Abstract: This document relates to a process for supporting the management of a variety of types of deployed devices. Administrators utilizing enterprise services can provide generic configuration data using configuration templates, which can be provided to a management server. The management server can then precompute device-specific configuration settings and resolve any conflicts that may arise based on the configuration templates. The configuration templates can also include placeholders for secret values, and once a managed device checks in to the management server, the secret values can be retrieved from an applicable enterprise service and provided to the managed device at the time of applying the configuration template.

Abstract: Various technologies described herein pertain to controlling configuration of a computing device. A configuration request can be received, at the computing device, from a configuration source external to the computing device. The configuration request can include configuration data for a dependent feature. An evaluation can be performed at the computing device to determine whether a dependency graph for the dependent feature is satisfied. The dependency graph for the dependent feature can specify interdependencies between configurations of a set of features such that remaining features in the set of features are to be configured prior to enabling the dependent feature to be configured. Moreover, the dependent feature can be configured based on the configuration data when the dependency graph for the dependent feature is satisfied. The configuring of the dependent feature based on the configuration data can be prohibited prior to the dependency graph for the dependent feature being satisfied.

Abstract: A device boots in a secure manner that allows measurements reflecting which components are loaded during booting to be generated. Measurements of such components, as well as of a device management agent and the security state of the device, are also obtained. The device management agent accesses an attestation service for an enterprise, which is a collection of resources managed by a management service. The device management agent provides the obtained measurements to the attestation service, which evaluates the measurements and based on the evaluation determines whether the device is verified for use in the enterprise. The management service uses this verification to ensure that the device management agent is running in a secure manner, is accurately providing indications of the state of the device to the management service, and is implementing policy received from the management service.

Abstract: A configuration control transfer (“CCT”) system controls the transferring of control of configuration information of a device from a current configuration source to a target configuration source. A CCT server of the CCT system may send a request for the configuration information of the device where the configuration information of the device currently under control of the at least one first configuration source. The CCT server may also receive the requested configuration information, determine whether the second configuration source is able to support the configuration information of the first configuration source, and based at least on a determination that the second configuration source is able to support the configuration information, request that the device transfer control of the configuration information from the first configuration source to the second configuration source to unenroll the device with the first configuration source and enroll the device with the second configuration source.

Abstract: Various technologies described herein pertain to controlling reconfiguration of a dependency graph for coordinating reconfiguration of a computing device. An operation can be performed at the computing device to detect whether an error exists in the dependency graph for a desired configuration state. The dependency graph for the desired configuration state specifies interdependencies between configurations of a set of features. An error can be detected to exist in the dependency graph when the desired configuration state differs from an actual configuration state of the computing device that results from use of the dependency graph to coordinate configuring the set of features. Feedback concerning success or failure of the dependency graph on the computing device can be sent from the computing device to a configuration source. The dependency graph can be modified (by the computing device and/or the configuration source) based on whether an error is detected in the dependency graph.

Abstract: A configuration control transfer (“CCT”) system controls the transferring of control of configuration information of a device from a current configuration source to a target configuration source. A CCT server of the CCT system may send to the device a message requesting the configuration information of the device. In response, a CCT client of the CCT system collects the configuration information of the device and sends the collected configuration information to the CCT server. If the second configuration source can support the configuration information of the current configuration source, the CCT server requests that the device transfer control of the configuration information from the current configuration source to the target configuration source. The CCT client then transfers control of the configuration information to the target configuration source as the new current configuration source and un-enrolls the device from the former current configuration source.

Abstract: Embodiments described herein are directed to implementing compliance settings by a computing device for bringing the computing device into compliance with a configuration scenario. For instance, a computing device may receive, from a server, configuration information describing compliance settings for implementing by the computing device to bring the computing device into compliance with a configuration scenario. Moreover, the computing device may identify a state machine indicated by the configuration information that describes a configuration process for implementing the compliance settings and execute the state machine to configure the computing device with the compliance settings.

Abstract: Various technologies described herein pertain to managing multiple enrollments of a computing device into configuration sources. Respective enrollment types for the enrollments into the configuration sources can be detected. Moreover, respective control data for the enrollments into the configuration sources can be set based on the enrollment types. Provisioning elements (e.g., policies, preferences, configuration profiles, and resources) that satisfy the respective control data can be permitted to be applied to the computing device by the configuration sources as part of the enrollments. Further, disparate provisioning elements that fail to satisfy the respective control data can be prevented from being applied to the computing device as part of the enrollments.

Abstract: Embodiments described herein are directed to managing device compliance for devices that are connected to an enterprise network. For example, a mobile device manager may provide configuration settings to a computing device, which implements the settings in order to be compliant with an enterprise's data and/or security policy. The mobile device manager also maintains a local reference of each device's configuration settings implemented thereby. When the mobile device manager subsequently performs a determination as to whether the computing device is still in compliance, the mobile device manager simply needs to refer to the local reference to determine the computing device's settings instead of explicitly querying the computing device for its settings.

Abstract: Various technologies described herein pertain to evaluating configuration compliance of a computing device. The computing device operates in a configuration compliance evaluation mode to test a set of configuration requests for a configuration source. Configuration changes to the computing device can be applied in a virtual machine run on the computing device when operating in the configuration compliance evaluation mode. Responsive to each configuration request being received and when the computing device is operating in the configuration compliance evaluation mode, the computing device can store the configuration request in a data store, apply the configuration request in the virtual machine to cause a configuration change in the virtual machine, and store data for verifying enforcement of the configuration change in the data store.

Abstract: Various technologies described herein pertain to controlling configuration of a computing device. A configuration request can be received, at the computing device, from a configuration source external to the computing device. The configuration request can include configuration data for a dependent feature. An evaluation can be performed at the computing device to determine whether a dependency graph for the dependent feature is satisfied. The dependency graph for the dependent feature can specify interdependencies between configurations of a set of features such that remaining features in the set of features are to be configured prior to enabling the dependent feature to be configured. Moreover, the dependent feature can be configured based on the configuration data when the dependency graph for the dependent feature is satisfied. The configuring of the dependent feature based on the configuration data can be prohibited prior to the dependency graph for the dependent feature being satisfied.

Abstract: Various technologies described herein pertain to controlling configuration of a computing device. A configuration request can be received, at the computing device, from a configuration source external to the computing device. The configuration request can include configuration data for a dependent feature. An evaluation can be performed at the computing device to determine whether a dependency graph for the dependent feature is satisfied. The dependency graph for the dependent feature can specify interdependencies between configurations of a set of features such that remaining features in the set of features are to be configured prior to enabling the dependent feature to be configured. Moreover, the dependent feature can be configured based on the configuration data when the dependency graph for the dependent feature is satisfied. The configuring of the dependent feature based on the configuration data can be prohibited prior to the dependency graph for the dependent feature being satisfied.

Abstract: Various technologies described herein pertain to controlling reconfiguration of a dependency graph for coordinating reconfiguration of a computing device. An operation can be performed at the computing device to detect whether an error exists in the dependency graph for a desired configuration state. The dependency graph for the desired configuration state specifies interdependencies between configurations of a set of features. An error can be detected to exist in the dependency graph when the desired configuration state differs from an actual configuration state of the computing device that results from use of the dependency graph to coordinate configuring the set of features. Feedback concerning success or failure of the dependency graph on the computing device can be sent from the computing device to a configuration source. The dependency graph can be modified (by the computing device and/or the configuration source) based on whether an error is detected in the dependency graph.

Abstract: Various technologies described herein pertain to evaluating configuration compliance of a computing device. The computing device operates in a configuration compliance evaluation mode to test a set of configuration requests for a configuration source. Configuration changes to the computing device can be applied in a virtual machine run on the computing device when operating in the configuration compliance evaluation mode. Responsive to each configuration request being received and when the computing device is operating in the configuration compliance evaluation mode, the computing device can store the configuration request in a data store, apply the configuration request in the virtual machine to cause a configuration change in the virtual machine, and store data for verifying enforcement of the configuration change in the data store.

Abstract: Various technologies described herein pertain to controlling configuration of a computing device. A configuration request can be received, at the computing device, from a configuration source external to the computing device. The configuration request can include configuration data for a dependent feature. An evaluation can be performed at the computing device to determine whether a dependency graph for the dependent feature is satisfied. The dependency graph for the dependent feature can specify interdependencies between configurations of a set of features such that remaining features in the set of features are to be configured prior to enabling the dependent feature to be configured. Moreover, the dependent feature can be configured based on the configuration data when the dependency graph for the dependent feature is satisfied. The configuring of the dependent feature based on the configuration data can be prohibited prior to the dependency graph for the dependent feature being satisfied.

Abstract: Various technologies described herein pertain to policy management on a mobile device. The mobile device includes a device policy manager system that includes a unified interface component and a policy handler component. The unified interface component is configured to receive policy configuration requests from multiple policy sources, including at least an internal policy source component executed by the mobile device and a device management server external to the mobile device. The policy configuration requests include at least a first policy configuration request (a first policy value for a policy) from a first policy source and a second policy configuration request (a second policy value for the policy) from a second policy source. The policy handler component is configured to resolve the conflict between the first and second policy values based on a conflict resolution technique to set a current policy value for the policy that controls the mobile device.

Abstract: A configuration control transfer (“CCT”) system controls the transferring of control of configuration information of a device from a current configuration source to a target configuration source. A CCT server of the CCT system may send to the device a message requesting the configuration information of the device. In response, a CCT client of the CCT system collects the configuration information of the device and sends the collected configuration information to the CCT server. If the second configuration source can support the configuration information of the current configuration source, the CCT server requests that the device transfer control of the configuration information from the current configuration source to the target configuration source. The CCT client then transfers control of the configuration information to the target configuration source as the new current configuration source and un-enrolls the device from the former current configuration source.

Abstract: A facility for maintaining the state of a managed device is described. The facility receives an indication that the managed device is to be unenrolled from management. In response to receiving the indication, during a first time period, the facility performs a first unenrollment task with respect to the managed device. In response to receiving indication, during a second time period that does not intersect the first time period, performing a second unenrollment task with respect to the managed device that is distinct from the first unenrollment task.

Abstract: A device boots in a secure manner that allows measurements reflecting which components are loaded during booting to be generated. Measurements of such components, as well as of a device management agent and the security state of the device, are also obtained. The device management agent accesses an attestation service for an enterprise, which is a collection of resources managed by a management service. The device management agent provides the obtained measurements to the attestation service, which evaluates the measurements and based on the evaluation determines whether the device is verified for use in the enterprise. The management service uses this verification to ensure that the device management agent is running in a secure manner, is accurately providing indications of the state of the device to the management service, and is implementing policy received from the management service.

Abstract: A facility for maintaining the state of a managed device is described. The facility receives an indication that the managed device is to be unenrolled from management. In response to receiving the indication, during a first time period, the facility performs a first unenrollment task with respect to the managed device. In response to receiving indication, during a second time period that does not intersect the first time period, performing a second unenrollment task with respect to the managed device that is distinct from the first unenrollment task.