About Workspace ONE UEM Release Notes

VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features introduced in 2203, resolved issues, and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

  • Phase 1: Demo and UATs
  • Phase 2: Shared SaaS environments
  • Phase 3: Dedicated latest environments

Once our phased rollout is complete, we will announce general availability for on-premises and managed hosted customers. For more information, see the KB article.

New Features in this Release


  • Locate your VMware Workspace ONE Intelligence instance more easily in the Workspace ONE Cloud Admin Hub.

    The right navigation panel in the Workspace ONE Cloud Admin Hub now lets you quickly locate your Workspace ONE Intelligence instance if you use Workspace ONE UEM and Workspace ONE Intelligence. Use the navigation menu (the square in the top right corner) to access your VMware Cloud Services. To access the Workspace ONE Intelligence console, navigate to My Services and click the clearly labelled Workspace ONE Intelligence Enabled.

  • Introducing a new notification banner for smart group OG restrictions.

    The notification banner will keep you informed of any changes to smart group OG restrictions. When you navigate to Assignment Groups > List View, you are now greeted with the following notification: "Creation of Smart Groups above Customer OGs will not be allowed in future releases."

  • The text "Registered" on the Device and Monitor dashboard is now read as "Pre-enrollment Registration Record."

    The number next to the text "Registered" misled users, as it refers to the registration record created on the console rather than the actual enrolled device in the registered mode of Enrollment. Therefore, we renamed "Registered" to "Pre-enrollment Registration Record" to avoid any ambiguity.


  • Want to reset the work passcode while the Work Profile is locked in direct boot? We can assist you.

    When a Work Profile is locked in direct boot, the Work Profile lock screen now prompts the user with the Forgot my Password button for Android 11 devices with a separate device and work profile password. For more information, see Android Device Management with Workspace ONE UEM.


  • Get notified when your Apple Business Manager tokens are about to expire.

    Admins in Workspace ONE UEM can now be notified by email or directly in the console 30 days before the expiration of an Apple Business Manager (ABM) app token or device token. Device tokens will also be able to notify admins when errors occur, such as the acceptance of new ABM Terms of Use. For more information, see Configure Console Notifications.

Application Management

  • Override the default device reboot behaviour for your win32 apps during installation.

    Workspace ONE UEM now provides you the flexibility to define the device reboot behaviour not just at the app configuration level but also at the app assignment level. You can set the device restart options by activating the newly introduced Override Reboot Handling setting at the app assignment level. The restart options you configure at the assignment level override the options configured at the app configuration level. For more information, see Upload and Configure Win32 Files for Software Distribution and Add Assignments and Exclusions to your Applications.

  • Track and report app installation status on Windows devices with accuracy.

    Workspace ONE UEM console now allows you to see the accurate installation status of applications on Windows devices. This enhancement aids in determining whether the user uninstalls the application manually. It also improves the user experience by displaying an accurate list of installed apps on the user's devices.

Content Management

  • Tweak the Acknowledge button to suit your company needs.

    You can configure the text that appears on the acknowledgement button and the time it takes for users to acknowledge a required document. To do so, navigate to Settings > Workspace ONE Content App > Document Acknowledgement and enable the Document Acknowledgement feature. For more information, see the section Document Acknowledgment in Workspace ONE Content.

Chrome OS

  • Are you concerned about the security of user data if a device is lost or stolen? We have come up with a solution for you.

    We've updated the management commands to include a Clear User Profiles command which logs out and deletes all users from the device. For more information, see Device Management Commands for Chrome OS.

  • You can no longer view the data that remains on your devices following an enterprise wipe.

    We've updated the Enterprise Wipe command for Chrome OS devices with a new option to ensure all stored data is deleted after deprovisioning. We've also added a Device Wipe command for clearing data without deprovisioning the device. For more information, see Device Management Commands.


  • We have enhanced the support for device Lock functionality.

    Starting with macOS 10.14 and later devices, admins can lock a device with Apple Silicon by a six-digit PIN and can provide a message that is displayed on the unlock screen. For more information, see Lock Devices.

  • We’ve added support for macOS Recovery Lock

    Starting from macOS 11.5, as an MDM administrator, you can set a password that must be entered before a user can restart an Apple Silicon macOS device into the recovery OS via API. The password can be set or removed only by the MDM solution. You can also view the recovery lock status in Event Logs. To know more, see Recovery Lock Status.


  • Product delivery to devices in a SaaS environment just got easier!

    To optimise performance and free up significant resources in UEM, use CDN to deliver products to devices. By default, we have set the provisioning setting for the organisation group that hosts devices to Enabled. You can check the Product Downloads Through CDN setting by navigating to Groups & Settings > All Settings > Admin > Product Provisioning.

Resolved Issues

2203 Resolved Issues

  • AAPP-12298: VPP store URL on vpp distribution page is pointing to old https://vpp.itunes.apple.com.

  • AAPP-11166: API/mdm/devices/Search api does not show correct value for EnrolledViaDEP.

  • AAPP-13049: Migration script failed.

  • AAPP-13052: Bundle IDs in Hide Apps section of the Restriction profile is empty after upgrade.

  • AAPP-13058: Unable to delete supervised iOS device from Device List View if enrollment status is Wipe Initiated.

  • AAPP-13022: App sync failing during check in/check out.

  • AAPP-13088: Error while saving the friendly name settings.

  • AAPP-13169: macOS DEP enrolled devices not installing Intelligent Hub when Custom Enrollment is Enabled.

  • AAPP-13149: Issue with Hiding iOS Apps on iOS 14.

  • AAPP-13104: Unable to view assigned VPP applications from the catalog after editing the device details.

  • AAPP-13194: Derived Credentials profiles not auto installing when a new version is added.

  • AAPP-13246: VPP Auto Update not working for some applications

  • AAPP-13281: Home Screen Layout search results display duplicate entries.

  • AAPP-13326: App Tunnel configuration is lost after changing 'Prevent Removal' setting in restrictions of app assignment.

  • AAPP-13298: Find device option not populating when device is turned off and then on

  • AAPP-13336: Issues Removing Apple Education Profile from iPads.

  • AAPP-13333: Classroom not showing updated classes.

  • AAPP-13345: Copying iOS Restrictions Profiles with Hide Apps payloads does not add the Hide Apps payload to new profile.

  • AGGL-10750: No Certificate batching when external CA (PKI) is used for Tunnel.

  • AGGL-8173: Catalog shows incorrect version when Prod and Beta tracks exist.

  • AGGL-10867: Unable to save value as unselected.

  • AGGL-10901: 'Lock Orientation' checkbox gets disabled upon save.

  • AGGL-10904: DDUI Android Launcher profile cannot modify assignments without adding version

  • AGGL-11012: Launcher profile configuration seems to be reverting to the older value when making any edits on the profile.

  • AGGL-11014: Permissions payload with certain applications generates invalid XML.

  • AGGL-10916: Model of Android devices are missing on the console and displayed as "Android" instead.

  • AGGL-10992: Devices not reporting feedback from App Feedback Channel.

  • AGGL-11064: Error while saving new or existing permission profile for android.

  • AGGL-11135: Launcher orientation is set to locked in XML when its not selected in the UI

  • AGGL-11142: Agent settings for gps sample interval is saving and displaying data incorrectly.

  • AGGL-11065: Android profiles cannot be viewed.

  • AGGL-11200: Custom script to add model Samsung SM-G781B.

  • AGGL-11242: Rocket man error when we add app for existing launcher profile.

  • AGGL-11265: Chrome OS Application control profile issues.

  • AGGL-11275: Page crashes when editing Launcher profile with Miscellaneous app added to pinned row.

  • AGGL-11277: Devices not reporting feedback.

  • AGGL-11352: Launcher Administrative Passcode.

  • AGGL-11278: Approved SIM details do not get updated on the latest UEM console.

  • AGGL-11353: Application details are not loading on Launcher layout configuration page.

  • AGGL-11354: Launcher Wallpaper Image Persists on Device after Removal from Design Screen

  • AGGL-11340: Spaceman error while launching Android DDUI profiles.

  • AMST-34527: Windows Desktop Firewall Profile does not allow editing of IP ranges after saving profile

  • AMST-34554: DS cluster under stress due to ApproveUpdate windows commands.

  • AMST-34661: Removal command targets incorrectly when the app is deleted from UEM

  • AMST-34911: Script and Sensor Role permissions.

  • AMST-35043: Encryption Type always switch back to TKIP for Windows Desktop WiFi Profile

  • AMST-35070: DM & HUB having race condition causing enrollment issues.

  • AMST-35069: Newly enrolled Windows 10 devices install x86 version of AppDeploymentAgent.

  • AMST-35172: Huge number of timeouts in interrogator.windowsinformationsample_save SP

  • ARES-20841: Internal app publish fails due to duplicate key inserted error.

  • ARES-20845: App Sync does not reconcile Internal applications for Shared devices.

  • ARES-21025: View devices page gives empty results.

  • ARES-21063: Denylist or Non-Allowlist Application Details By Device report gives details of the devices that are not selected as a part of the Device Model.

  • ARES-21167: Install application commands are not generated for Public Android apps when 50 or more devices are selected.

  • ARES-21597: Unable to load or edit profiles assigned to a deleted OG.

  • ARES-21600: DeviceProfile_SearchByDeviceDashboard_V3 causing tempdb contention.

  • CMCM-189498: Uploading large PDF files will cause the Web Console to become inaccessible.

  • CMEM-186566: Devices are getting blocked when turning on DX Mod.

  • CMCM-189509: Unable to access device details page for all Android devices.

  • CMSVC-15915: Unable to find the smart groups in the WS one hub services during assignment against templates.

  • CMSVC-15994: Special Characters such as &&...<> are allowed when creating Smart Group via REST API.

  • CRSVC-25200: Uptime DB Upgrade Failed.

  • CRSVC-25520: Subject line of email notification is not displaying the Umlaut (Ä ä Ü ü Ö ö) characters correctly.

  • CRSVC-25279: Compliance Policies only show Message Templates defined at the same OG as the Compliance Policy.

  • CRSVC-25535: 'Certificate Near expiration' report returns incomplete results.

  • CRSVC-25654: Install Compliance profile fails to reconcile assignment when SmartGroup is modified.

  • CRSVC-25837: Error when loading Certificate List View.

  • CRSVC-25745: Azure AD token revoke is not triggered by enterprise wipe.

  • CRSVC-25779: New enrollments of Boxer fail to connect to on-premises Exchange through SEG.

  • CRSVC-25866: Certificate Request Failed error while trying installing a profile with a certificate.

  • CRSVC-25970: API Framework XSS validation prevents double newline characters.

  • CRSVC-25994: Option to create message template type "Vendor Application Group Creation Notification" missing.

  • CRSVC-26308: About expected behavior for modification of Application Group(AllowList).

  • CRSVC-26530: Remove redundant call to activate vIDM connector during ACC installer build process.

  • CRSVC-26547: Unable to delete smart groups.

  • CRSVC-26373: SQL Blocked Processes on PROD DB.

  • CRSVC-26579: Event Purge for partitioned DBs not using RetentionDays for partition range.

  • CRSVC-26608: The Trust Service log does not output even though the log level is changed to "verbose".

  • CRSVC-26687: API devices/{deviceID}/commands requires customCommandModel query.

  • ENRL-3235: Lifecycle > Enrollment Status page shows no results after searching for a value and sorting by Enrollment Status.

  • ENRL-3309: Console page crashes while editing Group Policies.

  • ENRL-3311: Device friendly does not get updated immediately when enrolled with the device type, but gets updated with a delay.

  • FCA-199471: Compliance Policy for Cell Data Usage does not report correct status.

  • FCA-200503: SaaS Terms of Service (TOS) is not displayed properly when accessed from outside the VMware corporate network.

  • FCA-200674: Few admins were unable to assign already published apps | New app to be published are not impacted.

  • FCA-200222: User Account Denial of Service.

  • FCA-200792: UEM reports fail to run with 'try again' status.

  • FCA-200930: UEM console crash while navigating to Devices > Compliance Policies > Event Log.

  • FCA-200936: Console login failing for directory admin account with error "Invalid credentials".

  • FCA-201086: Unable to access User List tab in the UEM Console.

  • FCA-200942: Migration script Notification.UpdateNotificationUUID is causing failures in upgrades.

  • FCA-201088: Unable to see IP Address in the Device reports column named "Wi-Fi IP Address".

  • FCA-201263: DEP TOU Accept button requires scrolling on iPod touch.

  • FCA-201317: Customer is experiencing slowness in device search after upgrade to UEM version 21.09.

  • FCA-201427: UEM's API to retrieve Syslog settings is available on the API help page but does not work.

  • FCA-201419: Unable to save 'Edit Device' section on few devices.

  • FCA-201441: UEM Vulnerability.

  • INTEL-34748: DB upgrade failure.

  • MACOS-2705: SystemIntegrityProtectionEnabled is returned as false by device search API for MAC OS.

  • PPAT-10401: Internal SDK app throws Error Code:14 with Tunnel Proxy.

  • RUGG-10357: Unable to upload large files to the File/Actions menu.

  • RUGG-10364: Peripheral (Printer) File cannot be deleted from UEM Console.

  • RUGG-10368: macOS version information not visible in List View.

  • RUGG-10469: Provisioning/PoliciesViewDevices grid ‘Last Seen’ shows time 5 hours behind expected Admin time zone.

  • RUGG-10513: Custom Attribute XRef Batch Import Fails when using MAC Address.

  • RUGG-10589: Copying the existing provisioning profile creates the profile copy under Devices > Profiles & Resources section.

  • SINST-175943: Run Airwatch cloud connector installer in silent mode.

  • UM-401: Automatic LDAP group sync skipped for customer intermittently

  • UM-7183: Updating EnrollmentUser LocationGroupUUID is not batched.

  • UM-7212: Cannot modify an Admin Role on Child OG.

  • UM-7217: Error searching for oracleLDAP group on any Oracle environment.

  • UM-7237: User Group User List failing to load due to dbo.UserGroup_SelectUserGroupMembers sproc timing out

  • UM-7279: AdvancedLdapSyncJob Encounters Error

  • FCA-200853: Angular pages do not load unless role has minimum set of permissions.

  • AMST-35577: Spaceman error while navigating to Devices > Lifecycle > Staging > Windows.

  • CMCM-189443: Unable to Delete Managed Content through API if the file is downloaded on device.

  • ARES-20866: Android Enterprise - Failed to send managed app config.

Patch Resolved Issues

  • AGGL-11654: Chrome URLWhitelist or URLBlacklist does not work on the latest Chrome Versions.

  • CRSVC-28101: Add intermediate certs to chain.

  • AMST-35785: Fix SOR client's base url in device services.

  • AGGL-11669: Chrome OS Device Profile - Kiosk - Managed Guest Session - App not sent down.

  • CRSVC-28447: ZDT upgrades making the environment inaccessible during the upgrade.

Patch Resolved Issues

  • AMST-35903: Domain join fails when Smart Groups evaluated before enrollment.

Patch Resolved Issues

  • CRSVC-28385: Page fail for ADCS CA in aa.

  • AGGL-11680: DDUI is broken by a certificate date format in Android profiles.

  • CRSVC-28931: Unable to install S/MIME profile due to a "certificate is used more than once error."

  • AMST-35753: Windows OS build version shows different in device List View and device Summary page.

  • MACOS-2701: Add patch.sql to execute DeviceQueue_MigrateSeededMacOsProfileMacOs2629.

  • AMST-35882: Unable to run Selective App list API call on the certain enrolled Win 10 devices.

  • CRSVC-28397: Migration of few devices failing due to missing compliance_status value.

Patch Resolved Issues

  • AMST-35879: Windows Application Deployment Commands are only cleared after a manual Query or App Sample Query from UEM console.

  • AMST-35916: Blobs being served by Device Services even when they are present in the CDN and StorageType is set to 1.

  • CRSVC-28588: GSX certification save failed with password invalid.

  • UM-7449: Admin Groups not updating after Automatic or Manual Sync.

  • UEM unenrollment does not send re-authentication to other user devices.

  • AMST-35971: Unable to update internal app assignments for some Windows applications.

  • FCA-202719: Unable to delete devices from UEM console.

  • CMSVC-16129: Tags update API fails when organization Group ID is not passed.

  • AMST-35867: Seed v2203.3 patch Hub to UEM.

Patch Resolved Issues

  • CMEM-186613: Delay in adding the device to the allow list from email list view.

  • AMST-35969: Dropship Provisioning-Device Registrations never make it to through the Bulk Importer Service.

  • AAPP-13822: VPP licenses are not getting disassociated.

  • CRSVC-27265: Message Template notification type is not considered while sending token related email.

Known Issues


  • Adding a version to Launcher profile inside a product causes Launcher to stay on reload screen.

    When a Launcher profile is deployed through Products, it is updated with a new version. The profile is removed and reinstalled which leaves the device in reload state until the new version is installed.

    As a workaround, you can deploy the new version of Launcher through Profiles & Resources and not through updating the Provisioning profile.


  • Admin is able to override enrolled enrollment token records.

    Device registration records already consumed by enrolling devices can be updated to denylist/allowlist records via UI or via batch import by uploading an excel sheet.

    If we have to convert the consumed token to Allow Device type, then the consumed token must be deleted and the fresh Allow Device record should be added.

  • Devices unable to move to different Organization Groups based on UserGroup Mappings after Auto Sync.

    When more than 3000 User Group Membership changes happen on AD, the Auto Sync updates the membership on the console and DB; however, some of the users with changed User Group Membership fail to move to different OGs as per User Group Directory Mappings.

    Use API to correct the mapping.

    There is an API which can help you to move a device to an OG:

    https://{env}/api/help/#!/apis/10002?!/CommandsV1/CommandsV1_ChangeOrganizationGroupAsync (replace {env} with the environment name)

    API request: /devices/{id}/commands/changeorganizationgroup/{organizationgroupid}

  • Unable to delete users with removable storage associated with account and no way to remove association

    UEM User Delete fails when Removable Drive encryption is associated with the user. 

    No known workaround.

  • Apps installing outside the assigned Time windows.

    If multiple Freestyle workflows each installing one to two apps are using Time windows, the apps may get installed outside the Time windows.

    You can install multiple apps in a single workflow.

  • Unsupported profiles are accessible in the workflow search.

    The unsupported profiles like Disk Encryption and Software Update hybrid profiles for MAC are searchable in Workflows profile search. If these profiles are used, the workflows can be stuck in 'In-progress' state.

    There are no workarounds for this issue.

  • Freestyle Orchestrator workflow identifier version is showing up in string format instead of the friendly version identifier

    Workflow identifier version on Intelligent Hub is displayed as a string format instead of an end user friendly format. This might lead to bad UI experience for end users but does not impact the functionality of workflows.

    There are no workarounds for this issue.

  • Donut Chart and Device List displaying inaccurate data

    On Workflow details page, the donut chart displaying the total number of impacted devices and the list of devices does not filter data by Organization Group and workflow version. So, the counts and list of devices on a parent or child OG level, are same. Also, the data does not consider the workflow version for which these details are currently displayed.

    There is no current workaround for count of devices. The device list can be identified by looking at the impacted devices by Organization Group level under Device menu.

  • Version comparison returns false if there is discrepancy in the decimal placement.

    For File & App conditions in Workflows, if a user does not provide all the decimal places for version field, the condition may be reported as Condition not met.

    There are no workarounds for this issue.
