Patents Assigned to Phantom Technologies, Inc.
  • Publication number: 20150281275
    Abstract: A request is received from a device within a network for a resource on a server outside of the network. The resource is subject to a policy of the network. An informational webpage is served to the device; the webpage includes an interface element. An indication of a selection of the interface element is received. The resource is served to the device from a proxy server configured to apply the policy to the resource.
    Type: Application
    Filed: March 26, 2014
    Publication date: October 1, 2015
    Applicant: PHANTOM TECHNOLOGIES, INC.
    Inventor: Paul Michael Martini
  • Publication number: 20150256516
    Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; identifying a user identity associated with the secure request; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting and/or blocking the secure request based at least in part on determining that the secure request is directed to the domain name and based at least in part on the user identity associated with the secure request.
    Type: Application
    Filed: March 7, 2014
    Publication date: September 10, 2015
    Applicant: Phantom Technologies, Inc.
    Inventors: Paul Michael Martini, Peter Anthony Martini
  • Publication number: 20150242415
    Abstract: Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.
    Type: Application
    Filed: February 26, 2014
    Publication date: August 27, 2015
    Applicant: Phantom Technologies, Inc.
    Inventors: Paul Michael Martini, Peter Anthony Martini
  • Publication number: 20150143110
    Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name, the response including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting the secure request based at least in part on determining that the secure request is directed to the domain name.
    Type: Application
    Filed: November 20, 2013
    Publication date: May 21, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150052345
    Abstract: A HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource.
    Type: Application
    Filed: August 14, 2013
    Publication date: February 19, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150046588
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for switching between parallel networks. One of the methods includes maintaining a plurality of parallel networks including a first network that precludes access to secure resources, and a second network that provides access both to unsecured resources and secured resources, enabling a user device access to connect to the first network, receiving input from the user device seeking access to one or more secured resources, in response to the received input, installing a device management profile on the user device, and causing the user device to switch from the connection to the first network to a connection to the second network.
    Type: Application
    Filed: August 8, 2013
    Publication date: February 12, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150046343
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for recycling a user device. One of the methods includes facilitating a device analysis application to be stored and installed on a user device, testing, by the device analysis application executing on the user device, one or more properties of the user device, determining an exchange value of the user device based at least in part on a result of testing the one or more properties of the user device, and presenting the determined exchange value to an operator of the user device.
    Type: Application
    Filed: August 8, 2013
    Publication date: February 12, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150039713
    Abstract: A gateway within a network intercepts a request by a client within the network for content associated with a server outside the network, the client having a direct connection with the server outside the network. The method further includes determining whether a copy of the requested content is available in a cache within the network. The method further includes, if the copy of the requested content is determined to be available in the cache within the network, transmitting a redirect response to the client to cause the client to retrieve the copy of the requested content from the cache within the network. The method further includes, if the copy of the requested content is determined not to be available in the cache within the network, permitting the intercepted content request by the client to be transmitted to the server outside the network to cause the requested content to be retrieved via the direct connection between the server outside the network and the client within the network.
    Type: Application
    Filed: August 5, 2013
    Publication date: February 5, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150033298
    Abstract: Methods and systems for performing device authentication using proxy automatic configuration script requests are described. One example method includes generating a unique key for a client device; configuring the client device to send a request for a proxy automatic configuration (PAC) script upon accessing a network, the request including the unique key; receiving, over a network, a request for the PAC script including a request key; and authenticating the client device on the network if the request key matches the client device's unique key.
    Type: Application
    Filed: July 25, 2013
    Publication date: January 29, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150029850
    Abstract: Methods and systems for providing device-specific authentication are described. One example method includes receiving, by an input port of a network adapter within the computer system, a stream of network traffic; dividing, by load balancing logic within the network adapter, the received stream of network traffic into a plurality of substreams; and presenting the plurality of substreams to respective interfaces of the network adapter, each network adapter interface being accessible by an operating system executing on the computer system.
    Type: Application
    Filed: July 25, 2013
    Publication date: January 29, 2015
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20140351573
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for selectively performing man in the middle decryption. One of the methods includes receiving a first request to access a first resource hosted by a server outside the network, determining whether requests from the client device to access the first resource outside the network should be redirected to a second resource hosted by a proxy within the network, providing a redirect response to the client device, the redirect response including the second universal resource identifier, establishing a first encrypted connection between the client device and the proxy hosting the second resource, and a second encrypted connection between the proxy hosting the second domain and the server hosting the first resource, and decrypting and inspecting the encrypted communication traffic passing between the client device and the server hosting the first resource.
    Type: Application
    Filed: May 23, 2013
    Publication date: November 27, 2014
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20140343989
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implicitly linking access policies using group names. One of the methods includes receiving first information corresponding to a directory service of network users, the directory service configured to organize the network users into a plurality of user roles, receiving second information corresponding to a resource available to the network users, the resource having a plurality of policy groups, identifying at least one first user role name that matches at least one first policy group name, and linking the user role corresponding to the matched first user role name with the policy group corresponding to the matched first policy group name such that the one or more network users in the linked user role are subject to the usage policies associated with the linked policy group.
    Type: Application
    Filed: May 16, 2013
    Publication date: November 20, 2014
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20140337613
    Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
    Type: Application
    Filed: May 8, 2013
    Publication date: November 13, 2014
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20140304808
    Abstract: Methods and systems for providing device-specific authentication are described. One example method includes generating device-specific credentials, associating the device-specific credentials with a device, authenticating the device based on the device-specific credentials, and after authenticating the device, authenticating a user of the device based on user-specific credentials associated with the user and different than the device-specific credentials.
    Type: Application
    Filed: April 5, 2013
    Publication date: October 9, 2014
    Applicant: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8738791
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network usage policy using a physical location of a device. One of the methods includes storing information defining a plurality of network policy groups, receiving first information indicating that a client device is connected to the network at a first physical location, and identifying a first user role associated with the client device, identifying, from among the plurality of network policy groups, a first network policy group having both (i) an associated first policy location that corresponds to the client device's first physical location, and (ii) an associated policy role that corresponds to the client device's first user role, and regulating the client device's access to resources available on the network based on the one or more network usage policies associated with the identified first network policy group.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: May 27, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8739243
    Abstract: A device within the network receives a domain name service (DNS) request for an address of a first resource outside the network, the first resource associated with a security policy of the network. An address of a second resource within the network is returned to the device within the network in response to the DNS request, the second resource address having previously been associated with the first resource address. A first encrypted connection is established between the device and the second resource, and a second encrypted connection is established between the second resource and the first resource, to facilitate encrypted communication traffic between the device and the first resource. The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: May 27, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8739286
    Abstract: This specification generally relates to controlling access of a device to a network based on the detection of a network application running on the device. One example method includes maintaining one or more application profiles, each application profile associated with one or more network activities in a network; detecting one or more network activities in the network associated with a device, the one or more activities directed outside the network; determining that the one or more detected network activities associated with the device directed outside the network substantially match network activities associated with a predetermined application profile; and denying access by the device to one or more resources within the network based upon the determination.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: May 27, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8732828
    Abstract: Methods and systems for providing destination-specific network management are described. One example method includes receiving from a client within a network, a request to access a resource associated with a destination address outside the network, the received request including referrer information; determining that the destination address corresponds to an unclassified destination; determining whether the received request's referrer information corresponds to a referrer entity that is included in a set of approved referrers; and selectively blocking the network request to access the resource at the destination address based upon a result of the determining.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: May 20, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8726390
    Abstract: This specification generally relates to controlling access of a device to a network based on detection of a network application running on the device. One example method includes maintaining one or more application profiles, each application profile associated with one or more network activities in a network; detecting one or more network activities associated with a device connected to the network; determining that the one or more detected network activities associated with the device substantially match network activities associated with a first application profile; and associating the device with a restricted network profile upon determining that the one or more detected network activities substantially match network activities associated with the first application profile, the restricted network profile configured to deny access by the device to one or more first resources on the network, and configured to allow access by the device to one or more second resources on the network.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: May 13, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8645535
    Abstract: Methods and systems for detecting profile changes based on device behavior. One example method includes assigning a network configuration to a device associated with a network, applying a mobile device management (MDM) profile to the device, the MDM profile including settings configuring the device according to the network configuration, monitoring network activity of the device to detect one or more actions by the device that are prohibited by the network configuration, determining that the MDM profile has been altered based at least in part on the detection of one or more actions prohibited by the network configuration, and performing a remediation action associated with the device based on the determination that the MDM profile has been altered.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: February 4, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini