Abstract: Systems and methods are included for causing a computing device to assemble and boot from a managed operating system. When the computing device is powered on, it can execute firmware that specifies a server to contact. The server can identify a base operating system (OS) image to boot, and the location of a pre-enrollment installer for installing the base OS image. The pre-enrollment installer can download the base OS image in one or more pieces from multiple locations. This can include base OS images related to enterprise management and company-specific applications and drivers. Once the pre-enrollment OS has combined the base OS images, the computing device reboots using the combined image.

Abstract: Systems and methods are included for causing a computing device to request ownership information and configure itself based on which tenant is associated with the computing device. During launch of an operating system, such as WINDOWS, the computing device can contact a server that tracks ownership information. The server can be identified in firmware or an operating system image of the computing device. The server can determine which operating system image and applications to install at the computing device. The server can provide addresses that the computing device can contact to retrieve portions of the operating system or applications.

Abstract: Systems and methods are included for causing a computing device to install a management agent prior to an operating system completing its first boot. A bootstrap loader is flashed into firmware, such as the BIOS, of a computing device. The bootstrap loader installs an enroller that identifies a management agent. This can include downloading the management agent from a management server. The enroller can find or contact the management server by contacting an address provided in a WINDOWS Platform Binary Table (WPBT). The management agent is installed prior to the user logging into the operating system to prevent circumvention of management policies.

Abstract: Systems and methods are included for causing a computing device to assemble and boot from a managed operating system. When the computing device is powered on, it can execute firmware that specifies a server to contact. The server can identify an operating system (OS) to boot, and the location of a pre-enrollment installer for assembling the OS image. The pre-enrollment installer can download base OS images in one or more pieces from multiple locations determined based on ownership information of the computing device. The multiple OS images can relate to enterprise management and company-specific applications and drivers. Once the pre-enrollment installer has combined the base OS images, the computing device reboots using the combined OS image.

Abstract: Systems and methods are included for causing a computing device to implement a management policy prior to a user logging into an operating system on initial boot. As part of initial boot, the computing device contacts a management server for enrollment. Installation of the operating system is paused while the management server synchronizes the software and policies on the computing device. To do this prior to login, the management server can create a temporary user account to associate with the computing device and apply a default management policy. After the installation is complete, an installed management agent can gather user inputs made during login. The management agent can send these inputs to the management server for use in creating an actual user account to associate with the computing device.

Abstract: Disclosed are approaches for detecting attempts to circumvent security policies on a client device. A deletion of a user account on a computing device is detected, wherein the deletion is initiated locally on the computing device and the user account is associated with an enrollment of the computing device with a management service. Data stored in a memory of the computing device that is subject to a policy received from the management service is identified. The data is deleted from the memory of the computing device. The policy is then deleted from the memory of the computing device.

Abstract: Operating system update management for enrolled devices is disclosed according to various examples. In one example, a computing environment can receive an identifier from at least one of a multitude of client devices enrolled with a management service, where the identifier is indicative of a software update available for the at least one of the plurality of client devices. The computing environment can query a service using the identifier to identify information pertaining to the software update and cause a display of the information in at least one user interface. In response to a specification of a subset of the client devices being received, for example, by an administrator, the computing environment can cause the subset of the plurality of client devices to perform an installation of the software update.

Abstract: Disclosed are various approaches for a secure communication session between applications installed on a client device. The secure communication session can be provided over an insecure operating system application programming interface (API). By exchanging session information and encryption data, communications over the insecure API can be secured.

Abstract: Various examples for providing a dynamic runtime interface for device management are described. In one example, a computing environment can access metadata that describes a configuration of a user interface made in a profile template designer application. The computing environment can identify a request for a profile creator that provides at least one setting for a desired configuration of a client device enrolled with a management service, and, in response to the request being identified, dynamically generate the user interface using the metadata, where the user interface includes a configured to receive the at least one setting for the desired configuration of the client device. The computing environment can generate a configuration profile accessible by the client device that causes an agent application executable on the client device to configure the client device in accordance with the configuration profile.

Abstract: Various examples for providing execution of both a first management application and a second management application on a client device are provided. In one example, a client device can be configured to identify that a first management application, such as a legacy management application, installed on the client device has management privileges with an operating system of the client device. As the first management application is configured to generate a terminate command in response to detection of the second management application, the terminate command can be intercepted prior to a receipt of the terminate command by the operating system. As a result, the operating system does not terminate execution of the second management application on the client device, thereby allowing both the first management application and the second management application to co-exist on the client device.

Abstract: Disclosed are various approaches for providing single sign-on capabilities for a user on a client device. A user's credentials can be authenticated by an identity provider application. The identity provider application can facilitate single sign-on capabilities for browser-based applications and native applications on the client device.

Abstract: Disclosed are various approaches for providing single sign-on capabilities for a user on a client device. A user's credentials can be authenticated by an identity provider application. The identity provider application can facilitate single sign-on capabilities for browser-based applications and native applications on the client device.

Abstract: Disclosed are approaches for detecting attempts to circumvent security policies on a client device. A deletion of a user account on a computing device is detected, wherein the deletion is initiated locally on the computing device and the user account is associated with an enrollment of the computing device with a management service. Data stored in a memory of the computing device that is subject to a policy received from the management service is identified. The data is deleted from the memory of the computing device. The policy is then deleted from the memory of the computing device.

Abstract: Disclosed are various approaches for sharing data between sandboxed applications with certificates. A request for a certificate is received from a client device. The certificate is then generated, wherein the certificate comprises data to be shared between applications executing on the client device. A response is sent to the client device, wherein the response includes the certificate.

Abstract: Disclosed are various approaches for sharing data between sandboxed applications with certificates. A request for a certificate is received from a client device. The certificate is then generated, wherein the certificate comprises data to be shared between applications executing on the client device. A response is sent to the client device, wherein the response includes the certificate.

Abstract: Disclosed are approaches for native enrollment of mobile devices. A first message is received from a client device, wherein the first message comprises an enrollment request for the client device. An application is sent to the client device, wherein the application is to be installed on the client device. A second message is received from the client device, wherein the second message comprises an authentication request from the client device. Authentication credentials are then provided to the installed application. A third message is received from the client device, wherein the third message comprises an enrollment confirmation for the client device. The enrollment status of the client device is then changed. Finally, a policy is sent to the installed application.

Abstract: Disclosed are various examples of transmitting management commands to a device using a short message service (SMS) message or voice call. A device may lack network connectivity with a management service. Network capabilities of the device may be disabled or impaired. The management service can generate a SMS message or voice call that includes the management command. The SMS message or voice call can be transmitted to the client device over a cellular network. The SMS message or voice call can include an authentication string with which the authenticity of the SMS message or voice call can be verified. The device can then execute the management command.

Abstract: Disclosed are approaches for enforcement of updates for devices unassociated with a directory service. An application executing on a computing device can determine, based on a policy received from a management service, that the computing device is to use an update service specified in the policy to receive updates. The application then modifies a setting of the computing device to specify the use of the update service by the computing device.

Abstract: Disclosed are approaches for detecting attempts to circumvent security policies on a client device. A deletion of a user account on a computing device is detected, wherein the deletion is initiated locally on the computing device and the user account is associated with an enrollment of the computing device with a management service. Data stored in a memory of the computing device that is subject to a policy received from the management service is identified. The data is deleted from the memory of the computing device. The policy is then deleted from the memory of the computing device.

Abstract: Disclosed are various examples for enrolling a client device and synchronizing user attributes for the client device across multiple directory services. A search request for user attributes can be sent to a first directory service with an identifier for a user account. The first directory service can query for the identifier and send back user attributes. If a global identifier is included in the attributes, another search request for user attributes can be sent to a second directory service with the global identifier. The second directory service can query for the global identifier and send back user attributes.