Abstract: In an example, a method of creating a secured workspace in a mobile device includes installing an application management agent on the mobile device, wherein the application management agent is configured to communicate with a remote server to obtain a security policy. The method further includes installing a wrapped enterprise application to the mobile device. The wrapped enterprise application includes code injected therein that, when executed by the mobile device, causes the mobile device to intercept at least a portion of instructions being executed by the wrapped enterprise application and to interpose alternative instructions that comply with the security policy. The method further includes communicating among the wrapped enterprise application, the application management agent, and other wrapped enterprise applications through pasteboard and uniform resource locator (URL) handlers provided by an operating system of the mobile device.

Abstract: One or more embodiments of the invention provide access to a work environment in a mobile device from a lock screen presented by a personal environment of the mobile device, wherein the work environment is running in a virtual machine supported by a hypervisor running within the personal environment and wherein the personal environment is a host operating system (OS) of the mobile device. The host OS receives an authentication credential from a user in response to a presentation of the lock screen on a user interface (UI) of the mobile device and then determines whether the authentication credential is valid for the personal environment or the work environment. If the authentication credential is valid for the personal environment, access is enabled only to the personal environment. If the authentication credential is valid for the work environment, access is enabled to both the personal environment and the work environment.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.

Abstract: An example method includes modifying, prior to run time, an executable file of an application to cause an operating system loader to load additional code using a dynamically-linked library. Modifying the executable file includes determining whether the executable file includes sufficient unused space to accommodate a load command, and adding the load command to the executable file when the executable file includes sufficient unused space by: shifting, in the executable file, an existing load command that does not contain dependency information to make space for the load command; or identifying unused space outside of a data portion of the executable file that can be removed to accommodate the load command. The additional code, when executed by a processor, causes the processor to change a pointer in a table that indicates an address of an imported function implementing a system call so the pointer indicates an address of a customized function.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.

Abstract: An example method includes modifying, prior to run time, an executable file of an application to cause an operating system loader to load additional code using a dynamically-linked library. Modifying the executable file includes determining whether the executable file includes sufficient unused space to accommodate a load command, and adding the load command to the executable file when the executable file includes sufficient unused space by: shifting, in the executable file, an existing load command that does not contain dependency information to make space for the load command; or identifying unused space outside of a data portion of the executable file that can be removed to accommodate the load command. The additional code, when executed by a processor, causes the processor to change a pointer in a table that indicates an address of an imported function implementing a system call so the pointer indicates an address of a customized function.

Abstract: In an example, a method of creating a secured workspace in a mobile device includes installing an application management agent on the mobile device, wherein the application management agent is configured to communicate with a remote server to obtain a security policy. The method further includes installing a wrapped enterprise application to the mobile device. The wrapped enterprise application includes code injected therein that, when executed by the mobile device, causes the mobile device to intercept at least a portion of instructions being executed by the wrapped enterprise application and to interpose alternative instructions that comply with the security policy. The method further includes communicating among the wrapped enterprise application, the application management agent, and other wrapped enterprise applications through pasteboard and uniform resource locator (URL) handlers provided by an operating system of the mobile device.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by using a validation certificate to validate against a root certificate embedded in a configuration profile installed on the device. The configuration profile is configured to be non-removable, so it cannot be remove or updated, except by another configuration profile signed by the same authority.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by using a validation certificate to validate against a root certificate embedded in a configuration profile installed on the device. The configuration profile is configured to be non-removable, so it cannot be remove or updated, except by another configuration profile signed by the same authority.

Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.

Abstract: A method for providing a secure lockout from executing application programs is provided. An opaque graphical component obscures graphical components for all executing software (applications) programs on a display apparatus and prevents events from reaching the executing application programs.

Abstract: Store for operating system resource data is provided integrally with application program resource data in an application program environment to create a shared object. Application programs executing the in application program environment are prevented from accessing the operating system resource data portion of the shared object.

Abstract: An application programming language runtime environment is integrated with an operating system kernel. The resulting merged data structures, meta-data structures and access methods contain the consolidation of information needed by the application programming language runtime and the operating system, without duplication. Integrating resources of the application programming language runtime and the operating system reduces the overall memory needed to store the merges data structures and meta data structures. Additionally, overhead in maintaining multiple data structures in parallel is also reduced, thus reducing the processing required. The integrated application programming language runtime and operating system kernel environment can also sharing semantic behavior such that untrusted application program code is prevented from escaping the application programming language runtime environment.

Abstract: A garbage collector, from time to time, and within a single cycle, determines objects that are eligible to have their associated memory freed; executes high-priority finalizers associated with such eligible objects as are determined; and after execution of a high-priority finalizer, deallocates the memory of the associated object. The garbage collector queues references to eligible objects that have non-high-priority finalizers in a list. After garbage collection is completed, a finalizer thread runs the queued non-high-priority finalizers and marks the associated objects as ready for deallocation. The garbage collector, during a subsequent cycle, then deallocates the memory associated with marked objects.

Abstract: The invention method and system provides rotation of an image on a display screen. A graphics library translates on-screen coordinates from a base viewing mode to a desired alternate viewing mode. The translated coordinated are rendered directly to the display screen.

Abstract: Memory and processing required for managing virtual memory segments is reduced by overloading the existing page table entries in a virtual memory page table to encode virtual memory segmentation data. Therefore, no additional data structures are required for virtual memory segment management. Virtual memory segmentation information is stored in the actual page table entries, using bits that are reserved as unused for the given computer architecture to identify the virtual memory segment management information.

Abstract: A graphics sub-system manages a two-dimensional coordinate space which includes a plurality of rectangular regions. The two-dimensional coordinate space is represented by a hierarchical linked list of nodes. Each node represents a rectangular region of two-dimensional coordinate space. Each node acts as a bounding box for all descendant nodes in the hierarchical linked list of nodes.