VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 2003, a list of our resolved issues, and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

• Phase 1: Demo and UATs
• Phase 2: Shared SaaS environments
• Phase 3: Dedicated latest environments

This version is only available to our SaaS customers on the Latest mode. The features and improvements incorporated in this version will be available to our on-premises or managed hosted customers with the next on-premises release. For more information, see the KB article. 

New Features in this Release

Workspace ONE UEM Console

• See an on-screen notification if your report exceeds the size limit.
  If you request a report that is bigger than the size limit, it is now represented in Monitor > Reports and Analytics > Exports with a new status label called "File size exceeds limit". The new Exports status appears if your report needs more file space than the 4GB hard limit.
• We've made a few updates to SAML and Directory Authentication in Workspace ONE Express.
  When setting up SAML on the Directory Services configurations page in Express, you can now export the service provider's settings without any issue. Also, directory authentication is enabled for Express organization groups, which means, you can now enroll devices with directory authentication.
• Leverage the event data to consume Workspace ONE API's based on UUIDs.
  We've added the EnrollmentUUID and DeviceUUID attributes to event notifications. These additional identifiers are associated with the user and device.

Android

• Retrieve feedback reported by OEM config applications for quick detection of errors.
  Use the feedback channel to get granular app feedback and troubleshooting information sent by apps. For more information, see Retrieve Feedback from OEM Config Applications.
• Control which Google accounts can be used within the Managed Google Play Store.
  Sometimes you may want to allow people to add G-Suite accounts to access corporate email, or personal accounts (to read mail in Gmail for example) but do not want the unmanaged Google account to access an unrestricted Google Play. With the new Allowed Accounts in Google Play setting in the Restriction profile, you can choose whether to restrict or allow non-Managed Google Play Access. You can set a list of accounts people can use in Google Play. For more information, see Restriction Profile.
• Restrict personal apps from sharing data with work applications.
  Allow personal apps to share data with work apps in the Restriction profile now lets you prevent personal apps from sharing files, pictures, and data into the managed profile. For more information, see Restriction Profile.

iOS

• Convert all your Apple Business Manager licenses in a single click.
  You can now convert any user-based licenses synced from Apple Business Manager to device-based licenses by selecting one, multiple, or all the applications for a given organization group. For more information, see Configure Licenses and Assign with Flexible Deployment.
• Keep your custom Apple apps up to date.
  You can now enable automatic updates for Apple Custom apps synced from Apple Business Manager. Any device that reports an app that is not on the latest version will have the app updated automatically.
• Remote Assist Process Streamlined in Device List View and Details View.
  It now takes fewer clicks to start a Remote Assist session on a qualifying device from the UEM console's Device List View and Details View. Your remote sessions for troubleshooting and performing advanced configurations on devices in your fleet are initiated swiftly because you select the specific Remote Assist client tool before you connect. For more information, see Device List View.

Windows

• Get access to your BranchCache performance data from both the device and the server.
  The new Peer Distribution Panel under Apps&Books > Native > List View > Application Details give you a heads-up on the number of devices that have downloaded the application using the peer distribution, the amount of data downloaded, and the source of the downloaded data. The application Devices tab now gives you individual BranchCache performance data for each of your devices.
• The communication resiliency for Windows 10 got better with automatic HMAC recovery.
  Workspace ONE UEM automatically checks the HMAC on Windows 10 devices. If the system identifies a corrupt or missing HMAC, it triggers an HMAC recovery. It sends it through the native OMADM channel to the Workspace ONE Intelligent Hub to re-establish communication.
• Keep your apps installed on your devices.
  With the new Desired State Management setting, you can now protect your managed apps from removal from your devices. For more information, see Add Assignments and App Policies to your Win32 Applications.
• Deploy profiles with the new Windows - AAD Enrolled smart group category.
  Use the new Windows - AAD Enrolled category in smart groups when you want to exclude or include Windows 10 devices depending on their management status. For example, configure the General payload of a Credentials profile to exclude a Windows - AAD Enrolled smart group so you can deploy certificates to managed devices but not to OOBE devices. When creating smart groups, find the new Windows - AAD Enrolled category in Criteria Type > Enrollment Category. When configuring profiles, go to the General payload and select the group with Windows - AAD Enrolled configured for Smart Groups or enable Exclusions and select the same for Excluded Groups.
• We've updated the integration of the Dell Command | Update (DCU) with the Workspace ONE UEM console that provides command-line interface (CLI) capabilities and alligns with the latest DCU 3.1 release from Dell.
  We've updated the integration of the Dell Command | Update with the Workspace ONE UEM console that provides command-line interface (CLI) capabilities. With the new version of Dell Command | Update, we'll have a few workarounds and scripts that maintain CLI use. Watch VMware's Tech Zone (https://techzone.vmware.com/) for news about the integration and next steps.

Content Management

• Automate your content gateway settings in the UEM Console.
  Now you can create configuration files in the UEM console for UAG deployment. These files simplify deploying your content gateway servers deployed through UAG. For more information, see Configure Content Gateway on the UEM Console.

Rugged

• Android Application Provisioning Supports Per-App VPN.
  Per-App VPN is now supported for provisioning applications to Android devices. When you configure an Android app to be provisioned with the per-app VPN option, a VPN automatically connects when that Android app is launched and routes all the app traffic through the VPN. For more information, see Create a Product.
• Product Provisioning Now Supports CDN.
  The struggle for bandwidth in your provisioning environment just got a little easier now that support for Content Delivery Networks (CDN) has been introduced. With this option enabled and configured, CDN can lighten the distribution of product loads to offload traffic from your network. For more information, see Configure a CDN for Provisioning.

Tunnel

• Configure detailed Unified Access Gateway settings from the UEM console.
  You can now set advanced configuration settings for the Tunnel gateway directly from the UEM console without needing to login to your UAG servers. For more information, see Configure Per-App Tunnel.

Resolved Issues

The resolved issues are grouped as follows.

• 2003 Resolved Issues
• 20.3.0.1 Patch Resolved Issues
• 20.3.0.2 Patch Resolved Issues
• 20.3.0.3 Patch Resolved Issues
• 20.3.0.4 Patch Resolved Issues
• 20.3.0.6 Patch Resolved Issues
• 20.3.0.7 Patch Resolved Issues
• 20.3.0.8 Patch Resolved Issues
• 20.3.0.9 Patch Resolved Issues
• 20.3.0.10 Patch Resolved Issues
• 20.3.0.11 Patch Resolved Issues
• 20.3.0.12 Patch Resolved Issues
• 20.3.0.13 Patch Resolved Issues
• 20.3.0.14 Patch Resolved Issues
• 20.3.0.15 Patch Resolved Issues
• 20.3.0.16 Patch Resolved Issues
• 20.3.0.18 Patch Resolved Issues
• 20.3.0.19 Patch Resolved Issue
• 20.3.0.20 Patch Resolved Issues
• 20.3.0.21 Patch Resolved Issues
• 20.3.0.22 Patch Resolved Issues
• 20.3.0.23 Patch Resolved Issue

2003 Resolved Issues

• AAPP-7126: The auto-update does not work when the VPP app version starts with a letter instead of a number.

•  AAPP-8699: DeviceReportedName' is not updated in the database for the table dbo.device unless the Friendly name is disabled in Console UI.

• AAPP-8718: Installing books from Device Details fails.

• AAPP-8799: iOS Siri Profanity Filter restriction displays incorrect help text.

• AAPP-8826: Unable to complete the installation of Custom B2B applications.

• AAPP-8897: Unable to DEP enroll devices if they have been previously blocked from enrollment.

• AAPP-8953: DB performance spike due to invalid sample for macOS device below 10.11. 

• AAPP-8973: Device page under the app details view is broken for macOS devices when Hub and app are on different versions. 

• AAPP-8976: iOS Credentials Profile does not install.

• AAPP-9004: Schedule OS Update from Device List View does not limit the bulk action to value set in Bulk management settings.

• AAPP-9013: Roster sync is failing due to a SQL timeout exception.

• AAPP-9124: Upgrading to UEM console 1912+ triggers re-install of macOS Certificate profiles.

• AAPP-9152: The devices grid only shows 10 devices with no additional pages.

• AGGL-5503: Per-app VPN mapping is not queued for on-Demand Android for work apps when install is triggered via Work Play Store and app assignment is added post-enrollment via Tag. This results in disruption of tunnel access.

• AGGL-6308: Android Default Settings' profile is not queued for already enrolled Android devices. 

• AGGL-6638: Selected App name in Android profile Permissions payload has issues if the application has double-byte characters.

• AGGL-6654: Managed Play Account is not hidden in the COPE enrollments.

• AGGL-6666: Deleted device via an API gets added to the console UI with a new device ID.

• AGGL-6678: Find Device alarm rings continuously on newer Android devices.

• AGGL-6748: Public App Auto-Update Profile incorrectly marked as "Removed" on UEM Console but stays on the device.

• AGGL-6752: Profiles does not get assigned to Android legacy devices if credentials payload is assigned to another profile payload.

• AGGL-6855: Deploying network “user” profiles to ChromeOS devices does not work as expected.

• AGGL-6870: Improved performance to reduce SQL timeouts when syncing devices for Application publishing. 

• AGGL-6976: Android for Work enrollment does not work as expected. 

• AMST-20689: Enable script detection does not work as expected in the elevated mode. 

• AMST-21426: SCEP Airwatch CA Certs goes to Intermediate Store instead of Trusted Root store on enrollment of windows 10 devices.

• AMST-21542: Compliance Status is displayed as Not Available even when there is no compliance policy assigned to the device. 

• AMST-21985: UI does not display published apps in Adaptiva

• AMST-22334: Application Retry Interval fails to honor the retry settings

• AMST-22539: Device friendly name switches between English and Japanese locales. 

• AMST-22727: Unable to remove Windows Defender Profile when combined with Exploit Guard Payload

• AMST-22754: The Windows Desktop Personalization profile does not set the correct value for HideAppList.

• AMST-23109: DB upgrade fails from 19.7.0.1 to 1909.

• AMST-23199: Zip applications containing script detections fails to install.

• AMST-23336: Delivery Optimization settings for Windows Updates profile does not apply as required.

• AMST-24139: DB upgrade fails with duplicate key errors. 

• AMST-24232: Windows Update count mismatch on Ws1 Console for Windows Desktop 1803,1809,1903 devices.

• AMST-24305: Use Proxy for Local (Intranet) Addresses in Windows Proxy profile does not work as expected.

• AMST-24682: Baseline gets removed from devices when adding exclusions to the windows profile.

• AMST-24710: BranchCache falls back to DS when no peers are available instead of CDN.

• AMST-24791: MEM Device records are not being created for Windows 10 Desktop native client.

• ARES-6754: Credential payload browsing for more than 20 certificates does not work as expected.

• ARES-7508: App Monitor Graph displays an incorrect date after changing the timezone.

• ARES-8513: Web Clips profile shows incorrect install status on Catalog and console.

• ARES-10955: Unable to load SDK analytics page 

• ARES-11026: Unable to view the device summary page from the device list view for devices having redemption code based CustomB2B apps with Null BundleID.

• ARES-11179: App Removal Protection does not work as expected during the Smart group edit.

• ARES-11180: Unable to install profiles as the commands fail to generate due to the in32 limit.

• ARES-11183: When creating a Weblink (for iOS/Android, under Apps & Books > Applications > Web > Web Links), a URL with "AWB" or "abs" protocol results in "Protocol is Required" error. 

• ARES-11237: App Details View > Devices List View returns access denied error.

• ARES-11323: Device Details > Books tab displays assigned applications instead of assigned books

• ARES-11325: Few GET API calls that use app UUID returns a 404 error (/devices, /deploymentcounts, /actioncounts, /reasoncounts)

• ARES-11510: iOS Outlook ExternalAppAssignment mapping removal does not work as expected. 

• CMCM-188366: Adding a version for AirWatch Managed Content does not work as expected.

• CMEM-185585: The PowerShell command is not being sent out to EXO during migration.

• CMEM-185609: Unable to rotate the user's Google password through the User Details page.

• CMSVC-11003: Unable to remove existing users from a particular custom user group after upgrading the console.

• CMSVC-11060: SAML enabled admin accounts are unable to authenticate after IsActive OG deleted from the console. 

• CMSVC-11097: REST API call made to mainly /system/users/adduser with the content type set to application/XML results in the "argument cannot be null" error message.

• CMSVC-12842: Admins/Search V2 API does not work as expected.

• CMSVC-12858: Import Admin Users Template displays Airwatch instead of VMware.

• CMSVC-12870: The 'Azure Active Directory Mapping Attribute' is mandatory when Directory is set to None and Azure AD For Identity Services is enabled on the Directory Services settings page.

• CMSVC-12879: Assigning a Profile to an Assignment Group from the Assignment Group Page does not work as expected.

• CMSVC-12885: Manage Tags option is missing from the custom role.

• CMSVC-12892: User status filter (active & inactive) does not work as expected.

• CMSVC-12941: When the device OS is updated, the assignment mapping is not updated unless the admin republishes the new application version.

• CMSVC-12947: Incorrect server details get picked when adding missing users.

• CMSVC-12965: Console user interface includes extra space character on User Details > Email Address value.

• CMSVC-13158: Dell Latitude 5300 & 7300 are not available in the drop-down list in Smart Group even though the device is enrolled.

• CRSVC-6596: ACC client request does not work as expected.

• CRSVC-7398: Secure Channel page contains references of Airwatch. 

• CRSVC-7474: AirWatch is displayed as the default sender name in SMTP settings.

• CRSVC-7495: Generating a certificate request fails when Subject Name has a comma.

• CRSVC-7495: Certificate request fails when Subject Name has a comma. 

• CRSVC-7719: Unable to select restrictions profile in iOS compliance policy when 1000 characters limit exceeds.

• CRSVC-7871: VMware AirWatch has a swagger console implemented which is vulnerable to DOM XSS.

• CRSVC-8619: The information Icon on the Privacy page is not aligned as expected. 

• CRSVC-8620: Application tooltip on the Privacy Settings page has a few alignment issues.

• CRSVC-8690: Certificate fails to install when multiple SANs of the same type are specified in the certificate template.

• CRSVC-9031: Third-Party CA Certificates are cached by device id for SDK apps causing issues with Check-in/Check-out flows.

• CRSVC-9140: Multiple emails are triggered to end-users when the MDM terms of use is updated.

• ENRL-1716: Unable to enroll devices when "registered devices only" is selected. 

• ENRL-1722: Device Activation Email is not being sent if the template has QR code lookup and child OG is selected

• ENRL-1732: User is not created in real-time via HUB enrollment.

• FCA-192166: SSP language set to German causes incorrect message of decline in Terms of Use. 

• FCA-192229: Devices/Search API fails with SQL data truncation error. 

• FCA-192230: UEM console shows multiple/duplicate SIM card entries under the Network tab in the Device Summary page.

• FCA-192249: Auto Update Notification Link Results in Access Denied Error.

• FCA-192252: The configuration link between Workspace One Access and the UEM server does not work as expected. 

• FCA-192286: Automatic Report downloads do not work as expected.

• FCA-192383: Admin pin prompt for wipe action closes before entering the pin.

• RUGG-7428: "Undefined" error is displayed when the editing product rules.

• FCA-192413: Unable to edit profiles after migration from AirWatch express to the full version of Workspace one UEM.

• PPAT-6440: When Tunnel is configured at parent OG and devices are enrolled at child OG, VPN cert AWCM message will not get delivered to Tunnel Server.

• RUGG-7485: Duplicate content CSI items found in the database.

• RUGG-7488: Unable to edit a product from an active product set.

• RUGG-7489: Cannot push Products to a smart group at lower OG using API.

• RUGG-7490: Changing the managed by profile to a sibling OG when inside of a product allows product edits.

• RUGG-7554: Incorrect value for page size parameter in launcher profile XML.

• RUGG-7723: Apps API does not return Elective Products for macOS Hub Catalog.

• RUGG-7768: The Zebra printer wifi profile does not work as expected.

• RUGG-7701: Unable to download existing product provisioning application when FileStorage is enabled. 

20.3.0.1 Patch Resolved Issues

• CMSVC-13306: User active/inactive status is not updated during manual attribute sync due to SQL Timeouts for EnrolmentUserStatusUpdate.

• CMSVC-13307: Manual User Attribute Sync takes over 12 hours to complete.

• CMSVC-13308: Manual User Attribute Sync failures due to SQL timeout for EnrollmentUser_UpdateAfterSync.

• CRSVC-10009: Device compliance status save sproc fails to save the status due to concurrency ID change.

• INTEL-18419: Add API URL to LocationGroup_Initial Export and Perform OG Resync.

20.3.0.2 Patch Resolved Issues

• AMST-25643: Windows desktop devices are getting incorrectly reported as Windows Phone Model

• SINST-175615: Bundle AWCM 6.6.1 with console installer. 

20.3.0.3 Patch Resolved Issues

• AMST-26043: Unable to provision Digital Employee Experience Management Telemetry agent with WS1 Intelligence SKU

• FCA-192897: REST API for devices search by alternate identifier fails with Internal Server Error.

• FCA-192958: Device Delete on the UEM Console does not update Intelligence correctly causing a mismatch between UEM and Intelligence device lists. 

• INTEL-19284: ETL | Add Sequence in ordering for Device Delete.

• RUGG-7936: DynamicPDF DLL version changed resulted in the usage of the unlicensed version of DLL.

20.3.0.4 Patch Resolved Issues

• AAPP-9768: Unable to open the 'purchased' tab of the application page. 

• AGGL-7515: UEM API call gives 500 internal server error in Sandbox. 

• AMST-26263: Active Hours set in profile does not match the device settings.

• APF-3128: Unable to save Mobile Flows connector. 

• FCA-193016: "Terms of use Acceptance Detail" report does not include devices/users from child OG's. 

20.3.0.6 Patch Resolved Issues

• AAPP-9764: Delete Device does not wipe the device in rare occurrences when device checks in right before the command is issued. 

20.3.0.7 Patch Resolved Issues

• AMST-26815: Internal App version does not get updated in the console after the App version update. 

20.3.0.8 Patch Resolved Issues

• MACOS-1173: Certificate resiliency check for missing certificates errors out when there is more than one missing certificate for a single profile. 

• RUGG-8155: High Memory usage in machines where the Policy engine is running. 

• RUGG-8213: Unable to generate Rapid Deployment barcodes on upgrading to 2003 UEM console. 

20.3.0.9 Patch Resolved Issues

• AMST-27377: Device enrollment status is stuck in progress. 

20.3.0.10 Patch Resolved Issues

• AMST-27573: Device List View reporting compliance status as Not Available. 

20.3.0.11 Patch Resolved Issues

• AGGL-7910: Unable to use Access for Work Profile authentication on enrollment.

20.3.0.12 Patch Resolved Issues

• AAPP-10476: iOS legacy catalog deployment fails to send APNs to devices. 

20.3.0.13 Patch Resolved Issues

• CRSVC-12990: Extend UDID hash validation in Beacon Payload to account for UDIDs in lower case. 

20.3.0.14 Patch Resolved Issues

• CRSVC-13417: User-Friendly Privacy portal is displaying a blank page.

20.3.0.15 Patch Resolved Issues

• AAPP-10939: iOS devices are checking in continuously while checking for available OS Updates.

• AGGL-8636: Android for work public application publish fails Intermittently when adding new Smart group.

20.3.0.16 Patch Resolved Issues

• RUGG-9245: Manually seeded launcher APK via seed script goes missing in the database after a day. 

20.3.0.18 Patch Resolved Issues

• AAPP-11204: Device Management profile not getting removed from the device on an enterprise wipe. 

• AAPP-11217: Wipe deleted devices hitting the Check-in endpoint. 

20.3.0.19 Patch Resolved Issue

• PPAT-8346: DTR is missing when the customer upgrades the environment from 2003 (or above) to the latest console.

20.3.0.20 Patch Resolved Issues

• ATL-5609: Timestamp missing from older patches causing signing checks to fail. 

20.3.0.21 Patch Resolved Issues

• CRSVC-18460: Addressing encryption/signing issues on Device Services that are causing device communication failures because of recent changes in the .NET framework released as part of the latest Windows updates.

20.3.0.22 Patch Resolved Issues

• CRSVC-19541: All certificates are in an unknown state

20.3.0.23 Patch Resolved Issue

• ENRL-2768: User input validation and error handling during web enrollment steps. 

Known Issues

The known issues are grouped as follows.

• Workspace ONE UEM Console
• Android
• iOS
• Windows
• App Management
• Content Management
• Apple

Workspace ONE UEM Console

• FCA-192439​: Unable to navigate to specific online help topics from the UEM console and the In Product Support tool does not work as expected. 

  Workspace ONE UEM Information experience team has changed the online help documentation URL to point to 'Services' instead of the console version. The contextual online help and the In-Product Support tools rely on the version that is mentioned in the URL to navigate to the correct content. Until the R&D team changes the tools to point to 'Services' as well, the contextual online help tool takes you to the online help documentation home page and the In-Product support displays an error message. 

  As a workaround, find the documentation content through other means, such as searching the docs page, navigating through the menu or using a search engine.

• FCA-192411: Page not found error screen is displayed when you accept the Bing Eula for the first time.

  After accepting the bing location EULA, you will see a "Page not found" error page and you are not directed to the Device location page.

  As a workaround, close the error modal and click again on the location tab to see the device location.

• FCA-192507​: While entering the security PIN in the safari browser with the Romaji keyboard, input box autofocus does not work as expected.

  Security PIN input box autofocus does not work while performing any restricted action such as delete or deactivate the app from the safari browser using the Romaji keyboard.
   

  As a workaround, for the autofocus to work you can use the English keyboard or Chrome browser.

Android

• AGGL-7177: When a device OG changes and the child OG has app config with different values, the new configuration is not pushed down to the devices

  Managed app config updates for Android public apps are not pushed to the devices.

  As a workaround, the app config can be pushed explicitly from the device details tab

iOS

• AMST-25035​: Legacy app catalog deployment fails.

  When the legacy catalog publishing is enabled on the console, it doesn't deploy on devices that were enrolled prior to this change unless we query the device. 

  As a workaround, the device needs to be queried and checked at regular intervals.

• AAPP-9280: Home Screen Layout payload displays undefined for specific apps added under the dock and additional pages.

  Home Screen Layout payload displays undefined for specific apps added under the dock and additional pages due to the lack of exception handling for the iTunes Lookup API

  As a workaround, you can edit the Profile XML manually.

• AAPP-9400: Support number and email are not displayed when enrolling devices via DEP with Custom Enrollment.

  When users enroll via DEP, the support number and email fields are blank on UI which causes them to not know how to contact their admin in case of failures.

• AAPP-9378: VPP books with two license types (STDQ + PLUS license types) will have only PLUS licenses claimed by users.

  VPP Books with both STDQ and PLUS license types will result in licenses being saved as PLUS and claimed as PLUS only. This could result in PLUS licenses being exhausted unintentionally while STDQ licenses remain unclaimed by users.

Windows

• AMST-19845: When an admin loads an unattended XML file into the provisioning tool, the error: "file does not appear to be a valid XML doc" message when the staging account contains an ampersand.

  Unattend XML doesn't support the use of ampersand by design and this is used in FPS flow to enroll the devices in factory and we admin tries to load the unattended XML, we get a validation error.

  The staging user and password is auto-generated and can include special characters, like "&".

  As a workaround, make sure that the staging user password doesn't contain the "&" in it. Reset the password if it does.

App Management

• ARES-11173: CDN cannot be overridden to disabled for Apps and Books and enabled for Products.

  When CDN for apps feature is overridden in the console to disabled at the customer OG; the CDN configuration gets disabled for entire customer OG.

  As a workaround, do not enable CDN for products if you wish to disable CDN for Apps & Books.

Content Management

• CMCM-188415: Unable to export a Content list view with a large number of device assignments.

  Exporting from Content List View fails with the message 'An error has occurred'.

• CMCM-188408: Duplicates folders are displayed in the repo folder.

  Several documents are available for download.

  As a workaround, you can re-add the repository.

• CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

  Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on the UEM console. 

  As a workaround, set the date one day prior to your intended expiration date. 

Apple

• MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

  The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

  As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.