VMware Workspace ONE UEM Release Notes provide information on the new features and improvements in each release. This page includes a summary of the new features in 2306, issues resolved, and known issues.

When can I expect the latest version?

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

  • Phase 1: Demo, Shared SaaS UATs, and Latest Mode UATs

  • Phase 2: Shared SaaS environments

  • Phase 3: Latest Mode environments

This version is initialy available to our SaaS customers on the Latest mode. The features and improvements incorporated in this version will be available to our on-premises or managed hosted customers with the next on-premises release. For more information, see the KB article. Workspace ONE UEM for 2306 release will also be an on-premises release.

Getting Ready for Major OS Releases

Interested in learning about the latest major OS updates and their resulting implications on Workspace ONE? See the Getting Ready for Major OS Releases section in VMware Workspace ONE UEM Console Documentation for more information.

What's New


  • Let’s keep our request templates for SCEP certificates simple.

    We’ve changed the behavior for our SCEP certificates. Auto-renewed certificates no longer append sceprenew to the Subject. In prior releases, "sceprenew" was appended to the certificate Subject as a Common Name. With this modification, a sceprenew token is included in the certificate as a Subject Alternative Name (SAN).

  • Basic admin accounts now have better security hygiene.

    When you reset your account password, your Workspace ONE UEM console session used to reset the password continues, but we automatically log you out of any other active sessions. This feature applies only to basic administrator accounts. The third party authentication is not currently supported. This feature is enabled by default, there is no system setting. For more information, see Logging In to the Console.

  • We've added the Subject Alt Text (SAN) field to the EBJCA CA template.

    You can now add one or more SANs to the EBJCA CA template for unique certificate identification.

  • New Compliance Policy Rule: Device Tags

    You can now detect whether a device tag is present (or missing) on a device and mark the device as not compliant if it is present (or missing). All platforms are supported. For more information, see Compliance Policy Rules and Actions.


  • Add Web clips to your Home Screen Layout profiles.

    Manage the location of Web Clips when defining the layout of the device's home screens using the Home Screen Layout profile. You can place Web Clips on any home screen, on the Dock, or within Folders.

  • We've updated Volume Purchase Programm (VPP) to support Apple's latest API.

    To improve VPP app deployments, we have now implemented Apple's latest API suite. While this update is taking place behind the scenes, you will notice improved performance and scalability when deploying managed applications through VPP.

  • Are you missing various iOS profile keys? We’ve a solution for you!

    We have updated the profiles for Restrictions, Wi-Fi, VPN, and Skip Setup Assistant. As of iOS 16, these profiles now support all available configuration keys.

    Here are the specific updates per payload:

    • New Restrictions keys: Allow Cellular Plan Modification, Allow NFC, Allow Personalized Advertising, Allow Recovery Mode with Unpaired Device, Force On-Device Dictation, Allow Automatic Lock, Force On-Device Translation, Require Managed Pasteboard, Allow iCloud Private Relay, Allow Mail Privacy Protection, Allow Rapid Security Response Installation, Allow Rapid Security Response Removal.

    • New Wi-Fi keys: Enable IPv6, HESSID, TLS Certificate Required.

    • New VPN keys: Enforce Routes, Maximum Transmission Unit, SMB Domains, Prevent On Demand Override.

    • New Skip Setup Assistant keys: Terms of Address, Emergency SOS, App Store.

    For more information, see iOS Device Profiles.


  • Use the new macOS Device Updates dashboard to manage macOS updates.

    The new macOS Device Updates dashboard enables you to assign and deploy minor and major macOS updates to devices. This dashboard leverages Apple’s MDM protocol, supporting options such as the ability to download and stage the update to a device, notify the user that an update is available, or even force an update to take place without user interaction. The target macOS version and behaviour can be scoped to specific smart groups and assigned to devices, and Workspace ONE will automatically retry the commands periodically until the device confirms the update is successful. For more information, see macOS Update Management.

  • Introducing the new macOS Ventura keys.

    We’ve added several new configuration options for macOS profiles:

    • Login and Background Item Management: Prevent users on macOS Ventura from disabling background processing for specified apps.

    • SSO Extension: Support for third-party platform SSO Extension configuration.

    • Restrictions:

      • Allow the Deployment or Removal of Rapid Security Updates.

      • Allow Universal Control, USB Restricted Mode, and manual configuration profile installation.

    • Security & Privacy: More granularity around delaying major, minor, and non-OS updates.

    • Content Caching: Configure the native caching settings on macOS devices.

    • Firewall (Native): Updates to configuration options for the native system firewall.

    • Notifications: Configure the default notification settings for apps installed on macOS devices. For more information on the profile updates, see macOS Device Profiles.

  • Introducing a global Cloud Notification Service for delivering APNs notifications.

    APNs for applications communication uses Cloud Notification Service by default. For more information, see Cloud Notification Service.


  • Updating on-demand Windows apps to newer versions just got easier!

    You can now keep those on-demand apps up to date whenever you add a new version. When configuring the assignments for your app deployments, make sure to enable the Keep app updated automatically setting. For more information, see Assign Applications to your Windows Desktop.

  • Check out the fresh new Windows Security Baseline templates!

    We’ve added two new templates: Windows 11 versions 21H2 and 22H2. We have also included Windows 11 version 21H2 for creating a new CIS Windows Benchmarks template. For more information, see Using Baselines.

  • Customize your Online Drop Ship Provisioning Cache Serves.

    We now support custom cache servers. For more information, see Use a Custom Cache Server.

  • We enhanced the UEM console for user and device profiles.

    Enhancements for Windows Profiles:

    • Profile data will now be provided to the console through the Windows DDUI Profiles (Beta).

    • Around 150 native Microsoft CSP payloads are now available to be configured without using custom settings.

    • VMware Templates are behind a feature flag - Template payloads will provide three highly customized profiles (Windows Updates, Deliver Optimization, and Proxy) to simplify Windows configurations.

    Enhancements with Windows Update:

    • Windows Update information has been moved to the Intelligent HUB

    • New Device Update view shows the accurate installation status together with the Update installation source for easier troubleshooting.

    For more information on both of these, see Workspace ONE UEM Profiles for Windows.

  • Troubleshooting Windows update is now much simpler!

    We’ve introduced three buttons to help you troubleshoot Windows updates such as Pause, Rollback, and Resume. For more information on how these work please refer to: Workspace ONE UEM Profiles for Windows.

  • We no longer support the Tunnel Proxy Component.

    The Tunnel Proxy Component support period ended on January 30, 2023. See Migrating from Tunnel Proxy to Per-App Tunnel for information on how to switch to VMware Tunnel. The full end-of-support announcement can be found here: KB#87345.


  • Use Conditional Access for your shared android devices

    We’re excited to announce that VMware has integrated with Microsoft to extend our UEM conditional access capabilities for Microsoft Azure Active Directory (AD), with support for Android shared device mode. With this new integration, you will be able to provide shared devices with secure, conditional access to Microsoft 365 apps. For more information, see Configure Shared Android Devices for your Shift Workers.

  • Simplify certificate-based authentication for your Android applications.

    You can now silently grant applications access to client certificates provisioned by Workspace ONE UEM. VPN clients, browsers, and other applications will no longer have to prompt the device user to select a certificate for authentication. Supported on devices running Android 11 and higher.

Before You Begin

The Workspace ONE Unified Endpoint Management (UEM) console supports the latest stable builds of the following web browsers.

  • Chrome

  • Firefox

  • Safari

  • Microsoft Edge

Comprehensive platform testing has been performed to ensure functionality using these web browsers. If you run the UEM console with an older version browser or on a non-certified browser, you can experience minor issues.

Resolved Issues

Resolved Issues for 2306

  • CRSVC-37061: Filters on "Console Events" completely broken on console version

  • AGGL-14916: Android Enterprise WiFi Profile (WPA/WPA2 Enterprise) - Unable to save Domain field.

  • AGGL-14746: Custom Admin Role Permissions for Android Permissions Payload.

  • INTEL-48971: Intelligence Enrollment Users Not Syncing as Expected.

  • AAPP-16060: APNs OutBound queue being backed up.

  • AMST-38993: Wi-Fi IP Address of the windows device is displayed as in the Network tab.

  • PPAT-14564: Tunnel config/Cannot edit DTR application under certain circumstances.

  • CRSVC-37205: Admin details are missing while performing DELETE device API call on enrolled device.

  • AGGL-14628: Android Tunnel shows 'No Managed Applications' eventhough present.

  • UM-8007: Error prompted while trying to add LDAP Admin group in UEM console and save.

  • CMSVC-17033: Smart Group Migration banner is displayed even when there are no Smart Groups that need to be migrated in the OG.

  • MACOS-3836: FileVault rotate recovery key command is not working as expected.

  • AAPP-14625: SIM Card change compliance policy is being falsely marked as non-compliant for some devices.

  • AMST-38973: Migration of Windows Update (Legacy) payload fails if Locale set is other than English in Account Settings.

  • AAPP-15971: iOS compromised status compliance policy does not complete evaluation.

  • ARES-25505: Database upgrade failure due to the CREATE UNIQUE INDEX.

  • CMEM-186861: Sync Mailbox issue with Unmanaged/Blocked Records.

  • AAPP-13841: iOS Update filtering issues.

  • AAPP-15498: During iOs Native CICO, the devices do not get assigned to end user after logging in with AppleID on the device.

  • AAPP-15074: ABM device does not update with the second enrolled user status after re-enrollment from first user to second user.

  • AAPP-15653: APNsOutbound messages throttled and failure code "Unknown".

  • AAPP-15815: Mismatch app install status from device summary page with apps&books view.

  • AAPP-15878: Missing validation for Message Template in VPP Managed Distribution.

  • AAPP-15929: Renewed VPP stoken(ASM) does not sync the app details on the console.

  • AGGL-11827: Unbinding G-Suite Android EMM Registration fails.

  • AGGL-12919: Android 'Build Version' field is blank when exporting CSV/XLSX with custom layout.

  • AGGL-14222: Google seems to have increased oAuthToken length (AndroidWorkSetting AccessToken got truncated).

  • AGGL-13726: Apps not installing Apps on Share devices (Pixel 6).

  • AGGL-14249: Android apps not displaying in Hub catalog due to missing Google EMM registration.

  • AGGL-14366: VpnUUID is removed from a Workspace ONE Tunnel VPN profile XML when version is added.

  • AGGL-14488: Annual System Update Freeze Periods always goes back to default in Firefox and Safari.

  • AGGL-14532: Unable to add assignment to Android public applications, Spaceman error received on console.

  • AMST-38422: Intel vpro fails to sync devices.

  • AMST-38498: MacOS DDUI Network profile not saving PayloadCertificateAnchorUUID issue.

  • AMST-38770: Windows marked as compromised after UEM upgrade to 2302.

  • AMST-38822: Enrollment User deletion encounters FK error.

  • ARES-24494: Global search results screen shows garbled characters for double-byte names in UEM console 2209 or later.

  • ARES-24729: Unable to add a SG to a workflow for internal app.

  • ARES-24884: Send Configuration is set to disabled when a new app assignment is created by copying a published assignment that has Application Configuration enabled.

  • ARES-24942: AirWatch Database Purge expired Sample Data SQL job is failing.

  • ARES-24961: Using API to Exclude Smart Group from Option Profile is not Removing Profile from Devices.

  • ARES-25070: Unable to view device list from app assignment or export device list.

  • ARES-25303: App Config missing for Epic Rover after re-publishing the app.

  • ARES-25083: Profiles not getting assigned to iOS device.

  • ARES-24974: Application Crash Logs - Not purging.

  • ARES-25229: Invalid ApplicationEventSample from Android devices.

  • ARES-25309: Unable to delete applications.

  • ARES-25377: High Latency in Purge Expired Sample Data job execution.

  • CMSVC-16822: Lookout Tags fail to work as expected afterconsole upgrade.

  • CMSVC-16867: Intelligence Automation is not working as expected. 

  • CMSVC-16935: Unable to load Assignment and Organization groups list view and unable to load assignment groups in app assignments.

  • CMSVC-16973: Unable to load Assignment groups list view page and unable to load assignment groups in app assignments.

  • CRSVC-34061: Overview page shows incorrect data for Devices with Denied Apps.

  • CRSVC-35200: Re-provisioned Android device not installing profiles and apps.

  • CRSVC-34180: While creating new Compliance policy under view Device Assignment page pressing enter is saving the compliance policy.

  • CRSVC-35209: Unable to edit, delete or deactivate specific compliance policy.

  • CRSVC-35739: Android Hub UI - Privacy Details > Device Management information does not display.

  • CRSVC-36298: Interrogator service unable to save Certificate samples.

  • CRSVC-36361: Workspace ONE does not remove the token while deleting or enterprise wiping the devices.

  • CRSVC-36770: High CPU utilization post upgrade to 23.02.

  • CRSVC-37396: Certificates are not getting deployed to the devices.

  • ENRL-3527: UEM Unenrollment does not send re-authentication to User's other devices.

  • CRSVC-37402: Spaceman error while accessing Device summary page of windows Rugged devices.

  • ENRL-3718: Enrollment restrictions not being honored for ipads.

  • ENRL-3716: Authentication required twice during Intelligent Hub enrollment.

  • ENRL-3719: Unable to edit/view DEP profiles.

  • ENRL-3736:  DS servers CPU usage spiking to almost 100%.

  • FCA-205144:  Issues with Console TimeZone Guadalajara, Mexico City , Monterrey.

  • FCA-205160: Custom Admin Roles unable to load AA pages after upgrade to 2212.

  • FCA-204971: Restrict edit access for Enrollment Settings page.

  • FCA-205179: The error, “User name should not contain the following characters...” occurs at Username in "Trouble logging in" page for admin account if its username includes some special characters.

  • FCA-205220: Insecure storage of sensitive information in advanced settings page exposes all Org Groups.

  • FCA-205268: Post API/mdm/devices/id API call returning internal server error or duplicate results.

  • FCA-205221: Device List Export for Compromised Unknown not honored on Export.

  • FCA-205274: Missing Management Mode tab and no activation email for adding email domain.

  • FCA-205277: API V3 GET /devices/search doesn't return any device network information.

  • FCA-205416: A blue banner with the notification.

  • MACOS-3325: API to create MacOS DDUI Profile.

  • MACOS-3445: Unable to select SCEP certificate in Network Payload.

  • MACOS-3532: Global HTTP Proxy always shows Not Configured for captive portal bypass option.

  • MACOS-3540: macOS Login Window payload issue preventing Screen Saver customization.

  • MACOS-3691: macOS Compliance Policy false positive on Encryption status (round 2).

  • MACOS-3697: Missing Mac devices in seed script.

  • MACOS-3740: Hub 23.03 not seeded.

  • MACOS-3701: macOS devices not showing AirPlay option in More Actions menu.

  • RUGG-11913: Custom assignment rules do not apply correctly during device enrollment as the custom attribute data does not get pulled into the console as fast as product jobs gets queued up.

  • PPAT-14114: Post Migration to AWS CloudFront - Tunnel Configuration page does not load.

  • RUGG-11963: Adding Files/Actions eventually fails when clicking “SAVE” button again while a large file is being uploaded.

  • RUGG-12004: Files get corrupted when multiple files are added under Files/Actions.

  • UM-7887: Manual LDAP attribute sync fails with an error.

  • RUGG-12081: Product assignments are delayed.

  • UM-7948: Unable to modify existing Admin groups in UEM.

  • UM-7902: Administrator with two roles is unable to view user role that was created by himself.

Patch Resolved Issues

  • CMCM-190676: Adding content via API defaults to unknown "Paxar" value for customer, while the default should be N/A.

  • AMST-39542: Workaround for MSFT issue breaking SFD installation.

  • UM-8276: Inconsistency in the response of enrolled user details for Staging Mode and DeviceStagingEnabled fields.

  • MACOS-4007: Unable to setup admin account on a macOS device.

  • CMCM-190659: "Content Detail by Device" Report incorrect.

  • AAPP-16342: Resolve errors from OS update retry job.

  • CRSVC-39404: Globalize the new error message from Blind pirate(INTEL) service.

  • ARES-25957: Application-rule PUT API improvements.

  • FCA-205819: Improve Device Dashboard performance for large device count.

  • ARES-26207: Deploying internal apps is getting stuck in “Pending Release” status.

  • AAPP-16365: Query to validate Cellular APN as required field with DDUI activated.

  • AMST-39505: WNS disconnected for multiple Windows devices.

  • AMST-39308: Arm x64 agent is not getting installed on OOBE enrolled Windows devices.

  • CMCM-190660: Renaming Folder and trying to sync is giving 404 or and empty XML.

  • AAPP-16314: False APNS Notifications during Purchased App Sync.

  • FCA-205669: Horizontal scroll missing for Organization Group selector.

  • AGGL-14594: Clicking "Add version" at the Assignment page of an Application Control profile reverts the profile to default settings.

  • AMST-39479: The default 'Read Only' Admin role to view the Baseline is not working.

  • CRSVC-39367: Memcached uses only one server.

  • CRSVC-37865: Private key does not match public key for certificates from ADCS.

  • CRSVC-40112: Certificate Installer- Private Key not exportable in Manual Flow.

  • AGGL-15331: Remove EFOTA sample from microservices.

  • INTEL-51757: Update current device enrollment user delta export to include delete operation.

  • FCA-205645: Reset password for locked admin account is not working.

  • ARES-26030: Profile Installation status is not loading for profiles deployed to the entire environment.

  • CMCM-190665: Workspace ONE UEM console shows spaceman error when viewing security tab for most macOS devices.

  • PPAT-14872: Switch from AirWatch to Third party under Client Auth is broken.

  • AAPP-16388: iOS Device Updates Notification messages are automatically truncated.

  • CRSVC-39344: Unable to send custom commands.

  • CMCM-190685: Errors during blob sync/check status to CDN.

  • AMST-39652: Newly created baselines in 2302 has NULL values in databse for BaselineTemplatePlatformUUID.

  • CMSVC-17310: SG compilation failure on device event to SG service.

  • AMST-39697: Autopilot enrollment failing after Workspace ONE UEM update to 2306.

  • AMST-39589: Seed 23.02.7 patch to Workspace ONE UEM console master.

  • CMCM-190717: ZDT database upgrade failure for content map procedure.

  • AAPP-16051: "East iOS GP and MobileConnect" profile is going to not installed state on many devices.

  • AMST-39614: Smart group was not recognizing 32 bit devices from Workspace ONE UEM console version 2212.

  • AGGL-15448: Unable to create Android profile with a TimeSchedule, whose ScheduleListUUID is Null.

  • AMST-39633: API 'mdm/devices/security' endpoint fails with 500 internal server error for some devices.

  • MACOS-4064: macOS 14 ADE enrollment fails if the Custom Enrollment is off.

  • ARES-26352: Incorrect version while creating a copy of Workspace ONE UEM profile.

  • INTEL-51913: Intelligence Android Application app version code was not fetched correctly.

  • MACOS-4033: Workspace ONE UEM downloads the binaries from ESR every time the SeedSystemAppsJob runs.

  • RUGG-12328: Update the Linux pull service installer link within Settings > System > Enterprise Integration > Pull Service Installers.

Known Issues

  • AMST-39210: ARM x64 Agent is not getting installed on OOBE enrolled Windows devices.

    This is no workaround for this issue.

  • AGGL-14515: Selecting "Add version" on the Assignment page of an Application Control profile reverts the Application Control profile to default settings.

    You can avoid the issue by selecting "Add Version" in the first page of the Profile Edit flow where all Profile profiles are displayed and configured. If any profile settings have been deleted due to this issue, you must, add a new version to the profile (this time from the first page), correct the Profile settings, and republish the profile.

Support Contact Information

To receive support, access VMware Customer Connect. To learn more about the support policies, see Support Policies. For information about filing a Support Request in Customer Connect and using Cloud Services Portal, see the VMware knowledge base article at here.


To learn more about Workspace ONE UEM, you can browse VMware Workspace ONE UEM Console Documentation.

check-circle-line exclamation-circle-line close-line
Scroll to top icon