Abstract: A system and method for providing stringent tamper resistant protection against changes to key system security features. The tamper protection is configured such that any changes to the policy can only occur from a configuration manager console, thereby preventing local device admin users or other malicious actors from altering the setting. Thus, tamper protection locks the selected service and prevents security settings from being changed through third-party apps and methods. When a system administrator enables the feature for an enterprise's workstations, only administrators will be able to change the service settings across a company's computers. The tamper protection policy is digitally signed in the backend before being deployed to endpoints, and the endpoint verifies the validity and intent of the policy, establishing that it is a signed package that only security operations personnel with the necessary administrator rights can control.

Abstract: A system and method for providing stringent tamper resistant protection against changes to key system security features. The tamper protection is configured such that any changes to the policy can only occur from a configuration manager console, thereby preventing local device admin users or other malicious actors from altering the setting. Thus, tamper protection locks the selected service and prevents security settings from being changed through third-party apps and methods. When a system administrator enables the feature for an enterprise's workstations, only administrators will be able to change the service settings across a company's computers. The tamper protection policy is digitally signed in the backend before being deployed to endpoints, and the endpoint verifies the validity and intent of the policy, establishing that it is a signed package that only security operations personnel with the necessary administrator rights can control.

Abstract: Selectively wiping data. A method includes identifying a plurality of datasets on a device. The method further includes identifying one or more datasets, on a dataset basis, from among the plurality of datasets that are managed datasets associated with a particular user account by being associated with an account identifier for the particular user account at a data structure external to the device. The managed datasets are associated with a particular user account by being associated with an account identifier for the particular user account. The method further includes receiving an indication that managed data associated with the particular user account should be wiped from the device. The method further includes wiping the one or more datasets that are identified as being managed datasets associated with a particular user account while not wiping datasets from the plurality of datasets that are not associated with the particular user account.

Abstract: Determining whether or not a device is managed. A method includes, as part of running a particular application, determining whether or not certain state and/or data (such as a particular specialized font, a particular certificate chain, or particular xml policy setting) is present on the device. When the certain state and/or data is present on the device, the method includes determining that the device is managed, otherwise, determining that the device is not managed.