VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 2008 and a list of the resolved issues and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

  • Phase 1: Demo and UATs
  • Phase 2: Shared SaaS environments
  • Phase 3: Dedicated latest environments

Once our phased rollout is complete, we will announce general availability for on-premises and managed hosted customers. For more information, see the KB article

New Features in this Release



  • Welcome to the new navigation homepage that helps get you where you want to go.
    We are launching a new navigation homepage that speeds your documentation discovery. The page shows you what’s available in our documentation portal, sets you in the right direction, and helps you get started. We've grouped our documentation into logical buckets to help narrow down what you are looking for. Like to explore? See VMware Workspace ONE UEM Documentation.


  • Migrate your existing catalog settings from Workspace ONE UEM to Workspace ONE Hub services.
    Starting September 2020 with Hub Services Cloud instance, you can migrate your existing catalog settings from Workspace ONE UEM to Workspace ONE Hub services. For more information, see Setting Up the Hub Catalog.
    Note: Currently we do not support Hub Templates capability to on-premise Hub Services customers. It will be made available at a future time, and we will keep you informed.


  • Skip the latest iOS 14 and macOS Big Sur onboarding screens.
    You can now skip the latest Setup Assistant screens such as Accessibility, Update Complete, and Restore Complete screens.
  • Prevent users from accepting App Clips.
    You can now prevent iOS 14 devices from viewing a new feature called App Clips where a user can view and interact with a small portion of a larger app binary without downloading the full app itself.
  • Override existing passwords while configuring native mail.
    In iOS 14, you can now choose to override a previous password on a device when installing an Exchange ActiveSync email profile.
  • Control your apps notification previews in iOS 14.
    If an installed app is receiving push notifications displayed to the user, admins can prevent the content of the notification from being displayed if the device is locked.


  • Onboard your macOS devices with true zero-touch.
    You can now simply plug in your new Mac computers into ethernet and power them on. With Auto Advance configured in Workspace ONE UEM, macOS devices will be automatically onboard, skipping all required screens with no user interaction.


  • Detect and monitor network activity on your corporate owned devices.
    You can enable Network Logging for Android devices deployed through Work Managed enrollment. When active, Android records DNS requests and network connections from apps to a log file for the specified duration via the Request Device Log command. This option is only available for Work managed devices running Android 8 and higher.

Application Management

  • Configure Workspace ONE Boxer to support multiple managed accounts.
    You can now use the Boxer application to manage your multiple email accounts assigned with different settings. This capability comes with Boxer version 5.21 or later and requires SSO activation.

Credential Escrow Gateway

  • Credential Escrow Gateway now supports Multi Managed Account and Single Account for iOS and Android Boxer.
    You can now upload a list of encryption certificates and/or a list of signing certificates (with each certificate used by a single email account or multiple managed accounts) to Escrow Gateway using a new endpoint for uploading certificates (v2). This extends our support to full Boxer functionality and native mail clients.

Content Management

  • Don't be surprised if the "Use Legacy Settings and Policies configuration" is not seen in the Content Legacy Settings.
    To avoid conflicts between the Content Legacy configuration settings and the other SDK settings, the Use Legacy Settings and Policies configuration setting under System Settings > Content > Applications > Workspace ONE Content App has been deprecated. The assigned SDK profile will now be the supported mechanism for delivering the DLP policies to the Workspace ONE Content app. For more information, see Configure VMware Workspace ONE Content.


  • Workspace ONE Launcher now shows you the install status only if its relevant for the device record.
    We've made some user interface changes to Workspace ONE UEM Launcher. You will now only be able to see the install status of Launcher in the Workspace ONE UEM console Device Details if the device is assigned to a multi-user staging user or the Launcher profile is assigned to a device. For more information, see Workspace ONE Launcher Status.
  • We've added string comparison support to Product Provisioning.
    When making an assignment rule, comparisons using the less than (<) and greater than (>) operators (and their variants) continue to only be applicable to comparisons of strictly numerical values. The new exception is when you are comparing OEM build versions, you can apply < and > operators on non-numerical ASCII strings. An example is when an OEM update filename includes hyphens, periods, and other characters together with numbers. Such assignment rules must identify a device manufacturer in the rule logic and that comparison is deemed accurate when the format on the device matches the one specified on the server.


  • SDK Tunneling now supports 3rd party Certificate Authorities for Client Auth.
    Tunneling with the Workspace ONE Web app or any other apps you may build with the Tunnel component in SDK natively supports the secure SCEP CA integrated into your UEM services. Now we also support your other certificate authorities for use with Tunnel. For details about embedded tunneling with Workspace ONE Web. For more information, see AirWatch App Tunnel.
  • Reach internal SMB domains from Files on iOS through the Workspace ONE Tunnel app.
    You can now access internal SMB file shares through the Files app on iOS. The app is already seeded and available for configuration through the Device Traffic Rules on the Tunnel Configuration page. For details about configuring both mobile and desktops for app-tunneling rules.For more information, see Create Device Traffic Rules.

Resolved Issues

The resolved issues are grouped as follows.

2008 Resolved Issues
  • AAPP-10208: ScheduleOSUpdateResult_Save_V4 fails on multiple saas environments.

  • AAPP-10248: Vpp 'Valid Until' date and time does not change as per the time zone.

  • AAPP-10250: "Valid To" date of APNs for MDM shows date and the server OS time zone. 

  • AAPP-10307: iOS device notification about provisioning profile expiry does not work as expected. 

  • AAPP-10567: Unable to delete old device records from UEM 2006 console.

  • AAPP-10571: Non-supervised devices with enabled Activation Lock should not be handled by the workflow. 

  • AAPP-10598: View Feedback errors out for Public, VPP app. 

  • AAPP-10612: Whitelisting or Blacklisting a DEP registration record after syncing removes DEPAuthenticationID.

  • AAPP-10620: Unable to Accept Terms of Use for Custom B2B applications. 

  • AAPP-10627: iOS Profiles not "Installing/Removing" via scheduler job if the previous cycle "Install/Removal' job was not successful.

  • AGGL-7736: Force checking the action on UEM does not work if the launcher profile is also assigned to staging users.

  • AGGL-7918: Chrome OS payload for Application Control for Chrome Apps not applying correctly. 

  • AGGL-8043: When an iOS device is registered using Hub, Web Links do not get automatically assigned to the device.

  • AGGL-8061: Saving Hub settings appear to be clearing the Knox license key.

  • AGGL-8071: RemoveAllManagedApps Compliance Action fails with 404 on making Google APIs impacting the performance of the Compliance Engine. 

  • AGGL-8272: Compliance policy Action 'Disable All Managed Apps' does not work as expected. 

  • AMST-26955: Kiosk profile does not allow comma in the Executable path and hence we are unable to set the correct application exe path for Kiosk profile. 

  • AMST-27488: Intelligent Hub Settings Privacy Options user interface error for Windows Desktop.

  • AMST-27764: The interrogator sample system saves incorrect data or failing to save data on certain environments.

  • AMST-28226: Sensors not getting reported in intelligence for the canonical build. 

  • AMST-28390: Failed to execute DeviceModelDetailAndDeviceManufacturer_RemoveOrphan procedure.

  • AMST-28315: Windows update tab is missing from the device details page.

  • AMST-28404: The first product of enrollment stays in the queued state with Status Tracking Page feature activated. 

  • AMST-28410: Windows EAS profile re-install fails with error "Command response from device contains error".

  • AMST-28481: WUA not seeded in CDN. 

  • ARES-11650: Admin cannot distinguish between the two assignment groups with similar, long names in the auto-complete drop-down.

  • ARES-11670: ExternalApplicationSearch API results in a timeout error. 

  • ARES-11926: App Config, Multi-select is not working as expected. 

  • ARES-12590: Passing the application category in the /apps/internal/begin install API does not map the category on the console.

  • ARES-12874: Unable to delete the inactive profiles from the UEM console and it throws an error “Cannot delete the profile because commands are pending for devices”. 

  • ARES-13080: interrogator.CompositeApplicationList_SearchByDeviceID execution from one DS is blocking all other executions of the same from other DS. 

  • ARES-13419: Parent SDK profile is not pushed to the device when moved from child to parent OG.

  • ARES-13919: Uptime database upgrades failure with Lock request time out error.

  • ARES-14008: Seed Values getting overridden/removed for DeviceApplication.ApplicationGroupLocationGroupMap table upon upgrading to a higher database version. 

  • ARES-14182: Android Public App Publish lead to Product > Application removal. 

  • ARES-14202: Monitor>> Overview page takes1.5-2 minutes to load in UEM console.

  • CMCM-188659: Unable to fetch the API results for the mobile content management categories.

  • CMCM-188713: Multi-User Group assignments to contents, resulting in duplicate records inserted in the temp table.

  • CMSVC-13314: The tag list does not have OG associated when creating smart groups.

  • CMSVC-13830: Unable to send push notification to iOS Hub from UEM if notification is enabled under Hub services. 

  • CMSVC-13839: Update Enrollment User API does not work as expected. 

  • CMSVC-13925: After upgrade to 2006, directory binding fails with bind usernames either in UPN format or DN format having @ character. 

  • CRSVC-8032: Certificates_Search_ByUsageTypeAll results in time out error. 

  • CRSVC-11973: User-Friendly Privacy portal displays a blank page.

  • CRSVC-12054: Scroll bar missing when a compliance policy has multiple escalation actions. 

  • CRSVC-12085: File type for dependency app and custom scripts is returned incorrectly from app metadata API. 

  • CRSVC-12255: Removal of ApplicationTelemetryFeatureFlag from 2005 Causing issue with the upgrade. 

  • CRSVC-13700: Device summary>Compliance tab in iOS devices throws an error.

  • CRSVC-12708: Change Debug to Error level for logging host validation information. 

  • CRSVC-12841: Certificates details are not showing up in the device summary screen on the console.

  • FCA-192099: Extra quotes for MAC Device model on the device Inventory report.

  • FCA-193019: Console menu on the internet explorer does not match those in Chrome.

  • FCA-193170: Terms Of Service page does not load when you upgrade to the UEM console 2004. 

  • FCA-193492: Network information page does not show the wifi IP address for iOS and Android devices. 

  •  FCA-193510: Device List view export displays incorrect "Management" type.

  • FCA-193581: Setting granular permissions at Device Management > Dashboard > Dashboard > Details to restrict access to the various dashboard portlets do not work.

  • FCA-193688: Firefox browser becomes unresponsive when the admin selects all the devices from the device list view page. 

  • FCA-193995: OG cannot be deleted if the admin has feedback survey results.

  • INTEL-19160: Delete events are being sent by the ETL process for personal applications even when there is a corresponding record for it in the interrogator.applicationlist table with IsInstalled = 1.

  •  INTEL-21948: Several MacBooks are showing in Intelligence as not encrypted while in UEM console they are showing as encrypted. 

  • MACOS-1309: deviceProfile.UpdateStatusForAllDeviceProfiles blocking deviceProfile.DeviceProfile_macOSProfilesWithMissingCertificates_Update during heavy contention

  • MACOS-1348: During the device wipe of a macOS device, the "Find My Mac PIN" is not sent along with the EraseDevice command which results in not triggering the complete local device-wipe.

  • MACOS-1376: The security api when used by mac book causes a CPU spike on the environment's API nodes. 

  • MACOS-1379: Incorrect OS version being detected during enrollment.

  • MACOS-1393: Multiple mac apps are not installing.

  • PPAT-7582: Tunnel Client Root is invalid/undefined when exported. 

  • PPAT-7677: Android Enterprise devices fail to fetch SCEP cert for Tunnel VPN config. 

  • RUGG-7588: Misleading labeling of supported models and OS for "Allow status bar" and "Allow power options" in Legacy launcher profile. 

  • RUGG-8446: The custom attribute not working as expected when using batch import using Device Custom Attribute Values for the custom attribute database on the Workspace ONE UEM.

  • SINST-175716: When you upgrade the UEM console from 1909 to 2001, the UEIP is enabled. Patch Resolved Issues
  • AGGL-8321: Stored procedure interrogator.SaveTransactionInformation is called more than 100 times a second and also has a huge difference between working time and elapsed time. 

  • AMST-28783: Enable Archived Cert Support through Escrow Service. 

  • AMST-288: Hololens friendly name not updating post-enrollment. 

  • AMST-28870: Device friendly name not set correctly upon enrollment. 

  • ARES-14395: SmartGroup_LoadPreviewDeltaForFlexibleDeployment should consider OS version instead of DeviceOperatingSystemID. 

  • ARES-14459: Not able to select and assign SDK profile to any of the applications due to the DeviceProfile_SearchConsole_V2 sproc time out issues. 

  • ARES-14460: Unable to disable app Tunnel proxy in the custom SDK Profile under proxy settings. Patch Resolved Issues
  • AGGL-8391: Revert EnhancedWorkProfile condition to fetch android enrollment details using GetAndroidEnrollmentDetailsByDeviceId. 

  • RUGG-8921: Printers stopped checking in after the 2007 UEM console upgrade. Patch Resolved Issues
  • AMST-29059: Seed software distribution to the 2008 UEM console. Patch Resolved Issues
  • AMST-29166: Improve command queuing logic for Approval and Unapproval of windows updates.

  • AMST-29167: Performance issue on osUpdate.UpdateDeviceAssignMent_Save. 

  • ARES-14676: Appwrapping profile is not getting fetched.

  • MACOS-1486:Seed macOS Intelligent Hub 20.08.1 to Workspace ONE UEM. Patch Resolved Issues
  • AMST-29116: Seed SFD 3.14.13 & Hub 20.08.02 to 2008. 

  • ARES-14774: Internal Proximity APK (beta) is not configuring with the SDK profile. Patch Resolved Issue
  • CRSVC-14956: Device Event and Event data information inconsistency. Patch Resolved Issues
  • AAPP-10836: HTTP proxy support for APNs.

  • AAPP-10934: iOS devices are checking in continuously while checking for available OS Updates.

  • AAPP-10946: Prevent MAC address randomization for Apple device Wi-Fi. Patch Resolved Issues
  • AAPP-11077: Additional logging and lock changes for messaging service for APNSOutboundQueue backup. 

  • ARES-15830: Performance improvement of Device Sync for Profiles flow. 

  • ARES-15832: Performance improvement of processing Application list sample save.

  • CMSVC-14199: Modify the device count for OG in enrollment user load stored procedure.

  • CMSVC-14201: EnrollmentUser_DetailsLoadByEmail performance issue. 

  • CRSVC-15653: Performance improvements in processing of selective app list sample.

  •  FCA-194955: API_DevicesBySearchCriteria sproc does not work as expected. 

  • INTEL-24649: Inconsistency in Encryption Data Patch Resolved Issues
  • AAPP-11080: Install Profile command for Single App Mode not being released. 

  • INTEL-24445: ETL | Add checksum exports in the database. 

  • INTEL-24446: Handle devices do not work as expected. Patch Resolved Issues
  • AGGL-8815: Certain APK metadata parsing failure. 

  • AGGL-8816: Android Enterprise Application push should not be invoked if Google Device ID is not present. 

  • ARES-16151: Unable to delete Geofence Areas. Patch Resolved Issue
  • AAPP-11199: Device Management profile not getting removed from the device on an enterprise wipe. 

  • AAPP-11212: Wipe deleted devices hitting the Check-in endpoint. Patch Resolved Issues
  • FCA-195201: Bulk notifications not working when sending messages to devices through the console. 

  • FCA-195217: Purge Expired Sample Data job Step 1 takes 11+ hours to complete. Patch Resolved Issues
  • PPAT-8341: DTR is missing when the customer upgraded the environment from 2003 (or above) to the latest console. 

  • FCA-195343: Notification_LoadCount times out when executed by API. Patch Resolved Issues
  • CRSVC-17411: Multi-tenancy updates in Workspace ONE UEM Console. 

  • ARES-17022: api/mdm/smartgroups/bulkquery has a 500 smart group limitation. Patch Resolved Issues
  • AMST-30824: Certificate sample processed even when some certificate query returns errors leading to certificate revocation. Patch Resolved Issues
  • AGGL-9330: Compliance Status remains in 'pending compliance check' . 

  • ARES-17080: Geofencing profile payload is not removed when the device profile and geofencing area are deleted. Patch Resolved Issues
  • CRSVC-18272: Addressing encryption/signing issues on Device Services, leading to device communication failures caused by Microsoft bug that's part of latest Windows updates.

  • FCA-195833: Network tabs for some Android devices do not load and we get the error "Something unexpected happened. If the issue persists, please contact your IT administrator"

  • PPAT-8580: DTR inheritance for individual rules is not working applying to the profile XML. 

  • RUGG-9533: UEM does not send detailed Workspace ONE Assist session events to UEM or Syslog. Patch Resolved Issues
  • CMEM-186225: Run email compliance policy doesn't complete. 

  • CRSVC-18507: Cert uploads via uploadSmimeCerts API fails regularly. 

  • CRSVC-18593: Add allowed list in security settings for api documentation page Patch Resolved Issue
  • CRSVC-18757: Addressing the gap in encryption/signing issues fix that was provided in the previous patch. Patch Resolved Issues
  • CRSVC-19536: All certificates are in an unknown state. Patch Resolved Issues
  • AAPP-11890: Activation Lock cannot be disabled for cellular-enabled iOS devices. 

  • CRSVC-20185: Certificate Near Expiration report based on auto-renewal period in individual CA template. Patch Resolved Issues
  • AAPP-11912: PIV-D Cannot Pull Down Xtec Derived Credentials (iOS). 

  • MACOS-2130: XML generated has an empty array for the key OnDemandRules for F5 Access VPN type. Patch Resolved Issues
  • AAPP-11968: DEP registration records with a tag are not removed by sync/fetch. 

  • CMCM-189034: Time out seen for enterprise content list view results

  • ENRL-2763: User input validation and error handling during web enrollment steps. Patch Resolved Issues
  • AAPP-12017: Push notifications for iOS updates are not working. Patch Resolved Issues
  • AAPP-11744: Unable to delete a supervised iOS device if the enrollment status is wipe initiated.

  • RUGG-9876: Not able to generate the Honeywell barcode. Patch Resolved Issues
  • CMSVC-15333: Devices added to an assignment group through additions are not correctly assigned to the group assignment. Patch Resolved Issues
  • FCA-198257: Workspace ONE UEM API '/admins/session' has been removed. Patch Resolved Issues
  • AGGL-10604: App Catalog profile does not land after DA->PO migration.

  • LUEM-350: Arithmetic overflow errors due to data type inconsistency in Device_Load. Patch Resolved Issues
  • AAPP-12516: When you push a configuration profile, it will generate a unique PayloadIdentifier. Patch Resolved Issues
  • AGGL-10739: Legacy app catalog is not available in Hub when a device changes OGs.

  • AGGL-10711: DA to DO Migration does not honor user registration account type.

  • AAPP-12656: Unable to request iOS App Logs until App is relaunched.

Known Issues

The known issues are grouped as follows.

  • AAPP-10604​: When tags are associated with the enrollment token of an Apple Business Manager device, the device cannot be enrolled.

    When the device enrollment mode is set to "registered devices only," "require registration token" is enabled, and Apple Business Manager is configured and enrollment records are created for these devices, they may fail to enroll if a tag has been associated to these records.

    As a workaround, remove tags from these records and assign post-enrollment.

  • AAPP-10660​: VPP auto-update fails when iTunes API is called for country "HK"

    When the VPP s-token is created with HK as the country, auto-update will fail for device-based VPP applications.

  • AAPP-10322​: When Do Not Disturb is turned on in an iOS device, UEM wrongly displays as 'AW Do Not Disturb Until'

    When Do Not Disturb is turned on in an iOS device, UEM wrongly displays as 'AW Do Not Disturb Until' on the device details summary page

  • AAPP-10665​: Unable to see the phone number of iOS multi-sim devices (e-sim phone number).

    When an iOS multi-sim device is enrolled, one phone number is displayed for both the physical and e-sim numbers.

  • AAPP-10556​: Install profile command for iOS single app mode is not released immediately after the application list sample is received. 

    The install profile command for single app mode is not released immediately after the scheduled application list sample is received upon DEP enrollment and will remain in held status until the next scheduled application list sample is received (few hours to a day).

    As a workaround, query the device from the device list view or device details view to trigger single app mode installation command immediately.

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

  • AGGL-8311: The metadata related to the name, bundle ID, and version of the internal android application APK is not parsed while uploading into UEM console.

    When APKs are built using the latest build tool, there is a change in the encoding of the Android Manifest file, resulting in a failure to parse the metadata values. The end-user can manually enter the values and process with the publish which goes through fine

    As a workaround, manually enter the application identifier, version, and name details.

  • CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

    Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on console. 

    As a workaround, set the date one day prior to your intended expiration date.  

  • AMST-32922: Windows Desktop App added via BSP is failing to install on the device.

    The issue arises when BSP apps are imported for Windows Phone and the same app is supported on the Windows Desktop platform and admin imports for Windows Desktop. In such a case, the BSP app installation on Windows Desktop fails.

check-circle-line exclamation-circle-line close-line
Scroll to top icon