Abstract: Systems and methods are provided for optimizing and securing an enterprise voice service accessed by an external voice assistant device. An enterprise voice assistant installed on a client device acts as an enterprise voice service for an external voice assistant device. The enterprise voice assistant receives a voice query from the external voice assistant device. The voice query is processed using a machine learning model to extract an intent and at least one slot. The extracted intent and at least one slot are used to determine whether a response to the voice query can be generated using local enterprise data that was previously received and stored by the client device from a management server. The response is generated based on the determination by using the local enterprise data or by sending the extracted intent and at least one slot to and receiving the response from the management server.

Abstract: Disclosed are various examples for audio data leak prevention using user and device contexts. In some examples, a voice assistant device can be connected to a remote service that provides enterprise data to be audibly emitted by the voice assistant device. In response to a request for the enterprise data being received from the voice assistant device, an audio signal can be generated that audibly broadcasts the enterprise data. The audio signal can be generated to audibly redact at least a portion of the enterprise data based at least in part on a mode of operation of the voice assistant device. The voice assistant device can be directed to emit the enterprise data through a playback of the audio signal.

Abstract: The technology disclosed herein enables packet handling based on user information included in packet headers. In a particular embodiment, a method provides, in a gateway to a network environment, establishing a first connection with a first connection endpoint outside of the network environment. The first connection is established based on authentication of user information received from the first connection endpoint. The method further provides adding the user information to a packet header of one or more first packets carrying a request to establish a second connection between the gateway and a second connection endpoint within the network environment. Also, the method provides transferring the one or more first packets towards the second connection endpoint.

Abstract: A first server can generate user profiles and receive requests from user devices for enrollment in a first server-managed system that includes user groups. The first server can provide a unique key to a user device during an enrolment process based on a user group the user device is assigned to. The first server can include an enrollment notification for the user device in a first notification transmitted to a messaging service. The messaging service can transmit a second notification to the user device, and the user device can request a user profile from a second server based on second server access information included in the second notification. The second server can use the unique key to access user profile information which it transmits to the user device based on the request. The user device can access the user profile from the profile information using the unique key.

Abstract: Examples described herein include systems and methods for performing distributed encryption across multiple devices. An example method can include a first device discovering a second device that shares a network. The device can identify data to be sent to a server and calculate a checksum for that data. The device can then split the data into multiple portions and send a portion to the second device, along with a certificate associated with the server for encrypting the data. The first device can encrypt the portion of data it retained. The first device can receive an encrypted version of the second portion of the data sent to the second device. The first device can merge these two portions and send the merged encrypted data to the server, along with the checksum value. The server can decrypt the data and confirm that it reflects the original set of data.

Abstract: Disclosed are various approaches for dynamically creating content to present to a user based on an identified intent, or other context, associated with a message (e.g., email). A message that is received from a message server can be analyzed to identify the message content within the message prior to distributing to the recipient client device. Trained intent identification models can be applied to the identified message content to determine an intent, or other type of context, associated with the message. Upon identifying the intent, the message header can be modified to include the intent prior to forwarding the message to the recipient client device. The client device can then display a user interface including the message and a user interface element corresponding to a third-party service. The user interface element can be dynamically generated to include an action component that upon selection, triggers an action associated with the intent.

Abstract: Examples described herein include systems and methods for performing distributed encryption across multiple devices. An example method can include a first device discovering a second device that shares a network. The device can identify data to be sent to a server and calculate a checksum for that data. The device can then split the data into multiple portions and send a portion to the second device, along with a certificate associated with the server for encrypting the data. The first device can encrypt the portion of data it retained. The first device can receive an encrypted version of the second portion of the data sent to the second device. The first device can merge these two portions and send the merged encrypted data to the server, along with the checksum value. The server can decrypt the data and confirm that it reflects the original set of data.

Abstract: Described herein are methods and systems for dynamically optimizing a Flying Ad-Hoc Network (“FANET”). A server that manages the FANET can receive information relating to the network activity of user devices connected to the FANET. Examples of the type of information included can include the user devices' locations, network connection quality, and network traffic volume dedicated to a Unified Endpoint Management (“UEM”) system of an enterprise. The server can analyze the network activity information based on a set of rules to prioritize the user devices connected to the FANET. The server can instruct unmanned aerial vehicles (“UAVs”) in the FANET to reposition themselves to provide the best connection for higher priority user devices.

Abstract: Disclosed are various aspects of postponing or migrating tasks from a first assistant device to another assistant device. In some examples, an assistant device can facilitate task completion. Tasks can be recommended for postponement based upon the complexity of the task, a historical user profile, or the location of the assistant device.

Abstract: Disclosed are various approaches for facilitating single sign-on (SSO) for third-party services that are accessible through messages (e.g., email) received by a user. A user can receive a message that includes an embedded URL or link that opens in a third-party service that requires authentication. Instead of requiring the user to enter authentication credentials for accessing the third-party service, a tunnel service can be used to intercept requests for authentication and redirect the requests to an identity manager that can issue a SSO token following an authentication of the user and device. Upon supplying the third-party service with the SSO token, the user can access the content associated with the third-party service without entering authentication credentials.

Abstract: Disclosed are various examples for securing enterprise resources using a virtual private network. At least one computing device that can authenticate a client device for a virtual private network (VPN) connection based on a first device identifier received from the client device and a second device identifier received from a remote management service. The at least one computing device can determine that a network event associated with the client device has been observed and execute a machine learning routine to identify a pattern of access for the client device. A network access anomaly is determined in response to a network interaction of the client device deviating from the pattern of access for the client device. A remedial action is performed based on an anomaly type associated with the network access anomaly.

Abstract: Disclosed are various examples for securing enterprise resources using a virtual private network. A client device can send a first unique device identifier for the client device to a remote management service upon enrollment. When a virtual private network application is first executed, the client device can send a second unique device identifier to the remote management service, where the remote management service is configured to store the second unique device identifier in association with the first unique universal identifier. During subsequent executions of the virtual private network application, the virtual private network service can authenticate the client device by comparing the first unique device identifier and the second unique device identifier to a device identifier received from the remote management service. A machine learning routine can be employed to identify anomalies as the virtual private network application is executed.

Abstract: This disclosure describes various ways in which a client agent can be incorporated into multiple virtual machines of a server cluster to keep track of the location of each instance of services running on the server cluster and facilitate rapid connection of different services on the server cluster as needed. When a first service requests connection to a second service, a client agent co-located with the first service is able to forward the request to a virtual network interface card (VNIC) associated with the second service. The VNIC is configured to forward the request to an available instance of the second service. The location of the services are determined and stored on one or more service registries right after the service instances are instantiated, removing the need for a search when new requests are received.

Abstract: Systems herein allow a student to share media with other students in a classroom with the permission of a teacher. The student can send a sharing request to a management server with a sender student device. The management server can identify a teacher device and send the sharing request to the teacher device for approval. When the request is granted, the student device can supply an address local to the sender device, from which the media will stream. The management server can send the address and an authentication token to other recipient student devices. The management server can further lock the recipient student devices into the sharing location to ensure that each student device will stream the media. At the request of the teacher device or the sender student device, the streaming can end.

Abstract: Examples described herein include systems and methods for creating a per-app virtual private network (“VPN”) using hooking, even though an isolated process is used for networking functions. The isolated process can include networking functions of the WebView class for ANDROID. The application can start an HTTP proxy server to receive local HTTP requests. Then, the application can trigger a broadcast to the isolated process, causing the isolated process to route its HTTP requests to the HTTP proxy of the application. The application can then hook HTTP requests and send them to a virtual private network (“VPN”) tunnel server. This can allow an application to securely connect to enterprise files or data even though the networking functions occur in the isolated process.

Abstract: The technology disclosed herein enables packet handling based on user information included in packet headers. In a particular embodiment, a method provides, in a gateway to a network environment, establishing a first connection with a first connection endpoint outside of the network environment. The first connection is established based on authentication of user information received from the first connection endpoint. The method further provides adding the user information to a packet header of one or more first packets carrying a request to establish a second connection between the gateway and a second connection endpoint within the network environment. Also, the method provides transferring the one or more first packets towards the second connection endpoint.

Abstract: A first server can generate user profiles and receive requests from user devices for enrollment in a first server-managed system that includes user groups. The first server can provide a unique key to a user device during an enrolment process based on a user group the user device is assigned to. The first server can include an enrollment notification for the user device in a first notification transmitted to a messaging service. The messaging service can transmit a second notification to the user device, and the user device can request a user profile from a second server based on second server access information included in the second notification. The second server can use the unique key to access user profile information which it transmits to the user device based on the request. The user device can access the user profile from the profile information using the unique key.

Abstract: Example methods and systems for context-aware network policy enforcement are described. In one example, a computer system may detect a request for a client device to access a destination server. The computer system may extract, from the request, connection information identifying a connection to be established for the client device to access the destination server; and map the connection information to contextual information associated with the client device or a user operating the client device, or both. Based on the contextual information, the computer system may apply one or more network policies to determine whether to allow or deny access by the client device to the destination server. In response to determination to allow the access, a first response may be generated and sent to allow establishment of the connection. Otherwise, a second response may be generated and sent to block establishment of the connection.

Abstract: Described herein are methods and systems for dynamically optimizing a Flying Ad-Hoc Network (“FANET”). A server that manages the FANET can receive information relating to the network activity of user devices connected to the FANET. Examples of the type of information included can include the user devices' locations, network connection quality, and network traffic volume dedicated to a Unified Endpoint Management (“UEM”) system of an enterprise. The server can analyze the network activity information based on a set of rules to prioritize the user devices connected to the FANET. The server can instruct unmanned aerial vehicles (“UAVs”) in the FANET to reposition themselves to provide the best connection for higher priority user devices.

Abstract: The technology disclosed herein enables packet handling based on user information included in packet headers. In a particular embodiment, a method provides, in a gateway to a network environment, establishing a first connection with a first connection endpoint outside of the network environment. The method further provides identifying first user information associated with the first connection and adding the first user information to a packet header of one or more first packets associated with the first connection. Also, the method provides transferring the one or more first packets into the network environment.