Abstract: A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed.

Abstract: A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed.

Abstract: A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed.

Abstract: An endpoint machine has a unique endpoint identifier based on a configurable set of hardware attributes for an endpoint type. The endpoint agent running on that machine has an associated software identifier registered with the endpoint management solution upon install. The management server generates the unique endpoint identifier and provides it to the endpoint agent. Periodically, checks are run on the endpoint by the endpoint agent to determine if any of the hardware attributes have changed. If so, the endpoint identifier and the new hardware attribute values are sent to the management server, which uses the information to recognize the endpoint as the same endpoint or to detect a clone of known endpoint. If the endpoint type is unknown or does not exist, the unique software identifier may be used to facilitate the identification process, including the ability to detect a cloned machine.

Abstract: A method and a system are presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user is provisioned at a particular federated domain, the federated domain can provision the user to other federated domains within the federated environment. A provision operation may include creating or deleting an account for a user, pushing updated user account information including attributes, and requesting updates on account information including attributes.

Abstract: An endpoint machine has a unique endpoint identifier based on a configurable set of hardware attributes for an endpoint type. The endpoint agent running on that machine has an associated software identifier registered with the endpoint management solution upon install. The management server generates the unique endpoint identifier and provides it to the endpoint agent. Periodically, checks are run on the endpoint by the endpoint agent to determine if any of the hardware attributes have changed. If so, the endpoint identifier and the new hardware attribute values are sent to the management server, which uses the information to recognize the endpoint as the same endpoint or to detect a clone of known endpoint. If the endpoint type is unknown or does not exist, the unique software identifier may be used to facilitate the identification process, including the ability to detect a cloned machine.

Abstract: A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed.