Abstract: Examples of detecting whether a device meets an enrollment level are disclosed. In one case, a method for providing access to an application on a client device includes receiving a request to access an application from the client device, determining an enrollment level associated with the application, and determining that multi-factor authentication is required for access to the application on the client device based on the enrollment level associated with the application. The method can also include initiating multi-factor authentication on the client device before access to the application is permitted. The method can also include determining that multi-factor authentication is successful on the client device, transmitting a management component to the client device, and installing the management component on the client device for enrollment as a managed device with a management service.

Abstract: Disclosed are various embodiments for controlling a distribution of resources on a network. In one example, among others, a system is configured to receive the plurality of resources and a plurality of rules. The system is also configured to determine an authorized location and an authorized area based on the plurality of rules. The authorized location and the authorized area are determined to have different access rights to the plurality of resources. The system is further configured to determine a location of the computing device and grant access to a resource based on the location of the computing device with respect to the authorization location or the authorized area.

Abstract: Disclosed are approaches for enforcement of updates for devices unassociated with a domain or directory service. An application executing on a client device can determine that the client device is to use a locator specified in a policy to receive and install updates to software installed on the client device. The application determines whether the client device complies with the policy based at least in part on a value of a registry key stored on the client device. The application then modifies a value of a registry key stored on the client device in an instance in which it is determined that the client device is to use the locator and that the client device does not comply with the policy.

Abstract: On-demand activation of a security policy may be provided. Upon receiving a selection of a link, a profile identified by a security policy associated with the link may be activated and the link may be opened according to the security policy. In some embodiments, opening the link according to the security policy may comprise redirecting the opening of the link from a first application to a second application.

Abstract: Disclosed are various examples for downloading data objects by enforcing a threshold amount of allocated data. In one example, among others, an application downloads a first subset of the files from a remote file management system. A user interface displays file system entries that represent the first subset of downloaded files and a second subset of undownloaded files from the remote file management system. The application detects an event for a respective file system entry associated with a respective file from the second subset of undownloaded files. The respective file is downloaded from the remote management system.

Abstract: Time-based functionality restrictions may be provided. Periodic scans may be performed to identify requests to perform functions on user devices, to determine whether the functions are compliant with compliance rules associated with the user devices that specify time periods during which the user devices are authorized to perform the functions, and to perform remedial actions if the functions are not compliant with the compliance rules.

Abstract: Disclosed are various approaches for providing authentication of a user and a client device. A user's credentials can be authenticated by an identity provider. In addition, a device posture assessment that analyzes the device from which the authentication request originates is also performed. An authentication request can be authenticated based upon whether the device posture assessment reveals that device to be a managed device that is in compliance with compliance rules.

Abstract: Disclosed are various examples for providing network content filtering to client devices on a per-application basis. A client device is identified. Then the client device is authenticated by the device management service. If the client device is not authenticated, a user interface will facilitate the enrollment process on the client device to authenticate the client device with the management service. Then, an authentication token is received. The management application receives a request from an application to initiate a network connection. Based at least in part on the identity of the application and the client device, the management application routes network traffic associated with the application and the network connection using or without using a managed network tunnel.

Abstract: Methods, systems, and devices provide control over resources electronically communicated among computing devices. In some embodiments, a management application identifies multiple entities for communicating electronic content. The management application determines that at least a subset of the entities required for communicating the electronic content is available for electronic communication. The management application authorizes communication of at least some of the electronic content among the entities in response to determining that the required subset of entities is available for electronic communication.

Abstract: Disclosed are various embodiments for controlling access to resources in a network environment. Methods may include installing a profile on the device and installing a certificate included in or otherwise associated with the profile on the device. A request to execute an application, and/or access a resource using a particular application, is received and determination is made as to whether the certificate is installed on the device based on an identification of the certificate by the application. If the certificate is installed on the device, then execution of the application and/or access to the resource is allowed. If the certificate is not installed on the device, then the request for execution and/or access is refused.

Abstract: Disclosed are various examples for enrolling a client device and synchronizing user attributes for the client device across multiple directory services. A search request for user attributes can be sent to a first directory service with an identifier for a user account. The first directory service can query for the identifier and send back user attributes. If a global identifier is included in the attributes, another search request for user attributes can be sent to a second directory service with the global identifier. The second directory service can query for the global identifier and send back user attributes.

Abstract: The disclosure relates to detecting vulnerabilities in managed client devices. A system determines whether a vulnerability scan of a computing device is required to be performed. The system installs a vulnerability detection component in the computing device in response to determining that the vulnerability scan is required to be performed. The system requests the vulnerability detection component to perform the vulnerability scan of the computing device. The system transmits a result of the vulnerability scan to a remote management service for the computing device.

Abstract: Systems and methods for allowing an orchestrator to manage screen sharing in a meeting between multiple user devices are described. The orchestrator can use a master device to start a sharing session and select user devices to join as participant devices. The orchestrator can also select at least one receiver for receiving shared media. Participant devices are displayed on the master device. The orchestrator can then select a participant device to act as a source, and a receiver to receive the shared media from the source. The master device can contact a management server to cause the selected participant device to being sharing its screen on the receiver.

Abstract: Disclosed are various examples for managing network resource permissions for applications through the use of an application catalog. An identification of a particular application from the application catalog is received from a managed client device. The identification indicates a particular security group of multiple security groups. A network of the organization is configured to provide the particular application on the managed client device with access to a set of resources corresponding to the particular security group.

Abstract: A system can include a host device that includes a host management component and a virtual machine execution environment with a guest management component. The guest management component receives a data object generated by the host component. The data object specifies host parameters detected for the host device and hypervisor parameters detected for the hypervisor component. The hypervisor component relays the data object from the host management component to the guest management component, which identifies a violation of a compliance rule using this information. The guest management component performs an action based on the violation.

Abstract: Systems herein allow a user device to monitor calendar events with a secure bubble application. When an event is upcoming, the secure bubble application can present a notification. The secure bubble application can search other managed applications for content relevant to the meeting event. The secure bubble application can extract text, tags, and other metadata from the calendar event and any attached files. The text, tags, and other metadata can be used to search each managed application. Relevant emails, files, and notes can be displayed in a card generated by the secure bubble application.

Abstract: Disclosed are various embodiments for sharing documents among users of an enterprise as well as with users external to an enterprise. A document is identified and document components extracted from the document. A browser representation is generated that, when rendered or interpreted by a browser, causes the browser to generate a user interface that presents at least a portion of the document as the document would be viewed by a native viewer.

Abstract: Disclosed are various examples for categorization using an organizational hierarchy. In some examples, a client device receives an enterprise map comprising a plurality of user identifiers, each being associated with a hierarchy level of an enterprise hierarchy. Enterprise content is received. The enterprise content includes data associated with a user identifier from the enterprise map. The enterprise content is associated with a category based on a hierarchy level of the user identifier. A user interface is generated to include the enterprise content and a visual design element based on the category.

Abstract: Disclosed are various embodiments for initiating execution of an application using trigger characters. In one embodiment, a computing device detects an entry of a trigger character in an input field of a first user interface presented by a first application. The input field is specified for detection of the individual trigger character based on a trigger rule for the first application. The computing device then identifies a string following the trigger character. The computing device then determines that the string matches a name of a second application installed on the computing device based on a list of applications installed on the computing device. The computing device then initiates execution of the second application. Subsequently, the computing device switches from the first user interface to a second user interface presented by the second application.

Abstract: Disclosed are various embodiments for controlling access to resources in a network environment. Methods may include installing a profile on the device and installing a certificate included in or otherwise associated with the profile on the device. A request to execute an application, and/or access a resource using a particular application, is received and determination is made as to whether the certificate is installed on the device based on an identification of the certificate by the application. If the certificate is installed on the device, then execution of the application and/or access to the resource is allowed. If the certificate is not installed on the device, then the request for execution and/or access is refused.