VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 2010 and a list of the resolved issues and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

  • Phase 1: Demo and UATs
  • Phase 2: Shared SaaS environments
  • Phase 3: Dedicated latest environments

This version is only available to our SaaS customers on the Latest mode. The features and improvements incorporated in this version will be available to our on-premises or managed hosted customers with the next on-premises release. For more information, see the KB article

New Features in this Release


  • Have you seen our new in-page Navigation interface? If not yet, see VMware Workspace ONE UEM Console Documentation.
    We’ve heard your feedback that the traditional nested table of contents (TOC) structure is difficult to use. Starting 2008, you can search and discover content by using our new navigation homepage that is organized according to how you use the product.

    Don't forget, we've removed release-based versioning in our left navigation sidebar. If you are looking for Cloud content, you can select services from the version selector drop-down menu. If you are looking for on-premises documentation, choose the version of Workspace ONE UEM you want to learn about when you land on our content on the VMware Docs site.

    Take a look at our new navigation homepage and tell us what you think. To leave a feedback, go to Workspace ONE UEM Console Documentation, jump to the bottom of our feedback section, and tell us what you like about the new experience.

Credential Escrow Gateway

  • Faster Windows 10 certificate delivery for escrowed SMIME certificates.
    Moving to an event driven model to notify UEM when certificates are uploaded to the Credential Escrow Gateway greatly enhances the speed with which we can deliver escrowed certificates to Windows 10 devices.
    Note: Any certificates uploaded to Escrow Gateway (EG) prior to version 1.2 are no longer compatible. After you have migrated Redis data to EG 1.2+, upload the certificates again using either a v1 or v2 endpoint to be retained for the entire length of your configured retention period.

Freestyle Orchestrator (Preview)

  • Introducing Freestyle Orchestrator (Preview).
    Freestyle Orchestrator is a low-code IT orchestration platform that gives you the flexibility to create workflows for resources such as apps, profiles, and scripts and apply them to devices based on granular criteria. This functionality provides customers the ability to define complex onboarding workflows, go through multi-step processes like upgrading BitLocker with a one-time setup and can additionally be used to target devices based on any device-related criteria. Want to know more? see What is Freestyle Orchestrator.


  • View the "Last Reboot" timestamp in the UEM console under Device Details.
    Would you like to know the last reboot time of your devices as you are troubleshooting or viewing device details? You can now view the "Last Reboot" timestamp in the UEM console under Device Details. For more information, see Device Details.
  • Distribute Applications for closed testing.
    In the UEM console, you can now test and deploy custom internal test tracks of the application before releasing the production version. For more information, see Deploy Private Applications to a Testing Track.


  • Force log out users of Shared iPads for Business.
    You can now forcefully log out the current user of a Shared iPad to return it to the main lock screen. This allows a new user to pick up and begin using the device. For more information, see Manually Log Out a User.
  • Prevent your Apple devices from randomizing their MAC address.
    iOS 14 brings you a new privacy feature where the MAC address of devices connecting to Wi-Fi will be randomized instead of showing the true hardware MAC address. With Workspace ONE UEM, this can be prevented for targeted Wi-Fi networks.
  • Prevent users from removing any managed iOS applications.
    You can now set any managed apps on iOS 14 devices to be unremovable by users.
  • Set specific domains to be included or excluded in VPN configurations.
    In iOS 14 per-app VPN configurations can set specific domains and subdomains to leverage or avoid the VPN for connections.
  • Deploy your APNs traffic through an HTTP proxy.
    If you are leveraging an HTTP proxy for their Workspace ONE UEM environment, they can choose to send all traffic through the proxy for outbound APNs.
  • Deploy profiles directly to users of Shared iPads for Business.
    Shared iPads for Business can now install profiles directly to users using the user channel for configuring settings like Exchange accounts and SSO extension.


  • Defer software updates on macOS Big Sur.
    Previously, macOS devices could only defer major OS software updates. In macOS Big Sur, admins can now defer non-OS software updates on macOS devices.
  • Prevent your Apple devices from randomizing their MAC address.
    macOS 11 Big Sur brings you a new privacy feature where the MAC address of devices connecting to Wi-Fi will be randomized instead of showing the true hardware MAC address. With Workspace ONE UEM, this can be prevented for targeted Wi-Fi networks.
  • Set specific domains to be included or excluded in VPN configurations.
    In macOS Big Sur per-app VPN configurations can set specific domains and subdomains to leverage or avoid the VPN for connections.


  • Make your software deployments easier and more flexible when the installation complete criteria changes.
    You can now edit the When to Call Installation Complete criteria for Windows app deployments. For more information, see Configure Win32 Files for Software Distribution.
  • We've removed support for Windows Phone devices in the Workspace ONE UEM console.
    Windows Phone devices are no longer available in the Workspace ONE UEM console as of the Workspace ONE UEM 2010 release. You will not be able to manage, wipe, or reset the devices from the console. To remove any device management, initiate removal of our Work Account or factory reset the device. For more information, see our KB article on Windows Phone Management will be removed from Workspace ONE 2010.
  • Check out the Technical Preview for Workspace ONE Drop Ship Provisioning (Online).
    Workspace ONE Drop Ship Provisioning for OTA eliminates the need to create and share PPKGs with your hardware manufacturer. Simply assign your payloads to a tag in the Workspace ONE UEM console, and then place an order with your Windows 10 hardware manufacturer using that Workspace ONE UEM tag. Technical preview features are not fully tested and some functionality might not work as expected. However, these previews help Workspace ONE UEM improve current functionality and develop future enhancements. For more information, see our KB article on Technical Preview: Workspace ONE Drop Ship Provisioning for OTA.

Application Management

  • Block access to your Workspace ONE SDK apps when the apps are not managed by EMM on your end-user devices.
    While configuring the app assignment, if you set the EMM Managed Access flag as 'needs EMM management', then the SDK app tries to access the EMM managed app config on the device. If the app is unable to access this information, it indicates that the app is unmanaged and the access to it is blocked. For more information, see Add Assignments and Exclusions to your Applications.

Content Management

  • As part of our efforts around inclusion, we replaced a few offensive terms.
    We’ve implemented a process to evaluate and adopt alternatives for potentially offensive terms in Mobile Content Management console pages.

Email Management

  • The SEG custom settings are now available as key-value pairs in the Workspace ONE UEM console.
    You can now configure the SEG custom settings as key-value pairs in the Workspace ONE UEM console. The commonly used properties are seeded in the Workspace ONE UEM Console. For more information, see SEG Custom Gateway Settings.

Integrate with Azure AD Conditional Access Policies


  • Queue Content to Relay Servers without assigning your devices.
    You can now add content to push and pull relay servers (including Relay Server Cloud Connectors) without requiring those servers to have devices enrolled in its associated organization group. This means you can get all the apps and content staged before devices are even enrolled. For more information, see Publish Product to Relay Server.

Scripts and Sensors (Preview)

  • Use Scripts to automate endpoint configurations (Preview).
    Use the new Scripts feature for macOS and Windows Desktop devices to send code to devices to run processes. For example, push a script to macOS devices to reset printer configurations or push a script to Windows Desktop devices to remind users to reboot their machines. To keep sensitive data in your scripts safe, Workspace ONE UEM includes variables to obfuscate information such as email passwords and session tokens. If you integrate your Workspace ONE Intelligent Hub with Scripts, your device users can access these useful scripts any time they want. Scripts display in the Apps section of the Hub catalog. For information about Scripts for Windows Desktop, access Automate Endpoint Configurations with Scripts for Windows Desktop Devices. For details about Scripts on macOS, see Automate Endpoint Configurations with Scripts for macOS Devices
  • Find Sensors in its new place in the navigation and check out the updates (Preview).
    We've moved Sensors under Resources so that you can find it easier. And now, not only can you use Sensors with Windows Desktop, we've added support for macOS. Use scripts in your Sensors to collect all kinds of data that you can view for a single device in that device's Device Details page, on the Sensors tab. This new tab removes the need to use the VMware Workspace ONE Intelligence service. But don't worry, if you do use Intelligence, you can continue to enjoy viewing and interacting with data for multiple devices with reports and dashboards. For more information, see Collect Data with Sensors for Windows Desktop Devices. For details about Sensors for macOS, see Collect Data with Sensors for macOS Devices.

Resolved Issues

The resolved issues are grouped as follows.

2010 Resolved Issues
  • AAPP-10648: iOS devices are checking in continuously while checking for available OS Updates. 

  • AAPP-10660: VPP apps Auto Update prompt does not come up when there is an actual update for the app available in the store.

  • AAPP-10665: Unable to see both phone numbers for multi-SIM devices when e-sim is the primary SIM. 

  • AAPP-10677: Some of the iPhone 11 models missing from the latest seed script. 

  • AAPP-10706: Unable to delete peripherals/printers while on the console while navigating to Devices>Peripherals>List View>Device details>more>Admin(Delete device). 

  • AAPP-10808: Unable to set Machine Authentication to “None”.

  • AAPP-10810: Unable to delete Smart Group from the VPP assignment groups page. 

  • AAPP-10859: DEP devices are not prompted for TOU if a specific platform is selected in TOU settings.

  • AGGL-7219: Web Apps added through iFrame for Android Enterprise devices are not reported as Installed. 

  • AGGL-8194: Device wipe does not honor enterprise factory reset protection.

  • AGGL-8345: Web Links Add to Homescreen Tooltip needs to be updated for Android.

  • AMST-26955: Kiosk profile does not allow comma in the Executable path and hence we are unable to set the correct application exe path for Kiosk profile.

  • AMST-28425: Windows Updates Tab missing from multiple devices.

  • AMST-28536: Azure AD user search error logs do not have sufficient context. 

  • AMST-28857: Superseded Cumulative Updates (Monthly) are not reported as 'Replaced'/'Removed' in Workspace ONE UEM Console.

  • AMST-28980: Windows VM Serial Number shortened on console. 

  • AMST-29079: Enrollment Terms Of Use Text is not displayed During Azure AD OOBE.

  • AMST-29083: A large number of "Approve Updates" commands are moved to the queued state. 

  • AMST-29277: 'Remove Application' for Device context apps (Windows) not processed when the device is checking in Machine Mode. 

  • AMST-29572: Windows update commands not generated until the tag is removed from the device. 

  • ARES-8485: If an iOS profile with Cellular payload is configured and the Password field contains a value, when the profile is then copied, the admin will not be able to save the copied profile without re-entering the password.

  • ARES-11738: Changing OG and changing the ranking of the Smart group does not queue the right app configs. 

  • ARES-12342: The deployment option should be defaulted to On-demand and should be disabled when ios public app is uploaded via a link on the console

  • ARES-12992: Profiles and Resources>View XML incorrectly shows device information in the web console window. 

  • ARES-13132: Internal app reconcile fails when Smart Group is modified by adding devices. 

  • ARES-13322: Unable to send push notifications when filtered by a Smart group. 

  • ARES-13327: Getting missing rating image when the app store rating is not a multiple of 0.5.

  • ARES-13552: Hide EMM Managed Access flag on the assignment summary page for VPP apps. 

  • ARES-14109: Unable to pull app details by using Application Details by Device report if the application is added via Devices / Provisioning/components/ Application on the console.

  • ARES-14149: Double-byte characters are garbled with “?” in the application terms of use that appear when opening App Catalog.

  • ARES-14324: The date shown for the "Updated" value is incorrect on the installed status page.

  • ARES-14398: Devices with Application and User Details report > Not Installed as application status is not showing data for any app type.

  • ARES-14456: App control profile not taking effect if the app group assignment is Corporate. 

  • ARES-14457: When publishing Android Internal App, the Preview Devices page shows work profile devices.

  • ARES-14508: Geofenced Restriction Profile does not work as expected.

  • ARES-14533: The API documentation for GET /devices/app status is insufficient.  

  • CMCM-188721: Enterprise Content Sprocs or Workflows causes extended Database CPU Spikes. 

  • CMCM-188723: Box content repository fail to sync if the collaborator on a shared folder is removed. 

  • CMCM-188745: enterpriseContent.LoadManagedContent_ByDeviceID results in a Timeout error.

  • CMEM-185999: Foreign key constraints from Legacy tables are blocking database upgrade.

  • CMSVC-13755: Handle SQL exception thrown for duplicate device ID and tag when two parallel threads call add tag API.

  • CMSVC-13900: Deleting a tenant OG results in time our error.

  • CMSVC-13923: The console is not mapping the manager details (name and email) to the end-user and the compliance email notification is not being sent. 

  • CMSVC-13929: Scheduling the device update for iOS devices,  with the smart group that includes "<" or ">" symbols do not work as expected.

  • CMSVC-13981: Admin_Role_Requires_Passcode stored procedure is missing.

  • CMSVC-13982: Device user info API returning encrypted values when encryption enabled. 

  • CMSVC-14075: Updating admin account values via API disables two factor authentication. 

  • CMSVC-14039: Assignment Groups based on the OG do not update for app assignments when the OG name is changed. 

  • CRSVC-10460: YATS Auth Middleware throws error on tokens with the mismatched issuer. 

  • ARES-13246: Smartgroups get removed from an internal app upon editing the assignment.

  • ARES-14149: The double-byte characters in EVENT DATE of device event log sent from Workspace ONE to Syslog are garbled with "?".

  • CRSVC-13326: Twilio SMS integration does not work as expected. 

  • CRSVC-13692: WorkflowAssignment_RemoveMultipleAssignment sproc does not work as expected. 

  • CRSVC-13698: After the upgrade to the 2007 UEM console, the assigned baselines move to a pending removal status.

  • CRSVC-14556: Device summary page does not work as expected. 

  • CRSVC-14634: User activation email is not being sent from UEM console 2010.

  • CRSVC-14920: Device Event for Profile related commands displays Application name and vice versa.

  • ENRL-2157: The status of the device shows up as MDM managed when doing a web enrollment or DEP enrollment of iOS devices.

  • FCA-193012: Terms of Use language is always shown in English when logging in to SSP.

  • FCA-193237: Telecom report export does not display the "Message" count header. 

  • FCA-193884: API call modifying the Organization Group name fails when the new OG name contains a less-than character ( < ) followed by a-zA-Z or characters such as "?!/". 

  • FCA-194019: Automatic Updates Status Unknown on Windows 10 Devices in the summary page. 

  • FCA-194393: When Do Not Disturb is turned on in an iOS device, Workspace ONE UEM incorrectly displays as 'AW Do Not Disturb Until'. 

  • FCA-194403: High latency during dashboard loading when you upgrading to the 2005 console from 1907. 

  • MACOS-1347: Bootstrap package reports back as “Out of date. App assigned but not installed”.

  • MACOS-1490: Fix FK references in the assignment group table when deleting the OG.

  • RUGG-7733: Duplicated Contacts and Phone apps are displayed as a choice when the Multi app launcher profile is created in a non-English locale. 

  • RUGG-8846: The Device Summary page for windows shows incorrect count from the profile. 

  • RUGG-8867: Begininstall change breaks the uploadChunk flow. 

  • RUGG-8867: Begininstall call fails with error "Attached application file is not of valid module type for Provisioning Enabled application".

  • SAWCM-497: Intermittent latency is observed in response from AWCM. Patch Resolved Issues
  • CRSVC-15597: Make turning off DeviceStateMigrationFeatureFlag optional. Patch Resolved Issues
  • AGGL-8832: Android devices are blocked from enrollment as Exception thrown during ConcludeDeviceEnrollment. 

  • AMST-29860 Install context switches from user to device when admin updates When to call install complete registry criteria.

  • ARES-15829: Performance improvement of Device Sync for Profiles flow.

  • ARES-15831: Performance improvement of processing Application list sample save. 

  • CMSVC-14198: High reads on enrollment user load for OG. 

  • CMSVC-14200: EnrollmentUser_DetailsLoadByEmail performance issue. 

  • CRSVC-15651: Degraded performance interrogator.SelectiveApplicationList_Save_V2 sproc.

  • ENRL-2299: Device Record creation in device state for standalone app enrollment. 

  • FCA-194954: Performance improvement to reduce reads and scans for API DevicesBySearchCriteria. Patch Resolved Issues
  • AAPP-11190: Messaging service quits processing messages in APNSOutbound queue. 

  • CMCM-188861: Managed Content files not displaying in the Content app. Patch Resolved Issues
  • AAPP-11198: Device Management profile not getting removed from the device on an enterprise wipe. 

  • AAPP-11211: Wipe deleted devices hitting the Check-in endpoint. 

  • ARES-16460: Force installs action should not go to DSM until ProfileDeliveryAtScaleFeatureFlag enabled. 

  • CRSVC-16375: RunActivityLoop issue during enrollment. Patch Resolved Issues
  • AAPP-11299: Stored Procedure deviceApplication.VppLicenseReconcileByDeviceOnUnEnrollment impacting DB Server.

  • AMST-30245: DeviceQuery Command queues up 8 FastLaneWNSOutbound messages.

  • CRSVC-16561: Workflow in freestyle does not get updated with the latest version of the app.

  • CRSVC-16637: Reduce the impact of expensive App Catalog calls for Windows. 

  • INTEL-25646: Profile Installation Status is not reported correctly.

  • MACOS-1713: Sensor Assignment only shows the top 500 Smart Groups. Patch Resolved Issues
  • AGGL-9091: Apps API is returning 500 status code when invoked for Android device.

  • CMSVC-14465: Admin List View page is not loading. Patch Resolved Issue
  • AMST-30440: Unable to create Windows Application via API with Actual File Version. 

  • LUEM-187: Arithmetic overflow errors due to data type inconsistency in Device Load. 

  • PPAT-8340: DTR is missing when the customer upgraded the environment from 2003 (or above) to the latest console. Patch Resolved Issues
  • CRSVC-17284: Create additional logging around Event Log business. Patch Resolved Issues
  • AGGL-9332: Compliance status remains in Pending Compliance Check. Patch Resolved Issues
  • AMST-31370: Certificate sample processed even when some certificate query returns errors leading to certificate revocation. Patch Resolved Issues
  • AAPP-11730: Device name is not set to the friendly name on enrollment. 

  • CRSVC-18456: Addressing encryption/signing issues on Device Services, leading to device communication failures due to recent changes in the .NET framework released as part of latest Windows updates.

  • CRSVC-18743: Memcached services fail to start due to one of the configured Memcached nodes went down. Patch Resolved Issues
  • AGGL-9646 Compliance status shows "Not available" on device list view which is causing issues with SSO on Access.

  • AGGL-9647: TempDB Drive is getting full due to smartGroup.AppsForAndroidWorkAppPublishAffectedSmartGroups_Load. Patch Resolved Issues
  • CRSVC-19535: All certificates are in an unknown state. 

  • RUGG-9666: Product List View search queries overwritten in the filtered view. 

  • ENRL-2762: User input validation and error handling during web enrollment steps. Patch Resolved Issues
  • AAPP-11908: Workspace ONE Intelligent Hub fails to send location data. Geofencing does not work as expected.

  • AAPP-11910: Generate a unique PayloadIdentifier in the configuration profile on push. Patch Resolved Issues
  • INTEL-30006: Checksum is leaving out applications that are not in MAL but are in IAL.

  • INTEL-30007: Managed Applications missed in initial export. Patch Resolved Issues
  • FCA-197651: Incorrect count on confirmation modal after selecting all devices. Patch Resolved Issues
  •  AAPP-11910: Generate unique PayloadIdentifier in the configuration profile on push. Patch Resolved Issues
  • AGGL-10586: DA to DO Migration does not honor user registration account type. Patch Resolved Issues
  • AGGL-10761: "An error has Occurred" while accessing Enrollment Restriction(AFW). Patch Resolved Issues
  • CRSVC-25529: Remove the usage of the encrypted URL query parameter Patch Resolved Issues
  • FCA-200868: Update SKUORDER update API to allow Freestyle basic SKU to be added to older UEM versions. Patch Resolved Issues Patch Resolved Issues
    • CRSVC-27152: Update the Claim "org_location_group_id" to use customer OrganizationgroupId where opt in happens instead of Global OrganizationgroupId.

    Known Issues

    The known issues are grouped as follows.

    • AAPP-10591: Reporting and customer automation is impacted

      When enrolling a DEP device with Custom Enrollment ON, OSPlatform and OSPlatformString are not being populated.

      As a workaround, disable custom enrollment. 

    • AAPP-10869: Managing Updates iOS ‘Deployment Start date' saves incorrectly.

      Device Updates iOS - Managing Updates iOS ‘Deployment Start date' saves incorrectly.

    • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

      The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

      As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

    • FCA-194884 : You can bookmark freestyle page multiple times and upon deletion of duplicate bookmark freestyle page breaks.

      In an OG admin is allowed to bookmark any page only once but if the freestyle page is set as the initial landing page then using the bookmark icon admin can bookmark the freestyle page multiple times.


      As a workaround, instead of icon admin should use the bookmark button for freestyle page bookmarking.

    • FCA-194720​: Admin can perform create and edit action in workflow with freestyle read only resource.

      Admin can add/delete/edit resources like apps, profile & scripts in workflow with custom admin role who has only access to view and navigate through freestyle page.

    • FCA-194795​: Admin will not be able to see all available action items from workflow steps if it's listed in bottom of the page.

      Add workflow using multiple steps and condition so that admin reaches till bottom of the page, from last step if admin clicks on ellipsis then all available actionable items are not seen.

      As a workaround, admin can access last step actionable items by collapsing the previous step of workflow.

    • FCA-194585​: In If-Then-Else block, Else step is not getting deleted from the workflow upon deletion of If step.

      Admin creates workflow using If-Then-Else step and after that admin deletes If step. With If Step Then steps are getting removed but else step remains as it is in workflow.

      As a workaround, admin can individually delete the else step from workflow.

    • FCA-194661: In Workflow admin panel script resource is appearing twice.

      Create workflow and add script resource under else group condition. Now, if admin clicks on the main condition block then in admin panel two script steps are getting shown. It's not affecting the functionality of workflow however it gives wrong visual impression that script steps are added twice.

      As a workaround, admin can verify the steps from workflow details page.

    • ENRL-2278: Device FriendlyName displays device storage and model number.

      Device FriendlyName is having device storage and model number until the Done button in Hub is clicked 

    • PPAT-7896​: VPN Profile installation fails if the customer moves from the third party to AirWatch CA for the client authentication. 

      Signing cert won't get generated & updated while migrating from Third Party Client Authentication to AirWatch, which would cause the VPN profile to fail on iOS,macOS & AFW devices

      As a workaround, click the regenerate option for under the client authentication section under the Tunnel configuration page and publish the profile

    Mobile Content Management
    • CMCM-188782​: Delay in renaming a folder on SP. 

      Renaming Folder in Sharepoint and trying to sync returns a 404 error or an empty XML

      As a workaround, wait for sometime after renaming the folder and wait for the sync to complete. 

    • CMCM-188551: Unable to edit and save user repositories from the "User Repositories" page. 

      Redundant edit settings for user repository. 

      As a workaround, The repository can be edited from the main page. 

    • CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

      Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on console. 

      As a workaround, set the date one day prior to your intended expiration date.  

    • RUGG-9133​: Unable to enroll rugged device after console upgrade to 2010

      If  you generate the new barcode with old package in Console, the enrollment fails.

      As a workaround, please save the package first and then generate the barcode.

    • AMST-32922: Windows Desktop App added via BSP is failing to install on the device.

      The issue arises when BSP apps are imported for Windows Phone and the same app is supported on the Windows Desktop platform and admin imports for Windows Desktop. In such a case, the BSP app installation on Windows Desktop fails.

    check-circle-line exclamation-circle-line close-line
    Scroll to top icon