VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 1910, a list of our resolved issues, and known issues.


New Features in this Release

Workspace ONE UEM Console

  • We've made enhancements to the /users/ API.
    The GET /users/{uuid} and POST /users/ APIs now include new attributes such as aadMappingAttribute, department, employeeIdentifier, costCenter, customAttribute1, customAttribute2, customAttribute3, customAttribute4, and customAttribute5.
  • We've added a new API that automatically syncs User groups and Admin groups into the Console from the Active Directory or LDAP.
    Previously, administrators had to manually log in to the console to perform a group sync. We now have an API for the group sync action that enables automation. The new GET /GroupSyncActions/{uuid} API grabs the approval status of a group with the access token and a link to merge that group. The result also includes the details of members added to and removed from the group. The new POST /GroupSyncActions API merges the User groups or the Admin groups that are in the "Approval Request Pending" state.
  • The System help page under All settings > Admin > Diagnostics lost its home. But we’ve made sure to retain some of the functionality it served for the cloud connector.
    You can now check the cloud connector status by using Test Connection. It gives you the same information as the System health check page did.


  • Display a personalized message when removing a work profile on an end user’s device.
    You can now choose to show your end-users a personalized message when you decide to remove a work profile.
  • We've increased security around non-strong authentication methods and passcode change notifications.
    The Passcode profile provides better security around non-strong authentication methods and passcode change notification. The Passcode Required Range lets you specify how much time elapses after the device has been unlocked with the non-strong authentication before the user is prompted to enter the passcode. The Passcode Change Alert text box lets you specify the amount of time prior to the passcode expiration that the user is notified to change their passcode.
  • We've upgraded the Launcher profile with additional configurations.
    You can now enable/disable Home and enable/disable Keyguard option in the Android Enterprise Launcher Profile.


  • Securely manage user and device level certificates with the Workspace ONE UEM Extension for Chrome OS.
    The Workspace ONE UEM Extension for Chrome OS automatically installs on managed devices to provide secure provisioning of both user and device-based Microsoft ADCS certificates, and seamless connectivity to WiFi and web applications. Additionally, direct communication with the UEM console enables a faster device sync after enrollment and enhanced device visibility.
  • Remotely disable devices that have been lost or stolen with Lost Mode for Chrome OS.
    Lost mode for Chrome OS allows you to remotely disable devices that have been lost or stolen, and lets you set a custom message displayed on the lock screen through the Chrome OS device profile. While disabled, the device cannot be used for any purpose. Devices can be re-enabled remotely once they are found.


  • Empower your apps with additional capabilities by remotely associating domains.
    Configure any domains that need association with your in-house or third-party apps without manually including them in the app's entitlements file. This association can be used for advanced capabilities like SSO extension, universal links, and shared credentials. To know more, see Add Assignments and Exclusions to Applications.
  • Avoid the delays of accepting prompts and quickly get your students engaged with their apps.
    Students with Managed Apple IDs created in the Apple School Manager are no longer required to accept any prompts to install apps and books. Workspace ONE silently accepts these prompts on the Managed Apple ID's behalf with no admin interaction.
  • Take advantage of the latest communication standards for Apple Push Notifications.
    Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications.


  • Use Sensors to monitor your 64-bit Windows 10 devices.
    Sensors for Windows Desktop Devices now supports controlling when PowerShell scripts execute based on the device architecture. You can limit a script to 32-bit or 64-bit only or force a script to run as 32-bit regardless of the device architecture. This enhancement reduces errors when using Sensors for 64-bit devices.
  • Know how your devices comply with your Baselines.
    The UEM console now reports a device's compliance with a specific Baseline. See the current compliance status of devices against the published policies of a baseline. Baseline compliance reporting uses a 15% compliance threshold before marking a device non-compliant.
  • Our Smart Groups are not just smart, they are flexible too. Start creating OEM-specific Smart Groups for your Windows Desktop Devices.
    We've added Windows Desktop OEM and Model Support to Smart Groups.
  • We’re working on a technical preview for Digital Employee Experience Management for Windows 10 deployments.
    Digital Employee Experience Management is a collaboration between Workspace ONE UEM and Workspace ONE Intelligence. With this feature enabled, the Workspace ONE Intelligent Hub for Windows sends telemetry data to Intelligence about OS and app stability and usage.
    In a soon-to-be-released version of Intelligence, you can see your data in dashboards to know what is working and what needs fixing. Use the dashboards to focus on specific analytics and use automations to mitigate possible issues and to fix problems when they happen.
    If you’re interested in starting to collect data, call your customer service representative to turn on this feature.

App Management

  • Experience consistent application status tracking on all your devices.
    We've enhanced different areas of the UEM console that deal with application deployment monitoring. The Workspace ONE UEM console now monitors apps and provides detailed application status based on the device reports and logs the actions taken in the UEM console.


  • We've added Device Traffic Rules support for Workspace ONE Tunnel on macOS.
    Create granular policies for use-cases like split-tunneling and domain filtering for macOS applications. Add apps and policies from the Tunnel's Device Traffic Rules and deliver them as a part of existing profiles.

Resolved Issues

The resolved issues are grouped as follows.

1910 Resolved Issues
  • AAPP-790: Deleting an enrollment user that has an associated DEP registration record incorrectly deletes the registration record

  • AAPP-4364: Unable to enroll DEP devices when the username or password contains special characters such as g€ràdö^, åäö123.

  • AAPP-7382: Intermittent issues with exception handling for bulk macOS profile installation

  • AAPP-7435: Modifying or deleting carts removes external tags from the Shared EDU iPads.

  • AAPP-7568: macOS Device Lock action from List View does not support the required PIN code for the command. 

  • AAPP-7719: 'Show Apps' and 'Hide Apps' input textbox incorrectly displayed.

  • AAPP-7835: DEP devices get an incorrect token from a lower OG. 

  • AAPP-7841: apps/purchased/search? API returns an incorrect value for "IsAutoUpdateEnabled". 

  • AAPP-7854: Deploying Single App Mode profile to iOS devices causes excessive CPU usage on Device Services.

  • AAPP-7882: The tool tip for "Allow FaceTime" in the iOS Restriction payload displays incorrect information.

  • AAPP-7956: The prompt that confirms if admin wants to enable Device Based Assignment doesn't contain the name of the application.

  • AAPP-8223: EULA acceptance is not honored for the DEP custom enrollment. 

  • AAPP-8434: iOS SDK integrated internal app fails to get token during initialization. 

  • AGGL-5486: Unable to make changes to Android Enrollment Setting in the console as the options are disabled. 

  • AGGL-5951: Enrolled Android Enterprise device does not receive the public application if the Enrollment restriction is set to Always use Legacy. 

  • AGGL-6202: Device Inventory report shows as MDM Managed Yes for some of the Android Devices.

  • AGGL-6213: Android EMM Registration page has instances of Airwatch and requires rebranding.

  • AGGL-6287: IPsec protocol is not set correctly in the Android AnyConnect when the VPN payload profile is used. 

  • AMST-20030: OOBE status screen incorrectly shows "Failed" on the security policies section when a Firewall profile is applied.

  • AMST-20890: Devices fail to change the smart groups after upgrading the Windows version.

  • AMST-21028: Updated version of the Bitlocker profile does not land on devices.

  • AMST-21382: beginInstall command fails on a Windows app when the Install timeout is greater than 60 mins.

  • AMST-21579: Removing Firewall Profile from Devices -> Details View -> Profiles page results in 'Install Failed' status.

  • ARES-9499: Key values for the Standalone boxer enrollment do not update on the console for iOS.

  • ARES-9502: Key values do not get updated on the console during Android Standalone boxer enrollment.

  • ARES-9659: The app catalog login page returns an executionTime field that can indicate to an attacker the time it takes for the application to process a valid user ID versus an invalid user ID. 

  • ARES-9706: Check-in/Check-out devices fail to receive VPN profile. 

  • ARES-9912: API api/mam/apps/internal/xxx/devices returns 204 error when MamCountsImprovementFeatureFlag is turned On. 

  • ARES-10501: Standalone catalog enrollment on Android 9 devices shows incorrect OS information.

  • ARES-10637: Profiles search does not work as expected and throws an error if the platform is not specified. 

  • CMEM-185421: Monitor > Admin Panel fails to load. 

  • CMSVC-10375: User migration action under Users --> Advanced --> User Migration does not work as expected. 

  • CMSVC-10716: System/Users/Search API does not include CustomAttribute2 through CustomAttribute5.

  • CRSVC-6795: The exported events from the HUB do not show up in the admin locale as well as the one exported from Device Details View.

  • CRSVC-7417: Web Console does not honor proxy setting when attempting connections to AWCM.

  • CRSVC-7487: Device Last Seen Compliance Policy does not work as expected. 

  • CRSVC-7713: Reports Subscription receives multiple email requests.

  • ENRL-150: Devices can be added to inactive users.

  • FCA-191374: Disabling the "Getting Started" option does not remove the icon from the console. 

  • FCA-191412: Devices > List View page errors out with the message "Something unexpected happened".

  • FCA-191454: Failed login attempts are not logged in the history events for directory admin accounts. 

  • FCA-191605: WiFi IP Address is displayed for the adapter name "dummy0".

  • INTEL-14177: ETL | CDC jobs fail due to datatype mismatch.

  • INTEL-15348: Entity List does not honor device resync.

  • PPAT-5908: Applications under DTR rules are not displayed after upgrading the console from 1902 to 1907. 

  • PPAT-6195: Tunnel Gateway TLS certificates must align with new Apple standards.

  • RUGG-5789: Custom attribute Value restricts '/ | :' characters. 

  • RUGG-5865: Product with both smart group assignment and assignment settings fail to save. 

  • RUGG-7271: The "Staging Profile" field does not provide any WiFi Profiles that were created as "Android" profiles. It does show profiles created as "Android Legacy" profiles.

Patch Resolved Issues
  • AAPP-8504: Unable to send push notifications to any Workspace ONE productivity apps.

Patch Resolved Issues
  • FCA-191865: GPS samples have been received and saved correctly by the console but there is an issue with loading the actual Bing maps interface. 

  • CRSVC-7878: Sample Job does not pick up expected devices for check-in within the sample intervals.

Patch Resolved Issues
  • CMEM-185462: Admin Panel page fails to load.

  • CRSVC-8135: The device service in the application pool stops. 

  • ENRL-1605: Specific device models do not populate in the Enrollment Restriction drop-down.

Patch Resolved Issues
  • CRSVC-8073: Privacy Webclip does not display the information details for each heading. 

  • AAPP-8604: Cell data usage compliance policy remains in the pending state. 

  • AAPP-8629: Editing profiles does not work as expected.

Patch Resolved Issues
  • AAPP-8620: Support "apns-push-type" for APNs via HTTP/2.

Patch Resolved Issues
  • AMST-22482: Authmode for Windows Wifi Profile does not work as expected.

  • AMST-22484: Windows Devices do not honor the auto-logout setting.

  • AMST-22517: Remote Address Ranges in the Firewall rules do not allow string values.

  • AMST-22520: Firewall rules inaccurately map the UI to SyncML.

  • ARES-10887: App Catalog Comments does not honor admin configuration.

  • INTEL-16289: Create a migration script to enable the new User Export Category.

Patch Resolved Issues
  • AMST-22685: Device enrollment gets stuck In Progress state when OOBE Provisioning settings are enabled. 

  • AMST-22706: All the user context apps on console move to Managed but uninstalled state when you query for the app while the user is signed out.

Patch Resolved Issues
  • AGGL-6677: Chrome OS devices consume the Google daily limit API quota that results in error logs. 

  • INTEL-16555: Refresh Entities and settings job is failing due to PK violation error.

Patch Resolved Issues
  • AAPP-8975: Device Sync is called when the App is Removed and the Apps Query is performed for iOS devices.

  • CRSVC-8731: API causes Internal Server Error. 

  • CRSVC-8826: Platform-specific message template is not picked up while registering devices.

  • ENRL-1727: Device Activation Email is not being sent if the template has QR code lookup and child OG is selected.

Patch Resolved Issues
  • AGGL-6873: ChromeOS sync process attempts to publish an extension to users without email addresses.

Patch Resolved Issues
  • PPAT-6785: Tunnel Service unable to add a new encryption key in the registry to decrypt the connection string.

Patch Resolved Issues
  • AAPP-9766: Delete Device does not wipe the device in rare occurrences when device checks in right before the command is issued.

Patch Resolved Issues
  • AAPP-10083: Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications.

  • AMST-27380: Device enrollment status is stuck in progress.

Patch Resolved Issues
  • AMST-27574: Compliance Status stays in pending status on the console for Windows 10 devices.

Patch Resolved Issues
  • FCA-194953: View Devices or Users in terms of use not listing the devices.

Patch Resolved Issues
  • AAPP-11220: Wipe deleted devices hitting the Check-in endpoint. 

  • AAPP-11207: Device Management profile not getting removed from the device on an enterprise wipe.

Patch Resolved Issues
  • CRSVC-18462: Addressing encryption/signing issues on Device Services, leading to device communication failures due to recent changes in .NET framework released as part of latest Windows updates.

Patch Resolved Issues
  • CRSVC-19544: All certificates are in an unknown state. 

Known Issues

  • AAPP-8343: iOS 13 profiles with Allow removal set to "with authorization" fail to land on the device.

    With iOS 13 release, the key "Allow removal" is valid for supervised devices only. UI needs to be updated with the tag. 

    As a workaround, edit the profile to uncheck the "Allow removal" key on the General Payload. 

  • AAPP-8165: Uploading an app with extension fails when payload is not specified directly under IPA.

    Uploading an app with extension fails when specifying the payload in the swift support folder instead of having it directly under IPA.

    As a workaround, remove the swift support folder and archive the payload into IPA directly. 

  • AAPP-7814: Cannot install paid apps using redemption codes. 

    Redemption code based paid apps fail to install on the device.

  • AAPP-7500: macOS FileVault Payload Fails with French Language. 

    macOS FileVault Payload Fails with French Language. 

  • AGGL-6437: After clearing the Android Enterprise end-user wipe message on the AE settings page and saving, the message does not get deleted.

    After clearing the Android Enterprise end-user wipe message on the AE settings page and saving, the message does not get deleted.

    As a workaround, add an empty space or a character when clearing the message. 

  • AGGL-6286: During the DA to PO migration, commands 148 are not deleted in the command queue table when Admin cancels the Migration. 

    During a huge migration of Android devices from DA to PO, canceling the migration when in flight does not clear the command to initiate migration. 

  • AMST-21640: Un-approval action breaks for the updates which are approved by classification.

    The update fails to un-approve, and the status gets updated to "Approve By Revision and classification" whereas it should be changed to unapproved.

  • AMST-21542: The compliance policy displays "Not Available" on the device list view for certain users.

    If staging enrollment is used and no compliance policy is set, then the compliance policy is always displayed as not available on the device list view page.

    As a workaround, set a compliance policy and the status will update correctly. 

  • CMCM-18831: Auto-refresh does not work as expected. 

    Multiple File Delete doesn't always pick up on auto-refresh. 

    As a workaround, refresh the page manually. 

  • CMEM-185433: Automatic Password Provision Setting for Google with SEG is not displayed. 

    For Google with SEG, the 'Automatic Password Provision' option is not displayed on the 'Deployment' tab of the MEMconfig wizard, on selecting 'Google with SEG'.

  • CMSVC-11001: While using the new user or admin group merge API (POST /GroupSyncActions), the response is received as "204 No content" if the changes fail to merge. 

    Incorrect status is shown when the merge fails. 

    As a workaround, check the merge status using the GET API (GET /GroupSyncActions/{Uuid}) to confirm the merge status.

  • CMSVC-11016: If the max invalid attempt set for SDK apps action is set to greater than the max invalid attempt set for enrollment user, then the enrollment user gets locked out before the enterprise wipe. 

    Validation/Warning to set the SDK apps setting (Max invalid attempt) less than or equal to the enrollment user setting is missing.

  • ENRL-1542: Edit Registration and Resend message button does not work as expected in device registration details page. 

    Resend message and Edit registration buttons do not work as expected. 

    As a workaround, edit or resend the message from the device registration list.

  • PPAT-5862: Unable to fetch the VPN client certificate for unmanaged flow. 

    When the enrollment user is created without the UPN and the user tries to enroll to that account via a browser app, the SCEP token is created for this user with the UPN name missing. The same SCEP token will be requested again even when the UPN is added to the user.

    As a workaround, wait for a day for the purge script to delete older token values or delete the user account and recreate with UPN details.

  • PPAT-6111: Adding an NSX host address on VMware Tunnel configuration results in page crashes with the error "An error has occurred". 

    Manually entering the NSX hostname results in a console error in the NSX configuration card.

    As a workaround, copy/paste NSX hostname URL.

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

  • CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

    Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on the UEM console. 

    As a workaround, set the date one day prior to your intended expiration date.  
