To view full Release Notes with Resolved Issues and Known Issues, see 1912 Release Notes

Workspace ONE UEM Console​

• VMware Identity Manager is now Workspace ONE Access.
  Our Intelligent Access for the Digital Workspace is now called Workspace ONE Access.
• We've enhanced the console response for deleted devices.
  When you delete a device from the console, the response you see no longer conceals the device's friendly name, allowing you to identify it.
• It’s time to upgrade your .net framework to 4.8.
  For the VMware AirWatch Cloud Connector to auto-update, servers which have ACC installed needs .NET Framework 4.8.
• The System help page under All settings > Admin > Diagnostics lost its home. But we’ve made sure to retain some of its functionality it served for the cloud connector.
  You can now check the cloud connector status by using Test Connection. It gives you the same information as the System health check page did.

Android

• PIV-D Manager is not limited to Android Legacy devices anymore. PIV-D Manager now supports Android Enterprise devices.
  Push the PIV-D Manager to your Android Enterprise deployment. Use it with Workspace ONE Boxer, Web, Wi-Fi, and VPN systems along with your derived credential provider. This iteration does not support using Gmail with derived credentials on Android Enterprise. For details, access Use Profiles to Control How Android (Enterprise) Devices use Derived Credentials Certificates.

iOS

• Keep your iOS devices up to date and running the latest, feature-rich iOS releases.
  Manage the operating system updates of your iOS devices with the new Updates framework. With the new framework, you can force devices to download and install any iOS update available for the device. You can also notify users when each step finishes. A new reporting dashboard allows you to track the rollout of each update to your devices and drill into specific devices for a more detailed list of updates for the device.
• Experience a modern UI for User Enrollment and Custom Enrollment.
  Users enrolling with the newly released User Enrollment for BYOD and Custom Enrollment for devices added to Apple Business Manager will experience a modern and refreshed interface to align with Workspace ONE Intelligent Hub's enrollment view.
• Provide additional controls to your corporate iOS 13+ devices for Wi-Fi and the Files app.
  You can now force on Wi-Fi for iOS 13 supervised devices as well as prevent connections to network drives from the Files app in the Restriction Profile.
• Better deploy Custom Apps by seeing rich metadata in the Workspace ONE UEM console.
  You can now automatically sync in the metadata for Custom Apps being added via integration to Apple Business Manager similar to how public apps are achieved. For more information, see Activate Management of Custom Applications.

macOS

• HelpDesk support just got easier with the cross-platform remote assist solution.
  Workspace ONE Assist is now available for macOS.For more information, see Remote View.
• Enhanced security for managing local admin account with a unique randomized password for each device that can be viewed in the admin console.
  We've improved security for managing local admin account on macOS. Workspace ONE UEM also takes it a step further and automatically triggers a password rotation in 8 hours of when someone attempts to view the password in the console for a particular device.
• We now automaticaly remediate devices missing the required certificates.
  We've improved the desired state management of macOS certificates by automatically remediating devices missing required certificates. To know more, see Certificate Profile Resiliency.

Windows

• Control when your Windows 10 devices update with the improved Windows Update profile.
  We've enhanced the Windows Update profile to improve the user experience. We've condensed some fields, removed legacy options, and reorganized the layout a bit. We've also added the new Active Hours Maximum option that allows you to limit the number of active hours for device updates. You can also set reboot deadlines based on the type of update with the Engaged Restart Deadline options.
• Creating Baselines is easier with our improved UI.
  We've improved the user experience for creating Baselines. Navigate custom policies easier with the new vertical layout. Reviewing additional policies is easier with the new collapsible layout.
• Know the build your Windows 10 devices are using.
  We've improved the Device Details page to show the latest patch version or 4th decimal of the OS version of your Windows 10 devices under the Build Number field.

App Management

• We've stopped collecting personal app information from your devices, even while enforcing app compliance or app control policies.
  We've made some changes to the personal app information collection when you set the privacy policy as ‘Do not collect'. For more information, see the Impact of Privacy Settings on the Application List Compliance and Application Control profile.
• We’ve improved the user experience for all your Windows app installation.
  You can now choose to defer reboots until a more convenient time, or install multiple applications and reboot once they have all installed. For more information, see Device Restart.

Content Management

• Managing your existing Manual Templates just got easier.
  You can now add links to an existing template.

Email Management

• Rotate your G Suite Password without all the hassle as before.
  Rotate the Google Suite password for G Suite user accounts without having to enroll or unenroll a device.

Rugged

• We've added support for domain usernames in Stage Now relay server credentials.
  You can now use domain-based usernames to authenticate Stage Now relay servers. Accepted formats for domain usernames are username@domain and domain\username. For more information, see Step 3 in Zebra Stage Now Special Characters, Android.
• We're making your VMware launcher experience as close as possible to that of the native launchers. Pin icons to the hot seat bar and vice versa while using Workspace ONE Launcher.
  Add an app to the bottom bar while using Workspace ONE Launcher. This bar remains visible as users swipe to different launcher screens.

Workspace ONE UEM Console​

• We've made enhancements to the /users/ API.
  The GET /users/{uuid} and POST /users/ APIs now include new attributes such as aadMappingAttribute, department, employeeIdentifier, costCenter, customAttribute1, customAttribute2, customAttribute3, customAttribute4, and customAttribute5.
• We've added a new API that automatically syncs User groups and Admin groups into the Console from the Active Directory or LDAP.
  Previously, administrators had to manually log in to the console to perform a group sync. We now have an API for the group sync action that enables automation. The new GET /GroupSyncActions/{uuid} API grabs the approval status of a group with the access token and a link to merge that group. The result also includes the details of members added to and removed from the group. The new POST /GroupSyncActions API merges the User groups or the Admin groups that are in the "Approval Request Pending" state.

Android

• Display a personalized message when removing a work profile on an end user’s device.
  You can now choose to show your end-users a personalized message when you decide to remove a work profile.
• We've increased security around non-strong authentication methods and passcode change notifications.
  The Passcode profile provides better security around non-strong authentication methods and passcode change notification.The Passcode Required Range lets you specify how much time elapses after the device has been unlocked with the non-strong authentication before the user is prompted to enter the passcode. The Passcode Change Alert text box lets you specify the amount of time prior to the passcode expiration that the user is notified to change their passcode.
• We've upgraded the Launcher profile with additional configurations.
  You can now enable/disable Home and enable/disable Keyguard option in the Android Enterprise Launcher Profile.

Chrome OS

• Securely manage user and device level certificates with the Workspace ONE UEM Extension for Chrome OS.
  The Workspace ONE UEM Extension for Chrome OS automatically installs on managed devices to provide secure provisioning of both user and device-based Microsoft ADCS certificates,and seamless connectivity to WiFi and web applications. Additionally, direct communication with the UEM console enables a faster device sync after enrollment and enhanced device visibility.
• Remotely disable devices that have been lost or stolen with Lost Mode for Chrome OS.
  Lost mode for Chrome OS allows you to remotely disable devices that have been lost or stolen, and allows them to set a custom message displayed on the lock screen through the Chrome OS device profile. While disabled, the device cannot be used for any purpose. Devices can be re-enabled remotely once they are found.

iOS

• Empower your apps with additional capabilities by remotely associating domains.
  Configure any domains that need association with their in-house or the third-party apps without manually including them in the app's entitlements file. This association can be used for advanced capabilities like SSO extension, universal links, and shared credentials. To know more, see Add Assignments and Exclusions to Applications.
• Avoid the delays of accepting prompts and quickly get your students engaged with their apps.
  Students with Managed Apple IDs created in the Apple School Manager are no longer required to accept any prompts to install apps and books. Workspace ONE silently accepts these prompts on the Managed Apple ID's behalf with no admin interaction.
• Take advantage of the latest communication standards for Apple Push Notifications.
  Communicate with Apple devices over HTTP/2 for Device Management and delivering push notifications to VMware Productivity Applications.

Windows

• Use Sensors to monitor your 64-bit Windows 10 devices.
  Sensors for Windows Desktop Devices now supports controlling when PowerShell scripts execute based on the device architecture. You can limit a script to 32-bit or 64-bit only or force a script to run as 32-bit regardless of the device architecture. This enhancement reduces errors when using Sensors for 64-bit devices.
• Know how your devices comply with your Baselines.
  The UEM console now reports a device's compliance to a specific Baseline. See the current compliance status of devices to the published policies of a baseline. Baseline compliance reporting uses a 15% compliance threshold before marking a device non-compliant.
• Our Smart Groups are not just smart, they are flexible too. Start creating OEM-specific Smart Groups for your Windows Desktop Devices.
  We've added Windows Desktop OEM and Model Support to Smart Groups.
• We’re working on a technical preview for Digital Employee Experience Management for Windows 10 deployments.
  Digital Employee Experience Management is a collaboration between Workspace ONE UEM and Workspace ONE Intelligence. With this feature enabled, the Workspace ONE Intelligent Hub for Windows sends telemetry data to Intelligence about OS and app stability and usage.
  In a soon-to-be-released version of Intelligence, you can see your data in dashboards to know what is working and what needs fixing. Use the dashboards to focus on specific analytics and use automations to mitigate possible issues and to fix problems when they happen.
  If you’re interested in starting to collect data, call your customer service representative to turn on this feature.

App Management

• Experience consistent application status tracking on all your devices.
  We've enhanced different areas of the UEM console that deal with application deployment monitoring. The Workspace ONE UEM console now monitors apps and provides detailed application status based on the device reports and logs the actions taken in the UEM console.

Tunnel

• We've added Device Traffic Rules support for Workspace ONE Tunnel on macOS.
  Create granular policies for use-cases like split-tunneling and domain filtering for macOS applications. Add apps and policies from the Tunnel's Device Traffic Rules and deliver them as a part of existing profiles.

Workspace ONE UEM Console​

• Participate in VMware's Customer Experience Improvement Program (CEIP).
  Workspace ONE UEM is now a participant of VMware's Customer Experience Improvement Program, which seeks to improve its products and services, to fix problems, and to advise you on how best to deploy and use our products.  As part of the CEIP, VMware collects the technical information about your organization’s use of VMware products and services regularly in association with your organization’s VMware license key(s).  This information does not personally identify any individual. For details regarding the CEIP, visit the Trust & Assurance Center at http://www.vmware.com/trustvmware/ceip.html.
• Automatic retry makes for a robust profile installation experience. 
  We've added a new retry logic for profiles that fails to install on your devices. The new logic retries to install the profiles when your devices check-in.
• Meet the newly designed Message Templates.
  The redesigned Message Templates now provides a better globalization experience. With the new system, admins using message templates only see templates for the active language. For example, if an admin uses the Workspace ONE UEM console with Japanese, they will only see Japanese message templates.
• Keep close tabs on your shared devices with the new API event notification for check-in/check-out.
  We've added an API event notification that allows you to see when shared devices check-in/check-out. The event notification enables you to recognize usage patterns and help you keep tabs on these multi user devices. 
• UEM notifications available as messages within Intelligent Hub are now available under Notifications. 
  If you have activated Workspace ONE Intelligent Hub Services and enabled Notifications capability, UEM notifications, such as Compliance issues, will be sent through the Notifications Service. This enhancement allows your employees to get all their notifications within the Intelligent Hub notifications page thereby providing a consistent experience. You no longer have to go to Accounts > This Device > Messages page within Intelligent Hub app to view UEM related notifications.

Chrome

• Introducing the all new Dell Profile for your Dell-specific management capabilities. 
  With the launch of the Dell Enterprise Chromebook line, Dell has introduced some Dell-specific management capabilities with the new Dell Profile (Chrome OS). 

iOS

• Tighten your security posture with new USB drive access controls.
  You can now prevent the USB drive access to Files on iOS 13+ devices in the Restriction Profile. 
• Specify how your iOS 13+ devices handle network traffic with the VPN profile.
  You can now set domains that Mail, Contacts, and Calendar accounts automatically connect to. Also, you can direct how the Virtual Private Network (VPN) client includes or excludes local network traffic.
• Control how Voice Control works for iOS 13+ devices running in Single App Mode.
  Prevent or allow Voice Control capabilities for iOS 13+ devices when configuring the Single App Mode profile. 
• Bring SSO functionality to your apps with the SSO Extension profile.
  The new Single Sign-On Extension profile for iOS 13+ devices let you provide targeted URLs for both redirect and credential-based SSO.
• Customize the enrollment experience for devices synced from Apple Business Manager. 
  Deploy devices synced from Apple Business Manager (formerly DEP) with a set of customizable, branded web screens. These screens offer custom enrollment with advanced enrollment actions such as modern auth, multi-factor auth, and EULA acceptance.
• We support a new privacy focused enrollment method that protects your personal data while still providing enterprise resources.
  Enroll all your iOS 13+ devices using Managed Apple IDs created in Apple Business Manager through federation to Azure AD. User Enrolled devices provide enhanced privacy focus that separates managed data from personal while still providing the core management capabilities such as installing apps, configuring Wi-Fi, and passcode requirement.
• Refresh your eSIM configuration.
  Request iOS 13+ devices to refresh the eSIM configuration for a specific carrier by making changes in the Device Details page.  

macOS

• Streamline the Setup Assistant experience with our new primary user account customization options. 
  Customize the primary user account information created in Setup Assistant on macOS 10.15 Catalina devices during an Automated Enrollment through Apple Business Manager. Make these changes when you create or edit the DEP Enrollment profile. 

• Bring SSO and AD password syncing on your devices with the SSO Extension profile. 
  Configure app extensions that perform single sign-on with either the Generic or Kerberos SSO extension on macOS 10.15 Catalina devices with the SSO Extension payload. 

• Simplifying your user experience by automating new System Extensions approval. 
  Control restrictions and settings for apps that use System Extensions by configuring the System Extensions profile. 

• Prevent data leakage with the new Handoff restriction.
  Restrict  the ability to use Continuity Handoff capabilities on Macs running 10.15 by configuring the Handoff key in the Restrictions profile. 

• Monitor the Secure Boot and External Boot statuses to ensure only approved operating systems can run. 
  View the Secure Boot and External Boot status for the Macs running 10.15 Catalina in the Device Details page. 

Mobile Content Management

• Content Locker gets a new name. Let's welcome Workspace ONE Content.
  Workspace ONE Content has all the same functionality as Content Locker, but with a new name. To learn more, see VMware Workspace ONE Content. 

Rugged

• Keep Honeywell Android device enrollment simple with the Barcode Enrollment.
  You can simplify the enrollment experience for your users with the barcode enrollment for Honeywell Android devices. Users simply scan the barcode to enroll the devices

Windows

• Everything is better together with Dell and the new Dell BIOS Attestation.
  Protect your Dell Windows Desktop Devices with the new Dell BIOS Attestation. This service analyzes the BIOS of your Dell devices and reports the status of the BIOS to Workspace ONE UEM. Using Workspace ONE UEM compliance policies, you can act quickly to reduce the risk a compromised device poses to your network.

Workspace ONE Express

• Learn more about upgrading to Workspace ONE UEM.  
  You now have a simple path to understand what upgrading to Workspace ONE UEM can do for your organization. Get access to helpful videos, live demos, and documentation of Workspace ONE UEM's full feature set, not to mention an easy upgrade path for when you make the switch.
• We've made migrating your legacy Android devices to the Android Enterprise easy. ​Try our new Android Migration Tool for Express.
  The Android Migration Tool walks you through the process step-by-step. Once you register Workspace ONE Express with Google as your Enterprise Mobility Manager, you can migrate your legacy Android devices. 
• Troubleshooting your problematic devices got easy with the introduction of the Troubleshooting tab on Device Details. 
  Troubleshooting tab displays the Event Log and Commands listings including a filter and search capabilities, enabling you to perform troubleshooting on the device. To learn more, see Troubleshooting tab on Device Details

Android

• Enroll devices into Android Enterprise Work Managed mode without a managed Google account. 
  You can Enroll devices into Android Enterprise Work Managed mode without a managed Google account under the following circumstances:
  • When you do not have connectivity to Google.
  • When you are operating on a closed network.
  • When your devices do not contain Google services (AOSP/Non-GMS).​ 
    The Android EMM Registration page now includes an option to select AOSP Closed Network as the Work Managed Enrollment Type. To learn more, see Android Device Enrollment. 
• We allow Passcode reset on your work profile devices running Android 8.0+.
  You can now select the Clear Passcode and Reset Passcode commands for Work Profile devices running Android 8.0+. Clear Work Passcode removes the work security challenge on the device and the Reset Work Passcode prompts you to enter a new passcode. 
  To learn more, see  Device Management Commands.

iOS

• We've added new network usage rules payload keys for all your iOS 13 devices.
  Set up the Wi-Fi assist capabilities of targeted physical and eSIM cards for iOS 13 devices.
  To learn more, see Configuring Network Usage Rules Profile. 
• Skip all newly added Setup Assistant screens for iOS 13 devices.
  We let you skip newly added Setup Assistant screens for iOS 13 devices added to Apple Business Manager.
  To learn more, see Complete the DEP Enrollment Profile. 
• We've added new Restrictions payload keys for iOS 13 devices.
  Prevent Wi-Fi toggling, QuickPath keyboard, Find My Friends, and Find My Device on iOS 13 devices. Also, we've added several existing options that requires supervision such as restricting Camera, Safari, iCloud backup, and explicit content.
  To learn more, see Restriction Profile Configurations. 
• Stop the user toggle of the native Mail, Contacts, Calendar, Reminders, and Notes apps separately. 
  We've added new Exchange payload key for iOS 13 devices that allows configuring and preventing the user toggle of the native Mail, Contacts, Calendar, Reminders and Notes apps separately. 
  To learn more, see Configure EAS Mail Profile for the Native Mail Client. 

macOS

• Our first look of macOS 10.15 Catalina is ready.
  We've completed the first phase of support for macOS 10.15 Catalina that includes Supervision status, Privacy Preferences profile updates, Associated Domains profile, and the ability to extract private keys of certificates deployed via Credentials payload.
  To learn more, see: 
  • Configure a Privacy Preferences Control Profile. 
  • Device Details Page for macOS Devices.
  • Configure Associated Domains Profile. 
  • Configure a SCEP/Credentials Profile. 
• Skip all newly added Setup Assistant screens for macOS Catalina devices.
  We let you skip newly added Setup Assistant screens for macOS Catalina devices added to Apple Business Manager.

Windows

• Simplify your peer distribution with the new Windows Desktop profile.
  We've moved the Workspace ONE Peer Distribution from Groups & Settings to a Device Profile for Windows Desktop. The new profile for Windows Desktop devices simplifies configuring the Workspace ONE Peer Distribution settings.
  Workspace ONE Peer Distribution now supports Distributed, Hosted and Local BranchCache modes along with additional configuration settings such as disk space percentage and max cache age.
  To learn more, see Peer Distribution with Workspace ONE. 
• Provision your Windows 10 devices yourself with encrypted custom PPKGs.
  PPKGS allow you to provision your Windows 10 devices with the apps, profiles, and enrollment credentials you use. You can use this provisioning package as part of the Windows 10 Out of the Box Experience or later after the device is set up.
  To learn more, see Create a Provisioning Package for Windows 10 Devices. 
• Springing from a partnership with Dell, VMware announces Workspace ONE Express+.
  Workspace ONE Express+ is a light management solution for small and mid-size businesses bringing support for Windows 10 devices and Office365 apps.​

Workspace ONE Express

• Register your Google account with Workspace ONE Express and welcome devices with Android Enterprise.
  Workspace ONE Express now supports Android Enterprise, including support for Work Profile and Work Managed enrollment types, as well as support for Managed Google Play, Android Enterprise policies, and resources. Express support for Android Legacy continues unchanged.
  To learn more, see Enrollment. 
• Workspace ONE Express now lets you add an application catalog to the home screen of your devices.
  When you set up Workspace ONE Express, you are now offered the chance to add an application catalog to the home screen of your devices. This option makes it easy to ensure your devices can download the optional apps you assign to them.
  To learn more, see Express Setup. 

Workspace ONE UEM console

• We've improved logging back into the console after your session times out.
  The console now remembers whether you are a SAML or non-SAML user. When timed-out, SAML users can log back in without any clicks. Non-SAML users, with a remembered user name and password, see their credentials auto-populated on the screen and can log back in with one click. This improvement is enabled by default.
  To learn more, see Logging In to the UEM Console. 
   
• Know if your APNs certificates are connecting over the HTTP/2 protocol.
  We've given you an option to manually conduct the test and check whether your APNs certificates are connecting over the HTTP/2 protocol. 
  To learn more, see Checking APNs Connectivity over HTTP/2 Protocol.
   
• Device tags no longer show the tag color and the tag type in the console.
  Options for the device tag color and the device tag type are removed from the console.
   
• Unassign a device tag from multiple devices in a one sitting.
  You can now unassign device tags from multiple devices at the same time.
  To learn more, see Unassign Tags from Multiple Devices.
   
• We offer a simplified integration with Adaptiva to support your peer-to-peer software distribution deployments.
  Workspace ONE UEM supports a new version of the Adaptiva server. For all existing customers, Workspace ONE UEM still supports the previous version of the Adaptiva server. To use the new integration, update your Adaptiva server and your AirWatch Cloud Connector to version 1907.
  To learn more, see Configuring Peer Distribution Software Setup with Adaptiva. 
   
• AirWatch Express got a new name. It's now called Workspace ONE Express.
  Workspace ONE Express has all the same functionality as AirWatch Express, but with a new name. 
  To learn more, see Introduction to Workspace ONE Express.
   
• We've improved privacy by adding a location data question to Workspace ONE Express.
  Privacy is important to our customers. Selecting Yes in the Getting Started survey prompts the user on their device if they choose to share the location data. If the user declines, then location data is not collected.
  To learn more, see Express Setup Survey.
   
• Get a better idea of the batch import task status in Workspace ONE Express.
  You can now see the status of batch import tasks. Navigate to Accounts > Users > Batch Status to see the status of the batch import jobs you have already initiated.
  To learn more, see Batch Import Users or Devices.
   
• Make the most out of your Telecom List View page with the new export option.
  We've given you an option to export your usage and roaming details in CSV and XLSX formats. The exported file is available for download in the Monitor > Reports and Analytics > Exports page. 
  To learn more, see Plan Usage Details for Telecom Assets.
   
• We've enhanced our directory user status synchronization logic.
  The status of Administrator and Enrollment user accounts in the UEM console now syncs correctly with deactivations made to your Active Directory service provided the following assumptions. The user named in the Bind User Name option, located in Groups & Settings > All Settings > System > Enterprise Integration > Directory Services in the Server tab, must have Active Directory administrator privileges. The recycle bin must also be enabled using the Active Directory Administrative Center.
  To learn more, see Directory User Status Syncing.
   
• LDAP configuration validation is now more comprehensive. Validate your LDAP configuration directly from the console. 
  Administrators can now, at the time of Directory Services setup, validate directory users and user groups, and their attributes, even before adding them to the UEM Console. The enhanced capability helps avoid bad configurations that might arise due to incorrect Directory Services setup.
  To learn more, see Map Directory Services User Information.
   
• The Settings tab is removed from the Global Search results, which speeds up the search.
  If you choose to search for settings, initiate a search from the Configurations page. Navigate to Groups & Settings > Configurations and enter a keyword in the search text box.

Android

• The configuration experience for Android public apps now lets you set up complex configurations supported by the OEM.
  Our new updates include:
  • Support for nested bundle arrays.
  • A better and simplified design with useful tooltips. 
  • Choose to leave the unused application configuration options blank instead of deleting them from the UI.
    ​To learn more, see Assigning Applications for Android.
• We've added programmatic migration workflows for moving your devices on legacy device administration to Work Profile.
  Migrate from your Android (Legacy) deployment to Android Enterprise(Formerly Android for Work) to gain more control and consistency across all OEM devices with the improved security and a better overall experience for employees with BYOD devices.
  To learn more, see  Android (Legacy) Device Administrator Migration. 
   
• The improved Passcode profile provides better support for the native Android functionality.
  The Passcode profile for Android has been updated to support native features for Android 9.0. You can now: 
  • Force a separate passcode for the Work and personal side of the device.
  • Increased the maximum amount of days for password expiration from 180 to 9999.
  • Set additional biometric passcode options. 
    To learn more, see Enforce Passcode Settings (Android ).
• Keep your Work Managed and Corporate Owned Personally Enabled devices secure with an initial passcode.
  With the Set Initial Passcode option in the Passcode profile, you can now set an initial passcode at the device level on all deployed devices. After the deployment, it is possible to reset the passcode at the device level.
  For more information, see Enforce Passcode Settings (Android) Enforce Passcode Settings (Android ).
   
• The QR Code wizard now gives you more flexibility with system apps during device enrollment. 
  For all your work-managed devices, enable system apps to keep non-critical system applications installed on your work-managed device, or select disable to remove these apps.
  To learn more, see Generate a QR Code Using the Enrollment Configuration Wizard.

Chrome OS

• Provide beta or development versions of Chrome OS and test the pre-release versions prior to general availability​.
  Determine if the devices will receive beta, development, or production builds of Chrome OS with the Release Channel field in the System Updates profile. This is useful for testing builds before pushing updates to your entire device fleet.
  To learn more, see Configure System Updates Profile(Chrome OS).

iOS

• Enable data protection for your devices at all times. 
  We now give you an option whether or not to clear the device passcode when checking in a shared device.
  To learn more, see Configure Shared Devices. 
• Automatically convert on-demand apps to managed, if you choose to enable "Make App MDM Managed if User Installed". 
  If you now install an app as unmanaged (e.g. through the App Store), the console automatically converts the app to managed when the Make App MDM Managed if User Installed setting is enabled regardless if the App Delivery Method is automatic or on demand. 
  To learn more, see Add Assignment and Exclusions to applications. 

macOS

• Rotate your recovery keys on-demand for better security compliance.
  A new security enhancement is added to the Device Details and Self Service Portal where the FileVault Personal Recovery Key (PRK) is automatically rotated 15 minutes after it is accessed by the user or the administrator.
  To learn more, see Personal Recovery Key Rotation. 
   
• Control the restrictions for Smart card pairing on macOS 10.12.4 and later devices.
  We've now added a new profile payload to configure the settings and restrictions for the Smart Card usage.
  To learn more, see  Configure a Smart Card Profile. 
   
• Restrict or allow capturing of screen recordings and screenshots.
  We added a new restriction key that disables the user's ability to take screenshots of the display or capture a screen recording.
  To learn more, see Configure a Restrictions Profile. 

Mobile Content Management

• Select multiple files and delete them at the same time using the AirWatch Managed Content List View.
  AirWatch Managed Content List View now supports bulk file removal.
  To learn more, see Content Management List View.
   

Tunnel

• We're getting ready for something new. The Workspace ONE Tunnel for Windows app needs a new framework and additional settings for its upcoming release.
  In the UEM console, you will see new settings referring to Workspace ONE Tunnel for Windows. Wait to use these additional settings till our new app is available.
  To learn more, see Configure Per-App Tunnel Profile for Windows Desktop App.
• It's time to move your Safari Domains from iOS VPN Profile Payload to Device Traffic Rules setup.
  We've removed the Safari Domain section from the VPN Profile XML. If you are upgrading to 1907 from an older version, plan for a smooth migration strategy and move all your Safari Domains from iOS VPN Profile Payload to Device Traffic Rules setup. 

Windows

• Looking to keep your Windows 10 devices configured to industry best practices? The Baselines feature is now available to all customers.
  Baselines allows you to keep your devices secure and aligned with industry standards such as CIS Benchmarks. With Baselines, you can set and manage your preferred configurations completely over the air without any dependency on VPN or your domain. You can also create custom baselines using GPO policies. New enhancements to Baselines include editing and deleting your custom baselines.
  To learn more, see Using Baselines. 

Workspace ONE UEM console

• Get the most out of AirWatch Express with the new default configurations​.
  • Location collection is now turned on by default for new AirWatch Express deployments. . End users will now receive a confirmation prompt on their devices asking for permission to collect location data. If granted, location data appears in Device Details on the UEM console.
  • App Catalog is now enabled by default for new AirWatch Express deployments. After enrollment, the App Catalog webclip appears on the device home screen and allows end users to see all assigned apps.
  • Quickly unlock iOS devices placed in Lost Mode from the actions toolbar on the Device Details view.
• Several configuration improvements have been made to AirWatch Express that impacts location collection, app catalog, and lost mode for the iOS devices.
• Retrieve your user accounts and groups with the all new SCIM API.
  A new SCIM API helps retrieve all the groups that a user belongs to. 
• Auto-approve your applications from the Office 365 Getting Started wizard.
  The Office 365 Getting Started Wizard lets you automatically approve Office 365 apps for Android Enterprise. This is now the normal flow.
• Export your reports to XLSX files, just like CSV files.
  In addition to exporting CSV files, you can now export list views and reports as XLSX files. With this new choice, you can avoid the formatting issues caused by CSV formats.

Workspace ONE Intelligent Hub

• Easily activate your Hub Services if you are already using VMware Identity Manager and Workspace ONE UEM.
  You can now easily enable Hub Services if you are already using VMware Identity Manager and Workspace ONE UEM.
  Just enter your existing VMware Identity Manager URL to activate Hub Services. No need to reenter the admin user credentials again. We use the one you already provided to link VMware Identity Manager and Workspace ONE UEM.

iOS

• Start reporting on both physical SIMs and eSIMs with the new dual SIM support.
  Admins can now report on both physical SIMs and eSIMs configured on supported iOS devices like the iPhone XR, XS and XS Max.

Mobile Content Management

• Add wildcard values to stop your users from creating manual repositories and sub folders.
  You can now use the wildcard character (*) at the beginning and the end of the file path to stop your users from creating manual repositories and sub folders using the manual template.

Rugged

• Add apps to the Launcher profile with the ease of automation.
  You can now create dynamic rules to automatically whitelist apps added to a Launcher profile. These rules support wildcard characters in the App Field. After you add a wildcard, the app icon displays as a bundle of apps and appear in the Launcher in the available space. You do not need to republish the app every time you add a new app.
• We've extended Content Delivery Network (CDN) to VMware Workspace ONE Launcher.
  Content Delivery Network (CDN) is now extended to VMware Workspace ONE Launcher. During enrollment, when the Launcher is pushed to the device it is pushed through CDN instead of Device Services. This improves the performance of Launcher delivery to devices and reduces the server load when new version of Launcher is deployed.

Windows

• Make the most out of your Dell devices with the updated BIOS profile and Dell Command | Monitor integration.
  You no longer need to manually push Dell Command | Monitor to your Windows Desktop devices to use the BIOS profile. When you push the profile to your devices, Workspace ONE UEM automatically pushes Dell Command | Monitor to the devices.

• Give knowledge to the users. Enable a progress display for Windows Desktop devices enrolling using the Out of the Box Experience (OOBE) workflow.
  The new progress display informs the user what is happening behind the screen during the OOBE enrollment. You can also allow your users to skip OOBE after a specific timeout period.

  

• End-user devices no longer require Intelligence Hub to use the Windows Desktop Antivirus profile.
  Now it is easier than before to keep your Windows Desktop devices secure with the Windows Defender as we no longer require agent with the updated Antivirus profile for Windows Desktop devices.

• Devices have a huge number of attributes associated. Harness the power of Sensors to target the specific devices you want.
  Windows Desktop devices have tons of attributes to remember such as hardware, OS, certificates, patches, apps, and more. To track all these attributes, we created Sensors. Now you can create a sensor for a specific attribute and view this data in Workspace ONE Intelligence by creating visualizations on dashboards and customizing reports.”

Workspace ONE UEM console

• We are happy to provide you a better login experience.
  Administrators can now save their user name and passwords in the browser cache that can be used for subsequent logins.
• Easily identify your devices. We added a new device identifier called Public IP Address in the Device Details and Device List View.
  Public IP Address is added to the Device Details, Device List View and the Privacy Settings page so you can limit access to it per your business and end-user needs.
  View the Public IP Addresses for your devices by navigating to Devices > List View, then select the Layout button and customize the column selections. You can find Public IP Address in the Network tab of Device Details view. Change privacy settings regarding your devices' Public IP Addresses by navigating to Groups & Settings > All Settings > Devices & Users > General > Privacy in the Network section.
• The new My Services Selector gives you access to your Hub Services from the UEM console. 
  You can now access Hub Services from the Workspace ONE UEM console with the My Services Selector. The selector is available in the Header Menu of nearly every page of the console.
• We now offer SAML authentication for multi-domain configurations.
  Administrators (only) can now use the SAML authentication in multi-domain environments for Workspace ONE UEM, expanding the utility of the already trustworthy authentication protocol beyond single-domain configurations. Support for multi-domain environments is enabled by default, and there is no system setting required.
• AirWatch Express now gives another option to communicate with user devices with SMS messaging.  
  Start using SMS Messaging in AirWatch Express.The SMS configuration page is now available in AirWatch Express. To use the functionality, an account with a supported SMS provider is required. You can enable SMS messaging by navigating to Groups & Settings > Configurations > SMS, then complete the settings options including Gateway Type and Password.

Android 

• It's time to get started with the Google's Firebase Cloud Messaging service.
  As of April 10, 2018, Google announced that they are deprecating Google Cloud Messaging in favor of a new cloud-messaging platform called Firebase Cloud Messaging (FCM). Once GCM has been deprecated, customers enrolling new devices into GCM enabled environments can experience extended delays in communication between the Workspace ONE UEM Console and Android devices. 
  All customers are encouraged to upgrade their VMware Workspace ONE UEM Console, Workspace ONE Intelligent Hub application, and Workspace ONE application to the versions that contains support for Firebase Cloud Messaging. 
  For more information, look for Upcoming Changes to Cloud Messaging Services in Environments Utilizing Android Devices in My WorkspaceONE portal.

Content Management

• The new just-in-time content caching strategy that eliminates high memory usage.
  We have re-designed content cache for better performance.The new strategy caches only the folders and the content records that are accessed by the users. Folders are cached individually, as opposed to the old structure that caches the entire repository.

Email Management

• Start customizing the attributes that are used in the API calls to Google Suite.
  We now offer the ability to change the user attribute for Google Suite Provisioning. Customize the attributes that are used in the API calls to Google Suite by specifying an alternate attribute instead of the user's email address. 

iOS

• Stop your users from modifying the personal hotspot setting​s.
  You can now restrict your users from modifying the personal hotspot settings and prevent Siri from logging the data back to its servers on iOS 12.2+ devices.

macOS

• We now support Hub Services on macOS Intelligent Hub 19.04.
  The UEM Console 1904 brings support for macOS Intelligent Hub 19.04 features that includes enhanced catalog, People, Notifications, and custom Home tab. 
• New and improved FileVault Encryption profile.
  The Disk Encryption profile now supports MDM deferred enablement. The profile update also comes with more granular controls over Hub behavior for encryption enablement and recovery key escrow. 

Rugged

• Tighten the security of your Relay Server. Relay Server configuration now supports HTTPS protocol.
  You can now select the HTTPS protocol when you configure a relay server, including the configuration of a Stage Now barcode. Take advantage of this support by configuring an HTTPS endpoint using the web server config tool of your choice (for example IIS). You must also navigate to Devices > Provisioning > Relay Servers > List View, select Add, followed by Add Relay Server, then in the Device Connection tab, select 'HTTPS' as the Protocol.

Windows

• Keep your Windows Desktop devices safe from harmful communications with the new Firewall profile.
  The new Firewall profile contains new settings for Windows 10 devices. Now you can configure different behaviors for domain, public, and private connections. You can also add your own custom firewall rules.
• We made maintaining Dell Provisioning for VMware Workspace ONE provisioning packages easier with templates.
  Templates let you configure the settings for a provisioning package including the apps and save the settings for later use. We've also added the ability to edit and delete existing provisioning packages.
  If you have existing PPKGs when you upgrade to 1904, they will be removed as they no longer support the new workflow. You will need to recreate your existing PPKGs.
• Give the users their apps. Add user context apps to your provisioning packages for Dell Provisioning for Workspace ONE UEM.
  You can now add user context apps to provisioning packages. These apps are installed when a user signs into a device for the first time.
• Sometimes a baseline just needs a little tweaking.
  You can now customize the default ADMX settings in your Windows Desktop Baselines. This customization is in addition to adding additional ADMX policies.

Workspace ONE UEM console

• Switch between all the Workspace ONE services you have configured.
  You can now switch between all your Workspace ONE services using the new bento icon in the header menu. Give it a try by selecting the new icon, located to the right of the account name. This feature is enabled by default.
• Smart Group filter criteria is getting smarter.
  You now have two new and useful categories available when you create a Smart Group: Management Type and Enrollment Category. 
  Management Type lets you target devices on a cross-platform basis that are managed by MDM or an application like Boxer or Content. 
  Enrollment Category lets you drill down further into only the Apple or Android device pool, isolating devices by their specific enrollment path. For example, you can target only Apple devices that were DEP enrolled or only Android Enterprise devices. See the full complement of Management Types and Enrollment Categories by navigating to Groups & Settings > Groups > Assignment Groups and select the Add Smart Group button.
• Get access to the message templates that are specific to your enrollment flow.
  When you add missing active directory users to your user groups, you now have access to message templates that are specific to your enrollment. This means your users can receive an enrollment message that takes your configuration into account. For instance, if enrollment is restricted to only registered devices with a token, you can send those users an enrollment email that reflects this configuration and includes the token. Take advantage of this feature by navigating to Accounts > User Groups > List View, select Add then Add User Group, then enable the option Send Email to User when Adding Missing Users and select the Message Template that best suits your needs.
• Now you can have one group of admins creating the tags for your devices and leave assigning the tags for a different group.
  Device tag assignment is enhanced. You can have one group of admins tasked with creating all the tags for your devices and leave the bulk-assignment of those tags to another admin group.
  Take advantage of this feature by navigating to Accounts > Administrators > Roles and add the new 'Device Bulk Management assign Tags' resource to your admin roles accordingly.
• We are giving you more flexibility while managing your devices as the AirWatch Express now supports three new Device Actions.
  AirWatch Express now supports Clear Passcode, Device Wipe, and OS Update (for iOS and macOS). 
  Navigate to Devices > List View, open the device Details View by selecting the friendly name from the list view, then select the More Actions button.
• Configure service account based mobile flows connectors from the Workspace ONE UEM console.
  Administrators can now enter the service account credentials on the console while configuring out-of-the-box (OOTB) connectors.
• Extended the utility of Identity Manager as the authentication source for Workspace ONE Intelligent Hub.
  Previously Identity Manager and its Multi-Factor Authentication capability only enabled UEM Active Directory users to authenticate, now UEM basic/local users can be authenticated by Identity Manager in Intelligent Hub. 
  Additionally, Identity Manager can now be used for Android staging and shared device enrollment in Intelligent Hub. Currently this functionality is available on Android only and will be available on iOS in a future release.
• We offer single sign-on access to the Intelligent Hub app and the resources without asking you to reauthenticate.
  You can now enable basic User Sync to add local users to VMware Identity Manager Local UEM directory. When basic accounts are synced, you can use the Workspace ONE Intelligent Hub for single sign-on access to the resources.
• We have introduced Quick filter search for your payloads.
  We now have a search bar that easily helps you narrow down the desired payload on the profiles modal. Search for the payloads by typing a text search string in the Search Payload search filter.
• We have enhanced our security that restricts the enrollment flow from creating a new enrollment user in the Single User Advanced Staging flow.
  We no longer allow our users to create other enrollment users in the Single User Advanced Staging flow. Users are only allowed to enroll a device on behalf of another existing user.
• Clear all your console notifications with a single button.
  You can dismiss all active notifications and send them to the Dismissed alert listing. Try it yourself by selecting the Bell icon in the upper-right corner of Workspace ONE UEM console screen, and select Dismiss All. There is no setting to enable this feature, it is enabled by default.

Android 

• Customize firmware updates performed on your mobile enterprise devices.
  Android updates page in the Workspace ONE UEM console has additional options to customize updates for Samsung Enterprise Firmware Over the Air (EFOTA).
  ​To configure the following Android Samsung EFOTA Android Updates, navigate to  Devices > Lifecycle > Updates and select the Android tab:
  • Install method
  • Deployment start and end time
  • Server Time Zone
  • Network
• We have reached End of Support for the Play Store Integration Service.
  VMware reached End of General Support for the Play Store Integration Service on December 15th, 2018 as announced in December 2017 for the customers using the Android (Legacy) deployment method. Existing Android (Legacy) customers who use the Play Store Integration Service to search and add public Android apps to the Workspace ONE UEM console are encouraged to set up Android Enterprise to use the official Play Store search experience. 
  Want to know more? Look for the End of General Support for the Play Store Integration Service knowledge base article on My Workspace ONE portal.

iOS

• We now assist users to easily install the MDM profile during the enrollment of BYO iOS 12.2+ devices
  Users will now see instructional screens in Safari during the enrollment of devices running the latest iOS version and above. This version now requires users to manually navigate to the iOS Settings app to install the MDM profile instead of automatically taking the user there.
• Get accurate feedback on the current status of an enterprise wipe or device wipe of activation lock enabled iOS devices.
  Administrators now have better clarity while wiping activation lock enabled iOS devices and more efficiency while deleting them.
• Get an accurate count of licenses and their redeemed status for Apple Business Manager applications.
  Administrators can now see a consolidated, more accurate count of licenses, and their redeemed status for Apple Business Manager and Apple School Manager applications.

Mobile Application Management

• Manage your Horizon, Citrix or Thin App resources from within Workspace ONE UEM with the all new Virtual Apps Collections.
  In addition to Web applications, you can integrate Horizon desktops and applications, Horizon Cloud desktops and applications, Citrix published resources, and ThinApp applications within Workspace ONE UEM with the integration of Virtual Apps Collections.
• We now offer a native peer distribution system to deploy your Win32 applications to enterprise networks.
  You can now configure Workspace ONE UEM native peer distribution that uses the Windows BranchCache feature. However, the native peer distribution system will be behind the feature flag during the first few releases. If you like to try out our technical preview feature, contact Workspace ONE UEM representative and ask them to have the “WorkspaceOneP2PBranchCacheFeatureFlag” enabled. 

Rugged

• We have made the Content Delivery Service transfer faster.
  An enhancement has been made to the CDS transfer speed. By implementing a new file transfer methodology, our designers have enabled transfers to relay servers be made in parallel, simultaneously, rather than in series as before. There is no system setting for this feature, this setting is enabled by default.
• Determine whether or not a particular file exists on an Android device before you apply an action. 
  You can set the file condition as an extra criteria to download and/or install a product based on the existence or nonexistence of a file. Make a condition using this criterion by navigating to Devices > Provisioning > Components > Conditions, select Add Condition, select Android as the platform, and select File in the Condition drop-down menu. The new file condition works only on Android devices that have 19.03 version of Intelligent Hub. 
• We keep improving the Product Provisioning Performance.
  A significant performance improvement has been made to product provisioning. Currently, if a device fails to process a provisioned product, it requires a manual intervention in the form of a force reprocess. The improvement triggers the automatic retry of a product push when it detects a push failure rate of up to 5%. It makes a maximum of three retries per device, which should minimize the number of manual forces reprocesses you make. Enable this feature when you make a Product by navigating to Devices > Provisioning > Product List View and select Add Product followed by the platform. The Auto Retry check box appears in the Deployment tab.

Tunnel

• Quickly configure per-app Tunnel for the enterprise access.
  We have built a new admin experience to simplify deploying and managing Tunnel settings. To get started, navigate to Groups & Settings > Configurations > Tunnel.

Linux

• Enroll devices running any version and build of Linux into your Workspace ONE UEM deployment.
  You can now enroll your Linux devices with Workspace ONE UEM. Enroll devices running any version and build of Linux on x86_64 or ARM7 into your Workspace ONE UEM deployment by installing the Workspace ONE Intelligent Hub on the device, and then you can view the device from the Workspace ONE UEM Console.
  To download the Workspace ONE Intelligent Hub for Linux, your organization must be whitelisted with Workspace ONE UEM. Please contact your account representative to receive access to the download file.

Workspace ONE UEM console

• Know when your password is going to expire with the new Email Notification of Password Expiration.
  The UEM console sends administrators an email five days (by default) before a password expires. On-premises administrators can change the default value of five days while shared SaaS administrators cannot. If eligible, change this default value by navigating to Groups & Settings > All Settings > Admin > Console Security > Passwords.
  The emails are only sent on the first and last day of the notification period.
• Meet the new Organization Group picker.
  Several UI improvements have been made to the organization group picker, found in Add Smart Group, Add User Account, Add Admin Account > Role, and Add DEP Profile screens.
  An instant search function has been added: start typing in the OG text box and it immediately runs a search based on the string you enter, displaying the names of the OGs for which it finds matches. OGs that appear in the instant search results are presented with their full hierarchy path, with individual organization groups separated by forward-slashes. OG names and paths that are longer than the width of the OG picker window wrap around so you can see the entire name/path. No configuration is needed to use this feature, it's enabled by default.
• Improve security by including a user's active directory Secure Identifier in the certificate SAN for ADCS CA Integration.
  You can now map the SID value certificate requests for ADCS certificate templates.
• Control who you send your SMTP test connection emails to.
  We've added the ability to set the "To" email address when testing the SMTP connection. To use this new feature, navigate to Groups & Settings > All Settings > System > Enterprise Integration > Email (SMTP).
• Configure what's important with the Configurations page.
  The Configurations page is a curated list of critical system settings that are essential to setting up your business needs. You can search the configurations for the feature you are interested in, filter out features you do not want to see, and share your filtered list with other administrators. Take advantage of this feature by navigating to Groups & Settings > Configurations.
• Getting Started with Workspace ONE Intelligent Hub.
  • Enhanced experience to define the Intelligent Hub configuration.
    You can now find a summary of Intelligent Hub settings around management mode, authentication type, and Hub catalog within the Intelligent Hub configuration page, and even configure those settings easily and quickly.
  • Activate Hub Services instantly even if you don’t have the Cloud VMware Identity Manager instance (SaaS only feature).
    The Intelligent Hub Configuration page now provides instant access to Hub Services so that you can start your journey towards the digital workspace. You no longer have to file a support ticket or contact your VMware representative to take advantage of Hub Services. You can click through a simple wizard to get the VMware Identity Manager Cloud tenant and auto activate Hub Services.
  • Seamless activation of Hub Services.
    If you already have a Cloud instance of VMware Identity Manager and want to use Hub Services features like the catalog, People, and Notifications, we have you covered. We refined the experience so you can just enter the tenant URL and credentials to active Hub Services.
• Quickly configure VMware-hosted mobile flows connectors.
  Find and configure VMware-hosted mobile flows connectors without needing to deploy any connectors on your cloud or infrastructure. The UEM console compiles a list of available connectors for you to use.

Android

• Deliver messages to user devices with new Custom Messages profile. 
  We added Custom Messages profile for Android devices that allow admins to create custom messages to send to a user. The new profile will option to set lock-screen messages, set a message for blocked settings, or set a message for users to view in their device settings. This profile is available on Android 7.0+ Work Managed devices.  
  To configure this profile, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android and select the Custom Messages profile. 
• Reinstall the applications you want on your shared Android devices with the Reinstall Apps on Logout command.
  A new option to Reinstall Apps on Logout has been implemented in Android Logout Settings for Shared device which determines if applications on Shared devices are automatically reinstalled when a user logs out (checks in) a device. Admins can decide whether to always or never reinstall apps. 
  If Clear App Data on Logout is enabled, a third option is available to reinstall apps only if app data cannot be cleared.  When enabled, Workspace ONE UEM will no longer require that apps be deleted and reinstalled when one user stops using a shared device and another user begins using the same device. This means users might have access to the previous user's data including personal information.
• Choose whether to configure the SSID and password using the Enrollment Configuration Wizard.
  Admins were previously required to specify the SSID and password in the Enrollment Configuration Wizard which allows the user to skip this step during QR Code enrollment for Android devices using Work Managed device enrollment. The Password field is now optional since a password is not always required when connecting to a network.
  To configure QR Code enrollment using the Enrollment Configuration Wizard, navigate to Device > Lifecycle > Staging > List View > Configure Enrollment > Android > QR Code > Configure.
• Out with the old and in with the new. We've added support for Google's Firebase Cloud Messaging service.
  Firebase Messaging implementation will replace Google Cloud Messaging (which is soon to be deprecated by Google) for Android device communication. 
• We have removed Enterprise Wipe Device Command for Android Work Managed and Corporate Owned Personally Enabled device.
  Enterprise wipe is no longer supported on Android Work Managed and Corporate Owned Personally Enabled device as the admins would simply use the Device Wipe command to perform a factory reset on a device.
  The setting has been removed from the Workspace ONE UEM console.

iOS

• Prevent the setup or editing of eSIM configurations on supported, supervised iOS devices.
  We've added a new restriction to the iOS Restriction profile. You can now prevent users from setting up or editing eSIM configurations on supported, supervised iOS devices.

macOS

• Don't let malicious software infect your macOS devices by ensuring your devices are shielded with System Integrity Protection compliance policies.
  You can now make a compliance policy that detects whether macOS devices have System Integrity Protection disabled. Make a compliance policy that takes advantage of this support by navigating to Devices > Compliance Policies > List View, select the Add button, then select the macOS platform and choose "System Integrity Protection" in the left drop-down menu of the Rules tab.

Mobile Application Management

• Upload Internal Apps without worrying about the later versions.
  Previously, admins could not upload lower versions of internal apps without incrementing the Workspace ONE UEM Version up one. Now, admins do not need to worry about the Workspace ONE UEM version and they can upload earlier versions of internal apps without error notifications.
  For example, if admins had two versions of an internal app stored in the UEM console, numbers 1.1 (previous version) and 1.5 (latest version), they can now upload 1.3 (new version) without an error notification and without the console guiding them to increase the Workspace ONE UEM version up a number. The console migrates the assignments from the previous version to the new version. The latest version remains the latest and devices that enroll in the assigned group still get this latest version of the app. Also, admins can still retire the previous version when adding a new version.
  An exception remains with Android apps. Android apps have a string called a versionCode that still controls the versioning in Workspace ONE UEM. If admins add a new version number of an Android app that has the same versionCode as the latest version in the console, the console still guides them to increment the Workspace ONE UEM version up one number.

Rugged

• Product Provisioning performance improvement.
  A performance improvement has been made to product provisioning. Outbound and inbound communication for multi chain-wide deployments has been optimized, which improves efficiency and scale. This improvement requires no setting, it is enabled by default.
• Product persistence default disabled.
  The persistence setting for new products, previously defaulting to enabled, has been changed. The default setting for new products now features a disabled persistence setting. If you are interested in enabling persistence for a new product, you must manually enable it by navigating to Devices > Provisioning > Product List View, then select Add Product followed by the platform selection. Select Manifest, then Add, then select an action and the Persistent through enterprise reset checkbox displays.

Windows

• Personalize your Windows Desktop devices just the way you want them with the new Personalization profile.
  We've added a new Windows Desktop profile so you can control the Personalization settings for your devices. The Personalization profile controls the background and lock screen images as well as the Start Menu policies for the device. In addition to these settings, you can upload a start layout XML. This XML overrides the default start menu layout and prevents users from changing it.
• Create the Baseline you've always wanted. You can now add additional policies to your Baselines.
  You can now add additional policies to your Baselines to configure your devices the way you want them. Baselines already keep your devices secured and aligned with industry standards. Now you can add Microsoft ADMX policies to your baselines. Currently, this feature is in the technical preview.
• Hide Custom Windows Desktop Files in the Catalog.
  Use the Display in App Catalog option when you assign an internal or public app to hide those files you want to deploy but not advertise in your catalog. This feature is useful for hiding files that perform backend processes.
• Upload a Single APPX for Windows Desktop and Windows Phone.
  Workspace ONE UEM has removed the need to upload multiple app packages when using the APPX type. Now, when you add an internal, Windows, application, upload a single APPX file, no matter the architecture.
• Choose the right app for your devices. You can now select transforms and patches (MST and MSP) when adding apps to a PPKG for Dell Provisioning for VMware Workspace ONE.
  The Provisioning Package Wizard now supports selecting a transform and a patch for apps. You must add the transforms and patches to the apps using the Edit App modal.

Workspace ONE UEM Console

• No more editing the login URL for your admins. Workspace ONE UEM now supports automatic SAML authentication.
  When you have SAML login enabled in system settings, the system supplies the OG-specific login screen, that adheres to the standards of Identity Federation, when you enter the Admin username. You now no longer need to edit the login URL to get the login screen you want.
  Enable SAML login for administrators by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services. Select the Server tab and in the LDAP section, enable the Use SAML For Authentication setting and select the relevant options.
• Your Feedback Matters Still. We've enhanced the optional survey to better process your responses.
  The optional survey introduced in the previous release gathered valuable feedback based on your experiences with our software. Together with the data collected at the time you created your admin account, VMware processes these survey responses with third-party assistance to facilitate a closed loop feedback system. This system helps us understand our users better and allows us to improve our products based on your needs.
• Track basic admin account activity better with new Console Event Logging additions.
  Two new events have been added to the console event logger: 'admin account locked' and 'admin account unlocked'. These events should assist you in researching basic administrator login problems, which you can do by navigating to Monitor > Reports & Analytics > Events > Console Events. The new login events are of the Module: Administration and of the Category: Login.
• We are getting better at telling you what went wrong through some improved error messages.
  We understand that it is frustrating when things don't work. To help reduce some frustration, we are looking at our error messages to see where we can improve them.
• We have removed Data Samples Settings page in the console.
  We deprecated the ability to configure and store historic sample data related to device hardware, device network data, profile information, telecom data, restrictions, security information in the UEM console. You could make these changes from All Settings> Admin> Data Samples.
• We've deprecated several APIs so make sure you use the new replacements.
  For more information on what APIs were deprecated and their replacements, see https://resources.workspaceone.com/view/6z89m664plrjdjjr7fcb/en.

Android

• Configure more features for your Android devices.
  We've updated the Workspace ONE UEM console to include additional support for Wi-Fi Proxy, Bluetooth, Backup service, and Update Information.
  • The Wi-Fi profile includes a new section called Proxy for you to configure Proxy settings for Android devices. (Android 8.0+). 
  • The Device Details page includes a section named Pending System Update which shows information on available or last updates for Android 8.0+ devices.
  • The restrictions profile has been updated with a new restriction, "Allow Backup Service"
  • Support new restrictions available for preventing Bluetooth and Bluetooth sharing. 

• You can now enable Knox for Android devices without using Android Legacy settings.
  Under Intelligent Hub Settings the Knox license key field is no longer dependent on the Enable Containers setting.  This means you can enter a Knox license key, without turning on Enable Containers (which only applies to Android Legacy). If Enable Containers is checked and Android EMM Registration is configured, this turns on Knox Play for Work (Android legacy enrollment mode).

  To see these settings, navigate to Group & Settings > All Settings > Devices & Users> Android > Intelligent Hub Settings

• Manage how your Android devices update apps with the new Update Policy profile.
  We added a new Auto Update Policy profile for Android devices that allow admins to configure auto updates and schedule maintenance windows for public Android apps. Once pushed, the applications will only auto-update during the specified start and end times.

  To configure the Auto Update Policy, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > and select the Auto Update profile. 

• Configure additional capabilities in the Restrictions profile.
  The Restrictions profile now supports additional capabilities specific to Android Enterprise. On Work Managed devices and COPE enrollment, you can now Prevent System UI (Toasts, Activities, Alerts, Overlays) which blocks additional windows from opening on the device. For all enrollment types (Work Managed Device, Work Profile, and COPE) you can enable Skip user tutorial and introductory hints to force apps to skip user tutorials and introductory screens.

• Verify that your apps are safe for your devices with Safetynet App Verification.
  A new system setting, Safetynet App Verification, enables app verification which scans apps installed on the device before they are downloaded to detect potentially harmful apps. 

macOS

• Enhanced the macOS Network profile to support configuring multiple ethernet interfaces.
  We added options to configure multiple ethernet interfaces as needed.

• Enhanced macOS Privacy Preferences profile so you can add multiple Apple Event rules for a given app.
  To help administrators manage data access consent on behalf of the user, we enhanced the Privacy Preferences profile. Now you can multiple Apple Events to a given app.

Windows

• Keeping your Windows Desktop devices configured and up-to-date with best practices is difficult. Workspace ONE UEM curates these best practices into configurations called Baselines.
  This new feature allows you to keep your devices secure and aligned with industry standards such as CIS Benchmarks. With Baselines, you can set and manage your preferred configurations completely over the air without any dependency on VPN or your domain. Currently, this feature is offered as a technical preview.

• Track your Windows Desktop devices without needing the legacy AirWatch Agent.
  We've enhanced our GPS support for Windows Desktop devices. Workspace ONE UEM now gets location data through OMA-DM instead of relying on the AirWatch Agent from the Microsoft Store. Windows Phone devices still need to use the legacy method.

• Send your Windows 10 device traffic through a proxy with the new Proxy profile.
  This profile allows you to configure the native system proxy settings on your Windows 10 devices to direct network traffic through a proxy server.

• Devices have a huge number of attributes associated. Harness the power of Sensors to target the specific devices you want.
  Windows Desktop devices have tons of attributes to remember such as hardware, OS, certificates, patches, apps, and more. To track all these attributes, we created Sensors. Now you can create a sensor for a specific attribute and combine the sensor with smart groups to target specific devices for profiles, updates, and more.
  Note: This feature is currently in technical preview. It releases for general availability in Workspace ONE UEM 1905.

• We've made Dell Provisioning for VMware Workspace ONE easier to use.
  A new wizard in the UEM console provides a single place to create a configuration file for the various use-cases and export your Win32 apps. You no longer need to use the external configuration tool.

  Additionally, we've expanded app support to include OMA-DM and user context apps. To use the new wizard, navigate to Lifecycle > Staging > Windows.

• Control the level of device diagnostic and usage telemetry data your devices send to Microsoft.
  We have updated the Restrictions profile to control the level of data sent to Microsoft. The level of data ranges from Security, which limits the data to only what is necessary to keep the device safe and secure, to Full.

• Collect important device details through the Request Device Log action.
  We added this functionality so you can request the logs from the device to troubleshoot and provide support. To request a log, simply navigate to the device and select Request Device Log from the More Actions list.

• Wipe your devices just the way you want to.
  We enhanced the Device Wipe device action so you can choose the level of Device Wipe. In addition to the original Device Wipe, you can now perform a Wipe Protected that can't be circumvented by users. Finally, you can perform a Wipe and Persist Provisioning Data action that will back up the provisioning data and reapply it after wiping the device.

• Reset your devices back to their factory settings with the Enterprise Reset device action.
  We added this functionality to corporate-owned Windows Desktop devices. Now you can reset a device to factory settings while keeping the device enrolled in Workspace ONE UEM.

App Management

• Keep your per-app VPN profile associated with native apps updated.
  You can edit the App Tunneling configuration by selecting another Per-App VPN profile in the flexible deployment assignment. This associates the changed profile when the applications publishes. Also with the flexible deployment assignment, you can change the priority of an assignment. Move it higher in the list, and assigned groups receive those associated configurations that include the per-app VPN profile.

  You can also deselect the App Tunneling setting in the flexible deployment assignment. The system removes the per-app VPN off devices in the assigned smart group. Another option is to change the smart group of a device to one that is assigned to an application that has the desired per-app VPN profile associated to it.

• Distribute internal application packages from Workspace ONE UEM instead of redirecting users to a link.
  This feature is useful for deployments that use APIs for continuous delivery integrations and UI actions. 

• Control the cost of licenses for your software distribution and OMA DM applications with the new App Approvals workflow.
  This process allows you to approve who can consume application licenses, thus controlling the cost to manage these resources. This workflow integrates your existing deployments of ServiceNow, VMware Identity Manager, VMware Workspace ONE UEM, and VMware Workspace ONE Intelligence. Currently, this feature is offered as a technical preview.
  Note: App Approvals is currently a tech preview feature. Consider limiting your use of this feature for testing purposes only.  App Approvals should not be used in a production environment. Features are not final and are subject to change at any time.

• Updated software distribution by working to support distributing Win32 applications without a content delivery network (CDN) for on-premises deployments.
  At this time, one of two systems is still necessary for distribution, a content delivery network or a file storage system. VMware Workspace ONE UEM supports up to 5GB of storage on CDN for on-premises. If more than 5GB is needed, then use a file storage system.

Email Management

• Revoke access for Google accounts if an account violates compliance with the Token Revocation option on the Email Settings page.
  We offered a similar feature for Office 365 and now we support it for Google accounts. If you revoke a token, users lose access to their Google accounts. Workspace ONE then evaluates compliance before issuing a new token.

Workspace ONE UEM console

• Our console releases follow a new versioning format.
  VMware Workspace ONE UEM is moving away from our traditional major.minor version numbers to a date driven model represented by a year and month (YYMM). This release is version 1810 with a build of 18.10.0.0 (YY.MM.M.P) where M = maintenance and P = patch. 

• Your Feedback Matters. Participate in an optional survey and tell us about your experience with Workspace ONE UEM console.
  You can provide feedback by completing an optional survey about your experience with the Workspace ONE UEM console. Your feedback is positively used to make improvements to our software. Start the survey yourself by selecting your username in the upper-right corner and then select Send Feedback or you can opt-into the pop-up window that appears after the 25th login within a 30-day period. If you opt-out of this pop-up window, you will not be prompted again.

• Integrate VMware Identity Manager and VMware Workspace ONE UEM without Active Directory in Getting Started.
  In the Getting Started Settings page, we have decoupled the dependency for Active Directory so that you can set up VMware Identity Manager without it.
   
• We made login security for basic administrators better with the removal of the lockout time limit. 
  A Basic admin can be locked out either by exceeding the configurable maximum number of invalid login attempts or answering the security questions incorrectly more than three times.
  When they are locked out, they must either reset their password using the troubleshooting link on the login page or they must get another admin to unlock their account using the Admin List View. The locked-out admin also receives an email notification when their account is locked and again when it becomes unlocked.
  Basic administrators can also be locked out through the API, and while they must reset their passwords using the same methods, they are not notified by email in such a case.
  The lockout time limit has been removed which means when a basic admin is locked out, they can no longer just wait it out and try again. There is no additional setting required to enable this new behavior, it is enabled by default.
  To configure the maximum number of invalid login attempts, navigate to Groups & Settings > All Settings > Admin > Console Security > Passwords.
   
• We gave a new name to Hub in the UEM console. It's now called Monitor.
  The central portal that gives you fast access to all critical information is now called Monitor. 
   
• Direct enrollment with LDAP.
  We have improved external ID handling to make sure that the UEM console supports direct enrollment with LDAP.
   
• Quick-start your Mobile Flow setup with automated tenant provisioning.
  UEM console now provides end-to-end automated tenant provisioning capability from the UEM console using VMware Identity Manager.
   
• Mobile Flows accessibility got more flexible. Administrators can now access mobile flows without any restrictions.
  We have removed the access restriction of VMware Identity Manager to use Mobile Flows in the UEM console. Administrators can now access Mobile Flows within the UEM console.
   
• Mobile Flow user synchronization and authentication process got better.
  Mobile Flows does not require user synchronization from the UEM console to VMware Identity Manager. If the user account is present in VMware Identity Manager, Mobile Flows automatically authenticate client's requests.
   
• The AirWatch Agent productivity app has been renamed VMware Workspace ONE Intelligent Hub.
  This new app gives you the flexibility you need to provide employees with a unified onboarding experience across virtually any iOS and Android device. Hub Services makes delivering a true digital workspace experience easier than ever with helpful, new functionality including:
  • Unifiied App Catalog with App Ratings
  • Notifications
  • People
  For more information on the services offered, see the Guide to Deploying Workspace ONE Intelligent Hub Services.

AirWatch Cloud Connector

• We changed the name of the VMware Enterprise Systems Connector System Settings page.
  The VMware Enterprise Systems Connector System Settings page is now the Cloud Connector page. 

• Install AirWatch Cloud Connector or VMware Identity Manager Connector with their own installers.
  We have created two separate installers, one for AirWatch Cloud Connector and one for VMware Identity Manager Connector. Now you can install VMware AirWatch Cloud Connector and the VMware Identity Manager Connector separately or together.
  Download the AirWatch Cloud Connector installer from the Workspace ONE UEM console Cloud Connector page. Download the VMware Identity Manager Connector installer from my.workspaceone.com or my.vmware.com.

Android

• Deploy corporate owned devices with fully managed device functionality while giving your users the experience of a work profile.
  Administrators now get the flexibility of controlling device management features while deploying a work profile to the user. Administrators can now set separate policy settings for work and personal applications and achieve flexible deployment options for Android devices by using Corporate Owned Personally Enabled (COPE) deployment method.  
   
• Protect your Android devices against security threats with SafetyNet attestation API.
  You can now assess the security and compatibility of the Android environments in which your applications run. Administrators can use Google's SafetyNet Attestation API that validates software and hardware information on the device where your application is installed to create a profile of that device. The attestation API helps you determine if a particular device has been tampered or modified.
  Enable SafetyNet Attestation API in the UEM console by navigating to Groups & Settings >All Settings > Apps > Settings & Policies > Settings > Custom Settings and paste {"SafetyNetEnabled":true} custom XML in the Custom Settings field.
• Enterprise Factory Reset Protection policy got more flexible. Let your administrators change the settings during a device wipe.
  Factory Reset Protection can now be removed while performing a device wipe from the device management commands.
   
• Managing Samsung Knox features from the UEM console got better.
  • The new ​Firewall profile is now available for Samsung Knox and Android Enterprise configuration that allows administrators to configure firewall rules for Android devices. The Firewall profile is displayed only when the OEM Settings field is enabled and Samsung is selected from the Select OEM field.
  • The Passcode profile has been updated for Samsung Knox to include Allow Iris Scanner, Allow Face Unlock and Lockscreen Overlay restrictions.
  • The Restrictions profile is updated to include additional capabilities specific to Knox devices. You can now see a new section called Samsung Knox that lets you change the settings.
• We made Per-App VPN client configuration more flexible. You can now choose to select Tunnel for both Android Enterprise and Legacy Android.
  Per-app VPN allows you to configure VPN traffic rules based on specific applications. When configuring Per-App VPN (internal apps), administrators can now individually select VMware Tunnel for both Android Enterprise and Legacy Android. Previously, VMware Tunnel selection was applied to both Legacy Android and Android Enterprise.

Chrome OS

• Installed Status column in the Profiles List View got better. 
  Administrators can now get the details of Not Installed, Installed, and Assigned counts and view the list of users who have the profile in a specific state. 
  Take advantage of this update by filtering the Profiles List View by Platform. The Installed Status column, gives you the Not Installed, Installed, and Assigned count. You can use the status link to view the User Details in a separate window. 

iOS

• Managing your enterprise developed tvOS applications just got better.
  Now you can more easily manage your enterprise developed tvOS applications the same as iOS by adding new versions, renewing mobile provisioning profiles, setting app configuration values, and installing these applications on demand.
   
• Skip the SIM setup configuration in the Setup Assistant.
  For iOS 12.1 devices configured for DEP in Apple Business Manager, administrators can now skip the option for configuring the SIM setup step in the Setup Assistant.

macOS

• We let you define applications that can block the clean installation of an app.
  To enhance the end-user experience when updating apps, we have added the ability to define applications that might block the clean installation of an app. By defining a blocking application, administrators can ensure that the end user is notified if an application needs to be updated but is unable to update the app because a currently running application needs to be closed. If the end-user declines to close the blocking application, the Workspace ONE Intelligent Hub retries the installation on next sync.
• The macOS Bootstrap Package feature now supports the newest MDM command for enterprise application deployment.
  We have enhanced the macOS Bootstrap Package feature to support the newest MDM command for enterprise application deployment for macOS 10.13.6 and above. There is no impact on the existing packages and devices.
• macOS Mojave 10.14 brings enhancements to security around user consent for data access.
  To help administrators manage data access consent on behalf of the user, we have added a new MDM configuration profile payload called Privacy Preferences Control. In this payload, administrators can selectively allow or disallow access to various macOS services for a list of applications and processes.

Rugged 

• Use our new Role Based Access Control to reprocess a product. 
  Two new resources have been created allowing you to include permissions for product reprocessing when you make admin roles. Admins with this permission can reprocess a product on a specific device or they can request reprocessing for all the affected devices.
  To make an admin role with the reprocessing ability, navigate to Accounts > Administrators > Roles and select Add Role. On the Create Role page, enter reprocess in the Search Resources text box to use the new permissions.

Windows​

• Software Distribution for Win32 apps is turned on by default for all on-premises customers.
  Software distribution is now turned on by default in the UEM console for all on-premises customers. By default, customers get up to 5 GB of storage for applications in the database before they choose to use File Storage.
   
• Turn your Windows 10 devices into multi-app kiosk devices with the new Kiosk profile.
  The new Kiosk profile allows you to configure the device Start menu with the apps and groupings you want. Kiosk mode supports most apps and includes some built-in apps such as Microsoft Edge and Maps. You can create the profile using your own custom XML or the included designer.
   
• Remove custom profiles with ease by adding removal code to the Custom profile for Windows devices.
  We have added a new text box to the profile so you can add the removal code for your custom XML. This removal code enables the Remove Profile and Deactivate Profile functionality. You no longer need to push a custom profile to remove your custom profiles.
   
• Auto-approve all Feature Updates and Drivers for download with the Windows Update profile.
  We have added Feature Updates and Drivers to the Approved Updates functionality of the profile. Now you can set these update types for automatic approval to ensure that your devices receive these updates when they are available.

Console

• Enjoy working with a CAPTCHA free console. 
  Did you know about the challenge-response system known as CAPTCHA? Well, it stands for Completely-Automated-Public-Turing-Test to tell Computers and Humans Apart. The good news is that CAPTCHA is now deprecated, so we removed  all the CAPTCHA prompts, and settings from the Workspace ONE UEM Console, including initial login screen, SSP login screen, console and SSP password recovery screens, and system settings.

• Console security for administrators got better with the Reset Password solution.
  UEM console security for administrators is enhanced with the removal of the Change Password option in favor of a Reset Password solution. A password reset option means an email is sent to the administrator, so they choose their own password. An administrator's identity is authenticated by answering the password recovery questions that is set up ahead of time.
  You can now find the new Reset Password option in the Admin List View.
   
• Smart groups just got smarter. You read it right: exclude user groups while you create your smart groups.
  Craft device profiles and compliance policies faster by excluding user groups while you create smart groups. To do so, navigate to Groups & Settings > Groups > Assignment Groups, select Add Smart Group and choose Select Criteria. You can find the new option under Exclusions.
   
• Filter the Device Last Seen view by the number of days since the console saw a device.
  The Last Seen filter on the Device List View can now list the devices that have been seen more than, less than, or between any number of days. These options make it easier to configure lists of devices that are out of touch with the rest of your fleet, allowing you to take action.
  Check out the new Last Seen filter by navigating to Devices > List View, select the Filters button, and then select the Status drop down menu.
   
• Re-enrolling your previously un-enrolled device got simpler with the whitelist retention policy.
  The whitelist that allows registered devices to enroll was purged after 90 days. Now it is retained indefinitely, so you can re-enroll your previously un-enrolled devices at any point of time. There is no setting to enable this feature, it is automatic.
   
• Remote check-in all your shared iOS devices with the new Check In Device option.
  You can now remotely check-in a shared iOS device from the UEM console, which resets the device enrollment to the staging user with a prescribed organization group, profile, apps, and so on.
  Take advantage of this update by navigating to Devices > List View, and select the shared iOS device's Friendly Name to display Device Details. Then click the More Actions button and select Check In Device.
   
• We have announced End of Availability for Mobile-Specific View in Workspace ONE UEM Console. 
  The mobile-specific view of the UEM console has reached end of availability and is no longer included in any of the UEM console releases. With the removal of the mobile-specific view, administrators are redirected to the full view of the UEM console regardless of  the device type. 
  Want to know more? Look for the End of Availability for Mobile-Specific View in Workspace ONE UEM Console
   knowledge base article on My Workspace ONE portal.
   
• Highly secure mutual authentication between AirWatch Cloud Connector and Adaptiva Server.
  AirWatch Cloud Connector and Adaptiva Server communicate with each other with an increased level of trust and uses Transport Layer Security (TLS). To implement the enhanced mutual security authentication feature, upload an Adaptiva Public certificate while configuring your Peer Distribution software setup in the UEM console.

Content Gateway

• We have announced End of Availability for ICAP-Proxy.
  Starting this release, ICAP Proxy configurations are no longer supported from the UEM console. All our existing customers can continue using the configuration till the End of General Support. Going forward, you will not be able to configure new ICAP-Proxy from Groups & Settings > All Settings > System > Enterprise Integration > Content Gateway and Groups & Settings > All Settings > Content > Remote Storage.
  Want to know more? Look for the End of General Support for VMware AirWatch ICAP-Proxy knowledge base article on My Workspace ONE portal.

Documentation

• The evolution of Workspace ONE UEM product documentation.
  Workspace ONE UEM is always evolving, and so our documentation needs to adapt as well. Over the next few months, you'll see improvements to how our documentation looks and how it's organized.

iOS

• Specify if the native mail Exchange connection should use OAuth to authenticate all your iOS 12 devices.
  The Exchange ActiveSync profile now specifies if the native mail Exchange connection should use OAuth for authenticating your iOS 12 devices. To enable the use of OAuth for authentication, select Use OAuth in the Exchange ActiveSync payload.

• Troubleshooting of iOS 11+ devices just got easier with Remote View.
  With the Remote View feature, administrators can now easily initiate a remote view session of an iOS 11+ device from the UEM console and assist with troubleshooting by viewing the end user device. To make use of remote view, you must have purchased Advanced Remote Management SKU and must be using iOS Agent v5.8.1+. 
  To start, choose the Start Remote View action under More Actions > Support for each of the devices under the Device List View.  
   
• Publish profiles to Apple devices more efficiently.
  Improved profile publishing when assigning to devices at scale.
   
• Let your users decide whether they want to use S/MIME for signing and encryption on all iOS 12 devices.
  Email and Exchange payloads now allows the user to toggle S/MIME signing and S/MIME encryption for all your iOS 12 devices. You can also select S/MIME signing certificate​ and S/MIME encryption certificate for all your iOS 12 devices. 
   
• Group all your app notifications on iOS 12 devices using all new "group notification type". 
  Notification payload now has a setting that helps you group app notifications. Take advantage of this update by using the Select group notification type​ under the Notifications payload. 
   
• We made sure you don’t miss a critical notification because of your Do not disturb setting. 
  Notification payload now has a setting called Allow critical alert notifications that let's you mark an application notification as critical to bypass the Do Not Disturb ringer settings. 
   
• Ever been disturbed by app notifications while driving? Now you can prevent application notifications from showing in CarPlay for all your iOS 12 devices.
  Notification payload now has a setting called Allow CarPlay that is used to prevent application notifications from being shown in the CarPlay.
   
• Preserve your SIM data during a device wipe. 
  For devices below iOS 11, the device wipe command wipes the SIM data associated with the device. For iOS 11+ devices, you can preserve the SIM data plan (if it exists on the device) by selecting the Preserve Data Plan checkbox on the Device Wipe page before sending the device wipe command.
   
• Skip the proximity setup while performing a device wipe on your iOS device. 
  For iOS 11.3+ devices, you have an additional option to skip the Proximity Setup screen in the Setup Assistant and this option prevent the user from seeing the Proximity Setup option.
   
• Stop your users from changing the "Set Automatically" feature of Date & Time for an iOS device.
  Make use of the Force Date & Time to be Set Automatically settings under the Device Functionality subsection of the Restrictions payload to prevent users from changing the "Set Automatically" feature of Date & Time for an iOS device. 
   
• Allow your users to control password autofill setting for all iOS 12+ Supervised devices.
  Use Allow auto filling of passwords settings under Device Functionality subsection of the Restrictions payload to control password autofill for iOS 12+ Supervised devices.
   
• Added flexibility for Wi-Fi Password sharing for iOS 12+ Supervised devices. 
  Make use of Allow Sharing of Wi-Fi passwords settings under Device Functionality subsection of the Restrictions payload to prevent the sharing of Wi-Fi passwords from iOS 12+ Supervised device to a nearby device.
   
• Stop your users from using the password autofill settings for iOS 11+ Supervised devices.
  Make use of Force authentication before auto-filling passwords setting under the Device Functionality subsection of the Restrictions payload to enforce authentication on all your iOS 11+ Supervised devices before auto filling passwords.
   
• Stop your users from using unmanaged contacts in managed apps or managed contacts in unmanaged apps. 
  Restriction payload in the Data Loss Prevention subsection has a new feature that allows managed apps to read contacts from unmanaged contacts accounts. Take advantage of this new feature, by using Allow managed apps to read contacts from unmanaged contacts accounts or Allow unmanaged apps to read contacts from managed contacts accounts​ settings under the Data Loss Prevention subsection of the Restrictions payload.

macOS

• Specify if the native mail Exchange connection should use OAuth for authenticating macOS 10.14 devices.
  The Exchange ActiveSync profile can now specify if the native mail Exchange connection should use OAuth for authenticating your macOS 10.14 devices. To enable the use of OAuth for authentication, you can select Use OAuth in the Exchange ActiveSync payload.
   
• Stop your users from using the password autofill settings for all macOS 10.14 devices.
  Use Allow auto filling of passwords settings under Device Functionality subsection of the Restrictions payload to control password autofill for macOS 10.14 devices devices.
   
• Added flexibility for Wi-Fi Password sharing for macOS 10.14 devices.
  Make use of Allow Sharing of Wi-Fi passwords settings under Device Functionality subsection of the Restrictions payload to prevent the sharing of Wi-Fi passwords from macOS 10.14 device to a nearby device.

Mobile Application Management

• A better way of handling updates made to the most commonly accessed app sample table.
  Performance enhancements are made to the application sample collection and save process to reduce the number of read and write operations made to the most commonly accessed sample tables. The per-device-per-app application list time stamps are now converted to a per-device time stamp when the samples for all the applications are collected at once.
   
• Added flexibility for uploading application as a link.
  Along with the support for uploading an application as a link with the supported file extension in the URL, you can now upload an application as a link if the URL contains query parameters at the end of the URL. 

Mobile Content Management

• We have announced End of Availability for VMware Content Locker Outlook Add-In and VMware Content Locker for Windows Desktop. 
  The configuration settings for Outlook Add-In and Content Locker for Windows Desktop is no longer available in the UEM console as the General Support period for these applications has ended.
  Want to know more? Look for the End of General Support for VMware Content Locker Outlook Add-In knowledge base article on My Workspace ONE portal.

Printer

• Start using the Avery Dennison 9485 printer in the UEM console.
  Printer Management support is extended for the Avery Dennison 9485 printer as a new OEM. You can now manage Avery Dennison printers in the same manner as other printers, such as Zebra and Epson, from the UEM console. With the current release, you can:
  • Enroll the Avery Dennison printer.
  • View the enrolled printer in the UEM console.
  • Unenroll the printer.
  • View details of the printer in the UEM console.
  • Push configuration files to the printer.

Rugged 

• Let your users decide their Product Provisioning Deployment model.
  You can now choose how your product is deployed. Either use the default deployment mode (which is the relay server with a device services backup) or with only the relay server. Selecting relay server only frees the device server to devote its resources to other tasks. Make the choice for your own products by navigating to Devices > Staging & Provisioning > Product List View > Add Product and then select a platform.  The Deployment Mode drop-down in the Deployment tab is where you make this choice. 
   
• The Apps/Search API just got better. Administrators can search for the applications that are deployed under Staging and Provisioning.
  The Apps/Search API has been enhanced to include applications uploaded under Staging & Provisioning and returns the application ID so that it can be subsequently used within the API flow.
   
• Configure file server as a staging and provisioning component for all your Android devices.
  You can now have the File servers used as the source or destination of Download Files or Upload Files event actions. To configure a file server as a staging and provisioning component for all your Android products, navigate to Devices > Staging & Provisioning > Components > Event Actions and select the Add Event Action button. Select Android and at the Actions tab, choose either Download Files or Upload Files.
• Use our new Role Based Access Control to reprocess a product. 
  Two new resources have been created allowing you to include permissions for product reprocessing when you make admin roles. Admins with this permission can reprocess a product on a specific device or they can request reprocessing for all the affected devices.
  To make an admin role with the reprocessing ability, navigate to Accounts > Administrators > Roles and select Add Role. On the Create Role page, enter reprocess in the Search Resources text box to use the new permissions.

SDK

• We moved Compromised Protection and Offline Access for the Default SDK Profile to the Security Policies page.
  The SDK App Compliance page has been removed. However, we migrated the previous configurations for Compromised Protection and Offline Access for the Default SDK Profile to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
  Want to know more? Look for the "Changes to Compromised Protection and Offline Access SDK Settings Upon Upgrade" knowledge base article on My Workspace ONE portal.

Tunnel

• Control inheritance for your Device Traffic Rules settings between organization groups.
  You can now choose to either inherit or override the Device Traffic Rules settings for all your child OGs. Make these changes in the Device Traffic Rules under VMware Tunnel > Network Traffic Rules. 

Windows

• BitLocker enforcement just got better. Encryption profile lets you disable real-time enforcement on Windows Desktop devices.
  Previously, BitLocker encryption enforcement could cause issues when attempting to upgrade a device or to wipe it. Now you can disable real-time enforcement, so you can upgrade your Windows devices without BitLocker encryption issues.
   
• Configure your Windows 10 device even before it even leaves the factory with the new Dell Provisioning for VMware Workspace ONE. 
  Workspace ONE UEM now supports creating a provisioning package for Windows 10 devices that you can send to Dell to configure your devices before they even ship. This process requires software distribution and the new VMware Workspace ONE Configuration Tool for Provisioning. Once the provisioning package is installed on your device, end users need only sign in to complete enrollment with their applications that are already installed. Dell takes these provisioning packages and installs them onto devices so your end users receive a device with all their apps already installed.

Android

• Simplified enrollment for the Android corporate owned devices​ through the use of QR codes
  Administrators can now use automatic QR code that is generated from the UEM console to experience simplified enrollment flow for the Android devices running version 7.0 (Nougat) or later.
  UEM console now allows an IT administrator or an end user to register the device as Work Managed through the use of QR codes. The new enrollment flow is ideal for an administrator who wants to stage multiple devices before deploying to users or for the end user who wishes to enroll the device with the QR code that is provided by an IT administrator.
  Simplify your enrollment workflow by navigating to Devices > Staging & Provisioning > Staging and select Configure Enrollment button.
• Capture suspicious activity logs when a Bluetooth peripheral or a USB connection is made to your device
  Whenever a Bluetooth peripheral or a USB connection is made to your device, UEM Console tracks the event and reports this as a log to the UEM console.
  To track all the malicious activity enable Suspicious Activity Logs under Groups & Settings > All Settings > Devices & Users > Android > Agent Settings. 
• Set Weak Biometric for your Passcode content
  ​The Passcode Profile now allows you to set Weak Biometric for the passcode content under the passcode settings. Weak Biometric passcode content allows low-security biometric unlock methods, such as face recognition.
  Take advantage of this update by navigating to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android and configure the Passocde settings.
• Configure Samsung Work Managed devices within the Android enterprise profile
  Profiles in the UEM console have been updated to provide support for Samsung Knox standard features for Work Managed devices. In the General profile, a new field called OEM Settings is added. When the OEM settings is enabled, the profiles that have updated features for Knox support are denoted with a Knox symbol. These include Passcode, Restrictions, Date/Time and APN.
• Launcher profile supports Multi-User Stage enrollments and Check-In Check-Out functionality for the Work Managed devices
  Android Enterprise enrollments now support Shared device Multi-user staging and Check-In Check-out functionality. Shared Device/Multi-User Device functionality ensures that users can easily share a device while maintaining their unique enterprise resources.
• Set default Google userIDs for a device in the event a device is reset using a bootloader or fast boot
  UEM console now has a new profile called Enterprise Factory Reset Protection. The new profile allows administrators to set default Google userIDs for a device in the event a device is reset using a bootloader or fast boot. This is useful in the event a device is reset after an end user leaves the company and allows the administrator to use one of the specified Google IDs to reset the device to be assigned to another user.
  Configure your enterprise factory reset protection selecting Enterprise Factory Reset Protection from Devices > Profiles & Resources > Profiles > Add > Add Profile > Android.

Certificates

• Renew certificates issued via the Simple Certificate Enrollment Protocol (SCEP)
  Administrators can now configure a SCEP certificate template for auto-renewal when leveraging Microsoft ADCS. The renewal capability removes manual intervention required with SCEP configurations and allows the administrators to leverage the performance and scalability. 
• Define SAN attributes for Generic Simple Certificate Enrollment Protocol (SCEP) and GlobalSign
  Administrators can now configure SAN attributes for Generic SCEP and GlobalSign certificates. Take advantage of this update by configuring the SAN type under Certificate Template - Add/Edit screen. 

Chrome OS

• End processes in the Task Manager
  You can now configure Application Control Profile for Chrome OS and allow end users to see the end process option in the Chrome OS.
  To use this feature, enable Users can end processes in Task Manager from the Application Control profile under Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS.
• Launch URL at the startup
  The Content profile now includes a new option to configure URL to open at startup. An additional field, URL, allows you to Launch URL at the startup.
  Take advantage of this feature by navigating to Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS, configure the Content profile and set the URL field.
• Verify if the boot mode is required for device verification to succeed for the User and Device profiles
  The Security & Privacy for user and device profiles have a new option called Device Verified Mode Required. When enabled, it verifies if the boot mode is required for device verification to succeed.
  Take advantage of this feature by navigating to Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS, configure the Security & Privacy profile, and set the Device Verified Mode Required field.
• Experience flexible printing capability
  You can now configure Printing profile for Chrome OS that allows you to either use the print preview with Google cloud print or use system print dialog window. If this profile is disabled, printing is only possible through plugins that bypass Google Chrome.
  ​Take advantage of this new feature by navigating to Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS and configure the Printing profile.

Console

• Flexibility of enabling SAML authentication on the SSP and exclude Enrollment
  The UEM console currently allows SAML authentication for admin, users or both. Administrators now have the choice of using SAML authentication for Admin, Enrollment, or Self-Service Portal and can select all the three, or any combination of two, or choose any one of the three components. Administrators get the flexibility of forcing SAML authentication on the SSP and exclude Enrollment.
  Take advantage of this update by navigating to  Groups & Settings > All Settings > Enterprise Integration> Directory Services and enable Use SAML For Authentication.  
• Automatic user token revocation on enterprise wipe
  Currently Azure active directory does not provide an option to revoke a token from a specific device. Users are logged out from all the Azure SSO enabled sites on revoking the token during an enterprise wipe. Directory Services configuration page in the UEM console now has a new user interface setting that provides an option to the administrator to enable or disable automatic user token revocation on enterprise wipe.
  You can enable the settings by navigating to Accounts > Administrators > Administrator Settings > Directory Services and enable Automatically revoke user tokens when wiping device.
• VMware Product Improvement Program includes Self Service Portal
  The Self-Service Portal (SSP) is now included in VMware’s Product Improvement Program, which gives you the opportunity to impact the quality and effectiveness of our products. When enabled, this program tests only on SSP usability data, which is essential to ensuring our customers’ real-world needs are being met.
  You can opt in or opt out of the Product Improvement Program at any time by navigating to Groups & Settings > All Settings > Admin > Product Improvement Programs.
• Configure the Purge Job scheduler to handle file storage blobs
  The existing purge process only considers the database for blobs. The Purge Job scheduler considers both file storage and CDN for purging. Configure the Purge Job scheduler by navigating to Groups & Settings > All Settings > Admin > Scheduler.
• Enhanced security measures in the Self-Service Portal for all the token-based accounts
  Affecting only accounts that enroll with a token, the following security features are implemented in Self-Service Portal:
  • The Email Address and Phone Number fields is now made read-only on the Add Device and Account screens.
  • The Resend Enrollment Message basic action form features email address and phone number text boxes that are read-only.
  • The View Enrollment Message basic action is made unavailable.
• Restrict enrollment to only token-registered devices
  UEM console now restricts enrollment to only token-registered devices.
  Enroll your devices with a token by navigating to Devices > Device Settings > Devices & Users > General > Enrollment and ensure that the Authentication tab is selected. Scroll down past the Getting Started section and select Registered Devices only as the Devices Enrollment Mode. A toggle labeled Require Registration Token appears. Enabling this option restricts enrollment to only token-registered devices.
• Enhanced the performance of the Device List View page in the UEM console
  The performance of the Device List View page has been improved by removing the option to sort by the Asset Number column.  Take advantage of this improvement by navigating to Devices > List View.  This enhancement is enabled by default.

Content Gateway

• Choose Unified Access Gateway (UAG) as an installation type when configuring a Content Gateway node
  Administrators can now use Unified Access Gateway (UAG) as an installation type to configure a new Content Gateway on Unified Access Gateway or to migrate the existing Windows or Linux Content Gateway to Unified Access Gateway.
  You can now opt in to choose Unified Access Gateway (UAG) as an installation type when configuring a Content Gateway node by navigating to Groups & Settings > All Settings > Enterprise Integration > Content Gateway.

iOS

• Configure new DEP skip settings for your iOS devices
  You can now configure three new DEP skip settings at the time of Apple Setup Assistant configuration
  Take advantage of this update by navigating to Groups & Settings > All Settings > Devices & Users > Apple >
  Device Enrollment Program and configure the Apple Setup Assistant workflow to Skip the following Setup Assistant options:
  • ​​iMessage And FaceTime: Enable the skip setting to prevent the iMessage and FaceTime prompt during Setup Assistant.
  • Software Update: Enable the skip setting to prevent informing users about Software Updates during Setup Assistant.
  • Screen Time: Enable the skip setting to prevent informing users about Screen Time during Setup Assistant.
• Request permission from the teacher to leave an unmanaged class in the Classroom app on iOS 11.3+ devices
  While creating Restrictions Profile for Education devices, you now have the ability to allow students who are a part of unmanaged classes in the classroom app to request permission from the teacher before leaving the classroom. 
  Take advantage of this update by navigating to Devices > Profiles & Resources > Profiles > Add. Select Apple iOS and configure the Classroom 2.0 Education Restrictions settings.
• Ability to disable USB Restricted Mode on supervised devices
  Added a new security and privacy restriction in the iOS Restriction profile that prevents the iOS 11.4+ supervised device users to enter passcode to initially connect or remain connected to USB accessories while the device is locked.
  Disable USB Restricted Mode on supervised devices by navigating to Devices > Profiles & Resources > Profiles > Add, select Apple iOS and configure the Restrictions playload.
• Configure the Minimum and Maximum TLS versions for the Wi-Fi networks
  While Configuring a Wi-Fi profile for iOS devices, you can now set the minimum and maximum TLS version for the VPN profile of IKEv2 type.
  Configure the Minimum and Maximum TLS versions by navigating to Devices > Profiles & Resources > Profiles > Add. Select Apple iOS and configure the Authentication details in the Wi-Fi settings.
• Configure Bluetooth as one of the Managed Settings for iOS devices
  Along with Voice Roaming, Data Roaming, Personal Hotspot, you now enable Bluetooth as one of the settings under Managed Settings page in the UEM console. 
  Take advantage of this update by navigating to Devices > Device Settings > Devices & Users > Apple > Apple iOS > Managed Settings > Default Managed Settings.

macOS

• Optionally disable enforced management of an application
  UEM console now has a new assignment flag called Desired State Management for macOS software distribution. The new flag provide the ability for IT to optionally disable enforced management of an application. Disabling this setting provide the flexibility to deploy applications as a part of one-time configuration and gives the end-users the liberty to uninstall the application locally if needed. 
  Optionally disable this setting by navigating to Apps & Books > Applications > Native > Internal and configure the Deployment settings.
• Configure new DEP skip settings for your macOS devices
  You can now configure two new DEP skip settings at the time of Apple Setup Assistant configuration.
  Take advantage of this update by navigating to Groups & Settings > All Settings > Devices & Users > Apple >
  Device Enrollment Program and configure the Apple Setup Assistant workflow to Skip the following Setup Assistant options:
  • ​Choose Your Look:  Enable the skip setting to prevent the users from choosing the light or dark mode during Setup Assistant.
  • Display Tone: Enable the skip setting to prevent the Display Tone screen during Setup Assistant.
• Allow access to all applications in the user context macOS SCEP payload
  Added an option to allow access to all the applications in the user context macOS SCEP payload. When the feature is enabled, all the applications on the device are granted access to the certificate keychain that is issued by the SCEP payload. Thus, the user is never prompted to enter the credentials for granting access to any application on the device.
  Take advantage of this update by navigating to Devices > Profiles & Resources > Profiles > Add > Add Profile and configure the SCEP playload. 
• Choose to enable and disable Bluetooth command on macOS 10.13.4+ devices
  Device Details Action Button Cluster in the UEM console now includes Managed settings button that lets you enable or disable Bluetooth command. This is applicable only to macOS 10.13.4+ devices.
• Reboot your macOS 10.13+ device remotely with the Reboot device action
  Device Details Action Button Cluster in the UEM console now has a Reboot Device button that allows you to reboot a device remotely.
• Shut down your macOS 10.13+ device remotely with the Shut Down device action
  Device Details Action Button Cluster in the UEM console now has a Shut Down button which allows you to send command to shut down macOS devices remotely.
• Configure the Minimum and Maximum TLS versions for Wi-Fi networks
  UEM console now has the ability to set the minimum and maximum TLS version for the Wi-Fi profile of TLS, TTLS, EAP-Fast, and PEAP protocol types. Take advantage of this update by navigating to Devices > Profiles & Resources > Profiles > Add. Select Apple iOS and configure the Authentication details in the Wi-Fi settings.

Mobile Application Management

• Make asynchronous calls to VMware AirWatch Cloud Messaging with application publish
  During internal application publish, UEM console now makes asynchronous calls to AWCM so that the time taken for a batch of application installs to execute is not impacted by the performance of AWCM. The AWCM server picks the devices from a queue and sends notification.

Rugged

• Configure a proxy server when you install a new Linux-based pull service
  UEM console now allows you to configure a proxy server when you install a new Linux-based pull service. You can supply the host name, port, username, and password at install time. If you want to configure a proxy server onto your existing pull service, you must reinstall the pull service using the new installer.
  Take advantage of this update by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Pull Service Installers and follow the instructions prompted by the installer, including the optional configuration of a proxy server.
• Avoid undue strain on the database and improve the flow of data during the product provisioning process
  UEM console has now enhanced the Product Provisioning Command Queue with the following features to improve the product provisioning process: 
  • A limit has been placed on the number and frequency of commands sent to devices, which in turn, limits the number of samples returned.
  • The default limit for the AirWatch Cloud Messenger (AWCM) outbound queue to devices has been enhanced with a first in/first out (FIFO) algorithm.
  • The policy engine has been enhanced with new logic that accounts for the number of records in such a way that it can reset its queue when needed.
  • Any user-initiated action during the provisioning process is fast-tracked immediately.
  • Navigate to Groups & Settings > All Settings > Installation > Performance Tuning and consult with support about making changes to the two new settings called Product Provisioning AWCM Throttle Rate and Product Provisioning Command Release Batch Size.​

Tunnel

• Ability to remove the Public SSL certificate from the SSL Certificate Life Cycle Management
  If you have uploaded an incorrect public SSL certificate and wish to remove the certificate from the database, you now have an option to remove them from the UEM console. Take advantage of this update by navigating to Advanced tab under VMware Tunnel. 

Windows

• View the OEM updates deployed to your Windows 10 devices in the OEM Updates list view
  Workspace ONE UEM now displays all the deployed OEM updates in the OEM Updates list view. This page allows you to filter the updates by the update type including audio driver, chipset driver, BIOS updates and more. To see these updates in the UEM console, navigate to Devices > Lifecycle > Updates and select the OEM Updates tab.
• Reboot your Windows 10 devices remotely with the Reboot device action
  Device Details Action Button Cluster in the UEM console now has a Reboot Device button that allows you to reboot a device remotely.
• New minimum intervals for the device samples
  The AirWatch Agent for Windows platform has been updated with new check-in interval minimum values. The minimum sample values start at 120 minutes.
  To set the new minimum intervals, navigate to All Settings > Devices & Users > Windows > Windows Desktop > Agent Settings.

Mobile Application Management

• Wokspace ONE UEM console displays location name of the VPP location token:  Starting this release, location name of VPP location token is reported in the UEM console.

Android

• Pre-release version deployment for Android: Admins can now decide whether to push Alpha or Beta versions of apps before pushing a production version of an app to all users. Alpha and Beta versions published through Google Play can now be assigned and made available through the managed Play Store on Android devices. When assigning applications, there is a new field, Pre-Release Version for you to select which app version. If you do not select Alpha or Beta, the production version of the app is automatically pushed to all devices.
• Updated minimum check-in interval for AirWatch Agent for Android: The AirWatch Agent for Android has been updated with check-in interval minimum values. The minimum sample values start at 30 minutes. The Profile Refresh option for AirWatch Agent for Android now includes intervals for 6 hours. For minimum values see Agent Settings page for Android. 

iOS

• Updated minimum check-in interval for AirWatch Agent for iOS: The AirWatch Agent for iOS has been updated with check-in interval minimum values. The minimum sample values start at one hour. For minimum values see Agent Settings page for macOS. 

Windows

• Workspace ONE UEM OMA-DM support: Workspace ONE UEM now supports an OMA-DM secure channel to ensure communication between Windows Desktop devices and Workspace ONE UEM is secured. This secure channel uses the enrollment certificate to sign and encrypt messages between the device and Workspace ONE UEM.

Secure Email Gateway

• Secure Email Gateway support for Email Notification Service (ENS): SEG now provides authorization and compliance for Exchange Web Services (EWS) traffic used by VMware Boxer’s Email Notification Service (ENS). ENS for Cloud and On-premises deployment, and CBA using Kerberos Constrained Delegation (KCD) is supported.