Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: An endpoint computing device network slice certificate provisioning and management system includes a core network system that is coupled to a Radio Access Network (RAN) system and configured to allocate a plurality of a network slices and make each of the network slices available for use in wireless communications via the RAN system. An endpoint computing device is configured to establish a first network connection with a first network slice included in the plurality of network slices and perform, via certificate provisioning wireless communications over the first network connection with the first network slice, certificate provisioning operations to provision a certificate for the endpoint computing device. The endpoint computing device may then use the certificate to verify at least one server device to provide at least one verified server device, and perform secure network communications with the at least one verified server device.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: Methods and system are provided for dynamically securing a workspace based on changes in the security context in which the workspace operates. Upon receiving a request from an IHS for access to a managed resource and receiving attributes of a risk context for the request, a risk score for the request is determined. A workspace definition that provides access to the managed resource is selected based on the risk score. A workspace definition includes security requirements for operation of the workspace by the IHS, where the security requirements are commensurate with the risk score. The workspace definition is transmitted to the IHS for operation of the workspace according to the security requirements. A risk context may include, IHS software, a physical environment in which the IHS is located, a physical location of the IHS, a classification of the requested resource, IHS hardware, and a user of the IHS.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.

Abstract: Systems and methods provide multilevel authorization of workspaces using certificates, where all of the authorization levels may be authorized separately or may instead be authorized at once. A measurement of an IHS (Information Handling System) is calculated based on the identity of the IHS and based on firmware of the IHS. A measurement of the configuration of the IHS is calculated based on information for configuring the IHS for supporting workspaces and also based on the IHS measurement. A measurement of a workspace session is calculated based on properties of a session used to remotely support operation of the workspace by the IHS and also based on the configuration measurement. Workspace session data may by authorized at all three levels by evaluating the session measurement against a reference session measurement.

Abstract: Systems and methods support secure transfer of data between workspaces operating on an IHS (Information Handling System). Upon a request for access to a first managed resource, such as protected data, a first workspace is deployed according to a first workspace definition. Upon a request for access to a second managed resource, a second workspace is deployed according to a second workspace definition. In response to an indication of a portion of the protected data from the first workspace being copied to a buffer supported by the IHS and of a request to paste the copied portion of the protected data to the second workspace, the protections provided by the second workspace are evaluated. If the protections of the second workspace are inadequate, an updated second workspace definition is selected that specifies additional protections. The second workspace is updated according to the updated second workspace definition and the transfer is permitted.

Abstract: Systems and methods for dynamic workspace targeting with crowdsourced user context are described. In some embodiments, an Information Handling System (IHS) of a workspace orchestration service may include a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: detect execution of an application in a workspace instantiated by a client IHS; validate the application based upon productivity context information and security context information received from the client IHS; and in response to the validation, distribute the validated application to another workspace instantiated by another client IHS.

Abstract: Systems and methods are provided for recording and validating modifications to a secured container. Modifications to the secured container by trusted parties are logged. The log may be maintained in a secured memory of an IHS (Information Handling System) and may be periodically validated. Each logged modification specifies a timestamp of the modification and the digital watermark assigned to the trusted party making the modification. Upon completing modifications, the secured container is sealed by imprinting the first digital watermark and the first timestamp at locations in the secured container specified by a watermarking algorithm assigned to the trusted party making the modification. Additional modifications may be serially watermarked on the secured container according the watermarking algorithm of the trusted party making each modification. The secured container is unsealed by re-applying each of the watermarking algorithms in reverse order.

Abstract: An information handling system (IHS) includes a memory having a BIOS, at least one sensor that generates security related data for the IHS, a controller, and one or more I/O drivers. The memory, at least one sensor and controller operate within a secure environment of the IHS; the I/O driver(s) operate outside of the secure environment. The controller includes a security policy management engine, which is executable during runtime of the IHS to continuously monitor security related data generated by the at least one sensor, determine whether the security related data violates at least one security policy rule specified for the IHS, and provide a notification of security policy violation to the BIOS, if the security related data violates at least one security policy rule. The I/O driver(s) include a security enforcement engine, which is executable to receive the notification of security policy violation from the BIOS, and perform at least one security measure in response thereto.

Abstract: A system is disclosed herein including a plurality of information handling systems (IHSs) coupled to and managed by a remote management system (RMS). According to one embodiment, each IHS may be configured to monitor data pertaining to the IHS, determine if the data triggers one or more events, and transmit a notification to the RMS if one or more events are triggered. The RMS may be configured to receive a notification transmitted from at least one IHS, select a policy to be applied to one or more of the IHSs based on the received notification, and transmit the selected policy to the one or more IHS s. The one or more IHSs may be further configured to receive the selected policy from the RMS, store the selected policy, and perform actions specified by the selected policy when policy rules specified by the selected policy are violated.

Abstract: Systems and methods for continuous evaluation of workspace definitions using endpoint context. In some embodiments, an Information Handling System (IHS) of a workspace orchestration service may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: receive context information from a local management agent of a client device; in response to the context information indicating that a current workspace provided via the local management agent is over-privileged, modify a current workspace definition into a modified workspace definition, where the modified workspace definition outlines fewer resources than the current workspace definition; and transmit, to the local management agent, one or more files configured to enable the local management agent to modify the current workspace based upon the modified workspace definition to reduce a number of resources available to a user of the client device.

Abstract: An information handling system operating a low power communications engine comprising a wireless adapter for communicating on a low power communication technology network for receiving low power communication technology data traffic for at least one always-on remote management service for the information handling system, a controller receiving a location status of the information handling system via the low power communication technology network indicating a location or network, where the controller executes code instructions for a low power communications engine to assess a location trust level from an environment characteristics analysis engine to determine whether the location status is a trusted zone location or an untrusted zone location utilizing binary classification machine learning based on input variables including data relating to history of activity at the location or on the network learned by the environment characteristics analysis engine from reported operational or network activity, and the co

Abstract: A method of tunneling management traffic includes receiving at a managed system a control feature from a proxy-managed system that is connected to the managed system, determining that the proxy-managed system is not visible to a management system, providing the control feature to the management system in response to determining that the proxy-managed system is not visible, receiving a modification to the control feature from the management system, and providing, from the managed system, the modification to the control feature to the proxy-managed system in response to receiving the modification to the control feature from the management system.

Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: Systems and methods for managing network connections and priorities based on device profiles are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: receive instrumentation data from a plurality of devices coupled to the IHS via a network; receive observation data from the plurality of devices; correlate the observation data with the instrumentation data; and configure communications between the IHS and one or more the plurality of devices based, at least in part, upon the correlation.

Abstract: A method and system comprising a processor executing code instructions of a security filewall validation system for inspecting primitive file system operations to detect abnormal file types, abnormal file operation, or abnormal intended result files in violation of a security filewall rule set, a memory for storing the security filewall rule set describing permitted access to file types, file-paths, mounting points, data volume access rules, or data operations relating to the primitive file system operations where the security filewall validation system intercepts an attempted primitive file system operation and the security filewall validation system compares the attempted primitive file system operation including associated arguments indicating file, file location, and intended result to the security filewall rule set.

Abstract: A secured virtual environment provides access to enterprise data and may be configured remotely while isolated from the operating system of an Information Handling System (IHS). In secured booting of the IHS, references signatures are received via an out-of-band connection to the IHS. The reference signatures specify reference states for components of the IHS. Prior to launching a secured virtual environment, a trusted resource of the IHS, such as embedded controller isolated from the operating system, is queried for updated signatures specifying operating states of the component. The integrity of the IHS is validated based on comparisons of the respective reference signatures and updated signatures. If the integrity of the IHS is validated, a secured virtual environment is configured such that particular user may access the enterprise data according to applicable policies that may be periodically revalidated. The secured virtual environment may then be launched on the IHS.

Abstract: Systems and methods for tamper-proof detection triggering of automatic lockdown using a recoverable encryption mechanism issued from a secure escrow service. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; a secure storage device coupled to the processor, wherein the secure storage device comprises a container encrypted with a derived container key; and a memory coupled to the processor, the memory including program instructions stored thereon that, upon execution, cause the IHS to: receive a digital certificate from a remote server, wherein the digital certificate includes a public key and, in response to a detection of a tampering event, encrypt the derived container key using the public key.