Workspace ONE UEM | 24 April 2019

Check for additions and updates to these release notes.

New Features in this Release

Workspace ONE UEM console

  • We are happy to provide you a better login experience.
    Administrators can now save their user name and passwords in the browser cache that can be used for subsequent logins.
  • Easily identify your devices. We added a new device identifier called Public IP Address in the Device Details and Device List View.
    Public IP Address is added to the Device Details, Device List View and the Privacy Settings page so you can limit access to it per your business and end-user needs.
    View the Public IP Addresses for your devices by navigating to Devices > List View, then select the Layout button and customize the column selections. You can find Public IP Address in the Network tab of Device Details view. Change privacy settings regarding your devices' Public IP Addresses by navigating to Groups & Settings > All Settings > Devices & Users > General > Privacy in the Network section.
  • The new My Services Selector gives you access to your Hub Services from the UEM console. 
    You can now access Hub Services from the Workspace ONE UEM console with the My Services Selector. The selector is available in the Header Menu of nearly every page of the console.
  • We now offer SAML authentication for multi-domain configurations.
    Administrators (only) can now use the SAML authentication in multi-domain environments for Workspace ONE UEM, expanding the utility of the already trustworthy authentication protocol beyond single-domain configurations. Support for multi-domain environments is enabled by default, and there is no system setting required.
  • AirWatch Express now gives another option to communicate with user devices with SMS messaging.  
    Start using SMS Messaging in AirWatch Express.The SMS configuration page is now available in AirWatch Express. To use the functionality, an account with a supported SMS provider is required. You can enable SMS messaging by navigating to Groups & Settings > Configurations > SMS, then complete the settings options including Gateway Type and Password.


  • It's time to get started with the Google's Firebase Cloud Messaging service.
    As of April 10, 2018, Google announced that they are deprecating Google Cloud Messaging in favor of a new cloud-messaging platform called Firebase Cloud Messaging (FCM). Once GCM has been deprecated, customers enrolling new devices into GCM enabled environments can experience extended delays in communication between the Workspace ONE UEM Console and Android devices. 
    All customers are encouraged to upgrade their VMware Workspace ONE UEM Console, Workspace ONE Intelligent Hub application, and Workspace ONE application to the versions that contains support for Firebase Cloud Messaging. 
    For more information, look for Upcoming Changes to Cloud Messaging Services in Environments Utilizing Android Devices in My WorkspaceONE portal.

Content Management

  • The new just-in-time content caching strategy that eliminates high memory usage.
    We have re-designed content cache for better performance.The new strategy caches only the folders and the content records that are accessed by the users. Folders are cached individually, as opposed to the old structure that caches the entire repository.

Email Management

  • Start customizing the attributes that are used in the API calls to Google Suite.
    We now offer the ability to change the user attribute for Google Suite Provisioning. Customize the attributes that are used in the API calls to Google Suite by specifying an alternate attribute instead of the user's email address. 


  • Stop your users from modifying the personal hotspot setting​s.
    You can now restrict your users from modifying the personal hotspot settings and prevent Siri from logging the data back to its servers on iOS 12.2+ devices.


  • We now support Hub Services on macOS Intelligent Hub 19.04.
    The UEM Console 1904 brings support for macOS Intelligent Hub 19.04 features that includes enhanced catalog, People, Notifications, and custom Home tab. 
  • New and improved FileVault Encryption profile.
    The Disk Encryption profile now supports MDM deferred enablement. The profile update also comes with more granular controls over Hub behavior for encryption enablement and recovery key escrow. 


  • Tighten the security of your Relay Server. Relay Server configuration now supports HTTPS protocol.
    You can now select the HTTPS protocol when you configure a relay server, including the configuration of a Stage Now barcode. Take advantage of this support by configuring an HTTPS endpoint using the web server config tool of your choice (for example IIS). You must also navigate to Devices > Provisioning > Relay Servers > List View, select Add, followed by Add Relay Server, then in the Device Connection tab, select 'HTTPS' as the Protocol.


  • Keep your Windows Desktop devices safe from harmful communications with the new Firewall profile.
    The new Firewall profile contains new settings for Windows 10 devices. Now you can configure different behaviors for domain, public, and private connections. You can also add your own custom firewall rules.
  • We made maintaining Dell Provisioning for VMware Workspace ONE provisioning packages easier with templates.
    Templates let you configure the settings for a provisioning package including the apps and save the settings for later use. We've also added the ability to edit and delete existing provisioning packages.
    If you have existing PPKGs when you upgrade to 1904, they will be removed as they no longer support the new workflow. You will need to recreate your existing PPKGs.
  • Give the users their apps. Add user context apps to your provisioning packages for Dell Provisioning for Workspace ONE UEM.
    You can now add user context apps to provisioning packages. These apps are installed when a user signs into a device for the first time.
  • Sometimes a baseline just needs a little tweaking.
    You can now customize the default ADMX settings in your Windows Desktop Baselines. This customization is in addition to adding additional ADMX policies.

Resolved Issues

The resolved issues are grouped as follows.

1904 Resolved Issues
  • AAPP-5436: Application version sort for the VPP application managed devices does not work as expected.

  • AAPP-6190: In a multi user scenario, the target that is used for installing the VPP application fails to update if a new user logs in.

  • AAPP-6390: Bootstrap package fails to delete when it is assigned a smart group with at least one device.

  • AAPP-6408: The Device Wipe menu fails to clear the activation lock if the device is moved to a child OG.

  • AAPP-6419: The UEM console incorrectly displays the Windows OS updates for an iOS device. 

  • AAPP-6617: The application version fails to save the fourth digit and results in a version hash mismatch error.

  • AAPP-6634: The managed license information fails to display in the UEM console

  • AAPP-6636: Apple devices fail to support the Private Key export option for .p12 or .pkcs or .cer files.

  • AAPP-6642: The purchased book inside the book catalog results in globalization errors and displays "description" as "description.plural".

  • AAPP-6748: Publishing iOS Restriction profile and assigning it to 200K devices does not work as expected and results in a Async Network IO wait and deadlock error.

  • AAPP- 6768: Inside the Hub Catalog, all the VPP applications that are deployed as On-Demand appear under the Recommended Section of the Hub Catalog.

  • AAPP-6795: iOS Hub wipes after the SDK setup.

  • AAPP-6801: AllowAllAppsAccess is not available for the Device context profiles.

  • AAPP-6824: Pre-registration fails for DEP enrollments if authentication is enabled in the profile.

  • AGGL-4679: Removing a public application from the device does not update the application status on the console.

  • AGGL-4694: Knox container disappears on restarting with the Dual Mode.

  • AGGL-4961 : Application assignment update for the public application that is already added to the UEM console fails to trigger the command 98.

  • AGGL-5170: Android EMM enrollment restriction that is based on the Smart Group does not work as expected for the G Suite integrations.

  • AGGL-5218: The UEM console accepts only 32 characters as the android UDID.

  • AGGL-5227: Public applications are not displayed under Device details View > app tab if the work profile device has the same the internal application assignment.

  • AGGL-5231: Per-App VPN-mapping commands are not generated when applications are assigned after enrollment.

  • AGGL-5253: Unable to view or download the QR codes when the UEM console language is set as French.

  • AGGL-5310: Unable to search for the public app in the app group if the Google account is not configured.

  • AGGL-5311: AL table fails to update for the public apps when the privacy setting is set to "do not collect".

  • AGGL-5365: Knox Restrictions profile shows duplicate entries in the UEM console for the Register Enterprise FOTA.

  • AMST-13756: Lifecycle> updates page loads "An error has occurred-Something unexpected happened".

  • AMST-14384: OS version in the UEM console fails to upgrade even after the Windows device version is upgraded.

  • AMST-14437: Device-based SCEP certificate fails to install on Windows 10 devices.

  • AMST-14947: ​Windows Defender Exploit Guard Profile does not work as expected. 

  • AMST-15013: Application shows the reason as "Failed" and Install Status as "Not Installed" for all the failed app uninstalls.

  • AMST-15224: Device does not enroll as expected and incorrectly report the enrollment status as enrolled.

  • ARES-6661: Internal app upload blob fails intermittently.

  • ARES-6878: Application catalog does not localize as expected.

  • ARES-7724: Boxer configuration does not work as expected on Android devices.

  • ARES-8204: Radio Button for Applications in the Device Details page cannot be selected.

  • CMCM-188068: SSP does not work as expected when you add or edit the repository using the Microsoft Edge and Internet Explorer browser.

  • CMCM-188106: AW-managed Content Category fails to sort the list in the alphabetical order.

  • CMCM-188107: The UEM console creates random duplicate managed content records.

  • CMSVC-8806: Application blacklist compliance does not process as expected on some of the devices.

  • CMSVC-9119: The Workspace ONE App catalog fails to load. 

  • CMSVC-9134: Custom Query Groups creation does not work as expected when you use the same logic with different custom base DN.

  • CMSVC-9144: IDM AirWatch compliance check fails on the devices that does not have a compliance rule.

  • CMSVC-9166: SAML authentication fails if the user has a multi domain set up.

  • CMSVC-9434: Endpoint api/system/users/{uuid} API removes the custom attribute values that are not specified in the API call.

  • CMSVC-9466: Adding an administrator role in the UEM console with Internet Explorer 11 browser does not work as expected and loads "Page not Found" error.

  • CMSVC-9472: The user activation email is garbled when the email is sent using the batch import.

  • CMSVC-9549: Administrators cannot update the "email username" with the null value using the API call.

  • CMSVC-9714: When this profile is pushed down to the device, instead of pushing down the user email address, the value 'Private' is pushed down to the device.

  • CMSVC-9729: Dell provisioning fails staging authentication and the Windows devices do not enroll as expected.

  • CRSVC-4971: Auto Renewal option does not display on the certificate template CA which has the authority type as ADCS and the protocol as SCEP.

  • CRSVC-5048: The UEM console fails to reset invalid login attempts.

  • ENRL-813: iOS devices fail to complete the enrollment in Workspace ONE UEM console when using vIDM auto discovery.

  • ENRL-889: Device limit per user is not honored when the device restriction is with OS version. 

  • ENRL-904: iOS devices fail to enroll in the unmanaged mode if the "Display MDM Installation" message is enabled under Optional Prompt in All Settings > Devices & Users > General > Enrollment.

  • ENRL-946: User ID validation step returns the error message "OG is not authorized".

  • ENRL-1010: Blacklist and Whitelist for Comma-separated values creates one record even with bulk values.

  • ENRL-1059: Device restriction policy fails to block the device enrollment if the locale of the message template differs from the user/OG locale.

  • FBI-178022: Application Details by Device report fails to fetch the information about the devices that has a prior version installed on the device.

  • FBI-178087: Report Subscription page does not work as expected and results in "Something unexpected happened. If the issue persists, please contact your system administrator" error.

  • FDB-2480: Compliance policies fail to get assigned to the devices as expected.

  • FDB-2481: Manage devices page fails to display devices for certain VPP applications.

  • HUBM-53: macOS Agent fails to fetch the network interfaces that are configured on the macOS device. 

  • HUBM-60: Agent fails to start encryption after the device is decrypted using diskutil command.

  • HUBM-68: Recovery key does not work as expected when the FDErecoveryagent is loaded on macOS devices below 10.13.

  • HUBM-146: macOS Agent crashes for some of the pre-deployed applications that does not have the timestamp record.

  • HUBM-156: macOS application in the Workspace ONE UEM console displays incorrect install status message.

  • HUBM-157: macOS Software distribution displays inconsistencies with App Install Statuses.

  • HUBM-246: Airwatch crashes if the SSID has an apostrophe in the name.

  • HUBM-407: Entering a email address into the Hub results in the "Invalid Email Address error".

  • HUBM-428: Hub fails to prompt the user for a restart after installing macOS 10.14.3 update.

  • HUBM-429: Software update message in Hub incorrectly directs the user to App Store on macOS Mojave.

  • HUBM-429: Software update message in Hub incorrectly directs the user to App Store on macOS Mojave.

  • HUBM-525: Disk encryption on a macOS 10.14.3 device does not get initiated even though the file vault encryption profile is installed on the device.

  • HUBM-795: The hub only executes the command in the new profile and does not report the changed status by executing the old profile.

  • RUGG-5576: The UEM console incorrectly activates a product even if the product has a deactivation date or time that has a past reference.

  • RUGG-6232: Linear Barcode generates incorrect information when adding certain Wi-Fi profiles as a Staging profile into the Staging package.

  • RUGG-6262: Files that are deleted from Provisioning>Files/Action fail to remove the blob record. Patch Resolved Issues
  •  RUGG-6338: The PolicyListSample_Save sproc updates an existing job on next sample even if the job is in terminal state and leads to incorrect failure try count. 

  • CMEM-185163: G Suite with password retention fails to provision password when the user is created through SSP registration.

  • FDB-2431: The DeviceApplication VPP storage procedure times out consistently.

  • RUGG-6601: Custom Attribute Sample Save results in primary key constraint error.

  • AAPP-7058: Workspace ONE Intelligent Hub 19.04.1 fails to seed into Workspace ONE UEM Console. Patch Resolved Issues
  • FCA-189665: Several configuration improvements have been made to AirWatch Express that impacts location collection, app catalog, and lost mode for the iOS devices.

  • AGGL-5459: Android Enterprise Enrollment Restrictions based on user groups does not work as expected.

  • AMST-16425: Windows firewall profiles installation fails when the connection rules are configured.


    CRSVC-5499: AirWatch Cloud Connector license file has missing information on the open source packages that are used in 1904. Patch Resolved Issues
  • AMST-16724: Performance Degradation due to Windows Usage Baseline Dependencies.

  • AMST-16725: Performance degradation due to improper handling of Windows Check In Requests. Patch Resolved Issues
  • AAPP-7183: macOS devices spam the database with CompromisedStatusReported and DeliveryCheckIn events. Patch Resolved Issues
  • INTEL-11495: Data export to Intelligence fails for records with blank Application Identifiers. 

  • ENRL-1155: Add Debug log entries for Enrollment Restriction Policy workflow. 

  • AAPP-7130: APNSOutbound MSMQ backing up due to performance degradation of APNs HTTP/2 Client. 

  • CRSVC-6093: Frequent Device Check Ins causing high Memory Usage on Device Services Server.

  • CRSVC-6094: SystemCodeBusiness instantiates a new instance of SystemCodeBusiness. Patch Resolved Issues
  • CMSVC-10102: Enrollment Users migration script to fix users does not contain the Authorized Organization Groups.

  • CMSVC-9306: Duplicate users get created while adding Directory users on the UEM console.

  • CMSVC-10180: Lotus Domino integration is unable to sync the Directory user group.

  • AGGL-5662: The UEM application server experiences high CPU when Memcached is not configured. Patch Resolved Issues
  • FCA-190396: Admins are unable to accept the Terms of Use after console upgrade.   

  • AAPP-7264: Post iOS 12.2 upgrade, Per-Message Switch Encryption is set to False for the iOS EAS profiles. Patch Resolved Issues
  • CRSVC-6253: Device Enrollment fails if the username is an email address due to an issue with the decoding on the IIS.

  • INTEL-12724: Windows Patch data export causes ETL thread starvation. 

  • INTEL-12761: Application data export in the CDC enabled environments does not honor Collect but Do Not Display privacy settings. Patch Resolved Issues
  • AMST-18797: Windows Updates (WSUS) metadata synchronization fails due to SOAP API exception.

  •   AMST-15945: Windows 10 devices are unable to update the location data in the console. Patch Resolved Issues
  •   AAPP-7936: Cannot clear passode for iOS/iPadOS 13 enrolled devices. Patch Resolved Issues
  • PPAT-6095: Tunnel Proxy enabled applications fails if the server certificates do not comply with new Apple TLS cert policies for iOS 13. 

  • RUGG-6964: Held Commands fails to release properly due to Primary key violation. Patch Resolved Issues
  • AGGL-6888 EFRP link in Console to get Google UserID broken Patch Resolved Issues
  • AAPP-9905: Delete Device does not wipe the device in rare occurrences when device checks in right before the command is issued. Patch Resolved Issues
  • AMST-27385: Device enrollment status is stuck in progress.

Known Issues

  • AAPP-6843: Asset Number value from the batch import file is not applied for DEP enrollments.

    Device record in the enrollment status page has the asset number value from the uploaded csv, but when the device enrolls, that value is overwritten with the device UDID. 

  • AAPP- 6811: End Users using the macOS Hub catalog see packages in the Recommended category.

    Hub catalog packages that are usually not intended for end user interaction are displayed in the Recommended category in the Hub catalog on macOS.

  • AGGL-5456: Android enterprise internal applications are unable to associate Android For Work VPN profile using API.

    Internal application association with the VPN profile in the Android Enterprise Device in the owner mode does not work as expected. 

    As this is a one time association per internal application, complete the association from the UEM console and push the application using API.

  • AMST-15223 : SCEP certification installation shows a failure in the OOBE screen.

    When the user signs in with OOBE flow and the device date time is wrong the certificates install shows a failure.

    As a workaround, set the date and time after the enrollment.

  • AMST-1544: Troubleshooting logs for Hololens device samples does not work as expected.

    Samples that are sent to a Hololens device does not work as expected. Administrators see errors for samples failing due to Hololens that are using the entire sample.

  • AMST-15198: Local user creation should not be allowed in the AAD Premium flow.

    When the user creates unattend xml, there is the option to create a local user. If they choose this option they are not able to enter the Azure credentials to sign in the first time.

    As a workaround, it is recommended that administrators remove the flow to avoid confusion.

  • AMST-16054: Customers cannot push Bios Profile unless DCM is already on the device.

    Customer must first ensure that the DCM is on the device before pushing down BIOS profile.

    As a workaround, install the latest DCM version from Dell via software distribution to the device before pushing the Bios profile.

  • ARES-7989: User is able to save invalid key value pair of the application configuration as there is no validation. 

    There is no validation check on the application configuration for boxer application on adding a blank entry at the end. 

  • ARES-7986:Administrators are unable to resolve the value with Array datatype in the application configuration of boxer for the lookup values.

    The values are no displayed in the application configuration xml for the Array type lookup values.

    As a workaround, administrators can send in without the look up values.

  • CMEM-185163: Email flow is affected for Google Password Provision deployment.

    If the customer is adding user using SSP, google password provision does not work as expected and the email flow gets impacted.

    As a workaround, add users using Active Directory sync.

  • CRSVC-5465: Targeted Logging cannot be stopped from the device details if more than one device is marked for the targeted logging on the environment. 

    Unable to disable targeted logging from the Device Details Page when the targeted logging is enabled for more than one Device.

    As a workaround, in the targeted logging page (admin -> diagnostics -> logging), remove the entry for the device you want to stop targeted logging for and save the settings. Targeted logging will now be disabled for the one particular device.

  • CRSVC-5457: Targeted Logging may fail at the device details on a brand new environment.

    Targeted logging for a single device does not work as expected if the logging settings page at global OG has never been touched.

    By saving the logging settings at the Global OG under All groups & settings -> Admin -> diagnostics -> logging, the systemcodegroupoverride for 127 is created and the targeted logging now works from the device details.

  • FCA-189523: The Monitor PDF is not fully legible.

    The PDF export of the Monitor Overview has formatting issues.

  • FCA-189553​: Users cannot reset the locale in SSP language setting.

    Select Language dropdown in the SSP Login Page picks the languages which are selected under Global level but not from the OG level and the Reset button does not work as expected.

    As a workaround, 

    • On Prem customers can include the locale at Global level.
    • Saas customers can reach out to administratrs for adding the locale at the Global level.
  • FDB-2516: Since we delete first and then insert the Custom Attributes (CA) while saving the CA sample, the deletion happens but the insertion fails. So, the device will be left with no CAs assigned to it.

    If any product is created with assignment rules and if these CAs are used in assignment rule, the product will be non-compliant. This issues occurs when Agent sends multiple CAs with the same CustomAttribute-ApplicationGroup pair. The insert into device custom attribute table fails because CA ID is the Primary key and we receive the same CA ID for the same CustomAttribute-ApplicationGroup pair.

  • PPAT-4820: Overriding the Tunnel configuration at Child OG results in VPN disconnect.

    When an administrator overrides the Tunnel configuration and Save, the new Certificate Authority is not getting created and the Tunnel configuration at the child is using Parent OG VPN certificate to issue the client certificate.

  • PPAT-4844: The UEM console allows same port for Per-App Tunnel and Proxy configuration.

    There should be a validation for not allowing same ports if the same server is being used for both Proxy and Per-App Tunnel.

    As a workaround, configure Per-App Tunnel and Tunnel Proxy with different ports.

  • PPAT- 4972: Child OG can override parent tunnel configuration when the Parent OG child permission setting is inherit only. 

    When Parent OG defines the child permissions on Tunnel Proxy page, child OGs do not respect the configured settings.

    As a workaround, set the inheritance of the Child OG Proxy configuration to match the settings of the Parent OG.

  • PPAT-3982: Customer can only have NSX configured at one OG at a time.

    Syncing NSX on the second OG will wipe the security group settings from the first OG.

  • RUGG-6570: Legacy and dotnetcore Pull Service fails to download content in the load balanced environment.

    This issue happens only in a environment with Load Balancer that has multiple Content Pull servers and the request goes to one server for get-manifest and other server to Get file data.

  • CRSVC-4391: Changes to Bluecoat VPN profiles fail with error "Save failed - unable to fetch trusted certificates".

    The integration between Workspace ONE UEM and Bluecoat leverages an authentication certificate seeded in the console and tenant identifier 'customer ID' input by an administrator in the VPN payload to initiate the integration. The seeded authentication certificate has expired which results in an error when the administrator attempts to make changes to the Bluecoat profile.

    At this time we have asked Bluecoat to provide a new certificate leveraging SHA-512 and we recommended that they offer tenant level certificates or vendor generated authentication certificates for added security. 

  • AGGL-5447: Configuring Pulse Secure while pushing a VPN profile does not work as expected.

    Unable to configure Pulse Secure while pushing a VPN profile if the authentication requires a certificate.

  • FCA-190396: Admins are unable to accept the Terms of Use after console update.

    For some admin accounts, after logging into the WS1 UEM for the first time after the environment upgrade to 1903, admins will not be able to accept the Terms of Use and proceed past that page, blocking them from accessing the Console.

    To avoid this issue, delete and recreate the admin account.

check-circle-line exclamation-circle-line close-line
Scroll to top icon