The Community
Stay up to date…
VMware End-User Computing Blog Bringing you the latest VMware EUC news, trends and product innovations.
- Introducing Omnissa, the former VMware End-User Computing businessby Renu Upadhyay on April 25, 2024 at 6:23 pm
As a marketing leader, one of the most exhilarating and rewarding undertakings is to define and activate a new brand. And it’s a rare opportunity to define a brand for an established business with industry-leading solutions. I’m privileged to have the opportunity to do both as the End-User […]
- Conditional access with Workspace ONE integrates seamlessly with Microsoft Entra ID and Google’s Context-Aware Access for macOSby Chris Morelock and Paul Mounkes on April 16, 2024 at 3:37 pm
As cyber threats become more complex, it’s crucial for organizations to implement robust security measures. In today’s treacherous digital landscape, securing users’ access to organizational resources is critical. Workspace ONE Unified Endpoint Management (UEM) includes conditional access […]
- Preparing for the digital evolution: Insights from the 2024 Gartner Digital Workplace Summitby Bryan Vest on April 5, 2024 at 4:55 pm
Representatives from the Broadcom End-User Computing (EUC) Division had the privilege of attending the Gartner Digital Workplace Summit March 18–19, 2024, in Grapevine, Texas. More than 900 attendees comprising digital workplace leaders, architects, and IT execs came from around the globe to […]
- Creating custom macOS security baselines with the macOS Security Compliance Project and Workspace ONEby Chris Morelock and Paul Mounkes on April 2, 2024 at 6:57 pm
Specific types of organizations are required to configure their endpoint security protocols in accordance with designated standards and benchmarks, such as those established by the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS). Some organizations […]
- Introducing enhanced integration between Cisco ISE and Workspace ONE Unified Endpoint Managementby Sivapratap Reddy Chintam on March 28, 2024 at 2:19 am
We’re thrilled to announce the limited availability of Cisco Identity Services Engine (ISE) v3.1+ and Workspace ONE Unified Endpoint Management (UEM) integration with the Workspace ONE UEM 2402 release. This integration ensures that your end user’s devices can safely and securely connect and […]
- New management capabilities now available for macOS Activation Lock in Workspace ONEby Paul Mounkes on March 27, 2024 at 7:12 pm
Anyone who has had a laptop stolen knows the great frustration that comes with losing not only an expensive piece of tech but also the precious work and personal information, photos, and everything else that’s stored on it. Apple understands this, and long ago introduced a feature designed to […]
- Beware of CryptoChameleon, the new phishing threat that uses social engineering to trick victimsby Wendy Leung on March 26, 2024 at 3:01 pm
In the ever-evolving landscape of cyber threats, the CryptoChameleon phishing attack has emerged as a new example of how cybercriminals use advanced social engineering to gain access to victim’s accounts. Like a chameleon, the hackers camouflage themselves, but as trusted authorities, to blend in […]
- ViVE 2024: Why healthcare interoperability is key, and how we’re championing itby Amy Young on March 19, 2024 at 10:54 pm
Unmanaged devices. A mix of traditional and cloud-based applications. Data scattered across different cloud environments. This complexity in the healthcare environment can create a nightmare for data security, compliance, and efficient care delivery. Each separate tool adds another layer of chaos. […]
- Apple iOS 17.4 introduces updates, including alternative app stores and payment methodsby Adam Henry and Paul Mounkes on March 12, 2024 at 8:58 pm
In 2022, European Union (EU) watchdogs, the European Commission (EC), launched an ambitious project aimed at “ensuring fair and open digital markets.” Essentially, the goal of the Digital Markets Act (DMA) is to limit the power of designated technology “gatekeepers” and ensure they behave […]
- Workspace ONE continues to lead the charts in unified endpoint managementby Aditya Kunduri on March 8, 2024 at 2:55 am
In a rapidly evolving digital landscape, managing endpoints effectively has become paramount for enterprises worldwide. With the proliferation of diverse devices and the need for seamless connectivity, organizations are seeking robust solutions to streamline their endpoint management processes. […]
Adam Matthews Technology // IAM // EUC // Random Rubbish
- I asked ChatGPT to write me a bash script, and it worked (mostly), why do I need to know how to...by adam on December 18, 2022 at 11:12 pm
By now, ChatGPT has become pretty well known ( as of 18th Dec 2022). I’ve messed around with basic questions, but today I wanted to start to write a script that I could use with “OverSight” on Mac (https://objective-see.org/products/oversight.html). When you turn on your camera/mic, it can fire off a script with arguments. In this … Continue reading "I asked ChatGPT to write me a bash script, and it worked (mostly), why do I need to know how to code?"
- VMware ESXi – How to Remove an NFS Share that’s ‘In Use’by adam on December 14, 2022 at 11:35 am
I recently moved house, and as part of that a few things on my network changed. My NAS (A Synolofy DS8J) changed it’s IP Address. This caused an issue when ESXi was trying to get hold of the datastore. So, now this needs to be removed and replaced – I came across this error: After … Continue reading "VMware ESXi – How to Remove an NFS Share that’s ‘In Use’"
- Easily Automate your Lab with the vCenter APIby adam on February 14, 2022 at 6:00 pm
Learn how to use Python to call the VMware vCenter API to Start and Suspend Virtual Machines easily, and use Crontab to define the times it runs.
- Quickly Compress Video Files on macOSby adam on January 26, 2022 at 11:29 am
When you record your videos with Quicktime and you end up with 1.7 GB of a file, how do you shrink that?! I’ve been using this process for a couple of years now to optimise the output size of my demo videos, to make it easier to share them in presentations, and to keep my … Continue reading "Quickly Compress Video Files on macOS"
- WordPress – How to fix Jetpack connection errors, Fonts and Icons showing as squares with NGINXby adam on March 5, 2021 at 5:24 pm
I recently migrated https://blog.eucse.com/blog from running on Apache to Nginx. I found it helped a lot with utilization and speed (combined with a few more tweaks), but one thing I noticed after was Jetpack wouldn’t load correctly, and some fonts and icons were showing as squares. See examples of what I was seeing below: Resolution … Continue reading "WordPress – How to fix Jetpack connection errors, Fonts and Icons showing as squares with NGINX"
Arsen Bandurian: Technical Blog Digital Workspace, End User Computing, Enterprise Mobility, AutoID, WLANs, OSes and other technical stuff I happen to work with
- Check if a Microsoft Form comes from a trusted sourceby apcsb on November 6, 2023 at 10:14 am
When you open a Microsoft Form asking you for some sensitive data, do you know where will your data land? Could it be phishing? Read on to find out… Recently, I have received an email at work asking me to fill out a form with some of sensitive personal details (voluntary disclosure). I don’t mind... Continue Reading →
- Enhancing Windows Update Catalog metadata Accessibilityby apcsb on September 11, 2023 at 7:30 am
Microsoft has recently released a major update to the Windows Update catalog back-end, adding crucial information such as CVEs (Common Vulnerabilities and Exposures) addressed by the update and the CVE Score directly info API. This information is essential for Threat and Vulnerability Management decisions as well as Patch management and many organizations pay $$ for... Continue Reading →
- Quickly validate and enable manual application uninstall via Intune Company Portal using Graph APIby apcsb on August 3, 2023 at 7:04 am
I am back and the titles are getting longer! If you are an Intune admin, you will probably be happy to know that one of the most required features has landed: Uninstall Win32 and Microsoft store apps using the Windows Company Portal. One thing you need to be aware of, is that this feature is... Continue Reading →
- Building a custom Windows Update Report p1: Parsing HTML via PowerShell on modern systems (no IE)by apcsb on July 28, 2022 at 7:30 am
Wow, it’s been a while! A customer of mine recently wanted a detailed report that should include info such as how many weeks is the Windows on the machine behind the latest available Security Update. We’ve found to a way to combine Intune Data Warehouse and PowerBI to pull data that allows to identify the... Continue Reading →
- A case of OneDrive Personal Vault not coming up (0x8031000a, MDM, GPO and BitLocker)by apcsb on March 18, 2022 at 6:23 pm
Today I wanted to enable the Personal Vault feature on my Home PC. While following the wizard I got an error 0x8031000a “Your organization requires your device to join the domain before you can use the Personal Vault”. What does this have to do with MDM. GPO and BitLocker troubleshooting? Here’s some quick Friday entertainment!... Continue Reading →
- Android 15: What's new for enterprise?by Jason Bayton on October 31, 2024 at 12:00 am
Android 15 launched officially for Pixel on October 15th. This was about a month and a half after the release to AOSP on September 3rd. It has been a rather odd series of events this year; Pixel typically receives the latest and greatest version of Android in tandem with its release to AOSP, and the marketing and messaging goes out in unison for Android as a whole, but with Pixel's delay it caused something of an anticlimactic debut for AOSP, with most of the Android 15 blogs and announcements only really happening at Pixel's launch. Hopefully that doesn't become the norm, I'm not a fan of delaying announcements until an OEM - Pixel or otherwise - is ready with their own implementation; I can't imagine Google would have done this if Oppo, Samsung, HMD or others asked for the same. That said, here we are. I could have covered this post off for the most-part after the AOSP drop, I chose to wait until Google released their marketing materials. AOSP/developer docs rarely tell the whole story of enterprise support in an Android release, and 15 has been no different; I'd covered pretty much everything I found for AOSP in What's new (so far) for enterprise in Android 15 and so it was the wider Google Play Services and undocumented functionalities that were left to be covered. The below aims to provide a comprehensive overview of enterprise features, so may skip some items mentioned in the blog from April. Feel free to jump back there (link above) for more general Android 15 features. Let's start with a headline feature. Private Space # Android 15 introduces Private Space, the ability for users to protect a selection of apps in a private, additionally-authenticated profile on the device. These applications are isolated - similar to a work profile - from the rest of the applications on the primary parent profile. When Google announced Private Space with 15, I wrongfully anticipated this to be a mostly non-enterprise feature that wouldn't coexist in the management space. After all, it comes across as the work profile for unmanaged devices, in a way (certainly the tech it's built on tells me this). But here we are! The multiple work profiles on one device I've been asking for that Google said they'd never support 😁. Default behaviour for managed devices # The way this is managed is nuanced, per Google: The default value for an unmanaged user is false. For users with a device owner set, the default value is true and the device owner currently cannot change it to false. On organization-owned managed profile devices, the default value is false but the profile owner can change it to true via the parent profile to block creating of private profiles on the personal user. So in other words Private Space is disabled for fully managed devices by default, and cannot be enabled. For work profile-enabled company-owned devices, this can be managed. In testing, my fully managed device does indeed fail to create a Private Space, but doesn't indicate why - it simply fails: An interjection from the DPC to say this isn't possible would tremendously improve the UX. General management policies in the Private Space # If you're concerned the Private Space may become a wild-west of hidden app and user activity, fret not! Policies that have previously applied device-wide, such as the installation of apps from unknown sources, are still device-wide. The Private Space adopts these restrictions with no additional management overhead. Application management in the Private Space # While it's blocked on fully managed devices (which would be a great use case for a reversed COPE, I'll touch on below), it's very much possible to create a Private Space in COPE and co-exist with the work profile. Hang on, you may be thinking, doesn't that just mean users can add apps to a Private Space if they're not permitted to add them to their personal profile? As it turns out, no. Android 15 for business introduces the ability to apply a limited set of security restrictions to specific apps outside the Work Profile. Existing personal app allowlist or blocklist policies can be extended to the new private space feature. In the future, additional privacy preserving security configurations for core apps will be introduced and made backward compatible with Android 15. via The policies applied for permitted or blocked apps in a COPE deployment scenario also apply to the Private Space for AMAPI enrolments. CustomDPC EMMs will gain the same functionality at a later date (no ETA provided by Google). The case for Private Space on fully managed devices # It popped up in the AE Customer Community and I think it's worth further discussion: I quite like the prospect of reversing the existing COPE model to fully manage the device, but have an inaccessible profile (Private Space) for workers. Maximum control of the device with a lower-perceived, but potentially acceptable level of privacy for workers. As indicated for pool/shared devices where you auth, but can pop a few personal apps for break/other reasons the admins can ultimately remove at will.. I like it. Private Space has obviously not been enabled on fully managed devices due to the privacy concerns, I would assume, previously associated with work profiles on fully managed devices. Furthermore, I would expect there are nuances within a fully managed and dedicated use cases (which are mostly shared under the Device Owner (DO) ownership model) that would render this feature incompatible and possibly cause problems. It's also likely a lot of work resurrecting deprecated approaches to cross-profile policies and such that would bring this much closer to pre-11 Android fully managed devices with work profiles.. ..but it could be disabled by default, as it is for fully managed devices, and in organisations that want to allow a reverse-COPE wherein personal apps and data live in a separately encrypted, isolated container with limited cross-profile oversight (personal usage policies would have to apply on fully managed only, just for Private Space), it could work. Supporting this would further add the flexibility organisations want as the personally-owned vs company-owned debate rages on amongst admins. What Private Space isn't # Fort Knox. Unfortunately, and Google to their credit do highlight this, Private Space is still a profile running within Android; the applications installed in this space can be detected with relative ease and so although it makes it extremely difficult to access app data, it doesn't prevent the determined from piecing together a perception of someone based on the apps they're hiding away. Assuming they have access to the device. Giant Private Space icons added in PACKAGE SEARCH for emphasis only. I do feel it could be improved, for example with the work profile implementation there are policies that prevent an app inside the profile from locating applications outside of it, so if I run PACKAGE SEARCH within a work profile, I cannot see the user apps installed in the parent profile. I appreciate this is not 1:1, effectively asking apps in the parent profile to be blocked from running package manager searches on any packages flagged against the Private Space, but I'd like to believe it's possible. So that's Private Space. Next? COPE: Enhancements to company-owned work profiles (COPE) # Google has been busy this year boosting the functionality of the company-owned work profile deployment scenario, and it's a trend I'm here for! Still struggling with the loss of work profiles on fully managed devices, every small bump in functionality that regains some control over the parent (personal) profile of a company-owned device is nothing short of a treat. Here's what's new in Android 15: Control of parent profile screen settings in company-owned work profile deployment scenarios # For company-owned devices running work profile, the following previously fully managed-only restrictions can be applied to devices: Screen off timeout (not to be confused with time to lock, which still supersedes this in terms of hierarchy) Screen brightness (the actual brightness or the screen) Screen brightness mode (manual or automatic) Google announced these as power management controls, I suppose they could contribute to lower power consumption at the cost of user satisfaction if you were to enforce fixed brightness on personal-use devices. They could also contribute to significantly higher power consumption. I'm not sure what use cases were identified here that led to it being framed this way, but I imagine this could be a frustrating experience for knowledge workers if not implemented by organisations appropriately; who could use a device outside on a Summer's day while being limited to 30% brightness? Who would want to check an incoming call or notification in the middle of the night with a screen that doesn't adapt to the ambient conditions of the room, but rather turn on at 100% brightness? In contrast, enforcing automatic would be a sensible default. Be mindful if deploying fixed brightness or brightness modes to personal-use devices. Application defaults in the personal profile for company-owned work profile devices # Extending further control of the personal side of the device for COPE deployments, Google is allowing organisations in Android 15 to set default applications for the dialler, messaging app, and browser. To be absolutely clear, these defaults will be whatever the Android device ships with, so it wouldn't be possible to set Edge as a default in the personal profile across a managed estate. Rather, Samsung may default to Samsung Internet, Pixel to Chrome, etc. This avoids a potential privacy risk in allowing organisations to set their preferred apps as the personal default, complete with whatever identifying information and usage data they may be able to extract from the personal profile and into corporate servers. By implementing these defaults, organisations prevent the opposite scenario where a user may choose to use a non-recommended (or downright potentially harmful app) as their default in the personal profile, and open the device up to additional security risks. Google states these must be initially configured at provisioning time. That is to say set in the policy applied at the time of enrolment. If being set retrospectively, as would be required for any existing device updating to Android 15, this can be done through the use of allowlists: The default messaging app can be set at any time. To enforce OEM defaults for dialler and browser after set up, this control must be combined with an app allowlist. These do not apply to Android 15's Private Space (discussed below), as these applications should not be present in the Space to begin with. Security & privacy changes # Android 15 additionally introduces a fair few security improvements also, some of which include: Migration of events from logcat to SecurityLog # From 15 we'll start seeing more information provided to SecurityLog. For those who've debugged an Android device under management, unless you're working with the device directly, pulling & reviewing logcat can be a pain. As SecurityLog, along with NetworkLog, can be fetched through the EMM, this offers a much simpler option and ongoing review of the respective logs. The intention is to more closely align with NIAP requirements, and allow for quick review of administrative device changes. In addition, Android adds an event for the backup service being toggled by an admin which will also now be available for admins from 15 when pulling security logs. Improvements to Factory Reset Protection # Though there are no enterprise-specific changes to factory reset protection, I believe it's important to highlight some changes made to how it works within the context of an enterprise device, namely: Enabling OEM unlock in developer settings will no longer deactivate FRP Bypassing the setup wizard, which isn't uncommon for dedicated devices/OEMs, will no longer deactivate FRP. Adding accounts, passwords, and applications will no longer be possible while FRP is active Going forward it will be evermore important to ensure both FRP, and enterprise FRP (wherein organisations set the allowlisted Google accounts), are properly maintained and processes correctly followed for resetting devices, if the EMM does not turn FRP off by default (hi, Omnissa..) A bump to minimum SDK version for installation of apps # As expected, the restriction on installing applications targeting very old versions of Android is getting a bump. In Android 15 it will no longer be possible to install apps targeting API level 23 - Android Marshmallow / 6.0 - or older. Only apps that target Android 7.0 - API level 24 - or later will be permitted. jason@MBP Downloads % adb install app-release.apk Performing Streamed Install adb: failed to install app-release.apk: Failure [INSTALL_FAILED_DEPRECATED_SDK_VERSION: App package must target at least SDK version 24, but found 23] Just as last year, we're talking about applications targeting a version of Android 10+ years old. While some organisations with line-of-business apps that haven't seen an update in half a decade may balk at the idea of getting their applications updated or rewritten, the justification behind this limitation is solid - security. Where apps targeting <6.0 were able to abuse the old permissioning system (pre-runtime!), apps targeting 7.0 are still able to abuse device administrator and similar APIs. This isn't something you want potentially leveraged directly or indirectly on your managed estate. Restrictions on device identifiers for personally-owned devices # From Android 15, applications with the permission android.permission.MANAGE_DEVICE_POLICY_CERTIFICATES will be able to fetch getEnrollmentSpecificId, which is an enrolment-specific, unique device identifier that persists across re-enrolments when done so into the same deployment scenario (i.e. fully managed or personally-owned work profile), by the same vendor agent, into the same enterprise (organisation/bind). It is an alternative to identifiers such as IMEI and serial number, which Google no longer grants access to for applications without the appropriate device or profile owner role, or DELEGATION_CERT_INSTALL via policy, and becomes the default and only option for fetching a unique device identifier for personally-owned work profile devices in future. To be clear - applications in a personally-owned work profile deployment up to now with the delegated permission of DELEGATION_CERT_INSTALL have been able to fetch a device serial number with relative ease, something that defeats the entire purpose of restricting access to the identifiers, considered to be personally identifiable information, in the first place. That loophole is closing. Head's up At time of writing there's a bug in 15 - on the Pixel 9 Pro XL at least - preventing delegated scopes from being retrieved by managed apps within the work profile. It works fine in the parent profile. If you'd like to validate this yourself, here's a snippet to call from within an application: val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager val delegatedScopes = dpm.getDelegatedScopes(null, context.packageName) Security exceptions for sensors-related permissions # From 15, device admins targeting API level 35, including DPCs and device admin role holders, will begin throwing security exceptions when attempting to set permissions for some sensors-specific permissions, including: Manifest.permission.ACCESS_FINE_LOCATION Manifest.permission.ACCESS_BACKGROUND_LOCATION Manifest.permission.ACCESS_COARSE_LOCATION Manifest.permission.CAMERA Manifest.permission.RECORD_AUDIO Manifest.permission.RECORD_BACKGROUND_AUDIO Manifest.permission.ACTIVITY_RECOGNITION Manifest.permission.BODY_SENSORS The two scenarios where this is expected to happen is: The calling agent is a profile owner, rather than a device owner (so work profile deployments, not fully managed) The agent is a device owned on a fully managed device, but has EXTRA_PROVISIONING_GRANT_OPT_OUT set during the provisioning process. While this has been in place since Android 12, previously this would have silently failed. In future security exceptions will be triggered which should make it easier to debug. New restrictions # It wouldn't be an Android release unless we saw a few new features to manage. Here's the run-down: Content protection policy # The content protection policy offers admin control of a new feature for real-time threat detection within the Google Play Protect arsenal of protections covered in a prior security blog from February. For Pixel devices, the toggle for this is in Settings > Security & privacy > More security & privacy > Scanning for deceptive apps. It is buried deep in Settings. When the configuration is unspecified, currently the respective toggle is off for fully managed devices. Switching to enforced then enables the setting. This is a great approach, sympathetic to the feedback its announcement generated from administrators already frustrated with overbearing Google Play Protect policies that cannot be disabled (full disclosure, I'm generally in favour of GPP, but I'm aware of the problems it causes for some organisations), while allowing its use for organisations that feel they need it. For EMM vendors, this is already present in AMAPI as contentProtectionPolicy under AdvancedSecurityOverrides. Android 15 also introduces the permission android.permission.MANAGE_DEVICE_POLICY_CONTENT_PROTECTION for apps which are not the device or profile owner to be able to interface with this API. Google Play Protect app scanning changes # In a related note, in September 2024 Google made a considerable change that will placate any organisation deploying sideloaded enterprise applications, including those installed via the EMM DPC (agent), internal services, or sideloaded in more traditional ways. These applications will no longer be sent to Google for scanning, and no longer prompt end users to take any action against them unless they are known to Google to be potentially harmful. More information here. Disallow NFC radio # As it says on the tin. If you're thinking "Don't we already have an API for NFC?" Yes we do, but that's to control the beaming of data between devices. This is a full on radio disable and will probably live under DeviceRadioState in AMAPI at some point later. This appears to be a natural progression from the earlier DISALLOW_CHANGE_NEAR_FIELD_COMMUNICATION_RADIO which prevents the turning on/off NFC in settings. eSIM management # eSIM has been given a respectable amount of attention in 15. Here's what's new: Disallow SIM Globally # The API I found earlier in the year appears to be a subset of a larger eSIM management framework being introduced with Android 15. For completeness, as the earlier post was quite light, here's what Disallow SIM Globally actually means: Available for both fully managed and company-owned work profile devices, disallow SIM globally (DISALLOW_SIM_GLOBALLY) is an eSIM restriction to globally prevent the user download of eSIMs to a device. While I earlier assumed it may have been globally disabling cellular, killing the radio and hiding the respective settings, status bar messaging, and so forth (useful particularly for lower-cost tablets that often come with cellular) this is not the case. In my testing, with the restriction enabled I was able to go into settings, begin eSIM setup with the scan of a QR code, and only then did it prevent setup with a generic error message that suggests there's a problem with the eSIM rather than a policy restriction in place: The experience could be improved dramatically here just with the addition of management UI, and preferably earlier in the process of adding an eSIM, also. Expanding 9.0 APIs for eSIM management # More broadly Android 15 introduces eSIM configuration capabilities via EMM. Based on what I've been able to find, eSIM management is directly associated with eSIM subscription management introduced in Android 9.0, and has been expanded in 15 to allow remote configuration via EMM, or the appropriate permission: Starting from Android Build.VERSION_CODES.VANILLA_ICE_CREAM, if the caller has the android.Manifest.permission#MANAGE_DEVICE_POLICY_MANAGED_SUBSCRIPTIONS permission or is a profile owner or device owner, then the downloaded subscription will be managed by that caller. In case the caller is device owner or profile owner of an organization-owned device, switchAfterDownload can be set to true to automatically enable the subscription after download. If the caller is a profile owner on non organization owned device switchAfterDownload should be false otherwise the operation will fail with EMBEDDED_SUBSCRIPTION_RESULT_ERROR. It would appear EMM vendors with either custom DPCs or via AMAPI will be able to lean into this API from 15 to add and remove EUICC subscriptions. Neat. Further, it will even support partial payloads! Providing the device has already been registered with an eSIM on a carrier's SMDP+ server, it will allow the device to reach out to that server, declare itself and get it's eSIM. This has the potential to significantly simplify eSIM management, reducing the number of eSIM configurations necessary for large deployments. Personally-owned device users will be able to remove the configured eSIM, though for company-owned devices, the additional policy DISALLOW_CONFIG_MOBILE_NETWORKS can be set to ensure eSIMs aren't deleted. Disallow assist content # This restriction allows administrators to prevent privileged apps, such as Assistant, from receiving contextual device information. These include screenshots, package names, and more. Useful for admins wishing to reduce the sprawl of information access privileged apps can have. This is scope-specific, so on fully managed devices will apply device-wide, but on profile-enabled devices restricts only to the managed profile. Circle to search # Relatively straightforward, an enterprise API is being introduced to lock down circle to search - one of the most hyped up features I've seen in a long time.. but probably not something organisations want accidentally invoking on dedicated devices while customers try to order a Big Mac! This is a nice continuation of assist content above, limiting the amount of data being sent to Google services. Widget management is back?! # With Android 15, setKeyguardDisabledFeatures has been expanded with widget management to coincide with the re-introduction of lockscreen widgets for tablet devices. At this time it appears to only apply to widgets in managed profiles, with Google explicitly stating: ..the profile owner of an organization-owned managed profile can set KEYGUARD_DISABLE_WIDGETS_ALL which affects the parent user when called on the parent profile. More testing is needed to determine why this isn't available for fully managed devices. To note for wider context, lock screen widgets were removed way back in 5.0 citing, if I remember correctly, low use. With the recent focus on tablets, and Apple adding their own, Google clearly figured they matter again! Other changes and requirements for 15 # Rounding off what's new, here are some additional features that don't fit into the above categories: Platform signed permission management # When a vendor works with an OEM to get their application platform singed, the application is granted all system-level permissions available on the device. As you can imagine, that is an unprecedented level of device access to data and services reserved normally for only the OEM system apps, and Google's preloaded suite of applications. In Android 15, Google is introducing system permission management, allowing OEMs to grant or deny permissions to signed applications that allows for the considerable down-scoping of access of a signed app to only the explicit permissions required to function. This won't apply to system apps bundled with a set of permissions in the OEM system image, but should permissions change in a later system app update, these permissions would also be denied automatically unless allowlisted in the respective system configuration. There's an additional config to allow platform-signed shared UIDs for non-system applications that have additionally previously required access to this. There are new alerts in logging to determine the permissions applications are no longer retaining access to, which vendors should already start looking at today to avoid loss of functionality. Knowing how many enterprise vendors lean on platform signature permissions today (basically most EMMs, several SaaS products, etc), this has the potential to cause headaches as 15 lands on devices, unless OEMs and vendors work together proactively to avoid this. Screen recording improvements # If you're like me and record your screen far too often to demonstrate anything from a device feature to a bug, user guides and more, you'll be pleased to hear the previously Pixel-only feature introduced in Android 14 is coming to the wider ecosystem with the 15 update. Now users can limit screen sharing to just the app they want to show, and no longer fret on the possibility to showing something that may not be appropriate for the context. Continuing the theme of recording, this is not so much an enterprise feature in and of itself explicitly, but Android 15 will alert apps when the screen is being recorded, allowing them to hide contents. I can imagine this might be useful for enterprise applications across the board to bolster DLP (data loss prevention), and based on murmurings in Tech News, Google is testing restrictions in Chrome to prevent sensitive information from being recorded (addresses, card details, passwords, etc). Broader system update visibility # From 15, applications granted the permission android.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES will be able to obtain information about a pending system update. This softens the current requirements that an application be a device or profile owner in order to fetch this information. What this doesn't do, unfortunately, is offer any more information about the update(s) available. Today we can see an update is available and that it's a security update. This API needs to be updated to show - build info, size, how long it's been available (not just when first detected), - SPL/Android version All of this is offered either through GOTA, Google's OTA management server many OEMs are encouraged to leverage (some don't of course, consider e-FOTA from Samsung, or HMD's new FOTA platform), or the build fingerprint of the package itself. Check MTE status # Expanding on the options for getting and setting MTE policies in Android 14, in 15 it will now be possible to merely query the current state (evidently something that should have, but didn't, quite make it to the 14 release!) Deeper dedicated device experience management # With Better Together Enterprise, AKA the new customer signup flow, Google is introducing a new provisioning option for dedicated devices, in addition to PERSONAL_USAGE_ALLOWED and PERSONAL_USAGE_DISALLOWED, Google are introducing a third allowPersonalUsage AMAPI enrolment token configuration option of DEDICATED_DEVICE. That alone isn't an Android 15 feature, but an accompanying flag OEMs can set from 15 within the device software declaring it a dedicated device should give many dedicated device-based organisations a reason to take note. Such distinguishing features between knowledge worker devices and the new dedicated devices flag include: Setup Wizard customisation Default restrictions within the Android experience Managing dedicated devices, which have always been treated identically to any other consumer Android device on the market, has been a frustrating experience; devices an end user would never use shouldn't need to configure accounts, access Google Play, deal with all the setup wizard interruptions around privacy callouts and more. I'd really hoped the EDLA licence would have solved a lot of problems, but so many years now after its introduction the differentiation is still minimal from MADA. Fortunately it looks like Google are taking another approach. Unfortunately a few years too late for the almost 5 years I supported dedicated devices on a daily basis, but I look forward to future projects benefiting from these changes. What didn't make it # These didn't make it today, but may pop up in a QPR or future Android version release: Dedicated document preview app # In the earlier Android 15 article I referenced a new mandate for OEMs to include a document viewing app, saying: The absence of a document preview application for managed devices has been quite a noisy complaint from organisations for many years, overshadowed only by missing camera &/ gallery applications. None of these apps have been mandated by Google for the fully managed/work profile user experience, and so the common trend is to see them simply not added. It appears Google changed their mind on this, which is not uncommon across releases by any means. The 4 or so years I spent working on Android hardware I saw many instances where proposals ultimately didn't make it - sometimes due to an internal direction change, sometimes pressure from OEMs. Either way it looks like that has happened here also, so we'll go another year without a dedicated document preview app. Skip adding personal accounts during company-owned work profile provisioning # In the earlier article I referenced a change I interpreted as offering the possibility for organisation admins to set provisioning-time configurations that skip the add-account flow during managed provisioning of a company-owned work profile device. This would have been a small quality-of-life improvement that would shorten down the COPE provisioning time for scenarios where either: users don't wish to immediately add a personal account and complete the full setup of their device, or where devices are perhaps staged elsewhere and sent to users registered and ready to go. Alas, we won't see this in 15. With that said, it has been submitted as a feature request to Google! In future, we may see a provisioning time option similar to allow the skipping of personal setup, perhaps palmed off to deferred setup, or triggered on the first boot after provisioning completes. Why would it be useful? Mostly echoing the above - organisations still pre-provision devices, even those on zero-touch, before sending them out to users in an effort to reduce the hand-holding needed for setting up a device. With the COPE model there are privacy and ethical considerations preventing the setup of a personal profile with a user's account, and obviously skipping the account setup renders the setup process less intuitive, even with deferred setup. Ensuring the work side is sorted, then shipping it out to an end user to add their Google account and go I find quite an enticing option in this and similar scenarios. Disallow Thread Network # At the time of writing, Google developer docs still don't have an entry for the Thread API, but reference it in the UserManager docs as an unlinked entity. At some point the link to UserManager should go to the right place. In the meantime it appears the source for CTS contains a test for this API. From that it's somewhat clear what this API is intended for, and we no longer need to assume: // If the device doesn't support Thread then as long as the user restriction doesn't throw an // exception when setting - we can assume it's fine @RequireFeature("android.hardware.thread_network") @RequiresFlagsEnabled(Flags.FLAG_THREAD_USER_RESTRICTION_ENABLED) If that's too ambiguous, the CTS docs reference the hardware feature android.hardware.thread_network, which additional source commits tie directly to Thread network support. It looks like it'll be a relatively straightforward boolean (on/off) restriction allowing managed devices to interface with thread network devices when it's added to Android at a later date. Did I miss anything? # If I did, you know where to find me.
- Android 15: What's new for enterprise?by Jason Bayton on October 31, 2024 at 12:00 am
Android 15 launched officially for Pixel on October 15th. This was about a month and a half after the release to AOSP on September 3rd. It has been a rather odd series of events this year; Pixel typically receives the latest and greatest version of Android in tandem with its release to AOSP, and the marketing and messaging goes out in unison for Android as a whole, but with Pixel's delay it caused something of an anticlimactic debut for AOSP, with most of the Android 15 blogs and announcements only really happening at Pixel's launch. Hopefully that doesn't become the norm, I'm not a fan of delaying announcements until an OEM - Pixel or otherwise - is ready with their own implementation; I can't imagine Google would have done this if Oppo, Samsung, HMD or others asked for the same. That said, here we are. I could have covered this post off for the most-part after the AOSP drop, I chose to wait until Google released their marketing materials. AOSP/developer docs rarely tell the whole story of enterprise support in an Android release, and 15 has been no different; I'd covered pretty much everything I found for AOSP in What's new (so far) for enterprise in Android 15 and so it was the wider Google Play Services and undocumented functionalities that were left to be covered. The below aims to provide a comprehensive overview of enterprise features, so may skip some items mentioned in the blog from April. Feel free to jump back there (link above) for more general Android 15 features. Let's start with a headline feature. Private Space # Android 15 introduces Private Space, the ability for users to protect a selection of apps in a private, additionally-authenticated profile on the device. These applications are isolated - similar to a work profile - from the rest of the applications on the primary parent profile. When Google announced Private Space with 15, I wrongfully anticipated this to be a mostly non-enterprise feature that wouldn't coexist in the management space. After all, it comes across as the work profile for unmanaged devices, in a way (certainly the tech it's built on tells me this). But here we are! The multiple work profiles on one device I've been asking for that Google said they'd never support 😁. Default behaviour for managed devices # The way this is managed is nuanced, per Google: The default value for an unmanaged user is false. For users with a device owner set, the default value is true and the device owner currently cannot change it to false. On organization-owned managed profile devices, the default value is false but the profile owner can change it to true via the parent profile to block creating of private profiles on the personal user. So in other words Private Space is disabled for fully managed devices by default, and cannot be enabled. For work profile-enabled company-owned devices, this can be managed. In testing, my fully managed device does indeed fail to create a Private Space, but doesn't indicate why - it simply fails: An interjection from the DPC to say this isn't possible would tremendously improve the UX. General management policies in the Private Space # If you're concerned the Private Space may become a wild-west of hidden app and user activity, fret not! Policies that have previously applied device-wide, such as the installation of apps from unknown sources, are still device-wide. The Private Space adopts these restrictions with no additional management overhead. Application management in the Private Space # While it's blocked on fully managed devices (which would be a great use case for a reversed COPE, I'll touch on below), it's very much possible to create a Private Space in COPE and co-exist with the work profile. Hang on, you may be thinking, doesn't that just mean users can add apps to a Private Space if they're not permitted to add them to their personal profile? As it turns out, no. Android 15 for business introduces the ability to apply a limited set of security restrictions to specific apps outside the Work Profile. Existing personal app allowlist or blocklist policies can be extended to the new private space feature. In the future, additional privacy preserving security configurations for core apps will be introduced and made backward compatible with Android 15. via The policies applied for permitted or blocked apps in a COPE deployment scenario also apply to the Private Space for AMAPI enrolments. CustomDPC EMMs will gain the same functionality at a later date (no ETA provided by Google). The case for Private Space on fully managed devices # It popped up in the AE Customer Community and I think it's worth further discussion: I quite like the prospect of reversing the existing COPE model to fully manage the device, but have an inaccessible profile (Private Space) for workers. Maximum control of the device with a lower-perceived, but potentially acceptable level of privacy for workers. As indicated for pool/shared devices where you auth, but can pop a few personal apps for break/other reasons the admins can ultimately remove at will.. I like it. Private Space has obviously not been enabled on fully managed devices due to the privacy concerns, I would assume, previously associated with work profiles on fully managed devices. Furthermore, I would expect there are nuances within a fully managed and dedicated use cases (which are mostly shared under the Device Owner (DO) ownership model) that would render this feature incompatible and possibly cause problems. It's also likely a lot of work resurrecting deprecated approaches to cross-profile policies and such that would bring this much closer to pre-11 Android fully managed devices with work profiles.. ..but it could be disabled by default, as it is for fully managed devices, and in organisations that want to allow a reverse-COPE wherein personal apps and data live in a separately encrypted, isolated container with limited cross-profile oversight (personal usage policies would have to apply on fully managed only, just for Private Space), it could work. Supporting this would further add the flexibility organisations want as the personally-owned vs company-owned debate rages on amongst admins. What Private Space isn't # Fort Knox. Unfortunately, and Google to their credit do highlight this, Private Space is still a profile running within Android; the applications installed in this space can be detected with relative ease and so although it makes it extremely difficult to access app data, it doesn't prevent the determined from piecing together a perception of someone based on the apps they're hiding away. Assuming they have access to the device. Giant Private Space icons added in PACKAGE SEARCH for emphasis only. I do feel it could be improved, for example with the work profile implementation there are policies that prevent an app inside the profile from locating applications outside of it, so if I run PACKAGE SEARCH within a work profile, I cannot see the user apps installed in the parent profile. I appreciate this is not 1:1, effectively asking apps in the parent profile to be blocked from running package manager searches on any packages flagged against the Private Space, but I'd like to believe it's possible. So that's Private Space. Next? COPE: Enhancements to company-owned work profiles (COPE) # Google has been busy this year boosting the functionality of the company-owned work profile deployment scenario, and it's a trend I'm here for! Still struggling with the loss of work profiles on fully managed devices, every small bump in functionality that regains some control over the parent (personal) profile of a company-owned device is nothing short of a treat. Here's what's new in Android 15: Control of parent profile screen settings in company-owned work profile deployment scenarios # For company-owned devices running work profile, the following previously fully managed-only restrictions can be applied to devices: Screen off timeout (not to be confused with time to lock, which still supersedes this in terms of hierarchy) Screen brightness (the actual brightness or the screen) Screen brightness mode (manual or automatic) Google announced these as power management controls, I suppose they could contribute to lower power consumption at the cost of user satisfaction if you were to enforce fixed brightness on personal-use devices. They could also contribute to significantly higher power consumption. I'm not sure what use cases were identified here that led to it being framed this way, but I imagine this could be a frustrating experience for knowledge workers if not implemented by organisations appropriately; who could use a device outside on a Summer's day while being limited to 30% brightness? Who would want to check an incoming call or notification in the middle of the night with a screen that doesn't adapt to the ambient conditions of the room, but rather turn on at 100% brightness? In contrast, enforcing automatic would be a sensible default. Be mindful if deploying fixed brightness or brightness modes to personal-use devices. Application defaults in the personal profile for company-owned work profile devices # Extending further control of the personal side of the device for COPE deployments, Google is allowing organisations in Android 15 to set default applications for the dialler, messaging app, and browser. To be absolutely clear, these defaults will be whatever the Android device ships with, so it wouldn't be possible to set Edge as a default in the personal profile across a managed estate. Rather, Samsung may default to Samsung Internet, Pixel to Chrome, etc. This avoids a potential privacy risk in allowing organisations to set their preferred apps as the personal default, complete with whatever identifying information and usage data they may be able to extract from the personal profile and into corporate servers. By implementing these defaults, organisations prevent the opposite scenario where a user may choose to use a non-recommended (or downright potentially harmful app) as their default in the personal profile, and open the device up to additional security risks. Google states these must be initially configured at provisioning time. That is to say set in the policy applied at the time of enrolment. If being set retrospectively, as would be required for any existing device updating to Android 15, this can be done through the use of allowlists: The default messaging app can be set at any time. To enforce OEM defaults for dialler and browser after set up, this control must be combined with an app allowlist. These do not apply to Android 15's Private Space (discussed below), as these applications should not be present in the Space to begin with. Security & privacy changes # Android 15 additionally introduces a fair few security improvements also, some of which include: Migration of events from logcat to SecurityLog # From 15 we'll start seeing more information provided to SecurityLog. For those who've debugged an Android device under management, unless you're working with the device directly, pulling & reviewing logcat can be a pain. As SecurityLog, along with NetworkLog, can be fetched through the EMM, this offers a much simpler option and ongoing review of the respective logs. The intention is to more closely align with NIAP requirements, and allow for quick review of administrative device changes. In addition, Android adds an event for the backup service being toggled by an admin which will also now be available for admins from 15 when pulling security logs. Improvements to Factory Reset Protection # Though there are no enterprise-specific changes to factory reset protection, I believe it's important to highlight some changes made to how it works within the context of an enterprise device, namely: Enabling OEM unlock in developer settings will no longer deactivate FRP Bypassing the setup wizard, which isn't uncommon for dedicated devices/OEMs, will no longer deactivate FRP. Adding accounts, passwords, and applications will no longer be possible while FRP is active Going forward it will be evermore important to ensure both FRP, and enterprise FRP (wherein organisations set the allowlisted Google accounts), are properly maintained and processes correctly followed for resetting devices, if the EMM does not turn FRP off by default (hi, Omnissa..) A bump to minimum SDK version for installation of apps # As expected, the restriction on installing applications targeting very old versions of Android is getting a bump. In Android 15 it will no longer be possible to install apps targeting API level 23 - Android Marshmallow / 6.0 - or older. Only apps that target Android 7.0 - API level 24 - or later will be permitted. jason@MBP Downloads % adb install app-release.apk Performing Streamed Install adb: failed to install app-release.apk: Failure [INSTALL_FAILED_DEPRECATED_SDK_VERSION: App package must target at least SDK version 24, but found 23] Just as last year, we're talking about applications targeting a version of Android 10+ years old. While some organisations with line-of-business apps that haven't seen an update in half a decade may balk at the idea of getting their applications updated or rewritten, the justification behind this limitation is solid - security. Where apps targeting <6.0 were able to abuse the old permissioning system (pre-runtime!), apps targeting 7.0 are still able to abuse device administrator and similar APIs. This isn't something you want potentially leveraged directly or indirectly on your managed estate. Restrictions on device identifiers for personally-owned devices # From Android 15, applications with the permission android.permission.MANAGE_DEVICE_POLICY_CERTIFICATES will be able to fetch getEnrollmentSpecificId, which is an enrolment-specific, unique device identifier that persists across re-enrolments when done so into the same deployment scenario (i.e. fully managed or personally-owned work profile), by the same vendor agent, into the same enterprise (organisation/bind). It is an alternative to identifiers such as IMEI and serial number, which Google no longer grants access to for applications without the appropriate device or profile owner role, or DELEGATION_CERT_INSTALL via policy, and becomes the default and only option for fetching a unique device identifier for personally-owned work profile devices in future. To be clear - applications in a personally-owned work profile deployment up to now with the delegated permission of DELEGATION_CERT_INSTALL have been able to fetch a device serial number with relative ease, something that defeats the entire purpose of restricting access to the identifiers, considered to be personally identifiable information, in the first place. That loophole is closing. Head's up At time of writing there's a bug in 15 - on the Pixel 9 Pro XL at least - preventing delegated scopes from being retrieved by managed apps within the work profile. It works fine in the parent profile. If you'd like to validate this yourself, here's a snippet to call from within an application: val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager val delegatedScopes = dpm.getDelegatedScopes(null, context.packageName) Security exceptions for sensors-related permissions # From 15, device admins targeting API level 35, including DPCs and device admin role holders, will begin throwing security exceptions when attempting to set permissions for some sensors-specific permissions, including: Manifest.permission.ACCESS_FINE_LOCATION Manifest.permission.ACCESS_BACKGROUND_LOCATION Manifest.permission.ACCESS_COARSE_LOCATION Manifest.permission.CAMERA Manifest.permission.RECORD_AUDIO Manifest.permission.RECORD_BACKGROUND_AUDIO Manifest.permission.ACTIVITY_RECOGNITION Manifest.permission.BODY_SENSORS The two scenarios where this is expected to happen is: The calling agent is a profile owner, rather than a device owner (so work profile deployments, not fully managed) The agent is a device owned on a fully managed device, but has EXTRA_PROVISIONING_GRANT_OPT_OUT set during the provisioning process. While this has been in place since Android 12, previously this would have silently failed. In future security exceptions will be triggered which should make it easier to debug. New restrictions # It wouldn't be an Android release unless we saw a few new features to manage. Here's the run-down: Content protection policy # The content protection policy offers admin control of a new feature for real-time threat detection within the Google Play Protect arsenal of protections covered in a prior security blog from February. For Pixel devices, the toggle for this is in Settings > Security & privacy > More security & privacy > Scanning for deceptive apps. It is buried deep in Settings. When the configuration is unspecified, currently the respective toggle is off for fully managed devices. Switching to enforced then enables the setting. This is a great approach, sympathetic to the feedback its announcement generated from administrators already frustrated with overbearing Google Play Protect policies that cannot be disabled (full disclosure, I'm generally in favour of GPP, but I'm aware of the problems it causes for some organisations), while allowing its use for organisations that feel they need it. For EMM vendors, this is already present in AMAPI as contentProtectionPolicy under AdvancedSecurityOverrides. Android 15 also introduces the permission android.permission.MANAGE_DEVICE_POLICY_CONTENT_PROTECTION for apps which are not the device or profile owner to be able to interface with this API. Google Play Protect app scanning changes # In a related note, in September 2024 Google made a considerable change that will placate any organisation deploying sideloaded enterprise applications, including those installed via the EMM DPC (agent), internal services, or sideloaded in more traditional ways. These applications will no longer be sent to Google for scanning, and no longer prompt end users to take any action against them unless they are known to Google to be potentially harmful. More information here. Disallow NFC radio # As it says on the tin. If you're thinking "Don't we already have an API for NFC?" Yes we do, but that's to control the beaming of data between devices. This is a full on radio disable and will probably live under DeviceRadioState in AMAPI at some point later. This appears to be a natural progression from the earlier DISALLOW_CHANGE_NEAR_FIELD_COMMUNICATION_RADIO which prevents the turning on/off NFC in settings. eSIM management # eSIM has been given a respectable amount of attention in 15. Here's what's new: Disallow SIM Globally # The API I found earlier in the year appears to be a subset of a larger eSIM management framework being introduced with Android 15. For completeness, as the earlier post was quite light, here's what Disallow SIM Globally actually means: Available for both fully managed and company-owned work profile devices, disallow SIM globally (DISALLOW_SIM_GLOBALLY) is an eSIM restriction to globally prevent the user download of eSIMs to a device. While I earlier assumed it may have been globally disabling cellular, killing the radio and hiding the respective settings, status bar messaging, and so forth (useful particularly for lower-cost tablets that often come with cellular) this is not the case. In my testing, with the restriction enabled I was able to go into settings, begin eSIM setup with the scan of a QR code, and only then did it prevent setup with a generic error message that suggests there's a problem with the eSIM rather than a policy restriction in place: The experience could be improved dramatically here just with the addition of management UI, and preferably earlier in the process of adding an eSIM, also. Expanding 9.0 APIs for eSIM management # More broadly Android 15 introduces eSIM configuration capabilities via EMM. Based on what I've been able to find, eSIM management is directly associated with eSIM subscription management introduced in Android 9.0, and has been expanded in 15 to allow remote configuration via EMM, or the appropriate permission: Starting from Android Build.VERSION_CODES.VANILLA_ICE_CREAM, if the caller has the android.Manifest.permission#MANAGE_DEVICE_POLICY_MANAGED_SUBSCRIPTIONS permission or is a profile owner or device owner, then the downloaded subscription will be managed by that caller. In case the caller is device owner or profile owner of an organization-owned device, switchAfterDownload can be set to true to automatically enable the subscription after download. If the caller is a profile owner on non organization owned device switchAfterDownload should be false otherwise the operation will fail with EMBEDDED_SUBSCRIPTION_RESULT_ERROR. It would appear EMM vendors with either custom DPCs or via AMAPI will be able to lean into this API from 15 to add and remove EUICC subscriptions. Neat. Further, it will even support partial payloads! Providing the device has already been registered with an eSIM on a carrier's SMDP+ server, it will allow the device to reach out to that server, declare itself and get it's eSIM. This has the potential to significantly simplify eSIM management, reducing the number of eSIM configurations necessary for large deployments. Personally-owned device users will be able to remove the configured eSIM, though for company-owned devices, the additional policy DISALLOW_CONFIG_MOBILE_NETWORKS can be set to ensure eSIMs aren't deleted. Disallow assist content # This restriction allows administrators to prevent privileged apps, such as Assistant, from receiving contextual device information. These include screenshots, package names, and more. Useful for admins wishing to reduce the sprawl of information access privileged apps can have. This is scope-specific, so on fully managed devices will apply device-wide, but on profile-enabled devices restricts only to the managed profile. Circle to search # Relatively straightforward, an enterprise API is being introduced to lock down circle to search - one of the most hyped up features I've seen in a long time.. but probably not something organisations want accidentally invoking on dedicated devices while customers try to order a Big Mac! This is a nice continuation of assist content above, limiting the amount of data being sent to Google services. Widget management is back?! # With Android 15, setKeyguardDisabledFeatures has been expanded with widget management to coincide with the re-introduction of lockscreen widgets for tablet devices. At this time it appears to only apply to widgets in managed profiles, with Google explicitly stating: ..the profile owner of an organization-owned managed profile can set KEYGUARD_DISABLE_WIDGETS_ALL which affects the parent user when called on the parent profile. More testing is needed to determine why this isn't available for fully managed devices. To note for wider context, lock screen widgets were removed way back in 5.0 citing, if I remember correctly, low use. With the recent focus on tablets, and Apple adding their own, Google clearly figured they matter again! Other changes and requirements for 15 # Rounding off what's new, here are some additional features that don't fit into the above categories: Platform signed permission management # When a vendor works with an OEM to get their application platform singed, the application is granted all system-level permissions available on the device. As you can imagine, that is an unprecedented level of device access to data and services reserved normally for only the OEM system apps, and Google's preloaded suite of applications. In Android 15, Google is introducing system permission management, allowing OEMs to grant or deny permissions to signed applications that allows for the considerable down-scoping of access of a signed app to only the explicit permissions required to function. This won't apply to system apps bundled with a set of permissions in the OEM system image, but should permissions change in a later system app update, these permissions would also be denied automatically unless allowlisted in the respective system configuration. There's an additional config to allow platform-signed shared UIDs for non-system applications that have additionally previously required access to this. There are new alerts in logging to determine the permissions applications are no longer retaining access to, which vendors should already start looking at today to avoid loss of functionality. Knowing how many enterprise vendors lean on platform signature permissions today (basically most EMMs, several SaaS products, etc), this has the potential to cause headaches as 15 lands on devices, unless OEMs and vendors work together proactively to avoid this. Screen recording improvements # If you're like me and record your screen far too often to demonstrate anything from a device feature to a bug, user guides and more, you'll be pleased to hear the previously Pixel-only feature introduced in Android 14 is coming to the wider ecosystem with the 15 update. Now users can limit screen sharing to just the app they want to show, and no longer fret on the possibility to showing something that may not be appropriate for the context. Continuing the theme of recording, this is not so much an enterprise feature in and of itself explicitly, but Android 15 will alert apps when the screen is being recorded, allowing them to hide contents. I can imagine this might be useful for enterprise applications across the board to bolster DLP (data loss prevention), and based on murmurings in Tech News, Google is testing restrictions in Chrome to prevent sensitive information from being recorded (addresses, card details, passwords, etc). Broader system update visibility # From 15, applications granted the permission android.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES will be able to obtain information about a pending system update. This softens the current requirements that an application be a device or profile owner in order to fetch this information. What this doesn't do, unfortunately, is offer any more information about the update(s) available. Today we can see an update is available and that it's a security update. This API needs to be updated to show - build info, size, how long it's been available (not just when first detected), - SPL/Android version All of this is offered either through GOTA, Google's OTA management server many OEMs are encouraged to leverage (some don't of course, consider e-FOTA from Samsung, or HMD's new FOTA platform), or the build fingerprint of the package itself. Check MTE status # Expanding on the options for getting and setting MTE policies in Android 14, in 15 it will now be possible to merely query the current state (evidently something that should have, but didn't, quite make it to the 14 release!) Deeper dedicated device experience management # With Better Together Enterprise, AKA the new customer signup flow, Google is introducing a new provisioning option for dedicated devices, in addition to PERSONAL_USAGE_ALLOWED and PERSONAL_USAGE_DISALLOWED, Google are introducing a third allowPersonalUsage AMAPI enrolment token configuration option of DEDICATED_DEVICE. That alone isn't an Android 15 feature, but an accompanying flag OEMs can set from 15 within the device software declaring it a dedicated device should give many dedicated device-based organisations a reason to take note. Such distinguishing features between knowledge worker devices and the new dedicated devices flag include: Setup Wizard customisation Default restrictions within the Android experience Managing dedicated devices, which have always been treated identically to any other consumer Android device on the market, has been a frustrating experience; devices an end user would never use shouldn't need to configure accounts, access Google Play, deal with all the setup wizard interruptions around privacy callouts and more. I'd really hoped the EDLA licence would have solved a lot of problems, but so many years now after its introduction the differentiation is still minimal from MADA. Fortunately it looks like Google are taking another approach. Unfortunately a few years too late for the almost 5 years I supported dedicated devices on a daily basis, but I look forward to future projects benefiting from these changes. What didn't make it # These didn't make it today, but may pop up in a QPR or future Android version release: Dedicated document preview app # In the earlier Android 15 article I referenced a new mandate for OEMs to include a document viewing app, saying: The absence of a document preview application for managed devices has been quite a noisy complaint from organisations for many years, overshadowed only by missing camera &/ gallery applications. None of these apps have been mandated by Google for the fully managed/work profile user experience, and so the common trend is to see them simply not added. It appears Google changed their mind on this, which is not uncommon across releases by any means. The 4 or so years I spent working on Android hardware I saw many instances where proposals ultimately didn't make it - sometimes due to an internal direction change, sometimes pressure from OEMs. Either way it looks like that has happened here also, so we'll go another year without a dedicated document preview app. Skip adding personal accounts during company-owned work profile provisioning # In the earlier article I referenced a change I interpreted as offering the possibility for organisation admins to set provisioning-time configurations that skip the add-account flow during managed provisioning of a company-owned work profile device. This would have been a small quality-of-life improvement that would shorten down the COPE provisioning time for scenarios where either: users don't wish to immediately add a personal account and complete the full setup of their device, or where devices are perhaps staged elsewhere and sent to users registered and ready to go. Alas, we won't see this in 15. With that said, it has been submitted as a feature request to Google! In future, we may see a provisioning time option similar to allow the skipping of personal setup, perhaps palmed off to deferred setup, or triggered on the first boot after provisioning completes. Why would it be useful? Mostly echoing the above - organisations still pre-provision devices, even those on zero-touch, before sending them out to users in an effort to reduce the hand-holding needed for setting up a device. With the COPE model there are privacy and ethical considerations preventing the setup of a personal profile with a user's account, and obviously skipping the account setup renders the setup process less intuitive, even with deferred setup. Ensuring the work side is sorted, then shipping it out to an end user to add their Google account and go I find quite an enticing option in this and similar scenarios. Disallow Thread Network # At the time of writing, Google developer docs still don't have an entry for the Thread API, but reference it in the UserManager docs as an unlinked entity. At some point the link to UserManager should go to the right place. In the meantime it appears the source for CTS contains a test for this API. From that it's somewhat clear what this API is intended for, and we no longer need to assume: // If the device doesn't support Thread then as long as the user restriction doesn't throw an // exception when setting - we can assume it's fine @RequireFeature("android.hardware.thread_network") @RequiresFlagsEnabled(Flags.FLAG_THREAD_USER_RESTRICTION_ENABLED) If that's too ambiguous, the CTS docs reference the hardware feature android.hardware.thread_network, which additional source commits tie directly to Thread network support. It looks like it'll be a relatively straightforward boolean (on/off) restriction allowing managed devices to interface with thread network devices when it's added to Android at a later date. Did I miss anything? # If I did, you know where to find me.
- How Goto's acquisition of Miradore is eroding a once-promising MDM solutionby Jason Bayton on September 24, 2024 at 12:00 am
Back in 2014, I discovered Miradore, an ITSM solution with a then-emerging Mobile Device Management (MDM) product that promised a robust set of features for managing Android devices. My initial review, Miradore Online: Free MDM, highlighted the platform's potential and its generous free tier, which made it stand out in a market otherwise dominated by costly alternatives. Miradore isn't defined by their free tier, of course, there's a rather large and feature-rich product behind it. It's what drew me in to their product in the first place however, and has been a consistent, defining feature of their platform for more than a decade. Over the years, I revisited Miradore multiple times, documenting its growth and the expansion of its feature set in articles like Miradore Online MDM Review: A Second Look and Miradore Online MDM: Expanding Management with Subscriptions. In 2022, when Miradore announced its acquisition by Goto, I met the news with cautious optimism. Goto, a company known for its suite of remote work tools, seemed like a reasonably safe choice to nurture Miradore's growth. Official announcements from both parties, such as Goto Acquires Miradore and Miradore Acquired by Goto: What Happens Next?, painted a rosy picture of enhanced resources and expanded capabilities. However, the honeymoon period is certainly over now. Since the acquisition, Goto has more and more shown its disdain for Miradore's core MDM USP, systematically stripping away key features from the free tier and fundamentally altering the product's value proposition and accessibility. The erosion of the free tier # Last December, a significant change came when Goto removed essential functionalities from the free plan. Email configuration, VPN setup, Wi-Fi settings, contacts management, and mail were no longer accessible without a paid subscription. Details of these changes weren't outlined in Miradore's release notes, instead opting to send direct emails to certain customers only. I personally heard about it second-hand. Nevertheless, the impact was felt by long-time users who had integrated these features into their device management workflows. The situation worsened then in April; Goto further restricted the free tier by limiting mass actions — a cornerstone feature for any MDM solution. According to the official announcement: We have modified our Free plan and limited the mass actions. From now on, Free plan customers can: Deploy configuration profiles one device at a time Synchronize a single device at a time These changes effectively crippled the efficiency that Miradore once offered. Administrators now have to perform repetitive tasks individually for each device, a tedious process that is impractical for organisations managing more than a handful of devices. But Goto isn't finished. Later this year, they have announced plans to cap the number of devices on the free plan to 50, down from unlimited. The forthcoming changes were communicated through another release note recently. Yes, effectively unlimited devices down to 50. They aren't adjusting the tier functionality either, so it remains quite limited in capability after this change also. The impact on organisations # Obviously paying customers on higher tiers are wholly unaffected by these changes, and the remaining Miradore team within Goto continue to do a wonderful job with their customer base. That said, many of the paying customers they have will have come in through their free tier, often selected because organisations could get started and grow their estates without a licence commitment. These cumulative changes have made Miradore's free tier not just limited but virtually unusable for organisations of any moderate size and/or complexity, and pit Miradore far more directly with competing platforms, such as Manage Engine's 25 free licences. Fewer, yes, but not feature-limited. If you're going to enforce limits, you'd be wise typically to pick a path - limited licences, or limited functionality. The removal of both critical features and the imposition of device limits is a double-whammy that offers the worst of both worlds. I'd ask how they expect groups on the free tier to remain loyal to a platform driven by decisions that scream "we don't want you here", but it seems apparent they haven't considered the question. As someone who has championed Miradore for nearly a decade, I find this trajectory disheartening. The platform's Unique Selling Proposition (USP) was its robust free tier, which allowed organisations — especially smaller groups and communities with tight budgets — to manage their Android devices effectively without incurring additional costs, and I have directed hobbyists, charities, and indeed potential customers their way for years to benefit from this in order to take a first step into the enterprise management ecosystem. Goto's strategy appears to be undermining this USP entirely. By going down the path they've chosen, they're alienating the very user base that helped Miradore grow. It's a puzzling move, especially when considering that the MDM market is more competitive than ever, and my sympathies go out to the remaining Miradore team suffering the consequences of these mandates. Conclusion # Miradore's journey from a promising entry point into device management to its current state of limited functionality on a finite number of devices is a cautionary tale of how acquisitions can sometimes erode the very qualities that gave a product its place in a market. Goto's incremental worsening of their product will fundamentally change what Miradore offers, making it less appealing to organisations that may have used it as a jumping point into a higher tier at a later date, and more likely to be bundled with competing platforms in the decision-making process, unfortunately some with more compelling trial / free tiers than Miradore will soon offer. My hope going forward is these changes derive very real, measurable impacts on user acquisition and retention, and force Goto to revert. Better still if they also then choose to step back and let the folks who built and know the product define how it should be positioned and operated in the market going forward.
- How Goto's acquisition of Miradore is eroding a once-promising MDM solutionby Jason Bayton on September 24, 2024 at 12:00 am
Back in 2014, I discovered Miradore, an ITSM solution with a then-emerging Mobile Device Management (MDM) product that promised a robust set of features for managing Android devices. My initial review, Miradore Online: Free MDM, highlighted the platform's potential and its generous free tier, which made it stand out in a market otherwise dominated by costly alternatives. Miradore isn't defined by their free tier, of course, there's a rather large and feature-rich product behind it. It's what drew me in to their product in the first place however, and has been a consistent, defining feature of their platform for more than a decade. Over the years, I revisited Miradore multiple times, documenting its growth and the expansion of its feature set in articles like Miradore Online MDM Review: A Second Look and Miradore Online MDM: Expanding Management with Subscriptions. In 2022, when Miradore announced its acquisition by Goto, I met the news with cautious optimism. Goto, a company known for its suite of remote work tools, seemed like a reasonably safe choice to nurture Miradore's growth. Official announcements from both parties, such as Goto Acquires Miradore and Miradore Acquired by Goto: What Happens Next?, painted a rosy picture of enhanced resources and expanded capabilities. However, the honeymoon period is certainly over now. Since the acquisition, Goto has more and more shown its disdain for Miradore's core MDM USP, systematically stripping away key features from the free tier and fundamentally altering the product's value proposition and accessibility. The erosion of the free tier # Last December, a significant change came when Goto removed essential functionalities from the free plan. Email configuration, VPN setup, Wi-Fi settings, contacts management, and mail were no longer accessible without a paid subscription. Details of these changes weren't outlined in Miradore's release notes, instead opting to send direct emails to certain customers only. I personally heard about it second-hand. Nevertheless, the impact was felt by long-time users who had integrated these features into their device management workflows. The situation worsened then in April; Goto further restricted the free tier by limiting mass actions — a cornerstone feature for any MDM solution. According to the official announcement: We have modified our Free plan and limited the mass actions. From now on, Free plan customers can: Deploy configuration profiles one device at a time Synchronize a single device at a time These changes effectively crippled the efficiency that Miradore once offered. Administrators now have to perform repetitive tasks individually for each device, a tedious process that is impractical for organisations managing more than a handful of devices. But Goto isn't finished. Later this year, they have announced plans to cap the number of devices on the free plan to 50, down from unlimited. The forthcoming changes were communicated through another release note recently. Yes, effectively unlimited devices down to 50. They aren't adjusting the tier functionality either, so it remains quite limited in capability after this change also. The impact on organisations # Obviously paying customers on higher tiers are wholly unaffected by these changes, and the remaining Miradore team within Goto continue to do a wonderful job with their customer base. That said, many of the paying customers they have will have come in through their free tier, often selected because organisations could get started and grow their estates without a licence commitment. These cumulative changes have made Miradore's free tier not just limited but virtually unusable for organisations of any moderate size and/or complexity, and pit Miradore far more directly with competing platforms, such as Manage Engine's 25 free licences. Fewer, yes, but not feature-limited. If you're going to enforce limits, you'd be wise typically to pick a path - limited licences, or limited functionality. The removal of both critical features and the imposition of device limits is a double-whammy that offers the worst of both worlds. I'd ask how they expect groups on the free tier to remain loyal to a platform driven by decisions that scream "we don't want you here", but it seems apparent they haven't considered the question. As someone who has championed Miradore for nearly a decade, I find this trajectory disheartening. The platform's Unique Selling Proposition (USP) was its robust free tier, which allowed organisations — especially smaller groups and communities with tight budgets — to manage their Android devices effectively without incurring additional costs, and I have directed hobbyists, charities, and indeed potential customers their way for years to benefit from this in order to take a first step into the enterprise management ecosystem. Goto's strategy appears to be undermining this USP entirely. By going down the path they've chosen, they're alienating the very user base that helped Miradore grow. It's a puzzling move, especially when considering that the MDM market is more competitive than ever, and my sympathies go out to the remaining Miradore team suffering the consequences of these mandates. Conclusion # Miradore's journey from a promising entry point into device management to its current state of limited functionality on a finite number of devices is a cautionary tale of how acquisitions can sometimes erode the very qualities that gave a product its place in a market. Goto's incremental worsening of their product will fundamentally change what Miradore offers, making it less appealing to organisations that may have used it as a jumping point into a higher tier at a later date, and more likely to be bundled with competing platforms in the decision-making process, unfortunately some with more compelling trial / free tiers than Miradore will soon offer. My hope going forward is these changes derive very real, measurable impacts on user acquisition and retention, and force Goto to revert. Better still if they also then choose to step back and let the folks who built and know the product define how it should be positioned and operated in the market going forward.
- Google Play Protect no longer sends sideloaded applications for scanning on enterprise-managed...by Jason Bayton on September 23, 2024 at 12:00 am
In a surprise announcement last week, Google have confirmed sideloaded applications - such as those deployed via EMM solutions - will no longer be sent to Google servers for Google Play Protect scanning on enterprise-managed devices. Why apps are sent to Google # When an application is installed from a source other than Google Play, it is not considered safe by default. Google Play Protect, as part of the round-the-clock security it provides, tries to verify it. If the application doesn't match any known applications in the GPP database, it will ask the end user of the device to allow GPP to send the application up to Google's dedicated infrastructure to run the necessary security verifications. This off-device service then undertakes the necessary tasks to ensure it's safe, devoid of anything harmful, and any future devices that install the application benefit from GPP knowing of its existence ahead of time. This doesn't happen with applications that come down from Google Play because they've already undergone this security validation during the Play Store approval process. GPP knows the application, knows where it's from, and in most cases now sees an association with Google Play in the application metadata itself. Why organisations dislike it # While the service itself really can't be knocked (free security), the approach of requesting from end-users whether an application can be sent to Google is troublesome. If an organisation relies on in-house, or line of business, applications typically installed via the EMM agent directly (rather than using the Google Play iFrame or console uploaded as a private application), they may be familiar with this on-device prompt: Source: Google A disruptive, and oft-confusing interruption for end-users, this has caused questions around the quality, security, and trustworthiness of non-Google Play installed applications for years now. It is an entirely-consumer approach forced upon enterprise devices with no administrative control; had an API been present to define the answer to the above prompt (akin to how organisations can set permissions, for example) this likely wouldn't have been an issue. What's changing # As of the 6th of September (2024), applications sideloaded onto enterprise-managed devices, via any means, will no longer be sent for scanning, and thus the prompt will no longer present itself. It is, in effect, a permanent "Don't send" preset for applications installed either into the parent profile for device owner deployments (fully managed, dedicated), or the work profile of a profile owner deployment, so yes, it applies to personally owned work profile devices also. What it means for organisations # While sending applications for scanning will no longer be done, Google Play Protect remains active on devices. This is not a full disablement of on-device security, as on-device detection and prevention continues to function; known malicious apps, however they're installed, will still be flagged and may be removed. Beyond this, nothing really changes in terms of recommendations for the overall management of applications from unknown sources. Where possible it should be blocked by default. How this came to be # This announcement stems from a lengthy & passionate post on the Android Enterprise Customer Community, further highlighting the importance of the CC for direct feedback into Google and respective product teams. It's a considerable win for the community and those who use it 😁 If you're on the fence about joining up to share your own feedback, I would hope this example of Google and the customer ecosystem working together to improve the experience for everyone offers the nudge you need. Find a link to join in the share box below 👇
Brooks Peppin's Blog Managing Windows in the Modern Workplace
- How to Create a no-prompt bootable WinPE ISO – Crowdstrike Fixby Brooks Peppin on July 20, 2024 at 8:33 pm
With the massive Crowdstrike outage this week, we looked for a way to automate fixing virtual machines in our environment. Since our VMs were not ... Read more
- A Beginners Guide to Azure AD Join – Everything you Need to Knowby Brooks Peppin on April 26, 2023 at 6:58 pm
Welcome to the beginner’s guide to Azure AD join! As businesses increasingly rely on cloud-based solutions, Azure Active Directory has become an essential tool for ... Read more
- Understanding Windows Feature Updates in Microsoft Intuneby Brooks Peppin on December 19, 2022 at 10:07 pm
Deploying Windows 10/11 feature updates with Microsoft Intune is much simpler than traditional methods. You no longer have to “push” out the full patch or ... Read more
- Intune vs. Workspace ONE: 15 Pros and Cons (2022 Edition)by Brooks Peppin on October 17, 2022 at 4:53 pm
Microsoft Intune and VMware Workspace ONE are both industry-leading Unified Endpoint Management (UEM) solutions. If you look at any Gartner Magic Quadrant chart from the ... Read more
- How to Fix Hybrid Azure AD Join Error 0x801c005b: error_computer_signature_check_failureby Brooks Peppin on September 30, 2022 at 12:34 am
Seeing error 0x801c005b alongside error_computer_signature_check_failure when attempting to Hybrid Azure AD join your Windows devices? This error will prevent the hybrid join process from completing. ... Read more
Many Miles Away Helping you succeed with end user computing technologies
- Implementing Workspace ONE Relay Server Cloud Connectors (RSCC) with an existing Pull Relay...by Darryl Miles on June 1, 2024 at 2:09 am
The Workspace ONE UEM Relay Server Cloud Connector (RSCC) is a hybrid solution that pulls content (products only) from a … More
- Setting up a Workspace ONE UEM Relay Server for Android Rugged devicesby Darryl Miles on May 24, 2024 at 3:38 am
A Workspace ONE relay server acts as a middleman in distributing content within a Workspace ONE UEM environment to Android … More
- Enabling Advanced Device Telemetry for mobile devices through Workspace ONE Intelligence SDKby Darryl Miles on May 16, 2024 at 11:07 am
Spotting what’s causing a bad experience for mobile workers starts with a deep dive into device problems. The latest Workspace … More
- Enabling Shared Device Mode (SDM) for Microsoft Entra ID Conditional Access Policiesby Darryl Miles on April 30, 2024 at 12:17 am
In August 2023, Workspace ONE UEM extended conditional access capabilities for Microsoft Entra ID (formerly Microsoft Azure Active Directory) with … More
- How to deploy macOS PaperCut using Workspace ONEby Darryl Miles on April 14, 2024 at 2:46 am
PaperCut is used by businesses and organizations to track, control, and optimize their printing. PaperCut MF allows businesses to set … More
Sam Akroyd. Thoughts on Tech
- Can WiLo enable IoT-based Smart Cities?by Sam Akroyd on October 14, 2024 at 2:11 pm
I’ve spent the last few months building my own Smart Home, but we all know residential tech often…
- Home Assistant: We’ve done Smart Home, what about Smart Garden?by Sam Akroyd on September 25, 2024 at 12:11 pm
If you’ve been following the various episodes on building a Smart Home, you’ll know we’ve managed to make…
- Home Assistant: HACSby Sam Akroyd on September 10, 2024 at 10:54 am
You will have seen me reference HACS in a number of my blogs in the past few months.…
- Solar & Batteries in Home Assistantby Sam Akroyd on September 2, 2024 at 8:50 am
Solar panels, batteries and EVs are some of the fastest growing markets worldwide as the green revolution grips…
- Frigate, Home Assistant and AIby Sam Akroyd on July 23, 2024 at 8:34 am
So if you’ve seen the first blog on Frigate NVR and Home Assistant, and you’ve followed along –…
- Workspace ONE UEM Sensors and custom Registry valuesby techhub981158167 on June 10, 2024 at 12:58 pm
I had a customer enquiry recently where they were looking to pull some custom fields from a device to identify a device location, well at least where it was deployed, as well as come custom tags and other information they associate with a device at the time of deployment. If you have used Workspace ONE … Continue reading Workspace ONE UEM Sensors and custom Registry values →
- VMware App Volumes Apps on Demandby techhub981158167 on January 8, 2024 at 3:26 pm
There are plenty of articles explaining what VMware App Volumes Apps on Demand are and the benefits, for example https://www.vmware.com/uk/topics/glossary/content/apps-on-demand.html. This video demonstrates how quick and east it is to associate an App Volumes Server with an RDS Host in VMware Horizon and subsequently deliver a package using Apps on Demand.
- End of Yearby techhub981158167 on December 20, 2023 at 10:14 am
When I started this blog and YouTube channel a few years back I never really had a target other than to share any tips, tricks, information and how to for various EUC products. It’s always nice to see the end of year stats and know that people are looking at your content. Diving into the … Continue reading End of Year →
- The next phase of Workspace ONE UEM Sensorsby techhub981158167 on December 8, 2023 at 11:14 am
Earlier this year I wrote a blog article about using ChatGPT to write PowerShell scripts that could be used in Workspace ONE UEM to create Sensors. This works fine, but bear in mind that ChatGPT created PowerShell scripts for me based on best endeavours, there is no guarantee they would work or would not contain … Continue reading The next phase of Workspace ONE UEM Sensors →
- Workspace ONE UEM and Windows Multi Userby techhub981158167 on August 23, 2023 at 3:48 pm
Multi User or Shared Device, if you want to look at it that way, is something that has been supported with VMware Workspace ONE UEM but more so for Mobile Operating Systems rather than Windows. VMware has received feedback from several customers on wanting to be able to support a Windows Multi User use case. … Continue reading Workspace ONE UEM and Windows Multi User →
Thomas Cheng Welcome to my digital home!
- Proofpoint Certified Insider Threat Specialist Course 3 – A Day in the Life of an Insider Threat...by techiecheng on March 29, 2023 at 8:38 pm
Proofpoint recently released a three-part training webinar on identifying and mitigating insider threats. By viewing and taking the exam after all the sessions, Proofpoint will award you with a certificate. This post will recap what I learned in course 3 of this series.
- Proofpoint Certified Insider Threat Specialist Course 2: Building a Successful Insider Threat...by techiecheng on March 29, 2023 at 6:59 pm
Proofpoint recently released a three-part training webinar on identifying and mitigating insider threats. By viewing and taking the exam after all the sessions, Proofpoint will award you with a certificate. This post will recap what I learned in course 2 of this series.
- Proofpoint Certified Insider Threat Specialist Course 1 – Getting Started with Insider Threatsby techiecheng on March 26, 2023 at 4:47 am
Proofpoint recently released a three-part training webinar on identifying and mitigating insider threats. By viewing and taking the exam after all the sessions, Proofpoint will award you with a certificate. This post will recap what I learned in course 1 of this series.
- ‘Invalid credentials. Try again.’ when signing onto Workspace ONE UEM console with Active...by techiecheng on September 23, 2022 at 4:00 pm
Awhile back, I wrote a post on the error when signing into UEM with my AD credential. “Please contact Administrator” when signing onto Workspace ONE UEM console version with Active Directory credential Today, I got a different error when signing in with my AD credential to our shared SaaS/sandbox CN135: ‘Invalid credentials. Try again.’ I
- The true beauty of the Apple Beta Software Programby techiecheng on June 6, 2022 at 4:00 pm
Throughout the years, I’ve written many blog posts related to iOS update. Prevent users from installing iOS beta software in VMware Workspace ONE UEM by AirWatch Managing iOS update with Workspace ONE UEM Schedule iOS Update with VMware AirWatch Stop iOS update on its track with VMware AirWatch iOS 12.2 is here and how it
VirtuallyUnboxed Lifting the lid on everything virtual
- End of support for vSphere 6.5.x and 6.7.xby virtuallyunboxed on October 20, 2022 at 4:31 pm
In case you missed it, last week marked the end of general support for vSphere 6.5 and 6.7. This is the same regardless of whether you were using it for data centre services or EUC services like Horizon.
- Desktop Repurposing v4by virtuallyunboxed on October 20, 2022 at 4:23 pm
This year, myself and Matt Evans joined forced again, along with newcomer, Jonathan D'arcy to review some of the best desktop repurposing tools on the market. As with previous years we reviewed imaging and performance. However, this year we also took a look at the accompanying management solutions.
- VMware SASE and Cloud Web Securityby virtuallyunboxed on January 22, 2022 at 3:11 pm
Let's start with the basics! SASE is a Gartner term and is an abreviation of Secure Access Service Edge. Still not much help right? Well lets start explaining this by looking at how people typically work, espeically remotely, and how their traffic is secured. Most of you that ever work remotely will most likely use a device level VPN. This uses software on your device to create a tunnel into your company data centre and allows you to remotely access internal resources. This is how most companies have done it for many years, and it really dates back to the days when all a companies resources were in their own data centre. Tunnelling all the traffic back into the data centre was the perfect way to reach everything a remote user would need.
- Workspace ONE UEM and Workspace ONE Access Integration for Hub Servicesby virtuallyunboxed on March 2, 2021 at 4:06 pm
I know there are a lot of SaaS customers out there who have only been using basic MDM functionality within Workspace ONE. The platform has moved on a lot in the last few years and if you haven't already seen it i strongly suggest you check out hub services. This takes the Workspace ONE agent that is used for device management and adds additional functionality to the application such as a unified app catalogue, people search and a notifications platform to name but a few!
- Workspace ONE Access FIDO2 integrationby virtuallyunboxed on February 19, 2021 at 2:33 pm
As of this month (Feb 2021) All Workspace ONE Access SaaS tenants, now supports FIDO2 as an authentication method. So, I thought i'd put together a short video showing how easy it is to configure it and some different device types using the solution.
Mobile Jon's Blog My WordPress Blog
- Microsoft Connected Cache Jump Starts Windows Autopilot Pre-Provisioningby mobilejon on November 25, 2024 at 6:42 pm
Microsoft Connected Cache (MCC) is a new caching solution designed to enhance software deployment efficiency within enterprise networks. It allows devices to access cached content, reducing reliance on external sources. The system features straightforward deployment requirements and robust monitoring metrics to track performance, making it a valuable tool for Intune admins facing network challenges.
- Deploying Azure Virtual Desktop with Nerdioby mobilejon on November 13, 2024 at 7:08 pm
The article discusses the author's experiences with deploying Nerdio Manager for Enterprise to set up an Azure Virtual Desktop environment. It covers various steps like deploying the Manager, customizing deployment scripts, and configuring autoscaling and RDP settings. The user faced and resolved challenges during deployment, highlighting Nerdio's efficiency in simplifying VDI tasks.
- Deep Dive into Microsoft Authenticator Passkeys for iOSby [email protected] on November 1, 2024 at 7:10 pm
Microsoft recently enhanced its Authenticator app, introducing support for passkeys on iOS and Android, enabling passwordless authentication. Key features include device-bound passkeys, app attestation, and security key support. The focus is on the iOS passkey registration and authentication process, featuring Apple’s App Attest service to ensure app authenticity.
- Teams on a Diet: SlimCore Optimizes Microsoft Teams on VDIby [email protected] on October 29, 2024 at 3:01 pm
This content discusses the new Microsoft Teams architecture and its integration with VDI through SlimCore, a media engine that optimizes audio, video, and screen sharing. It highlights key components, features, and system requirements for effective usage, providing insights on installation, onboarding, and optimization for both Citrix and AVD environments.
- Deep Dive into Windows Sudoby [email protected] on October 14, 2024 at 4:00 am
This week, the focus shifts to Windows Sudo, which allows local admins to elevate commands without full admin access. The content discusses how Windows Console functions, the workings of Windows Sudo, and its code structure. Future discussions will delve deeper into its operation and monitoring through Process Monitor.
VMware Workspace ONE The un-official subreddit for VMware Workspace ONE. I recently started learning/managing Workspace One for the company I work for, I came to reddit to find others and saw that there wasn’t a community, so I started one. Our discord is here https://discord.gg/Zhr3TqMMf6
- Rolling out profile updates in waves?by /u/PotentialPeak42 on November 28, 2024 at 8:44 pm
Greetings! At work we currently have about 150 iOS devices. They are all pretty locked down, with a lot of restrictions applied and only a few managed apps available. We have about 6 to 9 profiles on each device. From time to time we do have to make some changes to the profiles. From operations perspectives it's not the best idea to apply such changes to all devices at once. I wonder if you do have any strategies on how to roll out such changes in waves. For new profiles, a rather obvious approach is to tag the devices according to the wave they belong to and then use smart groups to assign the profile to more and more groups (= waves). However, once the profile is rolled out to all waves (i.e. assigned to e.g. 3 wave groups), I cannot re-use this approach when the profile needs to be changed. Any ideas or comments? submitted by /u/PotentialPeak42 [link] [comments]
- Omnissa Community Overview and Why You Should Apply to Become an Omnissa Tech Insiderby /u/R_inspired on November 28, 2024 at 3:31 pm
submitted by /u/R_inspired [link] [comments]
- Admins Rights Windows devicesby /u/Top_Mycologist1155 on November 28, 2024 at 8:15 am
Hello erevyone, I need to retire the admins rights on the windows devices we have aready enroled, and i dont know whitch is the best option to do it, so if you have any sugestion will be sooo helpfull Thanks a lot in advance submitted by /u/Top_Mycologist1155 [link] [comments]
- Internal Appby /u/Some-Possible-2500 on November 26, 2024 at 6:29 pm
When adding an "Internal" app for a Windows device and you upload the installer file, where can you find and manage those files? There have been a few times I had to delete the said install and start over, and I have to upload the installer again, and I don't want multiple uploads taking up space since shows we have limited storage. Thanks. submitted by /u/Some-Possible-2500 [link] [comments]
- DCOM issue with cert authby /u/jriker1 on November 26, 2024 at 2:29 pm
Using WS1 On Premise with 2406 edition so on basically the latest at the time of this posting. We are trying to implement certificate based authentication with Microsoft CS and having an issue that looks to be an operating system issue (Windows 2019) in regards to lock downs that Microsoft is doing. From research looks like it’s up to the company that makes the software itself to fix. So when we setup cert auth the test fails. From our systems team the event logs on the MSCS PKI server return: Event ID 10036 on <PKI Server>. Log Name: System Source: Microsoft-Windows-DistributedCOM Date: 11/25/2024 3:53:47 PM Event ID: 10036 Task Category: None Level: Error Keywords: Classic User: <domain><ServerName>$ Computer: <PKI Server> Description: The server-side authentication level policy does not allow the user <domain><ServerName>$ SID ####################### from address ##.##.##.## to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application. Our thought is something needs to be done on the cloud connector server to change in the client application. Thoughts? submitted by /u/jriker1 [link] [comments]
- APNs for Applications renewal script - HTTP ERROR 500 --> resources.workspaceone.comby /u/Prof_Hase on November 26, 2024 at 9:30 am
I need the renewal script. Can someone provide me the script? https://kb.omnissa.com/s/article/50121242?lang=en_US&queryTerm=APNs%20for%20Application%20certificate%20renewal%20for%20On%20Premise%20environments Diese Seite funktioniert nicht resources.workspaceone.com kann diese Anfrage momentan nicht verarbeiten. But: Diese Seite funktioniert nicht resources.workspaceone.com kann diese Anfrage momentan nicht verarbeiten. HTTP ERROR 500 https://preview.redd.it/5bbzlqbkr83e1.png?width=1624&format=png&auto=webp&s=56ba77fcdd026a656966dd100c6c8d8d14d06518 submitted by /u/Prof_Hase [link] [comments]
- Problem with UAG HA in Azure deploymentby /u/EndUserExperience on November 25, 2024 at 8:35 pm
Hi all, We are doing an Azure deployment of UAG version 24.06 in cascade mode, with two UAGs in the front end and two in the back end. For some reason, we are unable to set up High Availability correctly, as all UAGs are reporting as primary in the High Availability set they have been assigned to. None of the UAGs are taking the backup role. Both Virtual IPs we are using are unique and belong to the same subnet as eth01. The GroupID is unique for the subnet. DNS names for the VIPs have been created. I didn't expect this to be a problem, and I am short on time, so a support ticket to Omnissa will be too late to solve this problem. Can any fellow Redditor guide me on which log I should start my search from the UAG log bundle I downloaded, or give me any advice on troubleshooting? SOLVED: Unified Access Gateway High Availability is not supported for Amazon AWS and Microsoft Azure deployments. https://preview.redd.it/8mhhs9rny33e1.png?width=1072&format=png&auto=webp&s=6e7485495d7ceafc905522b525482c59698eac82 submitted by /u/EndUserExperience [link] [comments]
- Is it possible to recover deleted device (windows)by /u/Such_Bison4668 on November 25, 2024 at 3:36 pm
I accidently deleted windows laptop with AirWatch and now i cannot open the SSD because i dont have the recovery key lol. is it possible to restore deleted device or is it parament ? submitted by /u/Such_Bison4668 [link] [comments]
- Rename an Organization Groupby /u/Prof_Hase on November 25, 2024 at 2:28 pm
Can I rename an Organization Group without having to make any further adjustments? The Group ID would not need to be renamed. These are also the upper Organization Groups 1 1.1 1.2 and I would have to rename 1 submitted by /u/Prof_Hase [link] [comments]
- Outlook autoconfiguring but not deployed via WS1.by /u/TheDisapprovingBrit on November 25, 2024 at 1:31 pm
We use Boxer with a very limited number of Outlook Mobile clients. We're just in the process of migrating users from on prem Exchange to Exchange Online, and we've noticed an issue - after moving to EOL, the users Outlook Mobile client is able to autoconfigure and download their mail. Since this isn't in the Work profile on Android, or whatever iOS's equivalent is, our concern is that this will be out of scope in case of a device wipe. We're further complicated by the fact that we do have a few Outlook Mobile users who do have Outlook deployed via WS1. Is there a way to prevent Outlook Mobile from being able to autoconfigure if it is installed in the Personal profile in Android, or if Outlook wasn't deployed via WS1 on iOS? submitted by /u/TheDisapprovingBrit [link] [comments]
- Unable to enrol via intelligent Hubby /u/Dontkpkb_leh on November 24, 2024 at 4:00 am
Hi Fellas, I’m experiencing enrolment issues via intelligent hub. I’m using VM’s with windows 10 to enrol & restricted enrolment is being configured Added the serial no of the VM to be whitelisted for enrolment “shows waiting for enrolment” Discovery to enrolment url works with credentials as we are on workspace one identity access for idp. Error shown after authentication success “Request Failed Unexpected Error” Does any one have any suggestion why this is happening? submitted by /u/Dontkpkb_leh [link] [comments]
- iOS Installsby /u/EntireAlarm6314 on November 22, 2024 at 7:19 pm
Hello Everyone, I need help with doing an iOS install for all the iPhone and iPads within our organization. The problem has become that when i do a force download now as the first priority and install later in the day with the next priority it seems it just gets stuck on the install command. Need help! submitted by /u/EntireAlarm6314 [link] [comments]
- Troubleshooting: Calendar Syncby /u/Medic2834 on November 21, 2024 at 8:58 pm
I use Boxer on a Pixel 8 Android 15 device, syncing from Exchange. I have more than one calendar syncing but one is not syncing fully. Some appointments dont show up and some are duplicated. We removed the program from my phone and reinstalled, didn't help. We removed me from the system and back in, didn't help. Anyone come across this problem? submitted by /u/Medic2834 [link] [comments]
- Workspace ONE UEMby /u/Ok-WS1-1994 on November 21, 2024 at 6:44 am
Hello we are facing issues samsung email app authentication.While we are putting corporate email in samsung email app we are getting Error " The action is blocked by MDM contact the MDM Administrator" - UEM version 24.6 modstack environment - Didn't set any restriction profile to block this action - Also application ID whitelisted already - not getting any error in device or console log - only M365 user getting this error - on-prem user not facing this issue Any help much appreciated or solution thanks in advance. submitted by /u/Ok-WS1-1994 [link] [comments]
- Log connectivityby /u/beautifulbird309 on November 20, 2024 at 2:36 pm
Hi all, At the comp I work for, we use a bunch of Zebra tablets for a few custom applications to use in a warehouse environment. We have intermittent issues where these custom apps time out, and give errors related to connectivity. So people are looking at our infra team to ‘fix it’, while I have the impression that it’s more related to the app being finicky on a 4G connection. What would be some solid methods to log connectivity issues? E.g. disconnecting and connecting from the network? Our previous MDM (SOTI) logged this by default, but our WS1 doesn’t seem to have that data. Thanks for the input submitted by /u/beautifulbird309 [link] [comments]
- Allow the use of the microphone to only one application on iOSby /u/Somesteam on November 20, 2024 at 2:34 pm
Hello, Currently the use of the microphone is disabled on every iPhone, but I would like to know if it is possible to give access to the microphone for only one application, but not the others? Thank you submitted by /u/Somesteam [link] [comments]
- Synchronizing Exchange Notes with Boxer Appby /u/Prof_Hase on November 19, 2024 at 11:57 am
Is it possible to sync Exchange Notes with the Boxer App? I couldn't find anything regarding this. submitted by /u/Prof_Hase [link] [comments]
- WS1 Access 23.09 End of General Support 10/31/2024by /u/Clear-Ad-9543 on November 15, 2024 at 11:33 pm
Sorry if this is a duplicate, I saw the newsletter that 24.07 was coming out but no clue 23.09 was going away so soon. submitted by /u/Clear-Ad-9543 [link] [comments]
- Windows 11 baselines will not deploy to ARM endpointsby /u/zombiepreparedness on November 15, 2024 at 4:44 pm
No matter what I do or try, I cannot get a baseline to install on a windows 11 arm endpoint, either a physical machine or virtual. I always get this error "Failed to apply admx policies of BaselineUuid: 6c40dc37-42a4-457a-88a0-e6e9c7d34037", but I have no idea what admx it can't apply. It doesn't matter if it is the windows security baseline or the cis benchmark. The same baseline applies just fine on a x86/x64 endpoint. Any thoughts? submitted by /u/zombiepreparedness [link] [comments]
- Web Links not showing on Android homescreenby /u/GeekgirlOtt on November 15, 2024 at 4:40 pm
I have the "managed bookmarks" working okay in Chrome, but takes a lot of digging for users to find that. I would prefer icons on the homescreen. I have found these instructions: https://www.reddit.com/r/WorkspaceOne/comments/12xyyhf/is_there_a_way_to_deploy_a_link_as_an_app_on/ What is the difference between this process and adding it in "Web Links" ? Should the Web Links I already configured show up as icons on the homescreen - if so, why aren't they - what did I miss ? submitted by /u/GeekgirlOtt [link] [comments]
The Support Insider VMware Support News, Alerts, and Announcements
- Simpler Licensing with VMware vSphere Foundation and VMware Cloud Foundation 5.1.1by Kelcey Lemon on March 21, 2024 at 5:28 pm
Tweet VMware has been on a journey to simplify its portfolio and transition from a perpetual to a subscription model to better serve customers with continuous innovation, faster time to value, and predictable investments. To that end, VMware recently introduced a simplified product portfolio that consists of two primary offerings: VMware Cloud Foundation, our flagship … Continued The post Simpler Licensing with VMware vSphere Foundation and VMware Cloud Foundation 5.1.1 appeared first on VMware Support Insider.
- VMware Skyline Advisor Pro Proactive Findings – January 2024 Editionby James Walker on January 24, 2024 at 11:16 am
Tweet VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of January, we released 60 new Findings. Of these, there are 37 Findings based … Continued The post VMware Skyline Advisor Pro Proactive Findings – January 2024 Edition appeared first on VMware Support Insider.
- Skyline Advisor Pro: Introducing Inventory Export Reportsby Kelcey Lemon on January 16, 2024 at 12:00 pm
Tweet You’ve asked for the ability to export inventory information, including licensing, and we’ve listened. The Skyline Team is proud to introduce this highly requested feature, Inventory Export Reports. Inventory Export Reports allow you to generate reports on your inventory, licensing, and configuration data. These reports can help you to identify potential problems, track changes … Continued The post Skyline Advisor Pro: Introducing Inventory Export Reports appeared first on VMware Support Insider.
- VMware Skyline Advisor Pro Proactive Findings – December 2023 Editionby James Walker on December 15, 2023 at 6:56 pm
Tweet VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of December, we released 56 new Findings. Of these, there are 35 Findings based … Continued The post VMware Skyline Advisor Pro Proactive Findings – December 2023 Edition appeared first on VMware Support Insider.
- VMware Skyline Advisor Pro: Proactive and Diagnostic Findings Demystifiedby Kelcey Lemon on December 13, 2023 at 3:07 pm
Tweet While supporting VMware Explore 2023 in Barcelona, a customer asked me, “What’s the difference between Proactive Findings and Diagnostic Findings in Skyline Advisor Pro and how are each one produced?” So, I’d like to take this moment to elaborate more on my original blog that introduced Diagnostic Findings. Proactive Findings Proactive Findings are potential … Continued The post VMware Skyline Advisor Pro: Proactive and Diagnostic Findings Demystified appeared first on VMware Support Insider.
- VMware Skyline Advisor Pro Proactive Findings – October 2023 Editionby James Walker on October 27, 2023 at 4:33 pm
Tweet VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of October, we released 39 new Findings. Of these, there are 30 Findings based … Continued The post VMware Skyline Advisor Pro Proactive Findings – October 2023 Edition appeared first on VMware Support Insider.
- From upgrading vSphere to troubleshooting issues with Tanzu Kubernetes Grid: Top 10 VMware Tanzu Knowledge Base Articles in September 2023.by Marcela Gleixner on October 11, 2023 at 12:18 pm
From upgrading vSphere to troubleshooting issues with Tanzu Kubernetes Grid: Top 10 VMware Tanzu Knowledge Base Articles in September 2023. The post From upgrading vSphere to troubleshooting issues with Tanzu Kubernetes Grid: Top 10 VMware Tanzu Knowledge Base Articles in September 2023. appeared first on VMware Support Insider.
- 10 most popular KB articles in September 2023, for VMware Tanzu Application Service, BOSH and more.by Marcela Gleixner on October 9, 2023 at 9:54 pm
10 most popular KB articles in September 2023, for VMware Tanzu Application Service, BOSH and more. The post 10 most popular KB articles in September 2023, for VMware Tanzu Application Service, BOSH and more. appeared first on VMware Support Insider.
- Top 10 Most Popular Knowledge Articles for Horizon, WorkspaceONE, End User Computing (EUC), Personal Desktop for September, 2023 by Jamie Gravatte on October 6, 2023 at 4:31 pm
Tweet Get answers and solutions instantly by using VMware’s Knowledge Base (KB) articles to solve known issues. Whether you’re looking to improve your productivity, troubleshoot common issues, or simply learn something new, these most used and most viewed knowledge articles are a great place to start. Here are the top 5 most viewed KB articles … Continued The post Top 10 Most Popular Knowledge Articles for Horizon, WorkspaceONE, End User Computing (EUC), Personal Desktop for September, 2023 appeared first on VMware Support Insider.
- Top 10 Most Popular Knowledge Articles for HCX, SaaS, EPG Emerging Products Group for September, 2023 by Jamie Gravatte on October 5, 2023 at 2:26 pm
Tweet Get answers and solutions instantly by using VMware’s Knowledge Base (KB) articles to solve known issues. Whether you’re looking to improve your productivity, troubleshoot common issues, or simply learn something new, these most used and most viewed knowledge articles are a great place to start. Here are the top 5 most viewed KB articles … Continued The post Top 10 Most Popular Knowledge Articles for HCX, SaaS, EPG Emerging Products Group for September, 2023 appeared first on VMware Support Insider.