Technical Marketing Manager, End User Computing, VMware.
Cindy is a Technical Writer Manager in VMware’s End-User Computing Technical Marketing department. She has almost 20 years of experience communicating software concepts online in the form of guides, manuals, and blog posts. Cindy has been producing and collaborating on white papers, blog posts, and other content about VMware Horizon Cloud, VMware Workspace ONE, VMware Identity Manager, and more since 2013.

What's New in VMware Workspace ONE UEM 1902

February 21, 2019

What's New with Workspace ONE 1902

Announcing what's new in VMware Workspace ONE UEM 1902! The highlights of this release are covered in the overview video, including new features for Windows 10 management, macOS and iOS management, Android management, and enhancements to the Workspace ONE UEM console. A second video provides a more technical deep dive into each feature, including how to set up and use a custom baseline.

Overview Video

Watch this video to get a general overview of the new features and enhancements in Workspace ONE UEM 1902:

 

Deep Dive Video

Watch this video for a technical deep dive into the new features and enhancements in Workspace ONE UEM 1902, and how to utilize the new features:

 

Windows 10 Management

A variety of new features are now available for Windows 10 management, including baselines, desktop personalization profiles, Workspace ONE Intelligent Hub enhancements, the ability to hide apps from the Catalog, and factory provisioning enhancements.

Tech Preview: Workspace ONE Baselines

Workspace ONE curates the best practices of your particular enterprise into configurations called baselines. You can use a baseline to configure settings, profiles, and security features. Then apply the baseline to your Windows 10 devices, instead of having to configure each setting, profile, or security feature individually. This not only saves time and effort, it also ensures that all your Windows 10 devices meet the same security standard, such as the CIS Benchmarks. 

Requirements:

This feature is currently offered as a tech preview and only supported on SaaS.

  • Workspace ONE UEM 1811+
  • Workspace ONE UEM Admin with Manage/View Baselines Roles
  • Workspace ONE Intelligent Hub 1811+
  • LGPO.exe located at %ProgramData%/AirWatch/LGPO*
  • SaaS Hosted Workspace ONE UEM
  • Workspace ONE Advanced or greater

New Desktop Personalization Profile

You can use this profile to personalize Windows 10 wallpaper and lock screen images, and customize start menu layout. You can also apply start menu policies like hiding the app list, setting user tiles, power options, and more. This new feature enables you to quickly customize Windows 10 devices over-the-air without relying on GPO support.

The following feature walk-through video shows this feature in action:

 

Requirements:

Microsoft Windows 10 version 1703+

Workspace ONE Intelligent Hub

You can now locally extract logs and generate status reports for Workspace ONE Intelligent Hub. Users can address issues on their own devices armed with the data from logs and reports. Admins can gather device logs both locally and remotely, to troubleshoot Workspace ONE Intelligent Hub issues faster.

Hiding or Advertising Apps in Catalog

You now have the option to hide applications, so they are not displayed in the catalog. This gives you the flexibility to deploy software that is for IT or security use only, without the software being visible to end users in the catalog. It is especially useful for software that you do not want end users to see or modify, such as initial boot-up scripts.

Factory Provisioning

A new wizard-driven UI makes factory provisioning easier and faster. You can create configuration files for various use cases, and export Win32 apps for preloading in the factory as a provisioning package. This saves time because you create both the configuration file and the PPKG in a single step, and reduces susceptibility to error. App support has also been expanded to include apps uploaded before enabling software distribution, user context apps, and apps with MST and MSP files.

macOS and iOS Management

A number of enhancements to macOS and iOS management are also now available. This includes Hub-related improvements, SIP status compliance checks, eSIM restrictions, and additional data for troubleshooting app malfunctions.

macOS Hub-related Improvements

The Intelligent Hub Application Settings and Intelligent Hub Settings pages have been combined for ease of use and to reduce confusion. You can now take care of settings and applications in one place.

SIP Compliance Checks

A new compliance check now includes System Integrity Protection (SIP) status as a default. SIP prevents malicious software from modifying protected files on macOS, and is not easy to disable. When this compliance check is enabled, any devices that have been tampered with are flagged so admins can take action.

Requirements:

Apple macOS v 10.11+

eSIM Restrictions

A new restriction key has been added to iOS 12.1+ that prevents users from adding or removing cellular plan information from eSIM on iOS devices. The eSIM can support multiple carriers, and you can use this restriction to prevent the eSIM data plan from being modified, or to prevent an eSIM carrier from being configured where a physical SIM is being used. A new option in the iOS Profile enables you to allow or prevent eSIM modification with one click.

Requirements:

eSIM-enabled iOS 12.1+ devices

Additional App Details for iOS

More information about each app is now provided to help you troubleshoot malfunctioning apps. You can see the new data in two additional columns in the Device Details page, so you can see at a glance that an app needs an update, as well as the source of the app. The Source column informs you if the app was installed by the user from a public app store, managed from the public app store, volume licensed, or ad hoc internal.

Android Management

A number of enhancements to Android management are also now available, including a new profile for custom messaging, optional password field during enrollment, and Android Enterprise Check-In Check-Out.

Custom Messages

A new profile payload allows you to create custom messages that you can set in the locked screen, blocked settings, or the long message in Settings. For example, if a device is stolen, you can display a message on the locked screen. The Lock Screen message is disabled by default. If you enable it, a text box is provided in which to add your customized message. The Blocked Settings message is also disabled by default. If you enable it, two text boxes are provided, which are limited to 200 characters. The Long Message is disabled by default as well, and if enabled, one text box is provided. Users can view the message under Settings > Security > Device.

Requirements:

Android 7.0+ for both Work Managed and Work Profile devices

Optional Password Field for Enrollment Wizard

The password field is now optional for the Android enrollment wizard. Under the Staging & Provisioning QR Code enrollment, you were previously required to enter a password. The password field is now optional because a password is not always required when connecting to a network.

Requirements:

Android 8+

Android Enterprise Check-In Check-Out

This new feature enables you to retain an application and its data after checking out the device. Previously, we always uninstalled the application and its data after either check-in or check-out. However, in some use cases such as retail, admins wanted to retain certain apps and the respective data for the next use. This option now allows the application and data to remain on the device after check-in or check-out. You can enable this option under Android Logout Settings. Note that this can raise privacy issues.

Workspace ONE UEM Console

Enhancements to the UEM Console now include password expiration notifications, Secure ID in SAN certificates, curated list of settings, Intelligent Hub experience, and VMware-hosted mobile flows connectors.

Password Expiration Notifications

You are notified in advance about impending password expiration. The default value for the time of advance warning is five days and can only be changed for on-premises deployments. The default cannot be modified for shared or dedicated SaaS.

Secure ID in the SAN Certificate

Secure ID (SID) is now included in the certificate template as the SAN attribute. SAN Type depends on look-up values, which can be insecure if the value is easy to obtain, such as an email address. On the other hand, SID is unique, of variable length, and is issued by an authority such as a domain controller. The inclusion of SID provides greater security because the SID for any particular user is harder to guess.

Requirements:

Supported only for ADCS CA integrations

Configurations Page

If you find the list of system settings overwhelming, the new Configurations Page is for you. The Workspace ONE UEM Console puts settings for many use cases at your fingertips, but not all settings are equally relevant to any single deployment. The Configurations Page is a curated list of critical system settings. If you are interested in VMware Productivity Apps or Enterprise Apps that use Workspace ONE SDK, just navigate to Groups & Settings > Configurations, search for SDK, and it will tell you the integration name and category that is relevant for you. You can also share the curated list of essential settings with other administrators for collaboration.

Workspace ONE Intelligent Hub Improvements

The Workspace ONE Intelligent Hub experience has been improved by simplifying the process of getting started. If you do not have a cloud instance of the VMware Identity Manager, there is no need to file a support ticket. Instead, just click the Request Cloud Tenant button. If you already have one, enter the URL and credentials to get started quickly.

VMware-Hosted Mobile Flows Connectors

It is now easier to leverage mobile flows functionality because VMware hosts some of the mobile flow connectors. For example, to leverage the Salesforce mobile flow connector, enter the Discovery URL of the mobile flow connector hosted by VMware. Configure the Base URL of the backend system or the hosted Salesforce instance in your environment. Then configure the Network/Access rules, which enable the mobile flow connector hosted by VMware to communicate with the Base URL. You no longer need to set up the mobile flow connector from scratch, which results in quicker adoption and simplified deployment.

Application Management

Enhancements to application management now include the ability to upload different versions of the same application.

Previously, you had to maintain a UEM version, especially when uploading an older version of an app after having already uploaded a newer version. Now you can upload an older version without adjusting the console or switching to a different group, resulting in better version control. For example, you can apply a patch for an older app even after a newer version has been deployed to a beta test group. Some exceptions apply, such as if you upload a different build of the same version of an application, or if the application utilizes an alpha-numeric code for versioning. Also note that assignments are from the newest version, even if an older version is successfully uploaded.

Contributors

The following people contributed to the creation of this deep dive:

  • Josue Negron, Staff Architect for VMware EUC Mobile Marketing, contributed Windows 10 content.
  • Robert Terakedis, Senior Technical Marketing Manager for VMware EUC Mobile Marketing, contributed iOS and macOS content.
  • Karim Chelouati, Senior Technical Marketing Manager for VMware EUC Mobile Marketing, contributed Android content.
  • Shardul Navare, Senior Technical Marketing Architect for VMware EUC, contributed Workspace ONE UEM Console and application management content.

Comments

andrew.clack@cfacorp.com
Really appreciate the deep dive video. A couple questions I have regarding baselines:
- Looks like LGPO.exe is being used which essentially sets local group policy using a GPO backup. In theory any admin user could change these policies via gpedit.exe. Is LGPO used to set the policy just once or does it re-run on some interval to ensure there is no policy drift?
- Ideally, we'd like as many settings configured via CSPs (MDM profiles) as possible. This would help alleviate some of the concern in my first question because settings set via CSP are persistent and can't be changed by a user - not even an admin user. Does baselines only use GPO backups or is it configuring CSPs where possible?
By andrew.clack@cfacorp.com
March 07, 2019
Chris Halstead
Hi Andrew - It is group policy over the air - which is different than just using gpedit. Today it just sets the policy one time. Baselines is also just GPO today - CSPs are available as profiles in the Workspace ONE console. Any CSPs that are not available in the console can be created with https://vmwarepolicybuilder.com/#/login and applied through the console. Thanks
By Chris Halstead
March 11, 2019