Abstract: Techniques disclosed herein provide an approach for creating snapshots and reverting to the same for virtual machine (VM) guest operating systems (OSes). In one embodiment, a snapshot module in a guest OS receives blocks for a snapshot of a guest OS volume. In turn, the snapshot module creates a snapshot file in a repository external to a virtual disk of the VM, and writes the received blocks to the external repository. By storing snapshot content outside the virtual disks of VMs, disk space limitations in local VM disks can be overcome, and it is also more difficult for malicious software to modify the snapshots and infect them. To reduce storage space requirements, snapshots stored in the external repository may be deduplicated with other snapshots stored therein, including snapshots from guest OSes running in other VMs and/or a host OS on which a hosted hypervisor runs.

Abstract: A system and method for providing a unified file system on an air-gapped endpoint are provided. The method included monitoring a plurality of security zones, instantiated on the air-gapped endpoint, to intercept at least one file system operation to access files on a first security zone; determining if the detected file system operation triggers a display of the file system dialog window effecting a second security zone; and when the file system dialog window effecting the second security zone, blocking the display of the file system dialog window in the first security zone; and displaying the file system dialog window in the second security zone.

Abstract: Techniques are described for preserving desktop state between login sessions in desktop computing environments. During an active login session of a desktop by a user, the system intercepts all requests to open a file and records the requested file paths. The information can be recorded locally or at a remote location, such as a server accessed over a network connection. Before the login session is terminated, the system determines all open windows and captures a screenshot of each window that is open on the desktop at the time of terminating the login session. The location of each window is also determined and recorded along with the screenshots before the session is terminated. When the user starts a new active login session at a later time, the state of the desktop is restored using the recorded file paths, screenshots and window locations.

Abstract: A desktop management system is described that provides an automated process for distributing and suggesting modifications. The system is comprised of a central server and multiple client devices connected through a network. Application layer drafts for a particular modification (such as an installation, update, un-installation, fix, etc.) are generated based on snapshots of client devices before and after the modification is applied. Several application layer drafts are produced for a particular modification. Based on commonalities between the several application layer drafts, an official application layer is produced. When a client device requests a modification, an official application layer for the requested modification is retrieved and merged onto the requesting client device to apply the modification. If a client device on the network lacks an application that is present on similar client devices on the network, the system can suggest the application to the client device.

Abstract: A cloud-based system is described for producing application deltas based on application recipes that identify components of the application deltas using unique identifiers, without the recipe containing all or any content of the actual application. The application recipe can be conveyed to an organization operating on an enterprise network, where the application recipe can be matched with application files in the organization's backup storage containing copies of content of endpoint devices on the network to retrieve components identified by the recipe and produce the application delta for the application. Subsequently, the application delta can be used as an installation package to perform IT operations such as installing the application on endpoint devices.

Abstract: Techniques are described for preserving desktop state between login sessions in desktop computing environments. During an active login session of a desktop by a user, the system intercepts all requests to open a file and records the requested file paths. The information can be recorded locally or at a remote location, such as a server accessed over a network connection. Before the login session is terminated, the system determines all open windows and captures a screenshot of each window that is open on the desktop at the time of terminating the login session. The location of each window is also determined and recorded along with the screenshots before the session is terminated. When the user starts a new active login session at a later time, the state of the desktop is restored using the recorded file paths, screenshots and window locations.

Abstract: A desktop management system is described that provides an automated process for distributing and suggesting modifications. The system is comprised of a central server and multiple client devices connected through a network. Application layer drafts for a particular modification (such as an installation, update, un-installation, fix, etc.) are generated based on snapshots of client devices before and after the modification is applied. Several application layer drafts are produced for a particular modification. Based on commonalities between the several application layer drafts, an official application layer is produced. When a client device requests a modification, an official application layer for the requested modification is retrieved and merged onto the requesting client device to apply the modification. If a client device on the network lacks an application that is present on similar client devices on the network, the system can suggest the application to the client device.

Abstract: A system is described for replacing the desktop image on a computing device with a network-based desktop image (e.g., a backup copy of a desktop image) while allowing the user to resume working on the computing device with the new desktop with minimal downtime. The computing device is booted directly from the backed-up desktop image on the network. After boot, the system allows the user to use the computing device with the new desktop image by directing read requests for information that is only available on the network to the desktop image on the network. Write operations are performed on the local disk of the computing device. While the user is using the computing device, the desktop image is streamed in the background and stored on the local disk.

Abstract: A desktop image management system is described that can efficiently distribute updates to virtual desktops running on host servers in a data center. The system is comprised of a central server and multiple agents, each agent installed on a virtual machine. When a VM receives an update from the central server, the files are stored in a single instance store on the host server. The agent running on the VM then creates a corresponding stub file (empty of content) on the VM for each file in the single instance store. The agent further marks the stub file to indicate that the stub file is mapped to the single instance store. When the guest operating system requests to read the stub file, the virtual disk layer of the host server detects that the requested block has been marked and fetches the content of the file from the single instance store.

Abstract: A system for a mass centralization approach to full image cloning of multiple computing devices is provided. The system includes a server, and a computing device that includes a disk for data storage, wherein the disk includes a plurality of blocks within a plurality of regions. The system also includes a processor programmed to map each file stored on the disk to at least one of the plurality of blocks, for one or more of the plurality of regions of the disk, determine that a number of files appearing in sequential blocks exceeds a predefined threshold number of files, perform a continuous scan of the one or more of the plurality of regions of the disk occupied by the number of files appearing in sequential blocks exceeding the predefined threshold number of files, and send a copy of the files scanned from the one or more plurality of regions of the disk to the server.

Abstract: Methods, systems, and techniques for remote contextual access to an operating system desktop are provided. Example embodiments provide a desktop state agent the harvests information from a user's desktop regarding state of various objects such as open documents, recent documents, links, shared links, bookmarks, upcoming events, and/or recent emails. The harvested information is translated to html or other web browser recognized language where possible and uploaded to be accessible to a web server configured to respond to requests for desktop state using a web address. In one embodiment, the RCAS allows access to a user's desktop transparently—without the user needing to take explicit action. Further, a remote mobile device can render the desktop data without using a session or connection to the user's desktop machine and without use of a remote desktop protocol.

Abstract: A method and system for controlling access to external networks by an air-gapped endpoint are provided. The method includes identifying a type of an external network being connected, upon detection of a new network connection to the air-gapped endpoint; determining for each security zone of a plurality of isolated security zones at least one access rule to access the network, wherein the plurality of isolated security zones is operable in a virtual environment instantiated on the air-gapped endpoint; allowing a connection between a security zone and the external network based on the at least one access rule; and monitoring all traffic between the security zone and the external network to at least maintain compliance with a security policy set for the respective security zone.

Abstract: A method for performing user experience (UX) functions on an air-gapped endpoint is provided. The method includes monitoring a plurality of security zones, instantiated on the air-gapped endpoint, to detect at least one UX command executed in a first security zone; determining if the detected UX command triggers a UX function effecting a second security zone; determining if the UX function to be triggered maintains compliance with a security policy of the first and second security zones; and executing the UX function across the first and second security zones.

Abstract: An air-gapped computing system includes at least network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: initialize a hypervisor for execution over a primitive OS; create a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using the hypervisor, wherein each of the plurality of security zones includes a plurality of applications executed over a guest OS; instantiate a networking virtual machine using the hypervisor; control, by the networking virtual machine, access of each application in each of the plurality of security zones to an external network resource; and monitor execution of the guest OS and each application in at least one activated security zone of the plurality of security zones, wherein the monitoring is performed to maintain compliance with a security policy corresponding to each activated security zone being monitored.

Abstract: A system is described for integrating menu bars of applications executed on a virtual machine in a computing device with menu bars in the host operating system. A hosted hypervisor is executed on the computing device. The hypervisor manages a virtual machine running a guest operating system (OS) on the computing device. An application is executed on the guest OS. A call by the application to the guest OS is detected, the call requesting the guest OS to set a menu bar for the application. The call is intercepted, information regarding the content of the menu bar is retrieved from the intercepted call, and the information is used to set a menu bar for the application in the host OS. Subsequently, when a selection is made from the menu bar in the host OS, the selection is translated to the application running in the virtual machine to effectuate the selection.

Abstract: An enterprise management system is described for efficient operating system migration, preserving applications, data, and settings. A staging area, such as an empty folder, is created on a client device. A base layer for the new operating system and application layers for applications that will be installed on the computing device are downloaded to the staging area. After the base layer and application layers are downloaded, the layers are merged onto the computing device to instantly install the operating system and the applications. User settings, data, and other applications can be migrated to corresponding locations in the new operating system from the old operating system.

Abstract: Techniques disclosed herein provide an approach for distributed self-served application remoting. In one embodiment, a user's own computing device, on which a remoted application runs, transmits user interface updates to a destination device which displays the updates and communicates back inputs (e.g., keyboard and mouse inputs) made at the destination device. The user may select an application for remoting by moving the application's window outside the boundaries of a desktop. This is similar to moving the application across computer screens in a multi-monitor setup and may create the illusion of a boundless desktop. In another embodiment, the user may remote the application to multiple destination devices using a “broadcast” mode. In yet another embodiment, the user may remote the application to a virtual machine.

Abstract: An enterprise management system is described for efficient operating system migration, preserving applications, data, and settings. A staging area, such as an empty folder, is created on a client device. A base layer for the new operating system and application layers for applications that will be installed on the computing device are downloaded to the staging area. After the base layer and application layers are downloaded, the layers are merged onto the computing device to instantly install the operating system and the applications. User settings, data, and other applications can be migrated to corresponding locations in the new operating system from the old operating system.

Abstract: A cloud-based system is described for producing application deltas based on application recipes that identify components of the application deltas using unique identifiers, without the recipe containing all or any content of the actual application. The application recipe can be conveyed to an organization operating on an enterprise network, where the application recipe can be matched with application files in the organization's backup storage containing copies of content of endpoint devices on the network to retrieve components identified by the recipe and produce the application delta for the application. Subsequently, the application delta can be used as an installation package to perform IT operations such as installing the application on endpoint devices.

Abstract: Techniques disclosed herein provide an approach for creating snapshots and reverting to the same for virtual machine (VM) guest operating systems (OSes). In one embodiment, a snapshot module in a guest OS receives blocks for a snapshot of a guest OS volume. In turn, the snapshot module creates a snapshot file in a repository external to a virtual disk of the VM, and writes the received blocks to the external repository. By storing snapshot content outside the virtual disks of VMs, disk space limitations in local VM disks can be overcome, and it is also more difficult for malicious software to modify the snapshots and infect them. To reduce storage space requirements, snapshots stored in the external repository may be deduplicated with other snapshots stored therein, including snapshots from guest OSes running in other VMs and/or a host OS on which a hosted hypervisor runs.