Abstract: Disclosed are various embodiments for accessing resources when a client device complies with distribution rules. A client device receives distribution rules associated with resources that are accessible at a distribution service. The client device determines whether the client device complies with the distribution rules. The client device transmits an indication of compliance for the distribution to the distribution service. The client device receives the resource from the distribution service.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Disclosed are various embodiments for accessing resources when a client device complies with distribution rules. A client device receives distribution rules associated with resources that are accessible at a distribution service. The client device determines whether the client device complies with the distribution rules. The client device transmits an indication of compliance for the distribution to the distribution service. The client device receives the resource from the distribution service.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Abstract: Disclosed are various examples for providing network content filtering to client devices on a per-application basis. A client device is identified. Then the client device is authenticated by the device management service. If the client device is not authenticated, a user interface will facilitate the enrollment process on the client device to authenticate the client device with the management service. Then, an authentication token is received. The management application receives a request from an application to initiate a network connection. Based at least in part on the identity of the application and the client device, the management application routes network traffic associated with the application and the network connection using or without using a managed network tunnel.

Abstract: Disclosed are various examples for providing network content filtering to client devices on a per-application basis. A client device is identified. Then the client device is authenticated by the device management service. If the client device is not authenticated, a user interface will facilitate the enrollment process on the client device to authenticate the client device with the management service. Then, an authentication token is received. The management application receives a request from an application to initiate a network connection. Based at least in part on the identity of the application and the client device, the management application routes network traffic associated with the application and the network connection using or without using a managed network tunnel.

Abstract: Disclosed are various examples of integrating multiple domains within a directory service. A computing device retrieves a first list of members in a first group of users for the domain from a first directory service for a first domain. The computing device then determines that a second group of users is a member of the first group of users, wherein the second group of users corresponds to a second domain. The computing device then retrieves a second list of members in the second group of users from a second directory service for a second domain. The computing device subsequently compares the first list of members in the first group of users and the second list of members in the second group of users with a third list of members in a third group of users, wherein the third list of members in the third group of users corresponds to a user list maintained by the application.

Abstract: Disclosed are various examples for providing network content filtering to client devices on a per-application basis. A network stack receives a request from an application to connect to a network service. The network stack then determines the identity of the application. Based at least in part on the identity of the application, the network stack initiates a network connection between the application and the network service using or without using a managed network tunnel.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Disclosed are various embodiments for accessing resources when a client device complies with distribution rules. A client device receives distribution rules associated with resources that are accessible at a distribution service. The client device determines whether the client device complies with the distribution rules. The client device transmits an indication of compliance for the distribution to the distribution service. The client device receives the resource from the distribution service.

Abstract: Disclosed are various embodiments for accessing resources when a client device complies with distribution rules. A client device receives selected resources and distribution rules associated with the resources. The client device determines whether the client device complies with the distribution rules. When the resources are modified, the changes are sent to a distribution service associated with the resources.

Abstract: Disclosed are various examples for providing network content filtering to client devices on a per-application basis. A network stack receives a request from an application to connect to a network service. The network stack then determines the identity of the application. Based at least in part on the identity of the application, the network stack initiates a network connection between the application and the network service using or without using a managed network tunnel.

Abstract: Disclosed are various examples for providing a single sign-on experience for managed mobile devices. A management application executed in a computing device receives a single sign-on request from a managed client application executed by the same computing device. The management application determines that the client application is permitted to access a management credential for single sign-on use. The management application provides the management credential to the client application in response to the single sign-on request.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Abstract: Disclosed are various examples for the use of network micro-segmentation in enterprise mobility management. In one example, a network device receives a packet with one or mote device management attribute embedded in its header. The network device extracts the device management attribute from the packet header. A compliance status of a client device in an external network is determined based on the device management attribute. The network device forwards the packet based on the compliance status.

Abstract: Disclosed are various examples for providing network content filtering to client devices on a per-application basis. A network stack receives a request from an application to connect to a network service. The network stack then determines the identity of the application. Based at least in part on the identity of the application, the network stack initiates a network connection between the application and the network service using or without using a managed network tunnel.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Abstract: Disclosed are various examples for single-sign on by way of managed mobile devices using Kerberos. For example, a certificate is received from a client device. In response, a Kerberos ticket-granting ticket is generated and sent to the client device. A request for a service ticket is later received from the client device. The request for the service ticket can include the ticket-granting ticket. The service ticket is then generated and sent to the client device. Subsequently, the service ticket is received from the client device and a security assertion markup language (SAML) response is sent to the client device in reply. The SAML response can provide authentication credentials for a service provider associated with the service ticket.

Abstract: Systems herein allow an administrator to efficiently set up user devices for use in a classroom environment. A management server can display a graphical user interface that includes selection options for defining and using carts of user devices. The carts can be selected and assigned to classes. The GUI also allows the administrator to specify which applications a class will use. Based on these selections, the management server can then manage which user devices install which applications, and allocate licenses accordingly.