Abstract: Systems and methods for hardware-based protection of Application Programming Interface (API) keys are described. In some embodiments, an endpoint Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: send an encrypted API key to a trusted controller; and receive a decrypted API key from the trusted controller.

Abstract: Systems and methods are provided that may be implemented to provide a hardware-rooted, protected, and operating system (OS)-agnostic environment in which designated logic (e.g., one or more software and/or firmware tools such as an OS agent) may be run to verify the ownership and/or registration of a given information handling system before the OS is booted and running, and therefore before system data (e.g., user data) is exposed. In one exemplary embodiment, the designated logic may include a unified extensible firmware interface (UEFI) driver that is protected (e.g., signed), and that runs during the system boot sequence before the OS is booted. The disclosed systems and methods may be advantageously implemented in one embodiment to allow a system user who purchases and acquires a given information handling system from a source and/or channel other than the original system manufacturer to register and/or associate the given information handling system with their manufacturer-assigned user account.

Abstract: An information handling system including a port or wireless antenna to operatively couple one or more peripheral devices to the information handling system and the processor executing code instructions of a peripheral devices reporting module for managing the one or more peripheral devices in coordination for a remotely-located peripheral device management system, wherein the processor is configured to generate a manifest of the information handling system and the one or more peripheral devices, and a network interface device to transmit to the remotely-located peripheral device management system the manifest to be associated a user account for peripheral device management services utilize usage data from the one or more peripheral devices to monitor peripheral device usage lifecycle status or peripheral device health status.

Abstract: The present disclosure provides various embodiments of information handling systems and related methods to generate a cryptographic key, which may be used to cryptographically verify information handling system (IHS) platform components and track events associated with the platform components. In the embodiments disclosed herein, a wide variety of platform-related information may be collected from a plurality of system platform components and embedded into a single cryptographic key. Once a cryptographic key is generated, it may be decoded and/or compared with cryptographic key(s) subsequently generated by the IHS to securely verify the system platform components, determine if changes have been made to the system platform components, facilitate system diagnostics and/or perform additional functions.

Abstract: The present disclosure provides various embodiments of systems and related methods to track and cryptographically verify system configuration changes. More specifically, systems and methods are disclosed herein to track an original system configuration of an information handling system (IHS) as the system was built by a manufacturing facility, and any system configuration changes that are made to the original system configuration after the IHS leaves the manufacturing facility. Once a user takes ownership of the IHS, systems and methods disclosed herein may be used to cryptographically verify a current system configuration of the IHS. In doing so, the present disclosure provides a way to authenticate or validate system configuration changes that may occur after the IHS leaves the manufacturing facility.

Abstract: Systems and methods for providing trusted local orchestration of workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a system memory coupled to the processor, the system memory having program instructions stored thereon that, upon execution, cause the IHS to: receive an orchestration code from a workspace orchestration service; record, using a trusted controller coupled to the processor, a log comprising: the orchestration code, and an indication of a sequence of operations performed during an instantiation of a workspace by the local management agent; provide a copy of the log to the workspace orchestration service; and establish a connection between the workspace and the workspace orchestration service in response to the workspace orchestration service's successful: (i) authentication of the orchestration code, and (ii) verification of the sequence of operations.

Abstract: Systems and methods for evaluating security risks using a manufacturer-signed software identification manifest are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive a request to perform attestation of a client device; retrieve, from an agent executed by the client device, a manifest comprising: (i) a signature portion encrypted with a first key, and (ii) a software identification (SWID) portion encrypted with a second key; retrieve the first key from a manufacturer database; retrieve the second key from a customer database; decrypt the signature and the manifest with the first and second keys; and perform the attestation using the decrypted manifest.

Abstract: Embodiments of systems and computer implemented methods are provided to transfer software licenses and entitlements associated with a user account from a first information handling system (IHS) to a second IHS. A computer implemented method in accordance with the present disclosure may generally include executing an entitlement management service to reassign the software licenses and entitlements associated with the user account to the second IHS, executing at least one local validation service on the second IHS to validate the second IHS and the user's workspace, and if the second IHS and the user's workspace is successfully validated by the at least one local validation service, executing one or more cloud-based orchestration services to verify the user account, determine which software licenses and entitlements are associated with the user account, and acquire and validate the software licenses and entitlements before transferring the software licenses and entitlements to the second IHS.

Abstract: A system, method, and computer-readable medium are disclosed for attesting component certificates to particular devices. An enterprise hosted integrity protected distributed ledger, such as a block chain, is provided to publish component certificates. Component vendors are provided authorization tokens to publish their component certificates. Manifests are generated by the original equipment manufacturer (OEM) that includes vendor component identifiers. End users discover the distributed ledger through a verification mechanism, and the component certificates are retrieved from the distributed ledger.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.

Abstract: Systems and methods are provided that may be implemented to provide a hardware-rooted, protected, and operating system (OS)-agnostic environment in which designated logic (e.g., one or more software and/or firmware tools such as an OS agent) may be run to verify the ownership and/or registration of a given information handling system before the OS is booted and running, and therefore before system data (e.g., user data) is exposed. In one exemplary embodiment, the designated logic may include a unified extensible firmware interface (UEFI) driver that is protected (e.g., signed), and that runs during the system boot sequence before the OS is booted. The disclosed systems and methods may be advantageously implemented in one embodiment to allow a system user who purchases and acquires a given information handling system from a source and/or channel other than the original system manufacturer to register and/or associate the given information handling system with their manufacturer-assigned user account.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: Systems and methods for providing trusted local orchestration of workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a system memory coupled to the processor, the system memory having program instructions stored thereon that, upon execution, cause the IHS to: receive an orchestration code from a workspace orchestration service; record, using a trusted controller coupled to the processor, a log comprising: the orchestration code, and an indication of a sequence of operations performed during an instantiation of a workspace by the local management agent; provide a copy of the log to the workspace orchestration service; and establish a connection between the workspace and the workspace orchestration service in response to the workspace orchestration service's successful: (i) authentication of the orchestration code, and (ii) verification of the sequence of operations.

Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: Various embodiments of network access control (NAC) systems and methods are provided herein to control access to a network comprising a plurality of network endpoint nodes, where each network endpoint node includes a policy information point and a policy decision point. The policy information point within each network endpoint node stores a distributed ledger including one or more client policies that must be satisfied to access the network, and a smart contract including a set of predefined rules defining network access behaviors and actions. Upon receiving a network access request from a client device outside of the network, the policy decision point within each network endpoint node executes the smart contract to determine whether the client device should be granted access, denied access or have restricted access to the network, and executes consensus algorithm to select one of the network endpoint nodes to be a policy decision point leader.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.

Abstract: A method may include, during execution of a basic input/output system comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted and/or powered on and execute prior to execution of an operating system of the information handling system, executing a hardware attestation verification application configured to: (i) read a platform certificate comprising information associated with one or more information handling resources of the information handling system recorded during creation of the platform certificate; (ii) perform hardware attestation of the information handling system by comparing information associated with the one or more information handling resources and the information stored within the platform certificate; and (iii) generate a log indicative of the results of the hardware attestation.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: A system, method, and computer-readable medium are disclosed for attesting component certificates to particular devices. An enterprise hosted integrity protected distributed ledger, such as a block chain, is provided to publish component certificates. Component vendors are provided authorization tokens to publish their component certificates. Manifests are generated by the original equipment manufacturer (OEM) that includes vendor component identifiers. End users discover the distributed ledger through a verification mechanism, and the component certificates are retrieved from the distributed ledger.

Abstract: Systems and methods for workspace deployment using a secondary trusted device are described. In some embodiments, a first Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the first IHS to: establish a first connection with a second IHS, where the second IHS is configured to establish a second connection with a workspace orchestration service, and where the workspace orchestration service is configured to: receive device identification information of the first IHS from the second IHS; and authenticate the device identification information against a database provided by a manufacturer of the first IHS; and in response to a successful authentication, establish a third connection with the workspace orchestration service.