Mandatory Upgrade Required for Environments using On-Premises VMware Email Notification Service 2 (ENS2) version and older


Customers using an on premises instance of ENS2 are required to upgrade their ENS to version ENS2 depends on CNS service to deliver notifications to devices. CNS certificates expire on June 22, 2019. ENS2 version puts a mechanism in place to automatically update certificate information. This patch implements an automated process which will ensure that future certificate updates do not require a patch.


Customer Impact

If this patch is not applied, end users will stop receiving notification after June 22, 2019.



The impact of this issue can be eliminated by upgrading on premises installations of ENS2 to version or later before the expiration of the certificate.

Before Installing ENS2

Ensure that you are able to reach following URL from ENS server: If there are any firewall rules preventing from accessing this URL, they should be removed before continuing with the installation.

Be sure that the following services are stopped manually on the server:

  • IIS > Email Notification Service
  • Windows Services > AirWatch Resubscription Mechanism
  • Windows Services > AirWatch RSA Key Tracker Service

After validation of the requirements above, the server can be upgraded.


Validating the Upgrade

Once installation is complete, the AirWatch AutoDiscovery Checker service will be installed and automatically perform required updates. Ensure service is running correctly.


Next, review logs for this service at \{ENS installation directory}\Email Notification Service\Services and ensure you are able to see you are able to see the following log statement(s) without errors: New Certificate Added Successfully

As a final step review \{ENS installation directory}\Email Notification Service\Website\web.config file and ensure that at least 8 pinnedCertificate elements listed under <pinnedCertificates> section.



Installer error

  • installer_error.jpg
    This error occurs if the installer is unable to install the VMware AirWatch Root certificate. To remedy this problem, make sure that the installer has the appropriate privileges to install the certificate on the server.

AutoDiscoveryChecker.log file error(s)

Possible Errors:

  • Error while searching for public key in existing config file
  • Error occurred while updating config File
  • Exception while getting latest cert from auto discovery

These errors will be displayed if

  • is not reachable.
  • If the error is a result of a temporary network failure, the service should attempt to connect to the endpoint again after 24 hours.
  • ENS server is configured behind a reverse proxy, or if outgoing traffic is going through a proxy. If this is the case the auto discovery service will not go through that proxy and  firewall rules should be updated to allow IP address for the ENS auto discovery service to be able to reach

Possible Workaround - Manual Update

When faced with an inability to change IP address whitelisting or if excessive errors are present, the following workaround can be applied to update the public CNS certificates.
Note: If you update this manually, errors will still remain in the autodiscovery service logs, and the certificate will have to be updated manually, future certificate updates must be performed manually once this method is selected once, unless appropriate IP addresses are whitelisted for autodiscovery service to update it automatically

  1. Navigate to ENS installed directory and open Web.Config File
  2. Search for "pinnedCertificates" section
  3. Add pinned Certificate as mentioned below with the new publicKeyString:
    • <pinnedCertificate publicKeyString="3082010a02820101009c64c66879fac4590f370145026de17f7352d07292641c656e608dafb0d15a8a317e1fc07145e5b9972fc8ecd101881a2100e8277ea7fe15a12083ddfab232d6137d25f8fb4784ed6eeee1bff222f31f256a89d5d1059b1d766b69eeb1fb8a89084b96e15e1c449223e04341d5cf06b32376c3d4dfb74bf2778d99dc56926c6690afd0313d8c982acff6ab3b8b5615c17aea3740559572e46c2f7ccd915680d1493965d2927448f98cd77b387c1e05f5560c0902e96e6a7b0291eba95ba1004a6b397f9838c0219357a96ddfd80c178b08ffa11fb04fa4b4d7f4ff486c493f3e971445f90b4c57f07917365518ee66995486a9bcf4c24e2a5844d70dc0eb0c770203010001" />
    • <pinnedCertificate publicKeyString="3082010a0282010100d830f1761b2c0d17f6b523028c47125d3c757ec1db087c3ec5407e3748a576baf279aea34c9620d9b3b9f17574335af64103f9b0792b283346959ad7a9a068108141d63f465e355e06f59bc4c11fd5267ce987a60f7169af4cbf1c314a757ee5a910abf4a2fe32208486dcee065ccd22dd7dc945907d086badaf0d438f6954369a99be2fbfa23e18395ccc2d78be79a5f0416afd7a75173a8bab6680b6265c0850b4313d1d5ce906bb80cfab2f97479479d3960f98763e409ae8dffd6125adbae662d935fa37a05f52c3692fc53bb467b092758aa5acf7b0d0266a1393465d63422753f7562621508c9da4ed1d5ec7fb75a46b5fa73eeb59b8921161d20be1e70203010001"/>
  4. Save Web.Config file


Support Contact Information

To receive support, either submit a ticket via the My Workspace ONE  portal or call your local support line.


Best Regards,

The VMware Workspace ONE Team

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.