Abstract: Various systems facilitate encrypted file storage. A client device may generate an encrypted version of a file. The client device may obtain at least one reference to at least one storage location for the encrypted version of the file. The client device may cause the encrypted version of the file to be store at the at least one storage location using the at least one reference to the at least one storage location.

Abstract: Examples of managed device risk assessment are described. In one example, a copy of an application installed on a client device is decompiled, to identify operations performed during execution of the application. A profile including one or more rules that specify whether the operations are assigned higher or lower levels of risk is obtained. A first number of times that the first rule is violated by the operations is determined, and a second number of times that the second rule is violated by the operations is determined. A total of the violations is compared against a threshold, and a remedial action is initiated in response to determining that the total exceeds the threshold.

Abstract: Disclosed are various approaches for generating a device posture token corresponding to a client device. The device posture token can be used by a verification computing device to determine whether the client device complies with the security policies of a particular facility.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Techniques are described for sharing clipboard data by redirecting it between different virtual desktop sessions. A first user establishes a first desktop session and submits a request to share their clipboard data with a second user working on a second virtual desktop session. The request to share clipboard data is transmitted from the first desktop session to a connection server, where it is determined whether the second user currently has any active virtual desktop sessions. If so, the connection server forwards the request to all active virtual desktop sessions of the second user, where the second user is provided with an option to approve or deny the request. If the second user approves the clipboard redirection request, the connection server notifies the first virtual desktop session, and a virtual channel of a remote display protocol can be established for sharing the clipboard data.

Abstract: Examples described herein include systems and methods for contextually providing automated device enrollment into a management system. A management application on a user device can receive network settings for connecting to a local server. The network settings can be preconfigured by an administrator. The management application can cause the user device to send an enrollment request and a device identifier to the local server. The device identifier can be used to validate the device and provide a security token to the management application. The management application can use the security token to complete enrollment of the user device.

Abstract: Examples of enterprise management using managed virtual machines are described. A host user context configuration can be received from a host management agent. The host user context configuration can include one or more policies. A managed virtual machine user context configuration can be received from a guest management agent within a managed virtual machine. A portion of the host user context configuration can be processed using a translation matrix to identify a configuration service provider (CSP)-based profile that is mapped to a policy from the host user context configuration. A command to enforce the CSP-based profile on the managed virtual machine can be transmitted.

Abstract: Embodiments of the disclosure relate to proxying at least one email resource from at least one email service to at least one client device, determining whether the email resources are accessible to the client devices via at least one unauthorized application on the client devices, and modifying the email resources to be inaccessible via the unauthorized applications on the client devices in response to a determination that the email resources are accessible via the unauthorized applications on the client devices.

Abstract: Disclosed are various embodiments for preventing unauthorized access to materials presented in a meeting room. In one example, a system comprises a computing device that is configured to identify a list of invited users for a meeting occurring in a meeting room and to detect a client device of an uninvited user that has entered the meeting room. An uninvited user notification is transmitted to a remote computing device. A suspension command is received for the meeting room from the remote computing device based on the uninvited user notification. The computing device is configured to enforce a suspension action on a meeting room device located in the meeting room based on the suspension command.

Abstract: A method of downloading or opening a file in response to a user input made through an application running in the computer system, includes the steps of detecting by the application that the user input is to download or open a file, issuing a request by the application to a file sanitation server to sanitize the file to remove embedded codes in the file and return the sanitized file, and upon receiving the sanitized file by the application, saving the sanitized file in a folder where the sanitized file can be opened.

Abstract: Disclosed are various examples for managing endpoints or client devices. A client device can be managed using unified endpoint management (UEM) protocols or using an endpoint management framework. A management console can allow an administrator to perform UEM management actions as well as out-of-band management actions on managed endpoints.

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data for the user device and compare it to a minimum access policy (“MAP”). The MAP can include threshold or binary values for states of a group of user device operational aspects. Where the compliance profile satisfies the MAP, the gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The virtual session can be configured at the VM server based on the compliance profile so as to allow access to a portion of a full virtual session capability scheme.

Abstract: A user accesses a remote session, the connection to which is managed by a connection broker, according to a single sign-on (SSO) process. The SSO process includes the user entering his or her credentials and being authenticated to the connection broker. In addition to user authentication, the SSO process includes connection broker authentication to confirm that the connection broker is trustworthy. When the connection broker is authenticated, the user credentials are transmitted to the connection broker in a secure manner and the connection broker forwards them onto a machine hosting the remote session so that the user can be logged into the remote session without entering his or her credentials again.

Abstract: A server-based desktop-virtual machines architecture may be extended to a client machine. In one embodiment, a user desktop is remotely accessed from a client system. The remote desktop is generated by a first virtual machine running on a server system, which may comprise one or more server computers. During execution of the first virtual machine, writes to a corresponding virtual disk are directed to a delta disk file or redo log. A copy of the virtual disk is created on the client system. When a user decides to “check out” his or her desktop, the first virtual machine is terminated (if it is running) and a copy of the delta disk is created on the client system. Once the delta disk is present on the client system, a second virtual machine can be started on the client system using the virtual disk and delta disk to provide local access to the user's desktop at the client system. This allows the user to then access his or her desktop without being connected to a network.

Abstract: Disclosed are various embodiments for managing deployment model migrations for enrolled devices. A client application can transmit a capability status to a management service in an instance in which a plurality of device conditions of the client device are validated. The client application can obtain and execute instructions that cause the client application to manage a migration of the client device from a first configuration to a second configuration. A user interface can be pinned on a display of the client device in an instance in which an enterprise environment endpoint is identified and a migration interface on the client device executed. The client application can transmit samples of device conditions of the second configuration of the client device to the management service.

Abstract: Embodiments perform automatic document handling by retrieving icons from local document handlers or from an application volumes manager, without installing the application locally. Embodiments further perform on-demand application mounting by intercepting and suspending requests to launch applications until the appropriate virtual disk, corresponding to the application, is mounted to the disk subsystem by the application volumes manager. The application launch is then resumed.

Abstract: Disclosed herein are examples of systems and methods for formatting electronic messages using machine learning. An electronic message can be obtained, and a processed message can be generated based at least in part on the electronic message. At least one attribute for the processed message can be determined. A formatting specification can be generated based at least in part on the at least one attribute. A reformatted message can be generated based at least in part on the formatting specification.

Abstract: A scanner redirection method for a remote desktop system that includes a client computing device that has running therein a scanner redirection module, and a host server, the scanner redirection module including a data source manager for communicating with a data source that is configured to communicate with a physical scanner, includes the steps of: receiving from an application running on the host server, a request for a scanned image; in response to the request for the scanned image, transmitting to the data source a request to acquire the scanned image from the physical scanner; and upon receiving the scanned image from the data source, transmitting the scanned image to the application.

Abstract: Various examples for managing a client device having multiple enrolled user accounts thereon are described. A computing device is directed to store a mapping of a client device to a plurality of user accounts active. The computing device communicates remotely with a management application on the client device to identify an active one of the user accounts from an operating system of the client device. In response to receipt of information associated with a first one of the user accounts active on the client device, the computing device enrolls the first one of the user accounts with a management service in association with the client device. In response to receipt of information associated with a second one of the user accounts active on the client device, the computing device enrolls the second one of the user accounts with the management service in association with the client device.

Abstract: Disclosed are various embodiments for automatic enrollment of Internet of Things (IoT) endpoints. An identity of an IoT endpoint is verified by an IoT gateway. The IoT gateway is configured to transmit, over a network, an enrollment request to an IoT management service. The enrollment of the IoT endpoint with the IoT management service is confirmed. A compliance policy for the IoT endpoint is retrieved from a command queue. The compliance policy is stored in the command queue until retrieved by the IoT gateway. The IoT gateway enforces the compliance policy on the IoT endpoint.