Abstract: Disclosed are various examples for device provisioning using a manufacturer boot environment. A management agent can be executed from a manufacturer's boot environment and can install a management application that is executable in the main operating system to provision a client device for management. The management agent can then set a provisioning status BIOS variable to indicate that the client device is provisioned. The client device can then be booted to the main operating system and the management application can be executed.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Disclosed are various examples for device provisioning using a manufacturer boot environment. A management agent can be executed from a manufacturer's boot environment and can install a management application that is executable in the main operating system to provision a client device for management. The management agent can then set a provisioning status BIOS variable to indicate that the client device is provisioned. The client device can then be booted to the main operating system and the management application can be executed.

Abstract: Disclosed are various examples for dynamic application deployment in trusted code environments. In some embodiments, an application is identified for installation on a client device. The client device includes a security process that limits the client device to execute trusted code based on a trusted code policy. Characteristics of a file are identified from an installation package for a client application. A management agent is instructed to update the trusted code policy to whitelist the file by providing the characteristics of the executable file to the security process. A command to install the application is transmitted to the management agent, where the management agent is a trusted installer for the client device.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Disclosed are various examples for persistent device provisioning. In some examples, a management agent is executed from the manufacturer boot environment. The management agent determines that a main operating system of the client device is currently unprovisioned for management by the management service. The management agent installs a management application that is executable in the main operating system. The client device boots to the main operating system and executes the management application. The management application enrolls the client device with the management service by installing an enrollment token received from the management service.

Abstract: Disclosed are various examples for dynamic application deployment in trusted code environments. In some embodiments, an application is identified for installation on a client device. The client device includes a security process that limits the client device to execute trusted code based on a trusted code policy. Characteristics of a file are identified from an installation package for a client application. A management agent is instructed to update the trusted code policy to whitelist the file by providing the characteristics of the executable file to the security process. A command to install the application is transmitted to the management agent, where the management agent is a trusted installer for the client device.

Abstract: Examples described herein include systems and methods for bare metal management of computing devices. Firmware of the computing device can be configured to contact a network location as part of an HTTP boot and download a boot agent. The boot agent can be prioritized to execute before a primary OS boot loader. The boot agent can download an OS configuration including a package that is inserted into the primary OS. The primary OS, as configured, can then boot. The boot agent can also attest to OS health and device compliance on subsequent boots. For example, the boot agent can cause the firmware to track how many boots have occurred since compliance verification. If a threshold number of boots occur without verification, the boot agent can initiate restoration. Alternatively, if a decommission flag is set, the boot agent can cause the computing device to boot into its original configuration.

Abstract: Disclosed are various examples for persistent device provisioning. In some examples, a management agent is executed from the manufacturer boot environment. The management agent determines that a main operating system of the client device is currently unprovisioned for management by the management service. The management agent installs a management application that is executable in the main operating system. The client device boots to the main operating system and executes the management application. The management application enrolls the client device with the management service by installing an enrollment token received from the management service.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.

Abstract: Examples described here include systems and methods for refreshing the operating system (“OS”) of a device enrolled in a management platform. Execution of a first command file ensures that necessary components of the management platform residing on the device are stored in a partitioned portion of the device hard drive to preserve them during the OS refresh. After a new instance of the OS has been installed, execution of a second command file migrates the necessary components from the partitioned portion of the hard drive to the new OS instance. When the user logs back into the refreshed device, a third command file installs all necessary device management components at the new OS instance and re-enrolls the device with the management platform. In this manner, the OS of a managed device can be refreshed and re-enrolled in the management platform without significant input from a user or administrator.