Auto-Update ACC fails if ACC configured for domain join

Like two peas in a pod, the Workspace ONE UEM Console and the AirWatch Cloud Connector (ACC) are meant to be together... version-wise. To help with this union, the Workspace ONE UEM Admin Console can install a new version of the ACC each time the Admin Console is upgraded to a new release. The Auto Update behavior is controlled by a toggle switch in the UEM Admin Console. It's supposed to be a set-and-forget kind of feature. But there is a dark side to this convenience, and you should turn this feature off if you are using Drop Ship Provisioning and joining Active Directory. Why? Let's discuss further.

The best practice for Workspace ONE UEM is to keep the UEM Console version and the ACC version in sync with each other. I always recommend following this practice in your environment, but don't let the Auto Update feature do it for you, for the 3 reasons below:

First, the ACC server component is installed or upgraded via an MSI that bundles a specific version of the Microsoft .NET Framework. Depending on your Windows Server OS update cycles, the .NET version installed on the ACC server might not match what the ACC expects to see. If there are problems, the MSI install logic handles this situation poorly and often fails. In the best case, the MSI reverts to the previous version and nothing changes; more commonly, though, you get a broken ACC and no one can log into the UEM console.

Second, the MSI handles edits to the CloudConnector.exe.config file very poorly. If you don't know, editing the CloudConnector.exe.config file is required to enable debug logging. Hopefully it's not something you have to do often, but when you do, you have introduced another logic problem for the MSI to deal with, and most of the time the result is an "XML file missing" error message. The automated MSI installer will not display this error when it is encountered, but the error will still prevent the install from succeeding.

Third, and most importantly: if you are managing Windows 10/11 devices via Workspace ONE UEM and are taking advantage of the UEM Console's Offline Domain Configuration capability, you've had to change the "Log On As" properties of the Windows service named AirWatch Cloud Connector from the default "System" context to a specific service account that has been delegated access to create computer objects in Active Directory. The automated MSI installer launched via ACC Auto Upgrade doesn't understand this configuration change and will revert the ACC back to the Local System account as part of the installation. The end result is an upgraded ACC and a broken offline domain join process.
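One way to catch this revert after an upgrade is to compare the service's logon account against the delegated account and record the installed binary version alongside it. This is an added example, not from the original post or from the vendor; the display-name pattern and the account name `EXAMPLE\svc-acc-odj` are placeholders you must replace.

```powershell
# Added example: detect the ACC service falling back to Local System after an upgrade.
# Assumptions: the display-name pattern and expected account are placeholders.
param(
    [string]$DisplayNamePattern = '%Cloud Connector%',   # assumed match on the service display name
    [string]$ExpectedAccount    = 'EXAMPLE\svc-acc-odj'  # placeholder delegated service account
)

$services = @(Get-CimInstance -ClassName Win32_Service `
        -Filter "DisplayName LIKE '$DisplayNamePattern'")
if ($services.Count -eq 0) {
    Write-Error "No service matches display name pattern '$DisplayNamePattern'."
    exit 2
}

$report = foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"?(.+?\.exe)') { $Matches[1] } else { $null }
    $version = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    } else {
        'unknown'
    }

    # StartName is the "Log On As" account; Local System is reported as "LocalSystem".
    # The comparison is a plain case-insensitive string match, so give the expected
    # account in the same form the service reports (DOMAIN\user or user@domain).
    [pscustomobject]@{
        Service         = $svc.Name
        DisplayName     = $svc.DisplayName
        FileVersion     = $version
        LogOnAs         = $svc.StartName
        ExpectedAccount = $ExpectedAccount
        Drifted         = ($svc.StartName -ine $ExpectedAccount)
    }
}

# Emit the report for logging, then signal drift through the exit code.
$report | Format-List | Out-String | Write-Output

if ($report | Where-Object Drifted) {
    Write-Warning 'ACC service is not running as the expected account; offline domain join will fail.'
    exit 1
}
exit 0
```

Run it on the ACC server after every console upgrade or on a schedule; exit code 1 means the logon account no longer matches and needs to be reset before the next domain join.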

In summary, the only time it makes sense to keep the ACC Auto-Upgrade enabled is when you are not using the Offline Domain Join capability of the ACC and have left the default ACC configuration of using Local System as the login account.

Author: bgarmon
