Auto-Update ACC often fails if ACC is configured for domain join

Last updated: 06/20/2023

Like two peas in a pod, the VMware Workspace ONE UEM Console (UEM) and the Airwatch Cloud Connector (ACC) are meant to be together, at least as far as software revisions are concerned. It is a VMware best practice to always upgrade ACC to the same version that ships with the current version of the UEM Console. To help with this union, the UEM Admin Console can upgrade the ACC each time UEM is upgraded to a new release. In theory this will happen every couple of months. The setting for the Auto Update behavior is the toggle switch in the UEM Admin console shown below:

Enable Auto Update is supposed to be one of those “Set and Forget” kind of things, but there is a dark side to this convenience: many of the error conditions that cause the upgrade to fail won’t show up anywhere, so IT Admins are never alerted that there is a problem. At best, the upgrade fails and reverts to the existing version. In most cases, though, these error conditions break the ACC install and leave the service broken, which prevents all users from logging in to the UEM Console. I recommend turning off ACC Auto Upgrade and handling the installation manually. Here are my Top 3 reasons for doing so:

  1. If you are managing Windows 10/11 devices via Workspace ONE UEM and are taking advantage of the UEM Console’s Offline Domain Configuration capability, you’ve had to change the service account used by the ACC to an account that is able to create computer accounts on your domain controllers. This is accomplished on the ACC by editing the Windows Service named “Airwatch Cloud Connector” and changing the “Log On As” property from the default “System” context to a specific service account that has been delegated access to create computer objects in Active Directory.

    The automated MSI installer launched via ACC Auto Upgrade does not understand this configuration change and will revert the ACC back to the Local System account as part of the installation. The end result will be an upgraded ACC and a broken Offline Domain Join process.

    What’s odd about this scenario is that the Log On As account reset does not happen with every ACC version change. I’ve been dealing with this issue since Offline Domain Join was introduced to the UEM. With some ACC upgrades the problem does not happen, but then the next month a new version of ACC comes out and breaks it again. For the last year or so it’s been consistently inconsistent, to the point of being annoying.

    To avoid this situation, turn off ACC Auto Upgrade and manually install the new ACC MSI to upgrade to the latest version, then adjust the service configuration after the installation.

  2. The ACC server component is installed or upgraded via an MSI that bundles a specific version of the Microsoft .NET Framework. Depending on your Windows Server OS update cycles, the .NET version installed on the ACC might not match what the ACC expects to see. If there are problems, the MSI install logic handles this situation poorly and often fails. In the best case, the MSI reverts to the previous version and nothing changes. More commonly, though, you get a broken ACC and no one can log into the UEM console.

    To avoid this situation, turn off ACC Auto Upgrade and manually install the new ACC MSI to upgrade to the latest version. If there are .NET errors, the MSI will display them to you and give you an opportunity to upgrade or install the required version of .NET.

  3. The ACC MSI handles it very poorly when the IT Admin has had to edit the CloudConnector.exe.config file. If you don’t know, editing the CloudConnector.exe.config file is required to enable debug logging. Hopefully it’s not something you have to do often, but when you do, you have introduced another logic problem for the MSI to deal with, and most of the time the result is an XML file missing error message as seen below:

    While the automated MSI installer will not display this error when it is encountered, it will prevent the install from being successful.

    To avoid this situation, turn off ACC Auto Upgrade and manually install the new ACC MSI to upgrade to the latest version.
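
For reason 1, one way to catch the logon-account reset during a manual upgrade is to record the service's account before running the MSI and compare it afterwards. This is an added example, not VMware's tooling or part of the original post; the display name is the one quoted above, and the baseline path and parameter names are assumptions.

```powershell
# Added example: baseline and verify the ACC service logon account around a manual upgrade.
# Assumptions: display name as quoted in the article; the baseline path is hypothetical.
param(
    [Parameter(Mandatory)][ValidateSet('Save', 'Verify')][string]$Mode,
    [string]$DisplayName  = 'Airwatch Cloud Connector',
    [string]$BaselinePath = 'C:\Temp\acc-service-baseline.json'
)

function Get-AccServiceState {
    param([string]$DisplayName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found on this host." }
    [pscustomobject]@{
        Name      = $svc.Name
        StartName = $svc.StartName   # logon account: LocalSystem or DOMAIN\account
        StartMode = $svc.StartMode
        State     = $svc.State
    }
}

$current = Get-AccServiceState -DisplayName $DisplayName

if ($Mode -eq 'Save') {
    # Run this before launching the ACC MSI.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline saved: service runs as '$($current.StartName)'."
    return
}

# Verify mode: run this after the MSI completes.
if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Mode Save first."
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

if ($current.StartName -ne $baseline.StartName) {
    Write-Warning ("Logon account changed: was '$($baseline.StartName)', now " +
        "'$($current.StartName)'. Offline domain join stays broken until it is restored.")
    exit 1
}
if ($current.State -ne 'Running') {
    Write-Warning "Logon account is intact, but the service state is '$($current.State)'."
    exit 1
}
Write-Output "ACC service still runs as '$($current.StartName)' and is running."
```

The script only reports the change; restoring the service account still means re-entering its credentials in the service's properties, as described in reason 1.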

In summary, keeping ACC upgraded to the latest version to match UEM is highly recommended, but the ACC Auto Upgrade feature is not a UEM console setting I recommend enabling.
