Abstract: Techniques to manage mobile devices are disclosed. In various embodiments, a request to perform a management action with respect to a mobile device is received from a mobile device management (MDM) authority. A scope of authority of the MDM authority with respect to the mobile device is determined. The management action is caused to be performed with respect to the mobile device based at least in part on the determined scope of authority of the MDM authority with respect to the mobile device.

Abstract: Techniques to manage applications, such as mobile apps, across multiple management domains are disclosed. In various embodiments, a set of one or more application management policies to be enforced with respect to a mobile device is received from a management entity to which a scope of authority to manage applications with respect to the mobile device has been delegated. A management agent on the mobile device is used to enforce the one or more application management policies with respect to applications and application data that are within the scope of authority delegated to the management entity.

Abstract: Techniques to establish a communication system between an administrative node, such as a remote help desk, and an instance of a managed mobile app running on a mobile device are disclosed. In various embodiments, an indication is received to establish a help desk session associated with a mobile device. A help desk library embedded in mobile app code comprising a managed mobile app installed on the mobile device is used to provide the help desk session. The help desk library is configured to provide in real time to a help desk system external to the mobile device mobile app data associated with the managed mobile app while the managed mobile app is running on the mobile device.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: A mobile device traffic splicer is disclosed. In various embodiments, a network communication associated with a destination is received from a mobile device. A stored routing data associated with the mobile device is used to determine, based at least in part on the destination, to redirect the network communication to a proxy associated with the destination. The network communication is sent to the proxy associated with the destination. In various embodiments, one or both of metering network traffic by destination and/or domain and filtering network communications and/or portions thereof based on the destination and/or domain may be performed.

Abstract: Techniques of the present disclosure register a device to a mobile device management (MDM) network to enable access of the MDM network. In some embodiments, a registration service receives a request to register a device as a device managed by an enterprise associated with the registration service. In response, the registration service sends a response redirecting the device to authenticate via an authentication service, where the device is configured via an authentication profile to authenticate via the authentication service. The device sends a token issued by the authentication service of the enterprise. The registration service provides access to the registration service based the received token, including by allowing the registration service to be used to register the device as a device managed at least in part by the enterprise. The present techniques improve security of communications by registering a device without requiring input of sensitive authentication information.

Abstract: Techniques to provide secure mobile access to a cloud-based service are disclosed. In various embodiments, a request to access the cloud-based service is received from a mobile device. A security certificate associated with the request is used to synthesize a basic authentication header associated with the request. The synthesized basic authentication header is sent to the cloud-based service on behalf of the mobile device.

Abstract: A containerized architecture to secure and manage Internet-connected devices, such as “Internet of Things” devices, is disclosed. In various embodiments, one or more containerized applications are run, e.g., on an Internet of Things gateway, subject to management by the management server. At least one of the containerized applications is a management agent configured to participate, subject to control of the management server, in management of one or more other of said containerized applications.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: Secure application-to-application communication is disclosed. A shared encryption key may be used to encrypt data to be transferred from a first mobile application to a second mobile application. The encrypted data is provided to a shared storage location. The second mobile application is configured to retrieve the encrypted data from the shared storage location.

Abstract: Location, time, and other contextual mobile application policies are disclosed. Access state information associated with a managed set of applications may be determined based at least in part on environmental context data associated with a mobile device and one or more contextual policies associated with the managed set of applications. The access state information may be provided to at least one application included in the managed set of applications, wherein at least one application in the managed set of applications is configured to use the access state information to regulate use of the application in a manner required by the one or more contextual policies.

Abstract: Techniques to authorize access to a service are disclosed. In various embodiments, a token that includes data comprising or otherwise associated with a device identifier of a device on which an application configured to access a service is installed is provided to the application. A service access authorization request that includes the token is received. The token is used to determine device information associated with the service access authorization request.

Abstract: Information associated with a remote display server is received at a mobile device from a device management server. A local display node is advertised. A request to connect to the local display node is received from a mobile device component. The component sends the request in response to a command received from the device management server to connect to the local display node. The local display node uses the information associated with the remote display server to advertise the local display node in a manner that associates the local display node with the command received by the component. A connection is established between the local display node and the component in response to the request. The information associated with the remote display server and the connection between the component and the local display node is used to transparently proxy data from the component to the remote display server.

Abstract: Techniques to manage mobile devices are disclosed. In various embodiments, a request to perform a management action with respect to a mobile device is received from a mobile device management (MDM) authority. A scope of authority of the MDM authority with respect to the mobile device is determined. The management action is caused to be performed with respect to the mobile device based at least in part on the determined scope of authority of the MDM authority with respect to the mobile device.

Abstract: Techniques described herein convert mobile traffic between different types of VPN protocols, including IP and Transport. In an embodiment, a security proxy associated with a server receives a packet associated with a client app on a device, the packet including a source identifier and a destination identifier. The security proxy reassigns a tunnel identifier as the source and a node identifier as the destination, then stores a correlation of the tunnel identifier, the source identifier, and the destination identifier. The security proxy forwards the packet to the node inside the security proxy, and determines the destination identifier based on the correlation. The node then forwards the packet to the destination. This allows for multiple devices to use a same source identifier, e.g., same IP address. In some embodiments, a secure connection is established and/or the device and server are mutually authenticated prior to the processing of the packets.

Abstract: A mobile device management system that monitors the security state of one or more mobile devices and sets indicators related to such security state. Enterprise network applications, such as an email application, can access the security state information when making access control decisions with respect to a given mobile device.

Abstract: In various embodiments, a device may include a communications interface configured to receive, from the device management server, an indication to perform an action that requires access to a privileged user space. The device may include a processor configured to use a bridge service to perform the action, where the bridge service runs in a security context that enables the service to operate in the privileged user space. In various embodiments, a server may include a communications interface and a processor. The processor may be configured to receive an indication to perform a management action not within a native device management functionality. The processor may be further configured to invoke a bridge service running on the managed device to perform the action by sending a request via the communications interface, where the bridge service runs in a security context that enables the service to operate in the privileged user space.

Abstract: Adapting a mobile or other application (“app”) to a partitioned environment is disclosed. In various embodiments, a “secure zone” or other logical partition is created and enforced at least in part by adapting a mobile or other app to behave in a manner required by and/or otherwise associated with the secure zone or other partition and which behavior is or in various embodiments may be different than a native behavior of the mobile or other app as designed and written by an application developer of the app.

Abstract: Techniques to provide secure access to a cloud-based service are disclosed. In various embodiments, a request is received from a client app on a device to connect to a security proxy associated with the cloud-based service. A secure tunnel connection between the device and a node with which the security proxy is associated is used to establish the requested connection to the security proxy. Information associated with the secure tunnel is used to determine that the requesting client app is authorized to access the cloud-based service from the device and to obtain from an identity provider associated with the cloud-based service a security token to be used by the client app to authenticate to the cloud-based service.

Abstract: Embodiments of the present application relate to a method, apparatus, and system for enrolling a mobile device with an enterprise network. The method includes receiving, from a mobile device, a request to access an enrollment address. In response to receiving the request to access the enrollment address, determining whether the mobile device is pre-enrolled with the enterprise network, and in the event that the mobile device from which the request to access the enrollment address is received corresponds to the mobile device that is pre-enrolled with the enterprise network, pushing user-specific settings to the mobile device.