Abstract: Disclosed are various embodiments for conditional time-based one time password token issuance based on locally aggregated device risk. Embodiments of this application can evaluate the security of the client device using mobile threat defense signals or a device posture summary before generating a seed on the client device to ensure the security of all the connected systems as a whole. Additionally, embodiments of this application can evaluate the security of the client device to determine if changes have been made that require a remedial action to be taken. In some embodiments, the client device may be completely disconnected from the network and capable of generating time-based one time passwords, while remaining offline. However, offline attacks may still occur; in such a situation, the client device can determine the security of the device and perform the remedial actions independent of other devices, systems, computing environments, or networks.

Abstract: Examples of device-driven management are described. A management console can include a set of workflow objects to use in a workflow creation user interface. Workflow objects can be positioned in the workflow creation user interface area based on user manipulation. A device state criteria overlay can be painted on a connector workflow object to indicates that a branch of executable instructions corresponding to the connector workflow object is performed where a client device corresponds to the specified device state criteria.

Abstract: Examples of device-driven management are described. A management service can transmit a device-driven management workflow to a number of client devices. The device-driven management workflow can include workflow objects that define a branching sequence of instructions. The client devices can provide a corresponding plurality of completion statuses for a step of the device-driven management workflow. The management service can identify a failure of the step according to a set of failure rules, and visually emphasize the failure within a representation of the device-driven management workflow.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A connector service identifies a certificate request from a messenger service. The certificate request includes a credential identifier for a certificate authority. An authentication credential is retrieved using the credential identifier. A certificate request and the certificate authority authentication credential are transmitted to the certificate authority. A certificate is retrieved and provided as a response to the certificate request.

Abstract: Disclosed are various embodiments for managing the state of client devices using device-driven management workflows. The device-driven management workflow can be evaluated to determine a current state of the computing device, install software, and direct the computing device to watch at least one value stored in memory for a modification. When at the at least one value stored in memory is modified, the computing device can execute the device-driven management workflow to resolve a discrepancy between the expected state and the current state or perform a remedial action to prevent unwanted access to secure resources.

Abstract: Examples of device-driven management are described. A management service can generate a management console that includes a set of workflow objects to use in a workflow creation user interface. A device-driven management workflow is defined through the workflow creation user interface. The management service identifies that device-driven management workflow lacks a condition specified in a comprehensiveness definition. A workflow object for the condition specified in a comprehensiveness definition is generated for display. A user interaction incorporates the workflow object into the device-driven management workflow so that device-driven management workflow considers the specified condition.

Abstract: Disclosed are various embodiments for recognizing state changes in client devices and managing the state of client devices using device-driven management workflows. A computing device can receive a state of a client device. The computing device can then determine if the received state matches an expected, compliant state of the client device. When the computing device determines that the received state does not match the expected state, the computing device can identify a remedial workflow that would bring the client device into compliance. The computing device can send the remedial workflow and an instruction to run the remedial workflow to the client device.

Abstract: Disclosed are various embodiments for managing the state of client devices using device-driven management workflows. A computing device can be evaluated to determine the current state of the computing device. Then, the current state of the computing device is compared to an expected state of the computing device. The expected state of the computing device may be based at least in part on a result of execution of at least one device-driven management workflow by the computing device. In response to a determination that the current state of the computing device fails to match the expected state of the computing device, the device-driven management workflow can be executed to resolve the discrepancy between the expected state and the current state.

Abstract: Disclosed are various embodiments for securely distributing certificates or encryption keys. A management service can receive an enrollment request from a client device. The management service can then send a key request to a certificate provider, the key request comprising a user identifier. The management service can also send a skeleton payload to an enterprise gateway. In response, the management service can receive an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with an encryption key inserted by the enterprise gateway into the skeleton payload. Finally, the management service can send the encrypted profile to the client device.

Abstract: Disclosed are various embodiments for managing the state of client devices using device-driven management workflows. A computing device can be evaluated to determine the current state of the computing device. Then, the current state of the computing device is compared to an expected state of the computing device. The expected state of the computing device may be based at least in part on a result of execution of at least one device-driven management workflow by the computing device. In response to a determination that the current state of the computing device fails to match the expected state of the computing device, the device-driven management workflow can be executed to resolve the discrepancy between the expected state and the current state.

Abstract: Examples of device-driven management are described. A management service can transmit a device-driven management workflow to a number of client devices. The device-driven management workflow can include workflow objects that define a branching sequence of instructions. The client devices can provide a corresponding plurality of completion statuses for a step of the device-driven management workflow. The management service can identify a failure of the step according to a set of failure rules, and visually emphasize the failure within a representation of the device-driven management workflow.

Abstract: Examples of device-driven management are described. A management console can include a set of workflow objects to use in a workflow creation user interface. Workflow objects can be positioned in the workflow creation user interface area based on user manipulation. A device state criteria overlay can be painted on a connector workflow object to indicates that a branch of executable instructions corresponding to the connector workflow object is performed where a client device corresponds to the specified device state criteria.

Abstract: Examples of device-driven management are described. A management service can generate a management console that includes a set of workflow objects to use in a workflow creation user interface. A device-driven management workflow is defined through the workflow creation user interface. The management service identifies that device-driven management workflow lacks a condition specified in a comprehensiveness definition. A workflow object for the condition specified in a comprehensiveness definition is generated for display. A user interaction incorporates the workflow object into the device-driven management workflow so that device-driven management workflow considers the specified condition.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A connector service identifies a certificate request from a messenger service. The certificate request includes a credential identifier for a certificate authority. An authentication credential is retrieved using the credential identifier. A certificate request and the certificate authority authentication credential are transmitted to the certificate authority. A certificate is retrieved and provided as a response to the certificate request.

Abstract: Examples of device-driven management is described. A management service can generate a management console that includes a set of workflow objects to use in a workflow creation user interface. A management workflow can be retrieved from a network service and translated to be formatted into the workflow objects. A user can select the management workflow, and the management console can be updated to show graphical representations of the workflow objects. The management service can transmit a device-driven management workflow that includes a translated version of the management workflow.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A first request for a certificate is received from a client device. Then a certificate request can be created. The certificate request may include a credential identifier for a certificate authority. The credential identifier may uniquely identify an authentication credential to use to request the certificate from certificate authority. The certificate request can then be added to a message queue. Later, a second request from another computing device is received and the message stored in the message queue is provided in response. A certificate is then received from the other computing device and is provided to the client device in response to the first request.

Abstract: Disclosed are various embodiments for securely distributing certificates or encryption keys. A management service can receive an enrollment request from a client device. The management service can then send a key request to a certificate provider, the key request comprising a user identifier. The management service can also send a skeleton payload to an enterprise gateway. In response, the management service can receive an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with an encryption key inserted by the enterprise gateway into the skeleton payload. Finally, the management service can send the encrypted profile to the client device.

Abstract: Disclosed are various embodiments for securely distributing certificates or encryption keys. A management service can receive an enrollment request from a client device. The management service can then send a key request to a certificate provider, the key request comprising a user identifier. The management service can also send a skeleton payload to an enterprise gateway. In response, the management service can receive an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with an encryption key inserted by the enterprise gateway into the skeleton payload. Finally, the management service can send the encrypted profile to the client device.

Abstract: Disclosed are various embodiments for delegating authentication to certificate authorities. A first request for a certificate is received from a client device. Then a certificate request can be created. The certificate request may include a credential identifier for a certificate authority. The credential identifier may uniquely identify an authentication credential to use to request the certificate from certificate authority. The certificate request can then be added to a message queue. Later, a second request from another computing device is received and the message stored in the message queue is provided in response. A certificate is then received from the other computing device and is provided to the client device in response to the first request.