Workspace ONE UEM | August 2019

Check for additions and updates to these release notes.

What's in the Release Notes

What's in the Release Notes

The release notes cover the following topics:

New Features in this Release


  • Enroll devices into Android Enterprise Work Managed mode without a managed Google account. 
    You can Enroll devices into Android Enterprise Work Managed mode without a managed Google account under the following circumstances:
    • When you do not have connectivity to Google.
    • When you are operating on a closed network.
    • When your devices do not contain Google services (AOSP/Non-GMS).​ 
      The Android EMM Registration page now includes an option to select AOSP Closed Network as the Work Managed Enrollment Type. To learn more, see Android Device Enrollment
  • We allow Passcode reset on your work profile devices running Android 8.0+.
    You can now select the Clear Passcode and Reset Passcode commands for Work Profile devices running Android 8.0+. Clear Work Passcode removes the work security challenge on the device and the Reset Work Passcode prompts you to enter a new passcode. 
    To learn more, see  Device Management Commands.


  • We've added new network usage rules payload keys for all your iOS 13 devices.
    Set up the Wi-Fi assist capabilities of targeted physical and eSIM cards for iOS 13 devices.
    To learn more, see Configuring Network Usage Rules Profile
  • Skip all newly added Setup Assistant screens for iOS 13 devices.
    We let you skip newly added Setup Assistant screens for iOS 13 devices added to Apple Business Manager.
    To learn more, see Complete the DEP Enrollment Profile
  • We've added new Restrictions payload keys for iOS 13 devices.
    Prevent Wi-Fi toggling, QuickPath keyboard, Find My Friends, and Find My Device on iOS 13 devices. Also, we've added several existing options that requires supervision such as restricting Camera, Safari, iCloud backup, and explicit content.
    To learn more, see Restriction Profile Configurations
  • Stop the user toggle of the native Mail, Contacts, Calendar, Reminders, and Notes apps separately. 
    We've added new Exchange payload key for iOS 13 devices that allows configuring and preventing the user toggle of the native Mail, Contacts, Calendar, Reminders and Notes apps separately. 
    To learn more, see Configure EAS Mail Profile for the Native Mail Client



  • Simplify your peer distribution with the new Windows Desktop profile.
    We've moved the Workspace ONE Peer Distribution from Groups & Settings to a Device Profile for Windows Desktop. The new profile for Windows Desktop devices simplifies configuring the Workspace ONE Peer Distribution settings.
    Workspace ONE Peer Distribution now supports Distributed, Hosted and Local BranchCache modes along with additional configuration settings such as disk space percentage and max cache age.
    To learn more, see Peer Distribution with Workspace ONE
  • Provision your Windows 10 devices yourself with encrypted custom PPKGs.
    PPKGS allow you to provision your Windows 10 devices with the apps, profiles, and enrollment credentials you use. You can use this provisioning package as part of the Windows 10 Out of the Box Experience or later after the device is set up.
    To learn more, see Create a Provisioning Package for Windows 10 Devices
  • Springing from a partnership with Dell, VMware announces Workspace ONE Express+.
    Workspace ONE Express+ is a light management solution for small and mid-size businesses bringing support for Windows 10 devices and Office365 apps.​

Workspace ONE Express

  • Register your Google account with Workspace ONE Express and welcome devices with Android Enterprise.
    Workspace ONE Express now supports Android Enterprise, including support for Work Profile and Work Managed enrollment types, as well as support for Managed Google Play, Android Enterprise policies, and resources. Express support for Android Legacy continues unchanged.
    To learn more, see Enrollment
  • Workspace ONE Express now lets you add an application catalog to the home screen of your devices.
    When you set up Workspace ONE Express, you are now offered the chance to add an application catalog to the home screen of your devices. This option makes it easy to ensure your devices can download the optional apps you assign to them.
    To learn more, see Express Setup

Resolved Issues

The resolved issues are grouped as follows.

1908 Resolved Issues
  • AAPP-6228: iOS Profile with Custom VPN type and ADCS configuration for Certificate does not work as expected.

  • AAPP-7213: Apple Automated Enrollment (Apple Configurator) fails to enroll devices properly after the device is blocked by a restriction or blacklist.

  • AAPP-7217: Book installation status strings fail to localize.

  • AAPP-7236: The copy profile functionality does not work as expected for the macOS Privacy Preferences payload.

  • AAPP-7284: macOS App Install messages does not display the actual application behavior.

  • AAPP-7390: Exchange profile stays in the queue if the device is locked during install command.

  • AAPP-7487: While using automated Enrollment, iOS devices are enrolled to single user account even if they are registered to two different accounts.

  • AAPP-7518: Workspace ONE web installation status does not update when using iOS container enrollment.

  • AAPP-7543: While using automated Enrollment, macOS devices are enrolled to single user account even if they are registered to two different accounts.

  • AAPP-7561: SDK SSO authentication on iOS productivity apps does not work as expected. 

  • AAPP-7598: Adding version to a mac application does not work as expected.

  • AAPP-7734: "Managed Devices" page for the Microsoft Outlook VPP app fails to load.

  • AGGL-5006: SSP page does not work as expected when the Chrome book is enrolled.

  • AGGL-5499: Application Management role does not allow the Android Public app to be added to console.

  • AGGL-5705: Android For Work restriction profile displays an incorrect tool tip.

  • AGGL-5713: Internal application fails to download automatically when the user logs in to the launcher with multi-user enabled.

  • AGGL-5741: Google Play Store Proxy Settings does not work as expected.

  • AGGL-5774: System Updates policy Defer Update Notification(up to 30 days) does not work as expected.

  • AGGL-5825: Device data from Google is not received and the device fails to enroll. 

  • AGGL-5885: Android Work application configuration with look up values does not support Device UUID and custom attributes.

  • AGGL-5906: Android Enterprise device incorrectly prompts to create the device passcode instead of the Work Profile passcode.

  • AGGL-5944: Internal App does not install during the enrollment of rugged devices.

  • AGGL-5947: Enterprise password does not appear in the XML while adding a version of the wifi payload 

  • AGGL-5987: Legacy Android Migration page fails to load.

  • AMST-12776: Horizon Client fails to launch in Kiosk mode on Windows 10 devices.

  • AMST-14223: Enrollment status on the Windows desktop device displays incorrect display message.

  • AMST-14945: Windows Updates Profile installation fails on the RS6 device for branch "Semi Annual Channel". 

  • AMST-15584: The tooltip for Path when configuring a registry value for Success criteria, or create data contingencies for App deployments is incorrectly formatted.

  •  AMST-16317: Windows 7 enrollment does not work as expected and the Hub throws an error. 

  • AMST-16986: Wipe Confirmed event is no longer logged in event log for Windows 10 devices.

  • AMST-17352: Windows Passcode profile does not honor the complex character requirement.

  • AMST-17508: Devices get unenrolled with an error on the UEM console.

  • AMST-18062: Email is sent for the device lifecycle notifications when the protection agent settings enabled in the UEM console.

  • AMST-18272: Database connection failures may lead to unenrollment of Windows 10 devices.

  • AMST-18348: Specific custom zip stays in pending status in the UEM console.

  • AMST-18363: Removing an org encounters an error on the deviceSensor.TriggerMap table.

  • AMST-18783: Dell Command Monitor fails to apply BIOS password payload.

  • AMST-18797: Windows Updates (WSUS) metadata synchronization fails due to SOAP API exception

  • AMST-18805: Messaging service on the console server crashes intermittently.

  • CMCM-188173: Unable to view deleted files or folders in the SSP trash page. 

  • CMCM-188225: Content Locker fails to sync content from nested directories.

  • CMEM-185260: SEGv2 Run compliance check fails with Save Failed and Connection Fail error.

  • CMSVC-10301: Clicking a Tag accidentally removes profiles/apps from the device.

  • CMSVC-10344: Entries in syslog does not contain the CRUD Tag.

  • CMSVC-10349: User group sync fails from UEM to vIDM when the ImmutableID is mapped against the externalID.

  • CMSVC-10352: User sync from the UEM console to IDM fails due when the Admin and Enrollment User accounts share the primary key value in the UEM console.

  • CMSVC-10460: UEM to the IDM directory integration only syncs 20 user groups.

  •  CRSVC-5459: GPS is visible on the "what we do not see" section of the privacy webclip when we enroll a device with "collect and display" setting.

  • CRSVC-6084: MacOS Cert for profile is pulled from the cache when device is re-enrolled.

  • CRSVC-6365: Template that was associated with the CA cannot be edited after changing the enabled Restricted Enrollment Agent.

  • CRSVC-6371: Boxer OAuth on the Work profile enabled Android is unable to access certificate.

  • CRSVC-6481: Daily quota and calls per minute quota does not work as expected.

  • CRSVC-6595: Compliance policy created for blacklisted apps for Employee owned devices evaluates blacklisted apps for Corporate devices.

  • ENRL-896: Performing an enterprise wipe without deleting the device information displays the device friendly name of the previous user.

  • ENRL-1145: Device limit restriction for an OG gets disabled if that page is saved by administrator who does not have access to edit the device limit.

  • ENRL-1248: Enrollment restriction policy for OG is incorrectly applied to the user group.

  • ENRL-1278: Deleting a device record from the UEM console may result in failure to re-enroll the device for up to 24 hours.

  • ENRL-1279: Random devices take the device ownership type as Undefined even though we define the default ownership type as Corporate Dedicated.

  • FBI-178103: Reports configured with Reports storage fail to create file blobs under Reports Storage instead creates it in the File storage location.

  • FBI-178106: Event Data is missing in the SDK Analytics report.

  • FCA-190625: Discrepancy in results between Devices Litesearch and Search APIs.

  • FCA-191023: API documentation contains a few incorrect information.

  • FCA-191258: Batch values for API/mdm/devices?searchby={type} endpoint places the SQL calls in a loop.

  • FCA-191292: API Event Notification not triggered when the device OG changes. 

  • FCA-191302: API call incorrectly checks for the fetch token from the VidmOAuthTokenService. 

  • INTEL-13568: Discrepancies in the report numbers displayed in the UEM console  the intelligence reports.

  • PPAT-4565: Unable to clear sToken.

  • PPAT-5790: Adding empty lines or lines with a comma in the Device Traffic rules results in profile installation error. 

  • RUGG-6694: Administrators can incorrectly upload the application of same version code.

  • RUGG-6641: Launcher app fails to download, if the Setting of 'Service Application' is set to ‘Inherit'.

  • RUGG-6642: Products are un-mapped from the product set when the mapping API calls with more than 100 products.

  • RUGG-6750: Copying file/actions and deleting the file from copied file/actions impacts the original file actions.

  • RUGG-6754: Unable to create folder name in the multi app launcher profile with multibyte characters.

  • RUGG-6799: Android Launcher fails to download after 1905 upgrade. 

  • RUGG-6900: Hub Catalog blobhandler request fails with "method not found".

  • RUGG-6906: Content Delivery Service abruptly stops responding and causes problems with the product pushes.

  • AGGL-5932: Playstore default layout does not display Apps. Patch Resolved Issues
  • AAPP-7883: VPP integration test fails. 

  • AMST-19948: DS server CPU reaches 100% when the Passcode profile is pushed to 60K devices because of no throttling

  • CRSVC-7075: Certificate Uniqueness does not enforce TLS Mutual Authentication for Android. 

  • CRSVC-7186: DEP enrollment fails with NIAP configuration due to missing dependency.

  • FCA-191504: Terms of use EULA fails to load customer OG. 

  • FCA-191530 : MDM Devices Search API loads User information instead of UserId property. 

  • PPAT-5903 : Safari Domains field is hidden from the VMware Tunnel VPN profile payload. 

  • PPAT-5908: Applications under DTR rules are missing after upgrading the UEM console from 1902 to 1907. Patch Resolved Issues
  • AAPP-7936: Cannot clear passode for iOS/iPadOS 13 enrolled devices. Patch Resolved Issues
  • AGGL-6191: Android web application does not appear in the catalog when a new device is enrolled. 

  • AMST-19972: Change device passcode for Windows 10 devices with basic user accounts does not work as expected. Patch Resolved Issues
  • INTEL-11211: Re-enrolling a device to a different OG shows the record in the old OG

  • INTEL-14177: ETL | CDC jobs failure due to datatype mismatch

  • PPAT-6095: Tunnel Proxy enabled applications will fail if server certs don’t comply with new Apple TLS cert policies for iOS 13 Patch Resolved Issues
  • FCA-191842: SKUs fail to load for the Customer OG if there are SKUs with higher SKU IDs in the parent hierarchy.

  • PPAT-6192: SQL script fails with constraint error around Tunnel tables. Patch Resolved Issues
  • CRSVC-7487: Device Last Seen Compliance Policy does not work as expected. Patch Resolved Issue
  • SINST-175505: File path for AirWatch.APIGateway web config is missing. Patch Resolved Issues
  • RUGG-7420: Additional parameter with null value is sent for all the command types. Patch Resolved Issues
  • AMST-23341: Change the FPS Integration tests to save the ppkg to C drive. Patch Resolved Issues
  • AAPP-9901: Delete Device doesn't wipe the device in rare occurrences when device checks in right before the command is issued. Patch Resolved Issues
  • AMST-27382: Device enrollment status is stuck in progress. Patch Resolved Issues
  • AAPP-10085: Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications Patch Resolved Issues
  • AAPP-11209: Device Management profile not getting removed from the device on an enterprise wipe. 

  • AAPP-11222: Wipe deleted devices hitting the Check-in endpoint. 

Known Issues

  • AMST-18376​: The app status does not update to reflect the true state while the app installation is in progress.

    App status stays in "Awaiting install on device" while the app is in progress on device. Querying for the app list sample fails to update with the right status. For example, the status displays "download in progress" or "execution in progress". Status changes to either Managed or failure once the app execution is completed. 

  • AMST-18762​: The status of a failed app removal displays "pending removal" on the console.

    When the removal of an assume management SFD application fails, the first sample must update status to "Remove Application Failed" and the following sample must update it back to "Installed." The status remains in "Pending Removal" status even after multiple app list samples are consumed.

  • AMST-19280​: The app status is incorrect for apps that are retired. 

    Retired apps show up as "User Installed" on the console. 

  • AMST-19447​: The baseline status is incorrect when deleting a custom baseline. 

    After deleting the custom baseline, the status fails to reflect on the console.

    As a workaround, edit the baseline policy to correct the status. 

  • ENRL-1335​: Users created with both Single Standard or Advanced staging option can see ownership prompt while enrolling the device even if the prompt for the ownership is disabled. 

    Enrollment user must not be prompted with ownership when the prompt for Ownership is not enabled.

    If devices are enrolled with wrong ownership admins can choose to change the device ownership from the console.

  • FCA-191398​: Newly created cloud tenant detail fails to save in the Hub configuration page.

    Hub Configuration settings get inherited from the parent OG, and displays the following warning message is "Your Cloud Tenant was successfully created. To activate the Hub services, click Get Started to provide details about your VMware Identity Manager cloud tenant, which you should have received by email". 

    As a workaround, admins can choose not to use the JIT for hub configuration.

  • FCA-191385 ​: Android Web App does not appear in the catalog when a new device is enrolled via legacy for an existing blueprint in Express.

    In the Express OG, existing Web apps does not get added to the Catalog when a device is enrolled in the blueprint.

  • ARES-9652: MultipleTextBoxModel profile model does not work as expected. 

    User are not able to add multiple exclusions of proxy payload for mac OS profile. 

  • RUGG-6726​: Newly enrolled Winmo device fails to display the compliance status. 

    Device compliance status is not displayed correctly for all the Winmo devices.

  • PPAT-5629​: Changes made to the Tunnel configuration of the child OG does not save correctly if the global OG is deleted. 

    Incorrect error message is displayed while navigating to the Tunnel configuration page if the Tunnel is configured at a global OG level and deleted at a later stage.  

  • PPAT-5854​:Users cannot enter certain strings to specify Windows applications. 

    API used to create the windows application does not accept non-english characters in the device friendly name. 

  • PPAT-5721: NSX saves even if the configuration is disabled. 

    NSX should not save an invalid configuration when NSX is disabled. 

  • PPAT-5780​: If a customer disables NSX from the user interface, they need to restart the services on the server to fetch the changes.

    Disabling NSX does not trigger the automatic tunnel server reconfiguration. 

    As a workaround, restart the services. 

  • PPAT-5813 ​: NSX synchronization when the NSX certificate is not added to the server trust store results in an error message. 

    NSX security group error messaging is inappropriate for the SSL handshake error. 

  • ASCL-174960: Featured Content does not get updated on Android Devices

    After upgrade from 3.18 to 3.19, Featured Content fails to update. New installs or re-installs do not show Featured Content. 

  • CMEM-185406: Admin Panel page fails to load.

    When you navigate to Monitor > Admin Panel, the admin Panel page spins continuously never loads.

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

check-circle-line exclamation-circle-line close-line
Scroll to top icon