VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 2001, a list of our resolved issues and known issues.

New Features in this Release

Workspace ONE UEM Console

  • Apply as many filters as you like with the new device filter.
    We've greatly improved the way filtering works on devices in the Device List View. You can now apply as many filters as you like and the device listing does not update until you select the Apply button. This saves you time waiting for the console to update with each filter selection.
  • Presenting Terms of Service (TOS) agreement for our SaaS customers.
    SaaS customers logging in to the console for the first time are now presented with a Terms of Service (TOS) agreement for VMware Cloud Service Offerings. After acceptance, subsequent logins by any administrator are not presented with the same TOS. For details about the contents of the agreement, see VMware Cloud Service Offerings.
  • View all your managed devices connected with the same Wi-Fi router in the Device List View Custom Layout.
    You can now include the Service Set Identifier (SSID), known commonly as the Wi-Fi network name, in the Device List View. This new column makes it easy to show all managed devices connected with the same Wi-Fi router. Enable this new column by selecting the custom layout option and select SSID from the list of available columns.
  • Your reports no longer consume excessive disk space.
    A hard limit of 4 GB has been placed on the size of your Workspace ONE UEM reports. This limit prevents potentially excessive processing cycles devoted to creating oversized reports. For more information, see Generate Reports.
  • It’s time to upgrade your .net framework to 4.8.
    For the VMware AirWatch Cloud Connector to auto-update, servers that have ACC installed needs .NET Framework 4.8.
  • Support for SaaS-based OAuth 2.0 Credential Flow.
    Shared SaaS and Dedicated SaaS UEM customers can integrate the industry-standard OAuth 2.0 protocol to enable secure authentication and authorization for Workspace ONE UEM REST API calls. Connect to the nearest token issuer service to use this protocol: North America (Virginia), Europe (Frankfurt), or Asia (Tokyo).


  • Enroll and manage your GMS and non-GMS Work Managed devices within the same organization group.
    In order to avoid having to create several organization groups to manage GMS and non-GMS devices, we've updated our QR code enrollment to include an option that forces AOSP/ Closed Network Enrollment. When this is enabled in the QR code enrollment settings, your device enrolls as AOSP/Closed Network, regardless of the Work Managed Enrollment Type set in the Android enrollment settings. For more information, see Generate a QR Code Using the Enrollment Configuration Wizard.

Chrome OS

  • Start configuring, renewing, and revoking your certificates from the UEM console.
    With the Workspace ONE UEM Extension for Chrome OS, you can fully manage user and device level certificates. For more information, see VMware Workspace ONE UEM Extension for Chrome OS.


  • Update your Apple Custom apps with a single click.
    You can now push updates to Apple Custom apps that are out of date.


  • Define your Baseline assignments with the new Exclusions feature.
    You can now exclude specific smart groups from an assignment when assigning Baselines to your Windows 10 devices. This feature allows you to assign the Baseline to a large smart group and then refine the assignment to exclude specific, smaller smart groups.
  • Ensure your data is protected on Windows 10 devices even after a device wipe.
    The Encryption profile now supports keeping the system encrypted at all times. This includes removing the profile, wiping the device, or any break in communication with Workspace ONE UEM to your Windows 10 devices.
  • We now support SCEP proxy for Windows 10 devices.
    If your certificate authority requires a proxy connection, the Device Services server acts as a proxy for communications between the CA and your Windows 10 devices with a SCEP profile. Decide where to store your SCEP private keys for Windows 10 devices. You can now select the Key Location for private keys in the SCEP profile for Windows 10 devices. For more information, see Configure a SCEP Profile (Windows Desktop).
  • Define your Baseline assignments with the new Exclusions feature.
    You can now exclude specific smart groups from assignment when assigning Baselines to your Windows 10 devices. This feature allows you to assign the Baseline to a large smart group and then refine the assignment to exclude specific, smaller smart groups.
  • Ensure your data is protected on Windows 10 devices even after a device wipe.
    The Encryption profile now supports keeping the system encrypted at all times. This includes after removing the profile, wiping the device, or any break in communication with Workspace ONE UEM to your Windows 10 devices.
  • We now support SCEP proxy for Windows 10 devices.
    If your certificate authority requires a proxy connection, the Device Services server acts as a proxy for communications between the CA and your Windows 10 devices with a SCEP profile. Decide where to store your SCEP private keys for Windows 10 devices. You can now select the Key Location for private keys in the SCEP profile for Windows 10 devices. For more information, see Configure a SCEP Profile (Windows Desktop).

Resolved Issues

The resolved issues are grouped as follows.

2001 Resolved Issues
  • AAPP-5341: Third-party apps option on iOS native email profile requires UI text update.

  • AAPP-7017: The "Allow Biometric ID modification" is dependent on the "Allow Biometric ID to unlock the device" key in the restrictions profile.

  • AAPP-7188: The allowPasswordSharing key in the iOS Restrictions payload translates to Allow sharing of Wi-Fi passwords in the UI.

  • AAPP-7735: DEP profile that is already assigned gets stuck in “Assignment in Progress” status and cannot be edited.

  • AAPP-7900: API that is used to create the macOS Encryption profile returns an error when the “ForceRestart” parameter is passed in the body.

  • AAPP-8165: Uploading an app with extension fails when the payload is not specified directly under IPA.

  • AAPP-8470: In a multi OG setup where an app has auto-update enabled if failure occurs at one OG, the process aborts.

  • AAPP-8477: Improved error handling for iOS devices during CheckIn.

  • AAPP-8493: The application name for the built-in Workspace ONE Productivity apps in the APNs for applications have incorrect and outdated names.

  • AAPP-8530: Unable to create a macOS Network profile with Multiple WiFi payloads.

  • AAPP-8554: VPP apps do not get installed on iPods even if supported devices include the iPhone and iPod touch.

  • AAPP-8556: Error when editing profiles with Network Usage Rules payload.

  • AAPP-8600: APNs for ProfileList and CertificateList commands does not work as expected.

  • AAPP-8611: We've made a few UI improvements to VPP app deletion. 

  • AAPP-8614: Support "apns-push-type" header for APNs via HTTP/2. 

  • AAPP-8618: VPP apps are not being installed on custom enrolled devices.

  • AAPP-8668: Students' devices show offline on teachers' devices.

  • AAPP-8674: "Allow managed apps to store data" restriction does not work as expected on iOS13 devices.

  • AAPP-8725: Incorrect IMEI reported on device details for iOS multi-SIM devices. 

  • AAPP-8960: DB Performance improvements for macOS devices. 

  • AAPP-9006: Entrust certificate installation fails on the device.

  • AAPP-9060: Roster sync performance improvements.

  • AGGL-5851: Hidden Network and Auto-Join checkbox states do not honor the edit profile.

  • AGGL-6562: Intermittent timeouts seen while running the sample history clear maintenance job

  • AGGL-6596: ChromeOS web request does not work as expected.

  • AGGL-6753: Profiles do not get assigned to Android legacy devices if credentials payload is assigned to one profile. 

  •  AGGL-6782: The Managed Play Account is not hidden in the personal side in the COPE enrollments.

  • AMST-20029: Remove unnecessary errors from the Provisioning Package logs.

  • AMST-20985: Unable to disable the Win Desktop Software Package Deployment setting.

  • AMST-21644: Devices hit the sample endpoint even though the devices are deleted from the Console.

  • AMST-21723: Device -> Device Updates -> Windows and Device details display GUID and not metadata.

  • AMST-21847: In the Firewall profile, when we configure 'Block' Firewall Rules Merge/ Connection Rules Merge, the SyncML generated has value 'AllowLocalPolicyMerge' = 'True' and vice versa.

  • AMST-21934: Cannot re-add a Path Exception in the Windows anti-virus profile once all the exception path is cleared and saved. 

  • AMST-22045: Wifi auto-connect does not work as expected for Windows desktops.

  • AMST-22047: Intelligence - unable to access sensors from child OG for Windows Devices.

  • AMST-22104: Windows Phone 10 app status does not reflect the correct install status in the console.

  • AMST-22146: Remote Address Ranges in the Firewall rules do not work as expected.

  • AMST-22198: Incorrect path for Dell Command Monitor causes installation to fail and other errors in the logs.

  • AMST-22432: Windows OOBE enrollment does not work as expected in the console and "pending hub" status is displayed.

  • AMST-22433: Assigned updates and approved updates device count mismatch for Windows updates.

  • AMST-22476: Windows Devices incorrectly honors the auto-logout setting. 

  • AMST-22751: Device Sensors not working due to Dataplatformservice exceptions

  • AMST-22863: Device Details View > Apps tab, radio button grays out for win BSP apps.

  • AMST-23164: DB upgrade fails from to 1909 with DeviceProfileSettingValue_UpdatePeakShiftToISO8601 error.

  • AMST-23157: Baseline Page Crashes in the Profiles & Resources Area. 

  • AMST-23420: Enable script detection does not work as expected.

  • ARES-7765: The deployment progress indicator does not work as expected when you create multiple smart groups and assign devices to different smart groups.

  • ARES-8564: Standalone catalog enrollment for iOS 12.2 devices does not work as expected.

  • ARES-8624: Event Log > InstallAppRequested displays incorrect app version.

  • ARES-10552: begininstall API returns internal server error.

  • ARES-9682: Unable to send install command for internal app android to devices where the app is reported as a system app.

  • ARES-10685: SDK app associated with Credential payload(SDK profile) fails to load due to DB Sproc failing and not populating any data.

  • ARES-10818: Violation of Primary Key constraint. 

  • ARES-10904: AirWatch Service Interrogator Queue does not work as expected.

  • ARES-10937: Unable to see the smart group option when we add or edit the assignment for the public applications under Apps & Books.

  • ARES-11113: Unable to send boxer app configs for older assignments where app configs are not saved in blob table.

  • CMSVC-10132: With Bulk import, the column "Enrollment Organization Group" in the advanced template, does not take the OG name, but takes the Group ID.

  • CMSVC-10894: Assign Tags does not work as expected in the Internet Explorer.

  • CMSVC-10964: User group when searched shows the GUID format and the user group does not save.

  • CMSVC-11002: Admin user attributes do not update in the Workspace ONE UEM console after sync.

  • CMSVC-11004: Saving Performance Tuning settings resets batchsizebysmartgroup setting value to 0.

  • CMSVC-11077: OU with 180K+ users syncs partially to the Workspace ONE UEM console.

  • CMSVC-11087: The AddTag API call fails if the special character contains "&" in the TagName field.

  • CMSVC-11117: Merge API does not show proper response code when the merge fails.

  • CMSVC-12757: API call made to fetch a list of administrator users uses PageSize 1000 lists only 21 users and the total count is incorrect.

  • CMSVC-12821: Unable to sync more than 1000 users in a user group when integrating with VDS.

  • CMSVC-12893: The 'Azure Active Directory Mapping Attribute' is mandatory when Directory is set to None and Azure AD For Identity Services is enabled on the Directory Services settings page.

  • CMSVC-12930: User status filter (active & inactive) does not work.

  • CMSVC-12957: Incorrect Server used when Adding Missing Users. 

  • CRSVC-7992: Platform-specific message template is not picked up while registering devices.

  • CRSVC-8623: Intermittent API failures occur after cors request to certain API’s.

  • ENRL-1572: Device friendly name of the last device in the list is gets updated as Delete in Progress. 

  • ENRL-1596: Resend Message option for the token in the "Enrollment Status" list view page extends the registration token when Token Authentication is enabled for enrollment. 

  • ENRL-1598: Token-based enrollment shows the issued date as the future date when whitelisting a device. 

  • ENRL-1740: Unable to enroll devices when "registered devices only" is selected.

  • FCA-189719: “user name” instances in the Workspace ONE UEM must be updated to “username” to modernize the end-user messaging.

  • FCA-191478: UEM console logouts automatically after 4 hours.

  • FCA-191523: Getting started page shows mismatch percentage value in the completed status.

  • FCA-191934: The organization details search API call gives blank results for location and country.

  • FCA-192112: Device Usage Details Report Query causes overflow.

  • INTEL-16242: "OS Version" gets appended with "OS Build/Revision Number".

  • INTEL-5248: Custom report with field device_eas_device_identifier missing data for Android devices.

  • PPAT-6200: Unable to load some Tunnel pages when deploying UEM with distinct Console and API URLs.

  • PPAT-6241: Tunnel configuration sometimes fails to load due to read/write permissions for the Airwatch Tunnel Service running on the UEM Console.

  • PPAT-6301: Tunnel configuration fails to save when an existing Certificate Authority matches the Organization Group ID.

  • RUGG-5294: Activate Icon is not displayed when editing an active product.

  • RUGG-6991: We've removed App Remote View as it has issues and has been deprecated. 

  • RUGG-7282: Held Commands do not release properly due to the Primary key violation for the Procedure DevicePolicyDevic_Delete.

  • RUGG-7369: On the Add Product page > Deployment tab, the "Server Date and Time" is shown incorrectly when the current admin account setting is configured with the non-GMT time zone.

  • RUGG-7493: Unable to add file with extension .bat or .PS1 in Add Files/Actions. 

  • RUGG-7558: MaintainProduct API calls to update products works as expected. However, when they try to use a smart group created a lower level than the product, the "404 invalid smart group" error is displayed in the console. Patch Resolved Issues
  • ARES-11559: iOS Outlook ExternalAppAssignment mapping removal issue.

  • RUGG-7703: Unable to download existing product provisioning application when the FileStorage is enabled. Patch Resolved Issues
  • AMST-24685: The UEM Console Shows "Hub Repair" option even if the feature is hidden under a feature flag.

  • CMSVC-13016: User attributes fail to update due to SQL Timeout and Multiple Concurrent Calls. 

  • CRSVC-9471: Certificate fails to install when multiple SANs of the same type are specified in the certificate template

  • FCA-192446: Unable to edit profiles after migration from AirWatch express to the full version of Workspace one UEM. 

  • AAPP-9324: Asset number is missing and the Device Friendly name gets overridden for DEP when custom enrollment is enabled. 

  • CRSVC-9096: Third-party Part CA Certificates are cached by device ID for SDK apps that cause issues with CICO. Patch Resolved Issues
  • AGGL-7139: CommandID 49 to push updated managed App Configs is not queued for Internal Apps on Work Managed Android devices

  • AMST-24861: BranchCache falling back to DS when no peers are available instead of CDN

  • AMST-24781 Baseline removed when applying any assignment (app/profile/compliance policies) exclusion. Patch Resolved Issues
  • CMSVC-13238: Manual User Attribute Sync fail due to SQL timeout for EnrollmentUser_UpdateAfterSync. 

  • CMSVC-13239: Manual User Attribute Sync takes over 12 hours to complete. 

  • CMSVC-13240: User active/inactive status is not updated during manual attribute sync due to SQL Timeouts for EnrolmentUserStatusUpdate. Patch Resolved Issues
  • AAPP-9471: IKEv2 profile has missing keys causing a connection failure. 

  • CRSVC-9957: [HMAC] Token revocation does not always log an associated event. Patch Resolved Issues
  • CRSVC-10010: Device compliance status save sproc fails to save the status due to concurrency ID change. Patch Resolved Issues
  • AAPP-9590: Make MDM Managed not prompting VPP Apps installed before the assignment. 

  • CRSVC-10207: Compliance policy that removes specific profiles fails to not remove profiles. Patch Resolved Issues
  • AGGL-7423: Update SendApplicationConfiguration API to handle per device and AndroidEnterprise. Patch Resolved Issues
  • CMSVC-13393: User details get double encrypted during parallel enrollment for the same user. 

  • FCA-192959: Device Delete on UEM Console does not update Intelligence correctly causing a mismatch between UEM and Intelligence device lists. 

  • INTEL-19285: ETL | Add Sequence in ordering for Device Delete. Patch Resolved Issues
  • RUGG-7964: Device is not going to the compliant state even though Job sample is received as completed. Patch Resolved Issues
  • AAPP-9752: Delete Device does not wipe the device in rare occurrences when device checks in right before the command is issued

  • AAPP-9789: VPP App Publish failure when the device included in two assigned SGs.

  • AAPP-9790: Add functionality to send basic config(server URL etc) every time managed app config is updated for public apps.

  • AMST-26441: Compliance policy evaluation is pending for Windows 10 devices. 

  • CMSVC-13446: Unable to remove existing users from particular custom user group with 1000+ users after upgrading the console. Patch Resolved Issues
  • AAPP-9876: Unable to assign apps with devices in status "WipeInitiated" exists.

  • AGGL-7611: Update to managed app config for Android apps are not pushed to the devices. Patch Resolved Issues
  • AGGL-7678: Check-in/Check-out API call does not take action on devices. Patch Resolved Issues
  • ARES-12941: Android Profiles are not removed on OG changes. 

  • FCA-193277: "Terms of use Acceptance Detail" report does not include devices/users from child OG's. Patch Resolved Issues
  • CMSVC-13662: Open LDAP integration unable to bring in users/groups. Patch Resolved Issues
  • AMST-27378: Device enrollment status is stuck in progress. Patch Resolved Issues
  • AMST-27528: DCM and app-deployment agent removal commands are queued when user switch happens from staging to check out users. Patch Resolved Issues
  • CMCM-188660: Unable to fetch the API results for content management categories. 

  • SINST-175702: Include ACC installer. Patch Resolved Issues
  • AGGL-8160 Force check-in action on UEM does not work if the launcher profile is also assigned to staging users.

  • AGGL-8161 Per-app VPN mapping is not queued for on-Demand Android Enterprise apps when the install is triggered via Work Play Store and app assignment is added post-enrollment via Tag resulting in disruption of tunnel access.

  • AGGL-8188 Saving Hub settings appear to be clearing the Knox license key. Patch Resolved Issues
  • ARES-14527: DeviceProfile_LoadVPNMappingsByDevice PRIMARY KEY constraint cannot insert duplicate key in object 'dbo.#tempAppVpnProfileVersionID'. Patch Resolved Issue
  • CMSVC-14076: Handle SQL exception thrown for duplicate device ID and tag when two parallel threads call add tag API.

  • AGGL-8552: APK metadata parsing failure. Patch Resolved Issues
  • AAPP-10940: iOS devices are checking in continuously while checking for available OS updates. Patch Resolved Issues
  • AAPP-11205: Device Management profile not getting removed from the device on an enterprise wipe. 

  • AAPP-11218: Wipe deleted devices hitting the Check-in endpoint. 

  • AGGL-8894: Web Apps added through iFrame for Android Enterprise devices are not reported as Installed. Patch Resolved Issues
  • CRSVC-18276: Addressing encryption/signing issues on Device Services, leading to device communication failures due to recent changes in .NET framework released as part of latest Windows updates. Patch Resolved Issues
  • CRSVC-19542: All certificates issued to a device by some CAs are in an unknown state.

Known Issues

  • AAPP-8699: Device Reported Name is wrongly displayed on Console UI.

    DeviceReportedName does not get updated on query when custom friendly name feature is set in Settings> All Settings > Devices and Users > General > Friendly name.

    Disable Friendly Name setting in Settings> All Settings > Devices and Users > General > Friendly name

  • AAPP-8799: Customer can misconfigure iOS Siri Profanity setting based on the text on Console.

    Help text is incorrect for iOS Siri Profanity Filter restriction

    Admin can check Apple's documentation for key -

  • AAPP-9004: Customer could experience slowness due to unwanted load caused by Schedule OS update command queued in bulk.

    Schedule OS Update from Device List View does not limit the bulk action to value set in Bulk management settings.

    Admin should not select a large number of devices to schedule OS update for iOS devices.

  • AAPP-9058: End users cannot use book catalog due to wrong URL.

    Book Catalog does not load when using {SecureDeviceUdid} in the URL.

    Passing DeviceUUID in the book catalog

  • AGGL-6074: Device blacklist, Whitelist and registration with serial number, IMEI does not work for Android Q Devices.

    Any restrictions applied on the basis of serial number, IMEI will not be executed during the device life cycle as the support to get these details from the device has been removed due to privacy concerns

    Use UDID instead of the serial number or IMEI

  • ARES-11178: Windows does not support the downgrading of apps.

    Here is the current design for retire and deactivate Windows applications given that windows do not support downgrade of apps:
    Retire the latest version: No action is taken since windows don't support downgrade. New enrollments will receive the older version but the existing devices that have the latest version installed will continue to have it.

    Admin triggers manual removal. We take this approach to avoid large downtimes between app removals and re-installation.

  • AMST-23768: Windows Internal app not able to download when uploaded via a link using SFD

    When uploading a link to send down a windows internal app and "Download & Distribute via WS1 UEM server" is unchecked the application install will fail

    If the admin checks "Download & Distribute via WS1 UEM server" option then the application will install

  • AMST-23975: If an application fails the status will display the incorrect reason.

    If an assume managed application is pushed to the device and fails to install, then the console will display that the application is "MDM Removed" instead of "Execution Failed".

  • AMST-24067: Office 365 app is reported as installed before installation completes

    When a customer is configuring office 365 application and pushing it to a windows device, the application install status will prematurely display as installed. If it fails to install the status will still show as installed but the last action will display as install command failed

  • AMST-42002: Force reboot happens immediately after app is installed where reboot is require

    When you upload any app that has force restart the reboot will happen immediately and not allow user to save their work when intelligent hub is not installed on the device

    Install intelligent hub on the device or edit the app reboot setting to user engaged restart and edit the deadline to 0 and then set it back to force restart.

  • CMCM-188366: Adding a version of AirWatch managed content fails with a blob error in certain situations.

    An admin may encounter the below issue for on-prem environments: Unable to add version of managed content in AirWatch for an existing document (.pdf, .txt etc). Generic errors display to the admin.

    • Open IIS settings on the console server.
    • Navigate to .NET Globalization.
    • Change the Culture and UI Culture to "Invariant Language(Invariant Country)"
    • Note: the success rate of this workaround is not 100%.
  • FCA-192253: Unable to upload a certificate in the Self-Service Portal which contains markup characters in the password.

     If user attempt to upload a certificate from SSP and the password for certificate contains markup characters a validation exception is thrown

    Use the certificate password without Markup Characters

  • FCA-192286: If the user is logged out of the console and then clicks on a report subscription link from within an email, the Report (legacy) doesn't download after signing back in.

    If the admin user is not logged into the UEM console and then the user clicks on a report subscription link in an email, the Console will open and prompt for a login. After successfully authenticating, the report does not begin to download, nor does the console redirect to the reports page.

    Admin Users can log into the console before clicking on the report subscription link.

  • FCA-192383: The user is unable to device wipe after performing a device wipe on another device and friendly name change on the current device.

    If the admin user enrolls two devices ( device A and B) and performs a device wipe on one of the devices (device A), the admin user can't device wipe the other device ( device B) if they have changed the friendly name of the device (device B) in the same session as the pin window to confirm the device wipe pops up momentarily and disappears.

    Admin Users can refresh the page and try again.

  • PPAT-6440: If AWCM isn't working properly at the OG level, it is possible for non-compliant devices to connect while waiting for revocation via API

    When Tunnel is configured is at parent OG and devices are enrolled at child OG, VPN cert AWCM message will not get delivered to Tunnel Server

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

  • CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

    Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on the UEM console. 

    As a workaround, set the date one day prior to your intended expiration date. 

check-circle-line exclamation-circle-line close-line
Scroll to top icon