Abstract: An embodiment includes a method of vocal profile generation and implementation that includes causing display of a prompt for a user that represents an input value of a processing engine. The method includes obtaining a first spoken pronunciation from the user that corresponds to the prompt. The method includes generating a vocal profile based on the first spoken pronunciation that provides a basis for interpretation of vocal input received on distributed devices. The method includes storing the vocal profile at a data storage with other vocal profiles generated for users. The method includes obtaining identifier information that indicates that the user is operating a distributed device. Responsive to the identifier information, the method includes retrieving the vocal profile and loading it onto the distributed device such that obtained vocal input is interpreted according to the vocal profile prior its communication as an input value to the processing engine.

Abstract: A method of credential sharing between users in a system includes creating a credential for a first user that is configured such that entry of secure details of the credential enables execution of an operation. The method includes receiving data indicative of a first selection of the credential and a second selection of a second user. The method includes encrypting the secure details such that the second user is capable of decrypting the secure details and other users are incapable of decrypting the secure details. The method includes appending a profile of the second user with encrypted secure details. The method includes receiving an execution request to perform the first operation from the second user and decrypting the secure details. After entry of the decrypted secure details, the method includes authenticating the second user using the secure details and enabling execution of the first operation by the second user.

Abstract: An embodiment includes a method of self-election of a node in a subnet. The method includes receiving a first ping message. The first ping message is unicast from a second node, includes direct information related to the second node, and includes indirect information related to a third node. The method includes updating a first status of the second node in a status list stored at the first node consistent with the direct information. The method includes determining whether statuses of a threshold number of nodes have been received. Responsive to the threshold number of nodes being received, the method includes performing a local election operation. The method includes propagating a second ping message to a randomly identified additional node. The second ping message includes direct information regarding the first node and indirect information regarding at least one other node.

Abstract: A method may include obtaining Domain Name System (DNS) configuration policies, that indicate how to direct a DNS query based on various Internet Protocol (IP) addresses or Fully Qualified Domain Names (FQDNs). The method may include obtaining a DNS query request on a first interface adapter in which the DNS query request is obtained from a DNS client and directed toward a particular FQDN. The method may include determining whether the particular FQDN included with the DNS query request is included in the DNS configuration policies and directing the DNS query request to an alternative DNS destination responsive to determining that the particular FQDN is not included in the DNS configuration policies. The method may include generating, at the alternative DNS destination, a DNS response that includes an error code, injecting the DNS response into a Transport Control Protocol (TCP)/IP stack, and sending the DNS response to the DNS client.

Abstract: A method of executable storage in a peer-to-peer based software package distribution system. The method includes receiving an instruction to install a software package. An executable configured to execute installation of the software package may be available at a uniform resource location (URL). The method includes detecting a designation parameter. The method includes generating a subfolder name based on the designation parameter. The method includes searching a local cache folder and a peer cache folder for the executable based on the subfolder name. Responsive to the executable being unavailable at the local and peer cache folders, the method includes downloading the first executable from the URL. The method includes generating a subfolder for the executable in the local cache folder. The subfolder has the generated subfolder name. The method includes storing the executable in the generated subfolder.

Abstract: A method of establishing communication with a second device via wireless communication channel that is not natively secure. The method includes performing mutual authentication between the first and second devices by receiving via the communication interface from the second device a FIDO public certificate of the second device and using a FIDO public key of the second device. The FIDO public key of the second device having been registered by the second device with a FIDO relying party in connection with a user identity associated with both the first device and the second device. The FIDO public key of the second device having been fetched by the first device from the FIDO relying party in connection with FIDO registration of the first device with the FIDO relying party in connection with the user identity. The method may include negotiating a shared secret used to engage in ongoing communication.

Abstract: A method of dynamic structured data communication includes registering a structure configured for data communication between applications. The structure includes a structure name and a mapping between data elements and attributes related to the data elements. The structure is registered such that it is accessible to a second application. The method includes receiving encoded data from a first application. The encoded data includes values for the data elements encoded according to the structure and an indication of the structure name. The method includes resolving the encoded data to identify the structure name. Based on the structure name, the method includes accessing the structure and decoding the encoded data according to the accessed structure. The decoding includes generation of a first value that corresponds to a first data element of the encoded data and generated to conform to a first attribute mapped to the first data element in the accessed structure.

Abstract: An embodiment includes a method of application vulnerability assessment and prioritization. The method includes ingesting modelling data from data sources for application vulnerabilities. The method includes transforming at least a portion of the modelling data to covariate vectors. The method includes extracting keywords and phrases from the modelling data and statistically measuring relevance of files of the modelling data based on the extracted keywords and phrases. The method includes generating threat levels of the application vulnerabilities based on the covariate vectors and the measured relevance. The method includes outputting the threat levels to a network management system. The method includes implementing, at a first endpoint device of the network, a first patch to address one of the application vulnerabilities.

Abstract: An apparatus includes a processor operatively coupled to a memory. The processor receives a first set of risk assessment rules including first user privilege criteria and first device criteria. The first device criteria include a computing device patch level, a network type, and/or a password policy. The processor identifies a user-specific security risk based on the first set of risk assessment rules and applies a privilege mitigation measure based on the user-specific security risk without being in communication with a management server. The processor later receives a second, updated set of risk assessment rules at the computing device. Upon detecting another login of the user, the processor identifies an updated user-specific security risk based on the updated set of risk assessment rules, and applies a modified privilege mitigation measure based on the updated user-specific security risk, again without being in communication with the management server.

Abstract: A method of evaluating a computer-implemented product that is deployed on one or more endpoints. The method includes identifying a first program and a second program of a product deployed on a first endpoint of multiple endpoints. The method includes implementing a diagnostic process at the first endpoint. The diagnostic process includes a first subroutine directed to the first program and a second subroutine directed to a second program. The subroutines each execute installation and functional parameter tests of the programs. Responsive to the first subroutine indicating that the first program is operational, the method includes outputting data that the first subroutine passed. Responsive to the second subroutine returning an unexpected result, the method includes outputting data indicating details of the unexpected result and implementing a remediation that modifies the second program or a condition at the first endpoint to mitigate the unexpected result.

Abstract: A method may include accessing a key from a secure storage. A payload may be encrypted using the key. A policy token may be generated. The policy token may include a publicly-readable header including a header identifier of the key and the payload encrypted using the key. The policy token may be sent. The policy token may be received. The publicly-readable header may be read. The key may be identified using the header identifier of the key from the publicly-readable header. The key may be accessed from the secure storage. The payload may be decrypted using the key.

Abstract: An embodiment includes a method of vulnerability detection and mitigation in a managed network. The method includes receiving a defined state of a product on a managed endpoint of a managed network. The method includes detecting a trigger event in the managed network. The trigger event is indicative of a change to the managed device or to the product that is inconsistent with the defined state. Responsive to detection of the trigger event, the method includes automatically implementing a product modification process. The product modification process includes distribution of at least one product update to a product installed at the managed endpoint.

Abstract: An embodiment includes a method of data collection optimization in a managed network having a digital experience platform that includes collecting data from managed endpoints using first collection criteria. The first collection criteria include a first frequency and a first verbosity. The method includes identifying, in the collected data, device context data that indicates a defined event exists relative to an endpoint. The collected data or the device context data are used to compute a digital experience index. Responsive to the identified device context data, the method includes modifying the first frequency or the first verbosity to implement a second collection criteria relative to a subset of managed endpoints; collecting additional data from the subset of managed endpoints using the second collection criteria; receiving additional context data that indicates the defined event no longer exists; and in response, collecting data from the managed endpoints using the first collection criteria.

Abstract: A method of remote desktop protocol (RDP) operating system (OS) session remote-control includes providing security credentials to a client device. The method includes requesting OS sessions currently operating on the client device. The method includes receiving from an agent on the client device, an indication of OS sessions currently operating on the client device. The OS sessions include one or more RDP OS sessions and a console OS session. The method includes selecting a first RDP OS session of the one or more RDP OS sessions. Responsive to the selection of the first RDP OS session, the method includes communicating with an agent an instruction to initiate a remote-control interface with the client device. The remote-control interface is configured such that the agent transmits visual data of the RDP OS session to the service device and relays commands from the service device.

Abstract: An embodiment includes a method of real-time, endpoint-specific SLA compliance evaluation in a managed network. The method includes receiving SLA definition input that indicates an SLA definition of the managed network. Responsive to detection of a trigger event, the method includes initiating a scan of endpoints including retrieval of endpoint-level state data. The method includes identifying a portion of the retrieved state data relevant to the SLA definition. The method includes aggregating the portions of the retrieved state data. The method includes determining whether the managed network is SLA compliant at an endpoint-level of granularity based on the aggregated portions. Responsive to the managed network being noncompliant, the method includes identifying a subset of endpoints failing to meet the SLA definition and implementing a product modification process to address a metric of the SLA definition and change a product to bring the first endpoint into compliance.

Abstract: An embodiment includes a method of application vulnerability assessment and prioritization. The method includes ingesting modelling data from data sources for application vulnerabilities. The method includes transforming at least a portion of the modelling data to covariate vectors. The method includes extracting keywords and phrases from the modelling data and statistically measuring relevance of files of the modelling data based on the extracted keywords and phrases. The method includes generating threat levels of the application vulnerabilities based on the covariate vectors and the measured relevance. The method includes outputting the threat levels to a network management system. The method includes implementing, at a first endpoint device of the network, a first patch to address one of the application vulnerabilities.

Abstract: A method for patch management is described. The method includes downloading a patch that is incompatible with a patch management system. The method also includes creating an archive that is executable by the patch management system. The archive includes the incompatible patch. The method further includes sending the archive to the patch management system.

Abstract: A method of mobile device management (MDM) comprising scanning, by an optical reader of a first mobile device, an optical code. The optical code is generated based on a policy and a group that includes the first and a second mobile device. The optical code has encoded enrollment details of the policy. Responsive to the scanning, the method includes connecting to a computer interface on which an enrollment application is accessible and causing display of an enrollment page. The method includes receiving identification input entered into the enrollment page. In response to the identification input, the method includes automatically transferring the enrollment details and the identification input to the enrollment application. Based on the transfer, enrolling the first mobile device in a MDM system. Enrollment of the first mobile device includes enabling a set of functions of the first mobile device consistent with the policy of the group.

Abstract: A method of product update management in systems having product access restrictions associated with administrative credentials includes detecting that an operating system (OS) update is outstanding at an endpoint. The method includes communicating a request for an OS update to the endpoint and determining whether it is enrolled in a mobile device management (MDM) environment. If the endpoint is enrolled in the MDM environment, the method includes communicating a request for an MDM call to an MDM module of a management device. The MDM module includes authority to initiate the OS update. The method includes queuing and scheduling an OS update command with an MDM requester. The method includes communicating, by the MDM requester, an update command to a vendor agent of the endpoint. The method includes interfacing with a third party update service to retrieve an OS update and communicating with the OS to initiate installation the OS update.

Abstract: Techniques to provide secure access to a service via an unmanaged device are disclosed. In various embodiments, a request from an unmanaged device to access a service is received via a communication interface. A user associated with the request is authenticated at least in part by prompting the user to use a managed device associated with the user to interact with data displayed at the unmanaged device. Access to the service is provided via the unmanaged device at least in part via a virtual browser instance running on a secure node and configured to access the service on behalf of the user and stream data associated with the service to the unmanaged device.