When deploying the Legacy App Catalog profile, there is an issue which may result in displaying hardware identifiers. While this is not a security vulnerability - no direct access to unauthorized data is permitted by this issue - such information may be considered sensitive and as such, customers might wish to take actions to utilize the latest secure version of the catalog, which is unaffected by this issue.
How to identify if you are affected
If you are a SaaS or On-Premise customer explicitly using the App Catalog URL in a profile (Web Clips profile for iOS, Bookmarks profile for Android, etc.) deployed with the following URL format, device hardware IDs might be exposed:
Additionally, if you are On-Premise, check if the following query returns any results (ex: Location GroupID, CustomerName, DeviceCount, etc.):
DECLARE @StartTime DATETIME
--Get the date the environment was upgraded to 7.3
SELECT TOP 1 @StartTime = StartTime
WHERE MajorVersion = 7
AND MinorVersion = 3
ORDER BY StartTime
--Select Customers and Devices For All environments
LG.Name as CustomerName,
COUNT(D.DeviceID) as DeviceCount
FROM deviceProfile.DeviceProfileDevicePool DPDP (NOLOCK)
INNER JOIN deviceProfile.DeviceProfile DP (NOLOCK)
ON DPDP.DeviceProfileID = DP.DeviceProfileID
INNER JOIN dbo.Device D (NOLOCK)
ON DPDP.DeviceID = D.DeviceID
INNER JOIN dbo.Location L
ON D.LocationID = L.LocationID
INNER JOIN dbo.LocationGroupFlat LGF (NOLOCK)
ON L.PrimaryLocationGroupID = LGF.ChildLocationGroupID
INNER JOIN dbo.LocationGroup LG (NOLOCK)
ON LGF.ParentLocationGroupID = LG.LocationGroupID
WHERE LG.LocationGroupTypeID = 2
AND DP.ModifiedOn < @StartTime
AND DP.Name = 'iOS App Catalog Settings'
AND DPDP.InstalledStatusID = 1
GROUP BY LG.Name,LG.LocationGroupID
If you have published a profile affected by this issue, add a new version of the profile with the following URL format:
Once you have finalized the URL changes, publish the new version. This will deploy the latest secure version of the catalog to the devices.
If you are On-Premise and have discovered you are affected by running the query above, you will need to navigate to Settings > Apps > Workspace ONE > App Catalog > General and re-save the Settings Page. This will deploy the latest secure version of the catalog to the devices.
Note: This step is not needed for On-Premise customers if you are not affected.
Support Contact Information
The AirWatch Team