Abstract: A system for locating and monitoring electronic devices utilizing a security system that is secretly and transparently embedded within the computer. This security system causes the client computer to periodically and conditionally call a host system to report its serial number via an encoded series of dialed numbers. A host monitoring system receives calls from various clients and determines which calls to accept and which to reject by comparing the decoded client serial numbers with a predefined and updated list of numbers corresponding to reported stolen computers. The host also concurrently obtains the caller ID of the calling client to determine the physical location of the client computer. The caller ID and the serial number are subsequently transmitted to a notifying station in order to facilitate the recovery of the stolen device. The security system remains hidden from the user, and actively resists attempts to disable it.

Abstract: A system and method for controlling the surveillance conducted by lost or stolen electronic devices dependent upon the location of such electronic devices is provided. A data repository contains data that specifies, for each of a plurality of geographic regions (e.g. legal jurisdictions), a set of surveillance methods that are permissible in the respective region. At least some of the geographic regions have different respective sets of permissible surveillance methods than others. A computer system is operable to communicate with the devices over a computer network, and programmed to use received information regarding a location of a potentially lost or stolen device, in combination with the data in the computer data repository, to cause the potentially lost or stolen device to initiate surveillance according to the set of permissible surveillance methods (and/or other actions) corresponding to the location.

Abstract: A data protection system selectively deletes data from an electronic device when the device is reported as lost or stolen, or when another data protection triggering event occurs. Different data files may, for example, be treated differently depending on when such files were created. For example, data files that were created while the computing device was known to be in the owner's possession may be deleted, while data files created after the electronic device left the owner's possession may be left intact (since they may have been created by an innocent user). Data files created between these two points in time may be quarantined so that they later be restored, if appropriate.

Abstract: A system is disclosed that protects private data of users while permitting the monitoring or tracking of electronic devices that are shared for both business and private purposes. The electronic devices are configured to selectively encrypt location data, and/or other types of data, before such data is transmitted to a monitoring center. For example, data collected or generated on a user device outside of work hours may be encrypted with a private key of the device's user prior to transmission to the monitoring center, so that the data is not accessible to the employer. Data collected or generated during work hours may be transmitted without such encryption.

Abstract: A system for locating and monitoring electronic devices utilizing a security system that is secretly and transparently embedded within the computer. This security system causes the client computer to periodically and conditionally call a host system to report its serial number via an encoded series of dialed numbers. A host monitoring system receives calls from various clients and determines which calls to accept and which to reject by comparing the decoded client serial numbers with a predefined and updated list of numbers corresponding to reported stolen computers. The host also concurrently obtains the caller ID of the calling client to determine the physical location of the client computer. The caller ID and the serial number are subsequently transmitted to a notifying station in order to facilitate the recovery of the stolen device. The security system remains hidden from the user, and actively resists attempts to disable it.

Abstract: A database stores results of scans for wireless (e.g., Wi-Fi) access points, some of them directly associated with GPS coordinates. Mobile electronic devices detect access points, details of which are sent to the database. Contents of the database are analyzed for relations between the scanned access points and previously stored GPS coordinates. If a relation is found, the GPS coordinates are used for determining or estimating the location of the mobile device.

Abstract: Techniques for performing an action, based on the present location of a client, to protect resources of the client from theft or unauthorized access. A server may intermittently receive, from a client, location information such as GPS information, triangulation information based on one or more Wi-Fi access points, and IP trace information. The server may determine the client's location by (a) determining, for an interval of time, whether GPS information, triangulation information, and IP trace information are available for the client, and (b) based on the available GPS information, triangulation information, and IP trace information, determining the present location of the client, e.g., by determining a weighted arithmetic mean or by using a sequence of types of location information ordered based on accuracy. In response to following a security policy, the server may perform an action, specified by the security policy, based on the present location of the client.

Abstract: Electronic devices without device names are provided with an application for retrieving a data point from the device from which a name can be deduced. A match for the data point is searched for in the contacts list in the device, and when found, the name corresponding to the contact entry, in which the data point has been found, is used to derive the device name. The derived device name (or information from which the device name may be derived) may be transmitted to a remote server which may be used for managing multiple such devices.

Abstract: A profile manager application is installed in an electronic device that fetches configuration profiles for third party applications from a remote server. Using code libraries incorporated in the third party applications and URL based commands, the profile manager application communicates with the third party applications to configure them according to the corresponding configuration profiles, even though the third party applications are running in a sandboxed environment.

Abstract: Techniques for protecting resources of a client from theft or unauthorized access. A BIOS agent stores policy data within a BIOS of the client. The BIOS agent is one or more software modules operating in the BIOS of the client. The policy data describes one or more security policies which the client is to follow. In response to the client following at least one of the one or more security policies, a persistent storage medium of the client is locked by instructing a controller of the persistent storage medium to deny, to any entity, access to data stored on the persistent storage medium unless the entity supplies, to the controller, a recognized authentication credential. In this way, a malicious user without access to the recognized authentication credential cannot access the data stored on the persistent storage medium, even if the persistent storage medium is removed from the client.

Abstract: A system and method for controlling the surveillance conducted by lost or stolen electronic devices dependent upon the location of such electronic devices is provided. A data repository contains data that specifies, for each of a plurality of geographic regions (e.g. legal jurisdictions), a set of surveillance methods that are permissible in the respective region. At least some of the geographic regions have different respective sets of permissible surveillance methods than others. A computer system is operable to communicate with the devices over a computer network, and programmed to use received information regarding a location of a potentially lost or stolen device, in combination with the data in the computer data repository, to cause the potentially lost or stolen device to initiate surveillance according to the set of permissible surveillance methods (and/or other actions) corresponding to the location.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: Techniques for securing a client. A BIOS agent stores policy data within a BIOS of the client. The BIOS agent is one or more software modules that execute in the BIOS of the client. The policy data describes one or more policies which the client should follow. When an operating system agent detects that a condition, specified by a particular policy of the one or more policies, has been met, the operating system agent performs one or more actions specified by the particular policy, such as disabling the client, retrieving a file from the client, erasing a file from the client, or encrypting a file on the client. The operating system agent is one or more software modules that execute in the operating system of the client.

Abstract: A system is disclosed that enables multiple electronic devices to be tracked in the case of theft or loss without the need for monitoring or tracking the devices prior to the loss or theft. The system operates by sending bulk status information regarding the lost/stolen statuses of multiple devices to one of these devices. The receiving device then decodes the bulk status information to determine its own lost/stolen status. If the status reveals that the device is currently reported as lost or stolen, the device initiates an appropriate security action, such as the transmission of its location to a monitoring center.

Abstract: The availability of software assets on electronic devices, such as mobile devices of users, is restricted based on the time as determined by a managing server. An application that runs on the electronic devices communicates with the server to obtain information regarding which software assets are permitted to be accessed, and restricts user access accordingly. The server may use a clock, in combination with administrator-generated access restriction policies, to determine which software assets are to be made available on each electronic device at particular points in time.

Abstract: A data protection system selectively deletes data from an electronic device when the device is reported as lost or stolen, or when another data protection triggering event occurs. Different data files may, for example, be treated differently depending on when such files were created. For example, data files that were created while the computing device was known to be in the owner's possession may be deleted, while data files created after the electronic device left the owner's possession may be left intact (since they may have been created by an innocent user). Data files created between these two points in time may be quarantined so that they later be restored, if appropriate.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: A system and method for controlling the surveillance conducted by lost or stolen electronic devices dependent upon the location of such electronic devices is provided. A data repository contains data that specifies, for each of a plurality of geographic regions (e.g. legal jurisdictions), a set of surveillance methods that are permissible in the respective region. At least some of the geographic regions have different respective sets of permissible surveillance methods than others. A computer system is operable to communicate with the devices over a computer network, and programmed to use received information regarding a location of a potentially lost or stolen device, in combination with the data in the computer data repository, to cause the potentially lost or stolen device to initiate surveillance according to the set of permissible surveillance methods (and/or other actions) corresponding to the location.

Abstract: An electronic device, for example, a laptop computer includes a processor, a transceiver module, for example, a Bluetooth module and a memory. The memory includes a platform proximity agent, which may be implemented as a series of instructions, which when executed by the processor, causes the processor to receive a Bluetooth signal from a corresponding provisioned Bluetooth device, for example, a cellular telephone. Next, determine whether the received signal exceeds both a strength threshold level and a predetermined time threshold level, where the signal strength and time threshold levels are established when the laptop and a corresponding cell phone are paired during a provisioning process. When the received signal strength and duration both exceed the corresponding policy based thresholds, the laptop enters (or remains in) a full power state with full access to the monitor and the platform.

Abstract: Techniques for securing a client. When a client, such as a portable computer, undergoes a change in operational state, an operating system agent sends a state message to a server. The state message describes the change in the operational state of the client. The operating system agent is one or more software modules that execute in an operating system of the client. The client receives a policy message from the server. The policy message contains policy data, which a BIOS agent stores in the BIOS of the client. The policy data identifies one or more security policies which the client should follow.