rterakedis's Posts

hey syarbrou​ - Just wanted to clarify, while Hub services co-exist with an Access tenant, they do not both need to be set up.   If you look in the console (Getting Started > Workspace ONE > Intelligent Hub), you can either enter credentials for an access tenant you are already assigned (even if it has yet to be configured), or you can request a new access tenant if you were never provided one.   In either case, you configure the hub settings separately from Access. That said, there are some features of Hub that require access integration --> Unified App Catalog (Saas/Horizon/Mobile), People Search, and Enhanced Notifications.

Ramkumara11​ - I have seen in the past where profiles that use ADCS-generated certificates can sometimes take a long time to deploy.   The reason for this usually ends up being something related to the following: The number of devices which need the profile is large.... leading to... A large number of certificate requests being made to the CA which may be undersized. Remember, each time you request a new certificate from the CA it has to do the math to generate the unique key for the certificate (at whatever bit length you specify).   A lot of times I’ve seen where the Root CA is a physical machine locked away in a closet, but the intermediate CA(s) run on  VMs which are not sized for mass certificate generation.   I would say you might want to open a ticket with Support and they can help you look at the DB to determine if these processes are waiting on the CA to return the certificate to get embedded in the profile. As a quick test, one option would be to watch the CA specified in your credentials payload to see if new certificates are being generated and if so, how many are being generated over a certain timeframe.

Dhanushkav​ - There isn’t an equivalent of the “light” installer for macOS (e.g. the ODT where you supply a configuration XML file).   Microsoft’s only deployment options for macos are as follows: Full Suite Installer Package Individual App Installer Packages Mac App Store That said, if the issue is you want to avoid all the computers downloading MS Office from the Internet, you can do one of the following: Host the full suite Installer locally on your network and write a script that downloads it from that location. If using the Mac App Store version, make sure you have macOS Caching Services deployed on your network.  Also, Microsoft does support hosting MAU locally on your network:   https://macadmins.software/docs/MAU_CachingServer.pdf

From an Apple perspective, I recommend looking into setting up the Application as a Custom App.   Managing iOS Custom Apps: VMware Workspace ONE Operational Tutorial Basically, by doing so, you can securely share the app to your partners/customers, but in a way that they can easily add them into their own MDM solution.  Additionally, with the app in the Custom App store, it gains the same benefits as any normal app from the perspective of global CDN distribution and macOS Caching Services.

lawrencechow​ - Yes, Workspace ONE can perform a device wipe on macOS.   I have seen problems with it in the past in the following scenarios: The device was enrolled as "employee-owned" and the Privacy settings in the console prevent device wipe on employee-owned devices. There used to be a dependency on having the recovery partition created on the device.   I remember a few years back when imaging/cloning macOS was more popular, some folks were removing the recovery partition and if this was the case the command wouldn't succeed because the recovery partition was missing.   I haven't seen it come up lately, but most folks aren't imaging machines anymore because of recent hardware changes breaking these processes. The device actually needs to be online on the Internet in order to get the command from Workspace ONE The wipe should basically leave the device in a non-bootable state.  You'll need to reinstall macOS for sure.

shabsn​ -- have you tried uploading the certificate in a macOS device profile?   You should be able to upload a certificate there and have it placed into the System keychain. When creating macOS profiles, "User" profiles affect the login keychain while "Device" profiles affect the System keychain.

dragan979​ - I think what you're looking at is a fundamental difference between the data architectures in Android verusus iOS. In modern Android platforms, the work profile physically separates data managed by MDM from data created by the user (the exception here being "work owned" or "corporate managed" android devices - see Understanding Android Device Mode​ ).  As such, there is a clearly defined boundary, and Android denotes the boundary by adding the briefcase icon to all the "Work Profile" apps.   Again, the briefcase icon denoting a work app is put there by the Android OS, not by Workspace ONE. With regards to iOS, up until the recent introduction of "User Enrollment" there hasn't been a clear separation of work and personal data other than to say what was "managed" versus "unmanaged".   Also, unlike Android, Apple has never made any overlays on the app icons to denote a personal app versus a work app.  Apple has never provided a device-wide copy-paste restriction, and has instead simply chosen to focus on "managed open-in".   In other words, they focused on data-loss prevention by controlling whether you could move entire documents/files to personal apps.   If you look in the iOS restrictions payload, you'll see a number of settings to manage this: But LukeDC​ and RogerDeane​ hinted at the underlying issue.   Copy/Paste restrictions (and a method of control) are left up to the individual app developer to implement.   VMware provides the Workspace ONE SDK (which we've already included in all the VMware Apps -- Hub, Boxer, Smartfolio, etc) to make this easier for individual app developers to implement, but again, it's up to them to implement.   In the case of the Microsoft Apps, Microsoft wrote their own method of copy/paste restriction and tied it to MAM (Mobile Application Management) controls in InTune, which can be controlled by Workspace ONE through API integration. If copy/paste restrictions are a necessity, and iOS is a requirement, then you may need to look at using VMware's containerized apps (Boxer, etc) so that you can apply the SDK profile for stringent control.  

hey VinceHWebb​! Apologies for the copy/paste fail!  As for the prompt still happening, i wrote this up awhile back to help with troubleshooting:   euc-samples/macOS-Samples/Privacy Preferences Policy Control at master · vmware-samples/euc-samples · GitHub One of the things that may help is to examine what actually gets saved in the TCC db.   One of the blurbs in that GitHub doc is this:    You can also review the TCC database after clicking the button to whitelist the app. Run the command echo ".dump" | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db and echo ".dump" | sudo sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db to view the entries in the TCC databases. You will not be able to read the TCC.db if Terminal is not granted permissions (SystemPolicyAllFiles) https://github.com/vmware-samples/euc-samples/tree/master/macOS-Samples#tcc-db-reset The kicker is that Terminal needs to be granted full access in your testing system (either via MDM or using the System Preferences Security & Privacy pane).   If you don't give Terminal Access, you won't be able to read the databases...

HerrMaximilianLeupold​ — You’ll need to give some more details so we can try to figure out what’s going on there.  I was looking at Microsoft Teams call flows - Microsoft Teams | Microsoft Docs​  and Office 365 URLs and IP address ranges | Microsoft Docs .   What version of the UAG and Tunnel apps are you using?   What version of iOS?    Can you post some “sanitized” details about what your Device Traffic Rules look like?  Thanks!

VinceHWebb​ -- This looks like an "Apple Events" preference.  Try adding: Receiver Identifier: com.apple.systemevents Receiver Code Requirement: identifier “com.apple.systemevents” and anchor apple It would basically look like this: