Went live on January 22, 2021

VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced for 2101 and a list of the resolved issues and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

  • Phase 1: Demo and UATs
  • Phase 2: Shared SaaS environments
  • Phase 3: Dedicated latest environments

This version is only available to our SaaS customers on the Latest mode. The features and improvements incorporated in this version will be available to our on-premises or managed hosted customers with the next on-premises release. For more information, see the KB article

New Features in this Release


  • We've made a few changes to Intune App Protection Policy.
    Workspace ONE UEM now notifies you if the Intune App Protection policy has been deleted or modified. You will be notified upon the launch of the Microsoft Intune App Protection Policy in Workspace ONE UEM console.

Integrate with Azure AD Conditional Access Policies


  • Would you like to know how much storage is available on the devices being managed by the UEM console?
    The Device Details summary page now reports the internal storage and external storage for the enrolled devices. This is supported for devices enrolled as Fully Managed Mode. For more information, see Android Device Management.


  • We're working on building a more-inclusive digital workspace.
    As part of our efforts around inclusion, we’re taking a close look to ensure we’re using a more inclusive language. We’re undergoing a process to review terms and replace some of those problematic terms with an alternative. You'll notice some of the terminology updates in our user interface.

Application Management

  • A better way to update and manage your new application versions.
    Your internal application version number can now have a 4th decimal field which makes it easier for you to upload new application versions. Also, we've made a few UI updates. The Actual Version is now called the App Version and the Internal Version is now called the UEM version. For more information, see Internal Application Versions.

Content Management

  • We've disabled syncing with the Corporate File Server.
    The overload on the Device Services server and the database caused by the constant auto-syncing of the Corporate File Server often causes performance issues. To reduce the overload, you can now disable the auto-sync of the corporate repositories on the Settings > Content > Advanced > Corporate File Servers page of the UEM console. You can also disable viewing of the corporate file server content displayed on the Content > List View page.
  • We've bid farewell to Personal Content.
    As Personal Content has reached the End of General Support, we have removed the obsolete code for all configurations related to Personal Content.


  • Prioritize selected products and move them to the "front of the line".
    You can prioritize selected products, moving them to the "front of the line" and upload them to relay servers ahead of other products. This means prioritized products are installed on devices before non-prioritized products. This is useful for when you have an important update that must find its way to devices ASAP, such as a bug fix to a critical business app, security patches and OS updates, rollbacks of accidental deployments, and many other scenarios. For more information, see the Deployment tab of Create a Product.


  • Check out the updated Encryption Profile with enhanced support for native BitLocker encryption for Windows Desktop.
    We have updated our support for BitLocker to include the escrowing of recovery keys. If the drives cannot restart on your Windows 10 devices, Workspace ONE UEM has a recovery key for each drive. You can allow users to set PINs with more than numbers with the Allow Enhanced PIN at Startup setting. Users can set uppercase and lowercase letters, use symbols, numbers, and spaces. Note: Not all systems support non-numeric characters at startup, so please test carefully in your environment. We have also added more BitLocker statuses to the Device Details pages. Find statuses for Encrypted, Encryption in Progress, Suspended, and Partially Protected. These statuses correspond to rules in compliance policies so that you can configure policies to support the BitLocker encryption status you want to enforce. For more information, see Encryption Profile.
  • Use Workspace ONE UEM to join your On-premises domain during enrollment.
    You can now enable Workspace ONE UEM to create computer objects in your On-premises Active Directory and deliver the domain join configuration to your Windows devices, orchestrating the full provisioning process as part of enrollment. Leverage this feature with VMware Tunnel to deliver a fully ready-to-work, domain-joined Windows device directly to your remote end-users, allowing them to login directly to their fully configured desktop using their domain credentials and get productive in a matter of minutes.For more information, see Domain Join Configuration for Windows Desktop.

Resolved Issues

The resolved issues are grouped as follows.

2101 Resolved Issues
  • AAPP-8229: OS updates have an incorrect expiration date.

  • AAPP-10610: Default Scheme does not populate for our iOS productivity apps when deployed as Purchased.

  • AAPP-10869: Deployment Start date always saves as Eastern Standard time via UI and displays/saves un-intuitively via the user interface. 

  • AAPP-10963: Additional logging and lock changes for messaging service for APNSOutboundQueue backup. 

  • AAPP-10976: Administrators name is not captured on the event when we enable/disable lost mode. 

  • AAPP-11061: Categories assigned to a VPP app that has more than one word have an extra space inserted between words in the Hub. 

  • AAPP-11064: DEP sync fails if an error occurred during fetch. 

  • AAPP-11078: Managed Settings from a different OG sent to the iOS device when checked out via Hub.

  • AAPP-11136: Deleting Internal Book throws Error. 

  • AAPP-11157: DEP registration records with a custom attribute are not removed by sync/fetch. 

  • AGGL-6949: Temdatabase Drive is getting full due to smart group.AppsForAndroidWorkAppPublishAffectedSmartGroups_Load. 

  • AGGL-8496: Inherited App Security Policy settings cannot be saved.

  • AGGL-8626: Unable to enroll in AOSP mode with staging user account. 

  • AMST-29134: Unable to import BSP Apps. 

  • AMST-29620: "Mobile Broadband" in a Firewall profile is cleared after we perform to add a version to the profile.

  • AMST-29848: Windows Anti Virus UI Lockdown Enable/Disable options have incorrect CSP values assigned. 

  • AMST-29942: Bitlocker Encryption profile cannot be updated, and cannot be removed from the device due to Force Encryption. 

  • AMST-30064: App Deployment Agent status not reported on multiple devices. 

  • AMST-30171: Custom Friendly Name format with Custom attributes does not work as expected. 

  • AMST-30281: OEM update sample is causing an SQL exception on the console. 

  • ARES-15714: Unable to Add, Edit, or Modify VPP or Public Applications when Assignment Groups has Special Characters. 

  • ARES-15714: Unable to Add, Edit, or Modify VPP or Public Applications when Assignment Groups has Special Characters. 

  • ARES-15778: App 'description' in iOS Hub Catalog is not localized. Language is set to 'Japanese' but still shows in English.

  • ARES-15779: Unable to run Application Details by Device report for one public Android Application. 

  • ARES-15860: App Tunnel URLs configured for Proxy payload for custom SDK profile is missing after saving the profile. 

  • ARES-16172: Admin with French locale cannot view/edit/create profiles. 

  • ARES-16207: ios Boxer app policy settings > "application update source" options' wording is inconsistent from the old KVP definition.

  • ARES-16239: Android Default Settings Profile is not getting pushed to the devices when Hub is added as an internal app in the OG hierarchy. 

  • ARES-16444: Sync Tunnel configuration' button disappears when any data is searched for through the search box.

  • ARES-16502: Username Enumeration. 

  • ARES-16681: SCEP profile for Windows does not work when enabled proxy.

  • ARES-16711: DB Upgrade failure due to Timeout Issue. 

  • ARES-16872: "Release to devices" Action on App Removal logs for few apps errors with the message "Access Denied, Door is locked" for All admins.

  • CMCM-18855: Unable to edit and save user repositories from the "User Repositories" page.

  • CMEM-186136: Email clients are blocked incorrectly due to Inactivity Compliance Policy.

  • CMSVC-13901: Profiles getting removed from user devices and not able to access certain profiles.

  • CMSVC-13947: Update API to set user for staging does not work as expected.

  • CMSVC-14342: User Attribute sync is not trimming ManagersDN while syncing the user attributes. 

  • CMSVC-14458: Admin List View page does not load as expected. 

  • CRSVC-14118: A long time is taken (25 seconds+) to load only approx 400+ events in troubleshooting logs of a device summary page.

  • CRSVC-15586: SCEP certificate subject name is not updated even after lookup value updates.

  • CRSVC-15674: Certificate Listview export downloads empty file after timeout exceeded. 

  • CRSVC-16021: CertificateStatus_LoadBySerialNumber causing high waits and CPU resulting in overall slowness. 

  • CRSVC-16126: AirWatch CA OCSP returns revoked status when the device is queried as soon as the certificate/SCEP profile is installed.

  • CRSVC-16256: REST API Event Notification sending empty auth headers. 

  • CRSVC-16306: Excessive Appcatalog calls from Hub for windows devices. 

  • CRSVC-16324: Duplicate calls are being made to API.

  • CRSVC-16423: DSM continues to run even if the device is no longer part of the Assignment.

  • CRSVC-16423: DSM continues to run even if the device is no longer part of the Assignment.

  •  CRSVC-16470: Read-only role has access to actions that shouldn't be there

  • CRSVC-16890: Last compromised scan policy is showing iOS devices non-compliant in the UEM console. 

  • CRSVC-17039: Log rotation for stdout logs does not work as expected.

  • ENRL-2249: Android enrollment restriction policy not being honored when OS Version and Manufacturer policy combination is created.

  • ENRL-2327: Updating the Source of Authentication at Parent OG with Child OG overriding the configuration, Source of Authentication at Child OG is not reflecting the change. 

  • FCA-194908: Unable to update Asset Number for devices without an existing AssetHeader entry. 

  • FCA-195082: Sproc Telecom.DeviceMonthlyUsage_Save executing for longer durations

  • FCA-195088: Company logo gets stretched vertically while accessing configurations and tunnel page in console branding.

  • FCA-195119: Database SP API_DeviceSearchByLGID_V3 creates CPU spike on the DB server.

  • INTEL-23692: Intelligence does not report devices with Secure Boot Status "true".

  • INTEL-25519: Script execution failure with a TimeOut error. 

  • MACOS-1552: Disk encryption sample save is failing for MacOS. 

  • MACOS-1673: Inconsistent behavior is seen when trying to update assignment for a script.

  • MACOS-1823: The “Workspace ONE Mobileconfig Importer” Fling stopped working in UEM 20.11. 

  • PPAT-7992: Unable to Delete OG if the VPN certificate template/authority is already deleted.

  • PPAT-8407: Unable to copy VPN profile and throws an error Something Unexpected happened. 

  • RUGG-9028: The Product/Search API doesn't include Description value in response

  • RUGG-9143: Push relay server does not work as expected. 

  • RUGG-9314: mdm/productfiles/exportProductZip API does not work as expected. Patch Resolved Issues
  • AMST-31069: Unable to create Windows Application via API with Actual File Version. 

  • ARES-17181: Profile assignment is not created for devices assigned to workflow deleted SG's. 

  • ATL-5675: Android enrollments do not work as expected. Patch Resolved Issues
  • AAPP-11600: Device Details Update tab crashes for Apple devices. 

  • CRSVC-17944: Error Observed for DS and API server during performanceTest of AppAtScale. Patch Resolved Issues
  • ARES-17322: /api/mdm/smartgroups/bulkquery 500 SGs Limitation. 

  • PPAT-8560: Tunnel configuration does not save as expected. Patch Resolved Issues
  • AMST-31394: BitLocker key missing from the UEM console.

  • MACOS-1949: Seed macOS Hub 2102 in the 2101 UEM console. Patch Resolved Issues
  • AMST-31444: After you upgrade UEM console from 2010 to 2101, devices have user context commands stuck in the queue. 

  • CMEM-186222: AW.Meg.Queue.Service shows a consistent increase in the DS Memory Usage. Patch Resolved Issues
  • AMST-31490: Sensor results not showing on sensors tab due to Sensors PATCH call not being respected. 

  • CMCM-188961: Corporate file servers not visible with MCM licensing. 

  • MACOS-1988: AvailableOSUpdate query preventing updates to macOS 11.2. 

  • MACOS-1996: Sensors not returning data to UEM console (Possible assignment issue) Patch Resolved Issues
  • AAPP-11729: Class Sync failing due to SQL timeout. 

  • CRSVC-18455: Addressing encryption/signing issues on Device Services, leading to device communication failures due to recent changes in the .NET framework released as part of latest Windows updates.

  • CRSVC-18642: Entitlement service query path requires a feature flag-based toggle. Patch Resolved Issues
  • ARES-17613: Performance improvement of Internal application and Purchased application deployment.

  • AMST-31714: Compliance Encryption Policy for Windows 10 devices fails only for already enrolled devices when the BitLocker policy is upgraded to the latest version. 

  • PPAT-8698: Error thrown while saving Tunnel configuration due to Tunnel Microservice errors. Patch Resolved Issues
  • CMSVC-14762: Enrollment Users are created or updated with the domain as an empty string rather than a null value.

  • FCA-196340: Delete device fails when there is no associated Enrollment user. Patch Resolved Issues
  • AGGL-9766: Bulk delete did not honor configured bulk limit due to Android Management filter. 

  • CRSVC-19533: All certificates are in an unknown state. 

  • CRSVC-19619: Add allowed list in security settings for API documentation page. Patch Resolved Issues
  • ARES-17984: Custom SDK Profile not triggering install profile command queue after save and publish the change. Patch Resolved Issues
  • ARES-18251: Lookup variable "{EmailAddressPrompt}" for iOS EAS profile not pick the value specified in SSP. 

  • ENRL-2760: User input validation and error handling during web enrollment steps. 

  • CMEM-186325: AllowList/DenyList does not work properly on Unmanaged records on the Email list view. Patch Resolved Issues
  • CMEM-186332: Operation failed while performing Sync mailbox. Patch Resolved Issues
  • CRSVC-21579: Unable to load the Device List View. Patch Resolved Issues
  • AAPP-12305: Friendly name showing up as lookup value {emailaddress} when queried with Hub closed.

  • AAPP-12302: Profiles with multiple payloads of the same type may fail to install on iOS 15. Patch Resolved Issues
  • AAPP-12377: No updates appear in the device details for an iOS device. Patch Resolved Issues
  • ARES-19696: Unable to publish application due to stored procedure timing out.

  • INTEL-31569: Bitlocker field enhancements for Windows devices. Patch Resolved Issues
  • ARES-19878: Stored Procedure is causing high CPU load on DB Server.

  • RUGG-10071: Length of LOB data to be replicated exceeds configured maximum 65536. Patch Resolved Issues
  • AAPP-12515: Intelligent Hub deployed through VPP is not auto-installing on DEP enrolled Devices. Patch Release Notes
  • AMST-34004: The 'Install' button on the web catalog is unresponsive.

  • AMST-33891: The Recovery Keys are being appended for different devices with the same Volume Identifier.

  • INTEL-33440: Interrogator.SecurityInformationSample delta export updates encryption status to 0 for devicetype 12. Patch Resolved Issues
  • CRSVC-24321: Time schedule option is not available when logged in via role admin having all write access. Patch Resolved Issues
  • AAPP-13053: Device name is not set to the friendly name for enrollment.

  • ENRL-3227: Unable to enroll macOS Big Sur devices when an OS version restriction policy is configured. Patch Resolved Issues
  • CRSVC-25527: Remove the usage of the encrypted URL query parameter.

  • ARES-21065: Existing app metadata info overridden by the new uploaded version. Patch Resolved Issues
  • FCA-200866: Update SKUORDER update API to allow Freestyle basic SKU to be added to older UEM versions. Patch Resolved Issues

  • FCA-200969: [AA] [SmartGroup] Reduce extra calls from smart group component. Patch Resolved Issues
  • CRSVC-26866: Update the Claim "org_location_group_id" to use customer OrganizationgroupId where Opt in happens instead of  Global OrganizationgroupId. Patch Resolved Issues
  • PPAT-10691:  Process the tenant code as Case insensitive in Tunnel Microservice Code. Patch Resolved Issues
  • CRSVC-30571: Fix stored procedure deadlocks.

Known Issues

The known issues are grouped as follows.

  • FCA-195085: Admin can't set application default Policy from workflow steps page.

    If the application doesn't have a default assignment and the admin adds the same app in the workflow then an error shows sup in the workflow step and the admin can set the assignment by clicking on the set default policy. But the set default policy link is not working and upon click, admin is taken to the error page.

    As a workaround, admins can navigate to the URL <environment url>/AirWatch/#/Apps/List/Internal?provisioningEnabled=False and set assignment for the application.

  • FCA-195177: Required field error message and error icon for incomplete workflow step is not getting displayed.

    If the admin moves out the focus from the workflow step without completing it and comes back to the same step then the error icon, an error message is not getting displayed.

    As a workaround, if you move out of the step then the error icon will start showing up for the incomplete step.

  • ARES-17539: The lookup filed will not be resolved while accessing SSP.

    The profile entity with all the resolved lookup values was discarded and the entity is loaded again from DB. Because of this, the EAS profile is not populated with user details.

    As a workaround, install from the admin console.

  • AAPP-11285 - Public application resources prevent editing the assignments for purchased applications. 

    Custom administrator roles that limit the editing of public application assignments also limit the editing of purchased application assignments as well When creating custom roles the public application role rights affect the purchased application's ability to assign applications and vice versa. The 'Public Application Edit' and 'Public Application Edit Assignment' roles affect the purchased VPP applications. (and vice versa).   

  • AAPP-11689: IKEv2 VPN profile not configured correctly. 

    iOS VPN Profile of type IKEv2 fails to save EAP checkbox.

  • MACOS-1887: Unable to deploy Intelligent Hub (automatic installation post-enrollment), Bootstrap Packages, and Apple Business Manager (VPP) apps on macOS 11 Big Sur

    The "Require admin password to install or update apps" (restrict-store-require-admin-to-install) key has been deprecated in macOS 10.14. In macOS 11 Big Sur, installing a profile with this key will, unfortunately, cause apps deployed via native MDM commands to fail. 

    As a workaround, clear the setting for "Require admin password to install or update apps" in any macOS Restrictions profile being deployed to a macOS 11+ device.

Content Management
  • CMCM-188854: Renaming Folder in Sharepoint and trying to sync results in 404 and empty XML error. 

    Renaming child folders in SharePoint and then opening them in the Content app doesn't seem to reflect immediately. 

  • CMCM-188926: Discard Checkout option does not show up after Checkout. 

    SharePoint check-in/Check-out with Content App does not work as expected.

    As a workaround, users can check files back in on the web.

  • CMCM-188952: The expiry date of a file is always one day more than what's set on the console.

    Set an expiry date for any file in the Managed Content section on the console. Sync the device and check the info of that file. The expiry date of a file is always one day more than what's set on console. 

    As a workaround, set the date one day prior to your intended expiration date.  

  • AMST-30973​: Editing of the Detection criteria will delete the patch. 

    If detection of an app with the patch is edited and resaved, the patch is deleted, absent both in the UI and in the content manifest. Additionally, because the app already has a patched version, the admin cannot reupload the patch on the edit

    As a workaround, the admin can re-upload the main application with the patch.

  • AMST-32922: Windows Desktop App added via BSP is failing to install on the device.

    The issue arises when BSP apps are imported for Windows Phone and the same app is supported on the Windows Desktop platform and admin imports for Windows Desktop. In such a case, the BSP app installation on Windows Desktop fails.

  • ARES-17497: When a customer wraps commands in an <atomic> element for a custom payload, the workflow status is not reported as complete. The profile installation, on the other hand, is successful. In such a case, this only impacts workflow status reporting.

    The issue is specific to DeviceServices' SyncMl generation logic. To determine whether the OmaDM profile is installed, the SyncML is updated with node cache commands containing the profile UUID. The implementation adds a node cache entry if the <atomic> element is present at the start of the SyncML, but we are executing this add a node cache entry in SyncML even if the <atomic> element is present anywhere in the SyncML.

    As a workaround, check the custom payload SyncML for any <atomic> elements and remove them If such an issue occurs.

check-circle-line exclamation-circle-line close-line
Scroll to top icon