Abstract: Embodiments of the disclosure provide application management capabilities to enterprises. A computing device of a user, associated with the enterprise, receives an enrollment token signed with a certificate. The enrollment token includes an enterprise identifier associated with the enterprise. The computing device receives a package containing one or more applications. The package also includes an enterprise identifier. Installation and execution of one or more applications from the received package is accepted or rejected based on a comparison of the enterprise identifier from the enrollment token with the enterprise identifier from the received package or application. A web service provides validation services by monitoring the installation and execution of applications on the computing devices associated with the enterprise.

Abstract: Embodiments of the disclosure provide application management capabilities to enterprises. A computing device of a user, associated with the enterprise, receives an enrollment token signed with a certificate. The enrollment token includes an enterprise identifier associated with the enterprise. The computing device receives a package containing one or more applications. The package also includes an enterprise identifier. Installation and execution of one or more applications from the received package is accepted or rejected based on a comparison of the enterprise identifier from the enrollment token with the enterprise identifier from the received package or application. A web service provides validation services by monitoring the installation and execution of applications on the computing devices associated with the enterprise.

Abstract: Embodiments of the disclosure provide application management capabilities to enterprises. A computing device of a user, associated with the enterprise, receives an enrollment token signed with a certificate. The enrollment token includes an enterprise identifier associated with the enterprise. The computing device receives a package containing one or more applications. The package also includes an enterprise identifier. Installation and execution of one or more applications from the received package is accepted or rejected based on a comparison of the enterprise identifier from the enrollment token with the enterprise identifier from the received package or application. A web service provides validation services by monitoring the installation and execution of applications on the computing devices associated with the enterprise.

Abstract: Embodiments of the disclosure provide application management capabilities to enterprises. A computing device of a user, associated with the enterprise, receives an enrollment token signed with a certificate. The enrollment token includes an enterprise identifier associated with the enterprise. The computing device receives a package containing one or more applications. The package also includes an enterprise identifier. Installation and execution of one or more applications from the received package is accepted or rejected based on a comparison of the enterprise identifier from the enrollment token with the enterprise identifier from the received package or application. A web service provides validation services by monitoring the installation and execution of applications on the computing devices associated with the enterprise.

Abstract: A unified enrollment client is described that allows authentication and communication with disparate enterprise management source types. A first enterprise management source type can have a corporate-based management server which is on the premises of the corporation. A second enterprise management source type can have a cloud-based management server in which a corporate server communicates through a federation gateway to a cloud-based management server. Authentication can be handled regardless of the source type through the use of a discovery request which identifies the source type so that the enrollment client knows how to tailor the authentication, if any is needed, to the particular enterprise management source.

Abstract: Embodiments of the disclosure provide application management capabilities to enterprises. A computing device of a user, associated with the enterprise, receives an enrollment token signed with a certificate. The enrollment token includes an enterprise identifier associated with the enterprise. The computing device receives a package containing one or more applications. The package also includes an enterprise identifier. Installation and execution of one or more applications from the received package is accepted or rejected based on a comparison of the enterprise identifier from the enrollment token with the enterprise identifier from the received package or application. A web service provides validation services by monitoring the installation and execution of applications on the computing devices associated with the enterprise.

Abstract: A method and apparatus are described for unenrolling applications, such as from a mobile device. An enterprise can be associated with one or more applications. Rather than uninstalling the applications individually, a single unenroll user interface command can be used to remove all data on the mobile device associated with the enterprise. Moreover, the applications associated with the enterprise can be uninstalled. A user's personal data on the mobile device is not affected during the unenrollment.

Abstract: When receiving multiple security policy configurations from different management sources, a computer device can apply the most secure of the policy configurations to the device. If one of the policy configurations is removed from the device, a determination can be made regarding which of the remaining security policy configurations is the most secure. Once the determination is made, one of the remaining security policies that is the most secure is applied.

Abstract: A method for storing data. A method for storing data comprising arranging a plurality of data buckets in a logical inverted tree structure having a plurality of levels; and performing nested hashing at each level of the plurality of levels.

Abstract: Generating a device certificate. A method of generating a device certificate comprising forming a template that will generate a device certificate upon the occurrence of a triggering event, filling in an authorization root certificate section of the template; filling in an authorization certificate section of the template, filling in a group certificate section of the template, and forming a device certificate section of the template.

Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.

Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.

Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.

Abstract: A packager packages digital content for a user and a licensor issues a digital license to the user for the content such that the user renders the content only in accordance with the license. The licensor and packager share a Secret to allow the packager and the licensor to calculate a content key (KD) for the content. To package the content for the user, the packager calculates a content key (KD) based on the shared Secret and a content ID and encrypts the content according to (KD). To issue a license to the user for the content, the licensor also calculates (KD) based on the shared Secret and the content ID, encrypts (KD) according to a public key of the user to form the license, and sends the license to the user.

Abstract: A packager packages digital content for a user and a licensor issues a digital license to the user for the content such that the user renders the content only in accordance with the license. The licensor and packager share a Secret to allow the packager and the licensor to calculate a content key (KD) for the content. To package the content for the user, the packager calculates a content key (KD) based on the shared Secret and a content ID and encrypts the content according to (KD). To issue a license to the user for the content, the licensor also calculates (KD) based on the shared Secret and the content ID, encrypts (KD) according to a public key of the user to form the license, and sends the license to the user.

Abstract: Content revocation is achieved by disabling licenses issued to a computing device for the content. A content revocation is delivered within a license to the computing device. Upon license storage the content revocation is recognized, validated, and stored in a secure state store under the public key of the content server (PU-CS) that issued the content. Each license has a (PU-CS) therein, and each license evaluation considers each content revocation stored in the state store and having the same (PU-CS). The license is disabled or otherwise affected based on the considered content revocation. A content revocation is one form of a license modification that may be delivered within a license.