Abstract: After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider. For enhanced security, conformance to an organizational security policy is verified at time of sign-on, and an authenticatable link is used to invoke the third-party application to foil attempts by malicious software to substitute another application.

Abstract: After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider. For enhanced security, conformance to an organizational security policy is verified at time of sign-on, and an authenticatable link is used to invoke the third-party application to foil attempts by malicious software to substitute another application.

Abstract: An identity management system provides single sign-on (SSO) services to clients, logging the clients into a variety of third-party services for which the clients have accounts. An SSO integration is stored for each of the third-party services, the SSO integration including information that allows the identity management system to automate the login for the corresponding third-party service, such as locations of the login pages, and/or identities of username and password fields. The identity management system uses different techniques in different embodiments to detect that a given SSO integration is broken (i.e., no longer permits login for its corresponding third-party service) and/or to repair the SSO integration.

Abstract: Registering a computer system for use in an enterprise. A method includes receiving, from a device management infrastructure of the enterprise, an executable system management component (SMC), and installing the SMC at a storage device. The method also includes executing the SMC, causing the computer system to register with the device management infrastructure, including applying a device settings policy to a configuration of the computer system. Executing the SMC also causes the computer system to configure itself to periodically execute a maintenance task received from the device management infrastructure.

Abstract: After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider.

Abstract: Registering a computer system for use in an enterprise. A method includes receiving, from a device management infrastructure of the enterprise, an executable system management component (SMC), and installing the SMC at a storage device. The method also includes executing the SMC, causing the computer system to register with the device management infrastructure, including applying a device settings policy to a configuration of the computer system. Executing the SMC also causes the computer system to configure itself to periodically execute a maintenance task received from the device management infrastructure.

Abstract: Installing apps on a device. The device is generally configured to be used in a closed market environment that only allows generally available apps of the closed market to be installed. The method includes determining that the device has been authorized to install apps outside of a set of apps generally available from the closed market and from a set of apps available only to users of a particular enterprise. The method further includes determining that an app, that is not generally available from the closed market, has been verified by a central authority. The method further includes installing the app on the device in spite of the fact that the device is generally configured to be used in a closed market environment.

Abstract: An identity management system provides single sign-on (SSO) services to clients, logging the clients into a variety of third-party services for which the clients have accounts. An SSO integration is stored for each of the third-party services, the SSO integration including information that allows the identity management system to automate the login for the corresponding third-party service, such as locations of the login pages, and/or identities of username and password fields. The identity management system uses different techniques in different embodiments to detect that a given SSO integration is broken (i.e., no longer permits login for its corresponding third-party service) and/or to repair the SSO integration.

Abstract: Installing apps and setting configuration on a device. A method includes receiving user input. The user input indicates a level of control that a user is willing to give an enterprise over the device. The method further includes determining, based on the level of control indicated by the user input, a set of apps allowed to install on the device. The set of apps allowed to install on the device is limited by the level of control indicated by the user. The method further includes authorizing installation of the set of apps on the device while restricting installation of other apps that would be authorized had the user selected a different level of control that the user is willing to give the enterprise over the device.

Abstract: After an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider.

Abstract: Installing apps on a device. The device is generally configured to be used in a closed market environment that only allows generally available apps of the closed market to be installed. The method includes determining that the device has been authorized to install apps outside of a set of apps generally available from the closed market and from a set of apps available only to users of a particular enterprise. The method further includes determining that an app, that is not generally available from the closed market, has been verified by a central authority. The method further includes installing the app on the device in spite of the fact that the device is generally configured to be used in a closed market environment.

Abstract: Installing apps and setting configuration on a device. A method includes receiving user input. The user input indicates a level of control that a user is willing to give an enterprise over the device. The method further includes determining, based on the level of control indicated by the user input, a set of apps allowed to install on the device. The set of apps allowed to install on the device is limited by the level of control indicated by the user. The method further includes authorizing installation of the set of apps on the device while restricting installation of other apps that would be authorized had the user selected a different level of control that the user is willing to give the enterprise over the device.