Abstract: The current document is directed to methods and systems that generate microsegmentation quotients for computational entities and components of a distributed-computer-system. In the described implementation, microsegmentation quotients are generated for each component, subsystem, or computational entity, collectively referred to as “system entities,” of a set of specified system-entity types within the distributed computer system. Microsegmentation quotients are generated for system entities at any of the various hierarchical levels within a distributed computer system, including for the entire distributed computer system. Microsegmentation quotients are generated by an iterative process that refines initial estimates of the microsegmentation quotients for system entities within the distributed computer system.

Abstract: A failure analysis system identifies a root cause of a failure (or other health issue) in a virtualized computing environment and provides a recommendation for remediation. The failure analysis system uses a model-based reasoning (MBR) approach that involves building a model describing the relationships/dependencies of elements in the various layers of the virtualized computing environment, and the model is used by an inference engine to generate facts and rules for reasoning to identify an element in the virtualized computing environment that is causing the failure. Then, then the failure analysis system uses a decision tree analysis (DTA) approach to perform a deep diagnosis of the element, by traversing a decision tree that was generated by combining the rules for reasoning provided by the MBR approach, in conjunction with examining data collected by health monitors. The result of the DTA approach is then used to generate the recommendation for remediation.

Abstract: Systems herein allow a digital assistant to make requests to applications, such as third-party applications, that access data in an enterprise mobility management (“EMM”) system. The digital assistant can link to a portal application and receive a token that identifies a user. A remote application on a user device can establish a session with the portal application as part of a single sign on (“SSO”). The session can identify the same user. The portal application can then link the digital assistant to the remote application. When the digital assistant makes a request to the portal application, a notification can be pushed to the remote application. The user can confirm the request, establishing an authorized session during which time the digital assistant can make additional requests to the portal application. The portal application can service the requests by accessing third-party applications available through the portal application and authorized for access by the SSO.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to detect drift in a hybrid cloud environment. An example apparatus to detect drift in a hybrid cloud environment includes a configuration model determiner to, after deployment of a blueprint in the hybrid cloud environment, generate a first model including first relationships of a first plurality of resources corresponding to the blueprint, the blueprint including a plurality of properties in which at least one of the plurality of properties is agnostic of type of cloud, an inventor model determiner to generate a second model including second relationships of a second plurality of resources as deployed in the hybrid cloud environment based on the blueprint, and a drift determiner to determine a drift value based on the first relationships and the second relationships, the drift value representative of a difference between the first relationships and the second relationships.

Abstract: System and method for managing copy-on-write (COW) B tree structures for metadata of storage objects stored in a storage system determine, when a request to modify a target storage object stored in the storage system that requires a modification of a target leaf node in a B tree structure for metadata of the target storage object is received, whether an operation sequence number of the target leaf node is greater than a snapshot sequence number of a parent snapshot of a running point of the B tree structure. When the operation sequence number is greater than the snapshot sequence number, the target leaf mode is modified in place without copying the target leaf node. When the operation sequence number is not greater than the snapshot sequence number, the target leaf node is copied as a new leaf node for the B tree structure and the new leaf node is modified.

Abstract: Disclosed are various examples for selective screen sharing. In one example, a computing device can generate a video stream based on a screen capture and transmit the video stream to a destination device. The computing device can also obtain a user-specified modification to an area of the screen capture within the video stream. The computing device can also update the video stream by application of a transformation to the screen capture based at least in part on the user-specified modification, after the video stream started transmission to the destination device. In some cases, a user-specified modification to the area is also obtained. The video stream can be updated by applying an updated transformation to the screen capture that obscures the updated area within the video stream.

Abstract: A structured document is verified for changes that are made during and after deployment of an application. The structured document includes first fields that are designated as mutable, and second fields that are designated as immutable. An attempted change is detected to the structured document during or after deployment of the application. Upon detecting the attempted change, a digital signature is generated of the second fields of the structured document. A determination is made whether the generated digital signature of the second fields matches a reference digital signature of the second fields. Upon determining that the generated digital signature matches the reference digital signature, the change to the structured document is permitted. Upon determining that the generated digital signature does not match the reference digital signature, the change is blocked to the structured document.

Abstract: Examples described herein include systems and methods for dynamically determining enrollment requirements and enrolling a user device into a management system. The systems and methods can differ based on the type and version of operating system executing on the user device. With some operating systems, enrollment can be completed through a single application that performs other functionality, such providing single-sign-on access to enterprise resources. With other operating systems, enrollment can be completed by pausing the first application and requiring installation of an agent application to complete enrollment. The determination of how and when to enroll a user device can be done automatically and can be based on an organizational group to which the user belongs.

Abstract: Example methods and systems for packet handling in a software-defined networking (SDN) environment are disclosed. One example method may comprise detecting an egress application-layer message from a first logical endpoint supported by a first host; and identifying a second logical endpoint supported by the second host for which the egress application-layer message is destined. The method may also comprise generating an egress packet that includes the egress application-layer message and metadata associated with the second logical endpoint, but omits one or more headers that are addressed from the first logical endpoint to the second logical endpoint. The method may further comprise sending the egress packet to the second host to cause the second host to identify the second logical endpoint based on the metadata, and to send the egress application-layer message to the second logical endpoint.

Abstract: A network environment is described for securely storing data for anonymized contact tracing while an application is executing in a background state. An application can receive a message containing data while the application is executing in a background state. The data is encrypted using a public key. Next, the application can store the encrypted data in an alternate data store. Subsequently, and upon user authentication, the application can decrypt a secure data store decrypt the encrypted data. The application can then store the decrypted data in the decrypted secure data store. The application can receive user input indicating a positive test result for a communicable disease with an incubation period, and anonymously upload the data stripped of any uniquely identifying information.

Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.

Abstract: This disclosure describes a computer implemented method for receiving authentication credentials identifying a user; identifying computing systems for which the user is authorized access to; and transmitting tokens granting access to the identified computing systems. In some embodiments, no two tokens of the transmitted tokens grants access to the same one of the identified computing systems. The user typically has access to a management tool configured to manage the transmission of the received tokens to the corresponding computing systems, thereby granting the user the ability to have seamless access to any of the computing systems associated with the user's authenticated identity.

Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway sever, a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit user device access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.

Abstract: A network system that uses a cluster of edge nodes to send and receive multicast traffic is provided. The network system is a network virtualization environment that includes one or more distributed routers, each distributed router implemented by virtualization software running on one or more host machines. The network system also includes a cluster of edge nodes for sending data from the one or more distributed routers to one or more uplink/upstream physical routers outside of a datacenter and for receiving data from the physical routers to the distributed routers. One of the edge nodes is a designated edge node that queries for membership information for one or more multicast groups to be received by at least two edge nodes of the cluster of edge nodes. The cluster of edge nodes forwards multicast traffic to and from the distributed routers according to the received membership information.

Abstract: Disclosed are various approaches for workflow service application networking. In some aspects, a workflow creation user interface is provided to create a networking workflow with at least one networking action. A networking action is specified for a first application to utilize application content from a second application. The networking action is verified based on a response to a test action request transmitted to the workflow service. The networking action is transmitted from the workflow application to a workflow service to cause the first application to utilize the application content from the second application according to the networking action.

Abstract: A system and method for orchestrating distributed operations to be executed in a distributed computing system with multiple virtual infrastructures uses a distributed operation descriptor to find any Cloud-Native Network Function (CNF) entry in the distributed operation descriptor. For each found CNF entry, a CNF descriptor is retrieved from a CNF catalog and parsed to find an overridable property for a CNF described in the CNF descriptor for which a property override is defined. Then, a target virtual infrastructure is selected from the multiple virtual infrastructures to perform a lifecycle management operation of the CNF. Instructions are then transmitted to a local operator in the target virtual infrastructure with the property override so that information regarding the CNF is transmitted to a local orchestrator of the target virtual infrastructure to perform the lifecycle management operation of the CNF at the target virtual infrastructure using the property override.

Abstract: Disclosed are various examples for enrollment of gateway enrollment for Internet-of-Things (IoT) device management. In one example, the gateway device transmits an enrollment request to a management service. The enrollment request includes enrollment credentials that are entered through a user interface. The gateway device receives gateway credentials that authenticate communications with a management service. Subsequent communications transmitted from the gateway device to the management service are authenticated using the gateway credentials.

Abstract: A cloud management server and method for performing automatic placement of clients in a distributed computer system uses a list of compatible clusters to select an affinity cluster to place the clients associated with an affinity constraint. As part of the placement method, a cluster that cannot satisfy any anti-affinity constraint associated with the clients and the affinity constrain is removed from the list of compatible clusters. After the affinity cluster has been selected, at least one cluster in the distributed computer system is also selected to place clients associated with an anti-affinity constraint.

Abstract: An example method of checking compatibility of a guest cluster executing as a virtual extension of a host cluster having an orchestration control plane managing the guest cluster, the host cluster being part of a software defined data center (SDDC), is described.

Abstract: Example methods and systems are provided for location-aware service request handling. The method may comprise: generating and sending location information associated with virtualized computing instance to a service node or a management entity for transmission to the service node. The location information may identify logical element(s) to which the virtualized computing instance is connected. The method may further comprise: in response to detecting, from the virtualized computing instance, a service request for a service from the service node, generating a modified service request by modifying the service request to include the location information associated with the virtualized computing instance; and sending the modified service request towards the service node.