Management & Security Enhancements in UEM 9.6
The latest updates and features for Workspace ONE UEM 9.6 are now available! This release’s highlights are: new profile settings for Android and Chrome OS, new Apple functionality, and Windows 10 enhancements.
Simplified QR Code Enrollment for Android
The Workspace ONE UEM Console now automatically generates a QR code, enabling administrators and end-users to register devices as Work Managed. Use this new enrollment flow to enable end user enrollment, or to stage multiple devices before deployment.
To get started, navigate to Devices > Staging & Provisioning > Staging and select the Configure Enrollment button.
Android devices running version 7.0 (Nougat) or later
Biometric Passcode Support for Android
The Passcode Profile for Android now supports low-security biometric passcodes, such as facial recognition and fingerprinting. These additional methods enable support for a wider variety of use cases.
To take advantage of this update, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Passcode.
Simplified Profile Configuration for Samsung
Now, you can find and configure supported Samsung features in one place. Workspace ONE UEM 9.6 integrates standard Samsung Knox policies into the Android Work Managed profile payloads. This integration includes the following Samsung Knox policies:
To take advantage of this update, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android, and enable OEM Settings. Once enabled, a Knox symbol displays by the supported payloads.
Factory Reset Protection for Android
Simplify Android device reassignment in Workspace ONE UEM 9.6, with the new Enterprise Factory Reset Protection profile. Now, you no longer need previous account information to set up a factory reset device.
To see this new profile, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Enterprise Factory Reset Protection.
Shared Device Support for Android
Android Enterprise now supports shared device multi-user staging and check-in check-out functionality. Implementing shared devices lowers the overall device cost for organizations without sacrificing security. By keeping security & authentication in place for every unique end user, the shared device only allows authorized end users to access sensitive information.
Launcher required for check-in check-out functionality.
Task Manager Control for Chrome OS
Now, a new setting in the Chrome OS Application Control Profile allows you to control users' ability to end processes in Task Manager. Disabling this setting keeps users from force closing crucial tasks in Task Manager.
To disable, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS > Application Control, and disable Users can end processes in Task Manager.
Verified Device Mode for Chrome OS
Device Verified Mode Required, a new setting in the Chrome OS Security & Privacy profiles, ensures devices meet security requirements before booting up.
To take advantage of this feature, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS > Security & Privacy, and enable Device Verified Mode Required.
New Skip Screen Options for iOS
Apple Setup Assistant now supports three new skip screen options for Apple DEP:
- iMessage And FaceTime: Prevent the iMessage and FaceTime prompt during Setup Assistant.
- Software Update: Prevent informing users about Software Updates during Setup Assistant.
- Screen Time: Prevent informing users about Screen Time during Setup Assistant.
Take advantage of this update by navigating to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program, and configure the Apple Setup Assistant workflow to Skip the appropriate screens.
New Supervised Device Restrictions for iOS
Enable USB Restricted Mode, a new setting in the Restrictions payload, to turn the Lightning port into a charge-only port if the device hasn’t been unlocked within a week.
To see the feature, navigate to Devices > Profiles & Resources > Profiles > Add > Apple iOS > Restrictions and enable or disable USB Restricted Mode.
iOS 11.4+ supervised device
Enforced Application Management for macOS
Now, a new macOS software distribution setting can disable enforced management for internal applications. Disabling enforced application management provides the flexibility to deploy applications as a part of one-time configuration, and gives end-users the liberty to locally uninstall applications.
To see this setting, navigate to Apps & Books > Applications > Native > Internal. Then, while configuring assignment, enable or disable Desired State Management.
Enhanced App Installation Notifications for Windows
Now you can quickly see when an app has successfully installed and receive status updates throughout the install process. Both the install progress and status display for UWP apps, and statuses display for all other internal apps.
Workspace ONE 3.2 for Windows 10
Remote Reboot for Windows 10
A new command enables you to reboot managed Windows 10 devices from the console or via API. Selecting the Reboot Device button triggers a reboot within 5 minutes to allow the user to wrap up any active work.
Windows 10 version 1607+
Consolidated OEM Updates View for Windows 10
Workspace ONE UEM now displays all the deployed OEM updates in the OEM Updates list view. This page allows you to filter the updates by the update type including audio driver, chipset driver, BIOS updates and more.
To see updates in the UEM console, navigate to Devices > Lifecycle > Updates and select the OEM Updates tab.
SSL Certificate Rotation for VMware Tunnel
Now you can rotate certificates without impacting the end-user service experience. Upload up to two additional public SSL certificates, or remove an existing public SSL certificate with zero downtime. The SSL certificate expiration date is displayed, and the IT administrator is notified to rotate a certificate that is about to expire.
Take advantage of this update by navigating to the Advanced tab under VMware Tunnel.
Unified Access Gateway Installation Type for Content Gateway
Administrators can now use Unified Access Gateway (UAG) as an installation type to configure a new Content Gateway on Unified Access Gateway or to migrate the existing Windows or Linux Content Gateway to Unified Access Gateway.
To access this setting, navigate to Groups & Settings > All Settings > Enterprise Integration > Content Gateway.
SAML Authentication for Selected Services
Now, you can enable SAML authentication for selected services based on the corporate policies and security requirements. Selected services include enrollment, the Workspace ONE UEM Console, and the Self-Service Portal.
Take advantage of this update by navigating to Groups & Settings > All Settings > Enterprise Integration > Directory Services and enabling Use SAML For Authentication.
Token Revocation on Enterprise Wipe
Now, enterprise wiping a device automatically revokes its Azure tokens.
To enable this setting, navigate to Accounts > Administrators > Administrator Settings > Directory Services and enable Automatically revoke user tokens when wiping device.
Many thanks to my colleague Hannah Jernigan for the original post which can be found here.