Abstract: Systems and methods for securely deploying a collective workspace across multiple local management agents are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, at a workspace orchestration service from a first local management agent, first context information and a first split key; receive, at the workspace orchestration service from a second local management agent, second context information and a second split key; determining, by the workspace orchestration service, that the first and second context information match a collaborative workspace policy; in response to the determination, authenticate the first and second split keys; and in response to the authentication, transmit a collaborative workspace definition to the first and second local management agents.

Abstract: Systems and methods for providing trusted local orchestration of workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a system memory coupled to the processor, the system memory having program instructions stored thereon that, upon execution, cause the IHS to: receive an orchestration code from a workspace orchestration service; record, using a trusted controller coupled to the processor, a log comprising: the orchestration code, and an indication of a sequence of operations performed during an instantiation of a workspace by the local management agent; provide a copy of the log to the workspace orchestration service; and establish a connection between the workspace and the workspace orchestration service in response to the workspace orchestration service's successful: (i) authentication of the orchestration code, and (ii) verification of the sequence of operations.

Abstract: Systems and methods for multilayer encryption for user privacy compliance and corporate confidentiality are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: transmit, from a workspace instantiated by a local management agent to a portal managed by an enterprise: (i) a request to store a once-encrypted document, and (ii) an indication that the once-encrypted document is encrypted with a controlvault key; receive, from the portal at the workspace, a request to encrypt the once-encrypted document with an enterprise-issued cryptographic key to produce a twice-encrypted document; and transmit, from the workspace to the portal, a copy of the twice-encrypted document.

Abstract: Systems and methods for providing fleet remediation of compromised workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, from a first local management agent configured to provide a first workspace in a fleet of workspaces, an indication that the first workspace has suffered a security compromise, where the first workspace is instantiated based upon a first workspace definition; and in response to the indication, transmit a second workspace definition to a second local management agent configured to provide a second workspace in the fleet of workspaces, where the second workspace is instantiated based upon the first workspace definition, and where the second local management agent is configured to instantiate a third workspace based upon the second workspace definition.

Abstract: Systems and methods for self-protecting and self-refreshing workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a workspace based upon a workspace definition; determine that a context of the client IHS has been modified; in response to the determination, terminate the workspace; and receive, from the workspace orchestration service, one or more files or policies configured to enable the client IHS to re-instantiate the workspace based upon the workspace definition.

Abstract: Systems and methods for evaluating security risks using a manufacturer-signed software identification manifest are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive a request to perform attestation of a client device; retrieve, from an agent executed by the client device, a manifest comprising: (i) a signature portion encrypted with a first key, and (ii) a software identification (SWID) portion encrypted with a second key; retrieve the first key from a manufacturer database; retrieve the second key from a customer database; decrypt the signature and the manifest with the first and second keys; and perform the attestation using the decrypted manifest.

Abstract: Systems and methods for bare-metal or pre-boot user-machine authentication, binding, and entitlement provisioning are described. In some embodiments, a method may include: receiving, at a first portal managed by a manufacturer of an Information Handling System (IHS): (i) user credentials associated with a user of the IHS, and (ii) device identification associated with the IHS before the IHS is shipped to the user; selecting a customer of the manufacturer associated with the device identification; forwarding an indication of the user credentials to a second portal managed by the customer; and, in response to the second portal having successfully authenticated the user, establishing an identity session with the second portal; receiving, from the IHS, a request to initiate an entitlement sequence.

Abstract: Systems and methods support secure transfer of data between workspaces operating on an IHS (Information Handling System). Upon a request for access to a first managed resource, such as protected data, a first workspace is deployed according to a first workspace definition. Upon a request for access to a second managed resource, a second workspace is deployed according to a second workspace definition. In response to an indication of a portion of the protected data from the first workspace being copied to a buffer supported by the IHS and of a request to paste the copied portion of the protected data to the second workspace, the protections provided by the second workspace are evaluated. If the protections of the second workspace are inadequate, an updated second workspace definition is selected that specifies additional protections. The second workspace is updated according to the updated second workspace definition and the transfer is permitted.

Abstract: Systems and methods provide multilevel authorization of workspaces using certificates, where all of the authorization levels may be authorized separately or may instead be authorized at once. A measurement of an IHS (Information Handling System) is calculated based on the identity of the IHS and based on firmware of the IHS. A measurement of the configuration of the IHS is calculated based on information for configuring the IHS for supporting workspaces and also based on the IHS measurement. A measurement of a workspace session is calculated based on properties of a session used to remotely support operation of the workspace by the IHS and also based on the configuration measurement. Workspace session data may by authorized at all three levels by evaluating the session measurement against a reference session measurement.

Abstract: In a system of networked IHSs (Information Handling Systems) supporting the use of roaming biometric profiles, an individual may utilize biometric authentication for gaining access to various IHSs within the system. An IHS configured to support roaming biometric authentication includes biometric sensors that support secure transmission and management of biometric prints collected by such sensors. Such biometric sensors may interoperate with a secure processing component of the IHS in order to prevent transmission and storage of unprotected biometric prints, while still supporting roaming biometric authentication. The biometric sensor utilizes an encryption key for encoding biometric prints where the key is selected based on a group affiliation of the individual, thus protecting biometric prints from other groups that use roaming biometric authentication while sharing the same network of IHSs.

Abstract: Methods and system are provided for dynamically securing a workspace based on changes in the security context in which the workspace operates. Upon receiving a request from an IHS for access to a managed resource and receiving attributes of a risk context for the request, a risk score for the request is determined. A workspace definition that provides access to the managed resource is selected based on the risk score. A workspace definition includes security requirements for operation of the workspace by the IHS, where the security requirements are commensurate with the risk score. The workspace definition is transmitted to the IHS for operation of the workspace according to the security requirements. A risk context may include, IHS software, a physical environment in which the IHS is located, a physical location of the IHS, a classification of the requested resource, IHS hardware, and a user of the IHS.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.

Abstract: A method may include, during execution of a basic input/output system comprising boot firmware configured to be the first code executed by the processor when the information handling system is booted and/or powered on and execute prior to execution of an operating system of the information handling system, executing a hardware attestation verification application configured to: (i) read a platform certificate comprising information associated with one or more information handling resources of the information handling system recorded during creation of the platform certificate; (ii) perform hardware attestation of the information handling system by comparing information associated with the one or more information handling resources and the information stored within the platform certificate; and (iii) generate a log indicative of the results of the hardware attestation.

Abstract: In some examples, a target device determines that each device of a plurality of devices (i) includes a certificate that is provided to each device during provisioning, (ii) is within a predetermined distance from the target device, (iii) includes a beacon secret that is broadcast to each device at a predetermined time interval, and (iv) that either: (a) a privilege level associated with at least one device of the plurality of devices satisfies a particular privilege level specified by an access policy or (b) a number of the plurality devices with the determined distance from the target device satisfies a predetermined number specified by the access policy. The target device grants at least one device of the plurality of devices access to the target device, and receives a message from the at least one device. The target device initiates an action based at least in part on the message.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.

Abstract: An authentication system for providing shared credential authentication includes a client information handling (IHS) system having a resource service application, and a mobile IHS having a shared authentication application. The shared authentication token indicates that an authenticated state between the client IHS and the mobile IHS exists. The resource service application receives a request to access the resource, and sends an authentication request to an authentication server to authorize access to the resource. The shared authentication application receives a query from the authentication server to verify a status of a shared authentication token, and, when the shared authentication token is valid, responds to the query that the shared authentication token is valid. The resource service application further receives a response to the authentication request, and grants access to the resource when the authentication token indicates that the shared authentication token is valid.

Abstract: The present disclosure provides various embodiments of systems and related methods to track and cryptographically verify system configuration changes. More specifically, systems and methods are disclosed herein to track an original system configuration of an information handling system (IHS) as the system was built by a manufacturing facility, and any system configuration changes that are made to the original system configuration after the IHS leaves the manufacturing facility. Once a user takes ownership of the IHS, systems and methods disclosed herein may be used to cryptographically verify a current system configuration of the IHS. In doing so, the present disclosure provides a way to authenticate or validate system configuration changes that may occur after the IHS leaves the manufacturing facility.

Abstract: Various embodiments of systems and methods are provided to bind a system identifier that uniquely identifies an information handling system (IHS) to the system platform, so that the identity of the IHS can be cryptographically verified. More specifically, the present disclosure provides methods to bind a unique system identifier to an IHS platform, and methods to cryptographically verify the identity of the IHS using the unique system identifier and a plurality of keys generated and stored with a Trusted Platform Module (TPM) of the IHS. Systems are provided herein to perform such methods. As such, the systems and methods disclosed herein enable system identity to be irrefutably verified, thereby preventing theft and misuse of system identity.

Abstract: Systems and methods for a network environment for client-side remote access of a server device from a client device may utilize a biometric sensor device of the client device and a pluggable authentication and authorization framework. The biometric sensor device may capture a gesture of a target user. The server device may authenticate the target user based on previously registered encrypted biometric information of the target user utilizing the pluggable authentication and authorization framework and a remote desktop protocol. When the target user has been authenticated, the client device may be authorized to access a service of the server device.

Abstract: A secured container provides access to enterprise data while isolated from the operating system of an Information Handling System (IHS). The secured container remains secured during its delivery and deployment. A secured container is configured to provide a user of the IHS with access to enterprise data. The secured container is encrypted using a symmetrical key that is transmitted to a secured storage that is isolated from the operating system of the IHS via out-of-band communications. The encrypted secured container is digitally signed using an asymmetric key pair. The digital signature and the encrypted secured container are transmitted to the IHS via in-band communications. At the IHS, the public key of the asymmetric key pair is used to validate the digital signature and the private symmetric key is retrieved from secured storage to decrypt the secured container. Additional embodiments provide a technique for securely migrating a secured container between IHSs.