check-circle-line exclamation-circle-line close-line

Workspace ONE UEM | July 18 2019

Check for additions and updates to these release notes.

What's in the Release Notes

1907 for On-Premises Customers: Workspace ONE UEM 1907 for on-premises customers contains all the features and resolved issues from the previous SaaS-only releases. For more information on the features and resolved issues from these releases, see VMware Workspace ONE UEM 1904 Release Notes and VMware Workspace ONE UEM 1905 Release Notes.

The release notes cover the following topics:

New Features in this Release

Workspace ONE UEM console

  • We've improved logging back into the console after your session times out.
    The console now remembers whether you are a SAML or non-SAML user. When timed-out, SAML users can log back in without any clicks. Non-SAML users, with a remembered user name and password, see their credentials auto-populated on the screen and can log back in with one click. This improvement is enabled by default.
    To learn more, see Logging In to the UEM Console
  • Know if your APNs certificates are connecting over the HTTP/2 protocol.
    We've given you an option to manually conduct the test and check whether your APNs certificates are connecting over the HTTP/2 protocol. 
    To learn more, see Checking APNs Connectivity over HTTP/2 Protocol.
  • Device tags no longer show the tag color and the tag type in the console.
    Options for the device tag color and the device tag type are removed from the console.
  • Unassign a device tag from multiple devices in a one sitting.
    You can now unassign device tags from multiple devices at the same time.
    To learn more, see Unassign Tags from Multiple Devices.
  • We offer a simplified integration with Adaptiva to support your peer-to-peer software distribution deployments.
    Workspace ONE UEM supports a new version of the Adaptiva server. For all existing customers, Workspace ONE UEM still supports the previous version of the Adaptiva server. To use the new integration, update your Adaptiva server and your AirWatch Cloud Connector to version 1907.
    To learn more, see Configuring Peer Distribution Software Setup with Adaptiva
  • AirWatch Express got a new name. It's now called Workspace ONE Express.
    Workspace ONE Express has all the same functionality as AirWatch Express, but with a new name. 
    To learn more, see Introduction to Workspace ONE Express.
  • We've improved privacy by adding a location data question to Workspace ONE Express.
    Privacy is important to our customers. Selecting Yes in the Getting Started survey prompts the user on their device if they choose to share the location data. If the user declines, then location data is not collected.
    To learn more, see Express Setup Survey.
  • Get a better idea of the batch import task status in Workspace ONE Express.
    You can now see the status of batch import tasks. Navigate to Accounts > Users > Batch Status to see the status of the batch import jobs you have already initiated.
    To learn more, see Batch Import Users or Devices.
  • Make the most out of your Telecom List View page with the new export option.
    We've given you an option to export your usage and roaming details in CSV and XLSX formats. The exported file is available for download in the Monitor > Reports and Analytics > Exports page. 
    To learn more, see Plan Usage Details for Telecom Assets.
  • We've enhanced our directory user status synchronization logic.
    The status of Administrator and Enrollment user accounts in the UEM console now syncs correctly with deactivations made to your Active Directory service provided the following assumptions. The user named in the Bind User Name option, located in Groups & Settings > All Settings > System > Enterprise Integration > Directory Services in the Server tab, must have Active Directory administrator privileges. The recycle bin must also be enabled using the Active Directory Administrative Center.
    To learn more, see Directory User Status Syncing.
  • LDAP configuration validation is now more comprehensive. Validate your LDAP configuration directly from the console. 
    Administrators can now, at the time of Directory Services setup, validate directory users and user groups, and their attributes, even before adding them to the UEM Console. The enhanced capability helps avoid bad configurations that might arise due to incorrect Directory Services setup.
    To learn more, see Map Directory Services User Information.
  • The Settings tab is removed from the Global Search results, which speeds up the search.
    If you choose to search for settings, initiate a search from the Configurations page. Navigate to Groups & Settings > Configurations and enter a keyword in the search text box.


  • The configuration experience for Android public apps now lets you set up complex configurations supported by the OEM.
    Our new updates include:
    • Support for nested bundle arrays.
    • A better and simplified design with useful tooltips. 
    • Choose to leave the unused application configuration options blank instead of deleting them from the UI.
      ​To learn more, see Assigning Applications for Android.
  • We've added programmatic migration workflows for moving your devices on legacy device administration to Work Profile.
    Migrate from your Android (Legacy) deployment to Android Enterprise(Formerly Android for Work) to gain more control and consistency across all OEM devices with the improved security and a better overall experience for employees with BYOD devices.
    To learn more, see  Android (Legacy) Device Administrator Migration
  • The improved Passcode profile provides better support for the native Android functionality.
    The Passcode profile for Android has been updated to support native features for Android 9.0. You can now: 
    • Force a separate passcode for the Work and personal side of the device.
    • Increased the maximum amount of days for password expiration from 180 to 9999.
    • Set additional biometric passcode options. 
      To learn more, see Enforce Passcode Settings (Android ).
  • Keep your Work Managed and Corporate Owned Personally Enabled devices secure with an initial passcode.
    With the Set Initial Passcode option in the Passcode profile, you can now set an initial passcode at the device level on all deployed devices. After the deployment, it is possible to reset the passcode at the device level.
    For more information, see Enforce Passcode Settings (Android) Enforce Passcode Settings (Android ).
  • The QR Code wizard now gives you more flexibility with system apps during device enrollment. 
    For all your work-managed devices, enable system apps to keep non-critical system applications installed on your work-managed device, or select disable to remove these apps.
    To learn more, see Generate a QR Code Using the Enrollment Configuration Wizard.

Chrome OS

  • Provide beta or development versions of Chrome OS and test the pre-release versions prior to general availability​.
    Determine if the devices will receive beta, development, or production builds of Chrome OS with the Release Channel field in the System Updates profile. This is useful for testing builds before pushing updates to your entire device fleet.
    To learn more, see Configure System Updates Profile(Chrome OS).


  • Enable data protection for your devices at all times. 
    We now give you an option whether or not to clear the device passcode when checking in a shared device.
    To learn more, see Configure Shared Devices
  • Automatically convert on-demand apps to managed, if you choose to enable "Make App MDM Managed if User Installed". 
    If you now install an app as unmanaged (e.g. through the App Store), the console automatically converts the app to managed when the Make App MDM Managed if User Installed setting is enabled regardless if the App Delivery Method is automatic or on demand. 
    To learn more, see Add Assignment and Exclusions to applications and Upcoming Enhancements to Managing User Installed iOS Apps


  • Rotate your recovery keys on-demand for better security compliance.
    A new security enhancement is added to the Device Details and Self Service Portal where the FileVault Personal Recovery Key (PRK) is automatically rotated 15 minutes after it is accessed by the user or the administrator.
    To learn more, see Personal Recovery Key Rotation
  • Control the restrictions for Smart card pairing on macOS 10.12.4 and later devices.
    We've now added a new profile payload to configure the settings and restrictions for the Smart Card usage.
    To learn more, see  Configure a Smart Card Profile
  • Restrict or allow capturing of screen recordings and screenshots.
    We added a new restriction key that disables the user's ability to take screenshots of the display or capture a screen recording.
    To learn more, see Configure a Restrictions Profile

Mobile Content Management

  • Select multiple files and delete them at the same time using the AirWatch Managed Content List View.
    AirWatch Managed Content List View now supports bulk file removal.
    To learn more, see Content Management List View.


  • We're getting ready for something new. The Workspace ONE Tunnel for Windows app needs a new framework and additional settings for its upcoming release.
    In the UEM console, you will see new settings referring to Workspace ONE Tunnel for Windows. Wait to use these additional settings till our new app is available.
    To learn more, see Configure Per-App Tunnel Profile for Windows Desktop App.
  • It's time to move your Safari Domains from iOS VPN Profile Payload to Device Traffic Rules setup.
    We've removed the Safari Domain section from the VPN Profile XML. If you are upgrading to 1907 from an older version, plan for a smooth migration strategy and move all your Safari Domains from iOS VPN Profile Payload to Device Traffic Rules setup. 


  • Looking to keep your Windows 10 devices configured to industry best practices? The Baselines feature is now available to all customers.
    Baselines allows you to keep your devices secure and aligned with industry standards such as CIS Benchmarks. With Baselines, you can set and manage your preferred configurations completely over the air without any dependency on VPN or your domain. You can also create custom baselines using GPO policies. New enhancements to Baselines include editing and deleting your custom baselines.
    To learn more, see Using Baselines

Resolved Issues

The resolved issues are grouped as follows.

1907 Resolved Issues
  • AAPP-6661: API that is used retrieves "use VPN flag" returns false for all the VPP applications.

  • AAPP-6868: Specific DEP devices are deleted from the Enrollment Status. 

  • AAPP-6884: DEP enrollment gets stuck in await configuration for macOS devices for various scenarios that involves a combination of a staging user and a directory user.

  • AAPP-6992: Incorrect XML gets pushed to a profile that contains more than one printer device in the printer payload.

  • AAPP-7087: User/SMIME certificates push to macOS devices does not work as expected.

  • AAPP-7129: Internal app install on supervised devices displays incorrect prompt.

  • AAPP-7130: APNs HTTP/2 client does not work as expected and results in the APNSOutbound queue.

  • AAPP-7138: Bluetooth-Managed Settings functionality does not work as expected.

  • AAPP-7212: iOS device SeedScript fails to display for iPad Mini 5 and iPad Air 3 devices.

  • AAPP-7228: APNs HTTP/2 client throws authentication exception error.

  • AAPP-7264: iOS12.2 devices are unable to switch encryption on or off per message. 

  • AAPP-7279: Applications do not install on macOS devices if the user creates a Fusion profile.

  • AAPP-7551: App installation and removal does not work as expected on iOS Check In/Check Out devices. 

  • AGGL-5025: ChromeOS User Profile fails to update device assignments.

  • AGGL-5500: Unable to clear app data on Samsung devices.

  • AGGL-5579: iOS Internal Applications does not honor the Per app VPN settings after 1904 upgrade.

  • AGGL-5605: DeviceManagement -> HmacAuthenticationHandler.TryValidate fails to resolve the IAndroidWorkWebAppBusiness type. 

  • AGGL-5609: While assigning Android Enterprise profiles, the preview devices page incorrectly displays legacy devices.

  • AGGL-5662: UEM application server experiences high CPU if the Memcached is not configured.

  • AGGL-5694: Application config save fails on the Chrome Browser application while selecting a couple of drop-down options.

  • AGGL-5698: Re-enrollment of these devices results in "Enrollment Blocked. You are not allowed to enroll your device" error. 

  • AGGL-5715: The UEM console fails to generate a profile XML with S/MIME certificate data when certificate is uploaded through SSP.

  • AGGL-5732: Proxy configuration using the PAC URL is incorrectly applied on Chrome for Android.

  • AGGL-5745: Sending push notification greater than 256 characters does not work as expected.

  • AMST-14538: Windows reset fails to delete old certificates.

  • AMST-15491: Restriction profile for Windows Desktop does not work as expected.

  • AMST-16332: Windows Protection Agent repeatedly logs "Logging HttpRequest for HMAC failure" error.

  • AMST-16344: Dell BIOS configuration profile configured with custom BIOS attributes fails to configure the attributes on devices.

  • AMST-16369: Device detail page fails to show a tooltip for installed status descriptions.

  • AMST-16548: The Bitlocker profile installation fails on devices. 

  • AMST-16577: Win10 Sensors Feature Flags are disabled after shared SaaS and dedicated SaaS UEM upgrade. 

  • AMST-16590: Health attestation sample for Windows devices does not work as expected.

  • AMST-16714: Console Device Details View fails to update with the Device-Friendly name for Windows 10.

  • AMST-16819: The new firewall profile launched with 1904 UEM console fails to remove firewall rules.

  • AMST-16994: App status in MAL changes to "User Removed" when the app is retired on the UEM console.

  • AMST-17054: Unable to Open or Edit Windows Data Protect Payload profile.

  • AMST-17058: Windows device health attestation Service does not work as expected. 

  • AMST-17081: BaseLineAdapter fails to resolve Service Locator Reference.

  • AMST-17082: WindowsCheckInRequestProcessor fails to resolve WindowsProfilePayloadBusiness.

  • AMST-17102: Windows Data Protection profile (desktop) containing desktop apps with file paths does not work as expected.

  • AMST-17106: Pushing Windows Update Profile to a 1607 machine using 365 days does not work as expected.

  • AMST-17398: Unable to install BSP applications on x86 devices. 

  • AMST-17560: The Windows sensor data is not reported on the Intelligence console.

  • AMST-17617: Device Services experiences High CPU post 1903 upgrade.

  • ARES-2524: Internal application grid view and devices tab displays inconsistent application counts.

  • AMST-18356 : Database connection failures may cause unenrollment of Windows 10 devices. 

  • ARES-2791: The Manage Devices menu allows the removal of rejected applications and incorrectly displays the status as Installed.

  • ARES-2831: Managed Application list displays invalid data.

  • ARES-5063: Application assigned to the device through the device tag fails to trigger the install command.

  • ARES-6830: Application Count for Workspace ONE Application on the UEM Console does not match with the database.

  • ARES-6859: No Records Found is shown as Installed devices in the Manage Devices screen, when the public application is Inactive.

  • ARES-7065: GetEulaContent() method does not work as expected.

  • ARES-7895: App details -> more ->events fails to display events.

  • ARES-7905: The UEM console incorrectly shows "VMware Browser" in the app security policies.

  • ARES-7946: Catalog setting in the UEM console does not work as expected.

  • ARES-7986: Lookup value does not work as expected for any value type other than String.

  • ARES-8284: Android internal application set to On-demand gets auto installed when the per app VPN is enabled.

  • ARES-8381: Inconsistent behavior is recorded while uploading new application versions.

  • ARES-8384: DLP settings for "Allowed Applications List" fails to retrieve the applications.

  • ARES-8414: Usage of AL to determine installed state does not contain the usermanaged apps case for some flows.

  • ARES-8579: Password is not displayed as characters while creating a new iOS profile.

  • ARES-8588: Retire Previous Version while uploading a new version of an internal app incorrectly retires the latest version.

  • CMCM-188185: POST/PUT categories or awcontents fails if the parameter contains Double Byte Character.

  • CMCM-188204: Content Dashboard Storage History diagram shows a different separation of the corporate storage versus private storage. 

  • CMEM-184489: Sync mailboxes status does not work as expected.

  • CMSVC-9924: User group membership count incorrectly shows 0 in the child OG for Directory User.

  • CMSVC-10004: Devices that are displayed in the User List View incorrectly shows devices from the sibling OGs. 

  • CMSVC-10178: Lotus Domino fails to sync user groups.

  • CMSVC-10250: Unable to edit assignment groups.

  • CMSVC-10268: Assign Tag Page does not work as expected.

  • CRSVC-3888: Logging tooltip in the SDK profile does not work as expected.

  • CRSVC-4672: Custom SDK profile settings are applied to the Browser if the device is under the overridden Child OG.

  • CRSVC-4906: Initial loading of payload while editing an iOS custom SDK profile assigned for web does work as expected.

  • CRSVC-5154: Android/iOS devices incorrectly display CertificateGuid in the subject name of the certificate template.

  • CRSVC-5272: Device wipe fails to revoke boxer client access certificates.

  • CRSVC-5472: Compliance check-in status results in sql exception error.

  • CRSVC-5525: Bluetooth data and USB data privacy settings incorrectly displays three asterisks.

  • CRSVC-6000: Privacy icon fails to localize as expected.

  • CRSVC-6024: Enrollment gets timed out on Android and iOS devices.

  • CRSVC-6094: Frequent device check-in causes a high memory usage on Device Services Server.

  • CRSVC-6130: Device Compliance policies get stuck in the in-progress state. 

  • CRSVC-6253: Device enrollment fails if the user name is an email address. 

  • CRSVC-6270: BlobHandler Stateless Tokens passed on the URLs fail to break the request upon token failure.

  • ENRL-1057: Incorrect OG name gets auto populated in the enrollment OG field while registering a device from the enrollment status page.

  • ENRL-1135: The UEM console enrollment settings fail to display the VMware Identity Manager product name.

  • ENRL-1147: End-user login fails to accept end-user license agreement if the domain is prefixed with the user-name.

  • ENRL-1172: Branding does not load as expected after the Intelligent HUB redirects to the device management.

  • ENRL-1222: Enrolling Android M Zebra TC51 and TC56 devices though Hub in the console results in the "Enrollment Blocked" error.

  • FBI-178096: Device Application Details Report does not work as expected.

  • FBI-178097: Admin user roles report shows incorrect Last Login Date.

  • FBI-178100: Blacklist or non-whitelist Application Details By Device report incorrectly contains whitelisted applications.

  • FCA-189489: Telecom > List view Export does not use Exports page logic and is causing Console App pool to crash/reset.

  • FCA-189553: Select the Language dropdown from the SSP Login Page fails to pick the languages that are selected for the specific OG.

  • FCA-189746: Groups & Settings resource text boxes shows Help Desk permissions in the 19.02 Console version and later.

  • FCA-189973: Unable to access the shared device log.

  • FCA-190033: Profile list view page does not let you move some of the labels and the page fails to return the original spot.

  • FCA-190204: /API/mdm/devices/search API call fails to populate user-name information if the user does not have a first name value in the Active Directory.

  • FCA-190396: Admins are unable to accept the Terms of Use after the console upgrade.

  • FCA-190542: Forgot Password email link flow does not honor two factor authentication.

  • FCA-190589: Swagger API example displayed for the /system/groups/id is incorrect.

  • FCA-191283: Deleting a OG results in FK error.

  •  FDB-2639: The Device Details page fails to load for a few devices.

  • PPAT-4820: TLS Handshake fails on overriding the Tunnel configuration.

  • PPAT-4825: Applications under the device traffic rules are not visible post override.

  • PPAT-5248: Internal Apps for Android with AFW Tunnel is not displayed under device traffic rules.

  • PPAT-5454: Proxy whitelist check fails if the console hostname string contains "VPN".

  • RUGG-6698: The UEM console incorrectly supports Product Condition edits.

  • RUGG-6718: Bookmarks are not listed under the Bookmarks option in the Launcher. 

  • CRSVC-7075 : Certificate Uniqueness does not enforce TLS Mutual Authentication for Android. Patch Resolved Issues
  • CRSVC-6712: Aweventlog MSMQ backs up and an exception is seen in the ChangeEventQueue log. 

  • INTEL-13485: Delta export failures in Intelligence due to missing object exception can cause data loss.

  • AAPP-7410: New basic DEP options needed for Apple's Fall 2019 releases

  • RUGG-6947: Database CSI Table experienes deadlock when five products with four file actions are pushed to 12000 devices.

  • RUGG-6951: Policy Engine Command Queue jobs are queued even if manifest is not install profile or install application.

  • RUGG-6964: Held Commands are not releasing properly due to Primary key violation observed in the ReleaseMultipleCommands for table dbo.DeviceQueueCommandsReleased. 

  • RUGG-6977: Relay Servers should deliver an already picked up app first before picking up any other app.

  •  RUGG-6133: Profile setting commands are unnecessarily created when activating relay servers at the Parent OG. Patch Resolved Issues
  • PPAT-5748: Dell Registry sync command is not issued along with install profile. 

  • RUGG-6906: Content Delivery Service stops abruptly causing problems with product pushes.

  •   FCA-191302: API call incorrectly checks for the fetch token from VidmOAuthTokenService. Patch Resolved Issues
  • AMST-19365: Baselines feature is not visible in the child location group. 

  • PPAT-5850: Device service in the application pool stops and results in 503 service unavailable error when you publish Tunnel Profile for 50k Android devices. 

  • PPAT-5874: Unnecessary calls are made to tunnel microservices.

  • RUGG-7025: Interrogator.ManagedApplicationList Database table experiences deadlocks

  • RUGG-7026: Creating events for custom attribute change does not honor app group changes. 

  • RUGG-6265: Policy Engine does not create device commands when the Relay Server has no work or dependency. Patch Resolved Issues
  • PPAT-5903: Safari Domains field is hidden from the VMware Tunnel VPN profile payload.

  • ENRL-1248: Enrollment restriction policy gets applied to UG if created for OG. 

  • AGGL-6166: App config not created on enrollment. 

  • CMSVC-10750: Database experiences a SQL Exception when updating smart group through Patch API. 

  • PPAT-5908: Applications under DTR rules are missing after upgrade from 1902 to 1907. 

  • ARES-9653: Database stored procedure deviceApplication.SyncAppsOnDevice experiencing deadlocks. 

  • RUGG-7059: Component PolicyEngineService experiencing deadlocks. Patch Resolved Issues
  • ARES-8483 : Database stored procedure devicecommandqueue.threshhold_updatedevicequeuestatusbythreshholdid times out for large device count. 

  • AGGL-3270: Application details does not show information from the Play Store on the Hub App. 

  • AAPP-7867: Scheduler Service queues application notification more than the current cap. 

  • ARES-9512 : Database stored procedure SelectiveApplicationList_Save experiences deadlocks. 

  • CMSVC-10747: Adding 10K or more users to the Smart Group using patch API times out. 

  • CRSVC-7061 : eventLog.EventLog_Save SPROC returns redundant data. 

  • RUGG-7067: Policy Engine does not log the right data or the context which makes it difficult to troubleshoot issues.

  • CRSVC-7186: DEP enrollment fails with NIAP configuration due to missing dependency.

  • FCA-191530: MDM Devices Search API loads User information instead of UserId property.

  •  CRSVC-7237: interrogator.savetransationinformation takes too long during multiple(10) product publish to 500K devices. Patch Resolved Issues
  • CMSVC-10638: Interrogator.SaveRestrictionsSamples stored procedure is CMSVC-10638called around 2000 times per minute.

  • AAPP-7936: Cannot clear passode for iOS/iPadOS 13 enrolled devices.

  • AGGL-6069: Database stored procedure interrogator.SaveRestrictionsSamples does not work as expected.

  • RUGG-7130: AWPolicyListSample queue backs up due to database waits.

  • RUGG-7139: DevicePolicyCompliance_DeleteByPolicyID strored procedure times out on deactivating a product assigned to 1 million devices. 

  • CRSVC-7353: Only Test Connection Messages are sent to the Syslog. Patch Resolved Issues
  •  AMST-19972: Change device passcode for Windows 10 devices with basic user accounts fails to change the device passcode.

  • ARES-9392: Time schedules do not work as expected for "All Day" increments. Patch Resolved Issues
  • AAPP-7835: DEP devices receive the incorrect token from a lower organization group.

  • AAPP-8178: Support "apns-push-type" for APNs via HTTP/2

  • FCA-191637: Unable to delete the devices in bulk under the device list view

  • PPAT-6095: Tunnel Proxy enabled applications will fail if server certs don’t comply with new Apple TLS cert policies for iOS 13 Patch Resolved Issues
  • CMSVC-10898: Build failure due to certificate expiry Patch Resolved Issues
  • CMSVC-10690: Deactivating user from user details page does not work as expected. 

  • ENRL-1437: Whitelisted device records with Enrollment status as Enrolled and Compliance status as Compliant gets removed. 

  • ARES-9912: api/mam/apps/internal/xxx/devices API returns 204 when MamCountsImprovementFeatureFlag is On. Patch Resolved Issues
  • AGGL-6284: During the DA to PO migration commands are not created and they get stuck in progress when migration is initiated for more than 200 devices. 

  • FCA-191605: WiFi IP Address must be ignored for the adapter name "dummy0".

  • PPAT-6192: SQL script fails with constraint error around Tunnel tables. Patch Resolved Issues
  • RUGG-7259: During product publish new jobs are getting created even though the product is marked compliant

  • AMST-21454: Device registration status is not in sync with the device enrollment status. Patch Resolved Issues
  • INTEL-13876: ETL | Resync fails to remove deleted entities from EntityList. 

  • INTEL-14177: ETL | CDC jobs fails due to datatype mismatch. Patch Resolved Issues
  • CRSVC-7487: Device Last Seen Compliance Policy does not work as expected. 

  • ARES-9529: SDK gets incorrect Bundle ID for the "EnableDataLossPrevention" payload from the console. Patch Resolved Issues
  • INTEL-15395: ETL | Refresh Entities job gets disabled after DB upgrade. Patch Resolved Issue
  • SINST-175504​: UpdateSQLServerInformation fails to update the Tunnel Microservice connection string and crashes the UEM Console Tunnel page. 

  • SINST-175506: File path for AirWatch.APIGateway web config is missing. Patch Resolved Issues
  • AGGL-6795: ApplicationSource of legacy Android apps does not override during import from the play/ App search. 

  • AMST-23342: Change the FPS Integration tests to save the ppkg to C drive. 

  • ARES-11181: Unable to install profiles as the commands are not getting generated due to the int32 limit. 

  • ENRL-1734: Unable to enroll devices when the "registered devices only" is selected. 

  • RUGG-7526: PE creates duplicate DevicePolicyJobs in the DevicePolicyJob. 

  • RUGG-7524: Prioritization logic for the RSCC contents does not work as expected. Patch Resolved Issues
  • AGGL-6886 'Android Default Settings' profile not queued for already enrolled Android devices Patch Resolved Issues
  • AMST-24111: Install Status is not updated in the UEM Console for new versions of W10 internal apps. 

  • CMSVC-13021: User attributes fail to update due to SQL Timeout and Multiple Concurrent Calls.

  • ENRL-1758: Device Activation Email is not sent if the template has QR code lookup and the child OG is selected. Patch Resolved Issues
  • CRSVC-9789: Add Event for Adding Device to Enrollment Whitelist and Apple DEP. Patch Resolved Issues
  • CMSVC-13328: While enrolling devices associated with a particular user the call to execute Sproc SmartGroupDeviceMap_UpdateByDevice_V2 results in a time out error.

  • CMSVC-13329: Devices being enrolled with a particular user do not get automatically assigned to Smart Groups. Patch Resolved Issues
  • CMSVC-13394: User details shows double encryption. Patch Resolved Issues
  • RUGG-7952: Violation of Primary Key Constraint during DeviceCapability_Save. Patch Resolved Issues
  • AAPP-9903: Delete Device does not wipe the device in rare occurrences when device checks in right before the command is issued. Patch Resolved Issues
  • AMST-27383: Device enrollment status is stuck in progress. Patch Resolved Issues
  • AAPP-10086: Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications.

Known Issues

  • AGGL-5484: Enrollment date gets updated to last sync time for the Chrome OS devices.

    Enrollment date and time gets updated to the latest sync time for Chrome OS devices when the devices are retrieved from Google Cloud. It should instead read the actual device enrollment time shared in the Google cloud response.

  • AGGL-5725​:App assignments cannot be saved when NSX is enabled.

    When NSX is enabled, application assignment security groups cannot be saved.

    As a workaround, disable NSX, add app assignments, and re-enable NSX.

  • AGGL-5744​: Approved Apps fails to get installed on the devices from Play Store intermittently on Xiaomi devices.

    The apps approved on the UEM server are not visible intermittently for Xiomi devices when enrolled in to the Android Enterprise. 

  • AGGL-5906​: Android Enterprise device creates device passcode instead of Work Profile passcode.

    The reason hub shows notification to set the device passcode when the work profile passcode is sent is because the profile XML has both device passcode policy( and the work passcode policy (

    Select the "Change Work App Passcode" notification and set the passcode for the work enrolled device.

  • AGGL-6014​: Single-user Staging does not work as expected.

    Single-user Staging does not complete due to HMAC errors.

  • AMST-17019 ​: Install context and detection criteria is not editable for new MSP version if previous version is deployed. 

    If a MSP is added to already deployed MSI, install context and detection criteria are not editable after saving despite being a new version in unknown status. 

  • AMST-17022: Application Install failures are not updated in the UEM console.

    Selective app list sample is not queued for app install failures and hence needs an app list sample to update the status. 

  • AMST-17581: App status changes to "Not Installed" and "Installing" in the Apps tab. After the app uninstall fails, the status changes to "Not Installed" and execution failure.

    SFD Client sends zero in the sample when the application uninstall is queued. This causes the app status on the console to change to not installed and subsequently install failure instead on uninstall failure.

  • AMST-17591: File Exists displays incorrect version number.

    File Exists criteria displays the version info that belongs to the "App Exists" criteria.

  • AMST-17881: Profile payload modification does not work as expected.

    If all configurations in new payloads are set to Not Configured, payload must revert to un-configured status. Currently we continue to show the payload highlighted in green bar, edit icon, trash icon, and so on.

  • AMST-18107​: Application deployment criteria fails if quotes are used in the configuration.

    Using the registry criteria or contingencies with quotation marks included in the configuration fails application deployment.

  • AMST-18160: Add Contingencies header shows Add Criteria.

    When adding contingencies the header / type text refers to "criteria." Ideally, the header  must display "Add Contingencies" and the type text would show "Contingency Type".

  • AMST-18221: Restrictions profile blocks all the third- party cookies even if the profile has the cookies set to allow. 

    When the user sets a restriction policy and allows browser cookies the edge browser still blocks third party cookies. 

    As a workaround, use any other browser.

  • AMST-18762 ​: Managed apps displays incorrect status message. 

    Assume managed apps with uninstallation failure remains in "pending removal" status. 

  • ARES-8578: Last Action Taken does not update on Microsoft Store for Business application removal with the MAM count feature flag ON.

    Application status does not update for BSP application.

  • ARES-8427​: Single-user Staging does not work as expected due to HMAC errors.

    Single-user Staging does not work as expected due to HMAC errors.

  • CMCM-188249​: AirWatch Managed Content download does not work as expected. 

    contentavailable_search takes too long to respond.

  • CMCM-188259: Content assigned to the child OG fails to get applied on the device if the category is created at the sibling OG.

    AW Content must not be assigned to the sibling OG's with categories created at other sibling OG's.

    As a workaround, assign content to other sibling OG's or create category at the assigned OG.

  • CMEM-185217: SEG configuration is displayed in the Admin panel

    SEG MemConfig is displayed under Monitor -> Admin Panel.

  • ENRL-1292: API event Notification fails to trigger on Device attribute change.

    Event notification subscription is not triggered when configured for device attribute change or while changing the Organization group for device

  • FCA-190413​: Hub configuration request cloud tenant ToS will not load or will delay while loading.

    Hub Configuration request cloud tenant ToS pdf is not loading in Firefox and Chrome browser takes lot of time to load

    As a workaround, use chrome browser to go through the Terms of Services.

  • PPAT-5464:Outbound proxies page in STR does not get refreshed automatically.

    Deleting an outbound proxy from the STR list creates a duplicate entry in the UI.

    As a workaround, close the page and reload.

  • PPAT-5730: Invalid Safari Domains prevents profile installation on device.

    Creating a profile with only a space or a comma as the rule, the resulting profile XML fails to install on devices. 

    As a workaround, add valid Safari Domains to profile payload.