rterakedis's Posts

If interested in beta testing the Workspace ONE Admin Assistant for macOS version 3.0, please join the beta at https://beta-ea.vmware.com/enter/ This beta introduces a CLI interface for the Admin Assistant.   If you do not have access to the Beta portal, you may request to join at http://beta-ea.vmware.com/key/getbeta 
In Case You Missed This KB: https://kb.vmware.com/s/article/82369
Symptoms
Multiple Workspace ONE UEM application pools and services may not start once stopped after Jan 27th, 2021. Event logs display an error loading certain DLLs due to a code signing validation error. This affects SaaS as well as On-premise customers.
Affected version
The following versions are potentially impacted:
- Workspace ONE UEM 19.7.0.5, 19.7.0.16, 19.7.0.38, 19.7.0.39
- Workspace ONE UEM 19.9.0.2, 19.9.0.11, 19.9.0.34
- Workspace ONE UEM 20.1.0.9, 20.1.0.26, 20.1.0.27
- Workspace ONE UEM 20.3.0.1, 20.3.0.6
- Workspace ONE UEM 20.4.0.16
- Workspace ONE UEM 20.5.0.17, 20.5.0.24, 20.5.0.33, 20.5.0.34, 20.5.0.35
- Workspace ONE UEM 20.6.0.14
- Workspace ONE UEM 20.7.0.0 GA, 20.7.0.2 GA, 20.7.0.10
This list will be updated as we continue validation.
Resolution
Our Product team is engaged and actively working to provide a resolution for each of the affected versions in the form of a patch. The affected version list (above) will also be updated as we continue to validate each supported release.
Fix Version(s):
- Workspace ONE UEM 1907 - Addressed in 19.7.0.60 (Available for download at UEM Console 1907 Patch)
- Workspace ONE UEM 1909 - Addressed in 19.9.0.45 (Available for download at UEM Console 1909 Patch)
- Workspace ONE UEM 2001 - Addressed in 20.1.0.28 (Available for download at UEM Console 2001 Patch)
- Workspace ONE UEM 2003 - Addressed in 20.3.0.20 (SaaS Only)
- Workspace ONE UEM 2004 - Addressed in 20.4.0.17 (SaaS Only)
- Workspace ONE UEM 2005 - Addressed in 20.5.0.36 (Available for download at UEM Console 2005 Patch)
- Workspace ONE UEM 2006 - Addressed in 20.6.0.15 (SaaS Only)
- Workspace ONE UEM 2007 - Addressed in 20.7.0.11 (SaaS Only)
Action Required:
- Customers with SaaS environments - None. VMware Cloud Operations is working round the clock to patch all impacted environments.
- Customers with On-Premise environments - Please follow this article for updates regarding the fix for each version.
It is highly recommended that you deploy the relevant patch once it is made available.
More details (Cause, Impact/Risks) can be found at the KB: https://kb.vmware.com/s/article/82369
@EricMartinez, Devices with the M1 chipset are supported by Workspace ONE, although the Intelligent Hub currently requires Rosetta2 installed (which is handled by the installer for version 20.11.1). More detail here: https://kb.vmware.com/s/article/81678?lang=en_US
ICYMI: We've posted a new KB article https://kb.vmware.com/s/article/82032 about decommissioning the legacy awagent.com URLs!
Impact / Risks
The following update URLs will no longer be available after December 31, 2020:
- https://awagent.com/VMwareAirWatchAgent/VMwareAirWatchAgent.pkg
- https://awagent.com/AdminAssistant/VMwareAirWatchAdminAssistant.dmg
- https://awagent.com/AdminAssistant/VMwareAirWatchAdminAssistant.xml
The decommission of these URLs will only impact the following app versions:
- VMware AirWatch Agent 4.0.1 (or lower) - Released March 2019
- VMware AirWatch Admin Assistant 1.0 - Released February 2018
Resolution
VMware recommends all customers download the latest versions of these apps here:
- https://getwsone.com/macOS/VMwareWorkspaceONEIntelligentHub.pkg (Latest GA version as of 12/18/20 is 20.11.1)
- https://getwsone.com/AdminAssistant/VMwareWorkspaceONEAdminAssistant.dmg (Latest GA version as of 12/18/20 is 2.0.3)
@RENEROCHEFORT - This might also help:
1) Detail on troubleshooting profiles (there's a blurb about PPPC in there): https://techzone.vmware.com/troubleshooting-macos-management-vmware-workspace-one-operational-tutorial#_1318381
2) You can also try this fling: Workspace ONE App Analyzer for macOS | VMware Flings
@AntonThirifays - If I'm reading this correctly, I think you need to rethink how this is happening. iOS/macOS only uses "managed Apple IDs" for the special "User Enrollment" type of enrollment. The whole point of user enrollment is to separate the keychain and APFS managed by UEM from the keychain/APFS containing the user's personal data. You're basically asking if you can take the enterprise/work certificate and auth to User Enrollment. In order for that to happen, the certificate would have to be outside the UEM-managed keychain, because until you authenticate with the managed Apple ID, the work keychain/filesystem doesn't exist. Does that make sense?
There was an issue with a previous version of the Intelligent Hub installer, specific to M1 Macs. Are the Macs having issues M1-based, Intel-based, or a mix? Are you deploying the hub that is seeded in the console, or are you uploading a new version of the hub as a bootstrap package? If you're doing a bootstrap package, make sure you're not trying to also deploy the seeded version. This is a bug that seems to get resolved and periodically reintroduced where macOS will just fail to run any InstallEnterpriseApplication commands during AwaitConfiguration if more than one command is sent.
Hello everyone! We're building a new security extension into the Workspace ONE Intelligent Hub that allows IT to restrict specific applications or processes from running on managed devices. We've currently opened this up for beta testing and ask that, if you're interested in using this feature, you join us in testing to make sure it handles your use cases! Check out the Workspace ONE Intelligent Hub 20.10 Beta https://beta-ea.vmware.com/key/getbeta
AntonThirifays​, For starters, it's a little of both (OS vs App).   For anyone that may be new to macOS and reading this post, WS1 UEM allows you to send credentials (e.g. Certificates) as a "User" profile OR a "Device" profile.   This means the certificate is delivered by the mdmclient process into the login keychain, or the system keychain (respectively).   Certs within the system keychain are typically used for system-wide processes or actions --> 802.1x connectivity, etc.     As you mentioned, Safari generally knows how to handle certificates, and it does so by matching against certificates in the login keychain.  You can control which certificates get chosen using the "identity preferences" functionality in the credentials payload.   Many third-party apps don't handle cert-auth directly, and instead offer federated or SAML authentication.  By doing this, the app can present some type of in-app view (or alternatively refer the user to the mobile browser) to handle the authentication using the certificate.   That said, Apple's new "SSO Extension" functionality aims to handle some of this complexity.   The point here would be that the extension could perform authentication (such as certificate-based authentication) on behalf of any app on the device.  In this case, the apps wouldn't need to maintain any type of authentication as the extension should handle it. See the WWDC 2020 video here:  https://developer.apple.com/videos/play/tech-talks/301/ Hope that helps.   Rob
alextsa - iOS and iPadOS work in two different ways:
- When enrolled with automated enrollment (via Apple Business Manager), web enrollment, or hub-based enrollment, there is a concept of "managed" versus "unmanaged" data and apps. You can control whether unmanaged apps can interact with managed apps and data (and vice versa) via two checkboxes in the iOS restrictions profile. This concept of "managed vs unmanaged" means that everything is on a shared APFS partition on the device, but the OS is tracking what was put there by MDM and then will remove it during an enterprise wipe. Examples include volume-purchased, managed apps (or public apps that are then "taken over" by MDM to become managed apps), books, and content such as managed email accounts.
- When enrolled via Apple's new "User Enrollment" flow, there is a separate APFS partition created to store enterprise data separately from personal data. This means UEM can only query and manage data and apps on the "work" partition related to User enrollment. All physically identifying attributes of the device are obfuscated.
Now, as far as for the behavior of the public app that you mentioned, this is expected behavior UNLESS you've added a location token from Apple Business Manager to your account, and delivered that app to the device as a managed, volume-purchased app (or, if it was a public app installed by the user's personal Apple ID, you've delivered it as a managed VPP app with the flag to "Make App MDM Managed if User Installed"). Basically, if you send the app using the "Public" apps tab in Workspace ONE UEM, then it's more of a "suggestion" that the end-user installs the app. Apps sent using the "Purchased" or "Internal" apps tab in Workspace ONE UEM are considered fully managed. The above behavior is a fundamental difference between how i[Pad]OS works compared to Android.
Hope that helps! Rob
JuhiB - Here's the "happy path" on setting this up (assuming these devices will be full-time Single-App Mode):
- Enroll in Apple Business Manager (ABM) and ensure the devices are purchased through Apple (or a reseller) and tied to your ABM customer ID.
- Set up ABM integrations in Workspace ONE UEM:
- Set up your automated enrollment profile to enroll the devices to a single basic user (or skip authentication completely depending on your security requirements).
- Apply the automated enrollment profile to the correct set of devices.
- Set up your Location Token from Apple Business Manager and purchase licenses for the app you want in Single App Mode.
- Alternatively, upload the "enterprise app" you'll be distributing for Single App Mode.
- Assign the app to the devices (or the user) using "Device-Based" licensing (so no Apple ID is required).
- Assign a profile to the iOS devices that sets the app into Single App Mode.
- As needed, update the app (by uploading a new enterprise app, or by telling UEM to check the ABM for a new version). Once you do that, iOS will handle background updates for the apps by locking out the user from the device while the app updates.
xiaogui2005, I would first point you to this specific tutorial: Managing Major OS Updates for Mac: VMware Workspace ONE Operational Tutorial | VMware
I realize you're attempting to do something different, but some of the discussion in that tutorial describes how to deliver the OS installer to the device. You don't necessarily need to deliver the full-blown installer via Internal Apps.
Some other thoughts:
- If you do go the route to deliver the full installer, you'll need to make sure that (if you're SaaS-hosted) your quota for max file size has been increased to accommodate the larger file.
- The deployment script would probably work better in the "Post-Install" field instead of pre-install.
- You shouldn't need to include sudo, as the process is already running with system/root context.
- You may need to add the "--nointeraction" flag to your command line also.
There was also some discussion on this thread:
Hey gdramirez1​ - Just checking to see if this helped, or if you're still running into issues?  Thanks!
ICYMI:  Announcing: VMware Fusion 12 and Workstation 16 - VMware Fusion Blog - VMware Blogs
Hi Everyone! We've snuck in an update to the Deploying Workspace ONE Tunnel for macOS operational tutorial to cover tunneling the Kerberos SSO Extension built-in to macOS Big Sur. If you are beta testing macOS Big Sur, please give this a try! If you run into any issues:
- File Feedback with Apple
- Send us feedback via TechZone:
BethC -- Yes, if you configure the environment for registered devices only, then from an Apple perspective you essentially prevent devices that are not Apple Business Manager synced (and/or pre-registered). If you unenroll a device, it should still be "registered" and you can then re-enroll via the Hub (although it will no longer be enrolled through Apple Business Manager).
That said, there are a few macOS nuances that lead folks to doing wipe/reloads: Unlike iOS, macOS has no concept of managed data separation. This means if you were to send an "enterprise wipe" to macOS in order to re-enroll, the apps could be removed but not necessarily any of the data created by the user using those apps. Additionally, since macOS is inherently multi-user, the Enterprise Wipe does not remove the local user account in macOS and therefore doesn't trigger the Setup Assistant. The only supported way to trigger the Setup Assistant to go through automated enrollment with Apple Business Manager is to wipe/reload. You used to be able to trigger SetupAssistant with some scripting (though been awhile since I've tried), but depending on what you're trying to do (such as wipe/redeploy to the same user) you could end up with some unexpected consequences with user account and home folder collisions and whatnot.
To answer your last question, generally speaking wipe/reload should be your last resort when troubleshooting macOS. You should be able to gather hub logs (for hub functionality), a sysdiagnose (preferably with the Apple GSS debug profile downloaded/enabled from developer.apple.com) for general macOS functionality (mdmclient, appstore, storedownloadd, etc), and details from the "troubleshooting" tab in the device details view. I hope that helps point you in the right direction!
cm1190​ - You should be able to turn on Bluetooth via Managed Preferences:  Settings > Device & Users > Apple > iOS > Managed Settings Requested.  Basically, enabling the checkbox here makes Workspace ONE UEM send the "Enabled" property for the Bluetooth Managed Setting:   https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/bluetooth You can then use the restriction mentioned to prevent the user from changing the setting.
Hello VMworld 2020 Attendees!    If you're joining us for our Breakout Session on Managing Macs and Offering Mac as Choice [DWMM1650], I invite you to use this thread for any questions that you might have after the session ends! 
teckler​ - this is how Apple's Shared iPad for Business is designed.   Each user gets their own APFS partition and the OS dynamically links writeable storage locations to that partition.   While the Teams app will remain installed, each user should see different things (as well as need to log-in to Teams).
Hey gdramirez1​! So looking at this documentation, I'm wondering if you need to set it up as follows (all the following payloads are in "Device" scoped macOS Profiles).  I don't have the infrastructure to test, but if that doesn't work let me know.  I think the "content filter" payload is the only unknown for me -- that may end up needing to be Custom XML. Privacy Preferences: System Extensions: Content Filter: