Workspace ONE UEM | 30 May 2019

Check for additions and updates to these release notes.

New Features in this Release

Workspace ONE UEM console

  • Get the most out of AirWatch Express with the new default configurations.
    Several configuration improvements have been made to AirWatch Express that impact location collection, app catalog, and lost mode for iOS devices.
      • Location collection is now turned on by default for new AirWatch Express deployments. End users will now receive a confirmation prompt on their devices asking for permission to collect location data. If granted, location data appears in Device Details on the UEM console.
      • App Catalog is now enabled by default for new AirWatch Express deployments. After enrollment, the App Catalog webclip appears on the device home screen and allows end users to see all assigned apps.
      • Quickly unlock iOS devices placed in Lost Mode from the actions toolbar on the Device Details view.
  • Retrieve your user accounts and groups with the all new SCIM API.
    A new SCIM API helps retrieve all the groups that a user belongs to. 
  • Auto-approve your applications from the Office 365 Getting Started wizard.
    The Office 365 Getting Started Wizard lets you automatically approve Office 365 apps for Android Enterprise. This is now the normal flow.
  • Export your reports to XLSX files, just like CSV files.
    In addition to exporting CSV files, you can now export list views and reports as XLSX files. With this new choice, you can avoid the formatting issues caused by CSV formats.

Workspace ONE Intelligent Hub

  • Easily activate your Hub Services if you are already using VMware Identity Manager and Workspace ONE UEM.
    You can now easily enable Hub Services if you are already using VMware Identity Manager and Workspace ONE UEM.
    Just enter your existing VMware Identity Manager URL to activate Hub Services. You do not need to reenter the admin user credentials; we use the ones you already provided to link VMware Identity Manager and Workspace ONE UEM.


  • Start reporting on both physical SIMs and eSIMs with the new dual SIM support.
    Admins can now report on both physical SIMs and eSIMs configured on supported iOS devices like the iPhone XR, XS and XS Max.

Mobile Content Management

  • Add wildcard values to stop your users from creating manual repositories and sub folders.
    You can now use the wildcard character (*) at the beginning and the end of the file path to stop your users from creating manual repositories and sub folders using the manual template.


  • Add apps to the Launcher profile with the ease of automation.
    You can now create dynamic rules to automatically whitelist apps added to a Launcher profile. These rules support wildcard characters in the App Field. After you add a wildcard, the app icon displays as a bundle of apps and appears in the Launcher in the available space. You do not need to republish the app every time you add a new app.
  • We've extended Content Delivery Network (CDN) to VMware Workspace ONE Launcher.
    Content Delivery Network (CDN) is now extended to VMware Workspace ONE Launcher. During enrollment, the Launcher is pushed to the device through CDN instead of Device Services. This improves the performance of Launcher delivery to devices and reduces the server load when a new version of Launcher is deployed.


  • Make the most out of your Dell devices with the updated BIOS profile and Dell Command | Monitor integration.
    You no longer need to manually push Dell Command | Monitor to your Windows Desktop devices to use the BIOS profile. When you push the profile to your devices, Workspace ONE UEM automatically pushes Dell Command | Monitor to the devices.
  • Keep your users informed. Enable a progress display for Windows Desktop devices enrolling using the Out of the Box Experience (OOBE) workflow.
    The new progress display informs the user what is happening behind the scenes during the OOBE enrollment. You can also allow your users to skip OOBE after a specific timeout period.

  • End-user devices no longer require Intelligent Hub to use the Windows Desktop Antivirus profile.
    It is now easier to keep your Windows Desktop devices secure with Windows Defender, because the updated Antivirus profile for Windows Desktop devices no longer requires the agent.

  • Devices have a huge number of attributes associated. Harness the power of Sensors to target the specific devices you want.
    Windows Desktop devices have tons of attributes to remember such as hardware, OS, certificates, patches, apps, and more. To track all these attributes, we created Sensors. Now you can create a sensor for a specific attribute and view this data in Workspace ONE Intelligence by creating visualizations on dashboards and customizing reports.

Resolved Issues

The resolved issues are grouped as follows.

1905 Resolved Issues
  • AAPP-2103: Array value type unavailable for the VPP application configuration.

  • AAPP-5525: Administrators are unable to publish macOS Wireless Profile.

  • AAPP-6094: Clear activation lock does not work as expected.

  • AAPP-6108: DEP devices that have more than one existing enrollment Token record create a discrepancy in the actual number of DEP devices.

  • AAPP-6140: iOS public app added through the URL is not displayed under apps tab on the device details page. 

  • AAPP-6744: SDK-integrated app fails to load on iOS devices when pushed as a managed VPP application.

  • AAPP-6843: Asset Number from the batch import does not get applied to DEP enrollments.

  • AAPP-6845: Renewing the iOS provisioning profile does not work as expected.

  • AAPP-6859: End user license agreement for the VPP apps is not updated.

  • AAPP-6882: Unable to change the DEP profile assignment for a device that has been registered through the API call and not the batch import.

  • AAPP-6886: Device search API calls or any calls that return the network sample fail for macOS devices.

  • AAPP-6903: Custom B2B VPP applications are not displayed under the given category.

  • AAPP-6905: UEM incorrectly responds to Network User authenticate messages when the device is enrolled to an end-user.

  • AAPP-6969: On-Demand File or Action Products fail to deploy from the macOS Intelligent Hub catalog.

  • AAPP-7020: Uninstalling purchased app API fails indicating that the application or the user does not have access.

  • AGGL-192: Server API system/users/enrolleddevices/search fails to return the organization group.

  • AGGL-4544: Android Enterprise devices do not honor Enrollment Restriction settings. 

  • AGGL-4940: Disabling FRP while initiating a device wipe for Work-Managed devices does not work as expected.

  • AGGL-5024: System applications on Android for work devices fail to manage automatically when assigned through the console during post enrollment.

  • AGGL-5306: Unable to search android applications in the application group when AFW is enabled.

  • AGGL-5363: Device-based Lookup values used in the application configuration are not pushed to devices.

  • AGGL-5366: System application (Chrome) is unable to get the VPN profile when enrolled through Android For Work.

  • AGGL-5411: The application configuration lookup values are not clickable for Android Enterprise devices.

  • AGGL-5447: Unable to configure Pulse Secure when pushing a VPN profile if the authentication requires a certificate.

  • AGGL-5456: Android enterprise internal applications are unable to associate Android for Work VPN profile using API.

  • AGGL-5459: Android Enterprise Enrollment does not honor the restrictions based on the user groups.

  • AGGL-5501: Serial Number lookup values fail to populate for the Android For Work application configuration.

  • AMST-14774: Data contingencies in the "When to Install" section do not work as expected.

  • AMST-14843: Windows Desktop VPN profile fails with the Invalid DNS Server error.

  • AMST-15004: InterrogatorDataHandler results in the OverflowException error.

  • AMST-15094: If the Dell Bios profile is already installed on the Win-10 device, re-pushing the profile after making changes to the Bios Profile fails.

  • AMST-15198: Local user creation is allowed in the AAD Premium flow.

  • AMST-15203: Profiles are incorrectly applied on the Dell Command Suite apps.

  • AMST-15744: Troubleshooting logs for HoloLens device sample do not work as expected.

  • AMST-16054: Customers cannot push Bios Profile unless DCM is already on the device.

  • AMST-16345: DCM App is not queued when we push a fresh Auto-BIOS profile for already enrolled devices.

  • ARES-2791: Manage Devices menu allows the removal of rejected applications and incorrectly displays the status as Installed.

  • ARES-2831: Managed Application List displays Invalid data.

  • ARES-6830: Application Count for Workspace ONE Application on the UEM Console does not match with the database.

  • ARES-6832: Application Status Endpoint is Returning Not Supported / Not Assigned for Old App Versions.

  • ARES-6859: "No Records Found" is displayed as Installed devices in the Manage Devices screen, when the public application is Inactive.

  • ARES-7989: User can save the invalid key value pair of the application configuration as there is no validation. 

  • ARES-8162: Search field in the Workspace ONE app catalog does not search by app description for native applications contrary to the message displayed to the end-user.

  • ARES-8171: Mismatch in the Application Name under Devices & Users / Apple / Apple iOS / Intelligent Hub Settings.

  • CMCM-187739: Distributed Files System is not compatible with the Content gateway.

  • CMEM-185163: G Suite with the Password retention fails to install on the device with SSP.

  • CMSVC-9154: The last notification of the password expiration email is incorrectly sent based on the UTC time.

  • CMSVC-9155: Cannot insert the NULL value into the 'UserName' column.

  • CMSVC-9624: Notification email is not sent while updating an admin user item using the REST API.

  • CMSVC-9933: Child admins unable to edit the user group.

  • CMSVC-9974: Smart group updates fail and do not work as expected.

  • CMSVC-10016: Azure AD images and examples in the UEM console are old. 

  • CMSVC-10037: Smart group assignment edit does not work as expected. Clicking the white-space beside the check boxes results in enabling or disabling the selection.

  • CRSVC-4729: OCSP selects made on the certificate return incorrect status if the serial number starts with zero.

  • CRSVC-5465: Targeted Logging cannot be stopped from the device details if more than one device is marked for the targeted logging on the environment. 

  • ENRL-308: User group-mapping system settings fail to allow an administrator to leave the user groups out of the configuration.

  • ENRL-1084: If a customer runs a script to delete devices from the database without leaving a trace, the devices remain enrolled and continue to check-in. Since the devices are now untraceable, it is difficult to identify them and re-enroll.

  • ENRL-1119: Enrollments failing after environment upgrade.

  • ENRL-1193: User login fails on accepting EULA if the domain is prefixed with the user name.

  • ENRL-1120: Device enrollment does not work as expected.

  • FBI-178092: Device Security Posture report shows erroneous data for column Security Patch Level.

  • FBI-178093: When generating Blacklist or Non-Whitelist Application Details By Device report for Non-Whitelisted apps, the report incorrectly includes whitelisted apps.

  • FCA-186959: Multi-byte character in the exported csv file gets garbled if you open it with Excel that runs on Japanese Windows operating systems.

  • FCA-188925: Device List View export does not work as expected if the custom Monitor filter has more than 1000 devices.

  • FCA-189086: Improvements made to secure access to the settings pages. 

  • FCA-189092: Application version number mismatch in the UEM console and database.

  • FCA-189523: The PDF export of the Monitor Overview has formatting issues.

  • FCA-189839: VMware Identity Connector Installer link fails to point to the installer download.

  • FCA-189930: Enrollment fails to save and an error message is displayed when the UEM console language is set to French.

  • FCA-189969: Administrators are unable to delete an OG.

  • FCA-190245: Privacy App shows an incorrect telecom data collection for iOS and Android devices.

  • FDB-2326: Unable to insert the duplicate key row in the object mobileManagement.EnrollmentUser with unique index IX_EnrollmentUserID.

  • FDB-2497: Monitor page takes a significant amount of time to load compared to other pages in the console.

  • INTEL-11312: Applications published through the products do not get picked for the data export.

  • INTEL-11730: Workspace ONE Intelligence displays incorrect number of enrolled devices.

  • PPAT-4887: Re-configuring the Tunnel proxy after deleting the Tunnel configuration does not clear the old SSL certificate.

  • PPAT-5073: Unable to edit or modify the Device Traffic Rules.

  • PPAT-5305: Internal Apps for Android do not display in Device Traffic Rules.

  • RUGG-5615: Staging Package gets incorrectly transferred to all the OGs.

  • RUGG-5857: Administrators can incorrectly save the time that is earlier than the start time.

  • RUGG-5965: Deleting files on a Brick FTP relay server does not work as expected. 

  • RUGG-6231: Product name that contains the double-byte character saves successfully even though it displays an error. 

  • RUGG-6373: Staging profile does not list child Wi-Fi profiles while generating a barcode.

  • RUGG-6430: Policy Engine throws a Primary Key Violation exception error.

  • RUGG-6525: Orientation lock check box is not saved in the launcher profile.

  • RUGG-6601: Primary key constraint in Custom Attribute Sample Save.

  • RUGG-6626: Unmanaged wipe protection check toggle for android and rugged platform does not work as expected. 

  • AGGL-4492: The Last Seen field under the Summary tab in device details has been improved to give a more accurate timestamp.

Patch Resolved Issues
  • AGGL-5662: UEM application server experiences high CPU usage if Memcached is not configured.

Patch Resolved Issues
  • ARES-8588: Selecting “Retire Previous Version” while uploading a new version of an internal application leads to the latest version being retired.

Patch Resolved Issues
  • CMSVC-10004: Devices that are displayed in the User List View incorrectly show Devices from the Sibling OGs.

Patch Resolved Issues
  • CRSVC-6253: Device enrollment fails when the username is an email address. 

  • AAPP-7264: Post iOS 12.2 upgrade, Per-Message Switch Encryption is set to False for all the iOS EAS profiles.

  • CRSVC-6002: SystemCode API is not BG (Blue/Green) compatible.

  • INTEL-12761: ETL | CDC application export does not consider privacy settings for personal applications.

  • INTEL-12724: Console Database | Windows Patch data does not contain the ETL thread.

Patch Resolved Issues
  • RUGG-6799: Unable to download Launcher post 1905 migration.

  • PPAT-5317: Grandchild OG inherits DTR from Grandparent not from the parent OG. 

  • AGGL-5663: Per-App-VPN commands get queued multiple times for devices.

  • AMST-18272: Database connection failures may lead to unenrollment of Windows 10 devices.

  • AAPP-7487: Devices are enrolled only to one user account.

  • INTEL-12509: Products category is exported to the entity type list.

Patch Resolved Issues
  • AAPP-7561: iOS Web application results in "Failed to retrieve application status" error while launching 19.5 patch 5 environments with SSO on in the SDK.

Patch Resolved Issues
  • RUGG-6900: Hub Catalog incorrectly presents black icons for all apps.

  • AAPP-7543: Mac devices get enrolled only to one user account.

Patch Resolved Issues
  • CMSVC-10349: User group sync fails from the UEM console to vIDM when the ImmutableID is mapped against the externalID.

  • CMSVC-10352: User sync from the UEM console to IDM fails when the Admin and the Enrollment User accounts share the same primary key value in the UEM console.

  • CMSVC-10460: UEM to IDM directory integration only synchronizes 20 user groups.

  • ARES-8700: AppStatus Endpoint fails to honor the standard JSON response format.

Patch Resolved Issues
  • AMST-18797: Windows Updates (WSUS) metadata synchronization fails due to SOAP API exception.

Patch Resolved Issues
  • RUGG-6750: Copying file/actions and deleting file from copied file/actions impacts the original file actions. 

  • INTEL-13179: Unmanaged applications are displayed in the reports when the device is unenrolled.

Patch Resolved Issues
  • AAPP-7936: Cannot clear passcode for iOS/iPadOS 13 enrolled devices.

Patch Resolved Issues
  • PPAT-6095: Tunnel Proxy enabled applications fail if the server certs do not comply with new Apple TLS cert policies for iOS 13.

1905 Patch Resolved Issues
  • AAPP-9904: Delete Device doesn't wipe the device in rare occurrences when device checks in right before the command is issued.

Patch Resolved Issues
  • AMST-27384: Device enrollment status is stuck in progress.

Patch Resolved Issues
  • AAPP-10087: Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications

Known Issues

  • PPAT-3982: Customer can only have NSX configured at one OG at a time.

    Syncing NSX on the second OG will wipe the security group settings from the first OG.

  • PPAT-4817: Tunnel configuration is not displayed correctly while switching OGs.

    When switching OGs, the user interface shows incorrect tunnel configuration. The UI displays configuration from the original OG.

  • PPAT-5382: Device traffic rules for Workspace ONE application are duplicated if the user sets the device traffic rules for Workspace ONE application and then runs Mobile SSO wizard from the getting started track.

    Device Traffic Rules for Workspace ONE are duplicated instead of being skipped.

    As a workaround, you can delete the duplicate entry. 

  • PPAT-5388: Device Traffic rules can be misleading in a child OG that is not overridden if there are any rules for apps that exist at the parent level.

    Applications do not show as they are managed by the parent.

  • PPAT-4844: The UEM console allows same port for Per-App Tunnel and Proxy configuration.

    There should be a validation for not allowing same ports if the same server is being used for both Proxy and Per-App Tunnel.

    As a workaround, configure Per-App Tunnel and Tunnel Proxy with different ports.

  • AMST-17342: Unable to remove FW rules.

    Customers are unable to remove FW rules off of their devices on edit.

    As a workaround, delete or remove any profiles with rules to erase the configuration from the devices.

  • ARES-6552: Application version sort does not work as expected. 

    Other versions -> Sort By version number in the UEM console does not work as expected.

  • CMEM-185217: SEG MemConfig is displayed under Monitor -> Admin Panel.

    SEG configuration should not be shown in the Admin panel.

  • CMEM-184489: Sync Mailboxes status popup does not display correctly on the user interface.

    Status popup is cut off from the user interface. 

  • AMST-17297: Customers are unable to edit the registry criteria as the app status remains "Install command dispatched".

    Install command gets processed when registry criteria has hkey_local_machine instead of HKLM. Ideally in such cases the install command is expected to fail.

    As a workaround, delete the application from the UEM console and add it back with appropriate detection criteria.

  • AMST-17107: SFD task scheduler does not work as expected.

    SFD task scheduler remains in the running status after the client upgrade. Any applications that get queued after the upgrade are not processed until the SFD task scheduler is restarted.

    As a workaround, kill and restart the SFD task scheduler. This particular issue is an edge case since not all applications get stuck in the download in progress.

  • AMST-17391: OOBE Blocking screen doesn't move automatically to the next page for RS3 devices.

    The OOBE blocking screen fails to move automatically to the next page for RS3 devices. However, users can click the Got It button to continue with the workflow. Also, the setting 'Provision entities on windows OOBE enrollment' under 'Optional Prompt' does not work for RS3 devices.

  • FCA-190511: Mobile SSO wizard displays VMware tunnel setting status as "setup" instead of "Edit settings".

    Even though the Mobile SSO wizard setup completes all the tunnel related configuration, the task status on the summary page does not show as "Edit settings".

  • FCA-190415: Bookmarks do not work as expected.

    Favorite icon successfully adds a page to the bookmark list but fails to appear in the drop down. 

    As a workaround, refresh the page. 

  • FCA-190417: Navigation from the blueprint review tiles does not work as expected.

    Administrator is navigated to the incorrect section from the AW Express blueprint review tiles.

    As a workaround, you can navigate using the breadcrumbs from the review page.

  • AAPP-7212: iOS Device SeedScript does not display the generation number.

    Devices show as "iPad mini" and "iPad Air" and do not display the generation number.

  • AAPP-7000: DEP page allows admins to choose Default Staging User managed at the Customer OG.

    Administrators are able to see both the parent and child default staging user while configuring the DEP and may unknowingly select the wrong one. 

    As a workaround, change the OG of any impacted devices, or re-enroll the device.

  • AAPP-6997: Custom B2B VPP applications are not displayed under promotions.

    Search API does not currently return Custom B2B type for apps.

  • CRSVC-4391: Changes to Bluecoat VPN profiles fail with error "Save failed - unable to fetch trusted certificates".

    The integration between Workspace ONE UEM and Bluecoat leverages an authentication certificate seeded in the console and tenant identifier 'customer ID' input by an administrator in the VPN payload to initiate the integration. The seeded authentication certificate has expired which results in an error when the administrator attempts to make changes to the Bluecoat profile.

    At this time we have asked Bluecoat to provide a new certificate leveraging SHA-512 and we recommended that they offer tenant level certificates or vendor generated authentication certificates for added security. 

  • FCA-190396: Admins are unable to accept the Terms of Use after console update.

    Administrators are unable to log into the console.

  • PPAT-5730: Invalid Safari Domains prevents profile installation on device.

    When a profile is created with only a space or a comma as the rule, the resulting profile XML fails to install on devices.

    As a workaround, add valid Safari Domains to profile payload.
