Abstract: A method for rendering virtual desktops on an air-gapped endpoint is provided. The method includes rendering a first window presenting a first virtual desktop of a first security zone; rendering a second window presenting a second virtual desktop display of a second security zone, wherein the first security zone and the second security zone are of a plurality of security zones instantiated on the air-gapped endpoint; and controlling, by a hypervisor, display of the first window and the second window on a desktop of the air-gapped endpoint, wherein any application in the first security zone cannot access any application in the second security zone when displayed on the same desktop.

Abstract: A method and system for controlling access to external networks by an air-gapped endpoint is provided. The method includes providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).

Abstract: A method and system for method for providing a managed and isolated workspace on a user device are provided. The method creating a secured workspace in the user device, wherein the secured workspace is separated from a host operating system and includes a guest operating system; monitoring activity performed in the secured workspace and host operating system; determining, based on a security policy, if the monitored activity is risky; and causing execution of any determined risky activity in the secured workspace, thereby defending the host operating system from the determined risky activity, wherein the host operating system executes sensitive applications to an organization.

Abstract: A method for performing user experience (UX) functions on an air-gapped endpoint is provided. The method includes monitoring a plurality of virtual machines to detect at least one user request to be executed within a security zone; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.

Abstract: A method for binding a user account operable on an air-gapped computer to an appropriate virtual machine (VM), comprising: monitoring a plurality of VMs to determine an associated user account for each of the plurality of VMs, wherein the plurality of VMs are executed over the air-gapped computer, and wherein each of the plurality of VMs is a distinct security zone in the air-gapped computer; determining a current VM from the plurality of VMs to bind an associated user account thereto; and displaying user specific indications on desktop items associated with each user account.

Abstract: A system and method for providing a unified file system on an air-gapped endpoint are provided. The method included monitoring a plurality of security zones, instantiated on the air-gapped endpoint, to intercept at least one file system operation to access files on a first security zone; determining if the detected file system operation triggers a display of the file system dialog window effecting a second security zone; and when the file system dialog window effecting the second security zone, blocking the display of the file system dialog window in the first security zone; and displaying the file system dialog window in the second security zone.

Abstract: A system and method for providing a unified file system on an air-gapped endpoint are provided. The method includes monitoring the first and second security zones instantiated on the virtually air-gapped endpoint to intercept at least one file system operation to access files on the first security zone; determining if the detected file system operation triggers a display of a file system dialog window of the second security zone; and when the file system dialog window of the second security zone is determined to be triggered, preventing the display of a file system dialog window in the first security zone; and displaying the file system dialog window of the second security zone in the second security zone.

Abstract: A management agent operates transparently in the background on each endpoint computing device that needs to be managed. The agent sets up a sandboxed environment on the endpoint computing device on which it is operating in order to capture applications that have been installed on the endpoint device. The application capture is performed after the applications have been installed on the endpoint device and therefore does not require installing the application on any dedicated staging machine, nor any recording of the pre-installation state. The application capture process involves running the application from an isolated sandboxed environment on the computing device in order to identify all necessary components of the application by monitoring accesses by the application to components located outside of the sandbox. The identified components can then be packaged together and managed as individual application packages.

Abstract: A method for operating an air-gapped endpoint is provided. The method includes initializing, on the endpoint, a hypervisor for execution over a primitive operating system (OS) of the endpoint; creating an isolated security zone by instantiating a virtual machine using the hypervisor, wherein the security zone includes a plurality of applications executed over a guest OS; and auditing, by the hypervisor, any action performed by any application executed in the security zone.

Abstract: A method and system for controlling access to external networks by an air-gapped endpoint is provided. The method includes providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).

Abstract: A method for rendering virtual desktops on an air-gapped endpoint is provided. The method includes rendering a first window presenting a first virtual desktop of a first security zone; rendering a second window presenting a second virtual desktop display of a second security zone, wherein the first security zone and the second security zone are of a plurality of security zones instantiated on the air-gapped endpoint; and controlling, by a hypervisor, display of the first window and the second window on a desktop of the air-gapped endpoint, wherein any application in the first security zone cannot access any application in the second security zone when displayed on the same desktop.

Abstract: A method for performing user experience (UX) functions on an air-gapped endpoint is provided. The method includes monitoring a plurality of security zones, instantiated on the air-gapped endpoint, to detect at least one UX command executed in a first security zone; determining if the detected UX command triggers a UX function effecting a second security zone; determining if the UX function to be triggered maintains compliance with a security policy of the first and second security zones; and executing the UX function across the first and second security zones.

Abstract: A method for binding a user account operable on an air-gapped computer to an appropriate virtual machine (VM), comprising: monitoring a plurality of VMs to determine an associated user account for each of the plurality of VMs, wherein the plurality of VMs are executed over the air-gapped computer, and wherein each of the plurality of VMs is a distinct security zone in the air-gapped computer; determining a current VM from the plurality of VMs to bind an associated user account thereto; and displaying user specific indications on desktop items associated with each user account.

Abstract: A method for performing user experience (UX) functions on an air-gapped endpoint is provided. The method includes monitoring a plurality of virtual machines to detect at least one user request to be executed within a security zone; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.

Abstract: A system and method for providing a unified file system on an air-gapped endpoint are provided. The method included monitoring a plurality of security zones, instantiated on the air-gapped endpoint, to intercept at least one file system operation to access files on a first security zone; determining if the detected file system operation triggers a display of the file system dialog window effecting a second security zone; and when the file system dialog window effecting the second security zone, blocking the display of the file system dialog window in the first security zone; and displaying the file system dialog window in the second security zone.

Abstract: Systems and methods are described for capturing and reproducing the full state of an application session. An application is captured by performing a dump of various components of the session and storing the components in an application session capture. Captured components include a memory image, CPU register values, open handles to kernel objects, and loaded libraries. The session is reproduced when requested based on the session capture. In cases where locations or references to certain items (e.g., memory locations, open handle references, library addresses, etc.) are different when the session is restored, a driver is used to remap the old locations or references to the new locations or references.

Abstract: A system is described for backing-up a client device to a server using space-optimized snapshots. A snapshot is captured on the client device. The system determines which files of the snapshot are required to be uploaded to perform a backup. Thereafter, the system monitors the required files (and not other files) for write commands and directs write operations for the required files to be performed copy-on-write. After a required file is uploaded, the system stops monitoring the file and any copy-on-write data that may have been generated for the file is removed from the snapshot to conserve space. The process continues until all required files are uploaded.

Abstract: A management agent operates transparently in the background on each endpoint computing device that needs to be managed. The agent sets up a sandboxed environment on the endpoint computing device on which it is operating in order to capture applications that have been installed on the endpoint device. The application capture is performed after the applications have been installed on the endpoint device and therefore does not require installing the application on any dedicated staging machine, nor any recording of the pre-installation state. The application capture process involves running the application from an isolated sandboxed environment on the computing device in order to identify all necessary components of the application by monitoring accesses by the application to components located outside of the sandbox. The identified components can then be packaged together and managed as individual application packages.

Abstract: A management agent operates transparently in the background on each endpoint computing device that needs to be managed. The agent performs a static analysis of the system on the endpoint computing device on which it is operating in order to capture the applications that have been installed on the endpoint device. The static analysis is performed after the applications have been installed on the endpoint device and therefore does not require installing the application on any dedicated staging machine, nor any recording of the pre-installation state. The post-installation static analysis involves steps that are used to determine all of the necessary components that comprise the application, which can then be packaged together and managed as individual application packages.

Abstract: Systems and methods are described for packaging and deploying applications using minimal and maximal component sets. A minimal set of application components that includes at least the necessary components for launching the application is first downloaded to an endpoint device from a central server. The application is launched on the endpoint from the minimal set. If the application requests a missing component that is not available on the endpoint, the missing component is requested and delivered on-demand from a maximal set located on the server, where the maximal set contains all possible application components. The application is suspended during the download of the missing component. After the missing component is downloaded, the application is resumed, having access to the missing component on the endpoint.