Abstract: Adapting a mobile or other application (“app”) to a partitioned environment is disclosed. In various embodiments, a “secure zone” or other logical partition is created and enforced at least in part by adapting a mobile or other app to behave in a manner required by and/or otherwise associated with the secure zone or other partition and which behavior is or in various embodiments may be different than a native behavior of the mobile or other app as designed and written by an application developer of the app.

Abstract: Location and time based mobile app policies are disclosed. One or more location and time policies are received at a management agent on a device. The policies are calculated by processing user and group information. Policy information in a bus is updated with a current allowed state. Location information is received from the device. The location information includes a new location that is not an allowed location. A use of an application may be blocked by the management agent based at least in part on the received location information.

Abstract: Providing secure access to a mobile or other device using a network-assisted PIN or other short password is disclosed. In various embodiments, upon entry by a user of a personal identification number (PIN) or other short password, the password and a unique identifier, such as a user and/or device identifier, and/or other data, are sent to a remote server. The remote server returns to the mobile or other device a cryptographic key and/or other data, such as a more secure (e.g., more characters and/or including characters drawn from a larger set of characters) password usable at the mobile device to access encrypted data.

Abstract: In particular implementations, a mobile device management system allows network administrators to control the distribution and publication of applications to mobile device users in an enterprise network. A user profile is accessed to determine a user attribute. A catalog of applications is filtered based at least in part on the user attribute and an enterprise application availability policy to determine a set of applications to be returned and provided via an enterprise mobile device application management interface.

Abstract: A partitioned application environment is disclosed. In various embodiments, a request associated with an application environment in which an application is running is received from the application. A determination is made to fulfill the request at least in part via a call to a node at which application code associated with the application is running in an application environment partition provided at the node. A call associated with the request is sent to the node, based at least in part on the determination.

Abstract: Preventing enterprise or other protected content data from “leaking” from being under secure management on a device, for example by virtue of being viewed using an untrusted app on the device, is disclosed. An indication is received that a content to be provided to a first mobile application on a mobile device is to be protected against unauthorized access at the mobile device using unauthorized applications other than the first mobile application. The content is encrypted while in transit to the mobile device, using a key associated with a second mobile application authorized to be used to access the content at the mobile device.

Abstract: Adaptive encryption optimization is disclosed. A first secure tunnel is established between a device and a node. It is determined that a second secure tunnel between an application on the device and a server has been established. The second secure tunnel is established at least in part using the first secure tunnel. The first secure tunnel is removed based at least in part on the determination that the second secure tunnel has been established.

Abstract: One embodiment of the present disclosure provides a method that includes accessing, by a mobile device management system, a profile for a mobile device. The method also includes negotiating, by the mobile device management system, with a certificate authority to obtain a certificate for the mobile device. The negotiating with the certificate authority includes imitating the mobile device based on the profile. The negotiating with the certificate authority also includes, based at least on the imitation, transmitting one or more certificate enrollment messages to the certificate authority. The negotiating with the certificate authority further includes, based on the one or more messages, receiving, at the mobile device management system, the certificate for the mobile device. The method further includes transmitting the certificate to a control agent hosted on the mobile device for installation.

Abstract: Rule-based mobile device management delegation is disclosed. A set of rules are applied to attributes associated with a mobile device to assign the mobile device to one of a plurality of management partitions. The mobile device is managed according to a policy associated with the assigned management partition.

Abstract: Self-removal of enterprise application data (e.g., managed application data) is disclosed. It may be determined that a data removal condition has been satisfied. Based at least in part on the determination, data removal information may be generated for a plurality of applications including a managed set of mobile applications. The data removal information may be provided to at least a first application included in the plurality of applications. The first application may provide the data removal information to a data storage location accessible to at least a second application upon a data removal-related event.

Abstract: Secure transfer of mobile application content is disclosed. A state-related event associated with a managed application in a managed set of applications may be detected. It may be determined that content from the managed application is stored at a public storage location on a mobile device. At least a portion of the content may be transferred to a secure storage location accessible to the managed set.

Abstract: Virtual file management is disclosed. Managed content from multiple separate storage domains is organized into a virtual file system that maintains with respect to each of at least a subset of said separate storage domains information of storage domain specific file system primitives to perform primitive operations with respect to content stored in that storage domain. Policies are determined that apply to the managed content. Each policy indicates primitive operations permitted to be performed with respect to the managed content. Information comprising the virtual file system and the policies is provided to a client application on a mobile device. The client application is configured to provide access to the managed content in the virtual file system in a manner at least in part indicated in the policies, including by allowing the permitted primitive operations to be performed using said storage domain specific file system primitives.

Abstract: An enterprise zone is disclosed. An attempt to use an application in a zone of applications may be received. The application may find that the zone of applications is locked. A passcode may be requested to unlock the zone of applications. A received passcode may be validated. An application bus may be updated. Use of the application may be allowed.

Abstract: Securing access to one or more applications in an enterprise zone (e.g., a set of protected applications) is disclosed. A last activity time associated with a use of at least one mobile application in the protected subset may be retrieved from a shared storage location associated with a protected subset of two or more protected mobile applications. It may be determined that the last activity time is within a session expiration time period associated with the protected subset. Access to one or more applications in the protected subset may be allowed without credential verification based at least in part on the determination.

Abstract: In various embodiments, a control client is configured to determine whether or not the most current configuration profile has been installed within a corresponding mobile device. In particular embodiments, the client is configured to store its own copy of a configuration profile and to compare its copy with the most current configuration profile generated by a device management system as well as to the configuration profile currently installed and applied by a configuration manager within the mobile device. Each configuration profile includes an embedded verification token that facilitates this process. Furthermore, the client may be configured to inform the device management system as to whether or not the current configuration profile has been installed. The device management system may govern enterprise access by the mobile device based on whether or not the current configuration profile has been installed.

Abstract: A user interface for a virtual file management system that provides user access to managed content on mobile devices. The system comprises storage domains storing the managed content distributively using file systems, and a data infrastructure that organizes the managed content into a virtual file system. The data infrastructure includes a component that maintains policies defining controls for permissible operations on the managed content, the permissible operations including the file system primitives. A client application including a user interface is hosted on the mobile devices and is coupled to the data infrastructure and the storage domains and includes an enforcement component that retrieves and enforces the policies by applying the controls on the mobile devices.

Abstract: A secure mobile application connection bus is disclosed. First encryption information and an identifier associated with a data storage location on a mobile device are provided from a first application to a second application. Second encryption information associated with the second mobile application is retrieved from the data storage location. The second mobile application is configured to provide data to the data storage location. Data is transferred securely between the first mobile application and the second mobile application via the data storage location.

Abstract: In various embodiments, a method is described that includes receiving mobile device usage data directly from each of a plurality of mobile devices associated with a particular enterprise, aggregating the usage data from each of the plurality of mobile devices at a central database, and generating one or more mobile device usage reports based on the aggregated usage data.

Abstract: Distributed mobile device management including a plurality of management agents is disclosed. Management-related information may be retrieved from a storage location accessible to a plurality of management agents. The management-related information may have been provided to the storage location from a management agent associated with a managed application. And at least one operation may be performed based at least in part on the management-related information.

Abstract: Self-removal of enterprise application data (e.g., managed application data) is disclosed. It may be determined that a data removal condition has been satisfied. Based at least in part on the determination, data removal information may be generated for a plurality of applications including a managed set of mobile applications. The data removal information may be provided to at least a first application included in the plurality of applications. The first application may provide the data removal information to a data storage location accessible to at least a second application upon a data removal-related event.