Abstract: The invention is a system and method for improving the reliability of data on blockchain by proofing the data onto another blockchain by use of nonfederated nodes. Contemplated within the scope of the invention is resolution process for data forks within a blockchain network.

Abstract: The disclosed embodiments relate generally to complex data stream control and entitlement. Specifically, the disclosed embodiments provide systems and methods for ensuring that only authenticated/verified participants receive data streams. A third party, e.g., a party other than the data provider or the data recipient, who is nevertheless associated with both the data provider and the data recipient, may be involved in controlling whether data streams from the data provider can reach the data recipient. Thus, a third party may logically sit between the data provider and the data recipient, and may decide whether the data recipient should receive data streams. The disclosed embodiments implement data generation, flow, control and permissioning between multiple entities via digital assets accessed and manipulated on a shared data structure.

Abstract: Techniques are provided for computing with private healthcare data. The techniques include a de-identification method including receiving a text sequence; providing the text sequence to a plurality of entity tagging models, each of the plurality of entity tagging models being trained to tag one or more portions of the text sequence having a corresponding entity type; tagging one or more entities in the text sequence using the plurality of entity tagging models; and obfuscating each entity among the one or more tagged entities by replacing the entity with a surrogate, the surrogate being selected based on one or more attributes of the entity and maintaining characteristics similar to the entity being replaced.

Abstract: Disclosed are various embodiments for controlling access to resources in a network environment. Methods may include installing a profile on the device and installing a certificate included in or otherwise associated with the profile on the device. A request to execute an application, and/or access a resource using a particular application, is received and determination is made as to whether the certificate is installed on the device based on an identification of the certificate by the application. If the certificate is installed on the device, then execution of the application and/or access to the resource is allowed. If the certificate is not installed on the device, then the request for execution and/or access is refused.

Abstract: Accessing media data in bites, including: receiving a request from a client to access a media item, and determining an address of the requested media item, wherein the address indicates a location where the media item is stored; determining an identification number of a piece of the media item selected by the client; updating the address of the media item by combining the address with the identification number of the piece of the media item selected by the client; valuating the piece of the media item selected by the client, and sending a valuated price to the client; and providing access to the requested media item using the updated address of the media item when a payment for the valuated price is received from the client.

Abstract: Systems and methods include a method for multi-segmented oil production. A multi-segmented well production model representing production at a multi-segmented oil production facility is calibrated. The model models production based on well rates and flowing bottom-hole pressure data at various choke settings for multiple flow conditions for each segment of the multi-segmented well. Real-time updates to the well rates and the flowing bottom-hole pressure data are received. Changes to triggers identifying thresholds for identifying production improvements are received. The model is re-calibrated based on the changes to the triggers and the real-time updates. An optimization algorithm is executed to determine new optimal inflow control valve (ICV) settings. Using the re-calibrated multi-segmented well production model, a determination is made whether the new optimal ICV settings improve production. If so, the optimal ICV settings are provided to a control panel for the multi-segmented oil production facility.

Abstract: Considering the number of OSS components and the number of OSS license types available today, the number of license attributes to be considered for analyzing a product at a granular level is a challenge to perform manually, prudently considering legal implications of non-compliance and contamination and also within the limited time available today before go to market in the software industry. Systems and methods of the present disclosure intelligently facilitates a matrix which is able to identify OSS components in a deliverable and also facilitates the product owner to identify proprietary IP that can be suitably protected and licensed without contamination by the accompanying OSS components in the product under consideration. License attributes of the OSS components are mapped suitably and a final attribute is derived for each OSS component embedded in the product under consideration.

Abstract: A patient request system includes a tablet computer that configured for entry of patient requests. The tablet computer is configured to display a first menu corresponding to basic request categories for a patient. The tablet computer is configured to display a second menu that corresponds to specific patient requests falling under the basic request category selected by the patient using the first menu. A server is configured to receive a specific patient request made by the patient. A notification device is configured to display the specific patient request to a caregiver. A patient request method is also disclosed.

Abstract: A method for encoding data streams into a combined file and decoding of same, including accessing a first file having a first plurality of data bytes, accessing a second file having a second plurality of data bytes, combining the first file and the second file, comprising the steps of storing a block of data bytes of a first byte block size in the body of the combined file as a first file byte block, storing a block of data bytes of a second byte block size in the body of the combined file as a second file byte block, repeating the first and second storing steps to sequentially store all of the data bytes in the first file and the second file in the combined file, and decoding the combined file to separate the bytes of the first file and the bytes of the second file from the combined file.

Abstract: Some implementations include methods for generating a portable entitlement for a digital asset and may include generating a portable entitlement to a digital asset based on a request initiated by a first user having an entitlement to the digital asset, the portable entitlement to enable the first user to access the digital asset using a second computing device of a second user, the request initiated using a first computing device of the first user, the portable entitlement having a limited lifetime; and terminating the second computing device from accessing the digital asset based on one or more of determining that a proximity between the first and second computing devices violate the distance threshold and the lifetime of the portable entitlement has expired.

Abstract: An application that is running on a first computing device can receive personal information from a personal information manager that is running on a second computing device. The first computing device can operate using a first platform and the second computing device can operate using a second platform that is different from the first platform. The first computing device can include a first broker, and the second computing device can include a second broker. The first broker and the second broker can be configured to establish a trusted connection between the first computing device and the second computing device. The first broker can additionally be configured to request personal information from the personal information manager via the second broker. The first broker can be configured to automatically request the personal information in response to determining that the application on the first computing device has requested the personal information.

Abstract: A method of transferring control of a digital asset (2) is disclosed. The method comprises distributing shares dAi of a first private key dA of an elliptic curve cryptography (ECC) system among a plurality of first participants (4). The first private key is accessible by means of a first threshold number (6) of shares dAi of the first private key, and is inaccessible in the absence of the first threshold number of shares, and access to the digital asset (2) is provided by digital signature of a first encrypted message with the first private key. Shares of a deterministic key Dk of the cryptography system are distributed among the either the first participants or a plurality of second participants, wherein the deterministic key is accessible by means of a second threshold number of shares of the deterministic key, and is inaccessible in the absence of the second threshold number of shares.

Abstract: A device and a method for computer-aided processing of data are disclosed, the method including: providing configuration data of an application, determining a first application identification, wherein the first application identification is assigned to the application, determining a configuration identification, wherein the configuration identification is assigned to the configuration data of the application, individualizing the data by means of a second application identification, wherein the second application identification is determined using the first application identification and the configuration identification.

Abstract: A method includes acquiring a root certificate of a first node; generating a target sub-certificate based on the root certificate, where the target sub-certificate includes a first sub-certificate of a first functional module of a first application associated with the first node; and sending the target sub-certificate to a terminal device. The target sub-certificate is used for the first functional module of the first application in the terminal device communicating through the target sub-certificate. In such a manner, a capability of managing the first sub-certificate of the first functional module in the terminal device can be improved.

Abstract: A system and method for secure storage and management of transitory data using a blockchain, comprising at least a callback manager, a context analysis engine, a vault manager, and a blockchain manager, which allows a user to create a data container to store data preferences, which encrypts the data stored within a data container, and which stores the encrypted data container in a blockchain. For each block, block reference data may is generated comprising the location of the block and its associated decryption key, and the block reference data is then encrypted with a second encryption key and stored off the blockchain in a separate database. The second key is distributed to involved parties to permit access to and reading of the block reference data. The block reference data is deleted based on self-destruct event triggers or when the involved parties are finished accessing the block reference data.

Abstract: Methods, apparatuses, and computer readable media for parameter update for range-based positioning. An apparatus of a station (STA) for parameter update for range-based positioning, the apparatus including processing circuitry configured to perform a distance estimating method with access points (APs) to determine distance estimates between the APs and the STA, the distant estimating method including parameters, and configured to determine a location of the STA based on the distance estimates between the APs and the STAs and locations of the APs. The processing circuitry further configured to: update the parameters by subtracting from a parameter of the parameters a learning rate times a derivative of a cost function with respect to the parameter, where the cost function is based on the determined location of the STA, the locations of the APs, and the distance estimates between the APs and the STA.

Abstract: A computer readable media, a method, and a system registering a third party application providing an available communication system between a local user and a remote user identity, storing information related to the available communication system in a first database, obtaining contact information for the remote user identity from the third party application, determining a communication type for the third party application, pairing the remote user identity with a contact, and updating a graphical representation of contact information.

Abstract: In some examples, a system comprises at least one programmable processor; and a machine-readable medium having instructions stored thereon which, when executed by the at least one programmable processor, cause the at least one programmable processor to execute operations comprising: receiving a first request from at least one user device to execute an instance of an application; transmitting a graphical user interface (GUI) to the at least one user device to be rendered on a display of the at least one user device; receiving a second request, via the GUI, from the at least one user device, to deploy a digital advertisement, the second request including a set of platforms of a plurality of platforms of a multi-platform integration system, a set of settings, a set of parameters, and a set of allocation data; interfacing with each one of the platforms in the set of platforms; and integrating a digital advertisement directly with each one of the platforms in the set of platforms based on the set of settings, the

Abstract: A method including receiving, by a manager device from an infrastructure device, an invitation link to enable the manager device to manage network services provided by the infrastructure device; receiving, by the manager device from the infrastructure device based on the manager device activating the invitation link, seed information to be utilized by the manager device to determine authorization information; transmitting, by the manager device to the infrastructure device during an active communication session and based on determining the authorization information, a manager request related to an action to be performed regarding the network services, a portion of the manager request being signed based on utilizing a first portion of the authorization information; and performing, by the manager device, the action regarding the network services based on a verification that the communication session is currently active is disclosed. Various other aspects are contemplated.

Abstract: Methods, computer readable media, and devices for automated routing based on content metadata are provided. One method may include receiving a user request for content with metadata from a client by a content distribution network (CDN), parsing the user request for content to generate an evaluation of the metadata, determining a routing decision representing a selection of one of a plurality of origin services for the user request for content based on the evaluation of the metadata, transmitting the user request for content to the selected one of the plurality of origin services based on the routing decision, receiving a response to the user request for content from the selected one of the plurality of origin services, and sending the response to the client.

Abstract: A method including transmitting, by an infrastructure device to a manager device, an invitation link to enable the manager device to manage network services provided by the infrastructure device; transmitting, by the infrastructure device to the manager device based at least in part on the manager device activating the invitation link, seed information to be utilized by the manager device to determine authorization information; receiving, by the infrastructure device from the manager device during an active communication session, a manager request related to an action to be performed regarding the network services, the manager request being signed based at least in part on utilizing a first portion of the authorization information; and enabling, by the infrastructure device, performance of the action regarding the network services based at least in part on verifying that the communication session is currently active is disclosed. Various other aspects are contemplated.

Abstract: Exemplary embodiments prevent tampering of a software release date associated with a software application by incorporating the software release date into a key exchange with a security domain. If the software release date is tampered with, then the key exchange results in the wrong key exchange key. Without the correct key exchange key, the software application will fail its check of the license, and the software application will no longer continue to run.

Abstract: Various systems and methods use a Merklized Adaptive Radix Forest (MARF), which is an authenticated index data structure that can be used by peers, clients, miners, and/or other participants in a blockchain network for efficiently encoding a cryptographic commitment to a blockchain state. For example, the MARF data structure can be used to represent a blockchain state as key-value pairs within an authenticated directory. The MARF data structure may include various merklized adaptive radix tries (ARTs) associated with different blocks in the blockchain, some of which may be linked together via one or more back-pointers.

Abstract: There is provided a system including a memory storing an executable code and a processor executing the executable code to provide access to a plurality of users to curate video clips stored in a content repository, wherein each video clip is associated with one of a plurality of ownership identifications, receive curation inputs from a user of one of a plurality of user devices arranging two or more video clips into a video compilation, wherein a first video clip is associated with the first ownership identification of a first content owner and a second video clip is associated with the second ownership identification of a second content owner, stream the video compilation to one or more of the plurality of user devices, and distribute a first fee to the first content owner and a second fee to the second content owner, in response to streaming the video compilation.

Abstract: Robot access control and governance for robotic process automation (RPA) is disclosed. A code analyzer of an RPA designer application, such as a workflow analyzer, may read access control and governance policy rules for an RPA designer application and analyze activities of an RPA workflow of the RPA designer application against the access control and governance policy rules. When one or more analyzed activities of the RPA workflow violate the access control and governance policy rules, the code analyzer prevents generation of an RPA robot or publication of the RPA workflow until the RPA workflow satisfies the access control and governance policy rules. When the analyzed activities of the RPA workflow comply with all required access control and governance policy rules, the RPA designer application may generate an RPA robot implementing the RPA workflow or publish the RPA workflow.

Abstract: A system and method for evaluating socio-economic and/or environmental impact automatically identifies and transmits to a user computing device a socio-economic and/or environmental impact web page of an organization. A computer database coupled to a server contains data for various socio-economic and/or environmental impact web pages, defining formatting elements configured to display impact data. The computer database receives a data feed of the impact data from the organization and/or from one or more of the organization's vendors, and automatically updates the organization's socio-economic and/or environmental impact web page. The system automatically generates in the socio-economic and/or environmental impact web page, a socio-economic and/or environmental impact quotient depiction representing socio-economic and/or environmental impact of resource allocations of the associated organization.

Abstract: A method for communicating data includes interfacing different data sources to stand-alone software agents customized for the different data sources. The method also providing selected source data to the stand-alone software agents to generate first-stage data feeds in a neutral format in accordance with the customization. The selected source data is dynamically selected from within the data sources, and transformed into the first-stage data feeds in the neutral format. The stand-alone software agents send the first-stage data feeds to an aggregation agent. The aggregation agent generates for a user and based on specified criteria, a second-stage output as a composite of selected source data from the first-stage data feeds.

Abstract: Certain aspects of the present disclosure provide techniques for processing transactions in a computing system. An example method generally includes receiving a request to perform an operation with respect to an object included in the request. A system identifies an archetype defining properties of the object included in the request. Based on the identified archetype, the system identifies data repositories to commit data to in order to perform the requested operation and rules for performing the operation with respect to the object. One or more actions are executed against the identified data repositories according to the identified rules.

Abstract: One variation of a method for hosting mobile access to dense electroencephalography data includes: receiving a set of signals, in a raw resolution, recorded by a set of channels in an electroencephalography headset during an electroencephalography test; receiving, from a client computing device, a view parameters for viewing the set of signals on a display; calculating a quantity of raw signal points per pixel column of the display based on the view parameters and a length of a segment of the electroencephalography test; for each signal in the set of signals, for each discrete contiguous sequence of the quantity of raw signal points within the segment of the signal, calculating a value set characterizing the discrete contiguous sequence of the quantity of raw signal points in the signal; and generating a static image representing value sets for each channel, in the set of channels, across the segment of the electroencephalography test.

Abstract: Provided are a method for performing task processing on a common service entity, a common service entity, an apparatus and a medium for performing task processing. The method includes: receiving a task processing request; determining whether the common service entity itself performs the processing request; forwarding the request to another common service entity in a case where it is determined that the common service entity itself does not perform the task processing request, wherein the common service entity is associated with the another common service entity; performing, by the common service entity, the task processing request in a case where it is determined that the common service entity itself performs the task processing request.

Abstract: Systems and methods are disclosed for online authentication of online attributes. One method includes receiving an authentication request from a rely party, the authentication request including identity information to be authenticated and credential information to be authenticated; determining whether a user account is associated with the received identity information by accessing an internal database; accessing user data of the user account determined to be associated with received identity information; determining authentication data to obtained from a user associated with the user account based on the user data of the user account and the credential information to be authenticated; transmitting a request for authentication data; receiving authentication data associated with the user; transmitting authentication data associated with the user; and receiving an authentication result from the verification data source server for the user associated with authentication data.

Abstract: A property is identified about which to gather information. A vehicle is deployed to a location associated with the property. The vehicle gathers data at the location. A portion of the gathered data indicating a condition or event at the property is determined and encrypted. The portion of the gathered data is stored or sent to an authorized party.

Abstract: A distributed network and security operations platform is disclosed. The disclosed platform comprises an external service that facilitates network and security operations for a private network. Data from nodes of the private network is received and analyzed by the service, and an output is automatically generated by the service in response to analyzing received data that facilitates modifying the routing performed by at least one or more of the nodes of the private network.

Abstract: A method for preventing tampering with a package includes: affixing a plurality of labels to a physical package, each label including a machine-readable code, the machine-readable code being encoded with a unique value that is unique across the machine-readable code included in each of the plurality of labels; reading, by a computing device, the machine-readable code included in each label of the plurality of affixed labels to obtain the encoded unique value; storing, in the computing device, a cryptographic key pair comprised of a public key and a private key; generating, by the computing device, a digital signature using the private key; and electronically transmitting, by the computing device, a data message to a node in a blockchain network, wherein the data message includes at least the generated digital signature, the public key, and the unique value read for each label of the plurality of labels.

Abstract: A primary platform (PP) can (i) support a first set of cryptographic parameters and (ii) securely download an unconfigured secondary platform bundle (SPB) that includes a configuration package (SPB CP). The SPB CP can establish a secure session with a configuration server (CS). The CS can select operating cryptographic parameters supported by the first set. The SPB CP can derive an SPB private and public key. The PP can use the selected operating cryptographic parameters to securely authenticate and sign the SPB public key. The CS can (i) verify the PP signature for the SPB public key and (ii) generate an SPB identity and certificate for the SPB and (iii) send the certificate and SPB configuration data to the SPB CP. The SPB CP can complete configuration of the SPB using the SPB identity, certificate, and configuration data. The configured SPB can authenticate with a network using the certificate.

Abstract: A system (100) and computer-implemented method are provided for data collection for distributed machine learning of a machine learnable model. A privacy policy data (050) is provided defining computer-readable criteria for limiting a selection of medical image data (030) to a subset of the medical image data to obfuscate an identity of the at least one patient. The medical image data is selected based on the computer-readable criteria to obtain privacy policy-compliant training data (060) for transmission to another entity. The system and method enable medical data collection at clinical sites without requiring manual oversight, and enables such selections to be made automatically, e.g., based on a request for medical image data which may be received from outside of the clinical site.

Abstract: A communication apparatus, a control program of the communication apparatus, and a relay apparatus are provided. The communication apparatus is configured to download electronic data from a server storing a first amount or more of electronic data and to output the downloaded electronic data. The communication apparatus includes an output unit configured to output a second amount of electronic data smaller than the first amount at one time, a download information acquiring unit configured to acquire download information necessary for downloading the first amount of electronic data stored in the server, from the server, a download unit configured to download the second amount of electronic data of the first amount of electronic data from the server, using the download information acquired by the download information acquiring unit. The output unit is configured to output the electronic data downloaded by the download unit.

Abstract: The present technology pertains to steering a playlisting service toward media items that are likely to receive positive feedback from a user operating a client device. The present technology permits a request to play media items without requiring an input context. A playlist service can begin to receive feedback on the playback of the media items and the received playback can be utilized by a steering service in response to a steering request to identify media items for playback that are likely to receive positive feedback based on the feedback received on a sequence of previously played media items.

Abstract: A method including receiving, by a device from a transmitting source application, a transmission packet to be transmitted to a destination application; determining, by the device, connection information included in the transmission packet, the connection information indicating one or more parameters to be utilized by the destination application to connect with the transmitting source application; determining, by the device, a fingerprint associated with the connection information based at least in part on encrypting the one or more parameters; comparing, by the device, the determined fingerprint with a stored fingerprint stored in correlation with an identity of a trusted source application; and processing, by the device, the transmission packet based at least in part on a result of comparing the determined fingerprint with the stored fingerprint. Various other aspects are contemplated.

Abstract: A method including transmitting, by an infrastructure device to a manager device, an invitation link to enable the manager device to manage network services provided by the infrastructure device; transmitting, by the infrastructure device to the manager device based on verifying that the invitation link was activated by the manager device, seed information to enable the manager device to determine authorization information; determining, by the manager device, the authorization information based on utilizing the seed information; transmitting, by the manager device to the infrastructure device during a communication session, a manager request related to an action to be performed regarding the network services, the manager request being signed based on utilizing a first portion of the authorization information; and authorizing, by the infrastructure device, the manager request based on verifying that the communication session is currently active is disclosed. Various other aspects are contemplated.

Abstract: A computer-implemented method includes: receiving, by a computer device, an artifact and a first token with a check-in request; applying, by the computer device, a first level fragile watermark to the artifact, wherein the first level fragile watermark includes ownership information from the first token; receiving, by the computer device, a second token with a check-out request; applying, by the computer device, a second level fragile watermark to a copy of the first level fragile watermarked artifact, wherein the second level fragile watermark includes authentication information from the second token; and transmitting, by the computer device, the second level fragile watermarked copy of the artifact to a client device.

Abstract: A computing system includes a database and a discovery application. The discovery application obtains credentials for accessing a server hosting a software bus application which connects a plurality of applications within a managed network. The discovery application selects, based on a pattern corresponding to the software bus application, one or more files to access, transmits, to the server, instructions to access the one or more files, and receives therefrom data identifying a plurality of attributes of the software bus application. Based on this data, the discovery application transmits, to the server, instructions to identify communicative connections established between the plurality of software applications by way of the software bus application and receives therefrom data identifying the communicative connections.

Abstract: Methods and systems are presented for automatically scrubbing sensitive data from text data comprising a sequence of words based on a negative word index. The negative word index may be constructed by obtaining articles that are publicly available and extracting words and word sequences from the articles. Statistical information associated with the word and word sequences from the articles may also be determined and included in the negative word index. To scrub sensitive data from the text data, a first sub-sequence of words is identified from the text data. The first sub-sequence of words may be determined to include sensitive information or not based on statistical information associated with the first sub-sequence of words within the negative word index. If the first sub-sequence of words includes sensitive information, the first sub-sequence of words may be removed from the text data.

Abstract: A method of displaying content items, for example message items in a messaging application or service, is disclosed. The method comprises receiving encrypted content items in a chronological sequence; decrypting the content items; causing display of a display sequence, in order of the chronological sequence, of a respective place holder in place of each of the decrypted content items, and, in response to a user input, causing display of the respective content item in place of one or more of the place holders. Each place holder has an appearance of a scrambled version of the respective content item. The display sequence may be contiguous in received items or sent content items may be interleaved with received content items in the display sequence, in which case sent content items may be displayed with place holders in the same way as received items. A corresponding system and corresponding computer readable medium or media are also disclosed.

Abstract: Methods, systems, and devices for leveraging data already collected on a user in a secure and private manner, in particular to verify user credentials for third parties. The methods, systems, and devices innovate beyond traditional security and privacy platforms in computer systems by processing the data to create a useable metric for the purposes of the third parties, in which the useable metric preserves the security and privacy of the underlying data.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to track a provenance of goods. An example apparatus includes an unsigned block generator to generate a first unsigned block to store first processing data associated with the product by a first entity, a block signature engine to sign the first unsigned block with a first private key to generate a blockchain having a first signed block, the unsigned block generator to generate a second unsigned block in response to a second entity generating second processing data associated with the product by the second entity, the block signature engine to expand the blockchain by signing the second unsigned block with a second private key to generate a second signed block within the blockchain, and a blockchain validator to verify the product provenance by validating the first processing data and the second processing data using respective public keys associated with the first entity and the second entity.

Abstract: Data transaction-specific data packets transmitted over a data communications network from a plurality of source computer nodes are processed. A first data packet communication session is established between one source computer node and one destination computer node to transport data transaction specific data packets over a first path through the data communications network. A second alternative data packet communication session is established between the one source computer node and the one destination computer node to transport data transaction specific data packets over a second path that is different from and bypasses the first path. When a condition based on the data transaction-specific data packets is identified, electronic processing circuitry initiates an alteration of the first data packet communication session.

Abstract: Techniques are disclosed to automate secure propagation of a configuration to a plurality of servers in a server cluster. For example, the techniques may include a method. The method may include receiving, at a first computing device, a first public key associated with a target computing device, the first computing device having an updated configuration. The method may further include encrypting, at the first computing device, the updated configuration using the first public key. The method may further include sending the encrypted configuration to the target computing device. The method may further include decrypting, at the target computing device, the encrypted configuration using a first private key associated with the target computing device, wherein the first public key and the first private key are a first keypair associated with the target computing device. The method may further include updating the target computing device with the updated configuration.

Abstract: A system and method for media content management include creating, via a digital vault, a container file comprising media content submitted by a first user and content metadata; verifying, via the digital vault, a completeness of the content metadata associated with the media content in the container file; classifying, via the digital vault, the container file based on the completeness of the media content; capturing, via the digital vault, event metadata when a second user gains access to the container file, the event metadata comprising at least one of identification of the second user, an activation timestamp, a duration of access, portions of the container file accessed, and changes to the container file; and enabling a private communication channel between parties affiliated with the media content to permit messaging among the parties affiliated with the media content via the private communication channel.

Abstract: Disclosed are various embodiments for controlling access to resources in a network environment. Methods may include installing a profile on the device and installing a certificate included in or otherwise associated with the profile on the device. A request to execute an application, and/or access a resource using a particular application, is received and determination is made as to whether the certificate is installed on the device based on an identification of the certificate by the application. If the certificate is installed on the device, then execution of the application and/or access to the resource is allowed. If the certificate is not installed on the device, then the request for execution and/or access is refused.