Abstract: An apparatus includes a processor and a memory operatively coupled to the processor. The processor is configured to automatically send queries to client devices, and to receive responses from the client devices in response to the queries. The processor is configured to identify, based on the responses and on role information stored in an Active Directory database, roles of current users of the client devices and identify based on the roles security risks associated with the client devices. The roles can differ among users. The processor is configured to select a remedial action for at least one of the client devices based on the security risk associated with that client device, and is configured to implement the remedial action on that client device. The processor is configured to not select a remedial action for another of the client devices based on the security risk associated with that client device.

Abstract: An apparatus includes a processor operatively coupled to a memory. The processor receives a first set of risk assessment rules including first user privilege criteria and first device criteria. The first device criteria include a computing device patch level, a network type, and/or a password policy. The processor identifies a user-specific security risk based on the first set of risk assessment rules and applies a privilege mitigation measure based on the user-specific security risk without being in communication with a management server. The processor later receives a second, updated set of risk assessment rules at the computing device. Upon detecting another login of the user, the processor identifies an updated user-specific security risk based on the updated set of risk assessment rules, and applies a modified privilege mitigation measure based on the updated user-specific security risk, again without being in communication with the management server.

Abstract: An apparatus includes a processor operatively coupled to a memory. The processor detects a software application installed on a client computing device, and/or usage data. Detected usage data is associated with a current user of the client computing device and with the software application. The processor identifies a user role for the current user based on the software application and/or usage data. The processor applies a security configuration to the client computing device based on the user role. The security configuration limits access by the current user to a portion of the software application. The processor sends an identifier of the user role to an administrative server for storage in an Active Directory (AD) database.

Abstract: An apparatus includes a processor operatively coupled to a memory. The processor receives a first set of risk assessment rules including first user privilege criteria and first device criteria. The first device criteria includes a computing device patch level, a network type, and/or a password policy. The processor identifies a user-specific security risk based on the first set of risk assessment rules and applies a privilege mitigation measure based on the user-specific security risk without being in communication with a management server. The processor later receives a second, updated set of risk assessment rules at the computing device. Upon detecting another login of the user, the processor identifies an updated user-specific security risk based on the updated set of risk assessment rules, and applies a modified privilege mitigation measure based on the updated user-specific security risk, again without being in communication with the management server.

Abstract: An apparatus includes a processor operatively coupled to a memory. The processor receives a first set of risk assessment rules including first user privilege criteria and first device criteria. The first device criteria includes a computing device patch level, a network type, and/or a password policy. The processor identifies a user-specific security risk based on the first set of risk assessment rules and applies a privilege mitigation measure based on the user-specific security risk without being in communication with a management server. The processor later receives a second, updated set of risk assessment rules at the computing device. Upon detecting another login of the user, the processor identifies an updated user-specific security risk based on the updated set of risk assessment rules, and applies a modified privilege mitigation measure based on the updated user-specific security risk, again without being in communication with the management server.

Abstract: An apparatus includes a processor operatively coupled to a memory. The processor detects a software application installed on a client computing device, and/or usage data. Detected usage data is associated with a current user of the client computing device and with the software application. The processor identifies a user role for the current user based on the software application and/or usage data. The processor applies a security configuration to the client computing device based on the user role. The security configuration limits access by the current user to a portion of the software application. The processor sends an identifier of the user role to an administrative server for storage in an Active Directory (AD) database.

Abstract: A method includes determining capabilities associated with a first computing device and based on the capabilities of the first computing device, determining at least a subset of one or more operations in a workflow that the first device can perform. The method may involve transmitting to the first computing device at least the subset of the one or more operations, performing by the first computing device the subset of the one or more operations, and performing by a second computing device any remaining operations in the one or more operations not included in the subset. A system includes a central computer operable to receive capabilities identification information and use the capabilities identification information to determine capabilities associated with a remote computer, and further to determine a subset of one or more operations to be performed by the remote computer during performance of a workflow, based on the determined capabilities associated with the remote computer.