Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Disclosed are various approaches for remotely deploying provisioned packages. An installer for an application is stored in a cache location of the client device. A hash of the installer is then written to a registry of the client device. The installer is then executed to install the application on the client device. Then, the client device is registered with a management service. Subsequently, a registration confirmation is received from the management service. The hash of the installer is then confirmed and the installed application is identified to the management service as a managed application installed on the client device.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Disclosed are various approaches for remotely deploying provisioned packages. An installer for an application is stored in a cache location of the client device. A hash of the installer is then written to a registry of the client device. The installer is then executed to install the application on the client device. Then, the client device is registered with a management service. Subsequently, a registration confirmation is received from the management service. The hash of the installer is then confirmed and the installed application is identified to the management service as a managed application installed on the client device.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Disclosed are various examples for dynamic application deployment in trusted code environments. In some embodiments, an application is identified for installation on a client device. The client device includes a security process that limits the client device to execute trusted code based on a trusted code policy. Characteristics of a file are identified from an installation package for a client application. A management agent is instructed to update the trusted code policy to whitelist the file by providing the characteristics of the executable file to the security process. A command to install the application is transmitted to the management agent, where the management agent is a trusted installer for the client device.

Abstract: Disclosed are various examples for dynamic application deployment in trusted code environments. In some embodiments, an application is identified for installation on a client device. The client device includes a security process that limits the client device to execute trusted code based on a trusted code policy. Characteristics of a file are identified from an installation package for a client application. A management agent is instructed to update the trusted code policy to whitelist the file by providing the characteristics of the executable file to the security process. A command to install the application is transmitted to the management agent, where the management agent is a trusted installer for the client device.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Disclosed are various approaches for remotely deploying provisioned packages. An installer for an application is stored in a cache location of the client device. A hash of the installer is then written to a registry of the client device. The installer is then executed to install the application on the client device. Then, the client device is registered with a management service. Subsequently, a registration confirmation is received from the management service. The hash of the installer is then confirmed and the installed application is identified to the management service as a managed application installed on the client device.

Abstract: Apparatus and methods are disclosed for allowing smart phone users to “capture the moment” by allowing easy access to a camera application when a mobile device is in an above-lock (or locked) mode, while also preventing unauthorized access to other smart phone functionality. According to one embodiment of the disclosed technology, a method of operating a mobile device having an above-lock state and a below-lock state comprises receiving input data requesting invocation of an camera application when the mobile device is in the above-lock state and invoking the requested camera application on the device, where one or more functions of the requested application are unavailable as a result of the mobile device being in the above-lock state.

Abstract: Disclosed are various examples for dynamic application deployment in trusted code environments. In some embodiments, an application is identified for installation on a client device. The client device includes a security process that limits the client device to execute trusted code based on a trusted code policy. Characteristics of a file are identified from an installation package for a client application. A management agent is instructed to update the trusted code policy to whitelist the file by providing the characteristics of the executable file to the security process. A command to install the application is transmitted to the management agent, where the management agent is a trusted installer for the client device.

Abstract: A method and apparatus is provided for operating a mobile device having stored thereon a plurality of applications (“apps”) that are each configured to capture an image. The method includes receiving first user input data requesting invocation of a given one of the applications. The given application is launched by the user. After launching the given application a user interface is presented which serves as an entry point through which all of the image capture applications stored on the mobile device are made available to the user.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Apparatus and methods are disclosed for allowing smart phone users to “capture the moment” by allowing easy access to a camera application when a mobile device is in an above-lock (or locked) mode, while also preventing unauthorized access to other smart phone functionality. According to one embodiment of the disclosed technology, a method of operating a mobile device having an above-lock state and a below-lock state comprises receiving input data requesting invocation of an camera application when the mobile device is in the above-lock state and invoking the requested camera application on the device, where one or more functions of the requested application are unavailable as a result of the mobile device being in the above-lock state.

Abstract: A method and apparatus is provided for operating a mobile device having stored thereon a plurality of applications (“apps”) that are each configured to capture an image. The method includes receiving first user input data requesting invocation of a given one of the applications. The given application is launched by the user. After launching the given application a user interface is presented which serves as an entry point through which all of the image capture applications stored on the mobile device are made available to the user.