Patents by Inventor Nicholas D. Grobelny
Nicholas D. Grobelny has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240250947
Abstract: Systems and methods provide endorsement of workspaces operating on Information Handling Systems (IHSs). A primary workspace definition is received by an IHS from a remote orchestrator. A primary workspace is instantiated on the IHS based upon the primary workspace definition, where the primary workspace provides access to a protected resource. The primary workspace definition received from the remote orchestrator identifies applications for operation within the primary workspace and also includes one or more endorsements for each of the applications. Instructions for operation of applications are validated against an endorsement from the workspace definition. Applications are initiated for use within the workspace upon successful validation of the instructions.
Type: Application
Filed: January 20, 2023
Publication date: July 25, 2024
Applicant: Dell Products, L.P.
Inventor: Nicholas D. Grobelny
-
Publication number: 20240248699
Abstract: Systems and methods support updates to an Information Handling System (IHS). A workspace is instantiated on the IHS based upon a received workspace definition, where the workspace identifies an available update to a system operating on the IHS. A request is made for a first credential used for validation of the IHS by a first remote workspace orchestrator. The workspace provides the first credential to a second remote workspace orchestrator that controls access to updates to the system operating on the IHS. The second remote workspace orchestrator uses the first credential to validate the IHS with the first remote workspace orchestrator. The workspace performs the available update to the system operating on the IHS using a second credential provided by the second remote workspace orchestrator upon validation of the IHS by the first remote workspace orchestrator. The IHS maintains separate confidentiality with each remote orchestrator providing credentials for the update.
Type: Application
Filed: January 20, 2023
Publication date: July 25, 2024
Applicant: Dell Products, L.P.
Inventors: Carlton A. Andrews, Jason Kolodziej, Girish S. Dhoble, Nicholas D. Grobelny
-
Publication number: 20240250978
Abstract: An Information Handling System (IHS), such as a workspace orchestration service IHS, observes location information of a device, and receives location information logged by the device. The observed location information may include telemetry of the device, and/or the received device-logged location information may include below-OS telemetry of the device. The IHS correlates the observed location information with the received device-logged location information, and adjusts a security score of the device in accordance with the resulting correlation. Where the device is a workspace instantiation client IHS, the logged location information is logged by the workspace, and the security score is the security score of the workspace. Also, the workspace orchestration service IHS may build a definition for the workspace, that includes one or more localized entitlements for the workspace, or may build the workspace definition to include remediation action, based on the location information and/or adjusted security score.
Type: Application
Filed: January 20, 2023
Publication date: July 25, 2024
Applicant: Dell Products, L.P.
Inventors: Nicholas D. Grobelny, Girish S. Dhoble, Joseph Kozlowski
-
Publication number: 20240244045
Abstract: Systems and methods for managing credentials usable in the orchestration of workspaces by multiple remote orchestrators are described. In an illustrative, non-limiting embodiment, an Information Handling System (IHS), may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: allow a first remote orchestrator to manage a workspace instantiated by the IHS in response to the first remote orchestrator having a first credential, where the first remote orchestrator is associated with a first domain; receive a request from a second remote orchestrator to manage the workspace, where the second remote orchestrator is associated with a second domain within the first domain; and allow the second remote orchestrator to manage the workspace in response to a determination that the second remote orchestrator has a second credential provided by the first remote orchestrator.
Type: Application
Filed: January 18, 2023
Publication date: July 18, 2024
Applicant: Dell Products, L.P.
Inventor: Nicholas D. Grobelny
-
Publication number: 20240241965
Abstract: Systems and methods for telemetry collection auto-tuning for workspaces are described. In an illustrative, non-limiting embodiment, a client Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the client IHS to: collect telemetry during execution of a workspace using a telemetry collection setting specified in a file or policy received from a workspace orchestration service, where the file or policy implements a workspace definition usable by a local management agent to instantiate the workspace; in response to a comparison between a security risk score and a threshold risk level, modify the telemetry collection setting; and collect telemetry using the modified telemetry collection setting.
Type: Application
Filed: January 18, 2023
Publication date: July 18, 2024
Applicant: Dell Products, L.P.
Inventors: Carlton A. Andrews, David Konetski, Nicholas D. Grobelny
-
Publication number: 20240241995
Abstract: Methods and systems for securing data processing systems are disclosed. A data processing system may be operably connected to other devices via ports. When operably connected, some devices connected via the ports may cause undesired actions to be performed. To limit physical access to the ports, a security apparatus may be used to lock the ports. The security apparatus may transition between states where it may be inserted into openings for the ports and may be locked to the openings for the ports. When so locked, physical access to the ports may be limited.
Type: Application
Filed: March 29, 2024
Publication date: July 18, 2024
Inventors: Jason Scott MORRISON, Nicholas D. GROBELNY, Mark Andrew SCHWAGER
-
Patent number: 12003623
Abstract: Systems and methods for multilayer encryption for user privacy compliance and corporate confidentiality are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: transmit, from a workspace instantiated by a local management agent to a portal managed by an enterprise: (i) a request to store a once-encrypted document, and (ii) an indication that the once-encrypted document is encrypted with a controlvault key; receive, from the portal at the workspace, a request to encrypt the once-encrypted document with an enterprise-issued cryptographic key to produce a twice-encrypted document; and transmit, from the workspace to the portal, a copy of the twice-encrypted document.
Type: Grant
Filed: December 18, 2020
Date of Patent: June 4, 2024
Assignee: Dell Products, L.P.
Inventors: Charles D. Robison, Nicholas D. Grobelny, Ricardo L. Martinez
-
Patent number: 11994919
Abstract: A main housing portion of a portable information handling system. The main housing portion includes: a top cover portion; a bottom cover portion; and, an information handling system locking system, the information handling system locking system including a bottom cover locking component, the bottom cover locking component being mounted to the bottom cover, the bottom cover locking component defining a bottom cover locking portion aperture, the bottom cover locking portion aperture being aligned with the top cover aperture.
Type: Grant
Filed: June 28, 2021
Date of Patent: May 28, 2024
Assignee: Dell Products L.P.
Inventors: Nicholas D. Grobelny, Jason S. Morrison, Patrick A. Hampton, Michael David, Ernesto Ramirez
-
Patent number: 11977669
Abstract: Methods and systems for securing data processing systems are disclosed. A data processing system may be operably connected to other devices via ports. When operably connected, some devices connected via the ports may cause undesired actions to be performed. To limit physical access to the ports, a security apparatus may be used to lock the ports. The security apparatus may transition between states where it may be inserted into openings for the ports and may be locked to the openings for the ports. When so locked, physical access to the ports may be limited.
Type: Grant
Filed: February 9, 2022
Date of Patent: May 7, 2024
Assignee: Dell Products L.P.
Inventors: Jason Scott Morrison, Nicholas D. Grobelny, Mark Andrew Schwager
-
Patent number: 11909882
Abstract: Various embodiments of systems and methods are provided to bind a system identifier that uniquely identifies an information handling system (IHS) to the system platform, so that the identity of the IHS can be cryptographically verified. More specifically, the present disclosure provides methods to bind a unique system identifier to an IHS platform, and methods to cryptographically verify the identity of the IHS using the unique system identifier and a plurality of keys generated and stored with a Trusted Platform Module (TPM) of the IHS. Systems are provided herein to perform such methods. As such, the systems and methods disclosed herein enable system identity to be irrefutably verified, thereby preventing theft and misuse of system identity.
Type: Grant
Filed: January 30, 2020
Date of Patent: February 20, 2024
Assignee: Dell Products L.P.
Inventors: Charles D. Robison, Nicholas D. Grobelny, Amy C. Nelson
-
Patent number: 11905742
Abstract: An information handling system housing is secured against unauthorized access with a security device integrated in the housing that selectively enables and disables screw movement relative to threads disposed in the housing. For instance, a freewheeling nut in the housing interfaces with an actuator that selectively releases or holds the freewheeling nut relative to the housing. When released, a screw coupled to the freewheeling nut cannot rotate relative to the threads of the freewheeling nut so that the screw maintains the housing secured until the freewheeling nut is held in position to allow removal of the screw.
Type: Grant
Filed: April 24, 2020
Date of Patent: February 20, 2024
Assignee: Dell Products L.P.
Inventors: Jason S. Morrison, Nicholas D. Grobelny
-
Publication number: 20240037216
Abstract: Systems and methods are provided that may be implemented to provide a basic input/output system (BIOS) with the ability to authenticate and then execute one-time unique instructions that are previously left behind (i.e., stored) in public memory of an information handling system by a containerized computing environment session that is no longer executing on the information handling system. The disclosed systems and methods may be so implemented to share with the system BIOS privileged instructions to identify which executables are authorized for execution on a targeted information handling system. The privileged instructions may be previously created and optionally stored together with an executable code in system public memory, and these instructions may provide instructions on how to execute the executable code.
Type: Application
Filed: July 27, 2022
Publication date: February 1, 2024
Inventors: Nicholas D. Grobelny, Sumanth Vidyadhara, Richard M. Tonry, Amy C. Nelson
-
Publication number: 20240028723
Abstract: Workspace instantiations are monitored for potentially suspicious behavior. When a workspace is instantiated, a client endpoint computer creates a log of historical workspace instantiations. Each time the client endpoint computer requests, receives, or executes a workspace, the client endpoint computer adds and timestamps a new entry in the log of historical workspace instantiations. The log of historical workspace instantiations thus represents a rich database description of each workspace, its corresponding workspace definition file, and its corresponding timestamp. A workspace orchestration service may monitor how frequently the log of historical workspace instantiations is generated and flag or alert of unusual or anomalous counts. Any current workspace instantiation may thus be terminated as a security precaution.
Type: Application
Filed: July 21, 2022
Publication date: January 25, 2024
Inventors: Girish S. Dhoble, David Konetski, Nicholas D. Grobelny
-
Publication number: 20240028713
Abstract: Workspace instantiations are monitored for potentially suspicious behavior. A client endpoint computer creates and maintains a log of historical events associated with a workspace instantiation. Each time the client endpoint computer processes an event associated with the workspace instantiation, the client endpoint computer adds and timestamps a new entry in the log of the historical events associated with the workspace instantiation. The log of the historical events thus represents a rich database description of the workspace instantiation, its corresponding workspace definition file, its corresponding workspace lifecycle events, and their corresponding timestamps. A workspace orchestration service (perhaps provided by a server) may monitor the log of historical events and flag or alert of any entries indicating suspicious behavior. Any current workspace instantiation may thus be terminated as a security precaution.
Type: Application
Filed: July 22, 2022
Publication date: January 25, 2024
Inventors: Girish S. Dhoble, Nicholas D. Grobelny, David Konetski
-
Publication number: 20240020427
Abstract: Systems and methods for preventing content rendered by an Information Handling System (IHS) display from being captured or recorded (e.g., photographed, filmed, recorded, etc.) are described. In an embodiment, an IHS may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: receive an image from a camera; detect a device in the image; and in response to the detection, prevent content rendered by a display from being captured or recorded by the device.
Type: Application
Filed: July 13, 2022
Publication date: January 18, 2024
Applicant: Dell Products, L.P.
Inventors: Nicholas D. Grobelny, Daniel L. Hamlin
-
Publication number: 20240020212
Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described.
Type: Application
Filed: July 19, 2023
Publication date: January 18, 2024
Applicant: Dell Products, L.P.
Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
-
Patent number: 11876900
Abstract: A system includes a communication channel monitor configured to calculate a hash value of a first encrypted code segment based on a measurement. A security module may derive a first encryption key using a key decryption function operation from the hash value of the first encrypted code segment. A processor decrypts the first encrypted code segment with a seed key retrieved from a storage device, and if the decryption is successful then executes the first decrypted code segment. The processor may retrieve a second one of the encrypted code segments, wherein the second encrypted code segment is a next encrypted code segment for execution after the first encrypted code segment according to a sequence of execution, decrypt the second encrypted code segment with the first encryption key, and if the decryption is successful then execute the second decrypted code segment.
Type: Grant
Filed: May 18, 2022
Date of Patent: January 16, 2024
Assignee: Dell Products L.P.
Inventors: Nicholas D. Grobelny, Richard M. Tonry, Balasingh P. Samuel
-
Publication number: 20230401316
Abstract: A virtual BIOS engine may be configured to, during runtime of an operating system, in response to an operating system event for updating firmware, load onto an isolated compute domain of the processor to emulate firmware update processes of a non-transitory computer-readable media with a virtual non-transitory computer-readable media and emulate the firmware update processes of the cryptoprocessor with a virtual cryptoprocessor, extract a firmware payload to the virtual non-transitory computer-readable media, and execute a virtual trust chain to measure the firmware payload in the virtual non-transitory computer-readable media.
Type: Application
Filed: June 10, 2022
Publication date: December 14, 2023
Applicant: Dell Products L.P.
Inventors: Shekar Babu SURYANARAYANA, Anand Prakash JOSHI, Amy Christine NELSON, Nicholas D. GROBELNY
-
Patent number: 11843509
Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.
Type: Grant
Filed: December 8, 2021
Date of Patent: December 12, 2023
Assignee: Dell Products L.P.
Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L Martinez, Charles D. Robison
-
Patent number: 11809876
Abstract: An information handling system is configured to support first and second boot sequences, which invoke first and second bootloaders respectively. The bootloaders may be stored in an NVMe storage boot partition. Each bootloader may be associated with a corresponding encryption key generated by a trusted platform module, which may seal the first and second keys in accordance with one or more measurements taken during the respective boot sequences. The system determines whether a boot sequence in progress is to invoke the first or second bootloader. The system then unseals the appropriate encryption key to access the appropriate bootloader. The first bootloader may be a host OS bootloader and the second bootloader may be for a recovery resource invoked when the host OS fails to load. The recovery resource may enable BIOS to connect to a remote store and download an image via an HTTP mechanism.
Type: Grant
Filed: April 29, 2021
Date of Patent: November 7, 2023
Assignee: Dell Products L.P.
Inventors: Nicholas D. Grobelny, Shun-Tang Hsu, Lip Vui Kan, Sumanth Vidyadhara