Abstract: Disclosed are various embodiments of a multiuser unified endpoint management (UEM) system. A device check-in can be received from a client device. The device check-in can include a device identifier that uniquely identifies the client device with respect to other client devices and a user identifier that uniquely identifies the user of the client device with respect to other users of the client device. In response, a device channel identifier associated with the device identifier and a user channel identifier associated with both the user identifier and the device identifier can be obtained. Then a first set of entitlements associated with the device channel identifier and a second set of entitlements associated with the user channel identifier can be selected. Both sets of entitlements can be provided to the client device in response to the device check-in.

Abstract: Embodiments are described for editing a remote document residing on a server that is accessed by a mobile device over a remote desktop connection, by downloading portions of text to be locally edited from the remote document to the mobile device, performing edits on the downloaded text locally on the mobile device in an interface optimized for mobile device text editing, and conveying the edited portions back to the server to be inserted into a corresponding place in the document.

Abstract: Systems and methods are described for accessing resources of a Unified Endpoint Management (“UEM”) system through an enrolled device. In an example, an unenrolled device can be paired with an enrolled device. The unenrolled device can connect to the enrolled device on a local network. The enrolled device can verify the unenrolled device using a key provided during pairing. The unenrolled device can send requests for UEM resources to the enrolled device, which the enrolled device can send to a UEM server. The UEM server can send the requested UEM resources to the enrolled device, and the enrolled device can send the UEM resources to the enrolled device over the local network.

Abstract: Systems and methods are described for increasing web browser security on a user device managed by a device management system. In an example, the user device can use an unmanaged web browser to access secure enterprise content using a browser extension provided by the enterprise. When a user attempts to access secure content from an unmanaged browser, the device management system can communicate with the extension and a management application on the user device to authenticate the user and verify that the user device complies with certain policies. In one example, the device management system can include an extension recommendation engine that analyzes user browsing data and recommends browser extensions for the user. Based on policies, the device management system can recommend the extension to the user or force installation of the extension on the user device.

Abstract: Disclosed are various embodiments for enabling an enrolled client device of a user to access an enterprise resource via a second enrolled client device of the user. One such method comprises launching, by the first client device, a peer-to-peer communication channel between the first client device and a second client device of the user that is online with the management server; transmitting, by the first client device, a peer-to-peer offline access mode request over the peer-to-peer communication channel for the first client device to be given access to an enterprise resource that is being managed by the management server, wherein the request includes instructions for the second client device to forward the request to the management server, wherein the request further includes enterprise resource identification and verification data showing that the first client device is in compliance with a compliancy policy of the management service.

Abstract: Systems and methods are described for providing and configuring an overall user experience score. Mobile and desktop user devices can collect and send data to a server about an application installed on the devices and the health of the devices. The server can use the application data and device health information to determine three scores for the application: a mobile score for a mobile version, a desktop score for a desktop version, and a device health score. The server can determine an overall user experience score based on the lowest of the three scores. The server can cause the overall user experience score to be displayed in a first graphical user interface (“GUI”). A second GUI can allow an administrator to reconfigure scoring metrics for the user experience scores by moving elements on a sliding bar that changes thresholds.

Abstract: Enrollment management for virtual devices is described. In some examples, an enrollment agent of a virtual device retrieves a serial number using an operating system command that identifies the serial number locally to the virtual device. A request to identify device records with the management service is transmitted along with the serial number. A management identifier is received for a device record that is associated with the serial number. A local device management parameter of the virtual device is set to specify the management identifier. An enrollment request is transmitted to the management service.

Abstract: Methods and systems for providing load balancing are provided. Example embodiments provide an Application Workspace System “AWS” which enables users to access remote server-based applications using the same interface that they use to access local applications, without needing to know where the application is being accessed. In one embodiment, a load balancing message bus is provided that performs load balancing and resource discovery within the AWS. For example, the AWS may use a broadcast message-bus based load balancing to determine which servers to use to launch remote application access requests or to perform session management. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

Abstract: A system is described for redirecting multimedia in a collaborative session on a virtual desktop. The virtual desktop session can be established, and collaborator virtual desktop clients can be connected in a collaborative session where each collaborator can view the desktop GUI in their respective virtual desktop client. A request can be received to play media in a media player in the virtual desktop. The media stream can be intercepted in the virtual desktop before it is rendered in the media player and conveyed to each collaborator's client over a separate virtual channel established between the virtual desktop and each collaborator. The data stream can then be rendered in a client media player by each collaborator's client.

Abstract: Disclosed are various approaches for determining a version of an application for a user to access based at least in part an overall posture of the user and the device launching the application. An application can support multiple delivery mechanisms to allow a user different ways to access the service provided by the application. A posture level (e.g., level of risk, level of compliance) associated with the overall posture of a device and user accessing an application is determined. The posture level can be used to select which version of the application should be launched by the device in order to provide the best experience for the user while ensuring that security is considered.

Abstract: Disclosed are various examples for securing enterprise resources using a virtual private network. At least one computing device that can authenticate a client device for a virtual private network (VPN) connection based on a first device identifier received from the client device and a second device identifier received from a remote management service. The at least one computing device can determine that a network event associated with the client device has been observed and execute a machine learning routine to identify a pattern of access for the client device. A network access anomaly is determined in response to a network interaction of the client device deviating from the pattern of access for the client device. A remedial action is performed based on an anomaly type associated with the network access anomaly.

Abstract: Disclosed are various approaches for remotely deploying provisioned packages. An installer for an application is stored in a cache location of the client device. A hash of the installer is then written to a registry of the client device. The installer is then executed to install the application on the client device. Then, the client device is registered with a management service. Subsequently, a registration confirmation is received from the management service. The hash of the installer is then confirmed and the installed application is identified to the management service as a managed application installed on the client device.

Abstract: Systems and methods herein provide for improved email efficiency. Based on selections made while drafting an email, a user requesting a response can cause a calendar reminder to be generated and sent to a recipient for automatic entry on that recipient's electronic calendar. When the original sender indicates that an appropriate response has been received, the system can cause the calendar entry to be removed from the recipient's calendar. The system can also generate automatic reminder emails to prompt the recipient to respond to the sender. The sender can access a list of outstanding email responses that are still due from various recipients and modify the associated reminders as desired.

Abstract: Disclosed are various examples for transferring device identifying information during authentication. An enrollment request is received from a management component executed by a client device. A management service generates a unique device identifier for the client device and embeds it within a certificate to generate a device-identifying certificate. The management service instructs a certificate authority service to generate a public key that includes the unique device identifier and a private key for the client device, and provides the device-identifying certificate and the private key to the client device.

Abstract: Disclosed are various embodiments for providing split-tunneled network connectivity on a per-application basis. A DNS query is received from a locally hosted DNS resolver. A first recursive DNS query is sent to an external DNS server and a second recursive DNS query is sent to an internal DNS server. A first recursive DNS response is then received from the external DNS server and a second recursive DNS response is received from the external DNS server. A response is then provided to the DNS query.

Abstract: Systems and methods herein provide for improved email efficiency. Based on selections made while drafting an email, a user requesting a response can cause a calendar reminder to be generated and sent to a recipient for automatic entry on that recipient's electronic calendar. When the original sender indicates that an appropriate response has been received, the system can cause the calendar entry to be removed from the recipient's calendar. The system can also generate automatic reminder emails to prompt the recipient to respond to the sender. The sender can access a list of outstanding email responses that are still due from various recipients and modify the associated reminders as desired.

Abstract: Aspects of secure inter-application data communications are described. In one example, a first application executing on a computing device obtains an identity certificate. The identity certificate can include a unique identifier of the computing device and a public key of the first application. To obtain the public keys of other applications executing on the computing device, the first application can query a management computing environment using the identity certificate. Once the computing device is authenticated by the management computing environment, the management computing environment can store the public key of the first application and return any public keys of other applications executing on the computing device. Once the public keys have been exchanged between the applications, the applications can encrypt and sign data packages for secure data communications between each other.

Abstract: System and method are described for seamlessly installing applications on remote virtual desktops from installation files located on the local client device by redirecting the installation to the virtual desktop, while giving users an experience akin to installing applications on the local operating system. A request can be received on the client device to install an application from a corresponding installation file located on the client device, in a remote virtual desktop. In response to the request, a virtual desktop session can be established on the virtual desktop and the installation file can be redirected to the virtual desktop, where it can be launched to begin installing the application. To enable user interaction during the installation process, the application installation user interface (UI) can be streamed to the client device and user inputs into the installation UI can be conveyed back to the virtual desktop to be effectuated therein.

Abstract: Described herein is a method for creating and utilizing device navigational maps. The device navigational maps are modeled using directed graphs that contain detailed information of all components on the connected devices. An application systematically scans through the entire connected device and builds a detailed data model of the connected device, which is used as the navigational map.

Abstract: Systems and methods are described herein for assessing the device posture of user devices requesting access to a managed resource and for determining a confidence level in the device's posture. In an example, a user device can request a managed resource. A server can receive the request and retrieve an associated access policy. The access policy can include policy attributes to use for assessing the user device's device posture. The server can calculate a device attribute score for each policy attribute. The server can also calculate a confidence score for each device attribute score that measures the confidence level in the device attribute score. Using the two scores, the server can calculate a device posture score. Access to the resource can be granted or denied based on whether the device posture score exceeds a threshold score designated in the access policy.