Abstract: The present disclosure is related to devices, systems, and methods for TLS server certificate replacement using a notification mechanism. An example method can include establishing a first secure TLS connection between a client and a server verified by a first TLS certificate, creating a subscription for the client to receive a notification associated with a TLS certificate change, loading a second certificate to replace the first certificate, providing a notification to the client, wherein the notification includes the second certificate and a web token scoped to the client, and establishing a second secure TLS connection verified by the second TLS certificate responsive to the client verifying the web token.

Abstract: The present disclosure relates to workload placement responsive to fault. One embodiment includes instructions to remove a first host from a first cluster of a software-defined datacenter (SDDC) responsive to a determination of a fault in a hypervisor of the first host, place the first host into a second cluster of the SDDC, wherein the second cluster is designated to run stateless workloads, and add a second host to the first cluster.

Abstract: The present disclosure is related to devices, systems, and methods for selectively preventing resource overallocation in a virtualized computing environment. One example includes instructions to receive a request to prevent overallocation of a resource in a software-defined datacenter associated with a customer, determine an amount of the resource available to the customer, and assign a respective portion of the amount of the resource available to the customer to each of a plurality of virtual computing instances (VCIs) irrespective of a power state of each of the plurality of VCIs.

Abstract: Various examples for providing an enrollment barcode to a staging client are provided. Enrollment data can be provided to a barcode service, which generates an enrollment barcode. Interpreting the enrollment barcode by a client device causes a management component installed on the client device to authenticate to a management service using a staging credential encrypted or secured in the enrollment barcode, and causes the enrollment of the client device with the management service.

Abstract: The method of some embodiments selects a set of links to forward packets of a data flow from an application running on a machine connected to an SD-WAN that has multiple exits. The method, based on computed sets of attributes for a first set of links and a second set of links, selects between the first set of links and the second set of links. At least the first set of links has multiple links and at least one attribute of the first set of links is an attribute that is computed by aggregating an attribute of each of the links in the first set of links. The method uses the selected set of links to forward the packets of the data flow of the application to an egress managed forwarding element of the SD-WAN.

Abstract: An algorithm for efficiently maintaining a globally uniform-in-time execution schedule for a dynamically changing set of periodic workload instances is provided. At a high level, the algorithm operates by gradually adjusting execution start times in the schedule until they converge to a globally uniform state. In certain embodiments, the algorithm exhibits the property of “quick convergence,” which means that regardless of the number of periodic workload instances added or removed, the execution start times for all workload instances in the schedule will typically converge to a globally uniform state within a single cycle length from the time of the addition/removal event(s) (subject to a tunable “aggressiveness” parameter).

Abstract: An example method of identifying an equal cost multipath (ECMP)-enabled route-based virtual private networks (RBVPN) in a virtualized computing system, comprises: obtaining, at a telemetry agent executing in an edge server of a data center, learned routes; identifying, by the telemetry agent from the routes, a destination network and a plurality of next hops associated therewith and a plurality of virtual tunnel interfaces (VTIs); identifying, by the telemetry agent for each of the plurality of VTIs, an associated VPN session; grouping, by the telemetry agent, the VPN sessions identified as associated with the plurality of VTIs into an ECMP-enabled RBVPN; adding, by the telemetry agent, a description of the ECMP-enabled RBVPN to telemetry data; and sending, by the telemetry agent, the telemetry data to a telemetry service.

Abstract: A method of transmitting multicast traffic to workloads of tenants communicating over overlay networks provisioned on top of a physical network includes the steps of: detecting the multicast traffic; determining that the multicast traffic is bound for workloads of a first tenant and workloads of a second tenant; encapsulating one instance of the multicast traffic using a Layer 2 (L2) over Layer 3 (L3) encapsulation protocol to generate encapsulated traffic, wherein the encapsulated traffic includes an identifier of a first backplane network corresponding to the first tenant and an identifier of a second backplane network corresponding to the second tenant in a header portion of each packet of the encapsulated traffic; and transmitting, to a first host computing device, the encapsulated traffic with the identifiers of the first and second overlay networks.

Abstract: Examples herein describe systems and methods for application-specific compliance enforcement. An example method can include receiving, at a user device, profiles containing application-specific restrictions. When a first application is opened, a management agent compares the corresponding application-specific restrictions with current device settings. This can be done with a checksum comparison where the checksums are created based on a hash with an application- or profile-specific identifier. If they differ, the management agent stores the current device settings and prompts for, or automatically changes, the device settings to new compliant values before allowing the first application to operate in the foreground of the user device screen. If the first application is closed or minimized, the stored device settings can be restored. The management agent can compare those against application-specific restrictions of the second application before allowing the second application to run in the foreground.

Abstract: Some embodiments provide a method for an agent executing on a Kubernetes node in a cluster. The method instructs a forwarding element that also executes on the node to process a flow tracing packet. From the forwarding element, the method receives a message indicating a set of flow entries matched by the flow tracing packet as the forwarding element processes the flow tracing packet. For each flow entry of at least a subset of the flow entries matched by the flow tracing packet, the method generates mapping data that maps elements of the flow entry to Kubernetes concepts implemented in the cluster. The method reports data regarding the set of flow entries along with the generated mapping data.

Abstract: Some embodiments of the invention provide a method for cloning a set of one or more applications implemented by a first set of machines connected through a first logical network that defines a virtual private cloud in a set of one or more datacenters. The method instantiates a cloned, second set of machines that is a replicated copy of the first set of machines. The method identifies a set of network configuration data that configures a set of logical forwarding elements (LFEs) of the first logical network. The method uses the identified set of network configuration data to define a cloned, second logical network to connect the cloned, second set of machines.

Abstract: To provide a low latency near RT RIC, some embodiments separate the RIC's functions into several different components that operate on different machines (e.g., execute on VMs or Pods) operating on the same host computer or different host computers. Some embodiments also provide high speed interfaces between these machines. Some or all of these interfaces operate in non-blocking, lockless manner in order to ensure that critical near RT RIC operations (e.g., datapath processes) are not delayed due to multiple requests causing one or more components to stall. In addition, each of these RIC components also has an internal architecture that is designed to operate in a non-blocking manner so that no one process of a component can block the operation of another process of the component. All of these low latency features allow the near RT RIC to serve as a high speed IO between the E2 nodes and the xApps.

Abstract: Various examples for discovering policy bindings between group policy rules in a legacy management framework and unified endpoint management rules that are utilized in a modern mobile device management (MDM) device management framework. A configuration state view can allow an administrator to understand inconsistencies or conflicts between group policy rules and UEM rules.

Abstract: A method of deleting a first pointer block of a plurality of pointer blocks of a file system from a storage device used by a plurality of applications, wherein the plurality of pointer blocks are each subdivided into sub-blocks, includes the steps of: determining that a first sub-block of the first pointer block is marked as being empty of any addresses of the file system at which storage space is allocated to files of the applications; determining that a second sub-block of the first pointer block has not been marked as being empty; in response to the determining that the second sub-block has not been marked as being empty, determining that the second sub-block does not contain any addresses of the file system at which storage space is allocated to the files of the applications; and deleting the first pointer block from the storage device.

Abstract: Some embodiments provide a method for quantifying quality of several service classes provided by a link between first and second forwarding nodes in a wide area network (WAN). At a first forwarding node, the method computes and stores first and second path quality metric (PQM) values based on packets sent from the second forwarding node for the first and second service classes. The different service classes in some embodiments are associated with different quality of service (QoS) guarantees that the WAN offers to the packets. In some embodiments, the computed PQM value for each service class quantifies the QoS provided to packets processed through the service class. In some embodiments, the first forwarding node adjusts the first and second PQM values as it processes more packets associated with the first and second service classes. The first forwarding node also periodically forwards to the second forwarding node the first and second PQM values that it maintains for the first and second service classes.

Abstract: Disclosed are various approaches for performing biometric authentication of users using an application running on a client device. A biometric model can be trained using biometric data from a population of users. The biometric model can be used by the client application to authenticate users and can be separate from system-level biometric authentication capabilities of the client device.

Abstract: Disclosed are various embodiments for recognizing state changes in client devices and managing the state of client devices using device-driven management workflows. A computing device can receive a state of a client device. The computing device can then determine if the received state matches an expected, compliant state of the client device. When the computing device determines that the received state does not match the expected state, the computing device can identify a remedial workflow that would bring the client device into compliance. The computing device can send the remedial workflow and an instruction to run the remedial workflow to the client device.

Abstract: A method of managing configurations of a data center according to a desired state of the configurations includes retrieving a running state of the configurations, comparing the running state against a first desired state of the configurations and determining a drift of the running state from the first desired state, notifying a cloud control plane of the drift, and in response to an instruction issued by the cloud control plane to apply the desired state, configuring the data center according to a second desired state.

Abstract: The current document is directed to an automated-application-release-management system that organizes and manages the application-development and application-release processes to allow for continuous application development and release. The current document is particularly directed to implementations in which the automated application-release-management subsystem provides code-change ratings and developer ratings used throughout the code-change-submission-to-acceptance process. Code-change ratings and developer ratings are used to tailor tasks and control flow within the code-change-submission-to-acceptance process in order to respond to particular characteristics of code changes and developers.

Abstract: Examples described herein include systems and methods for synchronizing applications that target different software development kits (“SDK”). The system can execute a bridge application that registers an implementation of a content provider class. This allows the bridge application to communicate with a first application targeting a first SDK. The bridge application can also register to send and receive implicit broadcasts. After the bridge application verifies the request, it can broadcast to a second cluster of applications registered with an operating system to receive implicit broadcasts. Similarly, the bridge application can receive implicit broadcasts and synchronize those requests with a first cluster of applications by using the implemented content provider methods.