Omnissa Release Notes

Omnissa Identity Service | MAY 2026

Check for additions and updates to these release notes.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

What’s New in May 2026

Omnissa and Google Workspace Integration for New Environments

You can now connect Omnissa Identity Service directly to Google Workspace to automate user lifecycles and enable seamless federated authentication.

What’s Supported

• Automated Provisioning (SCIM): Real-time, one-way sync from Google to Omnissa Identity Service. This automatically creates, updates, deletes, activates, and deactivates users to eliminate manual overhead and secure your perimeter.
• Single Sign-On (SAML): Users log into Omnissa services instantly using their existing Google Workspace credentials.

Current Limitations

• No Groups: Google Workspace does not support SCIM group provisioning, so sync is limited to individual users.
• Protocols: Built strictly on SAML. OpenID Connect (OIDC) and Workspace ONE UEM Password Grant flows are not supported.
• Migration to Google Workspace from your current Workspace ONE UEM and Omnissa Access integrations is not yet supported.

Setup Guides

• Omnissa: Integrating Omnissa Identity Service with Google Workspace
• Google: Google Workspace Help Center App Integration Guide

What’s New in March 2026

Migration to SCIM 2.0 for Workspace ONE UEM customers with Omnissa Access configured (Limited Availability)

Omnissa Identity Service now supports directory migration from on-premises Active Directory to cloud Identity Providers supporting SCIM 2.0 for existing customers with Workspace ONE UEM and Omnissa Access configured.

This feature allows organizations to centralize identity management, eliminate on-premises dependencies, and streamline user provisioning and authentication.

This feature has been added to the Limited Availability program. Use the Omnissa Beta Program to check requirements and apply.

Key Benefits for Workspace ONE UEM and Omnissa Access Customers

• Cloud-Native Provisioning: Provision users and groups from your cloud IDP to Workspace ONE UEM using SCIM 2.0, replacing legacy Active Directory sync.
• No On-Premises Components: Eliminate the need for AirWatch Cloud Connector and Omnissa Access Connector for authentication and user sync.
• Centralized Management: Manage users and groups from Omnissa Connect, a unified web-based portal for all Omnissa services.
• Federated Authentication: Enable seamless SSO into Omnissa services using your cloud IDP as the identity provider.

Migration Process

The migration process is guided by a wizard in Omnissa Connect and includes:

• Completing prerequisites (such as IDP setup and attribute mapping)
• Integrating your cloud IDP with Omnissa Identity Service
• Comparing directory data between Workspace ONE UEM, Omnissa Access, and Omnissa Identity Service
• Executing the migration in stages (authentication switch, provisioning cutover)

Minimum downtime is expected during the migration.

Unsupported Features and Limitations

Before migrating, review the following limitations:

• No Rollback: Once provisioning is migrated to Omnissa Identity Service, rollback to Active Directory is not possible.
• Immutable externalId: For Microsoft Entra ID, the externalId in Entra ID must match the original Active Directory value.
• Feature Gaps- Workspace ONE UEM: Some Workspace ONE UEM features are not supported post-migration. See the Unsupported Features list for details.
• Feature Gaps - Omnissa Access: Features that are not supported post-migration include the following.
  • Local users and administrators
  • Dynamic groups
  • Directory administrators (administrators are provisioned from Omnissa Connect)
  • Password (cloud deployment) and Password (Local Directory) authentication methods
  • People Search

See the Unsupported Features list for more information.

• Sync via Airwatch Provisioning Adapter from Omnissa Access to Workspace ONE UEM is not supported.

Learn More

For detailed setup instructions, prerequisites, and best practices, see the documentation:

• Migrating Directories to Omnissa Identity Service (Limited Availability)
• Workspace ONE UEM: Omnissa Identity Service with Directory Services

What’s New in January 2026

Okta and generic SCIM Identity Provider migration to Omnissa Identity Service (Limited Availability)

Omnissa Identity Service (OIS) now extends Workspace ONE UEM directory migration support beyond Microsoft Entra ID to include Okta and generic SCIM 2.0–compliant identity providers, enabling Workspace ONE UEM customers to modernize identity architectures using their existing cloud IDPs. This enhancement allows organizations to migrate away from on-premises Active Directory while preserving their preferred identity provider for user lifecycle management and authentication.

This feature is in Limited Availability. Use the Omnissa Beta Program to review requirements and apply for access.

Key Benefits for Workspace ONE UEM Customers

• Cloud-Native Provisioning: Provision users and groups from Okta or a generic SCIM IDP into Workspace ONE UEM using SCIM 2.0, replacing legacy Active Directory–based synchronization.
• No On-Premises Components: Eliminate the need for AirWatch Cloud Connector and other on-premises directory infrastructure.
• Centralized Identity Management: Manage users, groups, and directory integrations from Omnissa Connect, a unified web-based portal for all Omnissa services.
• Federated Authentication: Enable seamless single sign-on (SSO) into Omnissa services using Okta or a supported SCIM-based identity provider as the authentication source.

Migration Process

The migration experience is guided by a wizard in Omnissa Connect and follows a consistent framework across supported identity providers. The staged approach is designed to minimize disruption, with minimal expected downtime during the migration window.

Note: By default, an email notification is sent to users when they are provisioned into Workspace ONE UEM through Omnissa Identity Service. You can customize or disable this notification. For details, see Workspace ONE UEM Directory Services Configuration for information.

Unsupported Features and Limitations

Before migrating, review the following limitations:

• Omnissa Access Integration: If any directories or identity providers are configured in Omnissa Access, migration is not supported. Migration scenarios involving Workspace ONE UEM plus Access will be supported in a future release.
• No Rollback: Once provisioning is migrated to Omnissa Identity Service, rollback to the previous directory (Active Directory or legacy sync) is not supported.
• Immutable External Identifier: The SCIM externalId provided by Okta or the generic IDP must remain immutable and must match the existing directory identifier in Workspace ONE UEM.
• Feature Gaps: Some Workspace ONE UEM directory-dependent features are not supported post-migration. Review the Unsupported Features list before proceeding.

Learn More

For detailed setup instructions, prerequisites, and best practices, see the following documentation:

• Migrating Directories to Omnissa Identity Service (Limited Availability)
• Integrating Omnissa Identity Service with Okta
• Integrate Omnissa Identity Service with a Generic Identity Provider
• Workspace ONE UEM: Omnissa Identity Service with Directory Services

Ability to select common identifier during migration to Omnissa Identity Service

Omnissa Identity Service now supports using an attribute other than distinguishedName as the unique, common identifier to match existing Workspace ONE UEM users and groups with those synced from your cloud identity provider. You can select the common identifier during Step 1: Complete Directory Prerequisites of the migration process. This feature is available for all supported cloud identity providers.

What’s New in December 2025

Support for Workspace ONE UEM Basic users in new environments

Omnissa Identity Service now supports Workspace ONE UEM Basic user accounts in Identity Service-integrated Workspace ONE UEM environments, extending the support to new organizations. Previously, Workspace ONE UEM Basic user accounts were supported only in migration environments.

To use this feature, enable the Basic user authentication for UEM option in Step 4: Select Authentication Protocol of the Omnissa Identity Service integration wizard. When this option is selected, federated users are authenticated by the third-party identity provider, while Basic users are authenticated by Workspace ONE UEM Basic user authentication.

For more information, see Configuring Authentication for Workspace ONE UEM Basic Users.

Extension of Platform SSO support in Workspace ONE environments with user sync through Identity Service (SCIM 2.0)

We are now extending support for Workspace ONE UEM to configure Platform SSO using Omnissa Access as an IdP for environments that sync users and groups via SCIM 2.0 with Identity Service.

Administrators use Workspace ONE UEM to configure and manage Platform SSO, deploying the necessary profiles and settings to Macs. Platform SSO extends single sign-on directly to the macOS login, meaning the user’s IdP password becomes synchronized with their Mac password. It can facilitate the creation of local macOS user accounts directly from the IdP and can also synchronize IdP password policies and enforce them on the local password.

Note: Omnissa Identity Service must be integrated with a third-party identity provider that supports the OpenID Connect (OIDC) protocol.

See Configuring Apple macOS Platform Single Sign-On with Omnissa Access for more information.

Support for Horizon 8 SSO to Azure VMs joined to Entra ID

Horizon 8 has added support for Single Sign-On to Entra ID-joined desktops and applications when the Windows client is launched using Omnissa Identity Service and Workspace ONE Access. Users are synced from Entra ID and authenticate through Omnissa Access. They can launch their Horizon desktops and applications without needing to re-enter Entra ID credentials inside the desktop. This streamlines access for environments built on Entra ID and gives on-prem organizations a smoother path when delivering Azure-based Horizon resources. See SSO to Microsoft Entra ID joined desktops and applications through Workspace ONE Access in the Desktops and Applications in Omnissa Horizon 8 documentation.

What’s new in November 2025

URL Migration Dashboard

As part of the migration from legacy domains to Omnissa domains, URLs are being updated in Omnissa Access and Omnissa Identity Service for customers in selected cloud regions. These changes require you to update your integrations with Identity Providers. A Migration dashboard is available in the Identity Service admin console for impacted regions to guide you through the migration process.

See KB article 6001062 for detailed information about the migration process and timeline.

Action Required:

1. Review KB article 6001062.
2. In the Identity Service console, select Migration Support to access the Migration dashboard.
3. Follow the instructions in the dashboard to complete the migration. See the KB article for additional information.

IMPORTANT: We strongly encourage you to start migration as soon as possible. See KB article 6001062 for the cutover timeline.

What’s New in September 2025

Omnissa Identity Service opens in new tab

You can now launch Omnissa Identity Service directly from the Omnissa Connect menu in a separate tab to manage end-user directory configurations and view details. In Omnissa Connect, select Identity Management > End User Management, then click Launch End User Management.

Horizon 8 App Support

Omnissa Identity Service now supports Omnissa Access integration with Horizon 8, enabling users to access virtual desktops and published applications:

• Natively with Horizon Client
• Through Workspace ONE Intelligent Hub

This integration is only supported with Horizon 8 pods that have True SSO enabled.

Additional attributes are required for the Omnissa Access integration with Horizon 8. For more information, see:

• User Attribute Mapping for Omnissa Identity Service
• Set up Your Omnissa Access Environment for Horizon Integration - Omnissa Access tenants that have Omnissa Identity Service enabled

Note: If Okta is configured as the third-party identity provider in Omnissa Identity Service, Omnissa Access integration with Horizon 8 is not supported.

What’s New in July 2025

Active Directory Migration to Microsoft Entra ID (Limited Availability)

Omnissa Identity Service (OIS) now supports directory migration from on-premises Active Directory to Microsoft Entra ID, enabling a modern, cloud-first identity architecture for Workspace ONE UEM customers. This feature allows organizations to centralize identity management, eliminate on-premises dependencies, and streamline user provisioning and authentication.

This feature is in Limited Availability. Use the Omnissa Beta Program to check requirements and apply.

Key Benefits for Workspace ONE UEM Customers

• Cloud-Native Provisioning: Provision users and groups from Microsoft Entra ID to Workspace ONE UEM using SCIM 2.0, replacing legacy Active Directory sync.
• No On-Premises Components: Eliminate the need for AirWatch Cloud Connector.
• Centralized Management: Manage users and groups from Omnissa Connect, a unified web-based portal for all Omnissa services.
• Federated Authentication: Enable seamless SSO into Omnissa services using Microsoft Entra ID as the identity provider.

Migration Process

The migration process is guided by a wizard in Omnissa Connect and includes:

• Completing prerequisites (such as Entra ID setup and attribute mapping)
• Integrating Microsoft Entra ID with Omnissa Identity Service
• Comparing directory data between Workspace ONE UEM and Omnissa Identity Service
• Executing the migration in stages (authentication switch, provisioning cutover)

Minimum downtime is expected during the migration.

Note: By default, an email notification is sent to users when they are provisioned to Workspace ONE UEM through Omnissa Identity Service. You can customize the email or turn off the notification. See Workspace ONE UEM Directory Services Configuration for information.

Unsupported Features and Limitations

Before migrating, review the following limitations:

• Omnissa Access Integration: If any directories or identity providers are configured in Omnissa Access, migration is not supported. Workspace ONE UEM plus Access migration will be supported in a subsequent release.
• No Rollback: Once provisioning is migrated to Omnissa Identity Service, rollback to Active Directory is not possible.
• Immutable externalId: The externalId in Entra ID must match the original Active Directory value.
• Feature Gaps: Some Workspace ONE UEM features are not supported post-migration. See the Unsupported Features list for details.

Learn More

For detailed setup instructions, prerequisites, and best practices, see the documentation:

• Migrating Directories to Omnissa Identity Service (Limited Availability)
• Workspace ONE UEM: Omnissa Identity Service with Directory Services

User Notification Settings for Users Provisioned to Workspace ONE UEM

You can now configure whether end users receive an email notification when their accounts are provisioned in Workspace ONE UEM through Omnissa Identity Service. By default, a user activation email is sent upon provisioning. You can customize the email or turn off the notification. See Workspace ONE UEM Directory Services Configuration for information.

What’s New in January 2025

• Integration with Horizon Cloud Service Next-Gen
• Move to Omnissa Connect

Integration with Horizon Cloud Service Next-Gen

Horizon Cloud can now leverage Omnissa Identity Service to integrate with Microsoft Entra ID to sync users and groups and configure federation for end users. Omnissa Identity Service is available as another identity provider option in Horizon Cloud Service next-gen, in addition to the existing identity provider options. The service is available for tenants with no previous Identity Management configuration in the Horizon Cloud Control Plane next-gen.

In the Omnissa Connect console, select End User Management, configure the integration with Entra ID, select Horizon, and add the necessary information to your Horizon Cloud Control Plane next-gen to complete the integration.

The following configuration is supported:

• Microsoft Entra ID as the third-party identity provider integrated with Omnissa Identity Service
  Okta and generic SCIM 2.0 identity providers are not currently supported.
• OpenID Connect as the authentication protocol
• Enabling Intelligent Hub
  However, the Enforce Intelligent Hub setting, which forces users to access their apps through Intelligent Hub, is not currently supported.

For more information, see:

• Configuring User Provisioning and Identity Federation with Omnissa Identity Service
• Using Horizon Control Plane next-gen - Horizon Cloud Service and Cloud-Connected Horizon 8

Move to Omnissa Connect

Omnissa Identity Service is now part of Omnissa Connect, a new web-based service that provides a centralized access point for all Omnissa services and solutions. In the Omnissa Connect console, select End User Management in the left pane to access and configure Omnissa Identity Service.

Your existing Omnissa Identity Service configuration has not changed with the move from Workspace ONE Cloud Admin Hub, the Workspace ONE Cloud console, to Omnissa Connect.

For more information, see:

• Omnissa Connect: Designed to simplify your digital workspace
• Omnissa Connect documentation
• Omnissa Identity Service documentation

What’s New in December 2024

• New provisioning app for Okta integration
• New Status tab for provisioning errors

New provisioning app for Okta integration

We are excited to announce the availability of a new provisioning app, the Omnissa Identity Service app, in the Okta Integration Networks App catalog! The app makes it easier for you to set up user provisioning from Okta to Omnissa by including preconfigured settings.

To get started with your provisioning app, search for “Omnissa Identity Service” in the Okta App catalog, then select the app.

Read more about how to integrate Omnissa Identity Service with Okta in the Identity Service documentation.

New Status tab for provisioning errors

You can now use a new Status tab to monitor real-time provisioning errors. The tab displays information about the provisioning status from Omnissa Identity Service to the services that you selected to use with it (Workspace ONE UEM or Access), as well as error details for user, group, and membership objects.

We have also added an error banner on the Identity Service summary page that displays the total error count across downstream services.

For example:

What’s New in September 2024

Password Grant Flows

When an Omnissa Workspace ONE® UEM tenant is integrated with Omnissa Identity Service, end users are redirected to your Identity Provider (IdP) for SAML authentication when enrolling or checking out devices. A SAML-redirection is not possible on the device or client in some authentication flows. The Password Grant Flow feature, when enabled, allows SCIM-provisioned users to authenticate against your IdP when SAML-redirection is not available. Additionally, it enables certain basic user authentication flows. See Support for Certain Workspace ONE UEM Username and Password-based Flows for details of these flows. Also see Configure Workspace ONE UEM Settings for Omnissa Identity Service for information on how to configure the new Password Grant setting.

What’s New in April 2024

SAML Authentication Context for Generic Identity Provider Integrations

If you integrate a generic SAML 2.0 identity provider with Omnissa Identity Service and select SAML as the authentication protocol, you can now choose between the following authentication context types: unspecified, PasswordProtectedTransport, or a custom value.

The authentication context indicates how a user is authenticated at an identity provider. The identity provider includes the authentication context in an assertion at the request of a service provider or based on the configuration at the identity provider.

Note: You can change the authentication context for existing configurations.

What’s New in February 2024

Ability to deactivate Omnissa Identity Service from the console

We’ve now made it possible for you to deactivate Omnissa Identity Service from the Workspace ONE Cloud console. After deactivating Omnissa Identity Service, you can set up directory provisioning and federated authentication from Workspace ONE UEM and Omnissa Access directly. You might need to deactivate Omnissa Identity Service in the following scenarios:

• Your use cases are not supported by Omnissa Identity Service.
• You want to sync users and groups directly from Active Directory.
• You want to configure directory services and identity federation in Workspace ONE UEM or Omnissa Access, instead of the Workspace ONE Cloud service.

Here’s how you do it: Deactivating Omnissa Identity Service

What’s New in December 2023

• Omnissa Identity Service public APIs
• Token expiry notification for administrators

Omnissa Identity Service public APIs

We are happy to announce the release of Omnissa Identity Service public APIs, bringing the power of automation to your Workspace ONE Cloud integration with cloud identity providers that use the SCIM 2.0 protocol.

The following use cases are available for the API integration:

• Configure a provisioned directory of users and groups using the System for Cross-domain Identity Management (SCIM 2.0) protocol.
• Manage identity provider configuration for federated authentication into Omnissa products and services.
• Leverage centralized user management and authentication for Omnissa Access and Workspace ONE UEM.

You can create an OAuth 2.0 client in the Workspace ONE console to get API access to get started.

To learn more about the new APIs, see Omnissa Identity Service APIs.

Note: The Omnissa Identity Service APIs are available to new Omnissa Access or Workspace ONE UEM customers, and to existing customers that have already onboarded Omnissa Identity Service.

Token expiry notification for administrators

We now send notifications to administrators when the secret token used for directory synchronization is about to expire or has expired. Notifications are sent to the administrator by email and also appear as a banner in the Workspace ONE Cloud console.

Administrators can opt out from receiving email notifications.

What’s New in October 2023

New Flow for Okta Integration with Workspace ONE Cloud

We are excited to announce that a new Okta flow is now available in the Workspace ONE Cloud console to support integration with Okta! This flow makes it easier for you to provision users and groups from Okta to Workspace ONE Cloud and authenticate users using Okta. Prior to this release, Okta was tested and documented for the generic SCIM 2.0 Identity Provider flow.

Get familiar with the new flow by reading Integrating Omnissa Identity Service with Okta in the Omnissa Identity Service documentation.

Note: The Okta integration is available for new customers or customers that have already onboarded to Omnissa Identity Service.

What’s New in June 2023

Audit events for provisioning to downstream products and services

Omnissa Identity Service introduces audit events to track successes and failures in pushing data from Workspace ONE Cloud to downstream products and services such as Workspace ONE UEM and Omnissa Access. Admins can use the audited information to identify, track, and debug provisioning-based issues. Audit events support filtering based on the object name, object type, downstream service, and errors. A detailed view of audit events provides error states.

See Viewing Audit Events for Omnissa Identity Service for more information.

What’s New in April 2023

New provisioning app for Microsoft Entra ID integration

We are excited to announce the availability of a new provisioning app in the Microsoft Entra App Gallery! The app makes it easier for you to set up user provisioning from Microsoft Entra ID to Omnissa Identity Service by including preconfigured settings.

Read more about how to integrate Omnissa Identity Service with Microsoft Entra ID in the documentation.

Introducing Omnissa Identity Service - January 2023

We’re introducing a new service that makes user provisioning and identity federation easier for new customers of Omnissa Access and Workspace ONE UEM! You can now leverage Omnissa Identity Service to configure a provisioned directory of users and groups based on SCIM 2.0 in the Workspace ONE Cloud console. Omnissa Identity Service will then automatically provision the users and groups, as well as authentication settings, to your Workspace ONE UEM and Omnissa Access admin consoles.

While integrating with your third-party identity provider, you confirm the user attributes to synchronize into Omnissa Identity Service.

Take a look at some of the use cases:

• Create and configure a provisioned directory of users and groups using the System for Cross-domain Identity Management (SCIM) 2.0 protocol.
• Manage identity provider configuration for federated authentication into Omnissa products and services.
• Leverage centralized user management and authentication across Omnissa products and services.

Currently, Omnissa Identity Service supports Workspace ONE UEM and Omnissa Access for centralized user management and authentication from the Workspace ONE Cloud console for newly-created environments.

Supported identity providers and directory sources:

• Microsoft Entra ID, a cloud-based identity service in Microsoft Azure
• Generic SCIM 2.0 identity source (tested for Okta)

Important:

• Omnissa Identity Service is only available for new Workspace ONE Cloud environments.
• Omnissa Identity Service is not available for Managed Services Provider customers at this time.

To get started with Omnissa Identity Service, log into your organization’s Workspace ONE Cloud Admin Hub, the Workspace ONE Cloud console, and select Accounts > End User Management.

Click Get Started and use the wizard to set up the integration with your identity provider.

Known Issues

• Unsupported features

When Omnissa Identity Service is enabled, some features are not supported in Omnissa Access, Workspace ONE UEM, Omnissa Workspace ONE® Hub Services, and Omnissa Workspace ONE® Intelligent Hub and portal. See Configuring User Provisioning and Identity Federation with Omnissa Identity Service for more information.

• After you select a service such as Omnissa Access or Workspace ONE UEM to use with Omnissa Identity Service and save your selection, you cannot deselect it.

Solution: Contact Support to reset the selection.

• Deleting a user in Microsoft Entra ID does not delete the user from Omnissa Identity Service

When you delete a user in Microsoft Entra ID, the account is suspended for a specific period of time before being deleted. The user is deactivated in Omnissa Identity Service, too, for that period of time. In Microsoft Entra ID, the username of the deleted user is also modified, and the changes are reflected in Omnissa Identity Service. See How Microsoft Entra ID Users are Deleted for more information.

• Deleting user and group attribute values in Microsoft Entra ID does not delete the values in Omnissa Identity Service

In Microsoft Entra ID, when you delete a user or group attribute value that was already synced to Omnissa Identity Service, the value is not deleted in Omnissa Identity Service and downstream services. Microsoft Entra ID does not propagate null values.

Solution: Instead of clearing the value completely, enter a space character.

• Okta integration requires two apps

When you integrate Omnissa Identity Service with Okta, you must create separate apps in the Okta Admin console for user provisioning and identity provider configuration. You cannot use the same app for provisioning and authentication.

• Login_hint feature does not work

When you integrate a third-party identity provider with Omnissa Identity Service using the OpenID Connect protocol, the login_hint feature does not work. If the relying party sends a login_hint, Omnissa Identity Service does not pass it to the identity provider.

• Deleting an attribute mapping in Microsoft Entra ID or Okta does not remove the attribute from users in Omnissa Identity Service

When you delete an attribute mapping from the provisioning app in Microsoft Entra ID or Okta, the changes are not propagated to Omnissa Identity Service. The attribute is not deleted for users in Omnissa Identity Service and downstream services.

Documentation

See Configuring User Provisioning and Identity Federation with Omnissa Identity Service in the Omnissa Identity Service documentation site.

Internationalization

Omnissa Identity Service is available in the following languages:
Czech, French, Polish, Simplified Chinese (China), Danish, Italian, Portugese, Chinese (Taiwan), German, Japanese, Russian, English, Korean, Swedish, Spanish, Dutch, Turkish

To view the documentation in your preferred language, select the language icon at the top-right of the page.

Localized Content for Omnissa Docs

See KB article 6000664: Announcing Omnissa Localization Support for information about localized content.

Support Contact Information

Contact Support at Omnissa Customer Connect when you need help with your Omnissa Identity Service environment. See How to file a Support Request in Customer Connect and via Cloud Services Portal.

Original source

Experience Management for macOS Release Notes describe the new features and enhancements in each release. This page contains a summary of the new capabilities, issues that have been resolved, and known issues that have been reported in each release.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 and KB6000802 for more information.

Experience Management 26.02 for macOS

New Features

• We’ve updated the Experience Management for macOS agent code base.
  • If you use a proxy server in your Experience Management deployment, you must configure proxy awareness on the macOS device.
  • For details, access Use a proxy server? You must configure proxy awareness on the device.

Minimum Requirements

Minimum Requirements for Experience Management 26.02 for macOS

• Omnissa Workspace ONE Experience Management for macOS package
• Omnissa Workspace ONE Intelligent Hub for macOS 24.11.3 or later
• macOS Sonoma, version 14 or later
• Omnissa Intelligence tenant opted-in and Desktop Advanced Telemetry integration card activated

Resolved Issues

• We are always working to improve Experience Management with every release. There are no major bug fixes to report.

Known Issues

• DCP-11462: There is a known issue concerning the reporting of NIC models and manufactures as “unknown” in wi-fi network adapter events. For details, see the KB article Wi‑Fi NIC Model and Manufacturer Showing as “Unknown” on Apple Silicon (M1) macOS Devices.

Download Instructions

• Omnissa Workspace ONE Experience Management 26.02 for macOS is available as a resource on Customer Connect.

Original source

Omnissa Access 24.12.1.0 | 11 SEP 2025 | Build 49efda362374f8d76a5a23fecc282b330acfe913

Omnissa Access Connector (Windows) 24.12.1.0 | 02 SEP 2025 | Access-Connector-Installer-24.12.1.0.exe

Omnissa Access Desktop 24.12.1.0 | 11 SEP 2025 | Omnissa-Access-Desktop-24.12.1.exe

Check for additions and updates to these release notes.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

Omnissa Access 24.12.1.0

Omnissa Access helps you provide your users faster access to SaaS, web, and native mobile apps with multi-factor authentication, conditional access, and single sign-on. The Release Notes describe the new features, resolved issues, and known issues in this version of Omnissa Access.

Note: Omnissa Access 24.12.1.0 is an update release, resulting in abbreviated release notes. The contents of the Omnissa Access 24.12 Release Notes apply to this version too.

What’s New

Omnissa Access 24.12.1.0 includes branding and security-related updates and other product fixes.

• NEW - MAY 20, 2026: A new patch containing security updates is now available. HW-261052-Appliance-24.12.1.0.zip also includes all previously-released patches and can be applied on top of any existing patches.
  Download Patch HW-261052-Appliance-24.12.1.0.zip from the Omnissa Access 24.12 Download page on Customer Connect. For detailed instructions, see KB article 6001156.

• NEW - FEB 20, 2026: A new patch containing security updates is now available. HW-253749-Appliance-24.12.1.0.zip also includes all previously-released patches and can be applied on top of any existing patches.
  Download Patch HW-253749-Appliance-24.12.1.0.zip from the Omnissa Access 24.12 Download page on Customer Connect.

• NEW - JAN 21, 2026: A new patch, HW-251347-Appliance-24.12.1.0.zip, is now available for Omnissa Access 24.12.1.0. This cumulative patch combines all previously-released patches including HW-250276-Appliance-24.12.1.0.zip and HW-247745-Appliance-24.12.1.0.zip, and also includes additional fixes. You can apply this patch on top of any patches you might have already applied.
  The older patches are no longer available for download separately.
  You can download the new patch from the Omnissa Access 24.12 Download page on Customer Connect. For detailed instructions, see KB article 6001156.

• NEW - DEC 22, 2025: A patch to address CVE-2025-66516 in Apache Tika packages used in Omnissa Access is available.
  We have determined that Apache Tika ships with Omnissa Access in a way that significantly mitigates the severity of CVE-2025-66516. Administrative credentials are required to attempt exploitation and there are other safeguards in place that make exploitation more difficult, resulting in a Medium severity CVSS 3.1 score of 6.4/10.
  We have made a patch available to update Apache Tika packages to fixed versions in Omnissa Access. Download Patch HW-250276-Appliance-24.12.1.0.zip from the Omnissa Access 24.12 Download page on Customer Connect.

• NEW - DEC 12, 2025: A new patch is now available for the Omnissa Access 24.12.1.0 virtual appliance. Patch HW-247745-Appliance-24.12.1.0.zip:

  • Contains a fix for Authenticator App based two-factor authentication failure
  • Resolves the issue of the TCP over TLS syslog configuration option not working
  • Includes multiple OS and package-level upgrades to the latest available versions
    Download Patch HW-247745-Appliance-24.12.1.0.zip from the Omnissa Access 24.12 Download page on Customer Connect.

• IMPORTANT Upgrade-only release for virtual appliance: Omnissa Access virtual appliance 24.12.1.0 is only available as an upgrade from the versions listed in the Upgrade section. A new installation of the Omnissa Access 24.12.1.0 virtual appliance is not supported. However, other components such as the Omnissa Access connector and Omnissa Access Desktop are available as new installations with this release.

• New version of Omnissa Access Connector: Omnissa Access Connector 24.12.1.0 is available with this release and includes the fixes listed in Resolved Issues. You can perform a new installation of version 24.12.1.0, or upgrade from the versions listed in the Upgrade section.

• New version of Omnissa Access Desktop: Omnissa Access Desktop 24.12.1.0 is available with this release and has specific compatibility requirements as listed in Omnissa Access Desktop Compatibility. Desktop 24.12.1.0 is available as a new installation only. Uninstall your old version, then install version 24.12.1.0.

• Branding updates: The 24.12.1.0 release includes further rebranding changes related to the launch of Omnissa as a new company. Among other changes, a new option to renew Omnissa Access SAML signing and encryption certificates is now available. Renewing a certificate also updates the certificate to Omnissa branding.

Compatibility

• Omnissa Access virtual appliance 24.12.1.0 is compatible with:

  • Omnissa Access Connector 24.12.1.0 and earlier versions. It does not support a later version of the connector.
  • Omnissa Access Desktop 24.12.1.0 and later versions. It does not support Workspace ONE Desktop Client 23.09 or earlier versions. (Omnissa Access Desktop was formerly named Workspace ONE Desktop Client.)

• Omnissa Access Connector 24.12.1.0 is compatible with:

  • Omnissa Access virtual appliance 24.12.1.0 and later versions
  • Omnissa Access Cloud
  • Omnissa Access FedRAMP

• Omnissa Access Desktop 24.12.1.0 is compatible with:

  • Omnissa Access virtual appliance 24.12.1.0 and later versions only. A workaround is available if you want to use it with virtual appliance version 24.12.0.0. See Omnissa Access Desktop Compatibility for information.
  • ThinApp packages created with Omnissa ThinApp 24.12 and later versions only. If you have ThinApp packages that were created with an older version, you must create new packages with ThinApp 24.12.

Installation

• Omnissa Access virtual appliance: A new installation of the Omnissa Access 24.12.1.0 virtual appliance is not supported. You can only upgrade to version 24.12.1.0 from an existing installation. See the Upgrade section for the versions supported for upgrade.

• Omnissa Access Connector: A new installation of Omnissa Access Connector 24.12.1.0 is supported, in addition to upgrade. You can download the connector from Omnissa Connect.

• Omnissa Access Desktop: A new installation of Omnissa Access Desktop 24.12.1.0 is supported. You can download the Desktop from Omnissa Connect.

• No license required
  Omnissa Access 24.12.1.0 version does not require a license. The Settings > Appliance > License page has been removed from the Omnissa Access console.

Upgrade

Upgrading to Omnissa Access Virtual Appliance 24.12.1.0 (Photon Linux)

• Upgrade to Omnissa Access virtual appliance 24.12.1.0 is supported from the following versions:

  • 24.12.0.0
  • 24.07
    Earlier versions must be upgraded to version 24.07 first, then upgraded to 24.12.1.0.

• Support for offline upgrade only
  Online upgrade is not supported for the Omnissa Access virtual appliance in this release. You must use the offline upgrade process described in Upgrading Omnissa Access Offline.

• After upgrade, leave the Customer Experience Improvement Program
  If you previously opted in to the Customer Experience Improvement Program, you must leave the program after upgrading the virtual appliance to version 24.12.1.0 or 24.12.0.0. The legacy Customer Experience Improvement Program collected information about your organization’s use of Omnissa products.

  1. In the Access admin console, select Settings > Appliance.
  2. Select the Customer Experience Improvement Program tab.
  3. Deselect the Join the Customer Experience Improvement Program option.

During the upgrade, all services are stopped; plan the upgrade with the expected downtime in mind.
See the Upgrading Omnissa Access guide for information about the upgrade process.

Upgrading to Omnissa Access Connector 24.12.1.0 (Windows)

Upgrade to Omnissa Access Connector 24.12.1.0 is supported from the following versions:

• 24.12.0.0
• 24.07
• 23.09
  See the Upgrading Omnissa Access Connector guide for information about the upgrade process.

Important: Omnissa Access Connector 24.12.1.0 is compatible with Omnissa Access virtual appliance version 24.12.1.0 and later versions, Omnissa Access Cloud, and Omnissa Access FedRAMP.

Legacy Connectors

Omnissa Access 24.12.x does not support legacy connectors (version 19.03.0.1 and earlier). The Connectors (Legacy) page has been removed from the Omnissa Access console.

Resolved Issues

This release includes the following resolved issues.

Connector - Directory Sync service:

• HW-230769: Prevent directory sync failure when a deleted user continues to have group membership
• HW-215396: Allow manual override of domain controller auto-discovery in krb5.conf file
• HW-216294: During Active Directory password reset from Intelligent Hub, limit domain controller discovery retries
• HW-201638: Add safeguards check to photo sync
• HW-223982: Limit the number of directory sync alerts to 1,000

Connector - Virtual App service:

• HW-222985/HW-225845: Support the new Omnissa-based application partition names in Active Directory Lightweight Directory Services (LDS) introduced with Horizon 2503 (see KB article 6000797).

Known Issues

This release has the following known issues:

• Authenticator App based two-factor authentication might fail after upgrade to Omnissa Access 24.12.1.0
  Solution: Patch HW-247745-Appliance-24.12.1.0.zip resolves this issue. Download the patch from the Omnissa Access 24.12 Download page on Customer Connect.

• The TCP over TLS option in the syslog configuration in Omnissa Access does not work
  Solution: Patch HW-247745-Appliance-24.12.1.0.zip resolves this issue. Download the patch from the Omnissa Access 24.12 Download page on Customer Connect.

• Unable to reset the lost root or sshuser password for the Omnissa Access virtual appliance
  Solution: If you have lost the root or sshuser password to the Omnissa Access virtual appliance, try to reset the password using the Photon OS instructions. In those instructions, replace the following command:

/sbin/pam_tally2 --reset --user username

with

faillock --user username --reset

where username is either sshuser or root.

Documentation

• Omnissa Access documentation
• Omnissa Workspace ONE® Hub Services documentation

Localized Content

See KB article 6000664: Announcing Omnissa Localization Support for information about localized content.

Support Contact Information

Contact Support at Omnissa Customer Connect when you need help with your Omnissa Access environment. See How to file a Support Request in Customer Connect and via Cloud Services Portal.

Original source

With Horizon 8, IT departments can run remote desktops and applications in the data center and deliver these desktops and applications to employees. End users gain a familiar, personalized environment accessible from any number of devices, anywhere within the enterprise or home. Administrators gain control, efficiency and security by centralizing data in the data center.

Important Notes
• The Horizon 2512 Agent is now supported with both the 2503 ESB Server and the 2512 Server versions. See Compatibility Matrix for Various Versions of Horizon 8 Components for more details.
• Horizon 8 2512 with Nutanix automated pools or farms: A pairing mechanism change in 2512.1 requires that Connection Servers and Agents must both be updated to 2512.1 for ongoing provisioning operations to work. To prepare your environment for limited backward compatibility, see KB article 6001315.
• Horizon 8 is not supported with vSphere 6.5 or vSphere 6.7, which are both past the end of General Support. Horizon 8 Instant Clones are incompatible with vSphere 6.5 and vSphere 6.7 so you must upgrade to vSphere 7.0 or later before upgrading to Horizon 8 if you are using Instant Clones.
• For information about the combined offering of Omnissa Horizon with VMware vSphere Foundation for VDI, including licensing, packaging, and frequently asked questions, see KB article 6000381.

What’s New - 2512.1
Horizon 8 2512.1 is a maintenance release.

What’s New - 2512
Support for Nutanix AHV
Horizon 8 support for Nutanix AHV is now generally available. This release also adds the following features to Horizon’s support for Nutanix AHV:
• Support for Automated RDSH Farms, including published applications and desktops
• App Volumes published apps on demand
• ClonePrep customization for Pools and Farms
• Sysprep profile management through Horizon Console
• Overlay network support
• VM Hosted Apps (published Apps against Nutanix single-session Desktop pools)
• Horizon in FIPS-enabled mode
• Horizon Recording
• Workspace ONE Intelligence Horizon monitoring
• Horizon Cloud Help Desk
• DEX for Horizon

Note: Customers upgrading from Horizon 8 2506 with Nutanix Limited Availability functionality enabled will need to upgrade Horizon Agents immediately after upgrading Horizon Connection Server, due to changes in communication between Server and Agents:
• Non-persistent pools: Upgrade (or create new) Golden Image with 2512 Agent, initiate a Push Image task to update the pool
• Persistent pools: Upgrade Horizon Agent from 2506 to 2512 on each deployed VM. Upgrade (or create new) Golden Image with 2512 Agent for future pool expansion.

Horizon Connection Server
• This release includes Workspace ONE Assist integration for Horizon 8 with Horizon Cloud-connected customers. Administrators can now initiate secure remote support sessions directly from the Horizon Cloud Universal Console to an active Horizon 8 VDI desktop. This enhancement streamlines troubleshooting, eliminates the need for third-party tools, and boosts support efficiency across all environments.
• This release enhances the Helpdesk REST API to return detailed log-on segment metrics in a structured format. The updated endpoint provides breakdowns for Authentication, Brokering, Protocol Connection, GPO Load, Logon Script, Profile Load, and Interactive Session. This enables you to better monitor, diagnose, and reduce VDI log-on delays.
• This release adds per-Pod SAML configuration in Horizon, allowing administrators to define SAML settings at the Pod level instead of for each individual Connection Server. This enhancement increases flexibility, supports tenant- or Pod-specific identity requirements, and maintains full backward compatibility. It also strengthens security, improves customization options, and better aligns with varied enterprise authentication needs. Additionally, this release now fully supports the use of special characters in Dynamic Metadata URLs.
• Starting with Horizon 8 2512, encrypted backup files are not recoverable by earlier installations once the data recovery password has been modified. When upgrading to 2512 or later, it is important to ensure that all Connection Servers in the pod or cluster are upgraded before changing the data recovery password.
• This release improves accessibility compliance in Horizon 8 Connection Server in alignment with DCSA and WCAG 2.0 standards. Enhancements address previously unmet guidelines to raise the VPAT compliance score above 50%. This work supports an inclusive user experience, ensures continued eligibility for federal use, and meets mandated requirements from the CIO and federal agencies.
• The installer now automatically transfers the Schema Master FSMO role to the local LDAP instance before uninstalling existing Connection Server services during an upgrade. This prevents upgrade failures that could otherwise leave the server unresponsive. If the Schema Master role cannot be transferred, the installer aborts safely and preserves the existing services, ensuring stability during parallel upgrades.
• Favicon health checks have been moved from Tomcat to a secure gateway, providing a more efficient process. Originally, /favicon.ico polling was being processed by Tomcat, which increased load during frequent health checks. By implementing this change, overall response times are faster, back-end load is reduced, and load balancers can now poll more frequently without the previous constraint of two balancers at 30-second intervals.
• Horizon 8 now supports the policy Access Based on User Location for Automated Desktop, Manual Desktop, RDS Desktop, and Application Pools. Administrators can configure settings for Internal Access (via Horizon Connection Server), External Access (via UAG), or both. For instance, bank users on the office network may access all banking applications, whereas those connecting from home have access to email only.
• This release enhances Horizon logging for client restrictions. New audit events are recorded in the Events DB and forwarded to Syslog for SIEM visibility. Logs capture client block/warn actions details with version, IP, policy, and reason metadata. Event types include version recommendations, unsupported clients, and certificate policy outcomes.
• The default lifetime of the vdm certificate is now set to 6 months. This change enhances security by requiring certificates to be renewed more frequently, reducing the risk associated with long-lived credentials. This update aligns with current industry trends favoring shorter certificate lifetimes.
• Added role-based access control (RBAC) feature to Horizon Recording, to help admins to configure who can access Horizon Recording Console and what tasks different user groups are authorized to perform. With role-based access control, you can create roles and selectively assign privileges and create permissions and access level to specific Active Directory user groups.
• This release adds support for Single Sign-On to Entra ID joined desktops and applications when the Windows client is launched using Omnissa Workspace ONE Access. Users authenticate through Omnissa Access and can launch their Horizon desktops and applications without needing to re-enter Entra ID credentials inside the desktop. This streamlines access for environments built on Entra ID and gives on-prem organizations a smoother path when delivering Azure-based Horizon resources. ​Awaiting Microsoft GA rollout (tentative: By end of Jan 2026). See SSO to Entra ID joined desktops and applications through Workspace ONE Access section in the Desktop and Applications Guide.
• Broker-Managed Client Upgrade: Horizon Connection Server now supports the management of client upgrades for Windows and Mac clients. Administrators can enforce version policies, host installer files for desktop clients, and prompt users to update when their client version is blocked.
• This release introduces the ability to Find Machines with the grid showing the assigned users of a particular group based on group ID. Filtering and sorting is not available across columns in the Find Machines grid for the REST API in the Users and Groups workflow.

Horizon Console
• Administrators can now disable/enable load index-based RDSH session load balancing at an RDSH Farm level through Horizon Console or Horizon REST API. Previously, administrators could only disable load index-based RDSH session load balancing at a Pod level via an ADAM DB change. Additionally, the RDSH session bucketing attributes now adapt as required to ensure an even load distribution during both low and high usage periods. See Load Balancing Settings for more details.
• This release introduces server-side column-level filtering and sorting support for grid views, replacing the previous global client-side filter. The enhanced REST API now enables accurate filtering and sorting across individual columns in workflows such as Machines and Inventory. This improves data clarity, usability, and consistency as more workflows transition to server-driven UI operations.
• Administrators can now select a vGPU profile directly in the Horizon console during Instant Clone desktop pool creation or push image workflows. Previously, vGPU profiles were inherited from snapshots. This enhancement adds a vGPU profile dropdown as part of the compute profile definition when creating an Instant Clone pool, or when preparing a push image operation. This allows a single vGPU golden image to be used with different pools whilst allowing for different vGPU profiles, and removes the need to update golden images just to change vGPU profile.
• Administrators can now enable Workspace ONE UEM management directly from the Horizon Console when creating persistent (dedicated) desktop pools. This enhancement extends Workspace ONE UEM across physical devices, mobile endpoints, and Horizon VDI, delivering a unified Day-2 management experience through a single console. The integration ensures consistent policy application from day one, simplifies operations, enhances compliance and security, and reduces total cost of ownership.
• Auto Agent Upgrade is now available with expanded agent source support. In addition to Omnissa-hosted CDS and full URLs, administrators can define a UNC path to use an SMB file share for agent delivery. The Horizon console allows downloading the agent, selecting the share, and configuring it as the upgrade source.

Horizon Agent for Linux
• Support for NVIDIA Blackwell GPUs: The Horizon Agent for Linux now supports NVIDIA Blackwell GPUs in all Linux distributions. This means that Linux VDI workloads can use the latest GPU architecture.
• This release includes the URL redirection feature for the Linux Agent. Now, URLs opened in the Omnissa Horizon Linux agent’s browser can be redirected to open on the Omnissa Horizon client machine, based on user-configurable settings.
• Updated NVIDIA vGPU Support: Horizon Agent 2512 adds support for NVIDIA vGPU versions 16.12, 18.5, 19.3, and 19.4.

Horizon Agent for Windows
• Passwordless installation: Unmanaged agents can now be installed on domain-joined machines without Horizon Administrator credentials, using pre-allocation. The agent installer can also discover its pre-allocated pod or cluster.
• Horizon clients can now get and report their public IP addresses. The Horizon Agent for Windows now gets and reports the client machine’s public IP address as part of the DEX telemetry. The Horizon Client DEEM plug-in obtains the public IP from the DEEM agent when a user connects to a remote session and forwards it to the agent, which then reports it to Workspace ONE Intelligence (INTEL/WS1). Administrators gain improved visibility into connection sources, helping them monitor user activity, respond to incidents, and maintain compliance requirements.
• Windows 10 End of Support: Microsoft ended mainstream support for Windows 10 in October 2025 and now offers Extended Security Updates (ESU). Horizon extends its support for Windows 10 from release 2512 through Agent 2603, but only when the operating system is covered by Microsoft ESU. For more information, see KB 6001105.
• Agent Auto Upgrade: Agent Auto Upgrade now includes pre-flight validation checks. If a pre-flight check fails, both the agent update and the VM update are marked as failed. Pre-flight checks include:
◦ Insufficient disk space detection
◦ Windows Update in-progress check
◦ Pending reboot validation
◦ Invalid or unreachable UNC path checks
• Support for NVIDIA Blackwell GPUs: The Horizon Agent for Windows now supports NVIDIA Blackwell GPUs on Windows 10, Windows 11, and Windows Server guest operating systems. This allows high-performance graphics workloads on the latest GPU generation.
• Horizon V2 Agent now supports the ability to run a post-customization script. Administrators can configure a script to run after the Agent has completed customization, including Azure AD join, on-prem AD join, hybrid join, Instant Clone domain join, and LCM “skip domain join” scenarios. This capability is controlled using new JSON configuration fields and registry values for execution and status tracking.
• Enhanced USB Redirection for RDS Hosts: The Horizon Agent for Windows (RDSH) now supports redirecting multiple USB devices that share the same Vendor ID (VID) and Product ID (PID). Previously, only a single device with a matching VID/PID pair could be redirected to a session. This enhancement allows environments using identical USB hardware (such as scanners, HID devices, or custom peripherals) to attach multiple instances simultaneously.
• Updated NVIDIA vGPU Support: Horizon Agent 2512 adds support for NVIDIA vGPU versions 16.12, 18.5, 19.3, and 19.4.
• Windows 11 25H2 and Windows Server 2025 Support: Full support has been added for Windows 11 25H2 and Windows Server 2025, including Single-Session Desktops, Multi-Session Farms, and App Mode configurations. Support for Windows 11 22H2 has ended.

Horizon 8 on Amazon WorkSpaces Core
• Provisioning operations have been enhanced to deliver significantly faster pool creation times. In some cases, provisioning time has been reduced by as much as 60%, improving efficiency and scalability. See KB 600123 for additional information.
• Agent Auto Upgrade for Horizon 8 on Amazon WorkSpaces Core dedicated pools is now supported. This feature allows administrators to automatically update the Horizon agents on WorkSpaces instances. The WorkSpaces instances need to be in the available state to use this feature. See Auto Upgrade Horizon Agent for more information.
• Administrators can now configure Power Optimized - Hourly Pools with zero online spares to reduce costs. By setting the spare count to “0” and selecting the option to provision all machines up front, all machines will be provisioned and then suspended to minimize ongoing expenses. When a user entitlement is launched, the WorkSpaces instance is powered on and delivered to the user on demand, ensuring cost efficiency without compromising availability. Power Scheduler is no longer needed and your entitlements are available whenever required.
• Administrators can now enable Workspace ONE UEM management and enroll machines directly from the Horizon Console when creating dedicated desktop pools.
• Helpdesk Remote Assistance is now available with Horizon 8 on Amazon WorkSpaces Core. You can generate remote assistance tickets for connected desktop or application sessions. Administrators can use remote assistance to take control of a user’s desktop and troubleshoot problems.
• Omnissa Horizon 8 on Amazon WorkSpaces Core now supports hybrid Microsoft Entra deployments in both Federated and Managed modes

Remote Desktop Features
• This release introduces GPO-based control to map URL redirection to an existing connected VDI session. URLs redirect to the most recently connected VDI when multiple sessions exist, or fall back to a defined default VDI when none are active. If no default applies, users can choose to launch in a VDI or local browser.
• Enhanced BENIT Transport Switching: The enhancement of BENIT switching to maintain performance amidst fluctuating network conditions.The BENIT transport switching logic can use the TCP connection quality to help it switch the active transport between TCP and BEAT. This approach allows for a more flexible adaptation of the Blast transport to the current network conditions, enhancing the end-user experience in varying network environments. This enhancement applies only to Windows Horizon Agent and All Clients.
• Blast Compatibility with NVIDIA GPUs on vSphere/VCF 9.x: Horizon now supports Blast connections using NVIDIA vGPUs on vSphere and VMware Cloud Foundation (VCF) 9.x. This update enables GPU-accelerated Blast performance across supported guest operating systems, including Windows 10, Windows 11, Windows Server, and supported Linux distributions.
• Horizon now supports Blast Extreme Adaptive Transport (BEAT) over Reverse Connection. Previously, Reverse Connection supported only TCP-based Blast. BEAT now works in Reverse Connection deployments without requiring any additional configuration, aside from ensuring outbound UDP connectivity from the agent to the UAG.
• Updated NVIDIA VideoSDK Support and Enhanced Blast Encoding Capabilities: Blast now upgrades to NVIDIA VideoSDK 13, replacing the legacy SDK 8 support and enabling use of both SDK 12 and SDK 13. This update includes improvements to encoder presets and tuning profiles as recommended by NVIDIA, resulting in improved compression efficiency to deliver higher video quality at lower bitrates.
• Dynamic Time Zone Redirection for RDSH: Added support for dynamic time zone redirection in RDSH (multi-session) environments to ensure the user’s client time zone, including dynamic DST rules, is accurately applied in the session. (This is already supported in VDI single session.)
• Vvc Raw Channel support for Blast MKS/Audio is now supported on Mac and mobile clients, and in deployments using UAG.
• Some of the performance enhancements in Vvc Raw Channels have been extended to all other Vvc-based features on TCP.
• Support for MS Teams Zoom Feature: Horizon Agent now supports the Zoom feature when using the Omnissa WebRTC Teams Optimization.
• Manual Noise Suppression Control: Horizon now adds support for manually disabling Noise Suppression when using Horizon Teams Optimization (WebRTC 1.0).

Windows OS Optimization Tool for Omnissa Horizon
• This release adds support for Windows 11, version 24H2 and later.

Resolved Issues - 2512.1
The numbers included before the resolved issues refer to the issues logged in the Omnissa internal issue tracking system.
• AST-8489: Addressed an issue where certain UWP applications, including Microsoft Photos, HEVC Video Extensions, and HEIF Image Extensions, could take up to 15–20 minutes to register after user logon when the Windows image was optimized using the “Keep all Store apps” option.
• HZN-7784 - vCenter managed manual desktop pools could not be created with the 3D Renderer set to NVIDIA GPU because the virtual machine grid did not display any vGPU-compatible VMs. Also, editing and saving an automated pool (Instant Clone or Full Clone) with vGPU enabled could fail, resulting in the error “max_number_of_monitors cannot be set if grid_vgpus_enabled is set to true,” even though the Max number of monitors field was grayed out and could not be changed in the UI.
• HZN-7808 - Horizon Connection Server, operating in Workspace ONE, incorrectly reported the error “Your Horizon Client version does not support the features of this Horizon Connection Server. Please upgrade your Client.” Subsequent desktop or application launches were blocked after the user’s SSO credentials became locked following the initial launch.
• HZN-7810 - In the Admin Console, unable to sort machines by the Pending Image column on the Machines tab for Instant Clone pools.
• HZN-7844 - Published Apps on Demand from App Volumes 2512 failed to launch and displayed the error message, “The application could not be launched, possibly because it is missing or misconfigured.”
• HZN-7478 - Nutanix FIPS mode desktop pools fail to customize resulting in timeout errors.
• VCART-10256 - Nutanix Clone Prep desktop pool was getting stuck in “Hybrid domain join in progress”.

Resolved Issues - 2512
The numbers included before the resolved issues refer to the issues logged in the Omnissa internal issue tracking system.
• HZN-7190 - Horizon Connection server may experience high CPU usage caused by SamlReconfigure.
• HZN-5129 - Unable to change AD container from default of CN=Computers in Horizon Console when creating a Nutanix pool.
• HZN-5146 - Spare VMs are generated during the reprovisioning phase following a push operation in an on-demand instant-clone pool.
• HZN-5409 - Users may observe that machine assignments changed from readable username to GUID.
• HZN-5591 - Slow loading of user sessions in the Admin UI is significantly impacting helpdesk staff productivity and user access.
• HZN-5776 - Users may experience intermittent issues with on-demand power on/off functionality within their Horizon VDI sessions.
• HZN-6120 - Unable to save vTPM flag value set during push operation scheduled through REST API.
• HZN-6137 - The Helpdesk tool is failing to properly disconnect VMs between pods, resulting in session errors.
• HZN-6202 - Some users experienced upgrade failures requiring replica server removal and subsequent standard server upgrades.
• HZN-6331 - Provisioning error banner not cleared on admin console though provisioning was sucessful later after fixing provisioning error.
• HZN-6444 - An instant clone becoming unavailable and reporting as “Agent Disabled” in the Horizon console, even though the VDI appears to be functioning correctly
• HZN-6726 - Cluster Identity certificate shows not in use in the Horizon console even after replacing it with a CA-signed cert.
• HZN-6733 - A maximum of 10 networks are shown for selection during Nutanix pool creation workflow.
• HZN-6734 - RDS servers with active user sessions are moved into disabled state when push operation is performed with “wait for users to log off”; however, their status continues to appear as “Available” in the Horizon admin UI.
• HZN-6911 - The pool power policy is configured to power off; however, when users log off, the VDI desktops remain powered on instead of shutting down.
• HZN-6931 - Some users may have experienced difficulties associating network labels with Full Clone desktops during pool creation.
• HZN-6958 - New full-clone persistent VDIs created through API or Network Label Tool deploy on the master template’s VLAN instead of the pool’s updated VLAN.
• HZN-7024 - Logon segment metric data may intermittently disappear within a few minutes, impacting reporting accuracy.
• HZN-7053 - The Horizon Admin console incorrectly displays no events, preventing users from quickly identifying issues within the cluster.
• HZN-7075 - Despite Password Cache being enabled and TrueSSO mode being disabled in Workspace ONE, TrueSSO login is still being initiated.
• HZN-7189 - When administrators search for users and try to select the user’s VM session, they may encounter an error if the VM is running RHEL 9.6.
• HZN-7275 - Users reported a slow System Health Dashboard after upgrading to 2503.1.
• HZN-7356 - Some users are unable to reset their desktops from the Workspace ONE Access Hub Console.
• HZN-7365 - Connection via F5 to connection server is not working after upgrade to 2503.
• UBI-585 - Refresh OS disk after n days setting for Nutanix pools causes refresh after logoff.
• UBI-680 - Unable to re-register a Nutanix golden image with Connection Server.

Known Issues
The numbers included before the known issues refer to the issues logged in the Omnissa internal issue tracking system.
Before upgrading to this release, please review the information in KB 6000681 and Upgrading to Omnissa Horizon 8 2412 and Later.

Horizon Connection Server
• HZN-5160: Sorting and filtering capabilities have been removed for specific columns in administrative grids. This results in a loss of functionality compared to previous releases and may impact administrative workflows.
Workaround: None
• HZN-7443: If a VM is stuck in Customization state, delete the VM from Horizon Admin Console or Horizon REST API. Horizon will then recreate the VM.
• When there are more than ten global dedicated entitlements available to a user, the machine host name will sometimes not be visible in global entitlements if the “Show assigned host name” option is enabled.
• Scheduling an upgrade for an RDS host may complete successfully, but the upgrade itself can fail when the scheduled time is reached.
Workaround: See KB article 6000992.
• If Horizon Events Database is hosted by an instance of Microsoft SQL Server (any version), do not disable TLS 1.2. This connection cannot be made over TLS 1.3.
• HZN-2542: When changing the browser locale and refreshing the Horizon Console UI, error alerts fail to display for the newly selected language.
Workaround: Log in to Horizon Console in a new browser tab.
• HZEC-2336: View API consumers like the MP4H Adapter invoke MachineDetailsView. This API fails intermittently with user data not found error.
Workaround: None
• HZEC-2873: Number of issues reported for ESXi Hosts in the dashboard summary may not match with number of issues reported in the dedicated ESXi Host issues section in the dashboard. If NVIDIA vGPU support detects a mismatch with the supported vGPUs for the given host, the issue count should be incremented but the count may not display in the UI.
Workaround: View the warnings in Dashboard > System Health > View > vSphere > ESX Hosts.

Horizon Agent for Windows
• HZN-8997: The Admin UI displays an incorrect GOS type for the Agent VM following the upgrade from Windows 10 to Windows 11.
Workaround: Remove the machine from the Admin UI (under Registered Machines > Others), then reinstall the unmanaged agent. After completing these steps, the Admin UI correctly displays the operating system as Windows 11.

Horizon Agent for Linux
This section describes issues that might occur with Horizon Agent for Linux or when you configure a Linux desktop.
• VCART-9593: Linux VDI sessions fail to launch when FIPS mode is enabled on RHEL 8.10. There is no workaround for this issue.
• VCART-1502: The Session Collaboration icon disappears from the system tray after resizing a Debian 12.x desktop.
Workaround: Disconnect from and reconnect to the desktop. The Session Collaboration icon usually appears after reconnection to the desktop. Alternatively, you can try restarting GNOME Shell with the following steps:
1. Press Alt+F2 to display the Run a Command dialog box.
2. Type “r” in the dialog box.
3. Press Enter.
• VCART-9623: Sometimes the Collaboration window might not appear after you connect to a remote desktop and click the Collaboration UI icon.
Workaround: Resize the desktop window or reconnect to the remote desktop.
• VCART-9624: The Linux agent’s keyboard layout and locale do not synchronize with the client if the Keyboard Input Method System is set to fcitx.
Workaround: Set the Keyboard Input Method System to iBus.
• VCART-9625: If you configure two monitors with different resolutions, and the resolution of the primary screen is lower than that of the secondary screen, you might not be able to move the mouse or drag application windows to certain areas of the screen.
Workaround: Make sure that the primary monitor’s resolution is at least as large as the secondary monitor’s.
• VCART-9626: If a client user minimizes the window of a Linux published application using the Minimize command and then selects the Maximize command, the window is restored to its previous size instead of changing to full-screen mode as expected.
Workaround: To change to full-screen mode, select the Maximize command again.
• VCART-9627: Linux published applications do not support using the window taskbar to divide the work area in a multiple-monitor display. For example, suppose a client user has two monitors arranged side by side. If the user moves the taskbar to the right side of the left monitor’s screen or the left side of the right monitor’s screen, the work area is divided into two parts. However, if the user then maximizes the application window, the window is displayed incorrectly in relation to the taskbar.
• VCART-9638: When connecting to a Linux published application from Horizon Client for Mac, the application window is displayed with square corners instead of rounded corners.
• VCART-9639: If a client user leaves a nonmodal dialog box open in a Linux published application and then makes active a native application on the client system, part of the dialog box will appear to be missing when the user returns to the published application.
• VCART-9640: If the client user minimizes a Linux published application window or brings another application in front of the published application window, the taskbar fails to display the thumbnail preview of the published application window. Hovering over the published application icon in the taskbar displays a blank thumbnail instead of the contents of the published application window.
• VCART-9641: Linux published applications do not support the Aero Snap feature on Windows client systems. Users connecting to a Linux published application from Horizon Client for Windows do not have the capability to snap or fix windows to the edges of the computer screen using the keyboard or mouse.
• VCART-9642: Linux published applications do not support the jump list feature on Windows client systems. If a user connects to a Linux published application from Horizon Client for Windows and right-clicks the taskbar icon for the application, no jump list is displayed.
• VCART-9643: Due to a limitation in the work area, Linux published application windows cannot be moved partially off the edge of the client’s screen or work area. If the user attempts to move a published application window past the edge of the screen, the window will bounce back inside the screen’s boundaries.
• VCART-9644: If the client user opens a modal dialog box from a Linux published application, that dialog box might not appear in front of native windows.
• VCART-9645: When connecting to a published application from a Windows client system, there are some differences between the context menus of the Windows taskbar and the application window’s title bar. Shift + right-clicking the application icon in the Windows taskbar displays a menu with the items: Restore, Move, Size, Minimize, Maximize, Close. Right-clicking the application window’s title bar displays a menu with the items: Minimize, Maximize, Move, Resize, Close.
• VCART-9646: Published applications do not support the Move and Size context commands for the taskbar on Windows client systems. When a user Shift + right-clicks the published application icon in the Windows taskbar, Move and Size appear in the menu but neither command has any effect if selected.
• VCART-9647: Published applications do not support the Size command from the application window’s context menu. When a user right-clicks the title bar of the application window, Size appears in the menu of commands but has no effect if selected.
• VCART-9648: When a user opens multiple session windows for the same published application on a Windows client system, the Cascade all windows command has no effect.
• VCART-9649: If a Windows client user with a dual monitor configuration maximizes a published application in the lower-resolution monitor’s work area, the Windows taskbar turns black.
• VCART-9650: After publishing a LibreOffice application as an application pool, duplicate LibreOffice icons might appear in Horizon Client.
Workaround: From the Connection Server, manually assign the icon for the LibreOffice application.
• VCART-9651: Linux published applications do not support the Multi-Session Mode option in the application pool settings in Horizon Console.
• VCART-9652: When connected to a Linux published application, if the user opens a dialog box related to user account controls (such as when editing firewall settings), the desktop will not show.
• VCART-9653: Horizon Agent for Linux does not support session stealing between published desktops and published applications. For example, if a user has opened a published desktop session and then attempts to open an application session based on the same farm, the desktop session remains active and the application session is not established. Likewise, if the user has opened an application session and then attempts to open a published desktop session based on the same farm, the application session remains active and the desktop session is not established.
• VCART-9628: If a user types an entry into the Session Collaboration invitation text box and moves the cursor away from the text box, the original entry is cleared.
• VCART-9629: If a client user with a multi-monitor system opens a published application in seamless window mode, display problems might occur when moving the application window between monitors.
Workaround: Shift + right-click the application icon in the client’s task bar and select Maximize to enlarge and refresh the window display.
• VCART-9644: Display problems might occur when a client user opens published applications in seamless window mode on a multi-monitor system where some monitors have portrait orientation and other monitors have landscape orientation. If the user maximizes the application windows in all the monitors, the task bar appears black in the landscape monitors.
• VCART-9630: When client users copy content containing images in rich text format and then paste the content into an application on a remote Linux desktop, the images might be missing from the pasted content. This issue is caused by a limitation in certain third-party applications such as OpenOffice or LibreOffice, not by Horizon Agent for Linux.
Workaround: Use a clipboard manager to retrieve the missing content from the clipboard.
• VCART-9632: The Enter Ctrl + Alt + Del control in Horizon Client does not take effect when connected to a RHEL 7.9 desktop with MATE desktop environment.
Workaround: Use the default keyboard shortcut for logging out of a MATE desktop. Or, define a custom keyboard shortcut for logging out.
• VCART-9633: A small blank recording (2-3 kb) is sometimes created when a blast session running on Linux agent is being recorded by the Horizon Recording solution.
Workaround: None. There is no adverse effect on the functionality except that a small recording can be seen in the recordings page for some of the sessions during a fresh logon.

Horizon Agent for Windows
• VCART-7428: Scheduling an upgrade for an RDS host may complete successfully, but the upgrade itself can fail when the scheduled time is reached.
Workaround: See KB article 6000992.

Horizon Client
This section describes problems that end users might encounter when using Horizon Client or Horizon Web Client to connect to remote desktops and applications. For problems that occur only in a specific Horizon Client platform, see the Horizon Client release notes in the Omnissa Product Documentation portal.
• VCART-9656: When you connect to a Linux desktop, some keyboard inputs do not work. For example, if you are using a non-English IME on both the client device and the remote desktop, some non-English keys are not displayed correctly.
Workaround: None.
• VCART-9655: When you use the Ambir Image Scan Pro 490i to perform a scan on a remote desktop or application, the dialog box always displays “Scanning…” and does not complete.
Workaround: Perform a scan on the client. The client scan calibrates the scanner. After the calibrate operation is finished, save the calibration file and deploy it in ProgramData\AmbirTechnology\ImageScanPro490i.
• VCART-4245: HDR support for full screen mode is limited to a scenario where the selected monitor is the primary monitor.
Workaround: None.

Windows OS Optimization Tool
• When the exported analysis report is exported to the same VM where you’re running the Optimization Tool EXE, the report is auto-deleted after running the tool’s Generalize task. Even though you’ll still be able to view the report inside the Optimization Tool user interface, the exported report is deleted after Sysprep runs (Sysprep runs as part Generalize).
Workaround: Export the analysis report to another location on the network instead of saving the report into the current user folders on the same VM. Because those user folders get deleted as part of Sysprep, if saved in those folders on the VM, the report is deleted during the Generalize run. If you specify to redirect the report to another location on the network, the report will be retained after running Generalize.

APIs
• HZN-3296: REST API ObjectGUIDs change after certain events, such as disaster recovery and pod rebuilding.
Workaround: Do not rely on ObjectGUIDs as persistent identifiers. After an event such as disaster recovery and pod rebuilding, resync any third-party applications to the new ObjectGUIDs.

Nutanix
• HZN-6730: Desktops are not able to refresh when the connection server is down and the replica server is up.
Workaround: None
• HZN-6964: Registered machines can be deleted when pools exist.
Workaround: None
• HZN-7169: Farms can be created using the Windows 10 GI template.
Workaround: None

Horizon 8 API
For the latest set of Horizon 8 APIs, see Omnissa Developer Portal and navigate to the current release in the drop down. Click on the Documentation tab for more details and examples on how to use the API.

Horizon Edge and Horizon Cloud Connector
Applicable to customers with Horizon Universal Subscription, Horizon Enterprise Plus Subscription, Horizon Standard Plus Subscription, Horizon Apps Universal Subscription, or Horizon Apps Standard Subscription.
The Horizon Edge is a required component for connecting Horizon 8 to Horizon Control Plane next-gen for subscription licensing enablement and additional control plane SaaS services.
The Horizon Cloud Connector virtual appliance is a required component for connecting Horizon 8 to the first-gen Horizon Control Plane for subscription licensing enablement and additional control plane services.

Horizon 8 Deployed on Public Cloud SDDCs
For a list of Horizon 8 features supported on Azure Omnissa Solution (AVS), see KB 80850.
For a list of Horizon 8 features supported on VMware Cloud on AWS, see KB 58539.
For a list of Horizon 8 features supported on Google Cloud VMware Engine (GCVE), see KB 81922.
For a list of Horizon 8 features supported on Oracle Cloud Omnissa Solution, see KB 88202.
For a list of Horizon 8 features supported on Alibaba Cloud Omnissa Service (ACVS), see KB 92140.

Before You Begin
• Important note about installing VMware Tools: If you plan to install a version of VMware Tools downloaded from the product downloads page, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the Omnissa Product Interoperability Matrix. (Supported versions: 11.1.0, 11.0.6, 10.3.22, 10.3.21). There are also performance issues with the 11.x versions of VMware Tools. For more information, see KB 78434.
• When you deploy an instant clone as a RDS host, do not reboot the RDS host directly from within the Windows Server OS. Instead, refresh the instant clone VM using the push image workflow.
• To use View Storage Accelerator in a vSphere environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.
• For best practices on using Carbon Black with Horizon 8, see KB 95512.
• Horizon 8 supports a maximum of 500 virtual machines per ESXi host when using vSAN 8 ESA datastore. The achievable maximum depends on the workload and specifics of the hardware. For information on all Horizon configuration maximums, see VMware Configuration Maximums.

Upgrade
Check the Omnissa Product Interoperability Matrix before upgrading your Horizon deployment. Note the following guidance:
• You can only upgrade to a version with a release date later than your current deployment.
• When upgrading from a non-ESB version to an ESB version, the target ESB version must be later that your current non-ESB release. For example, you cannot upgrade from Horizon 8 2203 (non-ESB) to Horizon 8 2111.1 (ESB) even though 2111.1 was released after 2203 (or you will lose features). You can only upgrade to Horizon 8 2212 or later versions.
• Important: Please allow for extra time and preparation when you upgrade from a VMware-branded Horizon version to an Omnissa-branded Horizon version. For more details, see KB 6000681 and Upgrading to Omnissa Horizon 8 2412 and Later.

Compatibility Notes
The table below contains specific compatibility information as well as links to information located elsewhere.

Use of Open Source
As part of the installation process, an open_source_licenses.txt file is written to the file system. Key open-source components included in this release are:
• Horizon Connection Server 2512 is built on the Apache Tomcat implementation of Jakarta EE, version 10.1.49.
• Horizon Agent for Linux 2512, Horizon Agent for Windows 2512, and Horizon Connection Server 2512 all utilize the BellSoft Liberica distribution of OpenJDK, version 17.0.16.0.1 (CPU).

Documentation
Horizon 8 documentation is in the Omnissa Product Documentation portal.

Localized Content for Omnissa Docs
For details on Omnissa’s localization strategy, see Announcing Omnissa Localization Support.

Support Contact Information
To receive support and to learn more about support policies, see Omnissa Customer Connect.
For information on filing a support request in Customer Connect and via Cloud Services Portal, see KB 6000005.

Original source

Experience Management for Windows and Horizon Release Notes describe the new features and enhancements in each release. These notes contain a summary of the new capabilities, issues that have been resolved, and known issues that have been reported in each release.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 and KB6000802 for more information.

Experience Management 25.09.2 for Windows

What’s New

This patch release concerns Experience Management for Windows and not Experience Management for Horizon.

Windows

• In this release, we’ve made updates containing general quality and performance improvements.

Minimum Requirements

Windows

Minimum requirements for Experience Management 25.09.2 for Windows

• A Microsoft supported Semi-Annual Channel Windows 11 Version 21H2 or later
• Hardware Specifications:
  • 1Ghz processor with minimum of 4 cores
  • 8GB RAM
  • 256GB Hard disk space
• Omnissa Workspace ONE Intelligent Hub for Windows 24.12 or later
• Workspace ONE Experience Management for Windows package
• Omnissa Intelligence tenant opted-in and the Desktop Advanced Telemetry integration card activated

Resolved Issues

Windows

• We are always working to improve Experience Management with every release. There are no major bug fixes to report.

Known Issues

Windows

• We haven’t identified any notable known issues in this release. If you’re facing any problems, reach out to our support team.

Download Instructions

Windows

• Omnissa Workspace ONE Experience Management for Windows and Horizon is available as a resource on Customer Connect.

Windows

• Experience Management for Windows is delivered with the Workspace ONE Intelligent Hub for Windows app. Direct users to download the Workspace ONE Intelligent Hub for Windows app from getwsone.

Original source

The Omnissa Connect Release Notes outline the new features and enhancements in each release. This page contains a summary of the new capabilities, issues that have been resolved, and known issues that have been reported. With Omnissa Connect, you can access your Omnissa solutions portfolio from a centralized location.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

Omnissa Connect 26.05.12

New Features

• In this release, we’ve made a few updates containing general quality and performance improvements with no new features.

Resolved Issues

• CXP-8182: Fixed an issue where the system was not enforcing an organization level IP Authentication Policy during login.

Known Issues

• We haven’t identified any notable known issues in this release. If you’re facing problems, reach out to the Omnissa Global Customer Support (GCS) Team.

Original source

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

Omnissa Workspace ONE Content for Android Release Notes detail the new features and enhancements in each release. This page contains a summary of the new capabilities, issues that have been resolved, and known issues that have been reported in each version.

Workspace ONE Content 26.04 - March 2026

New Features

• Provision for users to view For You sections as per the order configured in Workspace ONE UEM.
• Seamless admin and user repository authentication experience when repository and enrollment credentials are the same.

Note

For information about new features and improvements on Workspace ONE UEM, see Workspace ONE UEM Documentation at Omnissa Docs.

Minimum Requirements

• Android 9+
• Workspace ONE UEM Console 2410+. For more information, see the Knowledge Base article Workspace ONE (WS1) UEM Console Release and End of General Support Matrix (2960922).

Resolved Issues

Note

The numbers included before the resolved issues are used for internal issue tracking.

• AST-18946: Print option not available in Android Content app for pdf file uploaded in UEM Console.

Known Issues

We have not identified any notable known issues in this release. If you are facing any problems, feel free to reach out to our support team.

Original source

We’re excited to share the new release of Workspace ONE UEM version 2506! Read on to learn about the new features and improvements in this release.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware-owned domains to Omnissa-owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa-owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

What’s New in this Release

Android Management

Experience seamless single sign-in and sign-out with Microsoft Entra for shared Android devices

You now have the advantage of a smooth single sign-in and sign-out process for applications that support the Microsoft Authentication Library (MSAL) on shared Android devices using the Workspace ONE Launcher. This feature supports first-party Microsoft applications such as Teams and any third-party applications that integrate MSAL and support Microsoft’s Shared Device Mode.

To use this feature, organizations must configure devices to use Check-in/Check-out (CICO) with Workspace ONE Launcher. Users authenticate with Microsoft Entra to check out the shared device. Users only need to launch supported MSAL-enabled apps to start using them. When users log out of Workspace ONE Launcher, they are automatically signed out of these applications. Additionally, this feature provides an alternative to the Workspace ONE Mobile SSO for organizations that cannot federate Microsoft Entra with Workspace ONE Access or cannot use Workspace ONE Tunnel as their VPN client.

Remotely deliver certificates to your device using SCEP payload

A new SCEP payload is now available in Android Custom DPC profiles. Push this profile to enable the remote delivery of certificates to your device from your certificate authority using the SCEP protocol. The Intelligent Hub obtains an SCEP challenge from Workspace ONE UEM, securely generates a private key on the device, and acquires the certificate from your certificate authority. The Hub then adds the certificate to the Android Keystore, where other applications on the device can access it. Silently granting applications access to these certificates is supported. Workspace ONE UEM currently does not support the use of the SCEP payload for configuring Wi-Fi with certificate-based authentication.

Configure Access Point Names (APNs) for work managed Android devices

A new Access Point Name (APN) payload is now available in Android Custom DPC profiles. Push this profile to remotely add APNs for mobile networks to Android devices. Additionally, you have the option to mandate that your Work Managed devices utilize only managed APN settings. This allows organizations to easily deploy private APNs to better secure access to corporate resources over mobile networks. This is supported on Android 9.0 and higher that are enrolled in Work Managed mode.

Android Management Mode Filter for Smart Groups

You can now create Smart Groups that capture Android devices with a specific Android Management Type (Custom DPC vs AMAPI) and Android Management Mode (Work Profile, Work Managed, or COPE).

Note: This feature is available on demand in Workspace ONE UEM 2506. Please contact your Omnissa representative or submit a support request to enable this functionality. This feature will be generally available in Workspace ONE UEM 2509.

Certificate Management

Integrate OID-SID and SAN into certificate templates

To meet the updated certificate requirements, we have enhanced certificate templates within Workspace ONE UEM to include OID-SID Extension and support for SID values in the SAN field.

• When assigning a certificate to a user in Active Directory (AD), it is essential to format the certificate entry using one of the strong formats.
• Ensure that the Security Identifier (SID) is selected in the Active Directory Certificate Services (ADCS) certificate template. The Certificate Signing Request (CSR) must contain the OID-SID key-value pair and this extension is present in the generated certificates.
• Alternatively, the same value can be submitted in the SAN field and is the primary implementation for SCEP-based certificates.

For more information, see Certificate-based authentication changes on Windows domain controllers.

Integrate DigiCert ONE with Workspace ONE UEM for enhanced security

Workspace ONE administrators can now set DigiCert ONE as a trusted certificate authority within UEM. Following this, they can create a certificate template and utilize the profile’s credential payload to issue and deploy certificates. This integration significantly enhances stability, security, and authentication, facilitating the effective use of certificates across various domains, including Public Key Infrastructure (PKI) and S/MIME.

Freestyle Orchestrator

Streamline onboarding entitlements in workflows

Onboarding entitlements within workflows allow administrators to prioritize resources essential for onboarding, which take precedence over other resource assignments. This is available only for Windows. For more information, see Onboarding Workflows.

Enhance device onboarding through offline domain join within workflows

You can now incorporate the domain joining process into workflow systems, enhancing the onboarding process for devices and allowing devices to join a domain before other resources are deployed. This is available only for Windows. For more information, see Offline Domain Join in Workflows.

In-line Sensor evaluation: A better way to use Sensors within workflows

Sensors are now assessed at their step within the workflow rather than at the beginning of workflow execution. This approach enables administrators to monitor sensor values within the workflow as needed instead of re-using the value stored from evaluations done prior to the start of execution.

Enhanced reporting for application deployments within Freestyle Orchestrator

Gain better visibility into application deployment outcomes with improved reporting capabilities for Windows devices. When app deployments are triggered from Freestyle workflows, you’ll now receive detailed status updates, clear failure reasons, and timestamp enrichments.

Workflow Engine Enhancements

The workflow engine has undergone a significant backend enhancement with an upgrade to .NET 8.

iOS Management

Enhance device security with Managed Device Attestation

Managed Device Attestation is available for devices running iOS 16, iPadOS 16.1 or later with Apple Silicon or A11 Bionic chip or newer. This feature offers robust verification of the device’s properties, which are essential for trust evaluation. This cryptographic declaration of device properties is based on the security of the Secure Enclave and the Apple’s attestation servers. By leveraging attributes such as Serial Number, UDID, and OS version, Managed Device Attestation enhances trust evaluations for devices enrolled through Automated Device Enrollment or profile-based device enrollment. For more information, see Managed Device Attestation.

This feature is Generally Available from 2506 Patch 1.

After device wipe, return to service easily with automated reprovisioning process

With this exciting new feature, organizations can easily wipe all user data from a managed iOS device and get the device back into service without needing administrators to physically handle it. Workspace ONE UEM supports Return to Service functionality for iOS 17 devices, allowing MDM to add an enrollment and Wi-Fi profile to the device wipe command. This automated process eliminates the need for manual Wi-Fi configuration by administrators post-Device Wipe. For more information, see Return to Service.

Easily release a device from Apple Business Manager and Workspace ONE UEM

You can release corporate iPhones and MacBooks from Apple Business Manager or Apple School Manager if they’ve been sold, lost, are beyond repair, or when an employee moves on from your organization. With Workspace ONE UEM, you can now release devices using the Enterprise Wipe, Device Wipe, and Delete Device actions. By default, this capability is only available to administrators with the System Administrator role, with plans to extend access to Console Administrator and AirWatch Administrator roles in the near future. For more information, see Release a Device.

Enhance Apple Books delivery with Modern SaaS Architecture

The delivery of Apple Books (internal and public, not VPP books) now leverages our Modern SaaS Architecture to significantly improve delivery performance. Read more about our new architecture here.

Apple GitHub integration for DDM configurations is now available

Declarative Configurations was in limited rollout in 2410 release and is now Generally Available from 2506 Patch 3. Declarative Configurations now integrate directly with Apple’s GitHub-hosted MDM developer documentation. This integration streamlines how we implement and update DDM configurations, enabling significantly faster development cycles and improved alignment with Apple’s latest specifications. To explore Declarative Configurations in Apple’s GitHub MDM documentation, visit the GitHub Device Management repository.

The following new DDM configurations have been added with 2506 patch 3:

• Software Update: Settings
• Math Settings

Launcher

Custom XML Settings Integrated into the Console

Some settings introduced to Workspace ONE Launcher can only be configured through XML pushed through the Custom Settings profile. We have configured these settings as native features or settings in the Launcher profile payload.

The following features have been integrated into the Launcher profile:

• Speed Lock
• Dynamic App Availability
• Show Logout Button from Guest Mode
• Require Tunnel before Launcher

For more information, see Workspace ONE Launcher product documentation.

Linux Management

Easily implement firewall rules on Linux devices

In addition to the recent profile releases, including Date/Time, Proxies, Passcode, and Restrictions, we are excited to introduce support for a Linux Firewall Profile. This new profile allows users to configure firewall rules that will be enforced on the device once assigned and deployed. For more information on profiles, see Linux Profiles.

Enhancements to Workspace ONE Sensors

To provide greater flexibility and choice, administrators now have the option to write Workspace ONE Sensors using Python 3, in addition to the existing option of using Bash. For more information, see Sensors for Linux Based Devices.

macOS Management

Enhance device security with Managed Device Attestation

Managed Device Attestation is available for devices running macOS 14 or later with Apple Silicon or A11 Bionic chip or newer. This feature offers robust verification of the device’s properties, which are essential for trust evaluation. This cryptographic declaration of device properties is based on the security of the Secure Enclave and Apple’s attestation servers. By leveraging attributes such as Serial Number, UDID, and OS version, Managed Device Attestation enhances trust evaluations for devices enrolled through Automated Device Enrollment or profile-based device enrollment. For more information, see Managed Device Attestation.

This feature is Generally Available from 2506 Patch 1.

Easily release a device from Apple Business Manager and Workspace ONE UEM

You can release corporate iPhones and MacBooks from Apple Business Manager or Apple School Manager if they’ve been sold, lost, are beyond repair, or when an employee moves on from your organization. With Workspace ONE UEM, you can now release devices using the Enterprise Wipe, Device Wipe, and Delete Device actions. By default, this capability is only available to administrators with the System Administrator role, with plans to extend access to Console Administrator and AirWatch Administrator roles in the near future. For more information, see Release a Device.

Apple GitHub integration for DDM configurations is now available

Declarative Configurations was in limited rollout in 2410 release and is now Generally Available from 2506 Patch 3. Declarative Configurations now integrate directly with Apple’s GitHub-hosted MDM developer documentation. This integration streamlines how we implement and update DDM configurations, enabling significantly faster development cycles and improved alignment with Apple’s latest specifications. To explore Declarative Configurations in Apple’s GitHub MDM documentation, visit the GitHub Device Management repository.

The following new DDM configurations have been added with 2506 patch 3:

• Account: CalDav
• Account: CardDav
• Account: LDAP
• Account: Mail
• Account: Subscribed Calendar
• Math Settings
• Screensharing: Connection
• Screensharing: Host Settings
• Disk Management: Settings
• Software Update: Settings

Resource Management

Pending Actions visible for troubleshooting

When troubleshooting device issues, you now have the advantage of accessing Pending Actions. This feature provides a comprehensive list of planned resource installation and uninstallation commands for Apps, Profiles and Workflows on a device the next time it checks in. To view a device’s Pending Actions, go to Device Details, navigate to More > Troubleshooting, and then select the newly added Pending Actions tab.

Installation metrics now retained upon Resource and Smart group updates

When assignment or payload updates are made to apps and profiles, or when their assigned Smart groups are modified and republished, installation metrics achieved so far will now be retained and remain visible on the Deployment Tracking page as Currently assigned. It denotes all devices having a confirmed assignment to an app or profile at any given time. This enhancement is currently being rolled out on a Limited Availability basis starting with Patch 16. If you are interested in an early access, get in touch with your account team.

Faster resource delivery for larger device populations

Faster resource delivery is now supported for a larger device population when apps and profiles are published. This type of delivery is initiated whenever new apps or profiles are published, assignments for existing ones are updated, profile payloads are modified, or Smart Group rules change if the number of devices impacted by such updates is below a defined threshold. Devices impacted by these updates will check in immediately and install or remove the necessary resources instead of waiting for the standard check-in cycle. This enhancement is being rolled out on Limited Availability starting 2506 Patch 12. Contact your Account Team if you would like to participate in the Limited Rollout or have any questions regarding this enhancement.

Rugged Device Management

Relay Server Management enhanced with V2 APIs

As part of our continuous efforts to streamline and expand product provisioning, we are launching Relay Server V2 APIs. These are UUID-based endpoints supporting basic CRUD operations, advanced search(by name, type, status etc.), and a test connection API to verify relay server connectivity. The V2 APIs enable secure, fully automated, end-to-end management of relay servers. For more information, refer to the ‘RelayServersV2’ section of API help page.

tvOS Management

After device wipe, return to service easily with automated reprovisioning process

Workspace ONE UEM supports Return to Service functionality for tvOS 18 devices, allowing MDM to add an enrollment and Wi-Fi profile to the device wipe command. This automated process eliminates the need for manual Wi-Fi configuration by administrators post-Device Wipe. For more information, see Return to Service.

User Management

Streamline user group management using the latest REST APIs

A new set of REST APIs is now available to simplify group management. These APIs provide functionalities including creating user groups, updating their properties, and performing actions such as synchronization and merging, and deleting unwanted groups.

Directory Services migration to Omnissa Identity Service

With this Limited Availability feature, you can now integrate with the Omnissa Identity Service to migrate Directory Services from on-premises Active Directory (LDAP) to Entra ID (SCIM 2.0). The Omnissa Identity Service provides a seamless transition to Entra ID for user provisioning and authentication through a guided migration wizard. This is designed for users who are synced to UEM through LDAP-based integration with Active Directory.

visionOS Management

Overview of recently added profiles for visionOS

The following visionOS profiles have been introduced to the Workspace ONE Console UI. For more information, see visionOS Profiles.

• AirPrint
• CardDAV
• Certificate Transparency
• DNS Proxy
• Domains
• Email
• Global HTTP Proxy
• Passcode
• Subscribed Calendars
• VPN

Windows Management

Launch native and App Volumes MSI apps directly from Intelligent Hub for Windows

With this enhanced app catalog functionality, you can now launch native applications and App Volumes MSI apps directly from the Intelligent Hub app catalog in addition to the existing ability to launch Web and Horizon apps.

The key new features are as follows:

• App Launch Support: Native apps and App Volumes MSI apps can now be launched from within the Hub catalog.
• Admin Control: IT administrators can define custom launch commands for all applications in the app configuration within Workspace ONE UEM.
• Improved User Experience: You no longer need to manually locate and open native apps post-installation; you can now launch them directly from the Hub interface.

Previously, users could install native applications through the Intelligent Hub, but launching them directly was not possible. Now, with launch commands configured in UEM, the Hub executes the command defined by the user, providing a seamless experience to both install and launch apps from a single interface. This enhancement simplifies app access and enhances productivity by reducing the number of steps required to open frequently used apps. For more information, see Installing Native Apps.

Default User Mode configuration during Windows device enrollment

Workspace ONE UEM now supports configuring the default user mode (Single User Mode or Multi User Mode) at the Organization Group (OG) level. This setting is automatically applied to Windows devices during enrollment through the Intelligent Hub client.

• Configuration in UEM console (Requires UEM version 2506 or later): Administrators can define the default user mode in the UEM console under the OG settings. The available options include:
  • Single User Mode
  • Multi User Mode
• Hub behavior during enrollment (Requires Hub version 24.10.10+ or 25.06.x):
  • During the enrollment process, the Windows Intelligent Hub queries the UEM console for the default user mode setting.
  • The retrieved mode is validated and stored locally by the Hub.
  • Based on the setting, the Hub configures the Windows device accordingly.

Manage Intelligent Hub application versions on Windows devices

The Technical Preview feature, Intelligent Hub Application Version Control allows administrators to manage precise control over version of the Intelligent Hub is installed on Windows devices, supporting both Win32 and ARM platforms. You can now deploy Intelligent Hub updates independently of Workspace ONE UEM console upgrades and gain direct access to Beta builds without manual download or upload steps. Unified version control is available for both Intel/AMD (Win32) and ARM-based Windows devices.

Once enabled, the setting Intelligent Hub Automatic Updates will be renamed to Use Intelligent Hub Version Control, and a new section for Intelligent Hub Target Seeding will allow version assignment at the Organizational Group level. The key capabilities include:

• You can now assign specific versions to production OG to ensure consistency, while using the latest GA or Beta version in a test OG for validation.
• Instant application of changes to newly enrolled devices (including OOBE and Autopilot) with existing devices auto-updating within 48 hours.
• Downgrades are not supported for devices already running newer versions.

If Intelligent Hub Automatic Updates were previously enabled, the new setting defaults to Latest available. In contrast, if automatic updates were deactivated, the new version control setting will also remain in a disabled state.

Note: This feature requires Workspace ONE UEM version 2506 or later.

Faster SFD delivery and installation through the Intelligent Hub

Workspace ONE now supports a faster and more efficient installation of the Software Distribution Framework (SFD) by shifting the process from the traditional OMA-DM channel to a Hub-based installation. With this enhancement, SFD is bundled with Hub and is installed immediately after enrollment, enabling earlier application deployment and improving overall device readiness. We’ve made the following improvements:

• SFD is now installed through the Intelligent Hub, independent of the OMA-DM workflow.
• Installation occurs immediately after enrollment as the SFD package is part of the Intelligent Hub, reducing delays in the provisioning process.
• Applications can start installing sooner, accelerating time-to-productivity.
• Devices reach a usable state faster, enhancing the end-user experience.

Note: This feature requires Workspace ONE UEM version 2506 or later and Hub version 25.06.x.

Enhanced Offline Domain Join (ODJ) configuration

The Offline Domain Join (ODJ) configuration process has been significantly enhanced to improve reliability and flexibility, particularly in Autopilot Hybrid Join scenarios. Configuring Offline Domain Join is no longer tied to the device enrollment process. It can now be applied at any time, significantly reducing the risk of failures caused by race conditions or timeouts during Autopilot enrollments. With this update, ODJ can also be configured as a step within the Freestyle workflows, especially the new Onboarding workflows introduced recently, enabling IT teams to properly sequence and stage devices before they reach end users. This ensures a smoother onboarding experience and more consistent device readiness. For more information, see Offline Domain Join in Workflows.

Administrators can now deploy ODJ even after a device has been moved to a different Organizational Group (OG), including child OGs. Additionally, to maintain naming consistency, a device’s computer name will only change if it is not already joined to a domain.

Note: This feature requires Workspace ONE UEM version 2506 or later and Hub version 25.06.x.

Improvements in logging and troubleshooting

This release introduces several powerful enhancements to improve visibility, streamline troubleshooting, and reduce time-to-resolution for both end users and administrators.

• Log submission from Intelligent Hub: Users can now send logs directly to Workspace ONE UEM from the Hub Support tab, with two new options added alongside the existing Collect Logs feature:
  • Send Hub Logs to UEM: Automatically uploads all Intelligent Hub-related logs to the UEM console. Logs are accessible under Device Details > Attachments > Documents.
  • Send Other Logs to UEM: Sends logs from DEEM, Workspace ONE Assist, and Workspace ONE Tunnel to the same location in the UEM console. Users receive a confirmation once the log upload is complete, improving transparency and support efficiency.
• Application deployment event logging: To enhance visibility into application deployment, Intelligent Hub now sends detailed application deployment event summaries to the UEM console under Device Details > Troubleshooting > Event Logs. These event logs include data on detection statuses, Pre-condition checks, Exit codes and more helping administrators quickly identify the causes of application installation and uninstallation failures.
• Filter logs by duration and component: Administrators can now filter collected logs based on timeframe and log source, making it easier to isolate relevant data during troubleshooting.
  • Timeframe Filters: All logs, or logs from the last 1, 3, 7, or 14 days.
  • Component Filters: Hub (Logs from Intelligent Hub, App Deployment Agent, Provisioning Agent, Factory Provisioning, and MDM), System (Windows and PCRefresh logs), Other (Logs from Assist, DEEM Telemetry Agent, and Workspace ONE Tunnel).

Note: This feature requires Workspace ONE UEM version 2506 or later and Hub version 25.06.x.

Enhanced processor architecture selection for app deployment

This new feature provides administrators with granular control over app distribution based on processor architecture. Previously, administrators could only select one option among 32-bit, 64-bit, and ARM64 as the ‘Supported Processor Architecture’ during app deployment. UEM will then determine the distribution to device architectures in the backend, limiting flexibility. Key capabilities include:

• Multi-Selection Option: Administrators can now select multiple processor architectures during app deployment. The available options include 32-bit, 64-bit, ARM32, and ARM64.
• Granular Control: This enhancement allows for more precise control over app distribution. For example,
  • Distribute a 32-bit app ‘X’ to devices with 32-bit and 64-bit architectures only, excluding ARM64.
  • Distribute a 64-bit app ‘Y’ to devices with 64-bit and ARM64 architectures, utilizing x64 emulation for compatibility.

Note: This feature requires Workspace ONE UEM version 2506 or later and Hub version 25.06.x.

Support for Administrative Template (ADMX) with profiles

With this Technical Preview feature, Workspace ONE UEM now supports Administrative Template (ADMX), providing a unified and scalable way to manage Windows policies across the device fleet. With this feature, you can manage all administrative templates for Windows 10, Windows 11, and Windows Server directly from the UEM console. You are provided with Pre-Uploaded ADMX templates for common applications, including those for Microsoft Office, Omnissa Horizon, Google Chrome, Mozilla Firefox, and more.

Note: Reapplying baselines will reset policies applied though the ADMX profiles. The capability for Baselines and ADMX profiles to coexist seamlessly will be introduced when this feature becomes Generally Available. If you currently have baselines configured, refrain from using this feature.

Windows Native Enrollment: Auto-Move Devices to Specified OG via Allowlist

Administrators can now assign a target Organisation Group (OG) while creating allowlist records for Windows devices. Upon enrollment, devices automatically move to the specified OG, streamlining device management without requiring prior user association. This feature is in Limited Availability for Windows Native enrollment (Out of Box Enrollment / OOBE and Autopilot). To enable this feature, reach out to your account team.

Original source

We are excited to share the first release of Workspace ONE Content Gateway Container version 2601! Read on to learn about learn about the new option to deploy Content Gateway independently.

What’s New

Starting with 2601, Content Gateway can be deployed as a containerized, independent service using Omnissa dux. Administrators can deploy and manage Content Gateway separately from Unified Access Gateway, enabling flexible and scalable architecture options for their environments.

Note

This release only introduces an additional deployment option for Content Gateway using containerized deployment with dux. The Content Gateway package remains functionally identical to the Content Gateway bundled with Unified Access Gateway 25.12.

Minimum Requirements

• Workspace ONE UEM Console 2410 or later
• Omnissa dux 3.1

Download Instructions

You can download the Content Gateway Container software from Customer Connect.

Product Documentation

Omnissa dux

Content Gateway Guide

Support Contact Information

To receive support, either submit a ticket through the Customer Connect portal or call your local support line. See Omnissa Support Phone Numbers (6000004) and Omnissa Customer Connect FAQs.

Original source

Omnissa App Volumes 2512 | December 16 2025 | Build 4.20.0.109

Omnissa App Volumes 2512.4 | March 11 2026 | Build 4.20.4.128

Check for additions and updates to these release notes.

Omnissa App Volumes is a real-time application delivery system that enterprises can use to dynamically deliver and manage applications.

Omnissa App Volumes Release Notes lists New Features, resolved Issues and Known Issues for this release.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers' network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB article

What’s New

• General Availability: App Volumes Manager for Windows Endpoints

App Volumes Manager now provides full Application Lifecycle Management (ALM) for physical Windows endpoints, unifying packaging, delivery, rollback, markers, and version governance across both physical and virtual environments.

General Availability for Windows endpoints includes the following:

• VHD + MSI in App Volumes Manager, enabling consistent capture, replication across file shares and compressed delivery across endpoints.

• Local copy mode in the App Volumes Agent, ensuring reliable application delivery to physical devices while maintaining the App Volumes packaging and lifecycle model.

This release significantly expands the Apps Everywhere strategy, giving organizations a single platform to manage their entire Windows application portfolio.

Note:

• Advanced lifecycle capabilities for physical endpoints require the Omnissa Apps Essentials license.

• The VHD+MSI capability (and the related functionality such as Local Copy mode) requires App Volumes Manager to be configured with VHD In-Guest as machine manager. If your existing App Volumes Manager instance is configured with vCenter Server, you cannot perform an in-place upgrade and change the machine manager configuration to VHD In-guest.

  Instead, you must install a new App Volumes Manager instance and configure the machine manager as VHD In-Guest.

• App Volumes Agent Message for Background Package Delivery

When newly assigned application packages begin downloading, the App Volumes agent now displays a lightweight notification indicating that applications are being prepared in the background. This notification improves clarity during app delivery, reduces user confusion, and helps prevent unnecessary help-desk tickets while allowing users to continue working uninterrupted.

• Windows Update Detection Before Application Capture

App Volumes now checks whether Windows Update is enabled before application capture begins. If active, the administrator is alerted, preventing Windows Update artifacts from being included in the package. This results in cleaner, more predictable packages by avoiding OS-layer file contamination, metadata bloat, and version drift across Windows builds.

• Published Apps on Demand for Nutanix

App Volumes now supports Apps on Demand for Horizon deployments running on Nutanix. Applications can be assigned dynamically and launched instantly without pre-provisioning, improving resource efficiency and enhancing the published application experience in Nutanix environments.

• Configurable App Volumes Manager Log Levels

Administrators can now adjust App Volumes Manager logging levels without restarting services. This streamlines troubleshooting, reduces operational overhead, and maintains continuous service availability.

Resolved Issues for App Volumes 2512

The number included after each resolved issue is used by the internal issue tracking system:

• [AVM-45428] Applications with missing App Links do not get synchronized to the target App Volumes instance even after the Sync Integrations background job runs multiple times. The application status for these applications is either Syncing App Links or Syncing Properties.

• [AVM-45130] Applications with VHD+MSI packages are not delivered to Windows endpoints which are configured in the Shared Storage package access mode.

  However, these applications are delivered correctly to Windows endpoints which are configured in the Local Copy package access mode.

• [AVA-27205] Multiple shortcuts of an application having the same name are not displayed in the Start menu when the application is delivered as on-demand.

• [AVA-27166] When icon index is more than the number of RT_GROUP_ICON resources, App Volumes agent fails to extract the application shortcut icon. As a result, the application when delivered on demand has blank shortcuts.

  Note: When the application is launched for the first time, the application shortcut icon is correctly displayed.

• [AVA-27071] End user experiences a delay when logging in or logging out of a Windows endpoint which has no network connection. The action eventually succeeds but there is a delay of approximately 5 minutes and the following message is displayed: Please wait for the svservice.

  This issue occurs when the Windows endpoint is configured either in the Local Copy package access mode or the Standalone mode. For more information about these modes, see the Choose Your App Volumes Deployment Model and Application Delivery Modes with App Volumes Manager sections in the App Volumes Install Guide at Omnissa Product Documentation.

• [AVA-26981] App Volumes applications using a local database and having intensive file open or file close operations might fail to run.

• [AVA-26750] The following error You cannot call a method on a null-valued expression is observed multiple times in the command prompt when the support.bat loglevels command is used. This issue occurs when only the App Volumes agent is installed in a virtual machine and not the Horizon agent.

• [AVA-25639] A file access or access denied error occurs when running a database-related application.

Resolved Issues for App Volumes 2512.4

• [AVM-46052] “A ConnectionTimeoutError: Could not obtain a connection from the pool within… all pooled connections were in use” might occur due to a database connection leak when a large number of ESXi hosts are used for direct mounting of App Volumes packages.

  Direct mounting occurs when a vCenter Server is configured as the machine manager with the Mount ESXi option enabled, or when an ESXi (Single Host) is configured as the machine manager. This issue is more likely when the number of ESXi hosts are high.

• [AVM-45808] An end user cannot log into any virtual machine if their VHD Writable Volume stays attached after a virtual machine crashes.

  In VHD In-guest mode if a Writable Volume is attached and the VM crashes, the following might happen: If a Writable Volume is in use during the failure, the file share might not release the file handle from the crashed virtual machine. As a result, the user is prevented from using the Writable Volume on other virtual machines. If the Exception Resolution setting of the Writable Volume is configured as Block user login, the user cannot login into other virtual machines.

  When the Writable Volume is requested for a user and the unused file handle is released, the Writable Volume attachment is updated in App Volumes. The user can then use the Writable Volume in any virtual machine they log into. Administrators can configure the file share to modify the behavior of unused file handles.

• [AVM-45692] The Browse button for selecting a custom location fails to work when installing App Volumes Manager in the custom location (other than the default location). As a result, App Volumes Manager cannot be installed in the custom location.

• [AVM-45652] The launch of an on demand published application, which is delivered by App Volumes, fails in Horizon 2512 with the following error message The application could not be launched, possibly because it is missing or misconfigured. Contact your administrator for more information. This issue is seen with App Volumes 2512 and earlier.

• [AVA-27442] In some environments like Hyper-V, application capture fails with the following error: virtual disk delete failed: The process cannot access the file because it is being used by another process.

Known Issues

The number included after each known issue is used by the internal issue tracking system:

• [AVM-46052] A ConnectionTimeoutError: Could not obtain a connection from the pool within… all pooled connections were in use might occur due to a database connection leak when a large number of ESXi hosts are used for direct mounting of App Volumes packages.

  Direct mounting occurs when a vCenter Server is configured as the machine manager with the Mount ESXi option enabled, or when an ESXi (Single Host) is configured as the machine manager. This issue is more likely when the number of ESXi hosts are high.

  Workaround: Configure vCenter Server as the machine manager inApp Volumes Manager and ensure that the Mount ESXi option is not enabled.

  Resolved: This issue is now fixed in App Volumes 2512.4.

• [AVM-45808] An end user cannot log into any virtual machine if their VHD Writable Volume stays attached after a virtual machine crashes.

  In VHD In-guest mode if a Writable Volume is attached and the VM crashes, the following might happen:

  If a Writable Volume is in use during the failure, the file share might not release the file handle from the crashed virtual machine. As a result, the user is prevented from using the Writable Volume on other virtual machines. If the Exception Resolution setting of the Writable Volume is configured as Block user login, the user cannot login into other virtual machines.

  Workaround: The user must log into the same VM to access the Writable Volume. When the user logs out of the virtual machine, the Writable Volume can be used on another virtual machine.

  Resolved: This issue is now fixed in App Volumes 2512.4.

• [AVM-45692] The Browse button for selecting a custom location fails to work when installing App Volumes Manager in the custom location (other than the default location). As a result, App Volumes Manager cannot be installed in the custom location.

  Resolved: This issue is now fixed in App Volumes 2512.4.

• [AVM-45652] The launch of an published application on demand, delivered by App Volumes, fails in Horizon 2512 with the following error message The application could not be launched, possibly because it is. This issue is seen with App Volumes 2512 and earlier.

  Resolved: This issue is now fixed in App Volumes 2512.4.

• [AVM-36787] The following error is logged in App Volumes Manager when session hosts in a host pool are shut down: Session: Request is missing session cookie. In the Azure Virtual Desktop environment, a session cookie is provided only when an end user logs into a computer. If a computer starts and shuts down without any end user logging in, then a session cookie is never set. This results in a 401 (unauthorized) error. This error does not affect the end user.

• [AVA-27442] In some environments like Hyper-V, application capture fails with the following error: virtual disk delete failed: The process cannot access the file because it is being used by another process.

  Resolved: This issue is now fixed in App Volumes 2512.4.

• [AVA-26831] If a packaged application launches many processes quickly, one after another, svservice.log might contain a large number of nearly identical lines related to User Sentiment.

  Workaround: None. Ignore these lines in the log file.

• [AVA-24547] .tmp files are seen in the install directory when an upgrade rolls back in a persistent machine with active entitlements. These files do not affect any App Volumes operations. By default, these files are automatically deleted after the machine restarts.

  Workaround: If they are not deleted due to any issue, then you can navigate to the install directory and manually delete the files.

• [AVA-24493] If the CURRENT marker of the application is modified after the user launches the application in a session, RemoteApp launch silently fails in Azure Virtual Desktop.

  Workaround: To use the RemoteApp, the end user must log out of the Remote Desktop client app and log back in again.

• [AVA-26351] An OS junction point from a native folder that belongs to a banned list to a non-virtualized folder (such as %APPDATA% in configurations that do no use UIA+Profile Writable Volume or a Profile-only Writable Volume) does not work properly. Files written to the junction source do not appear in the junction target.

• [AVA-26353] In a multi-session environment, the error associated with the Microsoft Office application is also visible to users who are not assigned this application package. While the application does not behave as expected for the users assigned to this package, the error has no effect on users who are not assigned to the package.

• [2791414] When a Writable Volume and FSLogix Office Container are deployed together in a VDI, the FSLogix Office Container VHD is not created on an SMB file share. This issue occurs only when the Cloud Cache feature is enabled.

  Workaround: Deactivate the Cloud Cache feature of FSLogix Office Container.

• [2624048] Sometimes, the applications that are packaged using App Volumes versions older than 2.18.2 have many redundant firewall rules. These rules can impact the end-user login time on agent computers where the application package is deployed. This issue is fixed in App Volumes 2.18.2 and later.

  Workaround: If you are migrating an application package created in an App Volumes version earlier than 2.18.2 with such an issue, repackage the application after migrating to the target version.

• [2845852] When a remote printer is defined on a UIA+Profile Writable Volume and the printer is attached to its print server through a USB interface, the printer definition on the Writable Volume might get deleted on the next non-persistent logon.

  Workaround: On the system volume, add the following two scripts to %SVAgent%\Config\Custom\uia_plus_profile :

  OnPreLoadApp.bat: sc config spooler start= disabled net stop spooler

  OnPostEnableApp.bat: sc config spooler start= auto net start spooler

  If you already have the same script names on the Writable Volume, add the spooler commands to the scripts.

  When a script is present on a Writable Volume and in the system volume at %SVAgent%\Config\Custom\uia_plus_profile , App Volumes agent runs the script present on the Writable Volume and ignores the script on the system volume. To ensure that the App Volumes agent runs both scripts, you can add the following to the script on the Writable Volume:

  if exist "%SVAgent%\Config\Custom\uia_plus_profile\%~nx0"
("%SVAgent%\Config\Custom\uia_plus_profile\%~nx0")

• [2115593] A Writable Volume move or copy operation might fail when bulk operations are performed on many volumes.

  Workaround: Retry the move or copy operation.

App Volumes Documentation

• For information about how to install, deploy, and upgrade Omnissa App Volumes see Omnissa App Volumes Installation Guide.
• For information about how to configure and use Omnissa App Volumes see Omnissa App Volumes Administration Guide.

Omnissa App Volumes documentation is available at Omnissa Product Documentation.

Internationalization

App Volumes content is available only in English.

Support Contact Information

To receive support, access Customer Connect.

To file a Support Request in Customer Connect and via Cloud Services Portal, see How to file a Support Request in Customer Connect and via Cloud Services Portal -6000005.

Original source

Omnissa Workspace ONE Tunnel Tunnel Container Release Notes describe the new features and enhancements in each release. This page contains a summary of the new capabilities, issues that have been resolved, and known issues.

Omnissa Workspace ONE Tunnel Container 26.03

What’s New

New ARM64 build

Introducing a native ARM64 build, enabling support for ARM‑based systems alongside x86 and x64 systems.

Minimum Requirements

Workspace ONE UEM Console 2410 or later

Resolved Issues

We are always working to improve Workspace ONE Tunnel with every release. There are no major bug fixes to report.

Known Issues

We haven’t identified any notable known issues in this release. If you’re facing any problems, feel free to reach out to our support team.

Original source

We’re excited to share the new release of Workspace ONE UEM version 2604!

Read on to learn about the new features and improvements in this release.

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware-owned domains to Omnissa-owned domains, customer network and security teams must make firewall changes to allow access to the new Omnissa-owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

What’s New in this Release

Admin Experience

New Workspace ONE UEM Console experience

Experience a redesigned Workspace ONE UEM console featuring a modern layout, intuitive navigation, and a refreshed Device List View to improve admin efficiency. This feature is now Generally Available and is enabled as the default console experience. The Organization Group picker is now prominently accessible in the app header, making it easier to switch context across your deployment. Administrators can opt in to the new Device List View or continue using the legacy view. For more details, see KB Article.

Improved user detail visibility in Device List View

Administrators can now view accurate user details directly in the Device List View, even when encryption is enabled. Encrypted user detail fields (First Name, Email Address, etc.) previously displayed the placeholder text “Encrypted” and now show the correct user information, while the underlying data remains encrypted in the database.

Enhanced troubleshooting experience using Device Operations tab

The new Device Operations tab provides administrators a unified view of all device actions. This interface combines Legacy Commands and Modern stack actions into one consolidated timeline, allowing users to track operations from initiation to completion. By minimizing context switching, administrators can diagnose issues more quickly and efficiently. For more information, see Device Operations Tab.

Android Management

Mobile Network Slicing Support (Custom DPC)

Android 13+ supports mobile network slicing, enabling Custom DPC EMMs to configure how enterprise apps utilize carrier network resources. You can now assign network slices to specific applications or globally to all work applications. You may also restrict applications to only using the assigned network slice.

Enhanced Screen and Display Controls for Custom DPC

You now have more precise control over screen timeout and brightness, including the option to lock brightness at a fixed level on corporate-owned devices. Minimum OS version varies based on the device management mode:

• Work Managed mode on Android 9+
• Corporate Owned Personally Enabled (COPE) mode on Android 15+

For more information, see our Android Device Management documentation.

Certificate Management

Expanded Entrust Dynamic SCEP challenge support

Workspace ONE UEM now supports flexible parameter pass-through for Entrust Dynamic SCEP challenges, removing the previous three-parameter limitation (IGUsername, IGGroup, DeviceType). Administrators can now configure any parameters required by their Entrust certificate templates.

Key benefits:

• Prevents enrollment failures caused by missing Entrust-specific parameters
• Supports complex template configurations without predefined parameter restrictions

Freestyle Orchestrator

Streamline onboarding entitlements in Android workflows

Onboarding entitlements within workflows allow administrators to prioritize resources essential for onboarding that take precedence over other resource assignments. For more information, see Onboarding Workflows.

Upgrading the communication pipeline from UDS to gRPC for macOS

Administrators now have more consistent workflow executions with our replacement of the communication pipeline between the workflow engine and macOS intelligent hub. This ensures that workflow step statuses are sent reliably so that execution can proceed to the next step. This change is in Limited Availability and will require Workspace ONE Intelligent Hub for macOS version 26.04. To have this enabled for your environment, contact your Account team.

iOS Management

App preservation during MDM migration

The new Preserve Applications setting in ADE profile now provides enhanced control for preserving managed applications during MDM migration scenarios. Administrators can specify which apps must be preserved and available immediately after migration during the Setup Assistant phase—choosing to await all apps or selecting specific critical applications. This ensures essential apps are ready before devices reach end users, minimizing downtime and eliminating the need for manual app reinstallation. The enhancement streamlines migrations, reduces IT intervention, and delivers fully configured devices ready for immediate productive use. For more information, see App preservation during MDM migration.

DDM app status subscriptions for iOS

On supported iOS devices, app-related Declarative Device Management (DDM) status subscriptions are enabled automatically, so application state can flow through declarative reporting without additional admin setup.

Key features:

• Automatic enablement: App-related DDM status subscriptions activate automatically on compatible iOS devices with no manual setup required
• Real-time app inventory: Application state flows through declarative reporting, keeping managed app data current and aligned with device-reported information
• Enhanced visibility: Console displays more accurate, up-to-date information about installed applications as iOS surfaces it through DDM
• Improved troubleshooting: Reduced blind spots when auditing app deployments, verifying installations, or diagnosing assignment issues across your fleet.

Platform-based default ADE profiles for automated enrollment

Administrators can now configure separate default Automated Device Enrollment (ADE) profiles for iOS, macOS, tvOS, and visionOS. This makes mixed-fleet onboarding more predictable. Each platform can land on the right baseline profile automatically as devices sync, with less manual cleanup and fewer mismatched assignments when you expand ADE across your Apple estate.

Enhanced Apple App platform management - Universal App support

With this Limited Availability feature, the Workspace ONE UEM console now dynamically recognizes and manages supported platforms for apps imported from Apple Business Manager, replacing previous hardcoded logic. An admin can automatically sync and assign the same application for iOS, iPadOS, visionOS, macOS, and tvOS from ABM into the console without having to sync an app version for each individual operating system.

Key enhancements include:

• Dynamic platform detection: Automatically identifies supported platforms (iOS, iPadOS, visionOS, macOS, and tvOS) from Apple Business Manager metadata
• Flexible app assignment: Enhanced VPP app assignment page enables platform-specific deployment selection
• Universal app support: Streamlined deployment workflows for Universal Apps across all supported Apple devices

These updates ensure seamless app management, flexible deployment options, and alignment with organizational policies for Apple device ecosystems. For more information, see Universal Apps.

Automatic Apple OS version seeding

Workspace ONE UEM now automatically detects and seeds new Apple OS versions across all platforms (iOS, iPadOS, macOS, watchOS, and tvOS). When a new OS version is detected or when a device enrolls with an unseeded OS version, UEM automatically seeds it and makes it immediately available for use in Enrollment Restrictions, Smart Group Criteria, Compliance Policies, Add Device, and ADE/DEP profiles, without relying on manual seeding. Administrators receive a notification when a new Apple OS version is available.

Support for OS 26.4 MDM and DDM payload and key changes

UEM now includes Apple OS 26.4 updates for MDM payloads and DDM declarations. New 26.4 keys and declaration types appear in the Console as you roll out policies aligned with Apple’s current device management specifications.

Target policies and content by Apple device model

Smart Groups now allow you to filter by Apple device model, so you can assign configurations and apps to particular hardware types using the same model names found in Enrollment Restrictions. This update lets administrators deploy test builds to lab devices, apply camera policies only to supported models, or roll out updates by device generation, all without the need for manual device lists or error-prone naming.

Key features:

• Familiar model selection: Define audiences using the same clear Model names you already use in Enrollment Restrictions
• Multi-select capability: Multi-select option allows coverage of multiple models in a single group
• Dynamic membership: Group membership automatically updates based on device-reported models, ensuring accuracy as inventory changes
• Data quality protection: Devices without a reliable model value are excluded from model-based groups to prevent silent mis-application of criteria
• Rule compatibility: Model-based rules work alongside your other Smart Group rules

macOS Management

Simplified macOS application deployment and management

The Enterprise App Repository (EAR) for macOS eliminates manual app packaging and enables admins to deploy enterprise applications as easily as App Store apps—streamlining deployment and ongoing maintenance.

• Curated app catalog
  • Deploy enterprise apps directly from the repository without manual packaging
  • Add apps via Add > Enterprise App Repository > macOS to browse available applications
• Intelligent search & discovery
  • Search applications by name or vendor to quickly find what you need
  • Filter and browse the catalog efficiently
• Seamless upgrades
  • Apps with available updates will show the corresponding status in the Apps List View
  • Seamlessly update previously deployed apps, even if they were originally added manually

For more information, see Add macOS applications from the Enterprise App Repository.

Platform SSO with Automated Device Enrollment in macOS 26

With this Limited Availability feature, macOS 26 streamlines Platform Single Sign-On (PSSO) configuration by integrating it directly into Setup Assistant, enabling first-user account creation through Identity Provider authentication. This streamlined workflow delivers faster onboarding, improved security, and simplified deployment by replacing multi-step setup processes with one integrated flow.

How it works:

• During the Setup Assistant, users authenticate using their Identity Provider (such as Omnissa Access, Okta, Microsoft Entra ID, etc.).
• The Setup Assistant temporarily pauses while the Platform SSO application and necessary profiles are deployed to the device.
• macOS automatically completes the registration for Platform SSO.
• A new first-user account is created using the authenticated IdP credentials, which is then immediately registered with the Platform SSO frameworks.

Enhanced admin experience for macOS software distribution

Workspace ONE UEM now provides administrators with the ability to customize macOS application names using a new Display Name field. When adding macOS applications, admins can now assign custom display names for different versions of the same application while the parent application name remains unchanged. A future release of macOS Intelligent Hub will allow for this value to be displayed to users in the Hub Catalog. Additionally, the supported models and minimum OS fields have been removed from the macOS application workflow to streamline the app management process. This allows for applications to be deployed to macOS virtual machines. When adding new macOS applications, administrators will see an informational banner notifying them of these field removals to ensure awareness of the updated workflow.

Declarative Device Management Assets for macOS

Declarative Management for macOS now supports User Identity asset for eligible macOS devices. You can create a single User Identity asset, reuse it across declarative configurations, and manage it through the standard declarative profile workflow (add, edit, assign, and delete). That gives admins a consistent way to supply identity context for declarative scenarios without duplicating the same data across multiple declarations. For more information, see Declarative Device Management.

Enhanced Apple App platform management - Universal App support

With this Limited Availability feature, the Workspace ONE UEM console now dynamically recognizes and manages supported platforms for apps imported from Apple Business Manager, replacing previous hardcoded logic. Administrators can automatically sync and assign the same Application for iOS, iPadOS, visionOS, macOS, and tvOS from ABM into the console without having to sync an app version for each individual operating system.

Key enhancements include:

• Dynamic platform detection: Automatically identifies supported platforms (iOS, iPadOS, visionOS, macOS, and tvOS) from Apple Business Manager metadata
• Flexible app assignment: Enhanced VPP app assignment page enables platform-specific deployment selection
• Universal app support: Streamlined deployment workflows for Universal Apps across all supported Apple devices

These updates ensure seamless app management, flexible deployment options, and alignment with organizational policies for Apple device ecosystems. For more information, see Universal Apps.

Platform-based default ADE profiles for Automated Enrollment

Administrators can now configure separate default Automated Device Enrollment (ADE) profiles for iOS, macOS, tvOS, and visionOS. That makes mixed-fleet onboarding more predictable. Each platform can land on the right baseline profile automatically as devices sync, with less manual cleanup and fewer mismatched assignments when you expand ADE across your Apple estate.

Support for OS 26.4 MDM and DDM payload and key changes

UEM now includes Apple OS 26.4 updates for MDM payloads and DDM declarations. New 26.4 keys and declaration types appear in the Console as you roll out policies aligned with Apple’s current device management specifications.

Resource Management

Percentage based phased rollout for internal apps

Phased Deployment is now Generally Available for Internal apps. Additionally, you can now configure phases to target a specific percentage of your device pool. In the previous release, phased deployment required setting up specific Assignment Groups for each phase. This enhancement relieves you of the overhead of creating and maintaining custom Assignment Groups for each phase. It gives you greater flexibility and control over your rollout strategy. Moreover, for progressed phases, you’ll now see additional progression details captured at the moment the deployment has advanced. For more information, see Phased Deployment of Resources.

Vulnerability Defense

Vulnerability Defense integration with CrowdStrike

Workspace ONE UEM 2604 offers Limited Availability for Workspace ONE Vulnerability Defense, bringing seamless assessment, prioritization, and remediation directly into the Omnissa platform.

Key Capabilities

• CrowdStrike Falcon Integration: Seamlessly integrate Workspace ONE UEM with CrowdStrike Falcon Exposure Management to retrieve comprehensive vulnerability assessment data
• Automated Device Correlation: Automatically map CrowdStrike vulnerability data to your Windows devices in Workspace ONE UEM
• Risk-Based Prioritization: Access context-rich dashboards that enable rapid, data-driven prioritization of security risks
• Streamlined Remediation: Deploy remediations directly through Workspace ONE UEM’s native app and OS management capabilities to address vulnerabilities and reduce organizational risk

Windows Management

Windows server management: Enroll and manage Windows servers using Intelligent Hub

Windows Server management is now Generally Available. This feature was previously available under Limited Availability and is now enabled by default for licensed tenants. Administrators can enroll and manage Windows Server 2016, 2019, 2022, and 2025 devices, including Server Core, using Workspace ONE Intelligent Hub. Management is Hub-based.

Supported capabilities include:

• Hub-managed profiles: ADMX-backed, DDUI-backed, Certificate (SCEP not supported), Custom Settings, and Managed Resources
• Security Baselines enforcement and remediation
• Granular Patch Management with scheduled maintenance windows, zero-day patching, deferral notifications, and per-device patch lifecycle logging
• Internal application deployment via SFD with assignment-level retention control on enterprise wipe or unassignment
• Sensors and Scripts for custom data collection and on-demand or scheduled actions
• Roles and Features Sampling for automatic inventory of installed server roles and features
• Freestyle Orchestrator workflows with sequenced execution and conditional logic
• Workspace ONE Assist for remote view, remote control, file transfer, and remote shell

For more information, see Windows Server Management.

Granular patch management with on-demand update deployment

Administrators can now deploy specific Windows updates, such as critical security KBs to targeted Windows desktops and servers outside of their standard Windows Update for Business ring configuration. This capability enables a rapid response to urgent security patches without disrupting established update schedules. For more information, see Granular Patch Management.

Unified App Sampling: Remote application uninstallation

Administrators can now remotely trigger the uninstallation of applications collected through Unified App Sampling. This enhancement lets you control apps that are not managed, are unwanted, or not allowed on devices from the Workspace ONE UEM Console or through the supported APIs. For more information, see Assign Applications to your Windows Device.

Resolved Issues

Admin Experience

• FCA-212233: Settings Summary XML export fails when the Organization Group (OG) name contains a comma (,).
• FCA-212663: Images vanish from custom message templates after they are saved.
• FCA-213345: Incorrect devices scoped for bulk actions in the Device List View when filters are applied on Tags, Smart Groups or User Groups.

Android Management

• AGGL-20077: Managed config keys do not update when adding new version of internal app.
• AGGL-20435: Newly enrolled Zebra devices are showing up with the wrong oeminfo.

Common Services

• CMSVC-20840: OEM and model IDs are silently ignored during SG creation.

Core Platform

• CRSVC-62551: Script trigger updates on console is not synced to device.
• CRSVC-73705: Enhanced SCEP auto-renewal logic to support user-based profiles where signed user & enrollment user are not the same.

Content Management

• CMCM-191789: Content app on iPad and Android, displays duplicate of same folders.

iOS Management

• AAPP-21692: VPP apps are not receiving app settings, and users encounter an error stating, “no server has been configured for this app.”

Resource Management

• ARES-32880: Multiple profile removal failure events displayed in troubleshooting logs of mobile devices for profiles deleted from UEM.
• ARES-32876: Application removal protection triggered despite device threshold not being met within time window, causing false alarms.
• ARES-36784: Passcode not cleared from shared iOS devices when user logs out of it.
• ARES-37278: Incorrect app config delivered to newly enrolled devices assigned to future-dated Internal app assignments.
• ARES-19301: Profiles requiring WLAN MAC address lookup are delivered to iOS devices without the required value, resulting in authentication failures.

User Management

• UM-10208: Directory-type admin account is unable to modify roles while logged in at Partner-type OG.
• UM-10209: Inconsistent Full Name and Display name during OIS SCIM Provisioning.
• UM-10484: User Search option in Add Device Registration screen permits search for empty string.
• UM-10592: Admin Group Deletion Removes Roles from existing Admins.
• UM-11073: Enrollment to a child OG fails for basic users in OIS-enabled tenants.
• UM-11104: SSP authentication to a child OG fails for basic users in OIS-enabled tenants.

Windows Management

• AMST-44384: When ProfileDeliveryAtScaleFeatureFlag is enabled, nodes are absent from the profile syncML when resuming.
• AMST-46045: Apps installed on the Hololens are appearing as Not managed, which is preventing us from uninstalling them.

Known Issues

We haven’t identified any notable known issues in this release. If you are facing any problems, feel free to reach out to our support team.

Release Availability

We strive to deliver high-quality products, and to ensure quality and seamless transitions, we roll out our products in phases. Each rollout may take up to four weeks to accomplish and is delivered in the following phases:

• Phase 1: Demo, Shared SaaS UATs, and Latest Mode UATs
• Phase 2: Shared SaaS environments
• Phase 3: Latest Mode environments

Getting Ready for Major OS Releases

To prepare for the upcoming software updates from major device vendors, read through the Getting Ready for Major OS releases section of the Omnissa Product Documentation.

Documentation

To learn more about Workspace ONE UEM, browse Workspace ONE UEM Documentation.

Localized Content for Omnissa Docs

For details on Omnissa’s localization strategy, see the KB article: Announcing Omnissa Localization Support.

Support Contact Information

To receive support, access Omnissa Customer Connect. For information about filing a Support Request in Customer Connect and using Cloud Services Portal, see the KB article here.

Original source

Urgent Notification regarding legacy Domain End of Service

As part of the migration from legacy VMware owned domains to Omnissa owned domains, customers’ network and security teams must make firewall changes to allow access to the new Omnissa owned domains by June 15th, 2025, to prepare and not block the new Omnissa domain network requests in upcoming product and service updates. This also impacts any API driven tasks or automation tasks created. Please see KB6000840 for more information.

What’s Coming in May 2026

The following features are now in preview.

Email as a Notification Channel (BYO SMTP)

Administrators can now send Hub Services notifications via email in addition to push notifications, ensuring critical communications reach end users even when push notifications are disabled on their devices. This feature uses a Bring-Your-Own (BYO) SMTP configuration.

Send Notifications to Multiple Groups

Administrators can now select multiple target audience groups of the same type when creating a notification, eliminating the need to recreate the same notification for each group.

• When building a notification, administrators select a single target audience type (Omnissa Access user groups, Organization Groups, or Smart Groups) and then choose multiple groups within that type.
• The notification is sent to all selected groups in a single action.
• The Notification List is updated to reflect the multi-group notification.

Previously, administrators could only target one group per notification and had to use the “Edit and Send” workaround to reach additional groups.

Launch Hub Services Admin Console in a New Tab

When an administrator clicks Manage Hub Experience from the account icon in the Workspace ONE Intelligent Hub web portal, the Hub Services admin console now opens in a new browser tab instead of replacing the current tab. This allows administrators to keep the Hub web portal open while managing Hub Services settings.

Dark Mode for the Hub Services Admin Console

The Hub Services admin console now supports a dark mode UI theme, providing improved comfort in low-light environments and a modern visual experience.

Edit Default Categories in Hub Catalog (browser only)

Previously, the Hub Catalog always displayed certain default categories – including Workspace ONE UEM-provided categories and system categories such as All Apps, Web Apps, and Virtual Apps – with no way for administrators to hide or control them. This often resulted in the same app appearing multiple times across default and custom categories.

With this enhancement, Hub Services now allows administrators to control the visibility of these default categories in the browser-based Hub Catalog.

Original source

Workspace ONE Tunnel 26.03

New Features

Support zero-downtime Tunnel certificate rotation

Starting with Workspace ONE UEM 2602, Tunnel client on iOS supports zero-downtime server certificate rotation for both Workspace ONE CA and 3rd Party CA issued certificates.

New Custom Setting

Introducing Tunnel profile custom setting to manage Rapid DTR sync interval. The Tunnel client will periodically check-in with Workspace ONE APIs on this interval and locally update the DTR with changes, if any.

Add the following custom setting in the VPN-Tunnel profile > Custom Configuration section.

Key:

ClientSyncInterval

Value: Time in minutes (Default: 240)

Note

Starting with Tunnel for iOS 26.03, the client no longer supports the Tunnel server KVP (client_sync_interval). If the ClientSyncInterval custom setting is not configured, the client defaults to 240 minutes.

Minimum Requirements

• iOS 15+, iPadOS 15+
• Workspace ONE UEM 2402+
• Workspace ONE Unified Access Gateway 2406+ | Workspace ONE Tunnel Container 24.12+

Resolved Issues

We are always working to improve Workspace ONE Tunnel with every release. There are no major bug fixes to report.

Known Issues

We haven’t identified any notable known issues in this release. If you’re facing any problems, feel free to reach out to our support team.

Original source

Omnissa Workspace ONE® Assist allows Omnissa Workspace ONE® UEM administrators to remotely access and troubleshoot devices in real time while respecting end-user privacy.

Workspace ONE Assist for macOS Release Notes describes the new features and enhancements in each release. This page contains a summary of the new capabilities, issues resolved, and known issues reported in each release over the last 18 months.

Workspace ONE Assist 25.11.1 - April 2026

New Features

In this release, we’ve made an update addressing functionality and performance improvements with no new features.

Minimum Requirements

Listed are the minimum requirements:

• Workspace ONE Assist Console 25.11.1
• macOS 10.15 (Catalina) or later
• Workspace ONE Intelligent Hub 24.11 or later
• Workspace ONE UEM 24.06 or later
• Latest versions of Chrome, Edge, Firefox, or Safari browsers
• For macOS Ventura, Workspace ONE Intelligent Hub should be 24.11 or later
• macOS Ventura requires a Login Profile to be configured in UEM

Resolved Issues

• AET-23359: Advanced keyboard support fixes.
• AET-22770: Distorted image on remote connections in Safari with Assist v25.11 on macOS.

Known Issues

• AET-23387: Intermittently, Japanese input causes random applications to open instead of typing text.

Original source