is a parallel release branch to the existing Current Releases (CR) of the product. By choosing to deploy an ESB, customers receive periodic service packs (SP) updates, which include cumulative critical bug fixes and security fixes. Most importantly, there are no new features in the SP updates, so customers can rely on a stable Horizon platform for their critical deployments. For more information on the ESB and the Horizon versions that have been designated an ESB, see VMware Knowledge Base (KB) article 86477.
    • Blast Secure Gateway

      • Blast Secure Gateway now supports the TLS 1.3 security protocol. This release drops support for TLS 1.0.

    • Virtual Desktops and Applications

      • Administrators can now use the Suspend Remote Machine Power Policy for NVidia vGPU enabled instant clone pools. This is enabled by ESXi which has support for suspend/resume power policies on VMs with Nvidia vGPUs.  Note only ESXi versions 6.7 or higher has this support.

      • Administrators can provide a method for launching a desktop or published application on a specific machine within the pool or farm, for testing and troubleshooting purposes.  To configure and use this feature, see the Desktops and Applications in Horizon 8 guide for details on the Allow Machine Name Selection setting, and the VMware Horizon Client for Windows guide for details on the -machineName command line option.

      • When scheduling maintenance for automated instant clone farms, and selecting the Wait for users to logoff option, Horizon will automatically disable RDS Hosts, thereby preventing new connections, to allow sessions to drain and maintenance to occur.  See the Schedule Maintenance for an Automated Instant-Clone Farm in Horizon topic in the Desktops and Applications in Horizon 8guide for more details.

      • Administrators can set the Used VM Policy setting in the UI within pool settings, eliminating the need for manual ADAM DB configuration, This will eliminate a desktop that is set to refresh or delete after logging off is reset, the desktop goes into the Already Used state, or possibly the Agent Disabled state.

      • The agent auto upgrade feature allows customers to automatically initiate upgrades without manual intervention. To utilize this feature, on-premises systems must have access to CDS servers. Customers without CDS access can establish their webserver, host the agent components, and then register the agent build with the connection server to upgrade agents in VDI/RDSH desktops.  This feature requires Horizon Plus or Horizon Universal License, and is available for Full Clone Desktops and RDSH Servers only.  To upgrade Horizon Agent in Instant Clone Desktop Pools or RDS Farms, upgrade Horizon Agent on the Golden Image and schedule maintenance to push the new image.

      • You can now configure a timeout value for the unprime task which is part of instant clone provisioning workflows. Use the new LDAP setting "cs-UnprimeImageTimeoutMins" to change the default timeout value of 30 minutes. This is useful in scenarios where you want to update the golden image on hundreds of vGPU-enabled instant clone VMs at the same time. This can lead to longer times for power on/power off operations resulting in extended duration of lock on a golden image during the unprime task and can cause a timeout error if the lock duration exceeds the current default of 30 minutes. Adjusting the timeout as needed can avoid such errors.

      • Horizon 8 now supports vSAN 8 Express Storage Architecture (ESA) for both full and instant clones.  For more information on vSAN 8 ESA, see the ESA FAQ.

    • Horizon Console

      • You can now personalize the reset client password message directly through the Connection Server Admin console. This enhanced feature allows administrators to tailor a specific message for end users attempting to reset their password, especially when the password policy requirements are not met.

      • Horizon 8 now provides a GUI for the forensics feature. This feature delivers Forensics Administrators user-related information and details on forensic actions directly within the machines section and is specifically designed for instant clone desktops.

    • Horizon Connection Server

      • Horizon Connection Server and Horizon Enrollment Server are no longer supported on Windows Server 2012 R2.  Please use Windows Server 2016 or later.

      • The Certificate Management feature now supports management of cluster level certificates ( from Horizon console. Earlier, this feature was limited to machine level certificates (vdm). With this addition, Admins can generate CSR and import CA-signed certificates into a certificate store on Connection Server. Admins can also view certificate information, export in-use certificates and delete certificates from Horizon console. This feature also adds a capability to temporarily remove certificates and then restore them when necessary allowing Admins to keep the certificates without permanently deleting them from the certificate store.

      • The tombstone-lifetime period for Horizon LDAP is decreased from 180 to 60 days for new and upgraded environments, thereby reducing the length of time that deleted objects remain in Horizon LDAP and improving replication performance.  This change affects both the local pod LDAP as well as the global LDAP used in CPA environments. For a description of the tombstone-lifetime attribute, see

    • Horizon Agent for Windows

      • DEEM agent integration was enhanced to support in-guest VM telemetry, including use cases for application resource utilization, usage, hang and crash information, and more.

      • Media Optimization for Microsoft Teams allow users to blur backgrounds, select effects, or select an available background image before or during a video call or meeting. Administrators can also specify a background image for users as part of a company mandate.

      • The TLS 1.3 security protocol is supported. This release drops support for TLS 1.0.

      • Horizon Agent no longer supports the Blast protocol EncoderSwitch. See for details.

      • Horizon Agent adds lossless support in the Blast protocol by introducing the Build to Lossless GPO setting and EncoderBuildToLossless registry key.

    • Horizon Agent for Linux

      • The new Easy Setup Tool ( simplifies the preparation of Linux machines by performing all required system configurations and agent installation steps.

      • The TLS 1.3 security protocol is supported. This release drops support for TLS 1.0.

      • Horizon Agent no longer supports the Blast protocol EncoderSwitch. See for details.

      • Horizon Agent adds lossless support in the Blast protocol by introducing the RemoteDisplay.buildToLossless configuration option in /etc/vmware/config.

    • Horizon GPO Bundle

      • You can configure file filter for drag and drop redirection when you set the group policy Configure file filter for drag and drop.

      • Blast uses build-to-lossless mode, which results in the highest display quality when you set the group policy Build to Lossless.

      • You can set the group policy Synthetic Keystroke Blocking to block client endpoints from sending potentially malicious, synthetic keystrokes to remote desktops and applications.

    • REST APIs

      Horizon 2309 release introduced a new variation of guest customization using sysprep where computer accounts are pre-created using Microsoft Sysprep and not by Horizon. This feature is useful for users facing instant clone customization errors in their multi-site and multi-domain environments as described in KB2147129. This release adds support for REST API for this feature.

Workspace ONE Tunnel for iOS 24.01

  • Trusted Network Detection:
    We are excited to introduce support for Trusted Network Detection for the iOS Tunnel client in managed mode starting with Workspace ONE UEM 2310.

    Trusted Network Detection is a mechanism by which the Tunnel client determines whether to establish a connection to the Tunnel Service based on the network the device is connected to. If the device is connected to a 'Trusted Network', the Tunnel client will not tunnel traffic.  For the iOS devices, the Tunnel application determines if the device is on an internal-Trusted network based on the device's ability to reach internal-trusted URLs as defined in the 'Trusted Network Detection' field within the iOS Tunnel profile. 

    See ‘How to configure Trusted Network Detection for the VMware Tunnel client’ for setup instructions.

  • Big Fixes

Workspace ONE Web for Android 23.12.1

  • Resolved Issues
    • ABRW-175689: Android Web does not show an actual favicon for specific Web pages on the bookmarks screen
    • ASDK-174978: Multiple ANRs from SDK related to OpenSSLCryptUtil
    • ASDK-174983: Black screen while opening Web app on Android 13 & 14 Devices
    • Localization bug fixes
    • Quality and performance enhancements

VMware EUC Security Advisories: 

--- no new EUC VMSA ---

EUC UX Research Opportunities  

  • Our goal is to gather insight into user behaviors, motivations, and goals, so we can use those insights to inform and strengthen product and design decisions.
  • Interested in giving your opinion and making your voice heard? Check out what’s available!
  • Bonus: We give VMware swag to Customers who participate (smile) 

Opportunity #1 

  • EUC Product/Feature: Horizon Cloud Service Next-Gen
  • Topic: Next Gen sends notifications/alerts within the app and via email – EUC Design wants to better understand how well that experience is going and whether those notifications are helpful. Do you want some muted or to opt-out of? Receive via Slack/Teams instead of email?
  • Opportunity Type: Variety of 60-minute, 1x1 conversations and focus groups via Zoom.
  • Sign Up Link: HERE

KB Highlights & Announcements Week 04-24: 

iOS 17.3 Stolen Device Protection blocks MDM Enrollment (96277)

  • iOS 17.3 introduces a new security feature for iPhone called Stolen Device Protection. Apple has designed this feature to add an extra layer of protection in the event an iPhone is stolen. 
    With Stolen Device Protection enabled, Face ID or Touch ID biometric authentication is required for certain actions and a delay will be imposed when changing critical security settings. 
    Stolen Device Protection is disabled by default. In order for Stolen Device Protection to be enabled, a number of requirements must be met. For more information on Stolen Device Protection and how to enable it, please refer to the Apple Support article, About Stolen Device Protection for iPhone

End of Support Life for VMware Workspace ONE Notebook (93850)

  • VMware is announcing the End of Support Life for the Workspace ONE Notebook application. This will be effective February 2nd, 2024. The support period will end on February 2nd, 2024, and the product will reach End of Support Life. Following this date, the Workspace ONE product team will not be servicing this product in any fashion. The app will be removed from Google Play, the App Store, and My Workspace ONE following the end of the support.

Enforcement of Enrollment Restriction Policies on Device Check-Out (96325)

  • Enrollment restriction policies configured as either Organization Group defaults or mapped to specific User Groups will now be enforced when end users check-out devices in a Check-in Check-out (CICO) scenario. In the past, these restrictions were applied only during the device staging process at enrollment, and they weren't enforced during the device check-out to end users. This posed security risks, allowing ineligible users to check-out devices and gain access to resources they were not entitled to.

Horizon View Agent html5server.exe will crash intermittently with New Teams 2.1 with Horizon View Agent versions below 8.11/2309 (95810)

  • Launching MS Teams 2.1 on a Horizon Agent Desktop will intermittently cause the html5server.exe process to crashThe logline will show minidump being written to html5server.dmp 

Horizon Blast Protocol : Deprecation of the Switch Encoder Feature from 2312 & onwards. (96214)

  • Users cannot see the VDI desktop they connect to over the blast protocol with a Horizon Desktop, typically seeing a white screen instead of the desktop when connecting with a Mac OS Client.
  • Using the SwitchEncoder for toggling between BlastCodec and H264 brings more downsides than upsides since both codecs are present in-memory all the time, increasing memory usage.
  • Screen Corruption and Artifacts may be seen with this enabled.
  • Users can accidentally toggle this feature leading to a subpar experience, using an incorrect codec for their situation

VMware Certified Advanced Professional – End-User Computing Design 2024

  • The VMware Certified Advanced Professional – End-User Computing Design 2024 (VCAP-EUC Design 2024) certification verifies an individual's advanced skills in designing VMware Horizon and VMware Workspace ONE solutions, including VMware Horizon, Workspace ONE, App Volumes, Unified Access Gateway, and other relevant solutions.  Job-roles associated with this certification include End-User Computing  architects and consultants.

High Priority KBs 

Recently updated or added KBs (Links) 

Digital Workspace Techzone, Blog and YouTube Updates 

3rd Party Blog Updates & Industry News 

Beta, Lab and Tech Preview Updates 

Intelligent Hub 24.01 for iOS.

  • HUBI-10220 Check-out device fails after first launch of Hub when device was previously enrolled to a different environment
  • HUBI-10800 Debug Logging turns off when device is locked
  • HUBI-10575 After stepping up, Device Identifiers screen is empty
  • HUBI-10803 Hub crashes every time when APNs message is sent while on Message Details screen
  • HUBI-10821  Account avatar zooms in when people segment is tapped
  • HUBI-10460 [OSSPI] Zip component update
  • HUBI-10799 ForYou Action link has nav bar transparency issues

Intelligent Hub 24.01 for Android.

  • If you are opting in to receive a beta build via Google Play, it will become available shortly.
  • What's New in This Build
  • AAGNT-199182  Hub Crash on Removal and Reapply of App control profile
  • Localization Updates

 DEEM/Horizon Agent Integration Beta

  • DEEM/Horizon Agent Integration Beta targets on enabling application resource consumption telemetry for Horizon Cloud Next-Gen VDI session, providing a drill down experience within Workspace ONE Intelligence that helps IT administrators understand the cause of high CPU/memory consumption, resulting in a bad experience for Horizon users.

Workspace ONE Tunnel 24.01 for macOS

  • Introducing Full-Device Tunnel mode for the macOS Tunnel client on MDM enrolled devices

Intelligent Hub 24.01 for macOS

  • [HUBM-7084] [HUBM-7585][HUBM-7594]- 3rd Party Integrations: Upgrade Firebase, Alamofire, MSAL, EULA[HUBM-7787] - EULA updates
  • Bug Fixes
    • [HUBM-7414] - macOS - Application gets upgraded to the latest version but console still shows the previous version installed
    • [HUBM-7566] - Weblink Icons are not getting modified on App Catalog
    • [HUBM-7764] - Multiple location permission prompts from macOS Hub on Sonoma

Sign up or LogIn [HERE] to get access to the latest Beta versions.

January Software Releases 

SystemComponentReleaseAnnouncementRelease Date
BackendWS1 Access SaaSJanuary 2024Release Notes18.01.24
AndroidWeb23.12.1Release Notes23.01.24
HorizonServer Components and Clients23.12Horizon Server23.01.24
iOSTunnel24.01Release Notes23.01.24

Patch & Seed Script Updates Week 04-24 

  • Workspace ONE UEM 23.06
    • Patch Level
    • CRSVC-45319: Syslog is no longer sending Application Published events after WS1 UEM version 2302.

    • AMST-40279: Windows credentials profile shows as installed in WS1 UEM even when certificates are not delivered to end devices.

    • AAPP-16848: Copying iOS DDUI profile where the context is unknown causes error.

    • AMST-40370: Wifi certificates were not getting auto renewed.

    • AGGL-16310: Fix data mismatch for user data in users and accounts segment of device state.

    • UM-8577: Admin role not auto filled in DDUI when adding an admin manually.

    • AAPP-16827: Fix duplicate entry for setting value creation in credential payload.

    • AAPP-16869: VppV2 deviceId changing to null on clicking sync assets after VppV2 migration is completed.

    • AAPP-16841: Native CICO not updating user list.

    • UM-8633: Unable to create admin groups if "&" is in the distinguished name.

    • AMST-40347: Sensor and Script - Remove SH dependency.

    • Last Update: CW04