Abstract: Systems and methods support updates to an Information Handling System (IHS). A workspace is instantiated on the IHS based upon a received workspace definition, where the workspace identifies an available update to a system operating on the IHS. A request is made for a first credential used for validation of the IHS by a first remote workspace orchestrator. The workspace provides the first credential to a second remote workspace orchestrator that controls access to updates to the system operating on the IHS. The second remote workspace orchestrator uses the first credential to validate the IHS with the first remote workspace orchestrator. The workspace performs the available update to the system operating on the IHS using a second credential provided by the second remote workspace orchestrator upon validation of the IHS by the first remote workspace orchestrator. The IHS maintains separate confidentiality with each remote orchestrator providing credentials for the update.

Abstract: Systems and methods are provided for managing capabilities of workspaces operating on an Information Handling System (IHS). A request is received from a user of the IHS for access to a protected resource. A security context and a productivity context are determined for operation of a primary workspace on the IHS. Two or more applications are identified for operation within the primary workspace, where the applications provide access to the protected resource, and where the applications include overlapping capabilities. Based on the security context and the productivity context for the primary workspace deployment, two or more of the applications with overlapping capabilities are selected for operation within the primary workspace.

Abstract: Systems and methods support transferring control of a workspace that operates on an Information Handling System (IHS). An authorization policy is established on the IHS that is modifiable only by an arbiter of a remote orchestration service. The authorization policy specifies authorized administrators of the workspace. The authorization policy is modified to specify the arbiter and a first remote orchestrator as authorized administrators of the workspace. Administration of the workspace by the first orchestrator is allowed based on credentials that validate it as an authorized administrator specified by the policy. A notification is received of a transfer of orchestration of the workspace to a second remote orchestrator. The authorization policy is modified to specify the arbiter and the second orchestrator as authorized administrators of the workspace.

Abstract: Systems and methods support operation of primary on an Information Handling System (IHS) and the operation of subordinate workspaces on peripheral devices coupled to the IHS. The IHS receives a primary workspace definition from a remote orchestrator and instantiates a primary workspace based upon the primary workspace definition, where the instantiated primary workspace operates using core resources of the IHS and provides access to a protected resource. The IHS reports, to the remote orchestrator, an inventory of peripheral devices that are detected as coupled to the IHS. In response, one or more subordinate workspace definitions are received from the remote orchestrator, where each of the subordinate workspace definitions are for operation of a subordinate workspace by one of the peripheral devices coupled to the IHS. Based on the received subordinate workspace definitions, operation of subordinate workspaces is initiated on peripheral devices coupled to the IHS.

Abstract: Systems and methods for hardware-based protection of Application Programming Interface (API) keys are described. In some embodiments, an endpoint Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: send an encrypted API key to a trusted controller; and receive a decrypted API key from the trusted controller.

Abstract: Systems and methods support updates peripheral devices that may be coupled to an Information Handling System (IHS), such as provided at shared-use workstations. The IHS reports, to a remote orchestrator, an inventory of peripheral devices that are coupled to the IHS. In response, the remote orchestrator provides the IHS with files for updates to some or all of the coupled peripheral devices. As part of the updates, the remote orchestrator also designates a specific peripheral device as a proxy for making updates to other peripherals of the shared-use workstation. The IHS transmits the files to the proxy peripheral device, where the files are stored in a memory of the proxy peripheral device. The proxy peripheral device uses the files to update the other peripherals of the shared-use workstation, such as when the peripherals are not in use by the IHS, or after the IHS has been disconnected.

Abstract: Systems and methods for providing fleet remediation of compromised workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive, from a first local management agent configured to provide a first workspace in a fleet of workspaces, an indication that the first workspace has suffered a security compromise, where the first workspace is instantiated based upon a first workspace definition; and in response to the indication, transmit a second workspace definition to a second local management agent configured to provide a second workspace in the fleet of workspaces, where the second workspace is instantiated based upon the first workspace definition, and where the second local management agent is configured to instantiate a third workspace based upon the second workspace definition.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.

Abstract: A virtual BIOS engine may be configured to, during runtime of an operating system, in response to an operating system event for updating firmware, load onto an isolated compute domain of the processor to emulate firmware update processes of a non-transitory computer-readable media with a virtual non-transitory computer-readable media and emulate the firmware update processes of the cryptoprocessor with a virtual cryptoprocessor, extract a firmware payload to the virtual non-transitory computer-readable media, and execute a virtual trust chain to measure the firmware payload in the virtual non-transitory computer-readable media.

Abstract: An information handling system includes a hardware processor and a memory device to execute code instructions of an automatic peripheral device pairing management system pairing agent to receive, via a wireless interface adapter, a device identifier composition engine (DICE) certificate from a wireless peripheral device indicating the identity of the wireless peripheral device, the DICE certificate including a public key. The hardware processor executes computer readable program code of an out-of-band (OOB) temporary key generator agent to generate an OOB temporary key. The hardware processor executes the computer readable program code of the automatic peripheral device pairing management system pairing agent to encrypt the OOB temporary key using the public key. The hardware processor to sends the public key-encrypted OOB temporary key to the wireless peripheral device to be decrypted using a private key at the wireless peripheral device.

Abstract: An information handling system includes a hardware processor and a memory device to execute code instructions of an automatic peripheral device pairing management system pairing agent to receive, via a wireless interface adapter, a symmetric key to receive a symmetric key-wrapped secure pairing key data package from a wireless peripheral device as part of a pairing query. The hardware processor to, with the symmetric key, unwrap the symmetric key-wrapped secure pairing key data package to obtain pairing key data used to automatically Bluetooth® (BT) pair the backend coupled information handling system to the wireless peripheral device when the pairing key data matches peripheral device pairing key data at the wireless peripheral device including a received or generated out-of-band temporary key at the information handling system with a copy generated at the wireless peripheral device.

Abstract: A backend management server includes a hardware processor to code instructions of an automatic peripheral device pairing management system to receive a peripheral device identification (PD ID) associated with a wireless peripheral device from a manufacturer and the backend management server generating a temporary key to be associated with the wireless peripheral. The hardware processor to execute code instructions of a temporary key wrapping agent to wrap the temporary key in a transport private key and sending the transport private key-wrapped temporary key and PD ID for the wireless peripheral device to an assigned backend-coupled information handling system. A copy of the transport private key-wrapped temporary key is sent to the wireless peripheral device upon receiving a matching PD ID in a wireless peripheral device pairing query. The backend-coupled information handling systems may then verify and pair with the wireless peripheral device upon matching the temporary keys at both devices.

Abstract: An information handling system includes a hardware processor and a memory device to execute code instructions of an automatic peripheral device pairing management system to generate or receive a temporary key and receive peripheral device identification (PD ID) for each of a plurality of ordered wireless peripheral devices (PDs). The hardware processor to receive from a peripheral device assignment agent, assignment instructions for the plurality of ordered PDs to a designated subset of managed information handling systems. The temporary keys to be stored on each corresponding ordered wireless PD and the hardware processor to also deliver each of the temporary keys and PD IDs associated with each of the plurality of the ordered wireless PDs to the designated subset of managed information handling systems for automatic querying, verification, and pairing of each of the plurality of wireless PDs with the designated subset of managed information handling systems.

Abstract: An information handling system includes a hardware processor and a memory device, the processor executing code instructions of an automatic peripheral device (PD) pairing management system pairing agent to receive and store a temporary key and peripheral device identification data (PD ID) associated with a peripheral device assigned to the information handling system from a backend management server via secure wireless link. In response to a pairing query from the assigned peripheral device including a sent PD ID, the automatic PD pairing management system pairing agent determines that the received PD ID matches the stored PD ID and verifies BT pairing with the peripheral device is authorized by determining that the temporary key received from the backend management server matches a peripheral device temporary key stored at the peripheral device before establishing a Bluetooth® wireless link between the peripheral device and the information handling system.

Abstract: Systems and methods for distributed orchestration using delegate workspaces are described. In an illustrative, non-limiting embodiment, a remote orchestrator with respect to a workspace executed by a client Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the remote orchestrator to: communicate with a database of delegate workspaces, each delegate workspace instantiated by a respective one of a plurality of edge IHSs; and assign a management task with respect to a client IHS's workspace to a delegate workspace executed by a selected edge IHS, where the delegate workspace is selected, at least in part, based upon information stored in the database.

Abstract: Systems and methods provide endorsement of workspaces operating on Information Handling Systems (IHSs). A primary workspace definition is received by an IHS from a remote orchestrator. A primary workspace is instantiated on the IHS based upon the primary workspace definition, where the primary workspace provides access to a protected resource. The primary workspace definition received from the remote orchestrator identifies applications for operation within the primary workspace and also includes one or more endorsements for each of the applications. Instructions for operation of a applications are validated against an endorsement from the workspace definition. Applications are initiated for use within the workspace upon successful validation of the instructions.

Abstract: Systems and methods are provided for managing capabilities of workspaces operating on an Information Handling System (IHS). A request is received from a user of the IHS for access to a protected resource. A security context and a productivity context are determined for operation of a primary workspace on the IHS. Two or more applications are identified for operation within the primary workspace, where the applications provide access to the protected resource, and where the applications include overlapping capabilities. Based on the security context and the productivity context for the primary workspace deployment, two or more of the applications with overlapping capabilities are selected for operation within the primary workspace.

Abstract: Systems and methods support updates to an Information Handling System (IHS). A workspace is instantiated on the IHS based upon a received workspace definition, where the workspace identifies an available update to a system operating on the IHS. A request is made for a first credential used for validation of the IHS by a first remote workspace orchestrator. The workspace provides the first credential to a second remote workspace orchestrator that controls access to updates to the system operating on the IHS. The second remote workspace orchestrator uses the first credential to validate the IHS with the first remote workspace orchestrator. The workspace performs the available update to the system operating on the IHS using a second credential provided by the second remote workspace orchestrator upon validation of the IHS by the first remote workspace orchestrator. The IHS maintains separate confidentiality with each remote orchestrator providing credentials for the update.

Abstract: An Information Handling System (IHS), such as an IHS supporting workspaces employing subject workspace data, and/or an IHS of a workspace orchestration service may identify each modification to the subject data, identify each trusted entity performing each trusted operation on the data, and identify each unauthorized or undocumented modification to the data, each based, at least in part, on each gap in identification of each trusted entity performing each trusted operation on the data. Whereupon, a security score of the data may be decremented for each identified unauthorized or undocumented modification to the data. A data passport may be implemented, in which each modification to the data is identified. This data passport may be a ledger, such as a blockchain, a log file, such as an Extract, Transform, Load (ETL) server log file, rendered content from layered applications, such as a certificate chain (e.g., a final leaf certificate node).

Abstract: Systems and methods support operation of primary on an Information Handling System (IHS) and the operation of subordinate workspaces on peripheral devices coupled to the IHS. The IHS receives a primary workspace definition from a remote orchestrator and instantiates a primary workspace based upon the primary workspace definition, where the instantiated primary workspace operates using core resources of the IHS and provides access to a protected resource. The IHS reports, to the remote orchestrator, an inventory of peripheral devices that are detected as coupled to the IHS. In response, one or more subordinate workspace definitions are received from the remote orchestrator, where each of the subordinate workspace definitions are for operation of a subordinate workspace by one of the peripheral devices coupled to the IHS. Based on the received subordinate workspace definitions, operation of subordinate workspaces is initiated on peripheral devices coupled to the IHS.