The IT Stories

The Good, The Bad and the Ugly — Field notes from an EUC consultant covering Omnissa Workspace ONE, Citrix, VMware Horizon, Apple MDM and more.

Notes from the field: Omnissa Workspace ONE UEM e-mail based enrollment OG

When configuring Omnissa UEM in a SaaS environment, you seem to be able to select only the top OG when selecting e-mail based enrollment. This is called auto discovery; see https://docs.omnissa.com/bundle/WorkspaceONE-UEM-Managing-DevicesV2306/page/ConfigureEnrollmentOptions.html. After completing the FTU for e-mail based enrollment, you can go back in, select the OG again and then drill down into the desired OG. Pretty straightforward. Hope it helps.

31 December 2024 · 1 min · hheres

Notes from the field: Workspace ONE UEM custom attribute assignment rule limitations

When bulk enrolling pre-existing devices or Autopilot devices, you can use a custom rule / attribute assignment on e.g. a serial number to move the corresponding devices to a deeper OG, which is the preferred approach. Only in a situation with 1200+ devices might you encounter DB maximum issues in SaaS and need to contact support. This was the case for me and my customer, and sadly there was no solution for this movement rule: it seems to be a hard maximum, and conflicts would occur on the database in question. When using Freestyle Orchestrator with the advanced license this would not be an issue, and you would be able to fix it before it can occur. For us the workaround was allowing a top OG enrollment for the devices and then manually bulk moving them to the corresponding OG. ...

31 December 2024 · 1 min · hheres

Notes from the field: Apple DEP devices not correctly installing Workspace ONE Intelligent HUB

When you encounter a failed Apple macOS device enrolment from the DEP program while using Workspace ONE UEM, there may be a bug in the Intelligent Hub from a deployment perspective. This was the case for my customer, where a bulk enrolment of new devices started having issues out of the blue; this was later confirmed in https://kb.omnissa.com/s/article/6000198. The solution for this in a future scenario would be to flip the released version of the Hub to a last known state from a company/user perspective and, when resolved, flip it back to the most current version. This appears to work only for the macOS side of things. iPhone etc. use the public App Store and the latest version, which can’t be controlled this way. ...

31 December 2024 · 1 min · hheres

Notes from the field: Workspace ONE UEM, Apple Federation and the APNS account

Most companies I encounter don’t have a clear understanding of Apple accounts… Well, an Apple account is personal and does not belong to the company, even if the company's domain is being used for personal Apple accounts. How can you change this? Well, the company domain does belong to the company, so you can claim it for federated authentication. See https://support.apple.com/guide/apple-business-manager/intro-to-federated-authentication-axmb19317543/web. Afterwards there will be a grace period of 30 days before a temporary Apple ID account is assigned; the user then needs to log on and migrate it to a unique e-mail/Apple ID account that is not from the company/business, it’s personal after all. ...

31 December 2024 · 2 min · hheres

Notes from the field: Workspace ONE Access SAML Signing with 3rd party certificate

On a recent customer deployment we got the requirement that all certificate signing be done by a 3rd party trusted certificate provider. This is no problem and you can follow this: https://docs.omnissa.com/bundle/workspace-one-access-administration-guide/page/GenerateandUseanExternalSigningCertificateforSAMLAuthenticationinWorkspaceONEAccess.html but keep the following in mind:

- Importing existing signing certificates is not possible.
- The request and signing need to be done from Access; importing an already validated certificate is not possible.
- Keep the 1 year maximum in mind, and with renewals and SAML SP/IDP configurations keep in mind that a dynamic import can take some time.

Hope it helps. ...

31 December 2024 · 1 min · hheres

Notes from the field: Workspace ONE UEM iOS/iPhone model smart groups

Just a quick blog regarding Apple device classification for iPhone/iPad: you might be a bit hesitant to use this because of the “legacy” label stamped upon the filter. For now this is as it is, and everything will be supported once this is fully moved to the new OEM & Model filter options, which currently are not classified for Apple devices. Support confirmed this and all is well again. Hope it helps. ...

31 December 2024 · 1 min · hheres

Notes from the field: Workspace ONE UEM, Invites, OG and language

When configuring an OG structure and customising templates for e.g. device enrolment invites, you might encounter an issue where the expected language is not updating. The solution for this is changing it on the top OG in question: groups and setting » all settings » organisation group » details » Locale, or achieving this with an override on the OG you would like it to apply to. Hope it helps.

31 December 2024 · 1 min · hheres

Notes from the field: Horizon First-Gen / Next-Gen migration

After all the updates and changes around company structure and licensing, it’s finally here: the EOL of the First-Gen control plane, and customers should migrate to the Next-Gen control plane. This all sounds easy enough, but at my customer, who was still using the First-Gen control plane for licensing only, the CSP logon that should present the Next-Gen control plane did not provide this. For this we opened a support case, and after some troubleshooting this came down to a hard backend V1 option that needed to be switched to V2; afterwards we would be able to log on to the First-Gen and Next-Gen control planes. ...

31 December 2024 · 1 min · hheres

Notes from the field: VMware/Broadcom/Omnissa CSP connector changes

Earlier this year my customer got a CSP migration e-mail stating that the connector-based deployment scenario would be deprecated moving forward with VMware/Broadcom, following the latter's acquisition of VMware. This is regarding https://docs.vmware.com/en/VMware-Cloud-services/services/setting-up-enterprise-federation-cloud-services/GUID-76FAECB3-CFAA-461E-B9C9-2A49C39CD17F.html. After some discussion and support case feedback around this, explaining that connector-less isn’t a valid option for our use case with Workspace ONE (now Omnissa), and many question marks around that one, it finally became clear that these are two separate things now and the solution would be: ...

31 December 2024 · 1 min · hheres

Notes from the field: Citrix NetScaler VLAN tagging and Hyper-V / VMM

Long story short: if you want to use VLAN trunk tagging, Hyper-V itself will not let you see this in the GUI; it is only supported via CLI/PowerShell, and further down the road VMM will allow this in a compute fabric for GEN2 only! (And NetScaler is still GEN1.) See https://charbelnemnom.com/what-is-vlan-trunk-mode-in-hyper-v-hyperv/ and https://learn.microsoft.com/en-us/system-center/vmm/vm-settings?view=sc-vmm-2025&tabs=AddvNIC%2CConfigureQoS%2CProcessorThrottling#support-for-trunk-mode. Once this is configured via CLI/PowerShell, the entire VLAN tagging is out of the VM and configured on the network adapter itself. I’ve had some discussion with Citrix around GEN2 support and roadmap, but sadly no new updates on that. ...

31 December 2024 · 1 min · hheres