Patents by Inventor Sisimon Soman

Sisimon Soman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220232004
    Abstract: Methods and systems are described for managing access to a virtual session. A user device can send a request for a virtual session to a virtual desktop interface (“VDI”) server. The VDI server can send details of a user's account to a management server. The management server can send a machine learning (“ML”) model trained to identify the user's face to the user device. The user device can apply the ML model to a video feed of the viewing area of the user device to verify the user's face. The VDI server can initialize the virtual session if the user's face is verified. The user device can monitor the video feed during the virtual session to detect unauthorized objects. If an unauthorized object is detected, the user device can terminate or minimize the session.
    Type: Application
    Filed: January 18, 2021
    Publication date: July 21, 2022
    Inventors: Sisimon Soman, Padoor Chandramohan Arun
  • Patent number: 11329955
    Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: May 10, 2022
    Assignee: VMware, Inc.
    Inventor: Sisimon Soman
  • Publication number: 20220100533
    Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway server a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data for the user device and compare it to a minimum access policy (“MAP”). The MAP can include threshold or binary values for states of a group of user device operational aspects. Where the compliance profile satisfies the MAP, the gateway can permit the user device to access a virtual session hosted on a virtual machine (“VM”) server. The virtual session can be configured at the VM server based on the compliance profile so as to allow access to a portion of a full virtual session capability scheme.
    Type: Application
    Filed: October 20, 2021
    Publication date: March 31, 2022
    Inventors: Sisimon Soman, Vignesh Raja Jayaraman
  • Publication number: 20220091869
    Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.
    Type: Application
    Filed: September 22, 2020
    Publication date: March 24, 2022
    Inventor: Sisimon Soman
  • Patent number: 11263039
    Abstract: A system is described for providing more efficient ways to implement attachable writable volumes for capturing write data in virtual desktops. In particular, embodiments described herein leverage a local differencing virtual disk to which write data on a virtual machine is saved, and a background process for syncing the differencing virtual disk with an attachable master writable volume where user data is stored long-term. As a result, in cases where desktop performance would suffer due to limited data transfer speeds between the virtual machine and the master writable volume, the performance penalty caused by write delays is spared by writing the data first to the local differencing virtual disk, and then syncing the master writable volume with the differencing virtual disk in the background.
    Type: Grant
    Filed: November 15, 2019
    Date of Patent: March 1, 2022
    Assignee: VMware, Inc.
    Inventor: Sisimon Soman
  • Publication number: 20220058039
    Abstract: The disclosure provides an approach for authenticating a user of a computer system, wherein the computer system implements a virtual desktop infrastructure (VDI), the method comprising connecting to a computing device through a network, receiving from the computing device authentication credentials, and determining whether the authentication credentials match an authorized user of the computer system. The approach further comprises extracting from the computing device features of the computing device, retrieving a machine learning (ML) model associated with the authorized user, wherein the ML model is at least one of (a) a supervised ML model or (b) an unsupervised ML model, and executing the ML model to authenticate the features of the computing device.
    Type: Application
    Filed: November 1, 2021
    Publication date: February 24, 2022
    Inventors: Sisimon SOMAN, Matthew CONOVER, Arindam NAG
  • Publication number: 20220045992
    Abstract: Examples herein describe systems and methods for concealing internal applications that are accessed over the internet. A user device can select a remote internal application to access using a client. The user device can send an access request to an open listening port of an access server. The access server can be a gateway and proxy to the internal application, which can reside elsewhere. The access server can open a different randomized access port for establishing the connection by proxy to the internal application. The port number for the access port can be identified in the access request at the listening port. The access server can open the access port for a short time interval. The connection can be made through the access port during that time interval. A firewall can then close the access port but maintain an established connection between the user device and the internal application.
    Type: Application
    Filed: October 25, 2021
    Publication date: February 10, 2022
    Inventors: Sisimon Soman, Arun P C
  • Publication number: 20220030023
    Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway server a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data. The gateway can permit the user device to access a virtual session hosted on a virtual machine (“VM”) server. The VM server can use the compliance profile and security data from the user device to determine a risk profile of the user device. The virtual session can be configured at the VM server based on the risk profile so as to allow access to a subset of available applications and functions within the applications for the virtual session.
    Type: Application
    Filed: July 24, 2020
    Publication date: January 27, 2022
    Inventors: Sisimon Soman, Padoor Chandramohan Arun
  • Patent number: 11194600
    Abstract: The disclosure provides an approach for authenticating a user of a computer system, wherein the computer system implements a virtual desktop infrastructure (VDI), the method comprising connecting to a computing device through a network, receiving from the computing device authentication credentials, and determining whether the authentication credentials match an authorized user of the computer system. The approach further comprises extracting from the computing device features of the computing device, retrieving a machine learning (ML) model associated with the authorized user, wherein the ML model is at least one of (a) a supervised ML model or (b) an unsupervised ML model, and executing the ML model to authenticate the features of the computing device.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: December 7, 2021
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Matthew Conover, Arindam Nag
  • Patent number: 11190493
    Abstract: Examples herein describe systems and methods for concealing internal applications that are accessed over the internet. A user device can select a remote internal application to access using a client. The user device can send an access request to an open listening port of an access server. The access server can be a gateway and proxy to the internal application, which can reside elsewhere. The access server can open a different randomized access port for establishing the connection by proxy to the internal application. The port number for the access port can be identified in the access request at the listening port. The access server can open the access port for a short time interval. The connection can be made through the access port during that time interval. A firewall can then close the access port but maintain an established connection between the user device and the internal application.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: November 30, 2021
    Assignee: VMWARE, INC.
    Inventors: Sisimon Soman, Arun P C
  • Patent number: 11163584
    Abstract: Systems and methods can enable select virtual session capabilities on a user device configured to access a virtual session, which is an instance of a virtual machine. The user device can receive and forward to a gateway server a request to launch a virtual session. Based on the virtual session launch request, the gateway server can obtain a compliance profile determined from operational data for the user device and compare it to a minimum access policy (“MAP”). The MAP can include threshold or binary values for states of a group of user device operational aspects. Where the compliance profile satisfies the MAP, the gateway can permit the user device to access a virtual session hosted on a virtual machine (“VM”) server. The virtual session can be configured at the VM server based on the compliance profile so as to allow access to a portion of a full virtual session capability scheme.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: November 2, 2021
    Assignee: VMWARE INC.
    Inventors: Sisimon Soman, Vignesh Raja Jayaraman
  • Patent number: 11086652
    Abstract: A system is described for fault-tolerant delivery of virtualized applications. A client on a client device requests access to a virtualized application. The application is launched in a server-based virtual machine and computer vision is used to determine whether the application launched successfully based on the UI produced by the application. If it is determined that the application failed to launch successfully, an alternative mechanism is used to deliver access to the application using an application storage volume (ASV), which is a mountable container containing the application. In one approach, the ASV is mounted directly to the client device. In another approach, a second virtual machine is launched and the ASV is mounted on the second virtual machine.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: August 10, 2021
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Jairam Choudhary
  • Publication number: 20210224105
    Abstract: The disclosure provides for repositioning applications from physical devices to a cloud location without removing the applications from the physical devices. This provides advantages of cloud-based availability for the applications while preserving device configurations. Thus, a user may continue to use the local version during transition to cloud usage so that if a problem arises during transition, adverse effects on user productivity are mitigated. Examples include generating, on a device, a first virtualization layer, and uninstalling an application from the first virtualization layer while capturing uninstallation traffic within the first virtualization layer. Examples further include generating, on the device, a second virtualization layer, installing the application in the second virtualization layer, and generating, from the second virtualization layer with the installed application, an application package. Examples are able to position the application package on a remote node for execution.
    Type: Application
    Filed: January 17, 2020
    Publication date: July 22, 2021
    Inventors: Vignesh RAJA JAYARAMAN, Sisimon SOMAN
  • Publication number: 20210218766
    Abstract: Data that includes user data and application data that is generated during a remote desktop session to a cloud computing system is stored in cloud storage according to a risk level of the remote desktop session. The storage device has provisioned therein a plurality of storage containers, including first and second storage containers, where the first storage container stores a smaller percentage of the user data than the second storage container. The first storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a first level and the second storage container is selected for storing the user data if the determined risk level of the remote desktop session is at a second level that is lower than the first level.
    Type: Application
    Filed: January 13, 2020
    Publication date: July 15, 2021
    Inventors: Sisimon SOMAN, Arun Padoor CHANDRAMOHAN
  • Publication number: 20210216644
    Abstract: Systems and methods are described for providing ways to protect client devices in communication with virtual desktops and virtual applications from keylogging attacks. A keyboard filter driver obfuscates scancodes from key presses produced on the keyboard of the client device so that malicious keylogging or keyboard hooking software is not able to observe user inputs. The obfuscated scancodes are conveyed and de-obfuscated before being applied in the virtual desktop or virtual application.
    Type: Application
    Filed: January 15, 2020
    Publication date: July 15, 2021
    Inventors: Sisimon Soman, Anurag Katiyar
  • Publication number: 20210185018
    Abstract: Examples herein describe systems and methods for concealing internal applications that are accessed over the internet. A user device can select a remote internal application to access using a client. The user device can send an access request to an open listening port of an access server. The access server can be a gateway and proxy to the internal application, which can reside elsewhere. The access server can open a different randomized access port for establishing the connection by proxy to the internal application. The port number for the access port can be identified in the access request at the listening port. The access server can open the access port for a short time interval. The connection can be made through the access port during that time interval. A firewall can then close the access port but maintain an established connection between the user device and the internal application.
    Type: Application
    Filed: December 16, 2019
    Publication date: June 17, 2021
    Inventors: Sisimon Soman, Arun P. C.
  • Patent number: 11030025
    Abstract: Described herein are systems, methods, and software to enhance the management of inter-process communications (IPCs) for containers according to an implementation. In one implementation, a container management service executing on a host with a plurality of containers may identify an IPC object generation with a first identifier from one of the containers. Responsive to the request, the service may translate the first identifier into a second identifier, and store the IPC object in a memory system using the second identifier. Once stored, requests may be made from applications in approved containers for the object using the first identifier, and the service may retrieve the IPC object using the second identifier.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: June 8, 2021
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Matthew Conover
  • Publication number: 20210149700
    Abstract: A system is described for providing more efficient ways to implement attachable writable volumes for capturing write data in virtual desktops. In particular, embodiments described herein leverage a local differencing virtual disk to which write data on a virtual machine is saved, and a background process for syncing the differencing virtual disk with an attachable master writable volume where user data is stored long-term. As a result, in cases where desktop performance would suffer due to limited data transfer speeds between the virtual machine and the master writable volume, the performance penalty caused by write delays is spared by writing the data first to the local differencing virtual disk, and then syncing the master writable volume with the differencing virtual disk in the background.
    Type: Application
    Filed: November 15, 2019
    Publication date: May 20, 2021
    Inventor: Sisimon Soman
  • Patent number: 11010146
    Abstract: Certain embodiments described herein are generally directed to executing applications on a computing device. In some embodiments, a method includes receiving, by an app store interface, a first distribution package from an app store, the first distribution package comprising a first virtual disk file comprising an application. The method further includes opening, by an application agent, the first virtual disk file based on a file type association (FTA) between the first virtual disk file and the application agent. The method further includes storing, by the application agent, the application in a second virtual disk file. The method also includes mounting the second virtual disk file at the computing device. The method also includes executing the application stored on the mounted second virtual disk file.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: May 18, 2021
    Assignee: VMware, Inc.
    Inventors: Sisimon Soman, Jairam Choudhary, Vignesh Raja Jayaraman
  • Publication number: 20210141893
    Abstract: A method of downloading or opening a file in response to a user input made through an application running in the computer system, includes the steps of detecting by the application that the user input is to download or open a file, issuing a request by the application to a file sanitation server to sanitize the file to remove embedded codes in the file and return the sanitized file, and upon receiving the sanitized file by the application, saving the sanitized file in a folder where the sanitized file can be opened.
    Type: Application
    Filed: November 8, 2019
    Publication date: May 13, 2021
    Inventors: Sisimon SOMAN, Arun Padoor CHANDRAMOHAN