check-circle-line exclamation-circle-line close-line

Workspace ONE UEM | 12 February 2019

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

New Features in this Release

Workspace ONE UEM console

  • Know when your password is going to expire with the new Email Notification of Password Expiration.
    The UEM console sends administrators an email five days (by default) before a password expires. On-premises administrators can change the default value of five days while shared SaaS administrators cannot. If eligible, change this default value by navigating to Groups & Settings > All Settings > Admin > Console Security > Passwords.
    The emails are only sent on the first and last day of the notification period.
  • Meet the new Organization Group picker.
    Several UI improvements have been made to the organization group picker, found in Add Smart Group, Add User Account, Add Admin Account > Role, and Add DEP Profile screens.
    An instant search function has been added: start typing in the OG text box and it immediately runs a search based on the string you enter, displaying the names of the OGs for which it finds matches. OGs that appear in the instant search results are presented with their full hierarchy path, with individual organization groups separated by forward-slashes. OG names and paths that are longer than the width of the OG picker window wrap around so you can see the entire name/path. No configuration is needed to use this feature, it's enabled by default.
  • Improve security by including a user's active directory Secure Identifier in the certificate SAN for ADCS CA Integration.
    You can now map the SID value certificate requests for ADCS certificate templates.
  • Control who you send your SMTP test connection emails to.
    We've added the ability to set the "To" email address when testing the SMTP connection. To use this new feature, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Email (SMTP).
  • Configure what's important with the Configurations page.
    The Configurations page is a curated list of critical system settings that are essential to setting up your business needs. You can search the configurations for the feature you are interested in, filter out features you do not want to see, and share your filtered list with other administrators. Take advantage of this feature by navigating to Groups & Settings > Configurations.
  • Getting Started with Workspace ONE Intelligent Hub.
    • Enhanced experience to define the Intelligent Hub configuration.
      You can now find a summary of Intelligent Hub settings around management mode, authentication type, and Hub catalog within the Intelligent Hub configuration page, and even configure those settings easily and quickly.
    • Activate Hub Services instantly even if you don’t have the Cloud VMware Identity Manager instance (SaaS only feature).
      The Intelligent Hub Configuration page now provides instant access to Hub Services so that you can start your journey towards the digital workspace. You no longer have to file a support ticket or contact your VMware representative to take advantage of Hub Services. You can click through a simple wizard to get the VMware Identity Manager Cloud tenant and auto activate Hub Services.
    • Seamless activation of Hub Services.
      If you already have a Cloud instance of VMware Identity Manager and want to use Hub Services features like the catalog, People, and Notifications, we have you covered. We refined the experience so you can just enter the tenant URL and credentials to active Hub Services.
  • Quickly configure VMware-hosted mobile flows connectors.
    Find and configure VMware-hosted mobile flows connectors without needing to deploy any connectors on your cloud or infrastructure. The UEM console compiles a list of available connectors for you to use.


  • Deliver messages to user devices with new Custom Messages profile. 
    We added Custom Messages profile for Android devices that allow admins to create custom messages to send to a user. The new profile will option to set lock-screen messages, set a message for blocked settings, or set a message for users to view in their device settings. This profile is available on Android 7.0+ Work Managed devices.  
    To configure this profile, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android and select the Custom Messages profile. 
  • Reinstall the applications you want on your shared Android devices with the Reinstall Apps on Logout command.
    A new option to Reinstall Apps on Logout has been implemented in Android Logout Settings for Shared device which determines if applications on Shared devices are automatically reinstalled when a user logs out (checks in) a device. Admins can decide whether to always or never reinstall apps. 
    If Clear App Data on Logout is enabled, a third option is available to reinstall apps only if app data cannot be cleared.  When enabled, Workspace ONE UEM will no longer require that apps be deleted and reinstalled when one user stops using a shared device and another user begins using the same device. This means users might have access to the previous user's data including personal information.
  • Choose whether to configure the SSID and password using the Enrollment Configuration Wizard.
    Admins were previously required to specify the SSID and password in the Enrollment Configuration Wizard which allows the user to skip this step during QR Code enrollment for Android devices using Work Managed device enrollment. The Password field is now optional since a password is not always required when connecting to a network.
    To configure QR Code enrollment using the Enrollment Configuration Wizard, navigate to Device > Lifecycle > Staging > List View > Configure Enrollment > Android > QR Code > Configure.
  • Out with the old and in with the new. We've added support for Google's Firebase Cloud Messaging service.
    Firebase Messaging implementation will replace Google Cloud Messaging (which is soon to be deprecated by Google) for Android device communication. 
  • We have removed Enterprise Wipe Device Command for Android Work Managed and Corporate Owned Personally Enabled device.
    Enterprise wipe is no longer supported on Android Work Managed and Corporate Owned Personally Enabled device as the admins would simply use the Device Wipe command to perform a factory reset on a device.
    The setting has been removed from the Workspace ONE UEM console.


  • Prevent the setup or editing of eSIM configurations on supported, supervised iOS devices.
    We've added a new restriction to the iOS Restriction profile. You can now prevent users from setting up or editing eSIM configurations on supported, supervised iOS devices.


  • Don't let malicious software infect your macOS devices by ensuring your devices are shielded with System Integrity Protection compliance policies.
    You can now make a compliance policy that detects whether macOS devices have System Integrity Protection disabled. Make a compliance policy that takes advantage of this support by navigating to Devices > Compliance Policies > List View, select the Add button, then select the macOS platform and choose "System Integrity Protection" in the left drop-down menu of the Rules tab.

Mobile Application Management

  • Upload Internal Apps without worrying about the later versions.
    Previously, admins could not upload lower versions of internal apps without incrementing the Workspace ONE UEM Version up one. Now, admins do not need to worry about the Workspace ONE UEM version and they can upload earlier versions of internal apps without error notifications.
    For example, if admins had two versions of an internal app stored in the UEM console, numbers 1.1 (previous version) and 1.5 (latest version), they can now upload 1.3 (new version) without an error notification and without the console guiding them to increase the Workspace ONE UEM version up a number. The console migrates the assignments from the previous version to the new version. The latest version remains the latest and devices that enroll in the assigned group still get this latest version of the app. Also, admins can still retire the previous version when adding a new version.
    An exception remains with Android apps. Android apps have a string called a versionCode that still controls the versioning in Workspace ONE UEM. If admins add a new version number of an Android app that has the same versionCode as the latest version in the console, the console still guides them to increment the Workspace ONE UEM version up one number.


  • Product Provisioning performance improvement.
    A performance improvement has been made to product provisioning. Outbound and inbound communication for multi chain-wide deployments has been optimized, which improves efficiency and scale. This improvement requires no setting, it is enabled by default.
  • Product persistence default disabled.
    The persistence setting for new products, previously defaulting to enabled, has been changed. The default setting for new products now features a disabled persistence setting. If you are interested in enabling persistence for a new product, you must manually enable it by navigating to Devices > Provisioning > Product List View, then select Add Product followed by the platform selection. Select Manifest, then Add, then select an action and the Persistent through enterprise reset checkbox displays.


  • Personalize your Windows Desktop devices just the way you want them with the new Personalization profile.
    We've added a new Windows Desktop profile so you can control the Personalization settings for your devices. The Personalization profile controls the background and lock screen images as well as the Start Menu policies for the device. In addition to these settings, you can upload a start layout XML. This XML overrides the default start menu layout and prevents users from changing it.
  • Create the Baseline you've always wanted. You can now add additional policies to your Baselines.
    You can now add additional policies to your Baselines to configure your devices the way you want them. Baselines already keep your devices secured and aligned with industry standards. Now you can add Microsoft ADMX policies to your baselines. Currently, this feature is in the technical preview.
  • Hide Custom Windows Desktop Files in the Catalog.
    Use the Display in App Catalog option when you assign an internal or public app to hide those files you want to deploy but not advertise in your catalog. This feature is useful for hiding files that perform backend processes.
  • Upload a Single APPX for Windows Desktop and Windows Phone.
    Workspace ONE UEM has removed the need to upload multiple app packages when using the APPX type. Now, when you add an internal, Windows, application, upload a single APPX file, no matter the architecture.
  • Choose the right app for your devices. You can now select transforms and patches (MST and MSP) when adding apps to a PPKG for Dell Provisioning for VMware Workspace ONE.
    The Provisioning Package Wizard now supports selecting a transform and a patch for apps. You must add the transforms and patches to the apps using the Edit App modal.

Resolved Issues

The resolved issues are grouped as follows.

1902 Resolved Issues
  • AAPP-6086: When a user enrolls an iOS device, any leading spaces in front of username are not trimmed off/ignored.

  • AAPP-6178: Incorrect country code is called when selecting a country outside the valid AppStore for app searches.

  • AAPP-6235: The device wipe command for iOS Supervised devices fails if the ClearActivationLockBypass command fails to send.

  • AAPP-6247: German translation error in the Device more actions page for "enable lost mode."

  • AAPP-6279: GSX Warranty Status API call errors out if soldTo and shipTo account numbers are different.

  • AAPP-6303: The macOS Ethernet profile prompts for credentials even though Authenticate with target machine's credentials option is enabled. 

  • AAPP-6311: User group mapping not taking effect for DEP devices with Authentication turned off and Staging mode set to None.

  • AAPP-6334: Unable to Remove VPP App Category.

  • AAPP-6339: Third-party LAN connections fail to display in the console for macOS devices.

  • AAPP-6369: Adding a version to the existing VPN profile removes the password.

  • AAPP-6611: DEP synchronization does not work as expected if the model for a device in the sync API is returns as Service Other.

  • AAPP-6533: Unable to publish Per-App-VPN profile to iOS devices due to already queued commands with CommandID 98.

  • AGGL-2924: When an Android device enters Doze mode, the GCM commands fails to get picked up by the device which causes commands, profiles and applications to get stuck in the queue.

  • AGGL-4254: Applications added with Tag Smart Group fail to receive the Per-App VPN command.

  • AGGL-4524: ChromeOS User Network profile installation with certs does not work as expected and results in "Error configuring network" error while attempting to connect to the network.

  • AGGL-4535: Unable to create an Android Date/Time profile.

  • AGGL-4612: Unable to send push notifications to Android devices through Applications > Details View.

  • AGGL-4689: GPS privacy data fails to save.

  • AGGL-4692: The Allow Data Roaming restriction is falsely enabled in Android Restriction profiles.

  • AGGL-4720: Android Restriction profile settings are reset after upgrading the UEM console to latest version.

  • AGGL-4735: Unable to clear app data for apps pushed as product.

  • AGGL-4813: Cannot go back to General payload for existing Android profiles.

  • AGGL-4934: Chrome OS devices fail to display in results for 'Device list per OG' through API calls.

  • AGGL-4936: Android autoupdatepolicy prevents app installations.

  • AGGL-4937: Profiles fail to respect excluded smart group assignments.

  • AGGL-4948: Telecom settings and GPS data in privacy settings fail to save.

  • AMST-7735: Windows Store for Business apps fail to install due to mismatched UPNs.

  • AMST-8596: Installation status incorrectly handles three or more "OR" statements for "When to call installation complete."

  • AMST-9867: Removing a Windows Updates profile fails to clear the Registry settings and UI settings from the device.

  • AMST-10014: Sending a GET request to an OG with no devices returns an internal sever error.

  • AMST-10440: Unable to enroll Windows devices using Azure AD integration due to enrollment restriction

  • AMST-11094: The Registry File Path field tooltip when adding criteria to an app displays extraneous quotation marks.

  • AMST-11729: Entrust User Cert gets revoked intermittently.

  • AMST-11825: The Wi-fi profile fails to apply if there is a space in the SSID.

  • AMST-11964: Windows Update Device profile not working as expected for Deferring Feature and Quality updates.

  • AMST-12391: App dependencies using custom script detection fail.

  • AMST-12397: The app catalog displays duplicate app icons on Windows 10 devices.

  • AMST-12408: OEM Updates for the Dell enterprise devices does not work as expected.

  • AMST-12423: Windows 10 Native Email profiles fail to install onto devices.

  • AMST-12656: The Edit App modal displays "Dependencies missing" warning even though all dependencies added for architecture files.

  • AMST-13308: Workspace ONE for Windows incorrectly displays successful installation of apps that failed to install when you relaunch Workspace ONE.

  • ARES-4236: Removing Windows Desktop from a Wi-Fi Resource fails to remove without error or notice.

  • ARES-5165: Auto-update  for apps fails on devices with previous versions queued but not installed.

  • ARES-5459: Un-retiring an app takes you back to the App List View instead of the App Details View.

  • ARES-6443: Unable to add VMware Boxer as an approved app to DLP settings.

  • ARES-6653: AirWatch Hub "Most Installed Apps" displays incorrect data.

  • ARES-6971: The catalog displays the incorrect number of Internal App rating reviews.

  • ARES-6984: BatchJob_CreateNextScheduledAppPublishBatchJobDetailList sproc does not work as expected. 

  • ARES-7033: The app catalog intermittently fails to render.

  • ARES-7074: The app catalog intermittently fails to load.

  • ARES-7116: vApprove app information consistently slow to load.

  • ARES-7182: Enrollment restrictions incorrectly block app upload API calls.

  • ARES-7354: Globalization errors specific legacy keys.

  • CMCM-187962: Unable to see content using Content Locker when a specific user group is added to the user.

  • CMCM-187991: On-premises content repositories throw exceptions when Content Gateway is not configured.

  • CMCM-187999: The Self-Service Portal fails to display Content.

  • CMCM-188047: Unable to share content to specic users using the Self-Service Portal.

  • CMEM-184745: The Email Management "Read Only" Admin role incorrectly allows users to migrate devices.

  • CMEM-184984: Issue where SEG node would show clustering status as both online and offline.

  • CMEM-185035: Issue where SEG would treat device as non-compliant when using IBM Verse app and no user value is provided in request.

  • CMSVC-5910: "Full Name" is not changed when a directory user's firstname/lastname is changed in AD and synced. 

  • CMSVC-7128: The test connection button for File Storage fails to detect service account permission issues.

  • CMSVC-7301: Compliance UI displays incorrect  profile information

  • CMSVC-8168: The User Activation Email fails to fetch the correct value for the {GroupIdentifier} variable.

  • CMSVC-8534: When adding Admin Users during Multi Domain setup, Child domain users recieve Parent domain.

  • CMSVC-8765: During a disaster recover scenario, the UEM console fails to fetch users for DNS SRV setup. 

  • CMSVC-8777: Child OG admins can add tags to devices enrolled in the parent OG using an API call.

  • CMSVC-8902: When processing a beacon payload, an exception occurs when resolving friendly names.

  • CMSVC-9028: The UEM console keeps spinning while attempting to save a new admin account.

  • CRSVC-4030: Targeted device logging fails in specific cases.

  • CRSVC-4351: Test connection failed when Microsoft Certificate Services is enabled in the UEM console under ESC advance setting.

  • CRSVC-4359: Event is not returned when enterprise wiped from List View and Syslog is setup at Child OG

  • CRSVC-4397: Unable to configure template for EJBCA setup.

  • CRSVC-4409: Proxy error after saving the Proxy page.

  • CRSVC-4543: REST API keys configured at Global did not include Child permission settings.

  • CRSVC-4564: Certificates fail to provision to Android devices when pushed to devices a second time.

  • CRSVC-4591: Certificate auto-renewal fails to push profiles after renewal period ends.

  • CRSVC-4691: Enrollment to Android Container is failing whenthe color for any text filed under branding is set to transparent.

  • ENRL-667: Event Data information is not present in Syslog.

  • ENRL-668: Workspace ONE registration on macOS devices fails after entering credentials.

  • ENRL-697: Employee-owned and unknown owner Terms of Use display when enrolling corporate-owned devices.

  • ENRL-700: Enrollment restriction with model rule is not honored for the manufacturer if 'Any' model restriction rule added following the rule.

  • ENRL-714: Unable to generate enrollment tokens for AD users if message template contains {Date} Tag.

  • ENRL-749: Enrollment whitelist not preventing the enrollment of some Android devices.

  • ENRL-783: Custom ​message template not sent to users during enrollment.

  • ENRL-892: Standalone app catalog enrollment does not work when SAML is enabled.

  • FBI-178040: Device Battery Log report fails to include all applicable devices.

  • FBI-178053: A globalization error caused  report subscriptions to fail.

  • FCA-186926: Device from device list view shows, "something unexpected happened.." error.

  • FCA-187968: Self Service Portal for Android Boxer Standalone Enrollment Devices shows unsupported actions.

  • FCA-187578: The new Terms of Use notification fails to prompt for acceptancein the Self-Service Portal but displays in the Self-Service Portal TOU tab.

  • FCA-187954: AirWatch Express OGs fail to enable Android Legacy support.

  • FCA-188078: Default SSP Page Does Not Redirect to SAML Page Properly

  • FCA-188167: Globalization errors occured when interacting with unsupported devices.

  • FCA-188493: Unable to send a push Notification for Windows Desktop devices.

  • FCA-188528: Internal CA Authority becomes corrupt when another OG with same name leverages something of the same sort.

  • FCA-188538: Unable to edit details of a customer type OG when logged in as console administrator.

  • FCA-188551: German Umlauts characters not rendered correctly in the UEM console.

  • FCA-188865: OG details page fails to load on upgrading the UEM console to 1811.

  • FDB-2374: Device Audit purges every 30 days.

  • RUGG-3947: Jobs displayed from the audit table are not ordered by the latest jobs

  • RUGG-5692: Deleting components fails to delete on relay server

  • RUGG-5802: Relay server errors when downloading XML files

  • RUGG-5859: "Create a Condition" under Product Provisioning documentation does not show details on "File" condition.

  • RUGG-5860: Unable to move apps to an existing folder in the second page of Android and Android (Legacy) launcher when editing the existing launcher profile.

  • RUGG-5861: Background image of application cannot be removed from Launcher template.

  • RUGG-5866: x86 Agent downloads instead of Advanced Remote Management for Windows Mobile web enrollment

  • RUGG-5960:  "Profile is invalid" displays when Template mode Launcher profile installs on the device when there is no app in the Canvas

  • RUGG-6025: Editing A Smart Group causes the console to crash Patch Resolved Issues
  • AMST-13963: Health attestation workflow process for windows devices does not work as expected.

  • ARES-7726: Managed Application List reason is not set to MDM removed from Pending removal for iOS samples. Patch Resolved Issues
  • AMST-13946: Unable to add version to an internal  iOS application.

  • AAPP-6614: iOS VPN Tunnel profile publish does not work as expected.

  • INTEL-10428: ADP app exports does not work as expected. Patch Resolved Issues
  • AMST-14437: Device based SCEP certificate fail to install on Windows 10 devices. Patch Resolved Issues
  • AGGL-5158: Publishing a public application for Knox devices does not work as expected. That is, while publishing a public application if there is a Knox enrolled device, none of the devices in the application batch gets the application.

  • ARES-7578: Syslog eventdata incorrectly returns profileID instead of profilename.

  • CRSVC-5081: Syslog incorrectly reads event data from the OldValue and NewValue part of the Event data and not from the OldValueLabel or the NewValueLabel. Patch Resolved Issues
  • ENRL-813: iOS Devices fail to complete the enrollment in Workspace ONE UEM console when using vIDM autodiscovery.

  • FDB-2459: Database CPU spikes up to 100% while reprocessing products from the device.

  • FDB-2470: DeviceUUID is not indexed on [dbo].[Device] which increases the ResolveID_ByUUID SP processing time.

  • INTEL-10694: The presence of the app_installed_version in the interrogatorapplicationlist_deltadexport output causes ETL failures.

  • INTEL-10580: Posting V2 events results in 400 Bad Request error.

  • RUGG-6328: Update product API does not honor the DeviceReprocess flag value while updating the product. Patch Resolved Issues
  • AAPP-6748: Publishing iOS Restriction profile does not work as expected. It results in Async Network IO wait and deadlock while publishing the profile to 200K devices.

  • AGGL-5023: Handlers/VIdmConfigDetailsEndpoint request fails and returns internal server error 500 for both iOS and macOS devices.

  • ENRL-946: During enrollment, the user ID validation step returns the error message "OG is not authorized".

  • FDB-2464: Maintenance.DevicePolicyJob_Purge sproc does not work as expected. The sproc gets stuck on the provisioningPolicy.DevicePolicyJob table for several attempts.

  • FDB-2468: maintenance.InterrogatorSystemSample_Purge sproc has performance issues.

  • FDB-2465: Maintenance.DevicePolicyStstus_Purge sproc has performance issues.

  • RUGG-6269: AutoRetry parameter does not honor the ProductProvisioningFailedJobRetryFeatureFlag. Patch Resolved Issues
  • AAPP-6545: Unable to copy iOS VMware Tunnel VPN Profile.

  • AGGL-5227: For work profile devices, public app fails to show under Device Details view > App tab if the device has the same internal app assigned. 

  • AMST-14580: ServiceLocator references does not work as expected for the Windows Device Check-ins.

  • CMSVC-9717: Reprocessing product from the device does not work as expected. 

  • FDB-2481: Manage devices page is not showing any devices for certain VPP applications.

  • FDB-2483: Publishing Purchased App to devices does not work as expected. 

  • INTEL-10743: Entity delete does not work as expected. 

  • RUGG-6426: Device reprocess results in duplicate values if the product is  assigned to multiple Smart Groups and the devices are a part of these smart groups.

  • RUGG-6464: AWCM throttle does not work as expected on publishing multiple products simultaneously. Patch Resolved Issues
  • RUGG-6473: Compliance-InProgress count fails to reset to zero on deactivating the product.

  • RUGG-6465 : Unable to insert duplicate key exception in PE logs.

  • AAPP-6812: Missing enrollment changes.

  • AAPP-6795: iOS Hub wipes after SDK setup.

  • AAPP-6877: iOS Hub wipes does not work as expected after the SDK setup.

  • FDB-2498: Profile List View sproc fail to load and results in timeout error. 

  • FDB-2521: EnrollmentLocationGroupUsers_List_IncludeChildLGs SP results in timeout error.

  • ARES-8014: Profile assignment reconcile fails on updating the smart group. Patch Resolved Issues
  • AAPP-6716: Extra Profile List and Certificate list samples are queued for all the Workspace ONE applications after the application responds to the install profile command Patch Resolved Issues
  • AAPP-6804: Unable to add/ delete smartgroup for VPP devices.

  • AAPP-6824: DEP devices do not check out to pre-registered end-user after authenticating with a staging user.

  • AAPP-6889: Add a version agnostic script to clean up commands in production.

  • AMST-13998: Health Attestation sample gives an error.

  • CMSVC-9729: Dell Provisioning enrollment fails staging authentication.

  • CRSVC-4816: Error occurs when trying to edit the Custom SDK Profile after upgrading to 1902.

  • CRSVC-5115: Interrogator Queue service stops automatically during performance test runs.

  • CRSVC-5219: App wrapping profile with "Proxy" payload configured fails to push to devices and app fails to launch.

  • FDB-2496: CMEM wait causing high CPU on SQL server on editing assignment to a product/profile.

  • INTEL-11207: Some application fields display as blank intermittently during app upgrades.

  • INTEL-11350: Console Database | On demand apps fail to be removed after unassignment.

  • INTEL-11428: Console Database | Handle delete event during purge to only send records that belong to deleted devices.

  • RUGG-6564: Deadlock while deactivating multiple products immediately after the jobs are queued. Patch Resolved Issues
  • FDB-2441: REST API call to search enrollment users results in "Error Code 500-Execution Timeout Expired. 

  • CRSVC-5330: Canonicalize URL causes Secure Channel CheckInEndpoint Response.

  • AGGL-5093: AFW Application configuration screen does not display nested configurations correctly.

  • RUGG-6601: Primary key constraint in Custom Attribute Sample Save.

  • CRSVC-5460: Multiple message queues gets backed up. Patch Resolved Issues
  • CRSVC-4725: AirWatch Agent service builder crashes.

  • FBI-178093: Blacklist or Non-Whitelist Application Details By Device report for Non Whitelisted application report includes whitelisted apps. Patch Resolved Issues
  • CRSVC-5031: UEM console internal API calls take more time to execute when authenticating using Active Directory accounts.

  • AGGL-5501: Serial Number lookup values is not displayed in the Android For Work Application configuration. Patch Resolved Issues
  • ARES-8284: Android internal app set to on-demand gets auto installed when the Per App VPN is enabled. Patch Resolved Issues
  • ENRL-929: Manufacturer Type HMD Global is missing From the Enrollment Restriction List in the UEM console.

  • FDB-2529: Device profiles cannot be removed through the Console UI due to stored procedure failure.

  • FCA-189905: Delete device exceptions are not being fully captured in the logs. Patch Resolved Issues
  •  AGGL-5447: Unable to configure Pulse Secure with the certs using the VPN profile.

  •   FBI-178100: Blacklist or Non-Whitelist Application Details By Device report contains Whitelisted apps. Patch Resolved Issues
  • AAPP-6886: API calls to migrate macOS devices from Staging to End User account does not work as expected. 

  • AAPP-7130: APNSOutbound MSMQ backs up due to performance degradation of the APNs HTTP/2 Client.

  • AAPP-7430: Unable to send APNS to the SDK-integrated application. Patch Resolved Issues
  • AAPP-8178: Support "apns-push-type" for APNs via HTTP/2. 

Known Issues

  • AAPP-6390: Unable to delete a bootstrap package when assigned to a device.

    Attempting to delete a bootstrap package when it is assigned a smart group with at least one device, throws an error occurs preventing the application from being deleted.

    As a workaround, unassign Smart Group prior to deletion.

  • AAPP-6408: Device Wipe option fails to clearing activation lock if the device was moved to a child OG.

    If a supervised iOS device is moved manually to a child OG and then if Device Wipe the attempted, the view does not allow administrators to clear the activation lock.

  • AAPP-6416: Unable to save SCEP settings for Apple Enrollment.

    Unable to enable SCEP certificate for enrollment under Settings > Apple > SCEP due to UseInEnrollment being set to False.

    As a workaround,manually update the SystemCodeOverride value to True.

  • AAPP-6418: Assigning applications from API endpoint api/mdm/education/classassignment deletes existing apps that are assigned via UI. 

    When assigning apps via Apple Education class assignment API, previously added UI app assignments are deleted.

    As a workaround, avoid assigning apps from both UI and via API.

  • ARES-7427: Workspace ONE UEM console fails to recognize the bundle id mismatch while adding a new application using the Add version option.

    Administrators can add a different application using the add version option, and the console fails to throw an error message if there is a bundle id mismatch using add version option.

  • ARES- 7578: Some of the Action Eventdata returns ID instead of the entityname.

    Administrators are unable to find the events on the entities as the entityname is not displayed. 

  • CMSVC-8780: Upon OG Decryption failure, the remaining users in queue are not processed for user list view page.

    If encryption is enabled on an organization group and a corrupted data item is introduced such as a junk value in the firstname internal or lastname internal, when the User List View is invoked, only those user devices before the corrupted device are displayed. The devices that appear after the corrupted device are omitted.

    You can view the event logs to find out the fields and users that are impacted and to handle the issue, select edit and re-enter the correct information for each of the affected user.

  • CMSVC-9154: The last notification of the password expiration email is sent per UTC time.

    The last password expiration email is not sent within the timezone from which it originates, rather it is sent based on coordinated universal time (UTC) time.

  • CMSVC-9187: Policy level details are not displayed in the event log data for unknown, compliantwithexceptions, and compliant statuses. 

    Policy level details are not displayed in the event log data for sdk report for the following application compliance statuses:

    • Unknown
    • Compliantwithexceptions
    • Compliant
  • CMSVC-9199: Compliance status-Unknown is reported under wrong eventname.

    If application compliance status "unknown" is reported by the device for SDK app compliance, it reports the event data under wrong eventname.

  • CMSVC-9335: Compliance Violation User Notification identifies the device as "0" in place of actual DeviceName/ID.

    In the automated user notification resulting from a compliance violation, the description identifies the device in question as "0" (zero) instead of the actual device friendly name or identifier.

  • CMSVC-9345: After migration, the default 'Password Expiry Notification' value showed as 0.

    Normally after migration, the Password Expiry Notification value defaults to 5 days no matter what the pre-migrated value is. While changing from 1811 to 1902, however, it defaults to 0 days.

    Administrators with global access can manually change the settings. 

  • CMSVC-9346: 'Admin Password Expiry Notification' job's default 24 hour schedule does not change to 2 hours upon migration from 1811 to 1902.

    During migration, the default schedule of 24 hours for the Admin Password Expiry Notification job normally changes to 2 hours. However, while migrating from from version 1811 to version 1902, it does not.

    Administrators with global access can manually change the settings. 

  • CMSVC- 9412: Application compliance report events are fired as per the device compliance evaluation time in the sdk report and are not based on the actual time when the event was fired.

    Event filtering gets difficult as the event firing time is based on device compliance evaluation and not the actual event time. 

  • CRSVC-4672: Custom SDK profile settings are applied to the Browser when a device is at overriden Child OG. 

    Currently when the admin saves the Security Policies page, Browser, or Intelligent hub settings, a command is queued for the specific app to check in and get the profile.This command is being queued for all the devices in that particular OG and the child OG as well, regardless of inherit or override. The problem arises when the custom profiles come into the picture, since we see the profile ID associated with the parent and queue up a command for all the devices with that particular profile ID. 

    Killing and relaunching the app after the cache has expired rectifies the issue. 

  • FCA-187834: Productivity app names from Getting Started Page does not match with the names in Store.

    Productivity app names from Getting Started Page need to be updated to match with the names in Store.

    As a workaround, users can add the apps from the Apps page.

  • FCA-188536: SSP account is not locked even after the maximum number of invalid login attempts are made.

    The console security settings also oversee the SSP lockout, though there is no indication of it in the UI. When the console lockout was made permanent and requiring security measures such as password security questions, it was decoupled from the SSP lockout. This results in the SSP not locking out users no matter how many times they enter their password incorrectly.

  • FCA-188925: Device List View export gets stuck when exporting custom Monitor filter with more than 1000 devices.

    Some graphs in the Monitor dashboard create custom graphs (Devices with Blacklisted Apps, for example). When there are more than approximately 1000 devices in the custom filter, attempting to export the list view results in a freeze.

  • FCA-188926: Self Service Portal uses mail value from custom attribute when adding a device.

    When registering a new device in the self service portal, you have an option to use an email address as the notification method. Instead, it is using the "mail" custom attribute instead of the user account's email.

  • FCA-188929: Log out from UEM console is not happening when admin clicks on the Reset button for Password Recovery Questions or Security PIN.

    When performing a restricted action that requires entering the admin's PIN, there is a link for "Forgot PIN" that leads to the Account Settings, where you can change your PIN, password, and password recovery question. This modal does not work when accessed via this link.

    As a workaround, access the account settings by clicking on the admin's username on the top-right corner of the console and then Manage Account Settings.

  • ENRL-889: Device limit per user is not being honored when the device restriction is with OS version.

    When you configure a device enrollment restriction that is based on OS version, the per user device limit is not being followed.

  • RUGG-5789: Custom Attribute values with colons are saved to the database and does not display in the Custom Attributes under the Device Details page. 

    Custom Attribute values with colons are restricted from the Workspace ONE UEM console side. Also, the CA sent from the device side is not saved due to restrictions.

  • CRSVC-5048: The UEM console fails to reset invalid login attempts.

    After you unlock an account and log in to the UEM console successfully for the first time and then try to enter an invalid credentials for the second time, fails to show a locked out message. A locked out message is shown on using the password recovery flow to unlock the account.

  • CRSVC-4391: Changes to Bluecoat VPN profiles fail with error "Save failed - unable to fetch trusted certificates".

    The integration between Workspace ONE UEM and Bluecoat leverages an authentication certificate seeded in the console and tenant identifier 'customer ID' input by an administrator in the VPN payload to initiate the integration. The seeded authentication certificate has expired which results in an error when the administrator attempts to make changes to the Bluecoat profile.

    At this time we have asked Bluecoat to provide a new certificate leveraging SHA-512 and we recommended that they offer tenant level certificates or vendor generated authentication certificates for added security. 

  • AGGL-5447: Configuring Pulse Secure while pushing a VPN profile does not work as expected.

    Unable to configure Pulse Secure while pushing a VPN profile if the authentication requires a certificate.