Abstract: Various examples are described for operating system update management. In some examples, an OS update schedule is generated. The OS update schedule specifies an OS update for a plurality of client devices. A command to deploy the OS update is transmitted to a subset of the client devices. Update behavior data is received from the client devices that have applied the OS update. An analysis of the update behavior data correlates an update incompatibility with the OS update. The OS update is prevented from being deployed to additional client devices specified in the OS update schedule.

Abstract: Disclosed are various implementations for distributing and installing packages in response to user logon events. A logon event associated with a user account is detected for a client device. A query containing a respective user account identifier is sent to a provisioning service to retrieve a set of packages to install on the client device. The set of packages are received from the provisioning service and installed on the client device.

Abstract: Various examples for providing a dynamic runtime interface for device management are described. In one example, a computing environment can access metadata that describes a configuration of a user interface made in a profile template designer application. The computing environment can identify a request for a profile creator that provides at least one setting for a desired configuration of a client device enrolled with a management service, and, in response to the request being identified, dynamically generate the user interface using the metadata, where the user interface includes a configured to receive the at least one setting for the desired configuration of the client device. The computing environment can generate a configuration profile accessible by the client device that causes an agent application executable on the client device to configure the client device in accordance with the configuration profile.

Abstract: Disclosed are various approaches to automate vulnerability assessment implement policy-based mitigation. A plurality of vulnerability records from respective ones of a plurality of vulnerability feeds are aggregated. Each of the plurality of vulnerability records are stored in a standardized format. A plurality of enterprise-specific severity scores are generated by calculating an enterprise-specific severity score for each of the plurality of vulnerability records. Then, a web page can be created that includes at least a subset of the plurality of enterprise-specific severity scores and respective ones of the plurality of vulnerability records.

Abstract: Disclosed are various embodiments for a remotely-hosted auto-discovery service. An auto-discovery request received from a client device over a network can be accessed to identify a domain associated with the auto-discovery request. A digital certificate corresponding to the domain can be identified and a configuration file can be generated for a web server application that creates at least one virtual host for a uniform resource locator (URL) identified in the auto-discovery request. The digital certificate can be bound to the at least one virtual host to operate a secure connection with the client device. An enrollment response can be generated for communication to the client device over the network.

Abstract: Various examples for providing a dynamic runtime interface for device management are described. In one example, a computing environment can access metadata that describes a configuration of a user interface made in a profile template designer application. The computing environment can identify a request for a profile creator that provides at least one setting for a desired configuration of a client device enrolled with a management service, and, in response to the request being identified, dynamically generate the user interface using the metadata, where the user interface includes a configured to receive the at least one setting for the desired configuration of the client device. The computing environment can generate a configuration profile accessible by the client device that causes an agent application executable on the client device to configure the client device in accordance with the configuration profile.

Abstract: Systems and methods are included for causing a computing device to implement a management policy prior to a user logging into an operating system on initial boot. As part of initial boot, the computing device contacts a management server for enrollment. Installation of the operating system is paused while the management server synchronizes the software and policies on the computing device. To do this prior to login, the management server can create a temporary user account to associate with the computing device and apply a default management policy. After the installation is complete, an installed management agent can gather user inputs made during login. The management agent can send these inputs to the management server for use in creating an actual user account to associate with the computing device.

Abstract: Operating system update management for enrolled devices is disclosed according to various examples. In one example, a computing environment can publish, to an agent application on a client device, a deployment profile with a setting that specifies a restriction associated with download or installation of software updates by a subset of client devices that includes the client device. The computing environment can receive, from the agent application, an identification of a software update available for the client device. The computing environment can receive a specification of the subset of client devices to apply the software update. In response to a predefined interaction being performed, for example, by an administrator, the computing environment can direct at least one client device in the subset to install the software update.

Abstract: Systems and methods are included for causing a computing device to assemble and boot from a managed operating system. When the computing device is powered on, it can execute firmware that specifies a server to contact. The server can identify a base operating system (OS) image to boot, and the location of a pre-enrollment installer for installing the base OS image. The pre-enrollment installer can download the base OS image in one or more pieces from multiple locations. This can include base OS images related to enterprise management and company-specific applications and drivers. Once the pre-enrollment OS has combined the base OS images, the computing device reboots using the combined image.

Abstract: Operating system update management for enrolled devices is disclosed according to various examples. In one example, a computing environment can receive an identifier from at least one of a multitude of client devices enrolled with a management service, where the identifier is indicative of a software update available for the at least one of the plurality of client devices. The computing environment can query a service using the identifier to identify information pertaining to the software update and cause a display of the information in at least one user interface. In response to a specification of a subset of the client devices being received, for example, by an administrator, the computing environment can cause the subset of the plurality of client devices to perform an installation of the software update.

Abstract: Various examples for performing automated enrollments of client devices with a management service after being accessed by a staging user account are described. A client device can be configured to identify a user account active on the client device and determine whether the user account is a staging user account or an end user account associated with an intended recipient of the client device. In an instance in which the user account is the staging user account, the client device can create an event listener on the client device that monitors a subsequent login of a user account performed through an operating system of the client device, the subsequent login of the user account being the end user account. In an instance in which the subsequent login of the user account is detected by the event listener, the client device can perform an automated enrollment with a remote management service.

Abstract: Systems and methods are included for causing a computing device to install a management agent prior to an operating system completing its first boot. A bootstrap loader is flashed into firmware, such as the BIOS, of a computing device. The bootstrap loader installs an enroller that identifies a management agent. This can include downloading the management agent from a management server. The enroller can find or contact the management server by contacting an address provided in a WINDOWS Platform Binary Table (WPBT). The management agent is installed prior to the user logging into the operating system to prevent circumvention of management policies.

Abstract: Disclosed are approaches for detecting attempts to circumvent security policies on a client device. A deletion of a user account on a computing device is detected, wherein the deletion is initiated locally on the computing device and the user account is associated with an enrollment of the computing device with a management service. Data stored in a memory of the computing device that is subject to a policy received from the management service is identified. The data is deleted from the memory of the computing device. The policy is then deleted from the memory of the computing device.

Abstract: Systems and methods are included for causing a computing device to request ownership information and configure itself based on which tenant is associated with the computing device. During launch of an operating system, such as WINDOWS, the computing device can contact a server that tracks ownership information. The server can be identified in firmware or an operating system image of the computing device. The server can determine which operating system image and applications to install at the computing device. The server can provide addresses that the computing device can contact to retrieve portions of the operating system or applications.

Abstract: Various examples for providing execution of both a first management application and a second management application on a client device are provided. In one example, a client device can be configured to identify that a first management application, such as a legacy management application, installed on the client device has management privileges with an operating system of the client device. As the first management application is configured to generate a terminate command in response to detection of the second management application, the terminate command can be intercepted prior to a receipt of the terminate command by the operating system. As a result, the operating system does not terminate execution of the second management application on the client device, thereby allowing both the first management application and the second management application to co-exist on the client device.

Abstract: Disclosed are various approaches for providing single sign-on capabilities for a user on a client device. A user's credentials can be authenticated by an identity provider application. The identity provider application can facilitate single sign-on capabilities for browser-based applications and native applications on the client device.

Abstract: Disclosed are various approaches for a secure communication session between applications installed on a client device. The secure communication session can be provided over an insecure operating system application programming interface (API). By exchanging session information and encryption data, communications over the insecure API can be secured.

Abstract: Disclosed are various approaches for providing single sign-on capabilities for a user on a client device. A user's credentials can be authenticated by an identity provider application. The identity provider application can facilitate single sign-on capabilities for browser-based applications and native applications on the client device.

Abstract: Disclosed are approaches for native enrollment of mobile devices. A first message is received from a client device, wherein the first message comprises an enrollment request for the client device. An application is sent to the client device, wherein the application is to be installed on the client device. A second message is received from the client device, wherein the second message comprises an authentication request from the client device. Authentication credentials are then provided to the installed application. A third message is received from the client device, wherein the third message comprises an enrollment confirmation for the client device. The enrollment status of the client device is then changed. Finally, a policy is sent to the installed application.

Abstract: Disclosed are various examples of transmitting management commands to a device using a short message service (SMS) message or voice call. A device may lack network connectivity with a management service. Network capabilities of the device may be disabled or impaired. The management service can generate a SMS message or voice call that includes the management command. The SMS message or voice call can be transmitted to the client device over a cellular network. The SMS message or voice call can include an authentication string with which the authenticity of the SMS message or voice call can be verified. The device can then execute the management command.