The Community

Stay up to date…

Arsen Bandurian: Technical Blog Digital Workspace, End User Computing, Enterprise Mobility, AutoID, WLANs, OSes and other technical stuff I happen to work with

  • Check if a Microsoft Form comes from a trusted source
    by apcsb on November 6, 2023 at 10:14 am

    When you open a Microsoft Form asking you for some sensitive data, do you know where your data will land? Could it be phishing? Read on to find out… Recently, I have received an email at work asking me to fill out a form with some sensitive personal details (voluntary disclosure). I don’t mind... Continue Reading →

  • Enhancing Windows Update Catalog metadata Accessibility
    by apcsb on September 11, 2023 at 7:30 am

    Microsoft has recently released a major update to the Windows Update catalog back-end, adding crucial information such as CVEs (Common Vulnerabilities and Exposures) addressed by the update and the CVE Score directly into the API. This information is essential for Threat and Vulnerability Management decisions as well as Patch management, and many organizations pay $$ for... Continue Reading →

  • Quickly validate and enable manual application uninstall via Intune Company Portal using Graph API
    by apcsb on August 3, 2023 at 7:04 am

    I am back and the titles are getting longer! If you are an Intune admin, you will probably be happy to know that one of the most required features has landed: Uninstall Win32 and Microsoft store apps using the Windows Company Portal. One thing you need to be aware of, is that this feature is... Continue Reading →

  • Building a custom Windows Update Report p1: Parsing HTML via PowerShell on modern systems (no IE)
    by apcsb on July 28, 2022 at 7:30 am

    Wow, it’s been a while! A customer of mine recently wanted a detailed report that should include info such as how many weeks the Windows on the machine is behind the latest available Security Update. We’ve found a way to combine Intune Data Warehouse and PowerBI to pull data that allows to identify the... Continue Reading →

  • A case of OneDrive Personal Vault not coming up (0x8031000a, MDM, GPO and BitLocker)
    by apcsb on March 18, 2022 at 6:23 pm

    Today I wanted to enable the Personal Vault feature on my Home PC. While following the wizard I got an error 0x8031000a “Your organization requires your device to join the domain before you can use the Personal Vault”. What does this have to do with MDM, GPO and BitLocker troubleshooting? Here’s some quick Friday entertainment!... Continue Reading →

  • Samsung announces Knox SDK restrictions for Android 15
    by Jason Bayton on June 15, 2024 at 12:00 am

    Android's Device Administrator (DA) APIs were a cornerstone of device management since their inception way back in Android 2.2. However, with their deprecation in 2017 with Android 9.0 (and obviously prior given AE was introduced in 5.0), Google and the wider ecosystem (👋) have encouraged a shift to the more robust and secure Android Enterprise as DA APIs have slowly faded away. Embracing Android Enterprise provides organisations with better security, enhanced functionality, and clearer data separation.

    For an in-depth read, see:

      • Google is deprecating device admin in favour of Android Enterprise.
      • What’s the difference between Device Admin and Android Enterprise?
      • Android Enterprise vs Device Admin: Why DA is no longer suitable

    In contrast, Samsung’s Knox APIs have maintained capabilities for applications outside of Android Enterprise for several years since DA’s deprecation, even while Google has slowly removed said APIs from circulation with newer Android releases. There have been use cases for this, especially around value-add solutions leaning on Knox APIs while devices are managed with other EMM platforms, but with Android 15, this is about to change.

    In spite of how it looks, it may not be a sudden change of heart from Samsung, as the timing of this aligns closely with upcoming restrictions in Android 15 that appear to make this basically necessary.

    Samsung's Knox SDK Update

    Samsung is restricting access to several of its Knox SDK APIs for use only within the Android Enterprise management framework, gradually phasing out access for non-enterprise apps (or, at least, those enterprise apps not used within scope of Android Enterprise). Starting with Android 15 (Knox 3.11) later in 2024, only apps running as Device or Profile Owners will have access to the relevant Knox SDK features. By late 2025, with Android 16, all Knox SDK APIs will be restricted in the same way.

    Samsung says this move aims to enhance device security and ensure that advanced features, like remote control capabilities, are only utilised within managed environments. For further details, check Samsung's announcement.

    The affected APIs for 15 are:

    | SDK Class               | SDK Method(s)                         |
    |-------------------------|---------------------------------------|
    | EnterpriseDeviceManager | setAdminRemovable                     |
    | ApplicationPolicy       | installApplication                    |
    |                         | uninstallApplication                  |
    |                         | uninstallApplications                 |
    |                         | updateApplication                     |
    |                         | setApplicationStateList               |
    |                         | setApplicationComponentState          |
    |                         | setApplicationInstallationDisabled    |
    |                         | setApplicationUninstallationDisabled  |
    |                         | stopApp                               |
    |                         | startApp                              |
    |                         | addPackagesToPreventStartBlackList    |
    |                         | addPackagesToDisableUpdateWhiteList   |
    |                         | addPackagesToDisableUpdateBlackList   |
    |                         | preventNewAdminInstallation           |
    |                         | preventNewAdminActivation             |
    |                         | addNewAdminActivationAppWhiteList     |
    |                         | addAppPackageNameToBlackList          |
    |                         | addPackageToWhiteList                 |
    | CertificateProvisioning | deleteCertificateFromKeystore         |
    |                         | resetCredentialStorage                |
    |                         | addPackagesToCertificateWhiteList     |
    | SystemManager           | setHardKeyIntentBroadcast             |

    | SDK Class       | SDK method(s) |
    |-----------------|---------------|
    | RemoteDesktop   | All methods   |
    | RemoteInjection | All methods   |

    And their accessibility:

    | Knox SDK methods       | AE (DO/PO) apps | DA mode apps   | Other apps     |
    |------------------------|-----------------|----------------|----------------|
    | DA restricted methods  | Accessible      | Not accessible | Not accessible |
    | Remote control methods | Accessible      | Accessible*    | Accessible*    |
    | Other methods          | Accessible      | Accessible     | Not accessible |

    *Accessible in DO/PO

    Google's Policies for 15

    Google is expected to introduce new, sweeping mandates around custom API development and data access/management for devices launching with or upgrading to Android 15. They define where APIs can target (based on management mode), what they can do (such as special permissions management), and the visibility they provide organisation admins that don't align with that already in AOSP.

    It feels like the final nail in the coffin of DA and DA functionality outside of Android Enterprise management, and obviously impacts all OEMs (except those building for dedicated use cases alone, it appears, so the likes of Zebra, Honeywell, Panasonic, and more may be exempt).

    Potential impact

    For enterprises, this shift presents both challenges and opportunities; the latter in hopefully being a final shove into migrating legacy deployments into Android Enterprise management and off of DA, though for the vendors reliant on these SDKs today for non-AE deployments, it poses a significant and quickly-approaching deadline to work with organisations in allowing functionality to be restored. Of course, in some instances this won't be feasible for the use case of the app in question, or the ability for organisations to adapt.

    It'll be interesting to see what comes of this as 15 rolls out, and I'm sure we'll see plenty of conversations about it over on the Customer Community.

  • What's new (so far) for enterprise in Android 15
    by Jason Bayton on April 11, 2024 at 12:00 am

    It's that time of year again. Android 15 is available in pre-release, and combined with some of the changes I've seen committed to the developer documentation, there are a few tasty treats for organisations to come in the next dessert (Vanilla Ice-cream to don't you know).

    This is, as last year, a non-definitive and unconfirmed list of changes. Like the work profile changes in Android 14 things can change at any point and without warning.

    Here we go!

    A bump to minimum SDK version for installation of apps

    As expected, the restriction on installing applications targeting very old versions of Android is getting a bump. In Android 15 it will no longer be possible to install apps targeting API level 23 - Android Marshmallow / 6.0 - or older. Only apps that target Android 7.0 - API level 24 - or later will be permitted.

        jason@MBP Downloads % adb install app-release.apk
        Performing Streamed Install
        adb: failed to install app-release.apk: Failure [INSTALL_FAILED_DEPRECATED_SDK_VERSION: App package must target at least SDK version 24, but found 23]

    Just as last year, we're talking about applications targeting a version of Android 10+ years old. While some organisations with line-of-business apps that haven't seen an update in half a decade may balk at the idea of getting their applications updated or rewritten, the justification behind this limitation is solid - security.

    Where apps targeting <6.0 were able to abuse the old permissioning system (pre-runtime!), apps targeting 7.0 are still able to abuse device administrator and similar APIs. This isn't something you want potentially leveraged directly or indirectly on your managed estate.

    Content protection policy

    This appears to offer control for the scanning of harmful applications on a device, perhaps allowing admins to explicitly prevent line of business APKs from being flagged up on end user devices as potentially harmful, unrecognised, or any other state that'd trigger a complaint to the admin helpdesk. It has been a point of contention for the dedicated ecosystem for some years, particularly as Play Protect has become more active and aggressive over the last few Android versions.

    Unfortunately CPP appears related to a newer Phishing Protection service introduced with Google Play Protect, and will not give admins the ability to disable on-device scanning overall. This is covered in a recent security blog from February.

    I'm not sure it's something I'm personally going to be advocating for with customers for the most part unless it's actively causing issues, but it's amazing to see Google catering to the dedicated space for a change after so much increased focus on features that promote privacy at the cost of control for dedicated estates.

    Android 15 also introduces the permission android.permission.MANAGE_DEVICE_POLICY_CONTENT_PROTECTION for apps which are not the device or profile owner to be able to interface with this API.

    Disallow NFC radio

    As it says on the tin. If you're thinking "Don't we already have an API for NFC?" Yes we do, but that's to control the beaming of data between devices. This is a full on radio disable and will probably live under DeviceRadioState in AMAPI at some point later.

    Disallow Thread Network

    I'm assuming this is related to comms with thread devices, no additional context has been provided, but you can assume what's coming.

    Disallow SIM Globally

    This sounds like it's ticking off a long-desired feature request to fully disable all cellular on a device, but again missing any additional context I don't want to jump to conclusions.

    Vital apps mandate for document previewer

    I touched on this in a recent doc. The absence of a document preview application for managed devices has been quite a noisy complaint from organisations for many years, overshadowed only by missing camera &/ gallery applications. None of these apps have been mandated by Google for the fully managed/work profile user experience, and so the common trend is to see them simply not added.

    In fact, when I was building devices for enterprise, I spent a decent amount of time learning the intricacies of vital apps and considering the use cases of customers to determine what was vital to productivity. I'd always opt to deploy Files By Google as the "Downloads" application, as this killed two birds with one stone - file preview support & a file (download) manager. Any photos taken could then be viewed in this app.

    But not all OEMs consider this, or really think about enterprise at all, and so it's nice to see Google identifying the gap and plugging it accordingly.. even if it took several years to do so.

    A switch to feature flagging

    This isn't super new information, as Google have been feature flagging already with Android 14, but Google are touting Android 15 as their line in the sand for introducing their new approach to development, Trunk Stable.

    Mishaal Rahman, the prolific Android code-sleuthing extraordinaire, goes into more detail on Trunk Stable and aconfig (the feature flag system), as well as many more (lesser enterprise) Android features in this video from the latest AOSP & AAOS meetup:

    The change is an interesting one, it comes across as there being more code out in the open to review, and the ability to potentially build Android flavours with feature flags enabled for early access to features not yet committed to a release, but equally seems that it'll be far harder to put a finger on timelines of when features will actually land in builds; could it be the next dessert release? A QPR update? Who knows.

    Furthermore, this adds far more flexibility for the Android team, and I presume far less pressure on managing the development cycle for when things need to be pushed/pulled accordingly. Hiding work-in-progress code behind feature flags is probably considered a breath of fresh air for them 😁

    Platform signed permission management

    When a vendor works with an OEM to get their application platform signed, the application is granted all system-level permissions available on the device. As you can imagine, that is an unprecedented level of device access to data and services reserved normally for only the OEM system apps, and Google's preloaded suite of applications.

    In Android 15, Google are introducing system permission management, allowing OEMs to grant or deny permissions to signed applications, which allows for the considerable down-scoping of access of a signed app to only the explicit permissions they require to function.

    This won't apply to system apps bundled with a set of permissions in the OEM system image, but should permissions change in a later system app update, these permissions would also be denied automatically unless allowlisted in the respective system configuration.

    There's an additional config to allow platform-signed shared UIDs for non-system applications that have additionally previously required access to this.

    There are new alerts in logging to determine the permissions applications are no longer retaining access to, which vendors should already start looking at today to avoid loss of functionality. Knowing how many enterprise vendors lean on platform signature permissions today (basically most EMMs, several SaaS products, etc), this has the potential to cause headaches once 15 launches.

    Partial screen recording

    If you're like me and record your screen far too often to demonstrate anything from a device feature to a bug, user guides and more, you'll be pleased to hear the previously Pixel-only feature introduced in Android 14 is coming to the wider ecosystem with the 15 update.

    Now users can limit screen sharing to just the app they want to show, and no longer fret over the possibility of showing something that may not be appropriate for the context. Huzzah!

    Screen recording detection

    Continuing the theme of recording, this is not so much an enterprise feature in and of itself explicitly, but Android 15 will alert apps when the screen is being recorded, allowing them to hide contents. I can imagine this might be useful for enterprise applications across the board to bolster DLP (data loss prevention).

    App archiving

    Another expansion of existing functionality, Android 15 introduces system-settings control over app archiving, previously only opt-in and managed by Google Play directly. Presumably this will succumb to the same restrictions as disabling or uninstalling apps we have in place today (that is, users won't be allowed to depending on policy set).

    In my testing so far, archiving is just disabled on managed devices, with the option greyed out even on INSTALL_TYPEs of AVAILABLE (AVAILABLE means the app is provided to users within managed Google Play, but not downloaded or installed, so the user has full control over whether they wish to install it or not).

    Backup job execution exception permission

    Less enterprise-explicitly, and more of a general observation which may benefit enterprise app developers, Android 15 introduces the permission android.permission.RUN_BACKUP_JOBS, which:

        Gives applications with a major use case of backing-up or syncing content increased job execution allowance in order to complete the related work. The jobs must have a valid content URI trigger and network constraint set.

        This is a special access permission that can be revoked by the system or the user.

        Protection level: signature|privileged|appop

    It's a special permission, and likely only one being leveraged by vendors with OEM partner relationships given the protection level, but all the same it's pretty cool to see Google direct some attention to the backup use case.

    Restrictions on device identifiers for personally owned devices

    From Android 15, applications with the permission android.permission.MANAGE_DEVICE_POLICY_CERTIFICATES will be able to fetch getEnrollmentSpecificId, which is an enrolment-specific, unique device identifier that persists across re-enrolments when done so into the same deployment scenario (i.e. fully managed or personally owned work profile), by the same vendor agent, into the same enterprise (organisation/bind).

    It is an alternative to identifiers such as IMEI and serial number, which Google no longer grants access to for applications without the appropriate device or profile owner role, or DELEGATION_CERT_INSTALL via policy, and becomes the default and only option for fetching a unique device identifier for personally owned work profile devices in future.

    To be clear - applications in a personally owned work profile deployment up to now with the delegated permission of DELEGATION_CERT_INSTALL have been able to fetch a device serial number with relative ease, something that defeats the entire purpose of restricting access to the identifiers, considered to be personally identifiable information, in the first place. That loophole is closing.

    Broader system update visibility

    From 15, applications granted the permission android.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES will be able to obtain information about a pending system update. This softens the current requirements that an application be a device or profile owner in order to fetch this information.

    What this doesn't do, unfortunately, is offer more insight into what the available update is. Today we can see an update is available and whether or not it's a security update. This API needs to be updated to show:

      • build info, size, how long it's been available (not just when first detected),
      • SPL/Android version

    All of this is offered either through GOTA, Google's OTA management server many OEMs are encouraged to leverage (some don't of course, consider e-FOTA from Samsung, or HMD's new FOTA platform), or the build fingerprint of the package itself.

    Check MTE status

    Expanding on the options for getting and setting MTE policies in Android 14, in 15 it will now be possible to merely query the current state (evidently something that should have, but didn't, quite make it to the 14 release!)

    Control of parent profile screen settings in company owned work profile deployment scenarios

    From Android 15, company owned work profile deployment scenarios (COPE) will see scope of policies expand a little to include screen settings:

      • Screen off timeout (not to be confused with time to lock, which still supersedes this in terms of hierarchy)
      • Screen brightness (the actual brightness of the screen)
      • Screen brightness mode (manual or automatic)

    This comes across as a quality-of-life (QoL) improvement, though I'd have liked to be a fly on the wall when the scenarios were defined to justify prioritising this.

    Control over Private Space

    Android 15 introduces Private Space, the ability for users to allocate a selection of apps in a private, authenticated profile on the device. These applications are isolated - similar to a work profile - from the rest of the applications on the primary parent profile.

    The way this is managed is nuanced, per Google:

        The default value for an unmanaged user is false. For users with a device owner set, the default value is true and the device owner currently cannot change it to false. On organization-owned managed profile devices, the default value is false but the profile owner can change it to true via the parent profile to block creating of private profiles on the personal user.

    So in other words private space is disabled for fully managed devices by default, and cannot be enabled. For work profile-enabled company owned devices, this can be managed.

    In testing, my fully managed device does indeed fail to create a private space, but doesn't indicate why - it simply fails.

    Disallow assist content

    This restriction allows administrators to prevent privileged apps, such as Assistant, from receiving contextual device information. These include screenshots, package names, and more. Useful for admins wishing to reduce the sprawl of information access privileged apps can have.

    This is scope-specific, so on fully managed devices will apply device-wide, but on profile-enabled devices restricts only to the managed profile.

    Circle to search

    Relatively straightforward, an enterprise API is being introduced to lock down circle to search - the most unnecessarily hyped up feature I've seen in a long time. This is a nice continuation of assist content above, limiting the amount of data being sent to Google services.

    Widget management is back?!

    With Android 15, setKeyguardDisabledFeatures has been expanded with widget management to coincide with the re-introduction of lockscreen widgets for tablet devices. At this time it appears to only apply to widgets in managed profiles, with Google explicitly stating:

        the profile owner of an organization-owned managed profile can set KEYGUARD_DISABLE_WIDGETS_ALL which affects the parent user when called on the parent profile.

    More testing is needed to determine why this isn't available for fully managed devices.

    To note for wider context, lock screen widgets were removed way back in 5.0 citing, if I remember correctly, low use. With the recent focus on tablets, and Apple adding their own, Google clearly figured they matter again!

    Deeper dedicated device experience management

    With Better Together Enterprise, Google is introducing a new provisioning option for dedicated devices. In addition to PERSONAL_USAGE_ALLOWED and PERSONAL_USAGE_DISALLOWED, Google are introducing a third allowPersonalUsage AMAPI enrolment token configuration option of DEDICATED_DEVICE.

    Such distinguishing features between knowledge worker devices and the new dedicated devices flag include:

      • Setup Wizard customisation
      • Skipping/prevention of Google account setup
      • Default restrictions within the Android experience

    Managing dedicated devices, which have always been treated identically to any other consumer Android device on the market, has been a frustrating experience; devices an end user would never use shouldn't need to configure accounts, access Google Play, deal with all of the setup wizard interruptions around privacy callouts and more.. and now it looks like Google are finally doing something about it.

    Unfortunately a few years too late for the almost 5 years I supported dedicated devices on a daily basis, but I look forward to future projects benefitting from these changes.

    Additional management roles

    Something of a placeholder at the moment, because I don't fully understand the implications (other than goading Googlers about the reintroduction of Device Admin where all apps have the ability to get Device Policy Manager API control rather than just the explicit device/profile owner as it has been up to Android 14 -- it's not that, for the record, but documentation is just so light it's easy to draw those kinds of conclusions 😅).

    Once the scope of wider DPM role holders is clear, I'll update this here.

    More to come!

    As 15 continues to develop, I'll update this list accordingly. Feel free to reach out with anything you find also!

  • What's new (so far) for enterprise in Android 15
    by Jason Bayton on April 11, 2024 at 12:00 am

    It's that time of year again. Android 15 is available in pre-release, and combined with some of the changes I've seen committed to the developer documentation, there are a few tasty treats for organisations to come in the next dessert (Vanilla Ice-cream to don't you know). This is, as last year, a non-definitive and unconfirmed list of changes. Like the work profile changes in Android 14 things can change at any point and without warning. Here we go! A bump to minimum SDK version for installation of apps # As expected, the restriction on installing applications targeting very old versions of Android is getting a bump. In Android 15 it will no longer be possible to install apps targeting API level 23 - Android Marshmallow / 6.0 - or older. Only apps that target Android 7.0 - API level 24 - or later will be permitted. jason@MBP Downloads % adb install app-release.apk Performing Streamed Install adb: failed to install app-release.apk: Failure [INSTALL_FAILED_DEPRECATED_SDK_VERSION: App package must target at least SDK version 24, but found 23] Just as last year, we're talking about applications targeting a version of Android 10+ years old. While some organisations with line-of-business apps that haven't seen an update in half a decade may balk at the idea of getting their applications updated or rewritten, the justification behind this limitation is solid - security. Where apps targeting <6.0 were able to abuse the old permissioning system (pre-runtime!), apps targeting 7.0 are still able to abuse device administrator and similar APIs. This isn't something you want potentially leveraged directly or indirectly on your managed estate. Content protection policy # This appears to offer control for the scanning of harmful applications on a device, perhaps allowing admins to explicitly prevent line of business APKs from being flagged up on end user devices as potentially harmful, unrecognised, or any other state that'd trigger a complaint to the admin helpdesk. 
It has been a point of contention for the dedicated ecosystem for some years, particularly as Play Protect has become more active and aggressive over the last few Android versions. Unfortunately CPP appears related to a newer Phishing Protection service introduced with Google Play Protect, and will not give admins the ability to disable on-device scanning overall. This is covered in a recent security blog from February. I'm not sure it's something I'm personally going to be advocating for with customers for the most part unless it's actively causing issues, but it's amazing to see Google catering to the dedicated space for a change after so much increased focus on features that promote privacy at the cost of control for dedicated estates. Android 15 also introduces the permission android.permission.MANAGE_DEVICE_POLICY_CONTENT_PROTECTION for apps which are not the device or profile owner to be able to interface with this API. Disallow NFC radio # As it says on the tin. If you're thinking "Don't we already have an API for NFC?" Yes we do, but that's to control the beaming of data between devices. This is a full on radio disable and will probably live under DeviceRadioState in AMAPI at some point later. Disallow Thread Network # I'm assuming this is related to comms with thread devices, no additional context has been provided, but you can assume what's coming. Disallow SIM Globally # This sounds like it's ticking off a long-desired feature request to fully disable all cellular on a device, but again missing any additional context I don't want to jump to conclusions. Vital apps mandate for document previewer # I touched on this in a recent doc. The absence of a document preview application for managed devices has been quite a noisy complaint from organisations for many years, overshadowed only by missing camera &/ gallery applications. 
    None of these apps have been mandated by Google for the fully managed/work profile user experience, and so the common trend is to see them simply not added.

    In fact, when I was building devices for enterprise, I spent a decent amount of time learning the intricacies of vital apps and considering the use cases of customers to determine what was vital to productivity. I'd always opt to deploy Files By Google as the "Downloads" application, as this killed two birds with one stone - file preview support & a file (download) manager. Any photos taken could then be viewed in this app. But not all OEMs consider this, or really think about enterprise at all, and so it's nice to see Google identifying the gap and plugging it accordingly.. even if it took several years to do so.

    A switch to feature flagging

    This isn't super new information, as Google have been feature flagging already with Android 14, but Google are touting Android 15 as their line in the sand for introducing their new approach to development, Trunk Stable. Mishaal Rahman, the prolific Android code-sleuthing extraordinaire, goes into more detail on Trunk Stable and aconfig (the feature flag system), as well as many more (lesser enterprise) Android features in this video from the latest AOSP & AAOS meetup:

    The change is an interesting one, it comes across as there being more code out in the open to review, and the ability to potentially build Android flavours with feature flags enabled for early access to features not yet committed to a release, but equally seems that it'll be far harder to put a finger on timelines of when features will actually land in builds; could it be the next dessert release? A QPR update? Who knows.

    Furthermore, this adds far more flexibility for the Android team, and I presume far less pressure on managing the development cycle for when things need to be pushed/pulled accordingly. Hiding work-in-progress code behind feature flags is probably considered a breath of fresh air for them 😁

    Platform signed permission management

    When a vendor works with an OEM to get their application platform signed, the application is granted all system-level permissions available on the device. As you can imagine, that is an unprecedented level of device access to data and services reserved normally for only the OEM system apps, and Google's preloaded suite of applications.

    In Android 15, Google are introducing system permission management, allowing OEMs to grant or deny permissions to signed applications that allows for the considerable down-scoping of access of a signed app to only the explicit permissions they require to function. This won't apply to system apps bundled with a set of permissions in the OEM system image, but should permissions change in a later system app update, these permissions would also be denied automatically unless allowlisted in the respective system configuration.

    There's an additional config to allow platform-signed shared UIDs for non-system applications that have additionally previously required access to this.

    There are new alerts in logging to determine the permissions applications are no longer retaining access to, which vendors should already start looking at today to avoid loss of functionality.
    Knowing how many enterprise vendors lean on platform signature permissions today (basically most EMMs, several SaaS products, etc), this has the potential to cause headaches once 15 launches.

    Partial screen recording

    If you're like me and record your screen far too often to demonstrate anything from a device feature to a bug, user guides and more, you'll be pleased to hear the previously Pixel-only feature introduced in Android 14 is coming to the wider ecosystem with the 15 update. Now users can limit screen sharing to just the app they want to show, and no longer fret on the possibility of showing something that may not be appropriate for the context. Huzzah!

    Screen recording detection

    Continuing the theme of recording, this is not so much an enterprise feature in and of itself explicitly, but Android 15 will alert apps when the screen is being recorded, allowing them to hide contents. I can imagine this might be useful for enterprise applications across the board to bolster DLP (data loss prevention).

    App archiving

    Another expansion of existing functionality, Android 15 introduces system-settings control over app archiving, previously only opt-in and managed by Google Play directly.
    Presumably this will succumb to the same restrictions as disabling or uninstalling apps we have in place today (that is, users won't be allowed to depending on policy set). In my testing so far, archiving is just disabled on managed devices, with the option greyed out even on INSTALL_TYPEs of AVAILABLE (AVAILABLE means the app is provided to users within managed Google Play, but not downloaded or installed, so the user has full control over whether they wish to install it or not).

    Backup job execution exception permission

    Less enterprise-explicitly, and more of a general observation which may benefit enterprise app developers, Android 15 introduces the permission android.permission.RUN_BACKUP_JOBS, which:

        Gives applications with a major use case of backing-up or syncing content increased job execution allowance in order to complete the related work. The jobs must have a valid content URI trigger and network constraint set. This is a special access permission that can be revoked by the system or the user.

        Protection level: signature|privileged|appop

    It's a special permission, and likely only one being leveraged by vendors with OEM partner relationships given the protection level, but all the same it's pretty cool to see Google direct some attention to the backup use case.

    Restrictions on device identifiers for personally owned devices

    From Android 15, applications with the permission android.permission.MANAGE_DEVICE_POLICY_CERTIFICATES will be able to fetch getEnrollmentSpecificId, which is an enrolment-specific, unique device identifier that persists across re-enrolments when done so into the same deployment scenario (i.e. fully managed or personally owned work profile), by the same vendor agent, into the same enterprise (organisation/bind).
    It is an alternative to identifiers such as IMEI and serial number, which Google no longer grants access to for applications without the appropriate device or profile owner role, or DELEGATION_CERT_INSTALL via policy, and becomes the default and only option for fetching a unique device identifier for personally owned work profile devices in future.

    To be clear - applications in a personally owned work profile deployment up to now with the delegated permission of DELEGATION_CERT_INSTALL have been able to fetch a device serial number with relative ease, something that defeats the entire purpose of restricting access to the identifiers, considered to be personally identifiable information, in the first place. That loophole is closing.

    Broader system update visibility

    From 15, applications granted the permission android.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES will be able to obtain information about a pending system update. This softens the current requirements that an application be a device or profile owner in order to fetch this information.

    What this doesn't do, unfortunately, is offer more insight into what the available update is. Today we can see an update is available and whether or not it's a security update. This API needs to be updated to show

    - build info, size, how long it's been available (not just when first detected),
    - SPL/Android version

    All of this is offered either through GOTA, Google's OTA management server many OEMs are encouraged to leverage (some don't of course, consider e-FOTA from Samsung, or HMD's new FOTA platform), or the build fingerprint of the package itself.

    Check MTE status

    Expanding on the options for getting and setting MTE policies in Android 14, in 15 it will now be possible to merely query the current state (evidently something that should have, but didn't, quite make it to the 14 release!)

    Control of parent profile screen settings in company owned work profile deployment scenarios

    From Android 15, company owned work profile deployment scenarios (COPE) will see scope of policies expand a little to include screen settings:

    - Screen off timeout (not to be confused with time to lock, which still supersedes this in terms of hierarchy)
    - Screen brightness (the actual brightness of the screen)
    - Screen brightness mode (manual or automatic)

    This comes across as a quality-of-life (QoL) improvement, though I'd have liked to be a fly on the wall when the scenarios were defined to justify prioritising this.

    Control over Private Space

    Android 15 introduces Private Space, the ability for users to allocate a selection of apps in a private, authenticated profile on the device. These applications are isolated - similar to a work profile - from the rest of the applications on the primary parent profile.

    The way this is managed is nuanced, per Google:

        The default value for an unmanaged user is false. For users with a device owner set, the default value is true and the device owner currently cannot change it to false. On organization-owned managed profile devices, the default value is false but the profile owner can change it to true via the parent profile to block creating of private profiles on the personal user.

    So in other words private space is disabled for fully managed devices by default, and cannot be enabled. For work profile-enabled company owned devices, this can be managed.

    In testing, my fully managed device does indeed fail to create a private space, but doesn't indicate why - it simply fails.

    Disallow assist content

    This restriction allows administrators to prevent privileged apps, such as Assistant, from receiving contextual device information. These include screenshots, package names, and more. Useful for admins wishing to reduce the sprawl of information access privileged apps can have.
    This is scope-specific, so on fully managed devices will apply device-wide, but on profile-enabled devices restricts only to the managed profile.

    Circle to search

    Relatively straightforward, an enterprise API is being introduced to lock down circle to search - the most unnecessarily hyped up feature I've seen in a long time. This is a nice continuation of assist content above, limiting the amount of data being sent to Google services.

    Widget management is back?!

    With Android 15, setKeyguardDisabledFeatures has been expanded with widget management to coincide with the re-introduction of lockscreen widgets for tablet devices. At this time it appears to only apply to widgets in managed profiles, with Google explicitly stating:

        the profile owner of an organization-owned managed profile can set KEYGUARD_DISABLE_WIDGETS_ALL which affects the parent user when called on the parent profile.

    More testing is needed to determine why this isn't available for fully managed devices.

    To note for wider context, lock screen widgets were removed way back in 5.0 citing, if I remember correctly, low use. With the recent focus on tablets, and Apple adding their own, Google clearly figured they matter again!

    Deeper dedicated device experience management

    With Better Together Enterprise, Google is introducing a new provisioning option for dedicated devices, in addition to PERSONAL_USAGE_ALLOWED and PERSONAL_USAGE_DISALLOWED, Google are introducing a third allowPersonalUsage AMAPI enrolment token configuration option of DEDICATED_DEVICE.
    Such distinguishing features between knowledge worker devices and the new dedicated devices flag include:

    - Setup Wizard customisation
    - Skipping/prevention of Google account setup
    - Default restrictions within the Android experience

    Managing dedicated devices, which have always been treated identically to any other consumer Android device on the market, has been a frustrating experience; devices an end user would never use shouldn't need to configure accounts, access Google Play, deal with all of the setup wizard interruptions around privacy callouts and more.. and now it looks like Google are finally doing something about it. Unfortunately a few years too late for the almost 5 years I supported dedicated devices on a daily basis, but I look forward to future projects benefitting from these changes.

    Additional management roles

    Something of a placeholder at the moment, because I don't fully understand the implications (other than goading Googlers about the reintroduction of Device Admin where all apps have the ability to get Device Policy Manager API control rather than just the explicit device/profile owner as it has been up to Android 14 -- it's not that, for the record, but documentation is just so light it's easy to draw those kinds of conclusions 😅). Once the scope of wider DPM role holders is clear, I'll update this here.

    More to come!

    As 15 continues to develop, I'll update this list accordingly. Feel free to reach out with anything you find also!
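
The install floor described under "A bump to minimum SDK version for installation of apps" can be checked across an app inventory before devices move to Android 15. This added example (not from the original post) classifies APKs from the text printed by `aapt dump badging`; the sample outputs, file names and package names are constructed, and it relies on the manifest rule that an absent targetSdkVersion falls back to minSdkVersion.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Floor taken from the adb failure quoted in the post:
# "App package must target at least SDK version 24, but found 23".
ANDROID_15_MIN_TARGET_SDK = 24

_FIELD = {
    "package": re.compile(r"^package: name='([^']*)'", re.M),
    "min": re.compile(r"^sdkVersion:'([^']*)'", re.M),
    "target": re.compile(r"^targetSdkVersion:'([^']*)'", re.M),
}

# Constructed `aapt dump badging` excerpts for hypothetical line-of-business apps.
SAMPLE_BADGING = {
    "scanner.apk": "package: name='com.example.scanner' versionCode='12' versionName='1.2'\n"
                   "sdkVersion:'19'\ntargetSdkVersion:'23'\n",
    "timesheet.apk": "package: name='com.example.timesheet' versionCode='3' versionName='0.3'\n"
                     "sdkVersion:'21'\n",
    "kiosk.apk": "package: name='com.example.kiosk' versionCode='40' versionName='4.0'\n"
                 "sdkVersion:'24'\ntargetSdkVersion:'24'\n",
    "portal.apk": "package: name='com.example.portal' versionCode='7' versionName='2.1'\n"
                  "sdkVersion:'26'\ntargetSdkVersion:'34'\n",
    "preview.apk": "package: name='com.example.preview' versionCode='1' versionName='0.1'\n"
                   "sdkVersion:'26'\ntargetSdkVersion:'VanillaIceCream'\n",
}


@dataclass
class Finding:
    apk: str
    package: str
    effective_target: Optional[int]  # None when the value is not a number
    status: str                      # "ok", "blocked" or "review"
    reason: str


def _field(name, badging):
    """Return the first captured value for a badging field, or None if absent."""
    match = _FIELD[name].search(badging)
    return match.group(1) if match else None


def audit_badging(apk, badging, floor=ANDROID_15_MIN_TARGET_SDK):
    """Classify one APK from the text printed by `aapt dump badging <apk>`."""
    package = _field("package", badging) or "<unknown>"
    declared_target = _field("target", badging)
    declared_min = _field("min", badging)

    # An absent targetSdkVersion defaults to minSdkVersion, which defaults to 1.
    if declared_target is not None:
        raw, source = declared_target, "declared targetSdkVersion"
    elif declared_min is not None:
        raw, source = declared_min, "targetSdkVersion absent, minSdkVersion applies"
    else:
        raw, source = "1", "no SDK attributes, platform default applies"

    if not raw.isdecimal():
        # Builds against a preview SDK carry a codename instead of a number.
        return Finding(apk, package, None, "review", f"{source}: codename {raw!r}")

    target = int(raw)
    status = "ok" if target >= floor else "blocked"
    return Finding(apk, package, target, status, f"{source}: {target} vs floor {floor}")


def audit_inventory(badging_by_apk, floor=ANDROID_15_MIN_TARGET_SDK):
    """Audit every APK and list the ones Android 15 would refuse first."""
    order = {"blocked": 0, "review": 1, "ok": 2}
    findings = [audit_badging(apk, text, floor) for apk, text in badging_by_apk.items()]
    return sorted(findings, key=lambda f: (order[f.status], f.apk))


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_BADGING):
        print(f"{finding.status:8} {finding.apk:14} {finding.package:24} {finding.reason}")
```

The timesheet.apk case is the one an inventory keyed only on the declared target would miss: it declares no target at all and is judged on its minimum of 21.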

  • Google quietly introduces new quotas for unvalidated AMAPI use
    by Jason Bayton on March 25, 2024 at 12:00 am

    Google have made one of the most significant changes to permissible use of AMAPI in the last few years, imposing new limits for the number of devices permitted to enrol without validating a solution for commercial availability (that being applying for the EMM community & validating up to a minimum of Standard solution set support).

    The reasoning hasn't been provided, but my own experience of receiving requests for support and/or consultancy on an almost-weekly basis for projects that go entirely against permissible use (financing/leasing tools, internal EMM projects, etc) tells me this has been a wide-spread and troubling issue for the AMAPI team for quite a long time. As ever, it is the actions of the few that spoil it for the rest of us.

    What's changing

    Google's Permissible Usage page has updated from no explicit maximum number of devices per project (it was a soft 1000 prior, referenced below) to now topping out at 500 devices.

    Before: No mention
    After: Default quota of 500 registered devices for each project.

    In addition, the Android Enterprise features list (requirements) has additionally been updated from the prior 1000 devices to reflect the updated quota:

    Before: If you intend to manage more than 1000 devices, your EMM solution must support all the standard features (star) of at least one solution set before it can be made commercially available.
    After: If you intend to manage more than 500 devices, your EMM solution must support all the standard features (star) of at least one solution set before it can be made commercially available.

    The prior 1000-limit was written, but not actively (automatically) enforced, allowing project owners to break this barrier without much in the way of immediate repercussions; of course any considerable use of the API would catch Google's attention eventually. So what's different now? The AMAPI API now enforces this quota, which wasn't the case before.
    The addition of two new events returned to project administrators via a UsageLogEvent, which is a collection of various events logged on devices from the use of ADB to power on/off, external media mounting, and so on, suggest the API itself has the limits baked right in:

        "MAX_DEVICES_REGISTRATION_QUOTA_WARNING",
        "MAX_DEVICES_REGISTRATION_QUOTA_EXHAUSTED"

    No room for interpretation here. The API offers two states: a near-quota warning (the number which triggers this not published at time of writing), and a quota-reached state, presumably at which point further enrolments will either be wiped, or disabled (..and wiped after 5 minutes, which is standard behaviour for disabled devices on enrolment without a valid policy applied today). That's speculation until it's appropriately documented, though, since currently it is not documented under the EventType docs.

    Interesting, but probably not overly strange, is using device events to trigger these states. I suppose it is a device registering with AMAPI that triggers the states, and so it works that the device informs the enterprise of quota warnings/limits. I'd have expected it to be pushed as an enterprise attribute though without reading too much more into it. Perhaps it'll make more sense once Google document it.

    Exceptions continue

    Despite the addition of these new, actively enforced quotas, it remains possible to request a higher limit on a case by case basis. Google now provide a form to - amongst other things - "respond to a quota limit":

    Interesting also is this used to be a Google Cloud process, which suggests to me the Android Enterprise team are foregoing the established Google Cloud processes in favour of a more hands-on - and hopefully personal interaction with project owners.

    What does this mean for the unvalidated?

    Project owners today, prospective EMM vendors or scenarios where AMAPI is in use that don't breach permissible usage policies running over 500 devices should at minimum register their AMAPI solution with the EMM partner portal. If you haven't already started seeing quota warnings, you will soon. Obviously if it's not yet feasible to validate up to Standard solution set support, the form (https://goo.gle/android-enterprise-response) may offer a bit of runway.

    For everyone else not quite at the point of hitting the limit, make preparations to validate your product with the AMAPI team before that threshold is reached.

    Closing thoughts

    Obviously this won't solve the problem of AMAPI being either abused intentionally or used in ways Google doesn't permit. There's little to stop those driven to do so from spinning up multiple projects across multiple accounts in an ever-continuing game of cat and mouse. It is a deterrent though, an additional overhead to have to manage to make it worth-while, and perhaps that'll make enough of a difference to justify the engineering time (that could have been dedicated to offline system update management or ephemeral user support, just sayin' 😁) to implement this.
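
For project owners who want an alert when the two quota events quoted above start arriving, this added example (not Google's or the author's code) scans Pub/Sub push deliveries for those event type names. It assumes the events arrive in USAGE_LOGS notifications as a usageLogEvents list, which the post notes is not yet documented for these types; the envelopes, enterprise and device names are constructed.

```python
import base64
import json

# Event type names as quoted in the post; a higher number is more severe.
QUOTA_EVENTS = {
    "MAX_DEVICES_REGISTRATION_QUOTA_WARNING": 1,
    "MAX_DEVICES_REGISTRATION_QUOTA_EXHAUSTED": 2,
}
STATE_NAMES = {0: "ok", 1: "warning", 2: "exhausted"}


def make_envelope(notification_type, payload):
    """Wrap a payload the way a Pub/Sub push delivery does (sample-data helper)."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"message": {"attributes": {"notificationType": notification_type}, "data": data}}


def _usage_batch(device, events):
    """Build a usage-log batch; the field layout is an assumption for these event types."""
    return {"device": device, "usageLogEvents": [
        {"eventId": eid, "eventTime": when, "eventType": etype} for eid, when, etype in events]}


_WARNING_DELIVERY = make_envelope("USAGE_LOGS", _usage_batch(
    "enterprises/LC-example/devices/dev-a",
    [("41", "2024-03-25T09:00:00Z", "OS_STARTUP"),
     ("42", "2024-03-25T09:00:05Z", "MAX_DEVICES_REGISTRATION_QUOTA_WARNING")]))

# Constructed deliveries, in arrival order.
SAMPLE_ENVELOPES = [
    make_envelope("ENROLLMENT", {"name": "enterprises/LC-example/devices/dev-a"}),
    _WARNING_DELIVERY,
    _WARNING_DELIVERY,  # Pub/Sub is at-least-once, so the same event can arrive twice
    {"message": {"attributes": {"notificationType": "USAGE_LOGS"}, "data": "not-base64!!"}},
    make_envelope("USAGE_LOGS", _usage_batch(
        "enterprises/LC-example/devices/dev-b",
        [("7", "2024-03-26T14:30:00Z", "MAX_DEVICES_REGISTRATION_QUOTA_EXHAUSTED")])),
]


def quota_state(envelopes):
    """Return the worst quota state seen, the distinct quota events, and a malformed count."""
    seen, hits, malformed, level = set(), [], 0, 0
    for envelope in envelopes:
        message = envelope.get("message", {})
        if message.get("attributes", {}).get("notificationType") != "USAGE_LOGS":
            continue  # enrolment, status and command notifications carry no usage logs
        try:
            batch = json.loads(base64.b64decode(message.get("data", ""), validate=True))
        except (ValueError, TypeError):  # bad base64, bad UTF-8 or bad JSON
            malformed += 1
            continue
        if not isinstance(batch, dict):
            malformed += 1
            continue
        device = batch.get("device", "<unknown>")
        for event in batch.get("usageLogEvents", []):
            severity = QUOTA_EVENTS.get(event.get("eventType"))
            key = (device, event.get("eventId"))
            if severity is None or key in seen:
                continue  # unrelated event type, or a redelivered duplicate
            seen.add(key)
            level = max(level, severity)
            hits.append({"device": device, "eventType": event["eventType"],
                         "eventTime": event.get("eventTime")})
    return {"state": STATE_NAMES[level], "events": hits, "malformed": malformed}


if __name__ == "__main__":
    print(json.dumps(quota_state(SAMPLE_ENVELOPES), indent=2))
```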


Brooks Peppin's Blog Managing Windows in the Modern Workplace

Many Miles Away Helping you succeed with end user computing technologies



Sam Akroyd. Thoughts on Tech

  • Workspace ONE UEM Sensors and custom Registry values
    by techhub981158167 on June 10, 2024 at 12:58 pm

    I had a customer enquiry recently where they were looking to pull some custom fields from a device to identify a device location, well at least where it was deployed, as well as some custom tags and other information they associate with a device at the time of deployment. If you have used Workspace ONE … Continue reading Workspace ONE UEM Sensors and custom Registry values →

  • VMware App Volumes Apps on Demand
    by techhub981158167 on January 8, 2024 at 3:26 pm

    There are plenty of articles explaining what VMware App Volumes Apps on Demand are and the benefits, for example https://www.vmware.com/uk/topics/glossary/content/apps-on-demand.html. This video demonstrates how quick and easy it is to associate an App Volumes Server with an RDS Host in VMware Horizon and subsequently deliver a package using Apps on Demand.

  • End of Year
    by techhub981158167 on December 20, 2023 at 10:14 am

    When I started this blog and YouTube channel a few years back I never really had a target other than to share any tips, tricks, information and how to for various EUC products. It’s always nice to see the end of year stats and know that people are looking at your content. Diving into the … Continue reading End of Year →

  • The next phase of Workspace ONE UEM Sensors
    by techhub981158167 on December 8, 2023 at 11:14 am

    Earlier this year I wrote a blog article about using ChatGPT to write PowerShell scripts that could be used in Workspace ONE UEM to create Sensors. This works fine, but bear in mind that ChatGPT created PowerShell scripts for me based on best endeavours, there is no guarantee they would work or would not contain … Continue reading The next phase of Workspace ONE UEM Sensors →

  • Workspace ONE UEM and Windows Multi User
    by techhub981158167 on August 23, 2023 at 3:48 pm

    Multi User or Shared Device, if you want to look at it that way, is something that has been supported with VMware Workspace ONE UEM but more so for Mobile Operating Systems rather than Windows. VMware has received feedback from several customers on wanting to be able to support a Windows Multi User use case. … Continue reading Workspace ONE UEM and Windows Multi User →

Thomas Cheng Welcome to my digital home!

VirtuallyUnboxed Lifting the lid on everything virtual

  • End of support for vSphere 6.5.x and 6.7.x
    by virtuallyunboxed on October 20, 2022 at 4:31 pm

    In case you missed it, last week marked the end of general support for vSphere 6.5 and 6.7. This is the same regardless of whether you were using it for data centre services or EUC services like Horizon.

  • Desktop Repurposing v4
    by virtuallyunboxed on October 20, 2022 at 4:23 pm

    This year, myself and Matt Evans joined forces again, along with newcomer, Jonathan D'arcy to review some of the best desktop repurposing tools on the market. As with previous years we reviewed imaging and performance. However, this year we also took a look at the accompanying management solutions.

  • VMware SASE and Cloud Web Security
    by virtuallyunboxed on January 22, 2022 at 3:11 pm

    Let's start with the basics! SASE is a Gartner term and is an abbreviation of Secure Access Service Edge. Still not much help, right? Well, let's start explaining this by looking at how people typically work, especially remotely, and how their traffic is secured. Most of you that ever work remotely will most likely use a device level VPN. This uses software on your device to create a tunnel into your company data centre and allows you to remotely access internal resources. This is how most companies have done it for many years, and it really dates back to the days when all a company's resources were in their own data centre. Tunnelling all the traffic back into the data centre was the perfect way to reach everything a remote user would need.

  • Workspace ONE UEM and Workspace ONE Access Integration for Hub Services
    by virtuallyunboxed on March 2, 2021 at 4:06 pm

    I know there are a lot of SaaS customers out there who have only been using basic MDM functionality within Workspace ONE. The platform has moved on a lot in the last few years and if you haven't already seen it I strongly suggest you check out hub services. This takes the Workspace ONE agent that is used for device management and adds additional functionality to the application such as a unified app catalogue, people search and a notifications platform to name but a few!

  • Workspace ONE Access FIDO2 integration
    by virtuallyunboxed on February 19, 2021 at 2:33 pm

    As of this month (Feb 2021) all Workspace ONE Access SaaS tenants now support FIDO2 as an authentication method. So, I thought I'd put together a short video showing how easy it is to configure it and some different device types using the solution.

Mobile Jon's Blog My WordPress Blog

  • Windows 11 Best Practices Part Three: Security Advanced
    by mobilejon on June 3, 2024 at 4:00 am

    The latest article delves into advanced security technologies for Windows 11, including Endpoint Privilege Management (EPM), Windows Defender Application Control (WDAC), Application Patch Management, and Device Control. EPM leverages Microsoft Intune and features automatic elevation and reporting capabilities. WDAC focuses on restricting app execution, requiring signed apps, and managing policies. Additionally, it provides a detailed outlook on managing WDAC policies and policy considerations, such as managing internal and 3rd party apps, enforcing code signing, and ensuring a scalable approach. The article also explores options for Windows Application Patch Management and Device Control in Microsoft Defender for Endpoint (MDE), emphasizing the importance of tailoring security capabilities to organizational needs to avoid creating an unmanageable security environment.

  • Windows 11 Best Practices Part Two: Security
    by mobilejon on May 14, 2024 at 4:30 pm

    The recent security article covered best practices for Windows 11. It stresses personalization of security policies and highlights the significance of the Windows Autopatch feature. Additionally, it addressed the management of security baselines, Microsoft Defender for Endpoint settings, BitLocker usage, personal data encryption, certificate authentication strategies, and device compliance best practices. The emphasis was on utilizing Microsoft Cloud PKI and SCEPman and leveraging custom compliance scripts for specific compliance requirements. This aligns with the focus on modern CSPs and core Intune components for securing Windows 11 effectively. Future chapters will delve into more complex features like EPM, App Control, and Device Control.

  • Windows 11 Best Practices Part One: Onboarding
    by mobilejon on May 6, 2024 at 4:00 am

    Windows 11 best practices are often challenging. It's a loaded question that encompasses many areas. Today, we will focus on onboarding best practices like Windows Autopilot, debloating, imaging, device join, and much more!

  • Demystifying Passkeys and Extending Microsoft Entra with Passwordless Authentication
    by mobilejon on April 29, 2024 at 2:00 pm

    Passkeys, introduced in Entra, are receiving much attention for their cryptographic and phishing-resistant authentication model. They are user-centric, unique per service, and stored only on the user's device. Supported by Windows with TPM, they provide strong security and cross-device authentication. Implementing passkeys in Entra and Windows is straightforward, enhancing device security.

  • The Workspace ONE Admin’s Guide to Microsoft Intune Part 4: SECURITY!
    by mobilejon on April 22, 2024 at 3:36 pm

    Part 4 of the Workspace ONE Admin's Guide to Microsoft Intune covers security capabilities including Windows patching, security baselines, leveraging profiles for security hardening, account protection, conditional access, and remediations. Final thoughts include an upcoming webinar and future articles on API comparisons.

VMware | Digital Workspace Tech Zone Go from zero to hero with the latest technical resources on the VMware Digital Workspace Tech Zone.

VMware Workspace ONE The un-official subreddit for VMware Workspace ONE. I recently started learning/managing Workspace One for the company I work for, I came to reddit to find others and saw that there wasn’t a community, so I started one. Our discord is here https://discord.gg/Zhr3TqMMf6

  • Intelligent Hub not recognizing that a profile has been installed on iPhone
    by /u/House_llama on June 13, 2024 at 6:55 pm

    I'm setting up an end user's profile on an iPhone. I can download the profile, successfully apply it in settings, but Hub doesn't seem to recognize that the profile has been set up. It just sits there at "Install Profile.". Any advice?

  • Workspace One with Sysprep
    by /u/compudude on June 13, 2024 at 6:37 pm

    I have to sysprep Windows 11 images that have Workspace One installed. Not having done this before, does running sysprep generalize the unique identifier in the image so that all the machines deployed with this image won't show up as the same machine? Sorry if it's a dumb question, first time seeing it!

  • Platform SSO for Mac OS - SSO Extension Profile
    by /u/Arman_WS1 on June 13, 2024 at 3:20 pm

    Hi All, Hope you’re all well. Hope someone has tried this already: Platform SSO Extension for logging into Mac OS devices. Has anyone tried this or attempted to configure this yet? Please let me know if there are any guides on the configuration and how it looks! Thank you. Arman Shah

  • Is there a way to disable cellular services via policy on an iPhone with esim?
    by /u/Chewskiz on June 13, 2024 at 2:32 pm

    Title. If not, I have been trying to disable it, then block changing it in screen time, but it seems you can still go into settings and turn it on. Thanks in advance

  • 500/4500 managed Zebra devices not showing Wi-Fi IP address in device table and looking at individual devices show 0.0.0.0?
    by /u/rastacola on June 12, 2024 at 4:32 pm

    Any ideas on this one? I use IP info to tag devices but seems some devices are not reporting back properly.

  • Problem with enrolling new devices in WorkspaceOne / login for already enrolled users is working
    by /u/Lucky_Local_2060 on June 12, 2024 at 2:37 pm

    Hi, I have a problem with WS One when enrolling new PCs. The problem is only during the enrollment process; current users (that are already enrolled) can log in normally to WS One Intelligent Hub with OKTA. So, we use OKTA as IDP and that part works fine and I'm able to log in with OKTA and see the message "Enrollment starts..." but only for a few seconds. After that, it stops with the Local login screen and the message "Failed to validate user credentials." We have configured a default Access policy (in Workspace One Access) which primarily uses "OKTA Auth method" and if OKTA fails, then it uses failback, which is Local login. The problem is that local login also doesn't work. Previously we used AD login, but now it is the same problem. So, none of the authentication methods work from Access. So, I'm assuming that for some reason it doesn't validate the OKTA login for enrollment, and then it switches to failback login. This is strange, because login in WS One Intelligent Hub for already enrolled users works fine with OKTA. If we bypass authentication, so the users authenticate directly on UEM (without Access), that works. On the other hand, Access is fully connected with UEM, so I'm not sure where the problem is. Has anyone had the same issue with WS One? Also, everything worked just fine last week, no one touched any configuration, and now it isn't working.

  • What happens to the OEM BIOS password when a device is unenrolled?
    by /u/theslats on June 11, 2024 at 9:05 pm

    Is it stored and recoverable someplace outside the, now gone, device history? Do we need to escrow this to keep it safe?

  • Anyone able to enroll a iOS18 device yet?
    by /u/Throwaway4638763 on June 11, 2024 at 12:58 pm

    Am getting this error: Starting security provider failed SDK Error emptyProfiles: There is no SDK profile assigned to Intelligent Hub. Please contact your IT administrator

  • Activate lost mode devices where the user became inactive
    by /u/Divestry on June 11, 2024 at 9:42 am

    Hey guys, quick question: is there any possibility to automatically enable the lost mode on devices where the user became inactive in AD? Thanks in advance!

  • APP Issue: Downloaded content differs from Content Manifest.
    by /u/Escles on June 7, 2024 at 3:33 pm

    Hi All! I created a managed app for Windows machines, it's VMware workstation player 7.2.5. The application has deployed to about 65~ machines successfully however I can still see that some machines are not updating. Machines that didn't get the update have this as the last error description in registry:

    Downloaded content differs from Content Manifest.

    and in the log I can see this:

    2024-06-07T15:25:14.6120691Z ExecuteAsync: Download request completed in 53/sec. Result = 0
    2024-06-07T15:25:14.6459444Z OnAfterExecutionAsync: 85a89ce3-31d5-4509-8068-243c8889e826: OnAfterExecutionAsync, DownloadContent => True
    2024-06-07T15:25:14.7031965Z OnExecutionRollbackFinalAsync: 85a89ce3-31d5-4509-8068-243c8889e826 - status: DownloadContentSuccessful, suspend: None, event: AfterExecution
    2024-06-07T15:25:14.7445329Z HandleDownloadAsync: 85a89ce3-31d5-4509-8068-243c8889e826: HandleDownloadAsync, SanitizeCache => InProgress
    2024-06-07T15:25:14.7445329Z HandleDownloadAsync: 85a89ce3-31d5-4509-8068-243c8889e826: HandleDownloadAsync, CacheConsistency => Unstarted
    2024-06-07T15:25:14.7465347Z OnExecutionRollbackFinalAsync: 85a89ce3-31d5-4509-8068-243c8889e826 - status: DownloadContentSuccessful, suspend: None, event: BeforeExecution
    2024-06-07T15:25:16.4844866Z OnAfterExecutionAsync: 85a89ce3-31d5-4509-8068-243c8889e826: OnAfterExecutionAsync, SanitizeCache => True
    2024-06-07T15:25:16.5348646Z OnExecutionRollbackFinalAsync: 85a89ce3-31d5-4509-8068-243c8889e826 - status: DownloadContentSuccessful, suspend: None, event: AfterExecution
    2024-06-07T15:25:16.5528730Z HandleDownloadAsync: 85a89ce3-31d5-4509-8068-243c8889e826: HandleDownloadAsync, CacheConsistency => InProgress
    2024-06-07T15:25:16.5538728Z OnExecutionRollbackFinalAsync: 85a89ce3-31d5-4509-8068-243c8889e826 - status: DownloadContentSuccessful, suspend: None, event: BeforeExecution
    2024-06-07T15:25:16.5945851Z OnAfterExecutionAsync: 85a89ce3-31d5-4509-8068-243c8889e826: OnAfterExecutionAsync, CacheConsistency => False
    2024-06-07T15:25:16.6381661Z OnExecutionRollbackFinalAsync: 85a89ce3-31d5-4509-8068-243c8889e826 - status: DownloadContentSuccessful, suspend: None, event: AfterExecution
    2024-06-07T15:25:16.7176502Z OnExecutionRollbackFinalAsync: 85a89ce3-31d5-4509-8068-243c8889e826 - status: DownloadContentSuccessful, suspend: None, event: DeploymentFinalState
    2024-06-07T15:25:16.7381975Z OnStartRollback: Starting Rollback

    I have no clue how I can fix this, any ideas? I saw that it downloads the installer to the appdeployementcache just fine but then deletes it due to this. Thanks in advance for any assistance 🙂

  • Boxer notifications not working
    by /u/Remote-Lettuce1498 on June 7, 2024 at 2:12 pm

    We are in the process of moving from on prem to exchange 365. We are migrating boxer connections for azure ad / MFA conditional access. Going well (except for Android devices...) however 3 out of like 100ish users are having issues not getting notifications on boxer. Their boxer inbox doesn't even update until they open the app. I cannot figure out why this would be just for this small subset of users. Everyone is getting the same boxer app config profile. Having issues with broadcom support so figured I'd ask here if anyone has run into this or has any clues. Our ws1 instance is cloud, we do see an error in boxer regarding ens2 server not set up. We saw this well before the migration and push notifications were never really an issue.

  • Disable personal mail account on ios applications.
    by /u/TillRevolutionary669 on June 7, 2024 at 8:11 am

    Hi everyone, is it possible from WS1 MDM to disable personal mail accounts in iOS applications (like OneDrive, Teams, etc.)?

  • Internal Website Accessible from PC, but not Mobile Device
    by /u/ByrdDogX on June 6, 2024 at 2:09 pm

    So we are working to deploy an OS (Android) upgrade for Spectralink devices used in our system. In order for this to work, we basically build out a website on a webserver and place the firmware file in the root folder and configure the app to the location (URL) of the file to pull down the firmware. So I created a site on port 80 and have a DNS entry and can access it from any PC in the system. When I try to access the site from a managed device on an internal network with (or without) restrictions, I get 'This Site Can't Be Reached' 'Check if there is a typo in URL'. Now I have worked with our firewall team and they say no traffic is being blocked. Wouldn't be the first time they said that and it was. The index page is just a 'Hello World' line on the page, no other code or content on the page itself. I am not a web developer, but know this should render on a PC or Mobile browser. Any ideas on what I should check?

  • eSIM profile questions
    by /u/FourEyesAndThighs on June 4, 2024 at 10:56 pm

    As we start to roll out iPhone 15's across the company, this issue has come up a few times. The user forgets their passcode and the device wipes after 10 attempts. Upon restart, the eSIM is not preserved. I found documentation on a flag ForcePreserveeSIMOnErase, but how do I implement this as a profile in WS1? Custom XML? MobileIron's interface had a flag for this on the Restrictions payload options, but WS1 seems to be missing it.

  • Smartgroup where members must be in two user groups to be added?
    by /u/theslats on June 4, 2024 at 9:01 pm

    Is there a way to do this? It seems like I can not do logic on the user group member assignment.

  • Set Android fonts & notification (repeated)
    by /u/jowy_ham on June 4, 2024 at 9:01 am

    Can someone pls kindly advise on how to use MDM to:
    1. Allow users to change their font size for the launcher on the Android 13/14 OS?
    2. Set repeat notification. For Samsung phones, under settings > notifications > advanced settings > repeat notification alerts

  • Devices enrolled but not deploy applications.
    by /u/FixZealousideal9252 on June 2, 2024 at 7:41 am

    We have some devices in our WS1 that are enrolled, are registering, are in our org group but are not receiving any scripts/apps from WS1. When installing an app, they report: Out of date. Application assigned but not installed. Last action taken: Install Command dispatched. [screenshot] If I check Troubleshoot, it shows: Application installation failed. Device returned: Add Command Status: 200 - Success, Executive Command Status: 500 - Command Failed. [screenshot] The problematic ones seem to be in Intelligent Hub v23.2.0.24. I hope I can fix this problem without recreating each device. Any help would be greatly appreciated! Best regards

  • Omnissa Community
    by /u/R_inspired on May 31, 2024 at 9:25 am


  • Device deleted from Workspace - But phone remains enrolled.
    by /u/Icy_Conclusion_7455 on May 26, 2024 at 9:35 pm

    Hi All, I deleted a device completely from Workspace One UEM and I had assumed the device would remove the profiles etc from the device once this was done however the phone remains enrolled. It's showing as enrolled, compliant & connected. Sync button does not update. Profiles restrict full factory reset including from recovery mode. How do I get UEM off this device or is it now a paperweight?

  • Regarding the issue of vIDM (Workspace ONE Access) UAG reverse proxy
    by /u/Present_Syllabub_609 on May 25, 2024 at 8:34 am

    After configuring the reverse proxy in UAG, entering "catalog portal" only displays the logo, but the management interface can be accessed normally. [screenshot] I have only configured these basic contents, and the following is the complete configuration of my UAG reverse proxy: [screenshot]

The Support Insider VMware Support News, Alerts, and Announcements

  • Simpler Licensing with VMware vSphere Foundation and VMware Cloud Foundation 5.1.1
    by Kelcey Lemon on March 21, 2024 at 5:28 pm

    VMware has been on a journey to simplify its portfolio and transition from a perpetual to a subscription model to better serve customers with continuous innovation, faster time to value, and predictable investments. To that end, VMware recently introduced a simplified product portfolio that consists of two primary offerings: VMware Cloud Foundation, our flagship …

  • VMware Skyline Advisor Pro Proactive Findings – January 2024 Edition
    by James Walker on January 24, 2024 at 11:16 am

    VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of January, we released 60 new Findings. Of these, there are 37 Findings based …

  • Skyline Advisor Pro: Introducing Inventory Export Reports
    by Kelcey Lemon on January 16, 2024 at 12:00 pm

    You’ve asked for the ability to export inventory information, including licensing, and we’ve listened. The Skyline Team is proud to introduce this highly requested feature, Inventory Export Reports. Inventory Export Reports allow you to generate reports on your inventory, licensing, and configuration data. These reports can help you to identify potential problems, track changes …

  • VMware Skyline Advisor Pro Proactive Findings – December 2023 Edition
    by James Walker on December 15, 2023 at 6:56 pm

    VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of December, we released 56 new Findings. Of these, there are 35 Findings based …

  • VMware Skyline Advisor Pro: Proactive and Diagnostic Findings Demystified
    by Kelcey Lemon on December 13, 2023 at 3:07 pm

    While supporting VMware Explore 2023 in Barcelona, a customer asked me, “What’s the difference between Proactive Findings and Diagnostic Findings in Skyline Advisor Pro and how are each one produced?” So, I’d like to take this moment to elaborate more on my original blog that introduced Diagnostic Findings. Proactive Findings Proactive Findings are potential …

  • VMware Skyline Advisor Pro Proactive Findings – October 2023 Edition
    by James Walker on October 27, 2023 at 4:33 pm

    VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of October, we released 39 new Findings. Of these, there are 30 Findings based …

  • From upgrading vSphere to troubleshooting issues with Tanzu Kubernetes Grid: Top 10 VMware Tanzu Knowledge Base Articles in September 2023.
    by Marcela Gleixner on October 11, 2023 at 12:18 pm


  • 10 most popular KB articles in September 2023, for VMware Tanzu Application Service, BOSH and more.
    by Marcela Gleixner on October 9, 2023 at 9:54 pm


  • Top 10 Most Popular Knowledge Articles for Horizon, WorkspaceONE, End User Computing (EUC), Personal Desktop for September, 2023   
    by Jamie Gravatte on October 6, 2023 at 4:31 pm

    Get answers and solutions instantly by using VMware’s Knowledge Base (KB) articles to solve known issues. Whether you’re looking to improve your productivity, troubleshoot common issues, or simply learn something new, these most used and most viewed knowledge articles are a great place to start. Here are the top 5 most viewed KB articles …

  • Top 10 Most Popular Knowledge Articles for HCX, SaaS, EPG Emerging Products Group for September, 2023   
    by Jamie Gravatte on October 5, 2023 at 2:26 pm

    Get answers and solutions instantly by using VMware’s Knowledge Base (KB) articles to solve known issues. Whether you’re looking to improve your productivity, troubleshoot common issues, or simply learn something new, these most used and most viewed knowledge articles are a great place to start. Here are the top 5 most viewed KB articles …