Abstract: Disclosed are various examples for managing network resource permissions for applications through the use of an application catalog. An identification of a particular application from the application catalog is received from a managed client device. The identification indicates a particular security group of multiple security groups. A network of the organization is configured to provide the particular application on the managed client device with access to a set of resources corresponding to the particular security group.

Abstract: Techniques for managing permissions to cloud-based resources with session-specific attributes are described. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Disclosed are various examples for managing network resource permissions for applications through the use of an application catalog. An identification of a particular application from the application catalog is received from a managed client device. The identification indicates a particular security group of multiple security groups. A network of the organization is configured to provide the particular application on the managed client device with access to a set of resources corresponding to the particular security group.

Abstract: Disclosed are various approaches for providing on-demand virtual private network (VPN) connectivity on a per-application basis. An application is determined to have begun execution on a computing device. The application is identified. A determination that the application is authorized to access a VPN connection is made, and the VPN connection is created.

Abstract: Disclosed are various examples for the use of network micro-segmentation in enterprise mobility management. In one example, a network device receives a packet with one or mote device management attribute embedded in its header. The network device extracts the device management attribute from the packet header. A compliance status of a client device in an external network is determined based on the device management attribute. The network device forwards the packet based on the compliance status.

Abstract: Disclosed are various examples for managing network resource permissions for applications through the use of an application catalog. A user interface presenting an application catalog is generated that includes a listing of applications that are available to managed client devices in an organization. A selection of a particular application from the application catalog is received from a managed client device. The selection indicates a particular security group of multiple security groups. A network of the organization is configured to provide the particular application on the managed client device with access to a set of resources corresponding to the particular security group.

Abstract: Techniques for managing permissions to cloud-based resources with session-specific attributes are described. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.

Abstract: Disclosed are various examples for the use of network micro-segmentation in enterprise mobility management. In one example, a network device receives a packet with one or mote device management attribute embedded in its header. The network device extracts the device management attribute from the packet header. A compliance status of a client device in an external network is determined based on the device management attribute. The network device forwards the packet based on the compliance status.

Abstract: Disclosed are various approaches for providing on-demand virtual private network (VPN) connectivity on a per-application basis. An application is determined to have begun execution on a computing device. The application is identified. A determination that the application is authorized to access a VPN connection is made, and the VPN connection is created.

Abstract: Disclosed are various examples for the use of network micro-segmentation in enterprise mobility management. In one example, a gateway receives network traffic from a client device through a virtual private network (VPN) tunnel. The gateway determines one or more device management attributes associated with the client device in response to receiving the network traffic. The gateway then determines a particular network virtual segment based at least in part on the device management attribute(s). The gateway forwards the network traffic to the particular virtual network segment.

Abstract: Disclosed are various approaches for providing on-demand virtual private network (VPN) connectivity on a per-application basis. First, an application is determined to have begun execution on a computing device. The application is then identified. A determination that the application is authorized to access a VPN connection is made. Subsequently, the VPN connection is initiated.

Abstract: Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

Abstract: Disclosed are various examples for the use of network micro-segmentation in enterprise mobility management. In one example, a gateway receives network traffic from a client device through a virtual private network (VPN) tunnel. The gateway determines one or more device management attributes associated with the client device in response to receiving the network traffic. The gateway then determines a particular network virtual segment based at least in part on the device management attribute(s). The gateway forwards the network traffic to the particular virtual network segment.

Abstract: Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.

Abstract: Disclosed are various examples for managing network resource permissions for applications through the use of an application catalog. A user interface presenting an application catalog is generated that includes a listing of applications that are available to managed client devices in an organization. A selection of a particular application from the application catalog is received from a managed client device. The selection indicates a particular security group of multiple security groups. A network of the organization is configured to provide the particular application on the managed client device with access to a set of resources corresponding to the particular security group.

Abstract: Disclosed are various approaches for providing on-demand virtual private network (VPN) connectivity on a per-application basis. First, an application is determined to have begun execution on a computing device. The application is then identified. A determination that the application is authorized to access a VPN connection is made. Subsequently, the VPN connection is initiated.

Abstract: Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

Abstract: A system and method for providing services such as Wake-on-LAN and PXE Boot services to a multi-subnet network system which includes router and/or firewalls between different subnets. This is accomplished by using a peer computer to provide the service when performing such service is required to be transmitted across the router and/or firewall. That is, the system determines whether the service is required to go across the router and/or firewall, and, if so, to identify a computer (a peer computer) which is located on the appropriate subnet, then deliver the service to that peer computer (if necessary) and have that peer computer perform the selected service, such as Wake-on-LAN.