The latest and greatest of VMware Workspace ONE is now available in the new release of version 1903, including new console features, new Apple, Android, and Windows 10 enhancements, plus additional tools!
What’s New Video
You can find out about the new enhancements by watching the What’s New video:
Deep Dive Video
You can get a more in-depth view by watching the Deep Dive video:
UEM Console Enhancements
The Workspace ONE UEM Console sports a number of new enhancements that make your life easier.
Navigate Easily Between Workspace ONE Service Consoles
You might have more than one console open, such as Intelligence or VMware Identity Manager, along with Workspace ONE UEM. A new icon in the upper right corner now enables you to easily switch from one console to another so you can easily navigate from one Workspace ONE service to another. This is enabled by default.
Assignment Groups Have New Categories
The new categories are Management Type and Enrollment Category.
- Management Type - Targets devices on a cross-platform basis, whether they are managed by UEM or an application such as Boxer or Content.
- Enrollment Category - Targets specific Android and iOS device deployments, which enables you to filter by deployments. For example, you can now filter Android enterprise devices from Android legacy deployments. If you are applying a specific profile or restriction that applies to specific deployments, this feature is vital to enable you to target those specific deployments.
Intelligent Hub Has Enhancements
When leveraging VMware Identity Manager with Intelligent Hub for device enrollment, you now have support for basic users, as well as for the Active Directory users that have been supported all along. In previous releases, authentication and multi-factor authentication required the use of Active Directory. But now, you can use Intelligent Hub to enroll basic and local users. The basic users in Workspace ONE UEM sync to the local user’s directory in VMware Identity Manager. These users, in turn, are eligible to perform single sign-on access to resources.
Android Staging and Shared Device Enrollment
Android staging and shared device enrollment is supported with Intelligent Hub. For details, see the Android section.
AirWatch Express for Basic Device Management
You can use AirWatch Express, a simplified version of Workspace ONE UEM, for basic device management. New actions have been added to AirWatch Express, including:
- Clear Passcode – Clear the passcode remotely from a device
- Device Wipe – Perform a factory wipe on the enrolled device
- OS Update – Start the flow of operating system updates to eligible devices
Admin Role for Bulk Tag Assignments
You can create a dedicated role to focus on assigning the tags. You can have a group of administrators create tags, and another group of administrators assign the tags. This feature is relevant if you have a hierarchical administrative structure, such as a Super Admin, who handles most of the management tasks, as well as secondary administrators who are responsible only for assigning tags to devices and other assets. To find this, navigate to Account > Administrators > Roles > Device Management > Bulk Management.
Quick Filter Search for Profile Payloads
You can enter a term or phrase in the search box, and that will immediately start filtering your search. This is especially handy for sifting through platforms with long lists of payloads.
Workspace ONE UEM 1903 release includes a number of enhancements regarding Apple-related functionality.
More Secure Enrollment Profile Installations
The Console and Intelligent Hub have been changed to support new behavior during enrollment in iOS. In the last two iOS beta cycles, Apple introduced this new behavior to improve platform security. In order to decrease misleading profile installations, you now must manually select to install the profile within 8 minutes after downloading it. If you wait too long, iOS deletes the profile.
Workspace ONE now provides a reminder in either the browser or the Intelligent Hub to remind you to take the required next step in Settings. In Settings, a series of prompts directs you to the downloaded enrollment profile and instructs you to install it.
More Control Over macOS Apps
As an administrator, you can decide whether to display or hide macOS native non-store applications and bootstrap packages in the App Catalog. This improved control allows you to reduce clutter in the user’s App Catalog. You can also leverage this functionality to deploy apps and scripts silently.
Clearer Notifications for iOS Wipes/Deletes
Notifications now more accurately reflect status when administrators issue a wipe or delete device command.
Before this release, there was confusion because when an administrator wiped or deleted a device, the device still appeared to be enrolled even though the wipe was pending. With the new release, when administrators initiate wipes, they are notified with a message saying, “Enterprise Wipe Initiated.”
There was also confusion previously because when the administrator deleted a device that was offline, the device went into “Delete in Progress” mode and was never actually deleted. With the new release, a device in this circumstance is deleted immediately without waiting to come back online.
Console VPP Count Improvements
The redeemed and externally redeemed license counts have now been combined into a single license count called Redeemed. This means you can easily see the total number of redeemed or deployed licenses which are unavailable for reassignment.
Windows 10-Specific Enhancements
The Workspace ONE 1903 release now supports Peer to Peer Distribution. The Workspace ONE Provisioning Tools is also now fully supported.
New: Workspace ONE Peer to Peer
The Workspace ONE Peer to Peer solution is easy to deploy, and available in both Professional and Enterprise editions of Windows 10. It utilizes BranchCache technology, a content-caching mechanism designed by Microsoft to reduce network bandwidth over WANs. It is supported on Windows 10 Professional and Enterprise editions using Background Intelligent Transfer Service (BITS), which helps regulate the among of bandwidth used when transferring files. No additional services are set up, and no additional licenses are required.
You must make sure the feature flag is enabled, then under System, go to Enterprise Integration > Peer Distribution. Turn on the new Workspace ONE Peer Distribution option and assign to smart groups.
Requirements to enable Peer to Peer Distribution are minimal.
- Servers – Sit back and relax. Whether you’re on SaaS or on-prem, everything is handled by the device services and installer.
- Clients – Verify that no restrictive firewall rules have inadvertently prevented the process from behaving as intended or blocked the required ports. Verify the following:
- BranchCache is running
- Default BranchCache firewall rules are enabled and required ports are open
- BranchCache service is running
For more information about Branch Cache, see What is BranchCache https://docs.microsoft.com/en-us/windows-server/networking/branchcache/branchcache#bkmk_what.
Best Practices and Troubleshooting
The video is packed with helpful troubleshooting tips and best practices to keep in mind as you start using Peer to Peer Distribution. For example, you can warm up the cache at a site by pushing the software you want to deploy to a single client. This client then stores the content in its cache.
A good test to verify that BranchCache is running within a branch is to watch how much data is transferred from the server, compared to the cache. You have a choice of how to do this, including the registry, PowerShell, and Perfmon.
Note: Peer to Peer Distribution is designed only for software distribution, not for patching.
Workspace ONE Provisioning Tool
The Workspace ONE Provisioning Tool is now fully supported. So, you can use the VMware Workspace ONE Provisioning Tool to simplify the testing and validation of your apps in your own environment, before sending the files to be applied in the Dell factory as part of the Dell Provisioning service.
Two of the main enhancements for Workspace ONE 1903 are staging and check-in/check-out (CI/CO) with VMware Identity Manager. VMware Identity Manager integration with UEM now allows syncing UEM basic users to VMware Identity Manager. You can use VMware Identity Manager integrated third-party authentication, such as MFA, Ping, and Okta.
You can now sync UEM basic users into the enrollment flows for Android devices. To do this, navigate to Settings > System > Enterprise Integration > VMware Identity Manager > Configuration. Then enable the Basic User Sync.
To benefit from the new Workspace ONE 1903 enhancements, you must have:
- UEM Server 1903
- Intelligent Hub 1903
- Launcher for Android CI/CO 4.3
- VMware Identity Manager hosted
- Hub Services
The new integration supports the following staging features:
- Single user standard staging enrollment
- Single user advanced staging enrollment
- Multi-user staging enrollment
- Hub catalog for staged enrollment
- People Search
- Home tab
Samsung EFOTA Phase 2
The new release also supports the Samsung Enterprise Firmware Over the Air (EFOTA) Phase 2. The new release upgrades to EFOTA API v2, which gives you the option to have a forced or an automatic installation of all of your updates, including the ability to schedule the updates to occur at a convenient time. This makes for easier management of your over-the-air updates on all devices.
Application Management, SDK, and APIs
The new release also brings several enhancements to application management, the SDK, and APIs.
Application Management Enhancements
The Workspace ONE 1903 release offers a new authentication type called Service Account Credential, for integrating mobile flows connectors with the backend system. The connectors are Service Account-Based Connectors.
Now, when you’re integrating mobile flow connectors with backend systems like Coupa, Concur, and so on, all you do is provide the service account credentials. To do this, you navigate to Content > Mobile Flows > New Mobile Connector. In the Authentication Type field, select Service Account, and then enter the API key in the Service Account Credential field.
Workspace ONE Privacy Module
You can build a screen within your application itself and use it to educate your end users and obtain their consent about data collection and device permission requirements. You can also include an optional link to the web-based privacy policies, as well as an option to prompt the user for their consent to an analytics opt-in.
These privacy options are modular, so you can consume it with or without the full Workspace ONE SDK. You can embed just this module in your app if you are concerned with privacy alone. Or you can integrate the full Workspace ONE SDK if you want additional features, such as custom settings, data-loss prevention, and so on, along with this privacy module.
If you embed just the privacy module, it will reduce your app size and loading times more than if you integrate the full SDK.
Dynamic Compromise Detection
Another new feature is the securely update the compromised detection algorithm over-the-air for SDK-built iOS apps. No need to update or re-release the app after compromise rule update.
Previously, if your compromised detection algorithm changes from the old algorithm, you had to update the application, or re-release the application before the new algorithms could take effect.
Now with this new feature, you can securely update the compromised detection algorithm over-the-air. To do this, you navigate to the compliance payload of the SDK profile and check the box for Enable Compromise Projection.
- Workspace ONE SDK for iOS v19.2 - Keep in mind that this feature is only available with iOS currently and apps built using Workspace ONE SDK 19.2 Swift version.
- For Dynamic Compromise Detection Connectivity, use the following URLS:
Network API Improvements
The REST APIs for Network now return all known network adapter MAC addresses in response to a network information query. That means that if, for example, you search by serial number, you receive:
- GET /MDM/Devices
- GET /MDM/Devices/Network
- GET /MDM/Devices/ExtensiveSearch
This is especially useful if, as an administrator, you are integrating Workspace ONE UEM with Network Access Control systems. Now you get a list of all MAC addresses, instead of simply a connection type. This helps prevent accidental service denial. Since the API is redesigned to return all MAC addresses, no accidental denials should occur, based on the MAC address allow-list.
Subject Matter Experts
The following people contributed to this release:
- Shardul Navare, Senior Technical Marketing Architect for VMware EUC, subject matter expert for Workspace ONE UEM Console and application management
- Robert Terakedis, Senior Technical Marketing Manager for VMware EUC Mobile Marketing, subject matter expert for Apple iOS and macOS platforms
- Chris Halstead, Staff Architect for VMware EUC Mobile Marketing, subject matter expert for Microsoft Windows 10 platform
- Karim Chelouati, Senior Technical Marketing Manager for VMware EUC Mobile Marketing, subject matter expert for Android platform