The Good, the Bad and the Ugly

  • Notes from the field: Omnissa Workspace ONE UEM e-mail based enrollment OG

    When configuring Omnissa UEM, you seem to be able to select only the top OG in a SaaS environment when selecting e-mail based enrollment. This is called auto discovery; see https://docs.omnissa.com/bundle/WorkspaceONE-UEM-Managing-DevicesV2306/page/ConfigureEnrollmentOptions.html. After completing the FTU for e-mail based enrollment, you can go in and select the OG again and then drill down in the…

  • Notes from the field: Workspace ONE UEM custom attribute assignment rule limitations

    When bulk enrolling pre-existing devices or Autopilot devices, you can use a custom rule / attribute assignment on e.g. a serial number to move the corresponding devices to a deeper OG, which is preferred. Only in a situation with 1200+ devices might you encounter DB maximum issues in SaaS and need to contact support. This…

  • Notes from the field: Apple DEP devices not correctly installing Workspace ONE Intelligent HUB

    When encountering a failed Apple macOS device enrolment from the DEP program while using Workspace ONE UEM, it might be that there is a bug related to the Intelligent Hub from a deployment perspective. This was the case for my customer after a bulk enrolment of new devices out of the blue would be having…

  • Notes from the field: Workspace ONE UEM, Apple Federation and the APNS account

    Most companies I encounter don’t have a clear understanding of Apple accounts… Well, an Apple account is personal and it’s not of the company, even if the domain in question is being used for personal Apple accounts. How can you change this? Well, the company domain is from the company and then you can claim…

  • Notes from the field: Workspace ONE Access SAML Signing with 3rd party certificate

    On a recent customer deployment we got the requirement that all certificate signing would be signed by a 3rd party trusted certificate provider. This is all no problem and you can follow this: https://docs.omnissa.com/bundle/workspace-one-access-administration-guide/page/GenerateandUseanExternalSigningCertificateforSAMLAuthenticationinWorkspaceONEAccess.html but keep the following in mind: * Existing signing certificates and an import is not possible * The request and…

  • Notes from the field: Workspace ONE UEM iOS/iPhone model smart groups

    Just a quick blog regarding Apple device classification for iPhone/iPad. You might be a bit hesitant in using this because of the “legacy” filter label being stamped upon it. This is how it is for now, and everything will be supported when this is fully moved to the new OEM & Model filter options that now…

  • Notes from the field: Workspace ONE UEM, Invites, OG and language

    When configuring an OG structure and customising templates for e.g. device enrolment invites, you might encounter an issue where the expected language is not updating. The solution for this is changing it on the top OG in question: groups and setting >> all settings >> organisation group >> details >> Locale or achieve this with an…

  • Notes from the field: Horizon First-Gen / Next-Gen migration

    After all the updates and changes around company structure and licensing, it’s finally there: the EOL of the First-Gen control plane, and customers should migrate to the Next-Gen control plane. This all sounds easy enough but at my customer who was still using the First-Gen control plane for licensing only the CSP logon that should present…

  • Notes from the field: VMware/Broadcom/Omnissa CSP connector changes

    Earlier this year my customer got a CSP migration e-mail stating that the connector based deployment scenario would be deprecated moving forward with VMware/Broadcom and the latter acquiring VMware. This is regarding https://docs.vmware.com/en/VMware-Cloud-services/services/setting-up-enterprise-federation-cloud-services/GUID-76FAECB3-CFAA-461E-B9C9-2A49C39CD17F.html. After some discussion and support case feedback around this and explaining that connector less isn’t a valid option for our use case…

  • Notes from the field: Citrix NetScaler VLAN tagging and Hyper-V / VMM

    Long story short: if you want to use VLAN trunk tagging, Hyper-V itself will not let you see this in the GUI and this is only supported via CLI/PowerShell, and further down the road VMM will allow this in a compute fabric for GEN2 only! (And NetScaler is still GEN1.) See https://charbelnemnom.com/what-is-vlan-trunk-mode-in-hyper-v-hyperv/ and https://learn.microsoft.com/en-us/system-center/vmm/vm-settings?view=sc-vmm-2025&tabs=AddvNIC%2CConfigureQoS%2CProcessorThrottling#support-for-trunk-mode After…