Abstract: Workspace instantiations are monitored for potentially suspicious behavior. When a workspace is instantiated, a client endpoint computer creates a log of historical workspace instantiations. Each time the client endpoint computer requests, receives, or executes a workspace, the client endpoint computer adds and timestamps a new entry in the log of historical workspace instantiations. The log of historical workspace instantiations thus represents a rich database description of each workspace, its corresponding workspace definition file, and its corresponding timestamp. A workspace orchestration service may monitor how frequently the log of historical workspace instantiations is generated and flag or alert of unusual or anomalous counts. Any current workspace instantiation may thus be terminated as a security precaution.

Abstract: Workspace instantiations are monitored for potentially suspicious behavior. A client endpoint computer creates and maintains a log of historical events associated with a workspace instantiation. Each time the client endpoint computer processes an event associated with the workspace instantiation, the client endpoint computer adds and timestamps a new entry in the log of the historical events associated with the workspace instantiation. The log of the historical events thus represents a rich database description of the workspace instantiation, its corresponding workspace definition file, its corresponding workspace lifecycle events, and their corresponding timestamps. A workspace orchestration service (perhaps provided by a server) may monitor the log of historical events and flag or alert of any entries indicating suspicious behavior. Any current workspace instantiation may thus be terminated as a security precaution.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.

Abstract: Systems and methods for securely deploying a collective workspace across multiple local management agents are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, at a workspace orchestration service from a first local management agent, first context information and a first split key; receive, at the workspace orchestration service from a second local management agent, second context information and a second split key; determining, by the workspace orchestration service, that the first and second context information match a collaborative workspace policy; in response to the determination, authenticate the first and second split keys; and in response to the authentication, transmit a collaborative workspace definition to the first and second local management agents.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: Systems and methods for workspace deployment using a secondary trusted device are described. In some embodiments, a first Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the first IHS to: establish a first connection with a second IHS, where the second IHS is configured to establish a second connection with a workspace orchestration service, and where the workspace orchestration service is configured to: receive device identification information of the first IHS from the second IHS; and authenticate the device identification information against a database provided by a manufacturer of the first IHS; and in response to a successful authentication, establish a third connection with the workspace orchestration service.

Abstract: Embodiments provide access to enterprise data via a secured virtual environment hosted on an Information Handling System (IHS), with the integrity of the IHS validated prior to launching the virtual environment. The integrity of the IHS may also be continuously validated during operation of the launched virtual environment. Policies for accessing the enterprise data are stored in a secured memory that is isolated from the operating system of the IHS. A virtual environment is configured, according to the policies, with resources for a particular user to access the enterprise data. If the integrity of the IHS is validated by a trusted resource on the IHS, the virtual environment is launched. During operation of the virtual environment, the trusted resource periodically confirms the integrity of the IHS. If the integrity of the IHS is not verified or policy changes are identified, access to the secured workspace may be revoked.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.

Abstract: Systems and methods for securely deploying a collective workspace across multiple local management agents are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, at a workspace orchestration service from a first local management agent, first context information and a first split key; receive, at the workspace orchestration service from a second local management agent, second context information and a second split key; determining, by the workspace orchestration service, that the first and second context information match a collaborative workspace policy; in response to the determination, authenticate the first and second split keys; and in response to the authentication, transmit a collaborative workspace definition to the first and second local management agents.

Abstract: Systems and methods for bare-metal or pre-boot user-machine authentication, binding, and entitlement provisioning are described. In some embodiments, a method may include: receiving, at a first portal managed by a manufacturer of an Information Handling System (IHS): (i) user credentials associated with a user of the IHS, and (ii) device identification associated with the IHS before the IHS is shipped to the user; selecting a customer of the manufacturer associated with the device identification; forwarding an indication of the user credentials to a second portal managed by the customer; and, in response to the second portal having successfully authenticated the user, establishing an identity session with the second portal; receiving, from the IHS, a request to initiate an entitlement sequence.

Abstract: Systems and methods are provided that support configuration of settings of an Information Handling System (IHS), such as by external configuration tools that are delegated authority to configure any portion of the configurable settings of IHS. During factory provisioning of the IHS, an inventory of configurable settings of the IHS is generated and permissions are assigned for configuration of a portion of the configurable IHS settings by a configuration tool. During the factory provisioning, credentials are stored to the IHS for authenticating communications from the assigned configuration tool. Once the IHS has been delivered and deployed, configuration of the assigned portion of IHS is allowed when configuration requests from the assigned configuration tool are successfully validated against the credentials stored to the IHS during factory provisioning. The configurable settings of the IHS may include BIOS settings, operating system settings and settings supported by hardware components of the IHS.

Abstract: Systems and methods are provided for swapping computing architectures used by workspaces operating on an Information Handling System (IHS). A first workspace definition is generated for deployment of a workspace on the IHS using a first computing architecture. A timer is initiated upon deployment of the workspace on the IHS according to the first workspace definition. Upon expiration of the timer, a second workspace definition is generated for redeployment of the workspace using a second computing architecture. The workspace is then redeployed on the IHS according to the second workspace definition. The duration of the timer may be a randomized interval, or may be selected based on security and/or productivity metrics for the deployment of the workspace on the IHS. Through swapping of the computing architecture used by the workspace, the attack surface presented by the workspace is regularly altered, thus thwarting malicious actors attempting to compromise the workspace.

Abstract: Systems and methods for dynamic workspace targeting with crowdsourced user context are described. In some embodiments, an Information Handling System (IHS) of a workspace orchestration service may include a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: detect execution of an application in a workspace instantiated by a client IHS; validate the application based upon productivity context information and security context information received from the client IHS; and in response to the validation, distribute the validated application to another workspace instantiated by another client IHS.

Abstract: Systems and methods for performing self-contained posture assessment from within a protected portable-code workspace are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory having program instructions that, upon execution, cause the IHS to: transmit, from an orchestration service to a local agent, a workspace definition that references an application, where the application comprises a first portion of code provided by a developer and a second portion of code provided by the orchestration service; and receive, from a local agent at the orchestration service, a message in response to the execution of the second portion of code within a workspace instantiated based upon the workspace definition. The second portion of code may inspect the contents of the runtime memory of the workspace upon execution, for example, by performing a stack canary check, a hash analysis, a boundary check, and/or a memory scan.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: Systems and methods adjust workspaces based on available hardware resource of an IHS (Information Handling System) by which a user operates a workspace supported by a remote orchestration service. A security context and a productivity context of the IHS are determined based on reported context information. A workspace definition for providing access to a managed resource is selected based on the security context and the productivity context. A notification specifies a hardware resource of the IHS that is not used by the workspace definition, such as a microphone or camera that has not been enabled for use by workspaces. A productivity improvement that results from the updated productivity context that includes use of the first hardware resource is determined. Based on the productivity improvement, an updated workspace definition is selected that includes use of the first hardware resource in providing access to the managed resource via the IHS.

Abstract: A protected stream manager includes one or more subsystems to receive a content stream in a virtual environment, obfuscate the content stream, and prioritize use of a processor to process the content stream.

Abstract: Systems and methods for endpoint context-driven, dynamic workspaces are described.