VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 2007 and a list of the resolved issues and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

  • Phase 1: Demo and UATs
  • Phase 2: Shared SaaS environments
  • Phase 3: Dedicated latest environments

This version is only available to our SaaS customers on the Latest mode. The features and improvements incorporated in this version will be available to our on-premises or managed hosted customers with the next on-premises release. For more information, see the KB article

New Features in this Release


  • Sharing iPads for line of business and other enterprise got more more secure.
    Workspace ONE UEM now offers the ability to deploy Shared iPads for Business. Any compatible device enrolled via Apple Business Manager can now be deployed as a Shared iPad and create unique data partitions using their Managed Apple ID or a Temporary Session. User’s data is secured in their partition, and they will only see the apps and profiles assigned to them as they natively log in and out of the device. For more information, see Shared iPads for Businesss.


  • Turn off secure start-up when you're setting a PIN for your Android devices.
    We've added a new field to the Passcode profile which allows you to disable secure startup for users when they are setting up a PIN on Android devices. When disabled, users are not prompted for a PIN to reboot the device, and devices can still be used as shared devices without any problems. This feature can be implemented with a Custom XML and the UEM console user interface will be updated with a profile update in a later version. For more information, see Enforce Passcode Settings.

Credential Escrow Gateway

  • Uploading the SMIME certificates to Workspace ONE UEM for our on-premises iOS and Android users just got even easier. Credential Escrow Gateway 1.3.0 is now automated through Workspace ONE UEM.
    When a device is enrolled, an event is sent to your defined webhook, which tells the certificate provider to upload the user certificate to the Escrow Gateway. Once the certificate is available, the Credential Escrow Gateway 1.3.0 fills the profile with required information, encrypts the profile for the device, and the certificate gets deleted from the Escrow Gateway as per configured settings. For more information, see Credential Escrow Gateway. For more information, see Credential Escrow Gateway.


  • Redirect traffic to a specified HTTPS proxy that resides behind Tunnel.
    You can now create a Tunnel connection and authenticate to an outbound proxy that resides behind the Tunnel gateway. This feature is only supported by the Tunnel SDK on iOS as used by the Workspace ONE Web app. For more information, see Create Device Traffic Rules.


  • Disable user notifications while installing and removing applications on your Windows 10 Devices.
    When you deploy some applications, such as security, infrastructure, or frequently changing apps, you might want to prevent notifications from appearing to your end-users. You can now choose to hide the installation notifications for auto-deployed apps from the Action Center in Windows and the Installation Monitor in the Intelligent Hub and Workspace ONE app. For details, see Add Assignments and App Policies to your Win32 Applications.
  • We've updated the SCEP profile for Windows Desktop.
    To enhance our support of certificate authorities (CAs) for Windows 10, we've removed the requirement to enter an Issuer of your CA. Also, you can now use SCEP certificates that use SAN attributes with non-AirWatch Certificate Authorities. The system sends the added SAN attributes with the certificate request through the SCEP profile. Find the SCEP profile for Windows 10 devices in Devices > Profiles.
  • We've added support for Registered Mode for Windows 10 devices.
    Windows 10 devices that enroll with Workspace ONE Intelligent Hub or OOBE can also enroll without MDM management with Registered Mode. Registered Mode is also known as Management Mode and you can assign this enrollment method by organization group or by a smart group. Find the settings for Registered Mode in Devices > Devices Settings > Devices & Users > General > Enrollment > Management Mode. For details, see Enroll with Registered Mode.
  • Automatically source, package and deploy the most popular Enterprise Apps in a few simple clicks with the new Enterprise App Repository.
    Adding and assigning the most common windows applications just got easier with Enterprise App Repository. For details, see Add Applications from the Enterprise App Repository.

Resolved Issues

The resolved issues are grouped as follows.

2007 Resolved Issues
  • AAPP-10007: Device Details View Books Tab does not load when more than one purchased book is assigned to an iOS device. 

  • AAPP-10023: Multiple Custom Commands cannot be created for one device.

  • AAPP-10251: Fix the API logic for calculating the total number of available licenses.

  • AAPP-10530: Saving Friendly Name settings page after enabling  "Set Device Name to Friendly Name" gives error in 2005 console & above. 

  • AGGL-7119: Android Passcode profile throws Save Failed if a version is added without making a change to the passcode payload.

  • AGGL-7219: Web Apps coming from Google Play are not reported as installed within device details and/or the device list on the app details page.

  • AGGL-7307: Enrollment User (currently logged in user) is overwritten when the console does device sync. 

  • AGGL-7387: Android App Publish Intermittent failure when adding a new smart group.

  • AGGL-7690: New line characters (\n) are not working as expected for API call to send emails to enrolled devices.

  • AGGL-7915: Enrollment is getting blocked for all the models of Zebra devices.

  •  AGGL-8059: Android enrollments are intermittently failing to install profiles.

  • AMST-25699: Assume Managed App status goes to Managed when the app install is still in download retry state on the device.

  • AMST-27418: Bios Samples data is not purged when devices are deleted.

  • AMST-27501: Repair hub functionality fails to start to AirWatch service when the end-user disables it. 

  • AMST-27634:  Multiple profiles publish for WinRT devices resulted in service unavailable error. 

  •  AMST-27748: Network Tab under device details reports multiple IPs for a device and does not purge the old data.

  • AMST-27763: Apps/Profiles are not pushed from the Console. 

  • AMST-27782: Upgrading UEM console from 1909 to 2005 fails with the error. 

  • AMST-27816: Device friendly names are not updated with Device Reported name.

  • AMST-27882: All Windows command line enrollments with basic staging users fail with the 2006 UEM console. 

  • ARES-11712: Exporting profile list view shows incorrect "Configuration Type" values. 

  • AMST-28057: Device>Device updates do not work as expected. The page takes time to load and errors out in "Something unexpected happened. If the issue persists, please contact your IT administrator."

  • ARES-11844: api/mam/apps/internal/{applicationid}/uninstall triggers removal commands for all installed devices. 

  • ARES-11892: Email Settings tab on the Boxer App assignment page displays an error message. 

  • ARES-12009: Unable to log in to the catalog even when you provide valid credentials. 

  • ARES-12133: Unable to add a VPN and EAS resource.

  • ARES-12447:  Application Details API intermittently throws internal server error.

  • ARES-12480: App removal log shows incorrect "Last Modified" time in the console.

  • ARES-12635: External Recipient Domain List does support wildcard and have a length limit.

  • ARES-12729: Unable to access the Security Policies page at an OG where conflicting Geofencing policies are configured 

  • ARES-12878: Date format not localized for internal apps with Spanish, German and Australian locales.

  • ARES-13051: Assignment Page fails to show not any assignments if one of them has an inactive VPP license pool record associated.

  • ARES-13194: The Install Status for profiles does not show Records when clicking on the Install, Not Installed, or Assigned numbers.

  • ARES-13268: Multiple entries created for an app in the Interrogator.application list table causing data discrepancies in Intelligence. 

  • ARES-13332: Boxer configuration does not land on devices when the signature character limit is exceeded. 

  • ARES-13555: Performance Improvement for RecommendedExternalApplication_Search Procedure. 

  • ARES-13366: deviceProfile.UpdateStatusForAllDeviceProfiles blocks during heavy contention.

  • ARES-13367: deviceProfileDevicePoolSample_Save blocked during heavy contention.

  • CMCM-188557: Fix the spelling of Workspace One in the Content Gateway section of the Workspace ONE UEM console.

  • CMSVC-13334: AirWatch Admin account can be deleted by Console Admin via API. 

  • CMSVC-13443: Open LDAP integration unable to pull in users/groups. 

  • CMSVC-13706: Exception on CICO flow when un-assigning tags. 

  • CMSVC-13744: UEM Console UI includes extra space character on User Details > Email Address value. 

  • CRSVC-11681: In the compliance policy action tab, profile list dropdown for Block/Remove Profile action will not populate with exiting profiles if added multiple times.

  • CRSVC-11853: Generic SCEP template missing the renewal checkbox.

  • CRSVC-12219: Event notifications do not send the Authorization header when sending the post commands. 

  • CRSVC-12352: DeviceActivationLockBypass_Load is one of the most CPU consuming procedure considering the TotalWorkerTime.

  • CRSVC-12816: File type for dependency app and custom scripts is returned incorrect from app metadata API.

  • ENRL-2048: If shared device end users decide to change their passcode in the SSP before it expires, the device adopts the expiration time of the OG the shared device is managed from instead of the OG the user is managed from. 

  • FCA-192873: Search filter based on the OG of Telecom plan for device assignment does not work as expected. When you start typing OG name it doesn't populate matching OGs. Other filters such as user groups work fine.

  • FCA-193672: Device List View is slow to load during the start of Business hours. 

  • FCA-193718: Application Install count on Device Summary page and App tab does not match.

  • INTEL-17261: Android/iOS encryption reports does not return value.

  • INTEL-19229: Console Database | Entities being left out of InitialQueue/EntityList by refresh entities job. 

  • MACOS-61: macOS app metadata reporting incorrectly when the app does not have a bundle identifier. 

  • MACOS-962: Commands V2 API now supports the required "unlock_pin" key for macOS Device Lock and Device Wipe. 

  • MACOS-1285: Install Bootstrap package command not being queued up. 

  • PPAT-7523: App Management issue Public apps not getting deleted when Tunnel Service is configured. 

  • PPAT-7358: Encountering internal server errors during send to microservice from tunnel client

  • RUGG-7199: Devices are not considered applicable even if the rule is satisfied for a few Operators. 

  • RUGG-8609: Change Temp Tables to Table Variable in PolicyProductListSample_save Sproc. 

  • RUGG-7235: Folders and bookmarks do not show up inside the Launcher profile after re-saving the profile.

  • RUGG-7809: Create Folder Manifest Command does not allow a period as a special character. 

  • SINST-175714: On a manual upgrade of the cloud connector from any version of 20.5 to 20.7, the service fails to start with a 1067 error. Patch Resolved Issues
  • ARES-13963 Multiple entries created for an app in the IAL table causing data discrepancies in Workspace ONE Intelligence.

  • ARES-14000 Move the Device state load method from SecureChannelEndpoint.ProcessSettingEndpoint.

  • ARES-14002: Assignments get removed if you click Save before loading the assignment.

  • CRSVC-13024: deviceState.GpsLogSample_Load stored procedure results in a Timeout error.

  • CRSVC-13025: Replace temp table to table variable in device state sproc. 

  • CRSVC-13138: Move GPS information out of the system information segment. 

  • CMSVC-13932: After upgrade to UEM Console 2006, directory binding fails with bind usernames either in UPN format or DN format. 

  • FCA-193849: Procedure mobileManagement.EnrollmentUser_DeviceGridSearch duration takes 30 seconds. Patch Resolved Issues
  • AMST-28342: maintenance.HealthAttestationCerts_Purge takes about 3 hours and times out.

  • AMST-28418: Failed to execute DeviceModelDetailAndDeviceManufacturer_RemoveOrphan procedure.

  • ARES-14091: Production Performance Issue for deviceProfile.DeviceProfileDevicePoolSample_Save. 

  • CMSVC-13951: Production Performance Issue for mobilemanagement.EnrollmentUser_Load_ByDeviceID

  • CRSVC-13139: Include sample table results in Device_Load stored procedure for default attribute.

  • CRSVC-13315: Database | Device load adapters takes a long time to load. 

  • ENRL-2139: Production Performance Issue for dbo.Device_LoadExtendedDetails.

  • FCA-194005: Optimize DeviceMonthlyUsage_Save performance. Patch Resolved Issues
  • MACOS-1407: The security API when used by mac book causes a CPU spike on the environment's API nodes. Patch Resolved Issues
  • AGGL-8298: Android Work public application delete is causing excessive remove application commands to get queued. 

  • ARES-14155: Parent SDK profile is not pushed to the device when moved from child to parent OG.

  • FCA-194216: Internet Explorer shows duplicate options in Devices List View page. 

  • INTEL-22085: Delete events are being sent by the ETL process for personal applications even when there is a corresponding record for it in the interrogator.applicationlist table with IsInstalled = 1 

  • MACOS-1412: Find My Mac PIN is not being sent with an EraseDevice command. Patch Resolved Issues
  • AAPP-10699: Performance Issue with FindApplicationsByDevice stored procedure.

  • AAPP-10700: Performance Issue with Scheduler_LoadByUnique stored procedure.

  • AGGL-8322: Performance Issue with interrogator.SaveTransactionInformation stored procedure. 

  • AMST-28782: Enable Archived Cert Support through Escrow Service. 

  • CRSVC-14052: Add telemetry so we can create a dashboard to monitor the types of payloads coming into the secure channel endpoint. Patch Resolved Issues
  • AGGL-8384: Enable EnhancedWorkProfileFeatureFlag. 

  • FCA-194538: High Latency during console UI load (Dashboards, List Views) post-upgrade to UEM 2005 console. Patch Resolved Issues
  • AAPP-10935: iOS devices are checking in continuously while checking for available OS updates. Patch Resolved Issues
  • AAPP-11200: Device Management profile not getting removed from the device on an enterprise wipe. 

  • AAPP-11213: Wipe deleted devices hitting the Check-in endpoint. Patch Resolved Issues
  • PPAT-8342: DTR is missing when the customer upgraded the environment from 2003 (or above) to the latest console. Patch Resolved Issues
  • ATL-5605: Timestamp missing from older patches causing signing checks to fail. Patch Resolved Issuesi=
  • CRSVC-18457: Addressing encryption/signing issues on Device Services, leading to device communication failures due to recent changes in .NET framework released as part of latest Windows updates. Patch Resolved Issues
  • CRSVC-19537 : All certificates are in unknown state Patch Resolved Issues
  • ENRL-2764: User input validation and error handling during web enrollment steps. Patch Resolved Issues
  • FCA-198258: Externally reported security vulnerability (Workspace ONE REST API Endpoint DDoS). Patch Resolved Issues
  • AAPP-12679: Generate unique PayloadIdentifier in configuration profile on push. Patch Resolved Issues
  • CRSVC-25531: Remove the usage of the encrypted URL query parameter.

Known Issues

The known issues are grouped as follows.

  • ARES-13419: Parent SDK profile not pushed to the device when moved from child to parent OG. 

    Moving a device enrolled at Child OG with SDK Profile to Parent OG with SDK Profile does not push the Parent SDK Profile to the device. Hub is also not reflecting the updated SDK profile

    As a workaround, edit the profile and re-publish.

Chrome OS
  • AGGL-7863​: Migration of DA devices in to PO devices using the DA2PO tool does not save Google userID for closed network customers where only device owner is set to AOSP(closed network)

    When using DA2PO tool in closed network UEM console to migrate legacy android devices to android enterprise, the Google userID is populated for profile owner devices when device owner setting is configured to use AOSP(closed network). As a result, all PO devices migrating in a closed network scenario will not have public applications deployed

Content Management
  • CMCM-188709: Add media information description is displayed under notes. 

    Add new media information description is displayed under notes and not description field. 

  • CMCM-188713: Multi-User Group assignments to contents, resulting in duplicate records inserted in the temp table.

    Managed content fails on edge case user group assignments. 

    As a workaround, disable ContentDeviceStateIntegrationFeatureFlag. 

  • CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

    Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on console. 

    As a workaround, set the date one day prior to your intended expiration date.  

  • AMST-26955​: Kiosk profile does not respect comma in the Executable path.

    Kiosk profile does not respect a comma in the Executable path and hence we are unable to set the correct application exe path for Kiosk profile. If Application Executable Path includes comma "," the path is divided into two and the part after comma appears in a new tab 

    As a workaround, you can use the XML import for the profile.

  • AMST-32922: Windows Desktop App added via BSP is failing to install on the device.

    The issue arises when BSP apps are imported for Windows Phone and the same app is supported on the Windows Desktop platform and admin imports for Windows Desktop. In such a case, the BSP app installation on Windows Desktop fails.

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

check-circle-line exclamation-circle-line close-line
Scroll to top icon