check-circle-line exclamation-circle-line close-line

VMware Workspace ONE UEM™ Powered by AirWatch 1811 Release Notes

Workspace ONE UEM | 28 November 2018

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

New Features in this Release

Workspace ONE UEM Console

  • No more editing the login URL for your admins. Workspace ONE UEM now supports automatic SAML authentication.
    When you have SAML login enabled in system settings, the system supplies the OG-specific login screen, that adheres to the standards of Identity Federation, when you enter the Admin username. You now no longer need to edit the login URL to get the login screen you want.
    Enable SAML login for administrators by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services. Select the Server tab and in the LDAP section, enable the Use SAML For Authentication setting and select the relevant options.
  • Your Feedback Matters Still. We've enhanced the optional survey to better process your responses.
    The optional survey introduced in the previous release gathered valuable feedback based on your experiences with our software. Together with the data collected at the time you created your admin account, VMware processes these survey responses with third-party assistance to facilitate a closed loop feedback system. This system helps us understand our users better and allows us to improve our products based on your needs.
  • Track basic admin account activity better with new Console Event Logging additions.
    Two new events have been added to the console event logger: 'admin account locked' and 'admin account unlocked'. These events should assist you in researching basic administrator login problems, which you can do by navigating to Monitor > Reports & Analytics > Events > Console Events. The new login events are of the Module: Administration and of the Category: Login.
  • We are getting better at telling you what went wrong through some improved error messages.
    We understand that it is frustrating when things don't work. To help reduce some frustration, we are looking at our error messages to see where we can improve them.
  • We have removed Data Samples Settings page in the console.
    We deprecated the ability to configure and store historic sample data related to device hardware, device network data, profile information, telecom data, restrictions, security information in the UEM console. You could make these changes from All Settings> Admin> Data Samples.
  • We've deprecated several APIs so make sure you use the new replacements.
    For more information on what APIs were deprecated and their replacements, see


  • Configure more features for your Android devices.
    We've updated the Workspace ONE UEM console to include additional support for Wi-Fi Proxy, Bluetooth, Backup service, and Update Information.
    • The Wi-Fi profile includes a new section called Proxy for you to configure Proxy settings for Android devices. (Android 8.0+). 
    • The Device Details page includes a section named Pending System Update which shows information on available or last updates for Android 8.0+ devices.
    • The restrictions profile has been updated with a new restriction, "Allow Backup Service"
    • Support new restrictions available for preventing Bluetooth and Bluetooth sharing. 
  • You can now enable Knox for Android devices without using Android Legacy settings.
    Under Intelligent Hub Settings the Knox license key field is no longer dependent on the Enable Containers setting.  This means you can enter a Knox license key, without turning on Enable Containers (which only applies to Android Legacy). If Enable Containers is checked and Android EMM Registration is configured, this turns on Knox Play for Work (Android legacy enrollment mode).

    To see these settings, navigate to Group & Settings > All Settings > Devices & Users> Android > Intelligent Hub Settings

  • Manage how your Android devices update apps with the new Update Policy profile.
    We added a new Auto Update Policy profile for Android devices that allow admins to configure auto updates and schedule maintenance windows for public Android apps. Once pushed, the applications will only auto-update during the specified start and end times.

    To configure the Auto Update Policy, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > and select the Auto Update profile. 

  • Configure additional capabilities in the Restrictions profile.
    The Restrictions profile now supports additional capabilities specific to Android Enterprise. On Work Managed devices and COPE enrollment, you can now Prevent System UI (Toasts, Activities, Alerts, Overlays) which blocks additional windows from opening on the device. For all enrollment types (Work Managed Device, Work Profile, and COPE) you can enable Skip user tutorial and introductory hints to force apps to skip user tutorials and introductory screens.

  • Verify that your apps are safe for your devices with Safetynet App Verification.
    A new system setting, Safetynet App Verification, enables app verification which scans apps installed on the device before they are downloaded to detect potentially harmful apps. 


  • Enhanced the macOS Network profile to support configuring multiple ethernet interfaces.
    We added options to configure multiple ethernet interfaces as needed.

  • Enhanced macOS Privacy Preferences profile so you can add multiple Apple Event rules for a given app.
    To help administrators manage data access consent on behalf of the user, we enhanced the Privacy Preferences profile. Now you can multiple Apple Events to a given app.


  • Keeping your Windows Desktop devices configured and up-to-date with best practices is difficult. Workspace ONE UEM curates these best practices into configurations called Baselines.
    This new feature allows you to keep your devices secure and aligned with industry standards such as CIS Benchmarks. With Baselines, you can set and manage your preferred configurations completely over the air without any dependency on VPN or your domain. Currently, this feature is offered as a technical preview.

  • Track your Windows Desktop devices without needing the legacy AirWatch Agent.
    We've enhanced our GPS support for Windows Desktop devices. Workspace ONE UEM now gets location data through OMA-DM instead of relying on the AirWatch Agent from the Microsoft Store. Windows Phone devices still need to use the legacy method.

  • Send your Windows 10 device traffic through a proxy with the new Proxy profile.
    This profile allows you to configure the native system proxy settings on your Windows 10 devices to direct network traffic through a proxy server.

  • Devices have a huge number of attributes associated. Harness the power of Sensors to target the specific devices you want.
    Windows Desktop devices have tons of attributes to remember such as hardware, OS, certificates, patches, apps, and more. To track all these attributes, we created Sensors. Now you can create a sensor for a specific attribute and combine the sensor with smart groups to target specific devices for profiles, updates, and more.

  • We've made Dell Provisioning for VMware Workspace ONE easier to use.
    A new wizard in the UEM console provides a single place to create a configuration file for the various use-cases and export your Win32 apps. You no longer need to use the external configuration tool.

    Additionally, we've expanded app support to include OMA-DM and user context apps. To use the new wizard, navigate to Lifecycle > Staging > Windows.

  • Control the level of device diagnostic and usage telemetry data your devices send to Microsoft.
    We have updated the Restrictions profile to control the level of data sent to Microsoft. The level of data ranges from Security, which limits the data to only what is necessary to keep the device safe and secure, to Full.

  • Collect important device details through the Request Device Log action.
    We added this functionality so you can request the logs from the device to troubleshoot and provide support. To request a log, simply navigate to the device and select Request Device Log from the More Actions list.

  • Wipe your devices just the way you want to.
    We enhanced the Device Wipe device action so you can choose the level of Device Wipe. In addition to the original Device Wipe, you can now perform a Wipe Protected that can't be circumvented by users. Finally, you can perform a Wipe and Persist Provisioning Data action that will back up the provisioning data and reapply it after wiping the device.

  • Reset your devices back to their factory settings with the Enterprise Reset device action.
    We added this functionality to corporate-owned Windows Desktop devices. Now you can reset a device to factory settings while keeping the device enrolled in Workspace ONE UEM.

App Management

  • Keep your per-app VPN profile associated with native apps updated.
    You can edit the App Tunneling configuration by selecting another Per-App VPN profile in the flexible deployment assignment. This associates the changed profile when the applications publishes. Also with the flexible deployment assignment, you can change the priority of an assignment. Move it higher in the list, and assigned groups receive those associated configurations that include the per-app VPN profile.

    You can also deselect the App Tunneling setting in the flexible deployment assignment. The system removes the per-app VPN off devices in the assigned smart group. Another option is to change the smart group of a device to one that is assigned to an application that has the desired per-app VPN profile associated to it.

  • Distribute internal application packages from Workspace ONE UEM instead of redirecting users to a link.
    This feature is useful for deployments that use APIs for continuous delivery integrations and UI actions. 

  • Control the cost of licenses for your software distribution and OMA DM applications with the new App Approvals workflow.
    This process allows you to approve who can consume application licenses, thus controlling the cost to manage these resources. This workflow integrates your existing deployments of ServiceNow, VMware Identity Manager, VMware Workspace ONE UEM, and VMware Workspace ONE Intelligence. Currently, this feature is offered as a technical preview.

  • Updated software distribution by working to support distributing Win32 applications without a content delivery network (CDN) for on-premises deployments.
    At this time, one of two systems is still necessary for distribution, a content delivery network or a file storage system. VMware Workspace ONE UEM supports up to 5GB of storage on CDN for on-premises. If more than 5GB is needed, then use a file storage system.

Email Management

  • Revoke access for Google accounts if an account violates compliance with the Token Revocation option on the Email Settings page.
    We offered a similar feature for Office 365 and now we support it for Google accounts. If you revoke a token, users lose access to their Google accounts. Workspace ONE then evaluates compliance before issuing a new token.


Resolved Issues

  • AAPP-2695: Enrollment Status as 'Registered' changed to 'Enrolled'.

  • AAPP-5887: Specific VPP apps fail to download to devices.

  • AAPP-5922: Uploading an application fails using API calls.

  • AAPP-5927: The Book catalog only loads 24 books with rendering issues.

  • AAPP-5929: The iOS Notifications profile uses the wrong key in the XML.

  • AAPP-5938: The Bluetooth Managed setting is always sent as false when iOS devices are moved to a different OG

  • AAPP-6018: Cryptographic errors in settings endpoint for macOS devices

  • AAPP-6040: IOS vpn profile with connection type IKE v2  and Machine Authentication type Certificate not working.

  • AAPP-6073: The grouping of exception handling for email notifications inside the MDMEnrollmentComplete method causes additional commands to fail even if only one has an issue.

  • AAPP-6112: Console appends an empty string array to Kernel Extension profile that causes it to fail to install on devices

  • AAPP-6115: Managed settings are not sent to Apple TVs enrolled in DEP

  • AAPP-6156: Apple seeded system profiles display in Device Details profile list

  • AGGL-3910: Unable to update the Play Store with assigned apps

  • AGGL-4152: In Android Exchange Active Sync profiles, S/MIME fields remain when switching the Mail Client from a client that supports S/MIME to a client that does not support S/MIME.

  • AGGL-4209: Enrollment Users not available when creating a QR Code for AE Enrollment

  • AGGL-4283: Device Sync fails for ChromeOS devices enrolled with specific super-admin accounts

  • AGGL-4340: Smart Groups fail to update for Android devices after upgrading UEM console versions

  • AGGL-4413: The Playstore fails to update with assigned apps due to a timeout error.

  • AGGL-4444: The ChromeOS Network profiles fails to push to devices if more than 2 certificates are attached.

  • AGGL-4462: The Android VPN app mapping fails to apply to applications when a device is checked out in specific circumstances.

  • AGGL-4617: Android token enrollment fails when whitelisting by device manufacturer

  • AMST-9303: API calls with the content type is set to  application\XML fail with a 1000 error.

  • AMST-9425: Messaging Service logs are spammed with WNSClient Errors

  • AMST-10159: Uninstall internal app API failing for Windows Phone and Windows Desktop devices.

  • AMST-10606: Windows 10 Kiosk Profile does not render list of available applications.

  • AMST-10769: Product code is evaluated during detection even when admin has opted for other criteria

  • AMST-11049: Device Details fails to update app status after uninstalling an internal Windows 10 application.

  • AMST-11623: The PPKG for one user is deleted when a different user in the same OG exports a new PPKG.

  • AMST-11797: Health Attestation fails to display in the Device Details page and an error displays.

  • AMST-11870: PPKG that successfully applied during Audit mode re-applies itself during OOBE mode resulting in numerous flashes and delay.

  • ARES-6454: Adding specific Key Value Pairs to a public Boxer app throws a "Non Unique App Configuration Keys" error.

  • ARES-6477: Access Denied when requesting app installation from device details view > app tab (app update)

  • ARES-6494: Syslog EventData is showing the Profile/Application ID from the Database unexpectedly.

  • ARES-6656: Associated resource profiles display in global search results.

  • ARES-6684: API_InternalApplicationSearch errors out due to a filename error after saving a new app version.

  • ARES-6766: App versions are not sorted in the app summary page.

  • ARES-6929: App-level Managed devices display in the Preview Devices screen when publishing a profile.

  • ARES-6975: Uploading an app fails when the locale is set to French.

  • CMCM-187871: Unable to bulk delete file versions from SSP.

  • CMCM-187959: The Device Detail Require Content tab View History option fails to sort by event time and exports an empty file.

  • CMEM-184768: Classic Seg targetted logging does not work.

  • CMEM-184859: MEG Queue service requires excess system memory and fails to a bad state.

  • CMSVC-7894: Users are created in UEM console even though the user does not exist in the AD after SAML authentication.

  • CMSVC-8038: Bulk deactivation of users results in unexpected error due to SPROC issue.

  • CMSVC-8058: Unable to modify Enrollment Organisation Group Uuid via PUT api

  • CMSVC-8115: Mail access is not revoked from MEM dashboard for a device after removing Block Mail Access action through compliance policy.

  • CMSVC-8400: Content Locker sync fails to logout if admin deactivates the user from the UEM console

  • CMSVC-8437: Devices/Users added to a assignment group through Additions fail to assign to the group assignment

  • CMSVC-8454: Unable to edit default smart groups

  • CMSVC-8520: CDN fails when using Epoch with UTC

  • CRSVC-3271: Location Header in API responses returns HTTP instead of HTTPS

  • CRSVC-4129: Battery level shows XX00 while making an API call

  • CRSVC-4211: SDK Settings say that Biometric Mode is only supported for iOS

  • CRSVC-4302: Global Sign certificate fails to revoke when enterprise wipe is executed from device list view

  • ENRL-324: Enrollment status page device export takes a long time

  • ENRL-347: Devices are getting assigned the wrong ownership type after enrollment due to a corrupt enrollment token

  • ENRL-374: Console events do not log Enrollment Settings modifications

  • ENRL-411: Unable to generate enrollment tokens for AD users if message template contains {Date} Tag.

  • ENRL-505: Shared DEP device passcode expires before predefined 90 days.

  • ENRL-608: Enrollment restrictions not working for Samsung devices

  • ENS-1832: Devices recieve Boxer notifications but do not play a sound when using ENSv1 with FedRAMP CNS

  • FBI-178029: Legacy Reports throws an error when "Application Type" is changed to "Public Apps-Managed" from "Public Apps-Unmanaged."

  • FBI-178037: Running Device Usage Details Report creates massive files but all are blank. (3GB +)

  • FCA-187478: SPROC API_DeviceSearchByLGID only returns top 1 Asset number

  • FCA-187549: Syntax Error when issuing a shutdown command to a device: "Device shutdownf success"

  • FCA-187613: Admins can create a customer OG as a child to a customer OG

  • FCA-187635: Console Admins Cannot See Privacy Officer Role

  • FCA-187671: UDID is not retured as part of /mdm/devices/id POST api

  • FCA-187736: interrogator.AppDataUsage_Save fails when setting AppName to NULL

  • FCA-187752: Bulk deletion of unenrolled device records fails.

  • FCA-187753: Adding a policy in the Enrollment > Restriction settings page fails when the locale is set to Korean

  • FCA-187823: Bulk actions from the Device List View fail and crash the browser due to a JavaScript error.

  • FCA-187830: Console Event not generated when the endpoint "v1/mdm/devices/serialnumber/$serial/editdevice" is fired for Asset Number update

  • INTEL-7350: The Bitlocker encrypted device number is inaccurate when compared to the console data.

  • LOC-10445: The Workspace ONE UEM VPP license list was incorrectly translated

  • RUGG-5113: In the Android Launcher the 'Add' and 'Save' buttons are unresponsive for miscellaneous apps

  • RUGG-5548: App Attributes Button Does Not Work in Android Launcher Profile

  • RUGG-5568: GET /api/mdm/relayservers/ switches the staging and production OG in the response

  • RUGG-5624: REST API calls to get network information on some MC32 devices and is returning a blank IP address

  • RUGG-5662: Profiles created under Provisioning can be assigned using Assignment Groups throughout the UEM console.

  • RUGG-5670: The Policy Engine does not display any information on who pushed a product

  • RUGG-5697: Products not assigned to newly-enrolled devices with assignment rule attribute using OR operator

  • RUGG-5701: Incorrect Product is installed from the Product set

  • RUGG-5707: Job not existing throws exception in the Device Job Policy

  • RUGG-5717: New file server feature test connection fails on subsequent tests after initial save is successful.

  • RUGG-5749: Unable to get job XML for inactive products and the commands get stuck in queue

Known Issues

  • AAPP-5805 - VPP applications that are unassigned or assigned to different a Organization Group can be installed if the application license is shared between devices.

    Unassigned VPP applications may be installed if a license is shared for the application assigned at another OG.

  • AAPP-6152 - Activation Lock bypass code is not saved for devices with unseeded model information.

    The UEM console cannot save the activation lock bypass code when the model of the device has not yet been seeded. New model data is seeded immediately when available, so customers should not be impacted.

  • AAPP-6259: Bulk deleting devices will occasionally get stuck on “Delete in Progress”

    Deletion of devices will occasionally get stuck on “Delete in Progress” when performing the deletion in bulk. As a workaround, perform the delete device action from the device details page.

  • AGGL-4524 - "Error configuring network" on ChromeOS devices for User Network profile with certificates.

    This issue occurs when installing a ChromeOS User Network profile with certificates. Users see "Error configuring network" when attempting to connect to the network.

  • AGGL-4676 - Device enrolled at Customer OG has child OG apps in the Play Store.

    When you have a device enrolled at a parent OG, public applications managed and assigned to a child OG are appearing in the devices Play Store.

  • AGGL-4648 - Workspace ONE Android Profiles are not available after stepping up to Workspace Services.

    This issue occurs when Workspace One enrollment with adaptive enrollment does not present Android profiles after stepping up to Workspace services.

  • AGGL-4679 - Profile Owner public app removal does not update the app status in the UEM console.

    When an admin removes a public app from the device it is not updating the app status in the UEM console.

  • AGGL-4685 - Corporate - Dedicated devices intermittently fail to enroll into OGs with Samsung Knox configured.

    Intermittently, Corporate - Dedicated devices fail to enroll using Intelligent Hub. The device hangs at the "configuring something spectacular screen." This issue occurs in OGs with Samsung Knox configured.

  • AMST-12187 - Admins cannot create an app PPKG if they use the Select All button.

    This issue occurs when an admin uses the "Select All" button for apps in the PPKG creation page. The apps will duplicate and fail to create a PPKG

    Select the applications individually when building an application PPKG.

  • ARES-6832 - Application Status Endpoint is Returning Not Supported / Not Assigned for Old App Versions

    When app V1 and V2 are uploaded on console and when we try to hit application status endpoint for app v1, it returns status as not supported(2).

  • CMCM-187991 - On-premises content repository is throwing exceptions when Content Gateway is not configured.

    This issue happens because the on-premises content repository is configured without configuring Content Gateway. The scheduler job tries to sync on periodically and fails to sync.

    You must configure Content Gateway or delete the content repository.

  • ARES-6661 - Internal app upload blob fails intermittently when you use Mozilla Firefox as a browser.

    If you upload a large-size application, the upload fails intermittently when you use Mozilla Firefox.

    Use Google Chrome to overcome this issue.

  • ARES-6976 - The View Devices page for a profile errors out if the profile has auto assignment but is not yet published to any device.

    If you view the profiles assigned to a device using the View Devices page from the Profiles List View, the View Devices page errors out when the device uses auto assignment but is not yet published to devices.

  • ENRL-700 - Enrollment restrictions using device model rules are not honored.

    This issue happens when a rule set specific device models is followed by a rule for "Any" device model from a manufacturer.

  • FCA-187578 - When updated Terms of Use are pushed, users are not getting the notification to accept the TOU in the Self-Service Portal but you can see the new terms under the TOU tab.

    This issue happens when a Terms of Use created or updated in a Parent Organization Group, a user is present at either the Parent or Child OG, and a device is enrolled at sub-child OG. After logging into the SSP in the Child OG, users are not notified to accept the TOU. If the user logs into the SSP in the Parent OG or a sub-child OG, the user is notified to accept the TOU.

    On login to SSP at Child OG user's are not getting notified to accept the TOU, however if user's logs into SSP at Parent or sub-child OG user's gets notified to accept TOU.

  • FCA-188060 - Customer is presented with a generic error message in console when Identity Manager fails to configure due to a missing group ID.

    This issue happens when configuring Identity Manager using the "Connect to VMware Identity Manager" wizard (Getting started > Workspace ONE> Connect to VMware Identity Manager). Identity Manager fails to configure due to the OG not having a group ID added to it.

    Ensure that a group ID is added to the OG.

  • CMCM-187940 - Uploading larger videos to a SharePoint repository through Content Locker fails intermittently.

    When you upload larger (over 20MB) video files to a SharePoint repository using Content Locker, the upload fails intermittently.

  • FCA-188078 - The Default Self-Service Portal page does not direct users to SAML login.

    This issue occurs only when SAML is configured on an OG and the same OG is set as the default for SSP login (SSP auth type - Dedicated).

    When user accesses the SSP URL(https://[environment]/mydevice), user is not directed to the SAML page. If a user provides the group ID in the URL, the user is directed to the SAML page.

    Provide the group ID in the URL. For example: https://[envirnoment]/MyDevice/Login?ac=[groupid].

  • FCA-187518 - Specific ChromeOS profile pages do not display globalized content.

    If you change the globalization in the UEM console, specific ChromeOS profiles pages do not display globalized content.

  • FCA-188149 - An error displays when an admin tries to switch an application's authentication type from WSFed 1.2 to a different type.

    This issue occurs while adding a SaaS app to the UEM console. If the admin selects WSFed 1.2 as the authentication type then switches the type in the same Add Application modal, an error displays.

    Before changing the app authentication type, close the existing Add Application modal and open a new modal to add a SaaS app.

  • HW-90872 - Admin cannot open a add or edit SaaS applications to the UEM console.

    Selecting the New or Edit button on the SaaS app page then immediately closing the Add App or Edit App screen breaks those pages. The page becomes unresponsive and the buttons do not open pages.

    Refresh the SaaS app page to open the Add App or Edit App screens.

  • CMCM-187977 - Selecting the repository type SP O365 ADFS and performing a test connection will fail.

    Perform the test connection with repository type ODFB ADFS and the appropriate link example: https://<company>

  • ARES-7116: Delay while loading legacy app catalog or hub catalog for large environments (all platforms)

    In Workspace ONE UEM 9.6 and above, a delay of 10 - 20 secs is observed while loading legacy app catalog or hub catalog for large environments on all platforms.

  • ARES-6867: Font color of the navigation bar deviates from the configured branding theme on the legacy App Catalog

    On console version 9.4 or above, font color of the navigation bar deviates from the admin configured branding theme on the legacy App Catalog

  • ARES-7033: Legacy App Catalog CSS does not render intermittently

    On all supported console versions (9.2 and above), intermittently CSS does not render. As a result, end-users see a distorted page that is difficult to navigate.

  • ARES-7074: App Catalog fails to load intermittently on iOS devices

    On iOS 12 or higher OS version devices, legacy App Catalog is stuck after launch with just the branding logo and spinning icon, intermittently.

    Closing and relaunching the catalog should address the issue.

  • ARES-6971: Incorrect number of reviews displayed to end-users on Legacy App Catalog

    In Workspace ONE UEM 9.6 and above, incorrect number of reviews displayed to end-users on Legacy App Catalog when they navigate to details of the applications.