...
Purpose

As part of our ongoing journey to enhance the quality and security of the Workspace ONE UEM SaaS service, VMware is migrating to Amazon Web Services (AWS) as the network ingress service for all UEM SaaS environments. Note: the migration to AWS CloudFront has been placed on hold indefinitely, as described here. Moving to AWS will further improve the security posture of Workspace ONE UEM and help align the SaaS platform to adopt newer industry standards and needs in the future. VMware will implement this change for all Workspace ONE UEM SaaS environments and will send out a notification with the new scheduled date and time at least five days before the planned maintenance window. Workspace ONE UEM FedRAMP services are also in scope for this change.

Impact / Risks

Customers who configure IP-based allow lists that restrict traffic from their corporate network to the UEM SaaS service will need to migrate away from these configurations (https://kb.vmware.com/s/article/2960995). VMware will stop publishing IP ranges for UEM SaaS services and recommends that customers use DNS-based allow lists instead; doing so greatly reduces a customer's administrative overhead and provides seamless transitions for future changes and traffic security enhancements.

If customers are unable to adopt the new VMware best practice of DNS-based allow lists, IP-based allow lists are still possible for customers hosted on our VMC on AWS platform. To configure this type of allow list going forward, customers will need to add the list of IP ranges published by AWS here. Please note that these IP addresses may change frequently and without any notification from VMware, as these IP addresses/ranges are managed entirely by AWS.

Any network that does not adhere to the new networking requirements may experience interruptions to these Workspace ONE UEM services:

Service           Example features
UEM Console       Administrative Console access, e.g. Profile Creation, Compliance Creation, etc.
Device Services   Device check-ins and command processing, e.g. Device Check-in/check-out, Device Sample processing, Device Profile or Application installs, etc.
API               API automations and third-party integrations, e.g. Unified Access Gateway (UAG) updates for Tunnel, Content Gateway and Email Gateway, etc. Note: all third-party API integrations used by customers to integrate with their Workspace ONE UEM SaaS tenant must support Server Name Indication (SNI).
AWCM              ACC integrations and device communications, e.g. MDM command processing by devices, Active Directory integration via ACC, etc.

The following Global Services configuration will be included in this change:

Global Service                                  Hostname
App Wrapping                                    appwrap04.awmdm.com, appwrapandroid.awmdm.com
Auto Discovery                                  discovery.awmdm.com, awtrustdiscovery.awmdm.com
Cloud Notification Service (FedRAMP service)    cns.gc.workspaceone-gov.com
AirWatch Certificate Portal                     awcp.air-watch.com

VMware strongly recommends moving these items to a DNS-based allow configuration. For Akamai Content Distribution Network (CDN) integration, please refer to "FAQ: Content Delivery Networks (CDN)". Please note: customers will need to work with their internal network teams to ensure that customer-managed networks support the new DNS-based allow lists, to avoid any disruption of service.

Not In-Scope

Workspace ONE Intelligence, Workspace ONE Access and Workspace ONE Assist are not in scope at this time. Any other network traffic changes for these SaaS-based solutions will be communicated separately. These solutions will continue to operate per the standing guidance listed below.
Workspace ONE Access and Hub Services: https://kb.vmware.com/s/article/68035
Workspace ONE Intelligence: https://docs.vmware.com/en/VMware-Workspace-ONE-Intelligence/services/intelligence-documentation/GUID-IntelRequirements.html
Workspace ONE Assist: https://kb.vmware.com/s/article/82567?lang=en_US
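Returning to the IP-based allow-list option described under Impact / Risks: because the AWS ranges are managed entirely by AWS and change without notice, the practical problem is keeping a firewall allow list in step with AWS's published ip-ranges.json file. The following is an added example, not VMware or AWS code, that filters such a document by service and region tags, diffs two snapshots so the firewall change is explicit, and checks an observed address against the result. SAMPLE_OLD and SAMPLE_NEW are constructed documents in the ip-ranges.json layout using RFC 5737 and RFC 3849 test prefixes; the service and region tags used ("EC2", "us-east-1", etc.) are assumptions for illustration, as this KB does not state which tags apply to a given tenant, so confirm them with VMware Support before building a production rule set.

```python
"""Filter and diff an AWS ip-ranges.json document into a firewall allow list.

Added example (not VMware/AWS code). The two sample documents below are
constructed to mirror the published layout: a syncToken, a createDate, and
"prefixes"/"ipv6_prefixes" arrays whose entries carry service and region tags.
"""
import ipaddress
import json

# Constructed sample: a snapshot taken earlier (test prefixes only, not real AWS ranges).
SAMPLE_OLD = json.loads("""{
  "syncToken": "1700000000", "createDate": "2023-11-14-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "EC2",        "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-west-2", "service": "EC2",        "network_border_group": "us-west-2"},
    {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL",    "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"}
  ]
}""")

# Constructed sample: a later snapshot in which one us-west-2 EC2 range was replaced.
SAMPLE_NEW = json.loads("""{
  "syncToken": "1700086400", "createDate": "2023-11-15-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",      "region": "us-east-1", "service": "EC2",        "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-west-2", "service": "EC2",        "network_border_group": "us-west-2"},
    {"ip_prefix": "198.51.100.0/25",   "region": "GLOBAL",    "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"}
  ]
}""")


def snapshot_changed(old: dict, new: dict) -> bool:
    """AWS bumps syncToken whenever the file changes; cheap check before re-parsing."""
    return old["syncToken"] != new["syncToken"]


def select_prefixes(doc: dict, service: str, regions=None) -> set:
    """Return the IPv4 and IPv6 prefixes tagged with `service`, optionally
    limited to the given regions (None means every region)."""
    regions = set(regions) if regions else None
    wanted = set()
    for key, entries in (("ip_prefix", doc.get("prefixes", [])),
                         ("ipv6_prefix", doc.get("ipv6_prefixes", []))):
        for entry in entries:
            if entry["service"] != service:
                continue
            if regions is not None and entry["region"] not in regions:
                continue
            wanted.add(entry[key])
    return wanted


def diff_allow_list(old: dict, new: dict, service: str, regions=None):
    """Return (added, removed) prefixes between two snapshots so a change
    ticket can list exactly which firewall rules to add and retire."""
    before = select_prefixes(old, service, regions)
    after = select_prefixes(new, service, regions)
    return sorted(after - before), sorted(before - after)


def is_allowed(prefixes, ip: str) -> bool:
    """True if `ip` (v4 or v6) falls inside any prefix of the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


if __name__ == "__main__":
    if snapshot_changed(SAMPLE_OLD, SAMPLE_NEW):
        added, removed = diff_allow_list(SAMPLE_OLD, SAMPLE_NEW, "EC2")
        print("add:   ", added)
        print("remove:", removed)
    current = select_prefixes(SAMPLE_NEW, "EC2")
    for probe in ("192.0.2.77", "203.0.113.5", "2001:db8:1::10"):
        print(probe, "allowed" if is_allowed(current, probe) else "NOT allowed")
```

In practice the two documents come from the live ip-ranges.json fetched on a schedule, with the previous copy kept on disk; when syncToken changes, the diff is what goes into the firewall change request. Bear in mind that these prefixes are shared by every AWS customer, so an allow list built from them is a coarse control and should be paired with proper TLS certificate validation of the UEM hostnames rather than relied on alone.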
To prevent any impact from this change, VMware recommends that customers move away from IP-based allow lists in favor of more resilient DNS-based allow lists. DNS-based allow lists will help align the SaaS platform to be better prepared to adopt newer industry standards and needs in the future. Alternatively, administrators can rely on a combination of secure DNS and PKI for secure communication with the UEM SaaS service.

The recommended URLs to include in allow lists for Workspace ONE UEM are the environment-specific URLs (for example cn135.awmdm.com, ds135.awmdm.com, as135.awmdm.com and awcm135.awmdm.com). These URLs can be found in Groups & Settings > All Settings > System > Advanced > Site URLs. Note: if customers do not have access to "Site URLs" in the Workspace ONE UEM console, they can file a Support Request via the Customer Connect portal and our Support team can provide the Console, Device Services, AWCM and API URLs.

Additionally, all third-party API integrations used by customers to integrate with their Workspace ONE UEM SaaS tenant must support Server Name Indication (SNI). Customers are recommended to work with their internal teams and third-party vendors as needed to determine any follow-up actions. Without SNI support, communications between API clients and the Workspace ONE UEM SaaS platform will be disrupted.

Managed Hosted customers who are unable to modify their existing configurations by January 15th, 2024 may request an additional 30-day extension for their environment. Shared SaaS tenants are already granted this extension by default, with the deployment start date being February 15th, 2024. To request this extension, please reach out to VMware Support or create a support ticket with the title "KB:95271 - Request for Extension". All extension requests must be filed by January 10th, 2024.
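The SNI requirement above is the one item a customer cannot verify from the UEM console; it has to be checked on the client side. A direct way is to capture the TLS ClientHello an integration sends to its UEM hostname (tcpdump or Wireshark on the API client) and confirm it carries a server_name extension. The following is an added example, not VMware code, that parses a raw ClientHello record and returns the SNI host name, or None when the client sent none. Because a real capture cannot be embedded here, build_client_hello() constructs minimal TLS 1.2 ClientHello records for test input; the host names used (as135.awmdm.com, cn135.awmdm.com) are simply the environment-specific URL pattern from this KB.

```python
"""Does this API client send SNI? Parse a TLS ClientHello for the server_name extension.

Added example (not VMware code). parse_client_hello_sni() takes the raw bytes of
the first TLS record a client sends; build_client_hello() fabricates such records
for offline testing, covering both an SNI-capable client and one that omits it.
"""
import struct


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input only).
    With server_name=None the extensions block is present but carries no SNI,
    which is what a client without SNI support produces."""
    random32 = bytes(32)                                    # fixed here; real clients use 32 random bytes
    session_id = b"\x00"                                    # empty legacy session id
    cipher_suites = struct.pack("!H", 2) + b"\xc0\x2f"      # one suite: ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x01\x00"                               # null compression only
    exts = struct.pack("!HH", 0x0017, 0)                    # extended_master_secret, empty body
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name(0) + length + name
        sni_list = struct.pack("!H", len(entry)) + entry        # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + random32 + session_id + cipher_suites + compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake(22)


def parse_client_hello_sni(record: bytes):
    """Return the host_name from the ClientHello's server_name extension (RFC 6066),
    or None if the client sent no SNI. Raises ValueError for anything that is
    not a TLS handshake record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + hello[pos]                                   # session_id (1-byte length)
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites (2-byte length)
    pos += 1 + hello[pos]                                   # compression_methods (1-byte length)
    if pos >= len(hello):
        return None                                         # legacy client: no extensions block at all

    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:                              # only server_name is of interest
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                              # host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None                                             # extensions present, but no SNI


def client_sends_sni(record: bytes) -> bool:
    """Convenience wrapper for a go/no-go check on a captured ClientHello."""
    return parse_client_hello_sni(record) is not None


if __name__ == "__main__":
    for sample in (build_client_hello("as135.awmdm.com"), build_client_hello()):
        print("SNI:", parse_client_hello_sni(sample), "->", "OK" if client_sends_sni(sample) else "NO SNI, will be disrupted")
```

To use this against a real integration, capture the first packet the client sends to port 443 of its UEM hostname and feed the TCP payload to parse_client_hello_sni(); a None result means the integration needs to be updated or reconfigured before the cutover. For a quick manual comparison of the two behaviours, `openssl s_client -connect <host>:443 -servername <host>` sends SNI while `openssl s_client -connect <host>:443 -noservername` omits it.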