Workspace ONE UEM | September 2019

Check for additions and updates to these release notes.

New Features in this Release

1909 for On-Premises Customers: Workspace ONE UEM 1909 for on-premises customers contains all the features and resolved issues from the previous SaaS-only release. For more information on the features and resolved issues from the previous SaaS-only release, see VMware Workspace ONE UEM 1908 Release

Workspace ONE UEM Console​

  • Participate in VMware's Customer Experience Improvement Program (CEIP).
    Workspace ONE UEM is now a participant of VMware's Customer Experience Improvement Program, which seeks to improve its products and services, to fix problems, and to advise you on how best to deploy and use our products. This program is only available to On-Premise Workspace ONE deployments.
    As part of the CEIP, VMware collects the technical information about your organization’s use of VMware products and services regularly in association with your organization’s VMware license key(s).  This information does not personally identify any individual. For details regarding the CEIP, visit the Trust & Assurance Center at
  • Automatic retry makes for a robust profile installation experience. 
    We've added a new retry logic for profiles that fail to install on your devices. The new logic retries to install the profiles when your devices check-in.
  • Meet the newly designed Message Templates.
    The redesigned Message Templates now provides a better globalization experience. With the new system, admins using message templates only see templates for the active language. For example, if an admin uses the Workspace ONE UEM console with Japanese, they will only see Japanese message templates.
  • Keep close tabs on your shared devices with the new API event notification for check-in/check-out.
    We've added an API event notification that allows you to see when shared devices check-in/check-out. The event notification enables you to recognize usage patterns and help you keep tabs on these multi user devices. 
  • UEM notifications available as messages within Intelligent Hub are now available under Notifications. 
    If you have activated Workspace ONE Intelligent Hub Services and enabled Notifications capability, UEM notifications, such as Compliance issues, will be sent through the Notifications Service. This enhancement allows your employees to get all their notifications within the Intelligent Hub notifications page thereby providing a consistent experience. You no longer have to go to Accounts > This Device > Messages page within Intelligent Hub app to view UEM related notifications.


  • Introducing the all new Dell Profile for your Dell-specific management capabilities. 
    With the launch of the Dell Enterprise Chromebook line, Dell has introduced some Dell-specific management capabilities with the new Dell Profile (Chrome OS)


  • Tighten your security posture with new USB drive access controls.
    You can now prevent the USB drive access to Files on iOS 13+ devices in the Restriction Profile
  • Specify how your iOS 13+ devices handle network traffic with the VPN profile.
    You can now set domains that Mail, Contacts, and Calendar accounts automatically connect to. Also, you can direct how the Virtual Private Network (VPN) client includes or excludes local network traffic.
  • Control how Voice Control works for iOS 13+ devices running in Single App Mode.
    Prevent or allow Voice Control capabilities for iOS 13+ devices when configuring the Single App Mode profile
  • Bring SSO functionality to your apps with the SSO Extension profile.
    The new Single Sign-On Extension profile for iOS 13+ devices let you provide targeted URLs for both redirect and credential-based SSO.
  • Customize the enrollment experience for devices synced from Apple Business Manager. 
    Deploy devices synced from Apple Business Manager (formerly DEP) with a set of customizable, branded web screens. These screens offer custom enrollment with advanced enrollment actions such as modern auth, multi-factor auth, and EULA acceptance.
  • We support a new privacy focused enrollment method that protects your personal data while still providing enterprise resources.
    Enroll all your iOS 13+ devices using Managed Apple IDs created in Apple Business Manager through federation to Azure AD. User Enrolled devices provide enhanced privacy focus that separates managed data from personal while still providing the core management capabilities such as installing apps, configuring Wi-Fi, and passcode requirement.
  • Refresh your eSIM configuration.
    Request iOS 13+ devices to refresh the eSIM configuration for a specific carrier by making changes in the Device Details page.  


  • Streamline the Setup Assistant experience with our new primary user account customization options. 
    Customize the primary user account information created in Setup Assistant on macOS 10.15 Catalina devices during an Automated Enrollment through Apple Business Manager. Make these changes when you create or edit the DEP Enrollment profile
  • Bring SSO and AD password syncing on your devices with the SSO Extension profile. 
    Configure app extensions that perform single sign-on with either the Generic or Kerberos SSO extension on macOS 10.15 Catalina devices with the SSO Extension payload

  • Simplifying your user experience by automating new System Extensions approval. 
    Control restrictions and settings for apps that use System Extensions by configuring the System Extensions profile

  • Prevent data leakage with the new Handoff restriction.
    Restrict  the ability to use Continuity Handoff capabilities on Macs running 10.15 by configuring the Handoff key in the Restrictions profile

  • Monitor the Secure Boot and External Boot statuses to ensure only approved operating systems can run. 
    View the Secure Boot and External Boot status for the Macs running 10.15 Catalina in the Device Details page. 

Mobile Content Management

  • Content Locker gets a new name. Let's welcome Workspace ONE Content.
    Workspace ONE Content has all the same functionality as Content Locker, but with a new name. To learn more, see VMware Workspace ONE Content


  • Keep Honeywell Android device enrollment simple with the Barcode Enrollment.
    You can simplify the enrollment experience for your users with the barcode enrollment for Honeywell Android devices. Users simply scan the barcode to enroll the devices


  • Everything is better together with Dell and the new Dell BIOS Attestation.
    Protect your Dell Windows Desktop Devices with the new Dell BIOS Attestation. This service analyzes the BIOS of your Dell devices and reports the status of the BIOS to Workspace ONE UEM. Using Workspace ONE UEM compliance policies, you can act quickly to reduce the risk a compromised device poses to your network.

Workspace ONE Express

  • Learn more about upgrading to Workspace ONE UEM.  
    You now have a simple path to understand what upgrading to Workspace ONE UEM can do for your organization. Get access to helpful videos, live demos, and documentation of Workspace ONE UEM's full feature set, not to mention an easy upgrade path for when you make the switch.
  • We've made migrating your legacy Android devices to the Android Enterprise easy. ​Try our new Android Migration Tool for Express.
    The Android Migration Tool walks you through the process step-by-step. Once you register Workspace ONE Express with Google as your Enterprise Mobility Manager, you can migrate your legacy Android devices. 
  • Troubleshooting your problematic devices got easy with the introduction of the Troubleshooting tab on Device Details. 
    The troubleshooting tab displays the Event Log and Commands listings including a filter and search capabilities, enabling you to perform troubleshooting on the device. To learn more, see the Troubleshooting tab on Device Details

Resolved Issues

The resolved issues are grouped as follows.

Resolved Issues
  • AAPP-6228: iOS Profile with Custom VPN type and ADCS configuration for Certificate does not work as expected.

  • AAPP-6922: Unable to save the device-friendly name settings when the device enrollment is in progress. 

  • AAPP-6997: Custom B2B VPP applications are not displayed under the given category.

  • AAPP-7000: Administrators can see both the parent and child default staging user while configuring the DEP and may unknowingly select the wrong one. 

  • AAPP-7088: Remediate macOS certificates that are missing from the login keychain. 

  • AAPP-7272: APNs messages are not queued for macOS devices if at least one of the devices in the batch does not have a User APNs token.

  • AAPP-7430: Unable to send the APNS certificate to the SDK-integrated application.

  • AAPP-7686: Authentication password clears when you edit the content filter profile.

  • AAPP-7695: macOS proxy profile fails to honor domain exceptions.

  • AAPP-7728: The tooltip for Collect Location Data on Intelligent Hub Settings does not display as expected. 

  • AAPP-7848: Fingerprint restriction on the UI displays incorrect default value.

  • AAPP-7885: iOS Custom XML payload does not work as expected.

  • AAPP-7936: Clear passcode for iOS/iPadOS 13 enrolled devices does nor work as expected. 

  • AAPP-7962: Enrolling a macOS or iOS device via DEP does not complete and the devices are stuck in the "Enrollment In Progress" state.

  •  AAPP-8024: Installing profile with new Privacy Preferences payload settings for macOS Catalina devices does not work as expected.

  • AAPP-8099: Fingerprint restriction in the macOS Security & Privacy payload displays incorrect default value. 

  • AGGL-3270: Application details do not show information from the Play Store on Hub App.

  • AGGL-4484: ChromeOS Device Network profiles with certificates fail to install. 

  • AGGL-5046: Targeted rollouts or pre-validation of internal apps for Android Enterprise delivered through Google Play for Work does not work as expected.

  • AGGL-5341: Google integration for the app Group search does not work as expected. 

  • AGGL-5984: Web link for Android Legacy shows the configuration type as "Work" under the device summary page > Profile > Configuration Type.

  • AGGL-6014: Single-user staging does not complete due to HMAC errors.

  • AGGL-6015: Unable to add more than 16 exception (whitelisted) URLs in the Chrome User-based URL access control profile.

  • AGGL-6017: Citrix SSO app configuration is not pushed to devices. 

  • AGGL-6065: Application source of legacy Android application does not update as expected while importing from play or application search. 

  • AGGL-6141: GB calls to the UEM console fails when trying to pull the public android apps for devices. 

  • AGGL-6163: Source of Authentication for Intelligent Hub changes from VIDM to UEM while changing tabs in the enrollment settings of child OG. 

  • AGGL-6166: When enrolling a new device to console, app configuration does not work as expected. 

  • AGGL-6209: Unable to clear the KNOX License Key from the Hub Settings.

  • AMST-17591: After pushing the app, file exists criteria shows the version information that belongs to the App exists criteria. 

  • AMST-18902: App install commands are getting queued in the console.

  • AMST-18862: PPKG data is leftover even after the Device Wipe. 

  • AMST-19365: Baselines Feature is not visible in child location group.

  • AMST-19371: Device with whitelist remains in "Enrollment in progress" while enrolling with a staging user.

  • AMST-19972: Change device passcode for Windows 10 machines with basic user accounts fails to change the device passcode.

  • AMST-20054: ApplicationTransforms fails to load during Application Search if no Applications exist in the OG. 

  • ARES-8483: Database stored procedure devicecommandqueue.threshhold_updatedevicequeuestatusbythreshholdid times out for large device count. 

  • ARES-8601: When attempting to save standalone catalog settings, performance degradation occurs preventing user from saving settings and user receives a timeout error.

  • ARES-8803: Internal applications get stuck in Pending release and do not create any batchjobs. 

  • ARES-9392: Profile time schedules do not honor "All day" increments. 

  • ARES-9680: Unable to access Windows Desktop Dependencies list view. 

  • CMSVC-10167: User Attribute Sync fails due to incorrect parsing of the lockout time attribute. 

  • CMSVC-10436: Admin APIs does not return the correct LastLoginTimeStamp.

  • CMSVC-10665: Disabled Status value under the directory service is not persistent with the database result.

  •  CMSVC-10697: Registering a device at a child OG with the tag associated from the parent OG incorrectly creates a tag. 

  • CMSVC-10732: "Default or Supplied Group Base DN details is not valid" exception error is displayed while searching for user groups from the test connection. 

  • CRSVC-6126: "CN=" is added upon the loading the template.

  • CMSVC-10799: Directory Services with OpenLDAP fail to Test Connection.

  • CRSVC-6503: DuplicateCertificate_Purge maintenance procedure encounters the duplicate key error. 

  • CRSVC-6548: Certificate Authority Password Does Not Accept '<' character.

  • CRSVC-7042: Unicode Characters fails to parse while sending the SMS using SMSGlobal due to lack of Triple Encoding.

  • CRSVC-7066: Interrogator Queue Monitor Service keeps crashing on all DS boxes. 

  • CRSVC-7353: Syslog data is only being sent though the test connection message. 

  • ENRL-1437: Whitelisted device records with Enrollment status as Enrolled and Compliance status as Compliant gets deleted.

  • ENRL-1445: User Group mapping with the Staging User does not work as expected after the console upgrade.

  • FCA-190387: HTML Title and breadcrumb changes while opening a new tab using the keyboard shortcut.

  • FCA-191290: Devices do not move to correct OG when an API call is made to Change the Organization Group.

  • FCA-191504: Terms of use EULA fail to load customer OG. 

  • FCA-191343: Location tab on the Device Detail page occasionally displays "Something unexpected happened" when the period is set to anything other than last known.  

  • FCA-191402: EnrollmentLocationGroupUsers_List_IncludeChildLGs timeout while running the console UI Test.

  • FCA-191455: Monitor>Overview>Compliance>Devices without Required Apps in the UEM console does not display data for the child OG.

  •  FCA-191468: Admin_LocationGroupEdit Proc results in deadlock.

  • FCA-191537: Bulk Management does not work when selecting 400+ devices. 

  • FCA-191549: Unable to delete the devices in bulk under the device list view.

  • FCA-191637: Unable to delete the devices in bulk under the device list view. 

  • FCA-191664: Device Traffic Rule and Server Traffic Rules rankings cannot be moved up and down while using the Google Chrome browser. 

  • PPAT-5730: Adding empty lines or lines with a comma in the Device Traffic rules results in profile installation error.

  • PPAT-5903: Safari Domains field is hidden from the VMware Tunnel VPN profile payload.

  • PPAT-6009: Airwatch Proxy certificate shows Expired on console.

  • PPAT-6095: Tunnel Proxy enabled applications to fail if the server certificate does not comply with the new Apple TLS cert policies for iOS 13.

  • RUGG-5722: Files or the Action gets deleted from the console without any end-user interaction.

  •  RUGG-7000: Application list fails to display in the install application drop-down in the Manifest Edit mode. Patch Release Notes
  • AAPP-8270: Fix errors in UAT Patch Resolved Issues
  • AMST-20890: Devices fails to dynamically change the smartgroups after upgrading to windows version.

  • AAPP-8178: Support "apns-push-type" for APNs via HTTP/2. 

  • INTEL-14177: ETL | CDC jobs fails due to datatype mismatch. Patch Resolved Issues
  • AAPP-8223: EULA acceptance is not honored for DEP custom enrollment. 

  • FCA-191842: SKUs fail to load for the Customer OG if there are SKUs with higher SKU IDs in the parent hierarchy.

  • CRSVC-7628: Enable SampleJobImprovementsFeatureFlag in the UEM Console. Patch Resolved Issue
  • AMST-21454: Device registration status is not in sync with the device enrollment status. 

  • AMST-21525: During OOBE enrollment, Hub prompts Admin level access during installation. Patch Resolved Issues
  • INTEL-13876: ETL | Resync does not remove deleted entities from EntityList. 

  •  AGGL-6067: SoftResetConfirmedUser device event does not get sent to Syslog on post 9.6 environments. 

  • AGGL-6055:  "Command not authorized or unavailable" exception is displayed on bulk checkout of Android rugged devices. Patch Resolved Issues
  • FCA-191865: GPS samples have been received and saved correctly by the console. However, there is an issue with loading the actual Bing maps interface. 

  • CRSVC-7487: Device Last Seen Compliance Policy does not work as expected.

  • INTEL-15395: ETL | Refresh Entities job gets disabled after the DB upgrade. Patch Resolved Issues
  •  ENRL-1568: User is not created real-time via HUB enrollment and the enrollment fails. 

  • ATL-2674: Missing AirWatch in the database description column causes the UDID creation issue. 

  •  SINST-175472 : Update ALL Installers (Linux + Windows) to use Java 8u231. 

  • INTEL-15395: ETL | Refresh Entities job gets disabled after the DB upgrade. 

  • CRSVC-7878: Sample Job does not pick up expected devices for check-in within the sample intervals.

  • CRSVC-7780: Privacy web clip does not show data on the device (iOS and Android). Patch Resolved Issues
  • CMEM-185462: Admin Panel page fails to load.

  • CRSVC-8135: The device service in the application pool stop. 

  • ENRL-1605: Specific device models do not populate in the Enrollment Restriction drop-down. Patch Resolved Issues
  • AMST-22485: Windows Devices does not honor the auto-logout setting.

  • AMST-22528: Manual sync on OMA-DM gives "The sync could not be initiated.( 0x82ac0008)" error. 

  • ARES-10888: Unable to hide comments on the legacy app catalog.

  • CMEM-185464: Guard Failure in GoogleTokenRevocationBusiness related to enrollmentUserId. Patch Resolved Issues
  • AAPP-8705: Deleting an enrolled user that has an associated DEP registration record incorrectly deletes the registration record. 

  • CMSVC-12675: The forgot passcode link does not have a strong authentication method.

  • RUGG-7421: Additional parameter with null value is being sent for all the command types. Patch Resolved Issues
  • AAPP-8828: DEP devices get the incorrect token from a lower Organization Group.

  • AMST-23028: Enrollment is stuck In Progress state when OOBE Provisioning settings are enabled.

  • AMST-23064: Commands are getting processed when logged in user signs out. Patch Resolved Issues
  • AAPP-8972: VPP apps are not installed on a device that is custom enrolled. 

  • ARES-11203: Unable to install profiles as the commands do not get generated due to the int32 limit. 

  • CRSVC-8915: DeviceComplianceStatus_InitializeByDevice fails to insert due to deadlock. Patch Resolved Issues
  • PPAT-6574 Tunnel Service unable to add new encryption key in registry to decrypt the connection string Patch Resolved Issues
  • AAPP-8974 AppleMDM CheckIn Call takes 160 secs during DEP enrollment Patch Resolved Issues
  • CONSVR-1723 Script to remove ContentCache FF Overrides for child OG Patch Resolved Issues
  • AGGL-6919: While enrolling a device with the old record on the console, the new enrollment date is not getting reflected.

  • CRSVC-9196: Platform-specific message template is not picked up while registering devices.

  • SINST-175559: Update ALL Windows Installers to JRE 8u241. Patch Resolved Issues
  • AAPP-9164: Device Sync is called when the App is removed and Apps Query is performed for iOS Devices.

  • AAPP-9165: Apple school manager's Leader and Member certificate violate the guidelines described by Apple.

  • CRSVC-9338: Multiple email notifications triggered for schedule-based compliance policies due to concurrent processing in threads. Patch Resolved Issues
  • CRSVC-9641 The First UDP Syslog messages are dropped by Winsock. 

  • AAPP-9325: Asset number is missing and Friendly name gets overridden for DEP when custom enrollment is enabled. Patch Resolved Issue
  • AGGL-7140: CommandID 49 to push updated managed App Configs is not queued for Internal Apps on Work Managed Android devices.

  • ARES-11561: iOS Outlook ExternalAppAssignment mapping removal does not work as expected. Patch Resolved Issues
  • CRSVC-10011: Device compliance status save sproc fails to save the status due to concurrency ID change. Patch Resolved Issues
  • CMSVC-13403: Inconsistent behavior between console and API while deleting a user. Patch Resolved Issues
  • AAPP-9767: Delete Device does not wipe the device in rare occurrences when device checks in right before the command is issued. 

  • AMST-26442: Compliance policy evaluation is pending for Windows 10 devices. Patch Resolved Issues
  • CMSVC-13621: Smart Group updates fail due to SQL timeouts for SmartGroupDeviceMap. Patch Resolved Issues
  • AAPP-10084: Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications.

  • AMST-27381: Device enrollment status is stuck in progress. Patch Resolved Issues
  • CRSVC-12661: Update Compliance Scheduler per policy evaluation. Patch Resolved Issues
  • ARES-14101: Introduce batching in InternalAppAssignment_ReconcileByApp sproc to create assignments in batches. Patch Resolved Issues
  • RUGG-8892: Unable to download existing product provisioning application when FileStorage is enabled. Patch Resolved Issue
  • AAPP-11208: Device Management profile not getting removed from the device on an enterprise wipe. 

  • AAPP-11221: Wipe deleted devices hitting the Check-in endpoint. Patch Resolved Issues
  • CRSVC-18277 Addressing encryption/signing issues on Device Services, leading to device communication failures due to recent changes in .NET framework released as part of latest Windows updates. Patch Resolved Issues
  • CRSVC-19545: All certificates are in an unknown state.

Known Issues

  • ARES-9588: ​Unmanaged application can send install application command. 

    Windows does not support the deployment of public applications, free or paid, through the console. However, when the MAM count is enabled, admins are given an option to deploy a free public app though the console. 

  • ARES-9890: Standalone catalog enrollment on Android 9 devices shows incorrect OS in the UEM console post enrollment. 

    On Android 9 devices such as Samsung S10, S8, OnePlus 7 pro, the UEM console shows OS version as 10 instead of 9 during standalone catalog enrollment. 

  • FCA-191677: Resetting the branding color fails to reset the "Highlight color" to default #007CBB.

    Resetting the branding colors to default in the Branding page under Settings → System → Branding, fails to reset the "Highlight color" to #007CBB. The color being set is #1270cd. However, the rest of the branding color settings such as "Header color", "Navigation color" resets to default.

    As a workaround, manually update the color hex code to #007CBB for the "Highlight Color. 

  • AMST-20261: Applications fail to display the correct status when the user is signed out. 

    When a user application is sent to a device and the user is signed out, the sample that is sent to the status on the console displays as managed but uninstalled.

    As a workaround, query the sample manually if you are signed in.

  • AGGL-6181: Network Profile page crashes when attempting to add Certificate without CA.

    Chrome OS profile does not save if a certificate is added without the CA. 

    As a workaround, add the CA details. 

  • AGGL-6275​: Help links on the Dell Profile page links to the incorrect documentation page. 

    The documentation link provided on the Dell profile page is incorrect. 

    As a workaround, search for the documentation in

  • AGGL-6284: Android legacy migration does not progress if the Smart Group that is created for migration has more than 200 devices. 

    Migration does not work as expected when migrating from Android legacy to the Android enterprise work profile through the migration tool, if the smart group that is selected has more than 200 devices. 

    As a workaround, you can create Smart Groups with less than 200 devices at a time and slowly increase the number in batches. 

  • RUGG-7199: The product that is with the assignment rule using the operators >,>=,<,<= and between for Agent version fails to consider the device as applicable.

    If the agent version reported by the device is '' and the product has an applicability rule which says the agent version > 19.07, even though the device is applicable the product is not assigned to the device.

    As a workaround, add applicability rule using the operators '=' or '<>' and then specify the exact agent versions.

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

  • CMCM-188952: The expiry date of a file is always one day more than what's set on the console. 

    Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on the console. 

    As a workaround, set the date one day prior to your intended expiration date.  

check-circle-line exclamation-circle-line close-line
Scroll to top icon