Abstract: An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for switching between parallel networks. One of the methods includes maintaining a plurality of parallel networks including a first network that precludes access to secure resources, and a second network that provides access both to unsecured resources and secured resources, enabling a user device access to connect to the first network, receiving input from the user device seeking access to one or more secured resources, in response to the received input, installing a device management profile on the user device, and causing the user device to switch from the connection to the first network to a connection to the second network.

Abstract: An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.

Abstract: Operations performed by a software application instance executed by a computing device are monitored. A determination is made that a particular operation performed matches an application signature representing a particular software application. In response, a match score is added to a total score for the software application. In response to determining that the total score is greater than or equal to a threshold, the software is classified.

Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.

Abstract: Associations are maintained among a plurality of subnets, policies, and client types. Each subnet has an associated client type and policy. For a particular client device, (i) a client type of the particular client device, and (ii) a client type associated with the subnet on which the particular client device is hosted is determined. For the particular client device, (i) the determined client type of the particular client device with (ii) the determined client type associated with the subnet on which the particular client device is hosted is compared. Responsive to a determination that the client type of the particular client device matches the client type associated with the subnet that hosts the particular client device, a policy is applied to the particular client device.

Abstract: This specification generally relates to using redirect messages to implement caching. One example method includes receiving from a client a first request for a network resource, the first request including an original location of the network resource; determining that a response to the first request is to be cached; sending a redirect response to the client including a cache location for the network resource; receiving a second request for the network resource from the client, the second request including the cache location; in response to receiving the second request for the network resource from the client: determining that the network resource has not been previously cached; retrieving the network resource from the original location; caching the retrieved network resource in a location associated with the cache location for the network resource; and sending the retrieved network resource to the client.

Abstract: A first request is received from a device over a network. It is determined that the first request should be redirected, based at least in part on information included in the first request. A redirect message is sent to the device over the network. A second request is received that includes the address and the port number. Responsive to determining that the port number is on the predetermined list of port numbers, modifying the second request by removing the port number. The modified second request is sent to the address.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for location based network usage policies. One of the methods includes storing information defining a plurality of network policy groups, receiving first information indicating that a client device is connected to the network at a first physical location, and identifying a first user role associated with the client device, identifying, from among the plurality of network policy groups, a first network policy group having both (i) an associated first policy location that corresponds to the client device's first physical location, and (ii) an associated policy role that corresponds to the client device's first user role, and regulating the client device's access to resources available on the network based on the one or more network usage policies associated with the identified first network policy group.

Abstract: Methods and systems for managing packets using lower layer protocol attributes include determining a network address and a lower layer protocol attribute associated with a packet and applying a particular network policy to the packet based on the determined network address and the lower layer protocol attribute. The lower layer protocol attribute is associated with a protocol layer lower than a protocol layer associated with the network address.

Abstract: Methods and systems for generating a proxy automatic configuration (PAC) script based on the location of a device. One example method includes receiving a request for a proxy automatic configuration (PAC) script from a source address associated with a device; determining, based at least in part on the source address, a location of the device; generating a PAC script based at least in part on the determined location of the device; and sending a response to the request for the PAC script including the generated PAC script.

Abstract: Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for allocating a pool of shared Internet bandwidth. One of the methods includes providing a first communications channel having a first bandwidth, the first bandwidth being shared by a first group of first users, providing a second communications channel having a second bandwidth different than the first bandwidth, the second bandwidth being shared by a second group of second users, detecting that at least one first data connection for a particular first user in the first group has satisfied a first predetermined condition, and moving, based on the detecting, the at least one first data connection for the particular first user from the first communications channel to the second communications channel.

Abstract: Data including a set of one or more resources and one or more associated IP addresses is updated based on data from a DNS server. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request.

Abstract: Data including a set of one or more resources and one or more associated IP addresses is updated based on monitored DNS responses. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request.

Abstract: Methods and systems for generating a proxy automatic configuration (PAC) script based on the location of a device. One example method includes receiving a request for a proxy automatic configuration (PAC) script from a source address associated with a device; determining, based at least in part on the source address, a location of the device; generating a PAC script based at least in part on the determined location of the device; and sending a response to the request for the PAC script including the generated PAC script.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for selectively performing man in the middle decryption. One of the methods includes receiving a first request to access a first resource hosted by a server outside the network, determining whether requests from the client device to access the first resource outside the network should be redirected to a second resource hosted by a proxy within the network, providing a redirect response to the client device, the redirect response including the second universal resource identifier, establishing a first encrypted connected between the client device and the proxy hosting the second resource, and a second encrypted connection between the proxy hosting the second domain and the server hosting the first resource, and decrypting and inspecting the encrypted communication traffic passing between the client device and the server hosting the first resource.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automated mobile device management profile distribution. One of the methods includes receiving a first request for access to a first network resource from a client device, the first network resource corresponding to one of a plurality of restricted resources accessible only by devices enrolled with a mobile device management system, determining that the client device is not enrolled with the mobile device management system, preventing the client device access to the first network resource, providing to the client device a redirect to a mobile device management resource that is different from the first network resource, providing instructions for presentation of a user interface to the client device, and enrolling the client device with the mobile device management system, the enrolling comprising providing a copy of the mobile device management profile to the client device.

Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.

Abstract: This present disclosure generally relates to managing encrypted network traffic using Domain Name System (DNS) responses.