Omnissa Newsletter 2025 Week 16

bkruit

Upcoming Omnissa Events

EventLink and descriptionSpeakersDate
Omnissa Tech Deep Dive: Enrich your access policies with more data for better security  Omnissa Tech Deep Dive: Enrich your access policies with more data for better security – April 16th, 8 am PST / 5 pm CET

We invite you to join this session on April 16th to learn how Omnissa can protect your enterprise data based on knowledge rather than guesswork.
We will discuss the security capabilities in the Omnissa platform, real-time and continuous data sharing, and access decisions based on more data about the user, devices, and session.https://community.omnissa.com/events/event/35-omnissa-tech-deep-dive-enrich-your-access-policies-with-more-data-for-better-security/		Peter Bjork, Principal Architect16 April
Omnissa Community Webinar: 
Big Game Hunting: Ransomware’s High-Stakes War on Enterprises		Big Game Hunting: Ransomware’s High-Stakes War on EnterprisesWe invite you to join an insightful session, where we will focus on the most successful cybercrime operation in history. As a professional in the EUC space, understanding how ransomware gangs operate, evolve, and target enterprises is essential.We’ll also cover what Omnissa architects and subject matter experts can do to harden defenses and prevent breaches. Join this session for critical insights into the ever-evolving threat landscape.Big game hunting: Ransomware’s high-stakes war on enterprisesHuib Dijkstra, Lead Solution Engineer7 May
Omnissa Tech Deep Dive: Bringing VDI goodies to your physical desktops and laptopsWe invite you to a demo-packed session, where you will learn how to bring the benefits of App Volumes and DEM (Dynamic Environment Manager) to your physical Windows devices.This brings the same benefits and features you know from your Horizon VDI environments to your desktops and laptops. You have full control over the application lifecycle, ensuring the best user experience and more!
Omnissa Tech Deep Dive: Bringing VDI goodies to your physical desktops and laptops		Pim Van De Vis, Customer Success Engineer18 June
Omnissa ONE returns in 2025 SAVE THE DATEOmnissa ONE America
Las Vegas, Cosmopolitan Hotel
Sept 15th – Sept 17th Omnissa ONE Europe
Amsterdam, Maritim Hotel Amsterdam
Oct 7th – Oct 9th Omnissa ONE Asia
Tokyo, ANA InterContinental Hotel 
Nov 17th – Nov 19th 		  

Release Updates:

Omnissa Workspace ONE Experience Management 24.12 for Windows

  • We’ve updated Experience Management for Windows telemetry services to include a single service, ws1etlm, that implements all Experience Management functionality.
  • We’ve added GPOs to templates.
  • Horizon Template
  • Proxy Configuration: Configures proxy servers used by Horizon Desktops when sending data to Intelligence.
  • Number of days to keep unsent Historical data: Configures the number of days to keep unsent Historical data when disconnected from the network or otherwise unable to reach the Intelligence service.
  • UEM Template
  • Proxy Configuration: Configures the proxy server configuration used by UEM Desktops when sending data to Intelligence.
  • Number of days to keep unsent Historical data: Configures the number of days to keep unsent Historical data when disconnected from the network or otherwise unable to reach the Intelligence service.
  • Internet Latency Template:
  • Configure Interval of Internet Latency Collection: Configures the interval of collecting a device’s internet latency.
  • Enable IPv4 Internet Latency Collection: Configures whether Experience Management collects IPv4 internet latency on a device.
  • Enable IPv6 Internet Latency Collection: Configures whether Experience Management collects IPv6 internet latency on a device.
  • LAN Latency Template:
  • Configure Interval of LAN Latency Collection: Configures the interval of collecting a device’s LAN latency.
  • Enable IPv4 LAN Latency Collection: Configures whether Experience Management collects IPv4 LAN latency data on the device.
  • Enable IPv6 LAN Latency Collection: Configures whether Experience Management collects IPv6 LAN latency data on the device.
  • We’ve rebranded Experience Management for Windows to align with the Omnissa brand.

Omnissa Horizon 8 2503

Horizon 8 version 2503 is an Extended Service Branch (ESB). It includes the following new features and enhancements.

License Activation

A new licensing module for term and perpetual licenses was introduced in the 2412 release. While existing license keys remain supported, we strongly recommend activating Horizon 8 2503 with a new Omnissa license if you are using a term or perpetual license.

  • The new Omnissa Horizon license key is available through the Customer Connect portal. A banner notification will prompt you to upgrade to the new Omnissa license, and you will have 60 days to complete this transition. Failure to update the license keys within this period will result in Horizon Console entering restricted mode. See Enabling Horizon 8 for Subscription Licenses and Horizon Control Plane Services in the Horizon 8 Installation and Upgrade guide.
  • Additionally, starting with this release, the 15-day grace period for subscription licenses has been removed. If you activate a subscription license in Horizon 8 without Horizon Edge, you must reactivate it every 90 days to maintain full functionality. However, licenses will be automatically activated if you are using Horizon Edge.
  • The Licensing and Usage screen in Horizon Console includes a field for the Subscription End Date. When data becomes available from the Horizon Control Plane, this field will display the end date of the subscription license. Otherwise, this field will display “N/A”.

Horizon Connection Server

  • The ADAM instance application partition name has been updated with “horizon” to ensure consistency for brownfield customers. For greenfield or new customers, the partition name will default to “horizon.”

New Partition Name:

  • Local LDAP: dc=vdi,dc=horizon,dc=internal
  • Global LDAP: dc=vdiglobal,dc=horizon,dc=internal

To maintain compatibility, the Connection Server installer allows selecting the old or new partition in Horizon 2412 or lower. From Horizon 2503, both partition types are supported.

  • To assist brownfield customers with the transition to the updated application partition names, Omnissa provides a migration script that updates the partition names while ensuring data integrity. After upgrading all pods to Horizon 2503, customers can run the script to permanently update their deployments to the new application partition naming convention, ensuring a seamless migration without data loss. See KB 6000797 for details and for the migration script.
  • Unmanaged Mode Support and new rebranded 2503 ADAM DB Partition – The 2503 Server supports both old ADAM DB and new ADAM partitions. Due to the “Failed to update LDAP…” error encountered when registering the Old Horizon 8 Agent with a new Server, unmanaged Horizon 8 Agents (versions 2412 and earlier) will not work with the 2503 Server having the new ADAM DB partition. For more information on this and other backward compatibility considerations, see KB 6000681.
  • Workarounds: To use the 2412 Agent (or earlier versions) with a 2503 (or later) Horizon Server, ensure the server is installed with the old Horizon Directory Services partition. If you wish to use a 2503 (or later) Horizon Server with the newer Directory Services partition, make sure the Agent is first upgraded to 2503 (or later) before connecting it to the Connection Server. Note: These considerations only apply if the Agent is installed in Unmanaged mode. In regular mode, older Horizon Agents will work with the 2503 Server that has the new ADAM DB partition.
  • Horizon 8 now supports Horizon Connection Server on Microsoft Windows Server 2025 for greenfield deployments. Enhancements include Enrollment Server support, True SSO with Microsoft CAActive Directory (2025 domain functional level), and Event Database support with a compatible Microsoft SQL version. For operating system support details, see KB 78652.
  • The Agent Auto-Update feature is now available under the Horizon Term license.
  • The Horizon Lifecycle Management APIs now support SMB file shares for registering Horizon Connection Server packages, removing the requirement for creating and maintaining a valid web server.
  • You can monitor Connection Server health, utilization, session details, and errors/warnings for a specific POD from the Horizon Console. Navigate to Monitor/Infrastructure to view details and ensure VM uptime by addressing issues promptly.
  • Horizon Server now includes ChaCha cipher suites in the default configuration for non-FIPS mode to enhance security and performance, especially on devices without AES hardware acceleration. Added cipher suites are:
  • TLS 1.3: TLS_CHACHA20_POLY1305_SHA256
  • TLS 1.2 & TLS 1.3: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

These cipher suites offer strong encryption and improved efficiency. No action is required unless using a custom TLS configuration. FIPS mode remains unaffected.

Horizon Console

  • The Horizon 2503 CS server now supports IDP (Identity Provider) authentication for users, enhancing security and access control. Administrators can enable the IDP Should Authenticate User Every Time setting to require IDP re-authentication, even if an active SAML session exists. By default, users will not need to re-authenticate if a session is already active. Enabling this option ensures stricter authentication policies, reducing unauthorized access risks. This feature improves compliance and security for organizations requiring frequent user verification. Configure this setting in the Authentication preferences to tailor IDP behavior to your security needs.

Virtual Desktops and Applications

  • Adaptive Authentication & Network Access Policy is now available at the pool level, offering greater flexibility in securing access based on user location and application sensitivity. Administrators can define network access policies (External/Internal/All) and enforce stronger authentication for critical applications. For example, a doctor can access all applications inside the hospital network but may require stricter authentication for VDI or RDSH outside the network. Supported authentication methods include USERNAME_PASSWORD, CERTIFICATE, GSSAPI, RADIUS, SAML, RSA_SECURID, and JWT. This feature is API support only, enabling granular control over authentication and network policies for enhanced security and compliance.
  • The session recording feature now has the same lifetime as the Blast remoting session it is recording. Previously, recording was terminated early if the primary Blast session had a brief network outage, even if the Horizon Client succeeded to automatically reconnect to the Horizon Agent within the two-minute network recovery period.
  • Horizon Agent simplifies authentication for Horizon Physical PCs by removing the requirement for Remote Desktop Users group membership. For more information, see Manual Pool of Registered Physical Machines.

Horizon Agent for Windows

  • A new TCP bandwidth estimator now further reduces the bandwidth consumed by the Blast protocol. Available for the Windows Agent and Client starting with version 2412, this feature is now available in 2503 for these clients: Horizon Client for Linux, Horizon Client for Mac, Horizon Client for Android and Horizon Client for iOS.

Remote Desktop Features

  • Screen Sharing Support for Chrome and Edge C on Linux Browser Content Redirection: Browser Content Redirection (BCR) now supports screen-sharing capabilities on Linux (CentOS, RHEL, and Ubuntu) clients using Chrome and Edge C. This enhancement allows you to seamlessly share your screen during web conferencing sessions on UC applications like Microsoft Teams, Zoom, and Cisco Webex, providing a smoother experience for media-intensive applications.
  • New ViewClient_Broker_AuthMethod registry value: Specifies the authentication method used to connect to the broker.
    Possible values include:
  • Windows-password
  • Cert-auth
  • GSSAPI (LACU and WHFB)
  • SecurID
  • Unauthenticated
  • SAML
  • JWT
  • RADIUS

Horizon 8 and Amazon WorkSpaces Core

  • Omnissa Access is now supported with Horizon 8 on Amazon WorkSpaces Core. This requires Omnissa Access connector 24.12 or later.
  • Horizon 8 automated pools now support Amazon WorkSpaces Core graphics G4DN (NVIDIA T4) instances. Graphics.g4dn is ideal for customers seeking low-cost GPU-enabled virtual desktops and the GraphicsPro.g4dn enables high-end media production, or GIS data processing. See more at the Amazon page EC2 G4dn family.

Omnissa Dynamic Environment Manager 2503

  • Support for asynchronous startup tasks. Omnissa Dynamic Environment Manager now supports asynchronous startup tasks, significantly reducing system boot time and provides efficient environment management at computer startup. Administrators can configure tasks to run independently using FlexService, ensuring tasks continue to execute even after FlexEngine.exe exits.
  • Help. To facilitate the search for Help, the Helpdesk Support Tool now has an Admin guide link. Clicking the Admin Guide button will take you to the product’s administrative manual.
  • Updated Components. This release updates the main product components and Helpdesk Support Tool. Application Profiler and SyncTool are not updated.

Omnissa App Volumes 2503

  • App Volumes Term Licensing

App Volumes now supports term-based licenses, enabling compatibility with Term SKUs. This enhancement allows the same license key to be used for both App Volumes Manager and App Volumes agent-only deployments, streamlining license management and ensuring greater flexibility in different environments.

  • Storage Group VHD Replication

Storage Group functionality has been extended to support SMB-based replication, providing administrators with the ability to replicate VHD storage across multiple file shares. Just like VMDK storage replication, specific VHD storage locations can now be designated not to be replicated, ensuring storage efficiency in distributed environments.

  • Recovery Administrator Account

A new Recovery Administrator account introduces an independent, local access method for App Volumes Manager when domain credentials are unavailable. This account is strictly limited to managing domain configuration and administrator roles, allowing administrators to restore access in situations where primary login methods are disrupted.

  • Removal of Volumes (2.x) and AppStacks

The ability to enable Volumes (2.x) is removed from the advanced settings to simplify the interface for customers. The support for App Volumes 2.x ended on March 9, 2023.

Workspace ONE Boxer 25.03 for Android

New Features

  • (Experimental) Rich Text formatting in signatures for delegated accounts

End users can add various text styles and bulleted lists to the signatures of their delegated accounts.

  • Quality improvements and crash fixes

Minimum Requirements

Following are the minimum requirements for Workspace ONE Boxer for Android:

  • Android 12 or later
  • Workspace ONE UEM Console 2212 or later

Workspace ONE UEM 2410

We’re excited to share that the new release of Workspace ONE UEM version 2410 is General Available! Read on to learn about the new features and improvements in this release. You can find the On Prem Download here.

Admin Experience

Intuitive page navigation for Workspace ONE UEM
Explore our new page navigation for Workspace ONE UEM. Similar functions are now categorized together in sub-menus, with updated labels. For more information, see the KB article.

Revamped UEM API Explorer page includes comprehensive API metadata and search features
We’ve built a new API Explorer to provide enhanced security, improved search functionality, and reduce page load times.

Overcome random MAC address challenges with Cisco Identity Services Engine (ISE) 3.1+ integration
The Workspace ONE UEM and Cisco Identity Services Engine (ISE) 3.1+ integration is now available to everyone. This allows end users’ devices to connect securely to network resources, even when they use randomized MAC addresses. For more information and integration instructions, refer to the Tech Zone article Integrating Workspace ONE UEM and Cisco ISE v3.1 and beyond.

Troubleshoot large device log files easily
You can now collect and access large device logs more efficiently. The previous process involved uploading multiple files from Workspace ONE Hub to UEM, requiring administrators to download and merge numerous separate files, which was time-consuming for troubleshooting large log files. Device logs are now uploaded and automatically merged into a single file (up to 200MB), reducing the effort and time needed to troubleshoot devices. This feature is supported only for Android and Windows platforms, starting from 2408 release of the Android and 2410 release for Windows Hub clients.

Modern SaaS Architecture is now available for MSP Partners
We are excited to extend the rollout of the Modern SaaS Architecture to Managed Service Provider (MSP) partner environments, which will be introduced to your environments in the coming months. With this rollout, MSP partner environments can leverage the next-generation Workspace ONE features that enhance performance, scalability, and management capabilities alongside the ongoing support for existing Partner Organization Group use cases.

Omnissa Branding Update
The Workspace ONE UEM console has been updated to align with the new Omnissa brand identity. We have made changes to all the login screens, message templates, URLs, and policy documents to conform to Omnissa standards. We have also replaced old logos, illustrations,and labels with the new Omnissa changes. For more information, see the KB article.

Workspace ONE Mobile Threat Defense Dual Enrollment Configuration by Smart Groups
We initially released support for the configuration of Workspace ONE Mobile Threat Defense (MTD) by Smart Groups in UEM 2406. Now, with Workspace ONE MTD, you can also configure Dual Enrollment support for Android devices by Smart Group. Android Dual Enrollment allows you to enable MTD in both the personal and work profiles of their users’ devices. You can also introduce a custom settings profile using the MTD configuration page for specific Smart Groups, enabling support for any future MTD custom settings. This requires Workspace ONE UEM version 2410 Patch 2 and Intelligent Hub 25.01+ on Android.

Faster resource delivery for Tag and Organization Group changes
Resource delivery now happens instantly whenever a tag is added or removed from a device, or when its Organization Group changes. Based on the updated tags or Organization Group, the device will check in immediately and receive the necessary installations or removals. This enhancement ensures faster updates for applications and profiles, reducing delays in bringing devices to their desired state in modern architecture enabled UEM environments.

Tunnel

We’ve updated Tunnel administration for enterprise management and monitoring capabilities (Limited Availability)

If you have multiple networks to manage or use cases for distinct organizations, you can now easily set up and manage multiple Tunnel environments in a single organization group. This simplifies the integration and distribution of apps and profiles and consolidates the view of their deployment. This update is part of the navigation updates to UEM and also includes new updates to Tunnel’s navigation and health metrics for monitoring your Tunnel deployment. For more information, refer to the KB article.

Android Management

Support for Corporate Owned Personally Enabled mode with Android Management API
Organizations can now manage Android devices in Corporate-Owned Personally Enabled (COPE) mode using AMAPI. This mode was previously only supported with Android using the Custom DPC management type. The QR code generation wizard for corporate-owned Android devices has been enhanced to support generation of QR codes for AMAPI. Also, Android profiles for AMAPI feature new payloads and settings to support COPE devices. For more information on Android Management modes and AMAPI, see Integrating Workspace ONE UEM with Android.

This integration will be enabled by phased rollout for Workspace ONE UEM 2410 environments deployed on UEM modern architecture.

Enhancements to Application Management for Android Management API
For devices managed using AMAPI, Workspace ONE UEM introduces multiple enhancements to application management that bring it to parity with Custom DPC Android device management. Administrators can now remotely configure applications using Application Configuration, which in turn enables organizations to deploy OEMConfig applications. A new Application Policy tab has been added to the application assignment flow for Android public apps that supports app-specific policies, such as managing runtime permissions. Finally, the Auto Update Priority setting is now supported for devices managed using AMAPI.

This integration will be enabled by phased rollout for Workspace ONE UEM 2410 environments deployed on UEM modern architecture.

Support for Full-Device VPN with Workspace ONE Tunnel and Android Management API
Workspace ONE Tunnel is now supported on devices managed using AMAPI. Administrators can now configure Workspace ONE Tunnel through the Tunnel and Always-On VPN profile payloads for AMAPI. When assigning public Android applications, administrators can also select a Full-Device VPN profile for AMAPI devices. Support for Per-App Tunnel mode will be added in a future update.

This integration will be enabled by phased rollout for Workspace ONE UEM 2410 environments deployed on UEM modern architecture.

Updates to Android Public Application Management
In recent years, Google has introduced significant updates to the Play Store APIs. Workspace ONE UEM uses to provision public applications to managed Android devices. Workspace ONE UEM now supports these updated APIs. This introduces several behavioral changes that administrators should be aware of. For more information, see the KB article Upcoming Changes to Android Public Applications.

Support for Root Certificates for enterprise WiFi profiles (Custom DPC)
Workspace ONE UEM now supports setting up to two trusted Root Certificates in WiFi profiles for Custom DPC devices. This allows administrators to set two trusted certificate authorities for a WPA2 Enterprise SSID. In turn, this allows organizations to update network servers to use a certificate issued by a new certificate authority without disrupting connected devices.

Freestyle Orchestrator

Freestyle for Mobile – Android and iOS Devices (General Availability)
Our powerful workflow orchestration solution is available for Android and iOS platforms. Create intuitive, conditional workflows using Freestyle’s drag-and-drop UI to sequence the deployment of applications and profiles to your mobile device fleet.

  • Target devices based on Smart Group Membership
  • Leverage device conditions for granular targeting
  • Empower end users with on-demand workflows they can initiate through the Intelligent Hub app
  • Configurable retry behavior
  • Robust deployment tracking at both the workflow level and individual step execution level

Note: To use this feature, your environment must be Modern Stack-enabled. For information regarding the rollout schedule, view KB article.

Enhanced Reporting for Application Deployments within Freestyle Orchestrator
Gain better visibility into application deployment outcomes with improved reporting capabilities for Windows devices. When app deployments are triggered from Freestyle workflows, you’ll now receive detailed status updates, clear failure reasons, and timestamp enrichments. The minimum versions necessary to support this are UEM 2410, HUBW 2410, and SFD 2410.

Export evaluated devices within Freestyle Workflow details
Admins can now export evaluated (In Progress, Completed, Failed, Blocked) devices from within the Workflow Details page. Exporting the device table leverages the export framework within UEM Monitoring, so exported devices can be found there. Mod Stack is required for this feature.

iOS Management

Declarative Device Management

  • Status Channel
    Workspace ONE UEM now supports 9 new status items via Declarative Device Management (DDM). For eligible devices, Workspace ONE UEM will automatically receive these attributes as they change on managed iOS devices.
  • OS Version (iOS 16+)
  • Build Version (iOS 16+)
  • OS Supplemental Build Version (iOS 16.1+)
  • OS Supplemental Build Version Extra (iOS 16.1+)
  • OS Family (iOS 16+)
  • Pending Version (iOS 17+)(Available only in Omnissa Intelligence)
  • Install State (iOS 17+)(Available only in Omnissa Intelligence)
  • Install Reason (iOS 17+)(Available only in Omnissa Intelligence)
  • Failure reason (iOS 17+)(Available only in Omnissa Intelligence)

For more information on the declarative status channel, see Declarative Device Management.

  • Declarations
    Declarative Configurations now integrate with Apple’s GitHub MDM developer documentation. This integration enables us to implement and update configurations significantly faster. With the help of this integration, Workspace ONE UEM now supports the following new configurations:
  • Math Settings (iOS 18+)
  • Safari: Extension Settings (iOS 18+)
  • Software Update: Settings (iOS 18+)

This integration will be enabled by phased rollout for Workspace ONE UEM 2410 environments deployed on UEM modern architecture. To access Declarative Configurations in the Apple GitHub MDM developer documentation, go to the GitHub Device Management repository.

Application Management
Workspace ONE UEM now collects and displays the Distributor Identifier application attribute on the Device Details > Apps tab. This attribute indicates where an application was downloaded from, whether it be Apple’s App Store or an alternative app marketplace. Alternative app marketplaces are currently only available in the European Union. For more information on alternative app marketplaces, see About alternative app distribution in the European Union.

Profiles
We’ve enhanced the existing Restrictions, VPN, Skip Setup Assistant, Web Clip, and Font payloads and added new payloads for ACME Certificate, and Relay payloads.

Updated Payloads

PayloadDescription
RestrictionsThe Restrictions payload now supports all new iOS 18 features. Here is the list of newly added Restrictions, along with their version and supervision requirements.Allow or block Apple Intelligence featuresGenmoji (iOS 18 + Supervised)Image Playground (iOS 18 + Supervised)Image Wand (iOS 18 + Supervised)Personalized Handwriting Results (iOS 18 + Supervised)Writing Tools (iOS 18 + Supervised)Mail Summary (iOS 18.1 + Supervised)External Intelligence Integrations (iOS 18.2)External Intelligence Integrations Sign-in (iOS 18.2 + Supervised)Allow or block Auto Dim (iOS 17.4 + Supervised)Allow or block iPhone Mirroring (iOS 18 + Supervised)Allow or block Video Conferencing Remote Control (iOS 18 + Supervised)Allow or block Hiding Apps (iOS 18 + Supervised)Allow or block Locking Apps (iOS 18 + Supervised)Allow or block Call recording (iOS 18.1 + Supervised)Allow or block RCS Messaging (iOS 18.1 + Supervised)Allow or block RCS Messaging (iOS 18.1 + Supervised)Allow or block Default Browser Modification (iOS 18.2 + Supervised)
VPNThe VPN payload now supports Cellular Slice(iOS 18) and Post-Quantum Pre-Shared Key(iOS 18) functionality. You can now assign a specified cellular slice to a VPN tunnel, and configure a VPN with post quantum pre-shared keys.
FontYou can now deploy font files via the Profiles page. Previously, this was only possible via Settings > Devices & Users > Apple > Font.
Web ClipsAdded new options for Target Application Bundle ID and Ignore Manifest Scope.

New Payloads

PayloadDescription
ACME Certificate (iOS 16+)The Automated Certificate Management Environment (ACME) Certificate payload allows for ACME certificate deployment.
Relay (iOS 17+)The Relay payload allows for the creation, deployment, and modification of relay settings. This feature enables administrators to configure an array of dictionaries that define one or more relay servers, which the system can chain together for enhanced routing flexibility and performance.

Enrollment

Device Enrollment Program (DEP) is now Automated Device Enrollment (ADE)
In Workspace ONE UEM, we are adopting Apple’s rebranding of Device Enrollment Program (DEP) to Automated Device Enrolment (ADE). The Device Enrollment Program console settings page is now named Automated Device Enrollment. We have also renamed the existing Automated Enrollment console settings page to Apple Configurator Enrollment.

Enforce minimum OS for Automated Device Enrollment
You can now enforce a minimum OS during Automated Device Enrollment (formerly known as Device Enrollment Program). There is a new option within the Automated Device Enrollment (ADE) profile to set a minimum OS. This feature requires the device be running at least iOS 17 or above. When a device attempts to enroll via ADE and the minimum OS is not yet, the device is forced to update to the OS version defined in the ADE profile. For more information, see Automated Device Enrollment.

Linux Management

Check out the new profiles that have been added to Workspace ONE UEM
Workspace ONE UEM 2410 environments installed on UEM modern architecture will gradually roll out two additional profiles.

  • Restrictions Profile – This release introduces the capability for administrators to configure device restrictions and deploy them through a profile for enrolled devices. This profile includes various configurations, including restricting sudo access, limiting access to USB storage media, and naming specific folders as restricted on the endpoints, among other options.
  • Passcode Profile – With this release, administrators are provided with the capability to configure mandatory passcode restrictions through a profile assigned to enrolled devices. This profile enforces various passcode restrictions, including complexity, length, and expiration timeframes for the endpoints.

macOS Management

Workspace ONE UEM updates that requires user action
This release includes Omnissa rebranding changes that change the bundle identifiers for Intelligent Hub for macOS and other supporting software. This requires user action to ensure continued function of our solution.

  • Changes to Intelligent Hub for macOS bundle identifier
    In Intelligent Hub for macOS 24.11, the bundle identifier of the application has changed from com.vmware.hub.mac to com.ws1.hub.mac. When deploying Intelligent Hub for macOS 24.11, any references to the Hub bundle identifier in your custom settings profiles will need to be updated. If you are using Intelligent Hub for macOS 24.07 or lower, no updates are required to the Custom Settings or profiles.
  • Update custom settings for blocking applications and processes
    If you are using a Custom Settings profile to block applications and processes using Intelligent Hub for macOS, we recommend using the Advanced Security Controls profile that is now available in UEM console. However, as Advanced Security Control profile requires Workspace ONE Intelligent Hub for MacOS 24.11, you need to upgrade to Intelligent Hub version 24.11.

To continue using custom settings profile to block applications and processes using Intelligent Hub for macOS version 24.11, update the custom settings to replace the existing payload type key value to com.ws1.hub.mac.restrictions. If you are using Intelligent Hub for macOS 24.07 or lower, no updates are required to Custom Settings profile.

  • Managing new internal applications
    The Bundle ID for all internal applications distributed through software distribution has changed from com.vmw.macos.<appname> to com.ws1.macos.<appname> format. From UEM 24.10 version onwards, any newly added application will have the Bundle ID with the com.ws1.macos.<appname> format.
  • Managing updates to internal applications
    Bundle ID for applications added before UEM 24.10 upgrade as well as any new versions added for existing applications will have the com.vmw.macos.<appname> format.

Declarative Device Management
This release marks the introduction of the first set of features for macOS using Declarative Device Management (DDM). These enhancements leverage DDM’s modern approach to device management, enabling faster updates and improved compliance.

New Declarative Configurations
You can now configure a number of Declarative Configurations for macOS including:

  • Software Update Enforcement Configuration
  • Enforce macOS updates using the latest DDM capabilities. (Force Required Operating System Updates)
  • Define policies to ensure devices are running the minimum required macOS version.
  • Administrators can streamline software update compliance without relying solely on legacy MDM commands.
  • Passcode DDM Configuration
  • Introduce passcode compliance through DDM configurations.
  • Simplified passcode policy enforcement for macOS devices, ensuring alignment with organizational security standards.
  • Policies include specifications for passcode complexity, length, and reset intervals.

These features represent a significant step toward modernizing macOS management and enhancing your ability to secure and manage Apple devices efficiently. Future UEM releases will have full support for DDM.

Status Channel
Workspace ONE UEM now supports 9 new status items via Declarative Device Management (DDM). For eligible devices, Workspace ONE UEM will automatically receive these attributes as they change on managed macOS devices.

  • OS Version (macOS 13+)
  • Build Version (macOS 13+)
  • OS Supplemental Build Version (macOS 13+)
  • OS Supplemental Build Version Extra (macOS 13+)
  • OS Family (macOS 13+)
  • Pending Version (macOS 14+)(Available only in Omnissa Intelligence)
  • Install State (macOS 14+)(Available only in Omnissa Intelligence)
  • Install Reason (macOS 14+)(Available only in Omnissa Intelligence)
  • Failure reason (macOS 14+)(Available only in Omnissa Intelligence)

For more information on the declarative status channel, see Declarative Device Management.

Enrollment

Device Enrollment Program (DEP) Updates
The section All Settings > Apple > Device Enrollment Program has been renamed to All Settings > Apple > Automated Device Enrollment (ADE). Prior to this release, DEP skip keys could be configured either using the standard profile builder in Data Driven UI or within All Settings. These keys are now exclusively supported in the newly renamed Automated Device Enrollment (ADE) area under System Settings.
Note: We have replaced all references of Device Enrollment Program and DEP with Automated Device Enrollment and ADE.

Enforce minimum OS for Automated Device Enrollment

You can now enforce a minimum OS during Automated Device Enrollment (formerly known as Device Enrollment Program). There is a new option within the Automated Device Enrollment (ADE) profile to set a minimum OS. This feature requires the device be running at least macOS 14 or above. When a device attempts to enroll via ADE and the minimum OS is not yet, the device is forced to update to the OS version defined in the ADE profile. For more information, see Automated Device Enrollment.

Profiles

DDUI (Data-Driven User Interface) Enablement
This UEM release will enable the Data-Driven User Interface (DDUI) by default. As part of this update, numerous new payloads and keys are introduced, expanding beyond those listed here.

Updated Payloads

PayloadDescription
Skip Setup AssistantYou can now skip the new Apple Intelligence setup assistant screen in both the DEP profile and Setup Assistant payloads.Skip Setup Intelligence Pane (macOS 15.0+)Enable Lockdown Mode (macOS 14.0+)
RestrictionsThe Restrictions payload now supports all new macOS 15 features. Here is the list of newly added Restrictions, along with their version and supervision requirements.Allow or block Apple Intelligence featuresExternal Intelligence Integrations (macOS 15.2)External Intelligence Integrations Sign-in (macOS 15.2+)Genmoji (macOS 15.0+)Image Playground (macOS 15.0+)Writing Tools (macOS 15.0+)Mail Summary (macOS 15.1+)

Advanced Security Controls
This feature allows for granular restrictions on applications and processes, enabling organizations to better protect their environments from unauthorized or potentially harmful software. If you are using Custom Settings profiles today to manage this settings, you can now do it all right from the Workspace ONE Console. This payload requires Intelligent Hub for macOS 24.11 or higher. If you are using an older version of Hub, continue to use Custom Settings.

The key features are:

  • Application Restrictions by Bundle IDs – Specify application bundle identifiers to restrict access to specific apps.
  • Application Name Restrictions – Define application names to apply restrictions, ensuring a straightforward way to block apps based on their names.
  • File Path Restrictions – Restrict specific executables by defining their file paths, offering precise control over application behavior.
  • CDHash Value Restrictions – Utilize cryptographic hashes (CDHash) of app code to block specific applications, ensuring that restrictions are applied to the intended software.
  • SHA-256 Hash Value Restrictions – Enhance security further by restricting binaries using their SHA-256 hash values, preventing tampering and unauthorized execution.
  • Customizable User Notifications – Customize notifications displayed to users when restricted apps or processes are blocked. This ensures clarity and consistency in communication.

This new payload empowers administrators to implement tailored security policies, ensuring environments remain compliant and protected from evolving threats.

New Payloads

PayloadDescription
Relay ProfileThe Relay profile allows for the creation, deployment, and modification of relay settings. You can configure an array of dictionaries that define one or more relay servers, which the system can chain together for enhanced routing flexibility and performance.HTTP/3 Relay URL: Define relay server URLs compatible with HTTP/3 protocol.HTTP/2 Relay URL: Define relay server URLs compatible with HTTP/2 protocol.Additional HTTP Header Fields: Configure custom headers for HTTP requests.Authentication Certificate: Specify certificates required for authenticating relay connections.Raw Public Keys: Provide raw public keys for enhanced security measures.Match Domains: Define specific domains for relay server matching.Exclude Domains: Specify domains to exclude from relay server processing.
ACME CertificateEnhancements to the Automated Certificate Management Environment (ACME) Certificate payload simplify certificate provisioning and add flexibility.Directory URL: Configure the directory endpoint for ACME operations.Client Identifier: Specify a unique identifier for ACME clients.Key Size and Type: Define the size and type of the certificate keys.Hardware Bound: Specify whether the certificate is tied to hardware.Attest: Enable certificate attestation.Subject, DNS, NT Principal, RFC822, URI, and Alternative Names: Configure various subject and alternative name fields.Key Usage: Define allowed uses for the certificate keys.App Access Settings: Restrict which apps can access the certificate.
DNS ProxyThis update adds the ability to configure a DNS proxy network extension, giving administrators control over how DNS traffic is routed through proxies.
New keys:App Bundle Identifier: Identify the application responsible for the DNS proxy.Provider Bundle Identifier: Specify the bundle ID of the DNS provider.Provider Configuration: Configure DNS proxy provider-specific settings.
Font PayloadWith the new Font payload, you can deploy font files directly to devices. This simplifies font management across macOS environments.
Key details:Each payload may contain a single font file.Supported formats: TrueType (.ttf) and OpenType (.otf).Unsupported formats: Collection types (.ttc or .otc).Fonts are uniquely identified by their embedded PostScript name.Installing multiple fonts with the same PostScript name is not supported and may result in undefined behavior.

Download the rebranded Admin Assistant version 24.11

Admin Assistant version 24.11 includes updated Omnissa branding, also available in UEM version 24.10. You can download this renamed version from the UEM dashboard by navigating to Resources > Apps > Native Apps > Add Application for macOS application lifecycle management.

Rugged Device Management

Deprecation of Sideloading and Barcode Mobile Staging features
The following Mobile Staging features for Android devices will be deprecated with this release:

  • Sideloading
  • Honeywell Barcode
  • Barcode

Note: QR Code and Stage Now Barcode features will remain supported for Android Rugged Devices. For more details, refer to the KB article.

Support for Zebra LifeGuard OTA
You can keep the Zebra devices in your fleet up to date by using Lifeguard, Zebra’s over the air (OTA) security and patching system for its Android devices. Workspace ONE UEM provides native capabilities for applying LifeGuard updates. For more information, see Zebra Lifeguard OTA Updates.

visionOS Management

Support for visionOS
You can now enroll and manage Apple Vision Pro devices in Workspace ONE UEM. Workspace ONE UEM supports all versions of visionOS 1.1 and higher. Devices can be enrolled using Account Driven User Enrollment or Automated Device Enrollment. Workspace ONE UEM manages visionOS as a new platform alongside iOS, macOS and tvOS.

The key features are:

  • Enroll Apple Vision Pro devices.
  • View device details.
  • Configuration Profiles for Wi-Fi, Credentials, Custom Settings and Restrictions.
  • An initial set of commands and custom commands are supported.

Automated Device Enrollment (ADE)
Workspace ONE UEM now supports ADE for visionOS 2.0 and higher based devices that are registered in Apple Business Manager (ABM). Work with Apple to register any Apple Vision Pro devices in ABM. visionOS devices enrolled using ADE are supervised devices.

Once visionOS devices are synchronised between ADM and UEM, you can set up an ADE profile for enrollment. For more information on ADE, see TechZone article.

Account Driven User Enrollment
Workspace ONE UEM now supports Account Driven User Enrollment (ADUE) for visionOS 1.1 and higher devices. ADUE allows users to enroll a device into Workspace ONE UEM via the Apple visionOS Settings UI. visionOS devices enrolled using ADUE are user enrolled devices and not supervised.

ADUE has several requirements including a Managed Apple ID, Apple service discovery, and more. For more information, see User Enrollment and MDM.

Profiles
We have now added the following profiles for visionOS:

  • Wi-Fi
  • Restrictions
  • Credentials
  • Custom Settings

For profiles that are not added in the UEM console, the Custom Settings profile can be used to push down the XML for any Apple supported MDM configuration profile. More visionOS profiles will be added in future versions of UEM.

Commands
We have added the following commands for visionOS:

  • Query
  • Lock
  • Clear Passcode
  • Enterprise Wipe
  • Device Wipe
  • Custom Command

For any command that is not in the UEM console, the Custom Command feature in the Device List View can be used to apply any Apple-supported MDM command to a device. More commands will be added in future versions of visionOS.

Windows Management

Enhanced certificate template for OID-SID extension support
In order to address certificate requirements set to be enforced by February 11, 2025, we have enhanced certificate templates for ADCS within Workspace ONE UEM to include OID-SID Extension. This implementation introduces the users SID attribute as an object identifier (OID) within a non-critical extension key value pair to ensure that certificates meet these new minimum requirements. For more information, see Certificate-based authentication changes on Windows domain controllers.

Intel’s Chip to Cloud capabilities
Enable this feature through the Workspace ONE UEM Integrations panel. This cloud-native integration supports device capabilities with Intel vPro® Enterprise. Workspace ONE and Intel® Active Management Technology provide complete remote manageability, allowing access to devices outside the corporate firewall or those with a non-responsive operating system. Additionally, Intel® Endpoint Cloud Services lets IT remotely and securely manage devices inside and outside the firewall, over the cloud.

  • Power Actions – Send out-of-band power commands to devices such as Power On, Power Off, Cycle, and Reset actions.
  • KVM control – Remote keyboard, video, and mouse (KVM) control.
  • The minimum versions necessary to support this are UEM 2410 and HUBW 2410.

Check out more new Windows Security Baseline Templates
We have added new baseline templates for creating Microsoft security baselines for Windows 11 24H2. For more information, see Creating Baselines with a Template.

Support for push notifications in the new WinUI-based Hub
We are launching support for Workspace ONE UEM push notifications in the new WinUI-based Hub as part of our transition from the legacy UWP framework to the new WinUI framework in Intelligent Hub for Windows.

Workspace ONE Mobile Threat Defense Dual Enrollment Configuration by Smart Groups

We initially released support for configuration of Workspace ONE Mobile Threat Defense (MTD) by Smart Groups in UEM 2406. With the 2410 patch 2 release, Workspace ONE MTD customers can also configure Dual Enrollment support for Android devices by Smart Group. Android Dual Enrollment allows customers to enable MTD in both the personal and work profiles of their users’ devices. Customers will also be able to introduce a custom settings profile via the MTD configuration page for specific Smart Groups, enabling support for any future MTD custom settings. This requires Intelligent Hub 25.01+ on Android.

Current Omnissa Security Advisories

Omnissa UX Research Opportunities: 

  • Our goal is to gather insight into user behaviors, motivations, and goals, so we can use those insights to inform and strengthen product and design decisions.
  • Interested in giving your opinion and making your voice heard? Check out what’s available!

WS1 UEM: NEW Split View functionality

  • About: Split View reimagines the way you work in WS1 UEM by giving your screen twice the brainpower. A split view is like having two screens in one — your display is divided into separate panes, so you can view and interact with different content side-by-side.  
  • Opportunity: Provide feedback on the latest design in a 1-hour focus group via Zoom the week of 4/28
  • Group A: Tuesday, 4/29 from 7-8am PDT (9am CDT, 10am EDT, 3pm BST, 4pm CEST)  
  • Group B: Wednesday, 4/30 from 7-8am PDT (9am CDT, 10am EDT, 3pm BST, 4pm CEST)  

WS1 UEM: Faster Device Management with Quick Actions, Test Before Launch 

  • About: Modernization efforts continue – this time for the Devices page where Admins can manage device tags, do an enterprise wipe, delete a device, and more. Design has refreshed the design and added the functionality of “quick actions” – a variety of shortcuts and filters to help Admins manage devices more efficiently.
  • Opportunity: Play with the production environment in a 1-hour focus group via Zoom the week of 4/21
  • Group A: Wednesday, 4/23 from 7-8am PDT
  • Group B: Wednesday, 4/23 from 4-5pm PDT
  • Group C: Thursday, 4/24 from 11am – 12pm PDT 

KB Highlights & Announcements:

Preparing for Workspace ONE Modern SaaS Rollout (Managed Hosting / Dedicated Cloud Customers)

  • For Shared SaaS, environments have already been enabled or will be enabled automatically in the near future
  • Familiarize yourselves with upcoming changes with Modern SaaS, including changes in workflows, terminology, and known issues. (See – TechZone article here.)​
  • Request environment migration with the Omnissa account team (CSM, TAM, AE, SE) once ready. The team will work internally to request an enablement week on your behalf.​
  • Environment clean-up* (resources outside of tenant boundary e.g., global resources).​
  • Remove/migrate invalid resources (apps, profiles, policies) from the console.​
  • Remove/migrate invalid SGs.​
  • Ensure all users/devices are at or under Customer/Partner OGs. If users exist above Customer/Partner OGs with devices enrolled, device enrollment may be required.​
  • Validate Smart Group & app exclusion. See KB here.​
  • Update Workspace ONE UEM to the latest version prior to Mod Stack enablement, minimum UEM 24.06.​
  • Review the list of known issues and changes aggregated in the weekly newsletter below. Ensure resolutions/workaround are implemented as applicable.​
  • Develop a testing plan post migration and communicate with internal stakeholders.​
  • KB Article Overview
  • Announcement & Updates​

High Priority KBs: 

Recently added KBs (Links) 

Recently updated KBs (Links)

Digital Workspace Techzone, Blog, Community and YouTube Updates 

  • None

3rd Party Blog Updates & Industry News 

Beta, Lab and Tech Preview Updates 

Currently available: 

Coming soon:

  • Omni*– Wk of 4/14
  • Boxer (iOS, Android) — April
  • Web (iOS, Android) — Wk of 4/14
  • Content for iOS — Wk of 4/21
  • Experience Management – web app monitoring* — mid April

Past Omnissa Event Recordings

Omnissa Online Recording of Omnissa Online Event: YouTube RecordingVarious 
EUC TechInsights – Reimagine Application Management: Unlock the Power of App Volumes Is your application management strategy ready for a transformation? Join us to explore how decoupling applications from operating systems with portable VHDs can simplify deployments, enhance scalability, and boost efficiency. Discover Jeff UlatoskiDirector Product ManagementFeb 4, 2025
EUC TechInsights – Stay Ahead in IT Management with Workspace ONE, why best things in life are not always freeChoosing the right device management platform goes beyond upfront costs and basic features. As your business grows, will your solution scale with you? Some platforms offer a solid start, but others require complex scripting, third-party add-ons, and workarounds—leading to hidden costs and increased risk. Welcome! You are invited to join a webinar: EUC TechInsights – Stay Ahead in IT Management with Workspace ONE, why best things in life are not always free. After registering, you will receive a confirmation email about joining the webinar.Pim van de VisFeb 25, 2025
Exploring Workspace ONE UEM Frontline and What’s New with Android Management APIo Session 1 – Omnissa Workspace ONE UEM and DEX for Frontline Use Cases – What’s new in Analytics for Frontline Deployments – What’s new in configuring the experience for Frontline devices (Launcher) – What’s new in managing and maintaining Frontline devices o Session 2 – What’s New with Android Management API – What is Android Management API? – AMAPI enhancements with Workspace ONE UEM 2410 – What’s next for AMAPI in 2025 Exploring Workspace ONE UEM Frontline and What’s New with Android Management APIMitch Berk, Senior Director of Product Management; Owais Syed, Product Line Manager; Nick Brouillette, Group Product Line Manager & Manuel Perez, Product ManagerFeb 25 2025
Omnissa Tech Deep Dive: What’s new with Windows software distribution?Whether you’re a newbie or a veteran of deploying Windows apps, this session will provide an A to Z discussion about software distribution, as well as best practices, troubleshooting, and new functionality.Join Omnissa subject experts @Jo Harder@Grischa Ernst@Phillip Helmling@Saurabh Jhunjhunwala@Sujay Gopalan@Camille Debay to learn about new options and improved ways to streamline configuration and deployment of applications.Omnissa Tech Deep Dive: What’s new with Windows software distribution?@Jo Harder,
@Grischa Ernst,
@Phillip Helmling,
@Saurabh Jhunjhunwala,
@Sujay Gopalan,
@Camille Debay		Mar 26 2025

Latest Patch & Seed Script Updates:

OS Updates Seed Script

  • Most recent update :
  • visionOS 2.5 beta (22O5442g)
  • tvOS 18.5 beta (22L5542f)
  • macOS 15.5 beta (24F5042g)
  • iPadOS 18.5 beta (22F5042g)
  • iOS 18.5 beta (22F5042g)
  • Last Update: CW15

Device Model Seed Script

  • Seed Script to support
  • iPad Air 11-inch (M3) Wi-Fi
  • Last update: CW12

Workspace ONE UEM 23.06

  • Patch Level 23.6.0.47
  • RUGG-13443 – Product fails to honour applicability rule when oemBuildVersion attribute is used more than once in applicability rule.
  • FCA-208683 – Intelligence Opt-In flow showing error screen after clicking on ‘Opt-In’ button.
  • AAPP-18903 – VPP app Epic Rover app fails to install.
  • Last Update: CW11

Workspace ONE UEM 23.10

  • Patch level 23.10.0.48
  • FCA-207991 – Updated console notification templates.
  • Last Update: CW16

Workspace ONE UEM 24.02

  • Patch Level: 24.2.0.27
  • FCA-207991 – Update console notification templates to reflect Omnissa branding.
  • ESI-499 – An end-user is able to enrol a device in an OG even when the registration token is mapped to a different user.
  • Last Update: CW16

Workspace ONE UEM 2406

  • Patch level 24.6.0.30

Modernized Environments

  • ARES-31581 – Distribution tab on the Windows Internal app Assignment page was missing several options when editing assignments from the Deployment Tracking page.

All Environments

  • AAPP-18601 – Unable to edit an iOS profile with various payloads.
  • Last Update: CW14

Workspace ONE UEM 2410

  • Patch level 24.10.0.6

Modernized Environments

  • ARES-31983 – Deleted profiles visible on Profile List View.
  • FCA-210023 – Event data opening up to an error screen in the Device Details > Troubleshooting tab.
  • ARES-30330 – Installation status on Device Details Profiles tab do not match with the actual profile installation status on devices.
  • CRSVC-59015 – Update Event Log entries to improve scenarios where multiple log entries are displayed.

All Environments

  • AMST-43100 – Add Multi User Status to devices/deviceuuid API.
  • CRSVC-57763 – Add support for issuing of non-escrowed certs for EJBCA.
  • AGGL-18137 – Android Enterprise Factory Reset Protection profile not prompting option to remove FRP prior to wiping device.
  • CRSVC-60454 – Break MDM Complete Event Notification No Longer Includes Detailed Event Information – Breaking Third-Party Workflows.
  • UM-9568 – Certificate does not contain SID when “Include Security Identifier (SID) in certificate” is enabled. If you use ACC for PKI integration, restart ACC after UEM patch is deployed.
  • RUGG-13523 – Errors enrolling Zebra Printers with Zebra Airwatch Connector.
  • MACOS-5595 – macOS uploaded profiles must be linked to user or device context.
  • AGGL-17463 – Single App Mode profiles are failing to migrate to EntitlementService under certain conditions in production environments.
  • MACOS-5499 – User profile removal from profile deployment tracking page is not working.
  • Last Update: CW16


Disclaimer

Please note: All information in this Newsletter is statically copied from various sources. Once published, these sources won’t be checked and the Newsletter won’t be updated retrospectively. In case of doubts, always check and refer to the linked source in Omnissa Docs, Techzone or Knowledgebase.

Leave a Reply

Your email address will not be published. Required fields are marked *