Learn about new features and the enhancements made to the Workspace ONE UEM console releases. Get quick access to the UEM console change log, interoperability matrix, and our important end of support announcements.

By allowing the gradual rollout of our software initially into the Shared SaaS environments, SaaS Ops together with Engineering is able to monitor the success of the updates prior to making the software generally available to on-premises customers. On-premises components will be made available to our customers within a few weeks after our SaaS release.

Want to see our latest SaaS and On-Premises documentation? Look at VMware Workspace ONE UEM Console Documentation.

To view full release notes with resolved issues and known issues, see 2111 Release Notes.

Getting Ready for Apple Fall 2021 Releases

Learn more about the upcoming Fall 2021 releases for Apple. See Getting Ready for Apple Fall 2021 Releases for more information.

Upcoming Features and Tech Previews

Learn about the features and capabilities of Workspace ONE UEM that are in technical preview or will be released soon. Technical preview features are not fully tested, and some functionality might not work as expected. However, these previews help Workspace ONE UEM improve current functionality and develop future enhancements.

  • Workspace ONE Drop Ship Provisioning (Online) offers self-registration of Windows devices as a technical preview.

    As an alternative to the current Drop Ship Provisioning (Online) process where you work with your OEM to register your Windows devices, you can use this process to register and provision your devices yourself. This process is also helpful to test the provisioning of a few devices before you send your provisioning orders to your OEM. For self-registration, you work on the Windows device and in the Workspace ONE UEM console. You stage Windows devices with the Drop Ship Provisioning Generic PPKG and register your devices and configure their profiles in the console. For details about this technical preview, access Technical Preview: Self-Registration for Workspace ONE Drop Ship Provisioning (Online).

 

 

New Features in this Release

Console

  • Stay informed with our brand new console banner notifications.

    With the new console banner notifications that appear across the top of the UEM console, you can stay updated on maintenance issues, upgrades, outages, and product announcements. For more information, see Console Notifications.

  • Use Launcher devices without going through the entire authentication process.

    You can now designate a second Launcher profile as a Guest Session profile and enable users to skip directory authentication and quickly access installed applications. For more information, see VMware Workspace ONE Launcher.

  • Keep your workflow going with the improved Bulk Delete command.

    Previously when you issued a Bulk Delete command that triggered Wipe Protection, the Bulk Delete command would end and you had to manually delete the devices. We’ve improved the workflow so that Bulk Delete now resumes after resolving Wipe Protection. For more information, see Device List View.

  • Avoid abandoning devices and child OGs with our new OG deletion logic.

    Now when you attempt to delete an organization group in the UEM console, the system checks for child OGs and devices in the OG you are trying to delete. If it finds a child OG or a device anywhere in the OG tree, the deletion is cancelled. For more information, see Delete an Organization Group.

  • Add your operating system language to your DropShip Provisioning (Offline) encrypted PPKG packages.

    You can now add your operating system language when you configure encrypted packages for DropShip Provisioning (Offline). Enter a Microsoft approved BCP 47 Code in the Custom OS Language field. This setting ensures that your encrypted packages run in the correct date and time format. Find this new field in Devices > Lifecycle > Staging > Windows. Make a new provisioning package or edit an existing one. Select Encrypted PPKG and go to Configurations > OOBE Configuration > Operating System Language > Other. For more information, see Working with Provisioning Packages.

Freestyle

  • We've made a few enhancements to the Freestyle Orchestrator.

    Freestyle has been promoted from technical preview to limited availability for SaaS customers. The following improvements to Freestyle Orchestrator have been made in this release.

    • We have added fast-lane delivery of workflows to small device fleets. When a workflow is deployed to fewer than 2000 devices, the devices are notified immediately upon publishing.
    • Workflows in Windows can be retrieved by devices during device check-in even when no user is logged in. This behavior requires Windows Hub 21.11.
    • Workflow statuses will now be reported more frequently by devices to increase visibility to administrators, and this requires Windows Hub 21.11.
    • We have made changes to the Hub catalog and assignment statuses behavior when an app is assigned both from workflows and directly.
    • Additionally, admins can now add a change log to workflows and force them to execute.
  • Deploy resources to devices using workflows or direct resource assignments.

    To deploy resources to devices, select a smart group and directly assign any app, profile, or script to it. You can also create and assign a workflow with multiple resources to a smart group. Workspace ONE UEM now supports assignments from both the delivery systems.

Android

  • We’ve made performance enhancements to improve batching of Android public application deployment.

    These improvements will benefit larger app deployments, whether automated or on-demand.

  • We’ve made check-in check-out more flexible by introducing guest sessions for Launcher.

    You can now designate a second Launcher profile as a Guest Session profile and enable users to skip directory authentication and quickly access installed applications. For more information, see VMware Workspace ONE Launcher.

  • Want to block enrollment for non Android Enterprise devices?

    If "Always Use Android" is enabled and the device is not certified for Android Enterprise use, enrollment is blocked and the user sees an "Android Enterprise enrollment is required to continue for this device" message on their device.

    For more information, see Android Device Enrollment.

  • Want to customize Launcher Settings without using Custom XML? We have a solution for you.

    We've simplified Workspace ONE Launcher configuration by adding UI controls for 14 features that previously required Custom XML. You can see these features implemented with the new data-driven user interface for Android. The Launcher profile configuration now includes the following Advanced Launcher Settings:

    • Use Legacy Launcher APIs
    • Default to Usage Access
    • Require Write Settings Permission
    • Enable App Data/Cache Clearing
    • Enable Admin Mode on CICO Screen
    • Allowlist Activities on Check-in Check-out Screen
    • Allowlist Specific Android Activities
    • Add Custom Device Settings
    • Customize Single App Floating Button
    • Add Launcher Branding
    • Enable Speed Lockdown
    • Set Launcher as Default after Reboot
    • Remove Floating Home Button Setting
    • Allow Popup Notifications

    For more information, see VMware Workspace ONE Launcher Profile Configuration.

iOS

  • Silently install your required App Store apps

    With iOS 15.1, you can set any single App Store app as a required app during enrollment. When installing the app using Workspace ONE UEM or Workspace ONE Intelligent Hub, the app deploys silently, even on unsupervised devices. For more information, see Configure Organization Settings.

  • Help users enroll their personal devices more easily with Account Driven User Enrollment.

    On iOS 15 and later devices, users can sign in with their Managed Apple ID directly in the iOS Settings app instead of navigating to a URL in Safari. This allows users to focus on setting up their enterprise account rather than switching between screens and multiple prompts. For more information, see Enroll an iOS Device Using Account Driven User Enrollment.

Scripts

  • We’ve deactivated the Scripts functionality for BYO devices.

    To preserve end-user privacy, macOS and Windows devices with Employee Owned ownership are now excluded from Scripts assignments.

     

Chrome OS

  • We've added support for SCEP Certificate Deployment

    From a Chrome User or Device Network (or Credentials) profile, you can now choose a SCEP certificate authority and template when adding a template-based certificate. For more information, see Supported Certificate Authorities.

 

To view full release notes with resolved issues and known issues, see 2109 Release Notes.

Workspace ONE UEM Console

  • Assigning the default SDK profile to your iOS Intelligent Hub just got easier.
    You no longer have to manually assign the default SDK profile to your iOS Intelligent Hub because Workspace ONE UEM assigns it for you. This improvement resolves several issues such as inconsistent push messages from the UEM console, SDK profiles stuck in a queued state, difficulties enrolling devices through the Intelligent Hub for iOS, and inconsistencies with enrollment prompts. The settings for the Intelligent Hub and the default SDK profile can be found in the Workspace ONE UEM console under Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS > Intelligent Hub Settings.
  • We’ve cleaned up the list of supported Launcher versions.
    We have now discontinued support for Workspace ONE Launcher v1 and v2. You will no longer be able to select these versions in the drop-down menu under Service Applications. To access all the new features, you must upgrade your Workspace ONE Launcher to the latest version. For more information, see VMware Workspace ONE Launcher Version Information.
  • Maximize your search results with wildcards in the UEM global search.
    You can now use asterisk wildcards in your global searches to boost your search results. For more information, see Global Search.
  • Workspace ONE UEM and Workspace ONE Access no longer share configurations for SaaS Apps, Access Policies, and Virtual Apps. You can easily find these app management features in the Workspace ONE Access console. For more information, see Workspace ONE Access documentation.
  • We’ve now restored the UEM Monitor link to access Workspace ONE Intelligence.
    If you have a Cloud Services account, you can now access Workspace ONE Intelligence through the Monitor button on the main menu. For more information, see Console Monitor.
  • Control certificate revocation based on certificate sampling.
    You can determine when to revoke device certificates if they are missing from the sample. If you choose to disable the setting, Workspace ONE UEM does not revoke certificates from devices whose certificates are missing from the sample. Moreover, manual revocation and revocation during unenrollment will continue to work even if the setting is deactivated.
  • Coming Soon – Workspace ONE UEM support for Linux-based devices. 
    We are eager to get this new feature to you but will be enabling it in phases to ensure successful deployments. You can use this feature in the coming months as we roll it out to SaaS environments globally. When it is available, you will notice changes to your user interface, such as the addition of Linux as a platform in filters, smart groups, and settings. You will also have the option to select Linux when creating profiles in Workspace ONE UEM. In the coming weeks, we will announce the release of the corresponding Workspace ONE Intelligent Hub for Linux, along with all of the documentation necessary to assist you in utilizing this exciting new offering from the Workspace ONE team.
  • We've set the new data-driven user interface for Android and tvOS as the default profile experience.
    You can now easily and quickly configure and deploy Android and tvOS profiles using the new DDUI profile user experience. This new data-driven model includes new payload layouts, search capabilities, and profile summaries. The new data driven UI framework enables VMware to deliver new profile features faster. For information specific to Android profiles, see How to Configure Android Profiles and for Apple tvOS profiles, see Apple tvOS Profiles.
  • We've enhanced SafetyNet Attestation with Hardware_Backed check.
    You can now choose which evaluation types from SafetyNet Attestation are trusted as part of Android Compromised Detection. For more information, see the topic Apps / Settings and Policies / Security Policies.

Windows

  • Configure your Windows 10 devices using the VMware Dynamic Environment Manager (DEM) integration with Workspace ONE UEM.
    We have now integrated DEM with Workspace ONE UEM, allowing you to deploy a DEM config profile to your managed Windows Desktop (Windows 10) devices using UEM. To use the DEM profile, install the DEM Management Console to create DEM config files and deploy the DEM FlexEngine to managed devices to apply the DEM config files. You can find the landing page for this integration in Workspace ONE UEM, by navigating to Groups & Settings > Configurations > Dynamic Environment Manager. The profile can be found in Workspace ONE UEM under Resources > Profiles & Baselines > Profiles > Add > Add Profile > Windows > Windows Desktop > Device Profile. For more information, see the Profiles for Windows Desktop topic and DEM documentation.
  • We've improved the device refresh mechanism for Windows Desktop.
    When you refresh and re-enroll previously enrolled devices in Workspace ONE UEM, the original device record is reused in the Workspace ONE UEM console. The reuse of the original device record eliminates the need for duplicate records in the console. This enhancement is applicable to physical devices but not to virtual machines.
  • We’ve made performance improvements when querying Windows Desktop devices for Windows Updates metadata.

To view full release notes with resolved issues and known issues, see 2107 Release Notes.

Console
  • We’ve increased the allowed internal app size. 
    You can now upload internal apps of up to 10 GB to the Workspace ONE UEM console. This file size has been increased from the previous 200 MB. You must enable CDN to use the increased app size. In SaaS deployments, we’ve enabled CDNs by default. If your on-premises deployment uses CDN, your environment will also have these updated size limits. To know more, see Deploy Internal Applications as a Local File.

  • Get device information with the maximum page size limit of 500 using the /device/search API.
    The /device/search API now has a page size limit of 500, so each API call returns a maximum of 500 records. To get all the records when a result set exceeds that limit, users must iterate through the pages.

  • We've made a few enhancements to the Remote Management APIs (V1 and V2). 
    • The Remote Management APIs (V1 and V2) now support role-based access controls. You can now restrict the level of access that a user receives while using Workspace ONE Assist through the Remote Management APIs. Workspace ONE Assist allows the following functions to be restricted at a user-level role: Remote View, Remote Control, File Manager, Registry Editor, Remote Shell, Session Collaboration, and Unattended Access on desktops.
    • You can now use the Remote Management API (V2) to pass in additional parameters that allow users to choose specific remote management tools such as Share Screen, File Manager, and Remote Shell prior to a session. When using the Remote Management APIs, you can now easily specify which Workspace ONE Assist tool you want to connect to when starting a remote session. This functionality is already available when a session is initiated from the UEM console. We have enhanced the remote management APIs in this release to support the same.

macOS

  • Support for Apple Silicon in Smart Groups.
    Workspace ONE UEM now supports filtering by CPU Architecture in Smart Groups for macOS devices. You can define Smart Groups based on Intel (x86) or Apple Silicon (arm64) processor types. We have also updated the Device List View filter and the Device Details page to include the new CPU type. Support for filtering Windows devices by CPU type will be in a future release. For more information, see Support for Apple Silicon Macs.

Email Management

  • We’ve simplified the Email List View page.
    We removed the device details such as OS, model, platform, phone number, or IMEI from the Email > List view page. You can still see that information from the Device List View page.

Content Management

  • Want to delete your old Personal Content storage, but not sure how? We have a solution for you. 
    You can now easily remove the Personal Content storage from your Workspace ONE UEM console using the /V2/contents/groups/{organizationGroupUuid}/personal-content API. This API deletes all personal content repositories from the provided organization group and its children. You can access this API at Workspace ONE UEM API Explorer.

App Management

  • We've made a few modifications to the CDN configuration to improve ease of use.  
    We enhanced the test connection functionality of the CDN configuration to include checks for user account permissions. We have also published a CDN configuration tool that can be used independently of the Workspace ONE UEM console. The new tool makes it easier for on-premises customers to set up their origin servers. You can find the tool on My Workspace ONE. For more information, see Workspace ONE UEM and Akamai Integration Workflow.

Windows

  • We've bid farewell to Windows Phone.
    As Windows Phone has reached the End of General Support, we have removed all instances related to it from the Workspace ONE UEM console. We no longer support the management of this phone model. To know more, see the End of support announcement.

  • Build your own baselines for Windows 10 without using a pre-configured template.
    You no longer need a template to create baselines in Workspace ONE UEM. You can now create baselines from scratch by simply selecting policies from our policy catalog. Select the appropriate Windows 10 version in the creation wizard, then select your policies from the policy catalog. Baselines can be found in Workspace ONE UEM under Resources > Baselines. For more information, see Using Baselines.

Rugged

  • Launcher Check In/Check Out added as an Event Action condition.
    An Event Action can now poll the Launcher on your Android device and execute its Run Intent based on whether Launcher is checked in or checked out. For more information, see Event Actions.

To view full release notes with resolved issues and known issues, see 2105 Release Notes.

Console

  • Coming Soon - Deploying Android and tvOS profiles is now faster and easier with the new data-driven user interface. 
    We are eager to get the new DDUI feature to you, but we want to make sure to resolve any issues that might affect usability. You can use this feature in the coming weeks as we roll it out. You will notice updates to your user interface when it is available. With the new data-driven user interface, you can configure profiles for Android and tvOS platforms. This data-driven model includes new payload layouts, search capabilities, and profile summaries. It also allows new keys and payloads released by Google and Apple to be added to Workspace ONE for admins to deploy much more rapidly. For information specific to Android profiles, see How to Configure Android Profiles and for Apple tvOS profiles, see Apple tvOS Profiles.
     
  • Technical Preview: Maximize your search results with wildcards in the UEM global search.
    You can now use asterisk wildcards in your global searches to boost your search results. Wildcard support in the UEM global search is a technical preview feature. Technical preview features are not fully tested, and some functionality might not work as expected. However, these previews help Workspace ONE UEM improve current functionality and develop future enhancements. For more information, see Global Search.
  • We've added a limit on bulk device deletions.
    To prevent you from accidentally deleting more devices than you intended from your tenant or organization group, we have implemented a limit on bulk device deletions. The new limit (100 devices) is enabled by default and does not require any changes to the system settings.

  • Enable or disable Hub Services experience at any child OG level in the OG tree.
    We've implemented Hub integration at the OG level. For more information, see Configure Enrollment Options on Hub Integration.

Android

  • Are you having trouble accessing Launcher features when your devices are not connected to a network? We've got a solution. Designate your Launcher profile as an offline mode profile.
    Offline mode profiles can now be accessed when the device is offline and allow you to continue your work even when you are unable to log in. For more information, see Configure Launcher Profile.

  • Coming Soon - Introducing Data-Driven Profiles for your Android devices – A faster way to take advantage of the new MDM APIs. 
    You will see several changes within your Android profile configuration with new profile layouts, search capabilities, and summary pages.

    • The Single App Mode profile has been renamed to Lock Task Mode which allows you to lock a single or pre-determined set of apps to the foreground of the device launcher. You can add apps to an allow list and set specific actions such as the use of the Home button or Show Recents with global action.
    • You can now specify if your users can use the autofill feature with their devices. Some apps can fill out the views in other apps with data previously provided by the user. You can enable or disable this feature in the Restrictions profile.
    • The Date/Time profile has been added to allow you to configure the Date and Time settings on Android 9+ Work Managed devices as well as prevent the user from modifying the configuration.
    • Under the Restrictions profile, calendar apps running in the personal profile can now show events from the work profile calendar. There is a new option, Enable cross profile calendar access in the profile that allows you to set this permission. This is available for Android 10 or later devices and requires support by the calendar application to share the calendar data to the system.
  • We now support device-based accounts with Corporate Owned Personally Enabled (COPE) enrollments.
    For scenarios where devices are not associated with a specific user, the enrollment settings have been updated to include device-based enrollments. This is useful for single-user staging when devices are enrolled prior to being given to the end-user. If Device-Based is selected, unique device-based accounts are generated on enrollment rather than re-using an existing managed Google account if the user has already enrolled a previous device. For more information, see Android Device Enrollment.
  • Want to make sure your devices are secure? Perform security audits on Corporate Owned Fully Managed Android devices by collecting a Security Log. 
    The security logs report possible security breaches on the device by reporting certain pre and post-boot activity, such as authentication attempts, credential storage modifications, attempted ADB connections, and more. You can customize this request in the Device Details. For more information, see Android Device Management.
    Note: This requires a future version of Workspace ONE Intelligent Hub. 

  • Automatic seeding of Android Manufacturers and Models. 
    Android device manufacturers and models are now added to the console automatically upon enrollment or device sync. The OEM and models can be used for enrollment restrictions, compliance policies, and the newly introduced Android OEM & Model filter in Smart Groups.

Chrome OS

  • Automatically place devices in the intended Organization Groups.
    Chrome OS devices can now be placed into the expected Organization Groups based on User Group Membership. The UEM Extension for Chrome OS will report the current logged-in user, and the device record is automatically moved into the respective Organization Group.

macOS

  • Simplify macOS device provisioning with a new post-enrollment onboarding experience. 
    Keep users informed about the device provisioning process after enrollment completes with the new onboarding experience built into Workspace ONE Intelligent Hub. After enrollment is finished, Intelligent Hub displays a new window that tracks all incoming application installs. Administrators can enable and customize the experience in the UEM console. For more information, see Enable Post Enrollment Onboarding Settings.
  • Streamline enablement of Intelligent Hub on macOS endpoints.
    The existing seeded Privacy Preferences profile for macOS Intelligent Hub now also includes the Notifications payload and System Extensions payload to automatically enable all Intelligent Hub functionality on endpoints without needing to create the profiles yourself.

  • Allow standard users access to privacy permissions on macOS Big Sur.
    With new keys in the Privacy Preferences profile, administrators can now enable users with standard permissions on macOS Big Sur to allow video conference tools access to Screen Recording and Input Monitoring services.

  • Trigger macOS Sensors based on network.
    With the new Network Change trigger, administrators can now configure Sensors to run whenever the device's network status changes.
    For more information, see Create a Sensor for macOS Devices.

Tunnel

  • Ability to support Tunnel Device Traffic Rules for Samba Domains for iOS Platform. 
    You can now add a Rule for Samba Domains in the Tunnel Device Traffic Rules UI. This feature is only supported for the iOS platform. For more information, see Create Device Traffic Rules.

Windows

  • Welcome Windows app approvals. 
    If you are using Windows Hub Client version 21.05, you can now provide justification when requesting Windows apps from the Hub Catalog. For more information, see App Approvals.

  • Introducing BitLocker To Go Support. 
    Use Workspace ONE UEM to require the encryption of removable drives on your Windows 10 devices with BitLocker.
    Select the Enable BitLocker To Go Support check box in your encryption policy. When you enable support, users are prompted for a password, the drive is encrypted, and Workspace ONE UEM escrows the recovery key for the drive.
    Users enter this password every time they access the removable drive on their devices. Find the encryption profile in the console at Devices > Profiles & Resources > Profiles. If users forget their passwords, you can recover the drives using the recovery key stored in the console at Devices > Profiles & Resources > List View > Removable Storage tab. If you see thousands of recovery IDs, use the available filter functions to find the exact key you need.
    For details about this support, see Encryption.

  • Suspend and resume BitLocker on Windows 10 devices from the console.
    Use the More Actions > Suspend BitLocker or Resume BitLocker menu item in your device records to help your Windows 10 users without permission to control BitLocker. Choose to suspend a device and allow 1-15 reboots to conduct maintenance on a system, or resume BitLocker if it was suspended previously.
    For details about this feature, access Windows Desktop Device Management > More Actions.

  • Create a domain join configuration for a Workgroup, and optionally create a local administrator account with Workgroup Join for Windows.
    You can now use Workspace ONE UEM to join your Windows devices to a Workgroup. For details, access How Do You Deploy Domain Join Configurations for Windows Desktop?.

  • Duplicate baselines and edit the copies without the risk of compromising the original baseline.
    Make duplicate copies of your baseline with the same policies and values and customize them as per your requirement. For more information, see Using Baselines.

  • Keep managed apps on your Windows 10 devices on Enterprise Wipe. 
    Accelerate the process of re-enrollment of your Windows 10 device to a different user. For more information, see Windows Desktop Device Management.

Went live on February 26, 2021. To view full release notes with resolved issues and known issues, see 2102 Release Notes.

Android

  • We've made enhancements to the UEM console to enable the clear passcode capability using Direct Boot.
    By default, apps do not run during Direct Boot mode, which is when the device has been powered on but the user has not unlocked the device. We've made some modifications in the UEM console that allow you to send a clear passcode command with Workspace ONE Intelligent Hub for Android while the devices are in Direct Boot mode. Direct Boot is only available on Android 7.0 and above devices that support a specific type of file-based encryption. For more information, see Android Device Management.
  • We have introduced a native experience to using your Android devices as shared devices.
    Native Android using Check-In Check-Out for shared devices supports simpler use cases that do not require as much customization as Launcher. You can create secondary users, use simple branding, implement restrictions, and limit applications. For more information, see Configure Shared Android Devices for your Shift Workers.

Chrome OS

  • Let multiple users securely share the same device within your organization.
    With Managed Guest Sessions, you can now use your devices as shared devices among multiple users within the organization. It enables Chromebook to log in and out as a shared user, encouraging different users to securely share the same device for web browsing, inventory lookup, job applications, or school exams. Shared users have limited access to the device and data cannot be shared between sessions. For more information, see the Kiosk section of Chrome OS Profile Management.

Freestyle

  • Technical Preview: Schedule Resource Installs At Your Convenience.
    The time it takes to update devices with downloadable content such as apps can be lengthy and the device's performance during this time is often poor, to say the least. The Time Window feature allows you to schedule those updates outside of peak work hours, using the device's local time. You no longer have to choose between keeping your device up to date and being productive.
    Note: Time Windows can be applied only on Freestyle Workflows. Technical preview features are not fully tested and some functionality might not work as expected. However, these previews help Workspace ONE UEM improve current functionality and develop future enhancements. For more information, see Technical Preview: Make a Time Window and Assign it to Devices.

iOS

  • Purchase and deploy public apps to your managed tvOS devices.
    You can now sync, assign, and deploy tvOS app licenses in the Workspace ONE UEM console. All settings which are available for iOS apps, including installation, configuration, update, and deletion, are now also applicable to the deployment of public apps. For detailed information, see Public Application Management (tvOS).
  • Would you like to check which time zone is set on your Apple devices to evaluate any changes? You can now monitor the time zone of your Apple devices in the UEM console. 
    We let you track the time zone reported by the iOS, macOS, and tvOS devices in the Workspace ONE UEM console under Device Details.

Windows

  • Use the Autopilot integration in Workspace ONE UEM to deploy domain join for both cloud and on-premises users. 
    We've now integrated Microsoft Autopilot with Workspace ONE UEM to support Hybrid Domain Join. With the new integration, you can combine the on-premises domain join process in Workspace ONE UEM with your Autopilot device configurations that are set in Azure. For details on how to set up this integration, see Integration with Microsoft Autopilot.

  • Get email and console notifications when a new version of an existing app in your catalog becomes available.
    You can now simply click "add application" from the console notification and it automatically takes you through the steps to update and distribute the new version of your application. You can also enable notifications for the existing EAR apps by editing them from your Apps and Books section. For more information, see Upload and Configure Win32 Files for Software Distribution.

Went live on January 22, 2021. To view full release notes with resolved issues and known issues, see 2101 Release Notes

Console

  • We've made a few changes to Intune App Protection Policy.
    Workspace ONE UEM now notifies you if the Intune App Protection policy has been deleted or modified. You will be notified upon the launch of the Microsoft Intune App Protection Policy in Workspace ONE UEM console.

Integrate with Azure AD Conditional Access Policies

Android

  • Would you like to know how much storage is available on the devices being managed by the UEM console?
    The Device Details summary page now reports the internal storage and external storage for the enrolled devices. This is supported for devices enrolled as Fully Managed Mode. For more information, see Android Device Management.

iOS

  • We're working on building a more-inclusive digital workspace.
    As part of our efforts around inclusion, we’re taking a close look to ensure we’re using more inclusive language. We’re undergoing a process to review terms and replace some of those problematic terms with alternatives. You'll notice some of the terminology updates in our user interface.

Application Management

  • A better way to update and manage your new application versions.
    Your internal application version number can now have a 4th decimal field which makes it easier for you to upload new application versions. Also, we've made a few UI updates. The Actual Version is now called the App Version and the Internal Version is now called the UEM version. For more information, see Internal Application Versions.

Content Management

  • We've disabled syncing with the Corporate File Server.
    The overload on the Device Services server and the database caused by the constant auto-syncing of the Corporate File Server often causes performance issues. To reduce the overload, you can now disable the auto-sync of the corporate repositories on the Settings > Content > Advanced > Corporate File Servers page of the UEM console. You can also disable viewing of the corporate file server content displayed on the Content > List View page.
  • We've bid farewell to Personal Content.
    As Personal Content has reached the End of General Support, we have removed the obsolete code for all configurations related to Personal Content.

Rugged

  • Prioritize selected products and move them to the "front of the line".
    You can prioritize selected products, moving them to the "front of the line" and upload them to relay servers ahead of other products. This means prioritized products are installed on devices before non-prioritized products. This is useful for when you have an important update that must find its way to devices ASAP, such as a bug fix to a critical business app, security patches and OS updates, rollbacks of accidental deployments, and many other scenarios. For more information, see the Deployment tab of Create a Product.

Windows

  • Check out the updated Encryption Profile with enhanced support for native BitLocker encryption for Windows Desktop.
    We have updated our support for BitLocker to include the escrowing of recovery keys. If the drives cannot restart on your Windows 10 devices, Workspace ONE UEM has a recovery key for each drive. You can allow users to set PINs with more than numbers with the Allow Enhanced PIN at Startup setting. Users can set uppercase and lowercase letters, use symbols, numbers, and spaces. Note: Not all systems support non-numeric characters at startup, so please test carefully in your environment. We have also added more BitLocker statuses to the Device Details pages. Find statuses for Encrypted, Encryption in Progress, Suspended, and Partially Protected. These statuses correspond to rules in compliance policies so that you can configure policies to support the BitLocker encryption status you want to enforce. For more information, see Encryption Profile.
  • Use Workspace ONE UEM to join your On-premises domain during enrollment.
    You can now enable Workspace ONE UEM to create computer objects in your On-premises Active Directory and deliver the domain join configuration to your Windows devices, orchestrating the full provisioning process as part of enrollment. Leverage this feature with VMware Tunnel to deliver a fully ready-to-work, domain-joined Windows device directly to your remote end-users, allowing them to log in directly to their fully configured desktop using their domain credentials and get productive in a matter of minutes. For more information, see Domain Join Configuration for Windows Desktop.

Went live on January 15, 2021. To view full release notes with resolved issues and known issues, see 2011 Release Notes

Console

  • Are you a new customer opting into Hub Services or Workspace ONE Access from UEM? You'll no longer see the VMware Terms of Service if you've already accepted the Terms of service in the UEM Console.
  • Update the Outbound Proxy Tooltip content to include restarting of all AirWatch services.
    When you save the global proxy setting, all AirWatch services make outbound requests depending on the initiated flow. As a result, we updated the tooltip content to include restarting of all AirWatch services.

Chrome OS

  • Configure certificates with or without a wi-fi network.
    We have updated the profiles to split the certificates section of the Network profile into a new Credentials profile. After upgrade, all existing certificates are migrated to the Credentials profile and you can configure certificates with or without a wi-fi network. Want to know more? See Configure Credentials profile.
  • More easily migrate Chrome EMM Registration between consoles.
    To support migrating your Chrome EMM Registration from one environment to another, when you clear Chrome settings in the UEM console, all Chrome OS device records are cleared out, all Certificates pushed to Chrome users and/or devices from the console are revoked, and the UEM Extension is removed from devices. Want to know more? See Setup Chrome OS Configuration Settings.

Android

  • Did you know there have been changes to Android management using device administrator (Android Legacy)?
    We have updated the UEM console to make Android enterprise the default deployment model for Android devices, and the legacy Android management model (also known as device administrator) will be accessible by exception. Android enterprise is custom-tailored for bring-your-own-device (BYOD), corporate-owned, and dedicated device modes, each with unique management controls and user experiences. For more information about this change, see Upcoming Changes to Android Management Using Device Administrator (Android Legacy).

iOS

  • Monitor, log out, and delete the users on your Shared iPads.
    Admins with Shared iPads for Business can now track the users that exist on their devices, force these users to log out, or even delete them. Want to know more? See Monitor, Logout, and Delete a User.
  • Improve your device update experience by skipping some or all screens on iOS 14 and macOS Big Sur 11.0 devices.
    You can now deploy a Skip Setup Assistant payload and choose to skip the setup screens after an OS update. For more information, see Configure a Setup Assistant Profile.

macOS

  • macOS 11 Big Sur updates to Bootstrap Token.
    Bootstrap Token has been enhanced to support macOS Big Sur. Bootstrap Token escrow status details can now be retrieved with Console APIs for Device Information, and Event Logs now display Bootstrap Token removals. For more information, see MDM Bootstrap Token.
  • macOS SSO Extension profile in User context.
    Starting from macOS Big Sur, admins can now create the SSO Extension profile in either device or user context based on deployment needs. Want to know more? See Configure an SSO Extension Profile.

Application Management

  • Sort your internal apps by the date-time they were created and filter them by the source they were added from.
    We've added two new columns to the internal app list view page. The CreatedOn column lets you sort the apps based on the app creation timestamp and the Source column lets you filter apps based on the application source.

Content Management

  • We've automated repository addition for you through APIs.
    You can now add repositories using APIs instead of adding repositories manually on the UEM console.
  • We've announced end of support for the Personal Content portion of the Workspace ONE Content solution.
    End of General Support for VMware Workspace ONE Personal Content. Want to know more? See End of support announcement.

Tunnel

  • Explicit Security with NSX-T.
    Tunnel NSX integration now supports NSX-T. With this, you can specify explicit paths between your apps on devices and services in your data center. For more information, see Integrating VMware Tunnel with NSX.
  • Smart Groups for Device Traffic Rules.
    Looking to enforce Zero Trust policies for application access? You can now create multiple policies for Device Traffic Rules and assign them to individual profiles, helping you achieve least-privilege based access policies. For more information, see Create Device Traffic Rules.

Went live on October 14, 2020. To view full release notes with resolved issues and known issues, see 2010 Release Notes

Documentation

  • Have you seen our new in-page Navigation interface? If not yet, see VMware Workspace ONE UEM Console Documentation.
    We’ve heard your feedback that the traditional nested table of contents (TOC) structure is difficult to use. Starting 2008, you can search and discover content by using our new navigation homepage that is organized according to how you use the product.

    Don't forget, we've removed release-based versioning in our left navigation sidebar. If you are looking for Cloud content, you can select services from the version selector drop-down menu. If you are looking for on-premises documentation, choose the version of Workspace ONE UEM you want to learn about when you land on our content on the VMware Docs site.

     

    Take a look at our new navigation homepage and tell us what you think. To leave feedback, go to Workspace ONE UEM Console Documentation, jump to the bottom of our feedback section, and tell us what you like about the new experience.

Credential Escrow Gateway

  • Faster Windows 10 certificate delivery for escrowed SMIME certificates.
    Moving to an event driven model to notify UEM when certificates are uploaded to the Credential Escrow Gateway greatly enhances the speed with which we can deliver escrowed certificates to Windows 10 devices.
    Note: Any certificates uploaded to Escrow Gateway (EG) prior to version 1.2 are no longer compatible. After you have migrated Redis data to EG 1.2+, upload the certificates again using either a v1 or v2 endpoint to be retained for the entire length of your configured retention period.

Freestyle Orchestrator (Preview)

  • Introducing Freestyle Orchestrator (Preview).
    Freestyle Orchestrator is a low-code IT orchestration platform that gives you the flexibility to create workflows for resources such as apps, profiles, and scripts and apply them to devices based on granular criteria. This functionality lets customers define complex onboarding workflows and go through multi-step processes like upgrading BitLocker with a one-time setup, and it can additionally be used to target devices based on any device-related criteria. Want to know more? See What is Freestyle Orchestrator.

Android

  • View the "Last Reboot" timestamp in the UEM console under Device Details.
    Would you like to know the last reboot time of your devices as you are troubleshooting or viewing device details? You can now view the "Last Reboot" timestamp in the UEM console under Device Details. For more information, see Device Details.
  • Distribute Applications for closed testing.
    In the UEM console, you can now test and deploy custom internal test tracks of the application before releasing the production version. For more information, see Deploy Private Applications to a Testing Track.

iOS

  • Force log out users of Shared iPads for Business.
    You can now forcefully log out the current user of a Shared iPad to return it to the main lock screen. This allows a new user to pick up and begin using the device. For more information, see Manually Log Out a User.
  • Prevent your Apple devices from randomizing their MAC address.
    iOS 14 brings you a new privacy feature where the MAC address of devices connecting to Wi-Fi will be randomized instead of showing the true hardware MAC address. With Workspace ONE UEM, this can be prevented for targeted Wi-Fi networks.
  • Prevent users from removing any managed iOS applications.
    You can now set any managed apps on iOS 14 devices to be unremovable by users.
  • Set specific domains to be included or excluded in VPN configurations.
    In iOS 14, per-app VPN configurations can set specific domains and subdomains to leverage or avoid the VPN for connections.
  • Deploy your APNs traffic through an HTTP proxy.
    If you are leveraging an HTTP proxy for your Workspace ONE UEM environment, you can choose to send all traffic through the proxy for outbound APNs.

macOS

  • Defer software updates on macOS Big Sur.
    Previously, macOS devices could only defer major OS software updates. In macOS Big Sur, admins can now defer non-OS software updates on macOS devices.
  • Prevent your Apple devices from randomizing their MAC address.
    macOS 11 Big Sur brings you a new privacy feature where the MAC address of devices connecting to Wi-Fi will be randomized instead of showing the true hardware MAC address. With Workspace ONE UEM, this can be prevented for targeted Wi-Fi networks.
  • Set specific domains to be included or excluded in VPN configurations.
    In macOS Big Sur, per-app VPN configurations can set specific domains and subdomains to leverage or avoid the VPN for connections.

Windows

  • Make your software deployments easier and more flexible when the installation complete criteria change.
    You can now edit the When to Call Installation Complete criteria for Windows app deployments. For more information, see Configure Win32 Files for Software Distribution.
  • We've removed support for Windows Phone devices in the Workspace ONE UEM console.
    Windows Phone devices are no longer available in the Workspace ONE UEM console as of the Workspace ONE UEM 2010 release. You will not be able to manage, wipe, or reset the devices from the console. To remove any device management, initiate removal of our Work Account or factory reset the device. For more information, see our KB article on Windows Phone Management will be removed from Workspace ONE 2010.
  • Check out the Technical Preview for Workspace ONE Drop Ship Provisioning (Online).
    Workspace ONE Drop Ship Provisioning for OTA eliminates the need to create and share PPKGs with your hardware manufacturer. Simply assign your payloads to a tag in the Workspace ONE UEM console, and then place an order with your Windows 10 hardware manufacturer using that Workspace ONE UEM tag. Technical preview features are not fully tested and some functionality might not work as expected. However, these previews help Workspace ONE UEM improve current functionality and develop future enhancements. For more information, see our KB article on Technical Preview: Workspace ONE Drop Ship Provisioning for OTA.

Application Management

  • Block access to your Workspace ONE SDK apps when the apps are not managed by EMM on your end-user devices.
    While configuring the app assignment, if you set the EMM Managed Access flag as 'needs EMM management', then the SDK app tries to access the EMM managed app config on the device. If the app is unable to access this information, it indicates that the app is unmanaged and the access to it is blocked. For more information, see Add Assignments and Exclusions to your Applications.

Content Management

  • As part of our efforts around inclusion, we replaced a few offensive terms.
    We’ve implemented a process to evaluate and adopt alternatives for potentially offensive terms in Mobile Content Management console pages.

Email Management

  • The SEG custom settings are now available as key-value pairs in the Workspace ONE UEM console.
    You can now configure the SEG custom settings as key-value pairs in the Workspace ONE UEM console. The commonly used properties are seeded in the Workspace ONE UEM Console. For more information, see SEG Custom Gateway Settings.

Integrate Directory Services

Rugged

  • Queue Content to Relay Servers without assigning your devices.
    You can now add content to push and pull relay servers (including Relay Server Cloud Connectors) without requiring those servers to have devices enrolled in its associated organization group. This means you can get all the apps and content staged before devices are even enrolled. For more information, see Publish Product to Relay Server.

Scripts and Sensors

  • Use Scripts to automate endpoint configurations.
    Use the new Scripts feature for macOS and Windows Desktop devices to send code to devices to run processes. For example, push a script to macOS devices to reset printer configurations or push a script to Windows Desktop devices to remind users to reboot their machines. To keep sensitive data in your scripts safe, Workspace ONE UEM includes variables to obfuscate information such as email passwords and session tokens. If you integrate your Workspace ONE Intelligent Hub with Scripts, your device users can access these useful scripts any time they want. Scripts display in the Apps section of the Hub catalog. For information about Scripts for Windows Desktop, access Automate Endpoint Configurations with Scripts for Windows Desktop Devices. For details about Scripts on macOS, see Automate Endpoint Configurations with Scripts for macOS Devices.
  • Find Sensors in its new place in the navigation and check out the updates.
    We've moved Sensors under Resources so that you can find it more easily. And now, not only can you use Sensors with Windows Desktop, we've added support for macOS. Use scripts in your Sensors to collect all kinds of data that you can view for a single device in that device's Device Details page, on the Sensors tab. This new tab removes the need to use the VMware Workspace ONE Intelligence service. But don't worry, if you do use Intelligence, you can continue to enjoy viewing and interacting with data for multiple devices with reports and dashboards. For more information, see Collect Data with Sensors for Windows Desktop Devices. For details about Sensors for macOS, see Collect Data with Sensors for macOS Devices.

Went live on September 15, 2020. To view full release notes with resolved issues and known issues, see 2008 Release Notes

Documentation

  • Welcome the new navigation homepage that helps get you where you want to go.
    We are launching a new navigation homepage that speeds your documentation discovery. The page shows you what’s available in our documentation portal, sets you in the right direction, and helps you get started. We've grouped our documentation into logical buckets to help narrow down what you are looking for. Like to explore? See VMware Workspace ONE UEM Documentation.

iOS

  • Skip the latest iOS 14 and macOS Big Sur onboarding screens.
    You can now skip the latest Setup Assistant screens such as Accessibility, Update Complete, and Restore Complete screens.
  • Prevent users from accepting App Clips.
    You can now prevent iOS 14 devices from viewing a new feature called App Clips where a user can view and interact with a small portion of a larger app binary without downloading the full app itself.
  • Override existing passwords while configuring native mail.
    In iOS 14, you can now choose to override a previous password on a device when installing an Exchange ActiveSync email profile.
  • Control your app notification previews in iOS 14.
    If an installed app is receiving push notifications displayed to the user, admins can prevent the content of the notification from being displayed, either when the device is locked or at all.

macOS

  • Onboard your macOS devices with true zero-touch.
    You can now simply plug your new Mac computers into Ethernet and power them on. With Auto Advance configured in Workspace ONE UEM, macOS devices will be automatically onboarded, skipping all required screens with no user interaction.

Android

  • Detect and monitor network activity on your corporate owned devices.
    You can enable Network Logging for Android devices deployed through Work Managed enrollment. When active, Android records DNS requests and network connections from apps to a log file for the specified duration via the Request Device Log command. This option is only available for Work managed devices running Android 8 and higher.

Application Management

  • Configure Workspace ONE Boxer to support multiple managed accounts.
    You can now use the Boxer application to manage your multiple email accounts assigned with different settings. This capability comes with Boxer version 5.21 or later and requires SSO activation.

Content Management

  • Don't be surprised if the "Use Legacy Settings and Policies configuration" is not seen in the Content Legacy Settings.
    To avoid conflicts between the Content Legacy configuration settings and the other SDK settings, the Use Legacy Settings and Policies configuration setting under System Settings > Content > Applications > Workspace ONE Content App has been deprecated. The assigned SDK profile will now be the supported mechanism for delivering the DLP policies to the Workspace ONE Content app. For more information, see Configure VMware Workspace ONE Content.

Rugged

  • Workspace ONE Launcher now shows you the install status only if it's relevant for the device record.
    We've made some user interface changes to Workspace ONE UEM Launcher. You will now only be able to see the install status of Launcher in the Workspace ONE UEM console Device Details if the device is assigned to a multi-user staging user or the Launcher profile is assigned to a device. For more information, see Workspace ONE Launcher Status.
  • We've added string comparison support to Product Provisioning.
    When making an assignment rule, comparisons using the less than (<) and greater than (>) operators (and their variants) continue to only be applicable to comparisons of strictly numerical values. The new exception is when you are comparing OEM build versions, you can apply < and > operators on non-numerical ASCII strings. An example is when an OEM update filename includes hyphens, periods, and other characters together with numbers. Such assignment rules must identify a device manufacturer in the rule logic and that comparison is deemed accurate when the format on the device matches the one specified on the server.

Tunnel

  • SDK Tunneling now supports 3rd party Certificate Authorities for Client Auth.
    Tunneling with the Workspace ONE Web app or any other apps you may build with the Tunnel component in SDK natively supports the secure SCEP CA integrated into your UEM services. Now we also support your other certificate authorities for use with Tunnel. For details about embedded tunneling with Workspace ONE Web, see AirWatch App Tunnel.
  • Reach internal SMB domains from Files on iOS through the Workspace ONE Tunnel app.
    You can now access internal SMB file shares through the Files app on iOS. The app is already seeded and available for configuration through the Device Traffic Rules on the Tunnel Configuration page. For details about configuring both mobile and desktops for app-tunneling rules, see Create Device Traffic Rules.

Went live on July 20, 2020. To view full release notes with resolved issues and known issues, see 2007 Release Notes

Android

  • Turn off secure start-up when you're setting a PIN for your Android devices.
    We've added a new field to the Passcode profile which allows you to disable secure startup for users when they are setting up a PIN on Android devices. When disabled, users are not prompted for a PIN to reboot the device, and devices can still be used as shared devices without any problems. This feature also supports the Android and iOS Boxer client. For more information, see Enforce Passcode Settings.

iOS

  • Sharing iPads for line of business and other enterprise got more secure.
    Workspace ONE UEM now offers the ability to deploy Shared iPads for Business. Any compatible device enrolled via Apple Business Manager can now be deployed as a Shared iPad and create unique data partitions using their Managed Apple ID or a Temporary Session. User’s data is secured in their partition, and they will only see the apps and profiles assigned to them as they natively log in and out of the device. For more information, see Shared iPads for Business.

Certificates

  • Uploading the SMIME certificates to Workspace ONE UEM for our on-premises iOS and Android users just got even easier. Credential Escrow Gateway is now automated through Workspace ONE UEM.
    When a device is enrolled, an event is sent to your defined webhook, which tells the certificate provider to upload the user certificate to the Escrow Gateway. Once the certificate is available, the Escrow Gateway fills the profile with required information, encrypts the profile for the device, and the certificate gets deleted from the Escrow Gateway as per configured settings. For more information, see Credential Escrow Gateway.

Tunnel

  • Redirect traffic to a specified HTTPS proxy that resides behind Tunnel.
    You can now create a Tunnel connection and authenticate to an outbound proxy which is residing behind the Tunnel gateway. This feature is only supported by the Tunnel SDK on iOS as used by the Workspace ONE Web app. For more information, see Create Device Traffic Rules.

Windows

  • Disable user notifications while installing and removing applications on your Windows 10 Devices.
    When you deploy some applications, such as security, infrastructure, or frequently changing apps, you might want to prevent notifications from appearing to your end-users. You can now choose to hide the installation notifications for auto-deployed apps from the Action Center in Windows and the Installation Monitor in the Intelligent Hub and Workspace ONE app. For details, see Add Assignments and App Policies to your Win32 Applications.
  • We've updated the SCEP profile for Windows Desktop.
    To enhance our support of certificate authorities (CAs) for Windows 10, we've removed the requirement to enter an Issuer of your CA. Also, you can now use SCEP certificates that use SAN attributes with non-AirWatch Certificate Authorities. The system sends the added SAN attributes with the certificate request through the SCEP profile. Find the SCEP profile for Windows 10 devices in Devices > Profiles.
  • We've added support for Registered Mode for Windows 10 devices.
    Windows 10 devices that enroll with Workspace ONE Intelligent Hub or OOBE can also enroll without MDM management with Registered Mode. Registered Mode is also known as Management Mode and you can assign this enrollment method by organization group or by a smart group. Find the settings for Registered Mode in Devices > Devices Settings > Devices & Users > General > Enrollment > Management Mode. For details, see Enroll with Registered Mode.
  • Get your most popular enterprise applications added quickly and easily with Enterprise App Repository.
    Adding and assigning the most common Windows applications just got easier with Enterprise App Repository. For details, see Add Applications from the Enterprise App Repository.

Went live on June 17, 2020. To view full release notes with resolved issues and known issues, see 2006 Release Notes

Console

  • Console event logs now display the product name.
    Console events previously displayed only the Product ID, but now they show the product name.
  • Configurable Hint for Enrollment Log In.
    You can configure a friendly hint (or not so friendly, it's up to you) to end-users enrolling their devices. You can be as specific or generic as you like. For example, if their enrollment log in is the same as their Active Directory credentials, then say so. You can also include a link they can click to get help. This feature is currently supported by Windows devices only.
  • We now support Avi Networks (VMware NSX Advanced Load Balancer) for all Workspace ONE Services.
    We've integrated Avi Networks with Workspace ONE UEM deployments. For more information, see Avi Vantage and VMware Workspace ONE UEM.

Android

  • We've simplified your migration. You can silently and remotely migrate Zebra devices running Android 7 or later into Work Managed mode without a factory reset or a reboot.
    As we deprecate Device Administrator support, we want to provide you with easy ways to migrate your devices enrolled under Android (Legacy) to Android Enterprise. For more information, see Android Legacy Migration.
  • Gather location data without sacrificing your device battery life.
    Google has created the Fused Location Provider API. It is a simple and battery-saving location API for Android. We've added a new device setting to support this API, Location Data Accuracy, that allows you to gather location data more accurately without sacrificing battery life. For more information, see Devices & Users / Android / Hub Settings.

macOS

  • We now support MDM Bootstrap Token in macOS 10.15.
    For User Approved MDM enrolled devices on macOS 10.15 Catalina, a Bootstrap Token will be automatically generated and escrowed to Workspace ONE UEM on the next login by any user who is already SecureToken enabled. This Bootstrap Token will then be used to automatically grant a SecureToken to mobile account users and the optional managed administrator account created during Apple Business Manager enrollment. For more information, see MDM Bootstrap Token.

Mobile Content Management

  • Make use of the Device service to get the updated device status.
    To get the updated device status, use a device service endpoint instead of the existing dbo.Device table. The dbo.Device table is deprecated and is no longer updated with the device status.

Rugged

  • Introducing the Relay Server Cloud Connector.
    A Relay Server Cloud Connector (RSCC) is a hybrid solution that pulls content from a service endpoint and distributes it to your relay servers. This design initiates an outbound connection from your network to the VMware cloud to download content for distribution. Such an outbound connection represents a security advantage over other relay server designs. For more information, see Configure a Relay Server.

Windows

  • Workspace Intelligent Hub for Windows now supports enrollment with Workspace ONE Access.
    If you use Workspace ONE Access as your identity provider, you can now enroll Windows 10 devices with Intelligent Hub for Windows. When you configure the source of authentication for Intelligent Hub, select Workspace ONE Access. Configure these settings in Devices > Device Settings > Devices & Users > General > Enrollment. For details, see Configure Enrollment Option.

Went live on June 11, 2020. To view full release notes with resolved issues and known issues, see 2005 Release Notes

Android

  • We've changed the way enrollment restrictions work for Android 10+ devices.
    When you enroll Android 10 or later devices into Work Profile mode, they are held for an evaluation period until we can collect the IMEI and serial number. The UEM console lists the device as "Enrollment Pending" until it confirms whether the IMEI or serial number is whitelisted or blacklisted. This ensures that work data (apps, profiles, etc.) is not sent to an Android 10 device until Enrollment Restrictions are evaluated. For more information, see Enrollment Restrictions for Android.

iOS

  • Deploy the latest iOS 10.15.4 restrictions.
    You can now restrict access to deprecated TLS versions, shared iPad temporary sessions, iPhone setup from a nearby iPhone, and password requests from a nearby device.

macOS

  • Streamline your SSO experience with macOS Identity & Certificate Preferences.
    If you deploy multiple client certificates, your users may be prompted at times to choose which certificate they should use for authentication. With this feature available in macOS User Certificate or SCEP profile payloads, you can define URL(s) which should automatically use this certificate, so that users do not need to select it each time they access the service. For details, see Configure a SCEP/Credentials Profile.
  • Retrieving Intelligent Hub logs for macOS just got easier.
    You can now remotely request Intelligent Hub log retrieval from macOS devices for troubleshooting from Device Details. If you are facing elevated privacy policies, this feature includes an optional setting to prompt the end-user for approval before collecting and transmitting the logs. This feature requires Workspace ONE Intelligent Hub 20.05. For details, see Request Device Log.
  • Deploy the latest macOS 10.15.4 restrictions.
    You can now restrict access to deprecated TLS versions, shared iPad temporary sessions, iPhone setup from a nearby iPhone, and password requests from a nearby device.

Apple Business Manager

  • Revoke your licenses automatically when you remove an Apple Business Manager iOS app.
    Apple Business Manager licenses for iOS apps that have been allocated but manually removed by the user will be automatically revoked and available for distribution. For details, see Revoke Licenses From Uninstalled Applications.

Windows

  • We let you enter your own application version for Windows SFD applications.
    You can now edit the actual application version and the version field for SFD applications of type EXE and Zip. This new feature is applicable only when you upload a new EXE or Zip file. For all the existing applications, you can add a new application version, and the version field appears as read only for the newer version you add. For details, see Configure Win32 Files for Software Distribution.
  • Re-establish communication between Windows 10 devices and the Workspace ONE Intelligent Hub for Windows.
    Certain events can cause communication problems like HMAC errors and failed upgrades of the Workspace ONE Intelligent Hub for Windows. You can fix these communication problems with the new Repair Hub action on the Device Details page of Windows 10 Devices. You can also use this action to re-install the Hub. Find this setting in Devices > List View > select the Windows Desktop Device > More Actions > Admin > Repair Hub. For details, see Windows Desktop Device Details Page.

SDK

  • We've made changes to User Certificate Credential Source behavior for SDK-built apps.
    When users are configured to receive SMIME certificates along with their other custom SDK configurations but they don't have an associated SMIME certificate, the system no longer stops other custom SDK configurations from processing. Find Certificates for the custom SDK profile in Groups & Settings > All Settings > Apps > Settings and Policies > Profiles > Add > SDK Profile > Credentials Payload.

Tunnel

  • Android Enterprise devices now support SCEP generation of Tunnel Client certificates with key length 4096 when using the AW (Default) Certificate Authority.
    To send a Tunnel client certificate for Android Enterprise devices via SCEP, re-save your Tunnel configuration. All new certificates generated will use SCEP with the increased key length. There is no immediate impact on the devices with existing profiles.

Went live on April 3, 2020. To view full release notes with resolved issues and known issues, see 2004 Release Notes

Android

  • Control how widgets work in a Work Profile.
    The Allow apps to utilize widgets in the Work Profile restriction controls whether users can use widgets from apps added to your work profile. When enabled, you can add public app widgets. For more information, see Configuring Restrictions for Android Device with Workspace ONE UEM.
  • Apply custom filters to know how your devices are enrolled in Workspace ONE UEM.
    We've added a custom filter to the List View that quickly lets you view how your devices are being managed. The new Custom View column indicates if the device is Android (Legacy), Work Profile, COPE, and/or Work Managed. For more information, see Android Device Management.

Chrome OS

  • Want to document why a Chromebook is being enterprise wiped? Now you can.
    When you enterprise wipe a Chromebook device, a new option lets you select whether you are wiping the device for replacement or as a deprecated device. For more information, see Device Management Commands for Chrome OS Devices.

Windows

  • Dell Provisioning for VMware Workspace ONE got a new name. It's now called Factory Provisioning.
    We've updated the name of Dell Provisioning for VMware Workspace ONE to Factory Provisioning. The functionality remains the same. For more information, see Factory Provisioning.
  • We've updated the Antivirus profile for Windows Desktop.
    The Antivirus profile that works with your Windows Defender Antivirus system now includes more options. Set levels for Cloud Protection, identify potentially unwanted applications, enable tamper protection, and prompt for user consent. Find the Antivirus profile for Windows Desktop in the console at Devices > Profiles > List View. See Configure an Antivirus Profile (Windows Desktop) for details.
  • Defer your application installation during app assignment.
    You can now defer app installation during the app assignment. You can make these changes while adding app assignments and policies to your Win32 Applications. For more information, see Add Assignments and App Policies to your Win32 Applications.
    Note: App deferrals is a tech preview feature and may not be available in all environments. Consider limiting your use of this feature for testing purposes only. App deferrals must not be used in a production environment. Features are not final and are subject to change at any time.

Rugged

  • We've made a few improvements to product provisioning deactivation.
    If you find yourself in a situation where you must cancel an ongoing product provisioning deployment (due to provisioning misuse or an issue with the product content), you can use the improved deactivation flow. In addition to clearing the device command queue, cancelling the in-progress jobs and clearing commands from content service table, the new deactivate flow checks whether the product is active before processing and deletes content items from the content service table.

App Management

  • App assignment has a fresh new look.
    Check out the new assignment experience for all your apps with complete API support. We've streamlined how our app configuration works with Smart Groups. For more information, see Add Assignments and Exclusions to your Applications.
  • Configuring Workspace ONE Boxer just got easier.
    Common configurations supported by Workspace ONE Boxer can now be configured from the Apps & Books section. You can also configure Boxer for internal app deployments. For more information, see Assign and Configure Workspace ONE Boxer.
  • Configure Notebook application from the Apps & Books section.
    Configure your Workspace ONE Notebook app for both managed and unmanaged devices using the app assignment in the Apps & Books section. This new feature is available if you are using Notebook version 1.4 or later. For more information, see Assign and Configure Workspace ONE Notebook.

Content Management

  • View the exact count of Smartfolio users who acknowledged your document.
    Smartfolio users can now acknowledge the documents that you assign to them as required content. On the Workspace ONE UEM console, you can view these acknowledgments in the Content List View and the Device Details pages. For more information, see Acknowledgement in Smartfolio.

Went live on March 6, 2020. To view full release notes with resolved issues and known issues, see 2003 Release Notes

Workspace ONE UEM Console

  • See an on-screen notification if your report exceeds the size limit.
    If you request a report that is bigger than the size limit, it is now represented in Monitor > Reports and Analytics > Exports with a new status label called "File size exceeds limit". The new Exports status appears if your report needs more file space than the 4GB hard limit.
  • We've made a few updates to SAML and Directory Authentication in Workspace ONE Express.
    When setting up SAML on the Directory Services configurations page in Express, you can now export the service provider's settings without any issue. Also, directory authentication is enabled for Express organization groups, which means you can now enroll devices with directory authentication.
  • Leverage the event data to consume Workspace ONE APIs based on UUIDs.
    We've added the EnrollmentUUID and DeviceUUID attributes to event notifications. These additional identifiers are associated with the user and device.

Android

  • Retrieve feedback reported by OEM config applications for quick detection of errors.
    Use the feedback channel to get granular app feedback and troubleshooting information sent by apps. For more information, see Retrieve Feedback from OEM Config Applications.
  • Control which Google accounts can be used within the Managed Google Play Store.
    Sometimes you may want to allow people to add G-Suite accounts to access corporate email, or personal accounts (to read mail in Gmail for example) but do not want the unmanaged Google account to access an unrestricted Google Play. With the new Allowed Accounts in Google Play setting in the Restriction profile, you can choose whether to restrict or allow non-Managed Google Play Access. You can set a list of accounts people can use in Google Play. For more information, see Restriction Profile.
  • Restrict personal apps from sharing data with work applications.
    The Allow personal apps to share data with work apps setting in the Restriction profile now lets you prevent personal apps from sharing files, pictures, and data into the managed profile. For more information, see Restriction Profile.

iOS

  • Convert all your Apple Business Manager licenses in a single click.
    You can now convert any user-based licenses synced from Apple Business Manager to device-based licenses by selecting one, multiple, or all the applications for a given organization group. For more information, see Configure Licenses and Assign with Flexible Deployment.
  • Keep your custom Apple apps up to date.
    You can now enable automatic updates for Apple Custom apps synced from Apple Business Manager. Any device that reports an app that is not on the latest version will have the app updated automatically.
  • Remote Assist Process Streamlined in Device List View and Details View.
    It now takes fewer clicks to start a Remote Assist session on a qualifying device from the UEM console's Device List View and Details View. Your remote sessions for troubleshooting and performing advanced configurations on devices in your fleet are initiated swiftly because you select the specific Remote Assist client tool before you connect. For more information, see Device List View.

Windows

  • Get access to your BranchCache performance data from both the device and the server.
    The new Peer Distribution Panel under Apps & Books > Native > List View > Application Details gives you a heads-up on the number of devices that have downloaded the application using peer distribution, the amount of data downloaded, and the source of the downloaded data. The application Devices tab now gives you individual BranchCache performance data for each of your devices. For more information, see Device List View.
  • The communication resiliency for Windows 10 got better with automatic HMAC recovery.
    Workspace ONE UEM automatically checks the HMAC on Windows 10 devices. If the system identifies a corrupt or missing HMAC, it triggers an HMAC recovery. The recovery is sent through the native OMADM channel to the Workspace ONE Intelligent Hub to re-establish communication.
  • Keep your apps installed on your devices.
    With the new Desired State Management setting, you can now protect your managed apps from removal from your devices. For more information, see Add Assignments and App Policies to your Win32 Applications.
  • Deploy profiles with the new Windows - AAD Enrolled smart group category.
    Use the new Windows - AAD Enrolled category in smart groups when you want to exclude or include Windows 10 devices depending on their management status. For example, configure the General payload of a Credentials profile to exclude a Windows - AAD Enrolled smart group so you can deploy certificates to managed devices but not to OOBE devices. When creating smart groups, find the new Windows - AAD Enrolled category in Criteria Type > Enrollment Category. When configuring profiles, go to the General payload and select the group with Windows - AAD Enrolled configured for Smart Groups or enable Exclusions and select the same for Excluded Groups.
  • We've updated the integration of the Dell Command | Update (DCU) with the Workspace ONE UEM console that provides command-line interface (CLI) capabilities and aligns with the latest DCU 3.1 release from Dell.
    We've updated the integration of the Dell Command | Update with the Workspace ONE UEM console that provides command-line interface (CLI) capabilities. With the new version of Dell Command | Update, we'll have a few workarounds and scripts that maintain CLI use. Watch VMware's Tech Zone (https://techzone.vmware.com/) for news about the integration and next steps.

Content Management

  • Automate your content gateway settings in the UEM Console.
    Now you can create configuration files in the UEM console for UAG deployment. These files simplify deploying your content gateway servers through UAG. For more information, see Configure Content Gateway on the UEM Console.

Rugged

  • Android Application Provisioning Supports Per-App VPN.
    Per-App VPN is now supported for provisioning applications to Android devices. When you configure an Android app to be provisioned with the per-app VPN option, a VPN automatically connects when that Android app is launched and routes all the app traffic through the VPN. For more information, see Create a Product.
  • Product Provisioning Now Supports CDN.
    The struggle for bandwidth in your provisioning environment just got a little easier now that support for Content Delivery Networks (CDN) has been introduced. With this option enabled and configured, CDN can lighten the distribution of product loads to offload traffic from your network. For more information, see Configure a CDN for Provisioning.

Tunnel

  • Configure detailed Unified Access Gateway settings from the UEM console.
    You can now set advanced configuration settings for the Tunnel gateway directly from the UEM console without needing to log in to your UAG servers. For more information, see Configure Per-App Tunnel.

Went live on February 26, 2020. To view full release notes with resolved issues and known issues, see 2001 Release Notes

Workspace ONE UEM Console

  • Apply as many filters as you like with the new device filter.
    We've greatly improved the way filtering works on devices in the Device List View. You can now apply as many filters as you like and the device listing does not update until you select the Apply button. This saves you time waiting for the console to update with each filter selection.
  • Presenting Terms of Service (TOS) agreement for our SaaS customers.
    SaaS customers logging in to the console for the first time are now presented with a Terms of Service (TOS) agreement for VMware Cloud Service Offerings. After acceptance, subsequent logins by any administrator are not presented with the same TOS. For details about the contents of the agreement, see VMware Cloud Service Offerings.
  • View all your managed devices connected with the same Wi-Fi router in the Device List View Custom Layout.
    You can now include the Service Set Identifier (SSID), known commonly as the Wi-Fi network name, in the Device List View. This new column makes it easy to show all managed devices connected with the same Wi-Fi router. Enable this new column by selecting the custom layout option and select SSID from the list of available columns.
  • Your reports no longer consume excessive disk space.
    A hard limit of 4 GB has been placed on the size of your Workspace ONE UEM reports. This limit prevents potentially excessive processing cycles devoted to creating oversized reports. For more information, see Generate Reports.
  • It’s time to upgrade your .NET Framework to 4.8.
    For the VMware AirWatch Cloud Connector to auto-update, servers that have ACC installed need .NET Framework 4.8.

Android

  • Enroll and manage your GMS and non-GMS Work Managed devices within the same organization group.
    To avoid having to create several organization groups to manage GMS and non-GMS devices, we've updated our QR code enrollment to include an option that forces AOSP/Closed Network Enrollment. When this is enabled in the QR code enrollment settings, your device enrolls as AOSP/Closed Network, regardless of the Work Managed Enrollment Type set in the Android enrollment settings. For more information, see Generate a QR Code Using the Enrollment Configuration Wizard.

Chrome OS

  • Start configuring, renewing, and revoking your certificates from the UEM console.
    With the Workspace ONE UEM Extension for Chrome OS, you can fully manage user and device level certificates. For more information, see VMware Workspace ONE UEM Extension for Chrome OS.

iOS

  • Update your Apple Custom apps with a single click.
    You can now push updates to Apple Custom apps that are out of date.

Windows

  • Define your Baseline assignments with the new Exclusions feature.
    You can now exclude specific smart groups from assignment when assigning Baselines to your Windows 10 devices. This feature allows you to assign the Baseline to a large smart group and then refine the assignment to exclude specific, smaller smart groups.
  • Ensure your data is protected on Windows 10 devices even after a device wipe.
    The Encryption profile now supports keeping the system encrypted at all times. This includes after you remove the profile, wipe the device, or experience any break in communication between Workspace ONE UEM and your Windows 10 devices.

Went live on December 10, 2019. To view full release notes with resolved issues and known issues, see 1912 Release Notes

Workspace ONE UEM Console

  • VMware Identity Manager is now Workspace ONE Access.
    Our Intelligent Access for the Digital Workspace is now called Workspace ONE Access.
  • We've enhanced the console response for deleted devices.
    When you delete a device from the console, the response you see no longer conceals the device's friendly name, allowing you to identify it.
  • It’s time to upgrade your .NET Framework to 4.8.
    For the VMware AirWatch Cloud Connector to auto-update, servers that have ACC installed need .NET Framework 4.8.
  • The System help page under All settings > Admin > Diagnostics lost its home. But we’ve made sure to retain some of the functionality it served for the cloud connector.
    You can now check the cloud connector status by using Test Connection. It gives you the same information as the System health check page did.

Android

  • PIV-D Manager is not limited to Android Legacy devices anymore. PIV-D Manager now supports Android Enterprise devices.
    Push the PIV-D Manager to your Android Enterprise deployment. Use it with Workspace ONE Boxer, Web, Wi-Fi, and VPN systems along with your derived credential provider. This iteration does not support using Gmail with derived credentials on Android Enterprise. For details, access Use Profiles to Control How Android (Enterprise) Devices use Derived Credentials Certificates.

iOS

  • Keep your iOS devices up to date and running the latest, feature-rich iOS releases.
    Manage the operating system updates of your iOS devices with the new Updates framework. With the new framework, you can force devices to download and install any iOS update available for the device. You can also notify users when each step finishes. A new reporting dashboard allows you to track the rollout of each update to your devices and drill into specific devices for a more detailed list of updates for the device.
  • Experience a modern UI for User Enrollment and Custom Enrollment.
    Users enrolling with the newly released User Enrollment for BYOD and Custom Enrollment for devices added to Apple Business Manager will experience a modern and refreshed interface to align with Workspace ONE Intelligent Hub's enrollment view.
  • Provide additional controls to your corporate iOS 13+ devices for Wi-Fi and the Files app.
    You can now force on Wi-Fi for iOS 13 supervised devices as well as prevent connections to network drives from the Files app in the Restriction Profile.
  • Better deploy Custom Apps by seeing rich metadata in the Workspace ONE UEM console.
    You can now automatically sync in the metadata for Custom Apps being added via integration to Apple Business Manager, similar to how this is done for public apps. For more information, see Activate Management of Custom Applications.

macOS

  • HelpDesk support just got easier with the cross-platform remote assist solution.
    Workspace ONE Assist is now available for macOS. For more information, see Remote View.
  • Enhanced security for managing the local admin account with a unique randomized password for each device that can be viewed in the admin console.
    We've improved security for managing the local admin account on macOS. Workspace ONE UEM also takes it a step further and automatically triggers a password rotation in 8 hours of when someone attempts to view the password in the console for a particular device.
  • We now automatically remediate devices missing the required certificates.
    We've improved the desired state management of macOS certificates by automatically remediating devices missing required certificates. To know more, see Certificate Profile Resiliency.

Windows

  • Control when your Windows 10 devices update with the improved Windows Update profile.
    We've enhanced the Windows Update profile to improve the user experience. We've condensed some fields, removed legacy options, and reorganized the layout a bit. We've also added the new Active Hours Maximum option that allows you to limit the number of active hours for device updates. You can also set reboot deadlines based on the type of update with the Engaged Restart Deadline options.
  • Creating Baselines is easier with our improved UI.
    We've improved the user experience for creating Baselines. Navigate custom policies easier with the new vertical layout. Reviewing additional policies is easier with the new collapsible layout.
  • Know the build your Windows 10 devices are using.
    We've improved the Device Details page to show the latest patch version or 4th decimal of the OS version of your Windows 10 devices under the Build Number field.

App Management

  • We've stopped collecting personal app information from your devices, even while enforcing app compliance or app control policies.
    We've made some changes to the personal app information collection when you set the privacy policy as 'Do not collect'. For more information, see the Impact of Privacy Settings on the Application List Compliance and Application Control profile.
  • We’ve improved the user experience for all your Windows app installations.
    You can now choose to defer reboots until a more convenient time, or install multiple applications and reboot once they have all installed. For more information, see Device Restart.

Content Management

  • Managing your existing Manual Templates just got easier.
    You can now add links to an existing template.

Email Management

  • Rotate your G Suite password without the hassle.
    Rotate the Google Suite password for G Suite user accounts without having to enroll or unenroll a device.

Rugged

  • We've added support for domain usernames in Stage Now relay server credentials.
    You can now use domain-based usernames to authenticate Stage Now relay servers. Accepted formats for domain usernames are username@domain and domain\username. For more information, see Step 3 in Zebra Stage Now Special Characters, Android.
  • We're making your VMware launcher experience as close as possible to that of the native launchers. Pin icons to the hot seat bar and vice versa while using Workspace ONE Launcher.
    Add an app to the bottom bar while using Workspace ONE Launcher. This bar remains visible as users swipe to different launcher screens.

Compatibility Matrix

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components.

End of Support Announcements

Workspace ONE UEM console Release and End of General Support Matrix provides the general availability, end of availability, and end of support dates for all Workspace ONE UEM console releases.
