US Pat. No. 9,769,266

CONTROLLING ACCESS TO RESOURCES ON A NETWORK

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program instructions executable in a client device that, when executed
by the client device, cause the client device to:
generate a request on the client device to access an enterprise resource from an enterprise device, the request comprising
user access credentials and a device identifier corresponding to the client device;

cause the request to access the enterprise resource to be communicated to a proxy server configured to:
authenticate a user account of the client device by determining that the user access credentials match approved user access
credentials stored in a data store;

authenticate the client device by determining that the device identifier matches an approved device identifier stored in the
data store;

communicate with a compliance server to determine that the client device complies with at least one compliance rule based
at least in part on a device profile generated for the client device;

associate enterprise access credentials with the client device in response to the client device being authorized by the proxy
server and the compliance server to access the enterprise resource;

modify the request to generate a subsequent request to access the enterprise resource for transmission to the enterprise device
by replacing the user access credentials with the enterprise access credentials in response to the enterprise access credentials
being associated with the client device, the subsequent request further comprising the device identifier;

receive the enterprise resource from the enterprise device in response to the subsequent request being received by the enterprise
device from the proxy server and the subsequent request being authenticated by the enterprise device using the enterprise
access credentials and the device identifier; and

communicate the enterprise resource to the client device; and
access the enterprise resource received at the client device from the proxy server.

US Pat. No. 9,378,350

FACIAL CAPTURE MANAGING ACCESS TO RESOURCES BY A DEVICE

AirWatch LLC, Palo Alto,...

1. A method of managing access to resources by a device, comprising:
receiving a request to access a computing resource;
determining that access to the computing resource requires a facial capture;
activating a camera of the device to capture a first image, wherein the first image comprises a first face of a user attempting
to access the computing resource;

determining that the first face fails to match a second face of the user stored in a second image;
deleting the computing resource from the device in response to determining that the first face fails to match the second face;
storing a record associating the first image and the requested computing resource, wherein the record includes a time and
a date that the computing resource was accessed and information that indicates a version of the computing resource; and

transmitting the record and the first image to a remote server associated with the computing resource.

US Pat. No. 9,401,915

SECONDARY DEVICE AS KEY FOR AUTHORIZING ACCESS TO RESOURCES

AirWatch LLC, Palo Alto,...

1. A method comprising:
transmitting, from a device, a request to an authorization service for access to at least one resource;
receiving from the authorization service an indication that the device must comply with a distribution rule associated with
the at least one resource, wherein the distribution rule requires a specified secondary device to be in proximity to the device
as a prerequisite to accessing the at least one resource;

transmitting an indication that the device is in proximity to the secondary device;
receiving an authorization indication at the device in response to transmitting the indication that the device is in proximity
to the secondary device;

creating a registration key based on the authorization indication, a user identifier, and a property of the device;
determining whether access to at least one resource is permitted according to the registration key;
obtaining an authorization credential from the secondary device, the authorization credential being associated with the at
least one resource; and

in response to determining that access to the at least one resource is permitted according to the registration key and receiving
the authentication credential, permitting the device to access the at least one resource.

US Pat. No. 9,442,725

BRANCH TRACE COMPRESSION

AirWatch LLC, Atlanta, G...

1. A computer-implemented method, comprising:
assigning a plurality of branch instructions within a computer program to a plurality of prime numbers, wherein each branch
instruction is assigned a unique prime number within the plurality of prime numbers;

receiving or reading a run-time branch trace value generated while the computer program is executed;
determining the run-time branch trace value is divisible, without a remainder, by a first prime number of the plurality of
prime numbers; and

generating an output, in response to the determination, indicating that a first branch instruction assigned to the first prime
number was executed during an execution of the computer program that generated the run-time branch trace value.

US Pat. No. 9,383,983

METHOD AND SYSTEM TO IMPOSE ENTERPRISE SECURITY MECHANISMS THROUGHOUT A MOBILE APPLICATION LIFECYCLE

AirWatch LLC, Atlanta, G...

1. A method to authenticate a user of an application running on a mobile operating system (OS) installed on a mobile device,
wherein the mobile OS invokes callback methods of the application upon making changes to an execution state of the application,
the method comprising:
embedding code into an executable version of the application prior to installation of the application on the mobile device,
wherein the embedded code is configured to hook into at least one of the callback methods to cause the application to communicate
with a management agent installed in the mobile OS prior to execution of the at least one callback method;

upon the mobile OS triggering a change in execution state of the application to a foreground state, and upon the mobile OS
invoking the at least one callback method of the application, executing the embedded code to determine whether the user should
be provided an authentication challenge prior to enabling the application to run in the foreground state;

in response to determining that the user should be provided the authentication challenge, invoking the management agent by
execution of the embedded code to present the authentication challenge to the user through a user interface of the mobile
device; and

returning execution control from the management agent back to the application wherein the application executes the at least
one callback method prior to running in the foreground state.

US Pat. No. 9,325,713

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device comprising at
least one hardware processor, the program comprising code that, when executed by the at least one computing device, causes
the at least one computing device to:
access an email resource requested by a client device from at least one email service;
identify a resource rule specifying a condition for which the client device is authorized to access the email resource, the
resource rule being identified based at least in part on a device state of the client device;

determine whether the email resource satisfies the resource rule based at least in part on a stringency level associated with
the resource rule, the stringency level being increased or reduced based at least in part on the device state;

responsive to the email resource failing to satisfy the resource rule, modify the email resource causing the email resource
to satisfy the resource rule; and

responsive to the email resource, as modified, satisfying the resource rule, authorize the client device to access the email
resource.

US Pat. No. 9,473,417

CONTROLLING RESOURCES USED BY COMPUTING DEVICES

AirWatch LLC, Palo Alto,...

1. A method comprising:
determining, by a management application executed on a processor, that computing devices are available for management;
determining, by the management application, that one or more computing devices are executing a respective instance of a client
application, wherein the client application is configured to communicate with the management application and is further configured
to control at least one respective computing resource; and

configuring, by the management application, the at least one respective computing resource such that at least one of the computing
devices is restricted to accessing at least one common resource and prevented, for a duration in which the at least one common
resource is being accessed, from accessing any other resource than the at least one common resource, wherein the at least
one computing device is configured through communication between the management application and the respective instance of
the client application.

US Pat. No. 9,225,742

MANAGED REAL-TIME COMMUNICATIONS BETWEEN USER DEVICES

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving a request to instantiate a communication connection from an application;
generating a session encryption key pair comprising a public key and a private key,
establishing a secure session between the application and a second application according to the session encryption key pair;
receiving an input from a user of the application;
applying at least one management policy to the input of the user of the application; and
causing the input to be transmitted to the second application;
determining whether a device associated with the user is in compliance with at least one second management policy; and
in response to determining that the device associated with the user is not in compliance with the at least one second management
policy, applying a remediation action associated with the at least one second management policy to the device, the remediation
action comprising overriding a user preference associated with the application.

US Pat. No. 9,185,099

SECURELY AUTHORIZING ACCESS TO REMOTE RESOURCES

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving a request to determine whether a user device communicatively coupled to a resource server is authorized to access
at least one resource hosted by the resource server;

determining whether the user device communicatively coupled to the resource server is authorized to access the at least one
resource hosted by the resource server based at least in part on whether the user device communicatively coupled to the resource
server has been issued a management identifier;

responsive to a determination that the user device communicatively coupled to the resource server is authorized to access
the at least one resource hosted by the resource server, providing a response indicating that the user device communicatively
coupled to the resource server is authorized to access the at least one resource hosted by the resource server; and,

responsive to a determination that the user device communicatively coupled to the resource server is not authorized to access
the at least one resource hosted by the resource server, providing a response indicating that the user device communicatively
coupled to the resource server is not authorized to access the at least one resource hosted by the resource server.

US Pat. No. 9,203,820

APPLICATION PROGRAM AS KEY FOR AUTHORIZING ACCESS TO RESOURCES

AirWatch LLC, Atlanta, G...

1. A method performed by a client side application executed on a client device comprising:
transmitting a request to an authorization service for access to a resource;
receiving from the authorization service a request for confirmation that the client device complies with a distribution rule
associated with the resource, wherein the distribution rule requires a previous installation of a key application to be installed
on the client device as a prerequisite to accessing the resource and the request for confirmation includes a key application
identifier identifying the key application; and

in response to a determination that the client device complies with the distribution rule, accessing the resource.

US Pat. No. 9,298,936

ISSUING SECURITY COMMANDS TO A CLIENT DEVICE

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed
by the client device, being configured to cause the client device to at least:
receive a request to communicate with a mail server, the request originating from a mail client executed by the client device,
wherein the mail client is configured to transmit requests associated with a mail account to the mail server, the mail server
corresponding to a network address of the client device and the mail server further corresponding to a mail proxy executed
by the client device;

determine, in response to receiving the request, whether a limitation on at least one component of the client device has been
removed;

in response to determining that the limitation on at least one component of the client device has not been removed, forwarding
the request to communicate with the mail server to a remote mail server accessible through a network, the remote mail server
corresponding to a network address external to the client device and the remote mail server further corresponding to a remote
mail server executed by another computing device, wherein a response to the request to communicate with the mail server is
received from the remote mail server and forwarded to the mail client; and

in response to determining that the limitation on at least one component of the client device has been removed, issuing a
command from the mail proxy executed by the client device to the mail client executed by the client device to remove data
from the client device.

US Pat. No. 9,280,665

FAST AND ACCURATE IDENTIFICATION OF MESSAGE-BASED API CALLS IN APPLICATION BINARIES

AIRWATCH LLC, Atlanta, G...

15. A method, comprising:
analyzing, by at least one computing device, binary code of an application to determine a first listing of classes and a first
listing of methods, wherein the first listing of classes includes local classes but not external classes, and the first listing
of methods includes local methods but not external methods;

analyzing, by the at least one computing device, metadata of the application to determine a second listing of classes and
a second listing of methods, wherein the second listing of classes includes at least one local class and at least one external
class, and the second listing of methods includes at least one local method and at least one external method;

determining, by the at least one computing device, a listing of external classes from the first listing of classes and the
second listing of classes;

determining, by the at least one computing device, a listing of external methods from the first listing of methods and the
second listing of methods;

obtaining, by the at least one computing device, data identifying a plurality of public application programming interface
(API) definitions; and

determining, by the at least one computing device, a plurality of public APIs invoked by the application by comparing the
listing of external classes and the listing of external methods with the data identifying the plurality of public API definitions.

US Pat. No. 9,202,025

ENTERPRISE-SPECIFIC FUNCTIONALITY WATERMARKING AND MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, comprising code that:
identifies a request to perform an enterprise function of the client device, the enterprise function being associated with
a compliance rule;

communicates the request to a compliance server over a network to identify at least one watermark template from a plurality
of available watermark templates based at least in part on the enterprise function of the client device requested to be performed,
the at least one watermark template identified by querying a data store accessible by the compliance server;

applies the at least one watermark template to the enterprise function of the client device such that a performance of the
enterprise function complies with the compliance rule by:

causing descriptive data to be added to the at least one watermark template, the descriptive data being descriptive of the
enterprise function of the client device requested to be performed;

overlaying the at least one watermark template onto a resource generated by the enterprise function of the client device;
and

storing the resource in accordance with a storage structure convention defined by configuration data of the watermark template;
and

receives an authorization from the compliance server that causes the client device to perform the enterprise function identified
in the request, the authorization being determined using at least a property set forth in the at least one watermark template
that indicates whether the client device complies with the compliance rule.

US Pat. No. 9,123,031

ATTENDANCE TRACKING VIA DEVICE PRESENCE

AirWatch LLC, Atlanta, G...

1. A method comprising:
determining that a meeting has begun;
identifying, via at least one processing device, a plurality of mobile devices present at the meeting by:
defining a geographical area associated with the meeting, the geographical area comprising an area within which a respective
mobile device must be located in order for presence at the meeting to be registered; and

for each of the plurality of mobile devices, obtaining a global positioning system (GPS) location associated with the respective
mobile device and determining whether the respective mobile device is within the geographical area;

correlating, via the at least one processing device, one or more of the plurality of mobile devices present at the meeting
with one or more users so as to determine one or more attendees of the meeting;

creating an attendance log based at least in part on the one or more attendees of the meeting to determine a number of the
one or more attendees;

determining whether a discrepancy exists between the number of the one or more attendees and a number of the plurality of
mobile devices; and

authorizing, in an instance in which it is determined that the discrepancy does not exist between the number of the one or
more attendees and the number of the plurality of mobile devices, communication of electronic content to one or more authorized
attendees.

US Pat. No. 9,195,811

FUNCTIONALITY WATERMARKING AND MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, comprising code that:
identifies a request to perform a function of the client device, the function being associated with a compliance rule;
queries a data store to identify at least one watermark template from a plurality of available watermark templates, the at
least one watermark template being identified based at least in part on the function of the client device requested to be
performed;

applies the at least one watermark template to the function of the client device such that a performance of the function complies
with the compliance rule by:

causing descriptive data to be added to the at least one particular watermark template, the descriptive data being descriptive
of the function of the client device; and

causing at least a portion of the at least one watermark template to be added to at least one resource generated during performance
of the function;

causing the at least one resource generated by the function of the client device to be named in accordance with a naming convention
specified in configuration data of the at least one watermark template; and

receives an authorization from a compliance server that causes the client device to perform the function identified in the
request, the authorization being determined by the compliance server using at least a device profile describing a state of
the client device indicating whether the at least one computing device complies with the compliance rule.

US Pat. No. 9,591,001

REMOTE PROCESSING OF MOBILE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A method, comprising:
receiving a request from a management agent executed by a client device for access to server-side aspects of a restricted
resource, the management agent executed by the client device being configured to generate an aggregate user interface for
interacting with one or more of device-side aspects of the restricted resource or the server-side aspects of the restricted
resource;

generating an instance of the restricted resource, the instance of the restricted resource being configured to execute the
server-side aspects of the restricted resource;

generating an instance of a user interface associated with the restricted resource, the instance of the user interface associated
with the restricted resource being configured to provide interaction with the executed server-side aspects of the restricted
resource;

determining that the client device is authorized to access the server-side aspects of the restricted resource based at least
in part on a profile associated with the restricted resource and information describing the client device, wherein the profile
comprises profile criteria related to state details of the client device; and

providing the management agent executed by the client device with access to data representative of the instance of the user
interface associated with the restricted resource.

US Pat. No. 9,391,995

REMOTE PROCESSING OF MOBILE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A method comprising:
responsive to receiving an indication of a request to access a resource, accessing a profile associated with the resource,
wherein the profile comprises at least one profile criterion;

evaluating the at least one profile criterion based at least in part on status information associated with a client device
requesting access to the resource to determine whether the requested resource is subject to a processing restriction;

responsive to receiving an indication that the resource is subject to a server-only processing restriction:
requesting access to the resource from a remote server; and
receiving data representative of an instance of a user interface (UI) for interacting with an instance of the requested resource,
wherein the instance of the UI is configured for presentation to a user of the client device;

responsive to receiving an indication that the resource is subject to a server-device processing restriction:
outputting data representative of a UI for interacting with device-side aspects of the requested resource to an aggregate
generator;

requesting access to server-side aspects of the requested resource from the remote server;
receiving data representative of an instance of a UI for interacting with an instance of the server-side aspects of the requested
resource;

outputting data representative of the instance of the UI for interacting with the instance of the server-side aspects of the
resource to the aggregate generator; and

generating an aggregate UI, wherein the aggregate UI is configured for presentation to the user of the client device, and
wherein the aggregate UI is configured to allow the user to interact with device-side aspects and server-side aspects of the
requested resource;

responsive to receiving the indication of the request, determining whether the request is to interact with device-side aspects
of the requested resource or server-side aspects of the requested resource;

responsive to determining the request is to interact with device-side aspects of the requested resource:
processing the request;
updating the UI for interacting with device-side aspects of the requested resource based on the processed request;
outputting data representative of an updated UI for interacting with device-side aspects of the requested resource to an aggregate
generator; and

generating an updated aggregate UI; and
responsive to determining the request is to interact with server-side aspects of the requested resource:
outputting the request to the remote server;
receiving data representative of an updated instance of a UI for interacting with the instance of server-side aspects of the
requested resource;

outputting data representative of the updated instance of the UI for interacting with the instance of server-side aspects
of the requested resource to the aggregate generator; and

generating the updated aggregate UI.

US Pat. No. 9,167,104

TELECOMMUNICATIONS DATA USAGE MANAGEMENT

AIRWATCH LLC, Atlanta, G...

1. A method comprising:
identifying a network state associated with a device in communication with a communication network;
determining whether the network state is in compliance with a data usage policy based upon whether a user associated with
the device is a member of a first user group or a second user group, the first user group associated with a higher data usage
priority than the second user group; and

in response to determining that the network state is not in compliance with the data usage policy based upon the user being
a member of the second user group, restricting access to the communication network at least one application.

US Pat. No. 9,058,495

RIGHTS MANAGEMENT SERVICES INTEGRATION WITH MOBILE DEVICE MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
restricting at least one functionality associated with a document according to a compliance policy, the document being associated
with a sender device;

transmitting the document to at least one recipient device;
receiving, in a rights management server associated with the sender device, a request to un-restrict the at least one functionality
associated with the document, the request being associated with an application associated with viewing of the document on
the at least one recipient device;

receiving, in the rights management server, an indication from a compliance server associated with the at least one recipient
device, wherein the rights management server is associated with the sender device and the compliance server is associated
with the at least one recipient device, the indication being associated with whether the at least one recipient device complies
with the compliance policy;

determining, in the rights management server, whether the at least one recipient device complies with the compliance policy
based at least in part upon the indication received from the compliance server;

transmitting, from the rights management server to the compliance server, an authorization to un-restrict the at least one
functionality associated with the document; and

in response to determining that the at least one recipient device complies with the compliance policy, initiating un-restricting
the at least one functionality associated with the document by the application associated with viewing of the document by
the at least one recipient device.

US Pat. No. 9,813,247

AUTHENTICATOR DEVICE FACILITATING FILE SECURITY

AirWatch LLC, Atlanta, G...

1. A method for controlling access to an encrypted file, comprising:
establishing a trusted relationship between an authenticator device and a file storage application hosting the encrypted file;
receiving a request to access the encrypted file from an access device;
authenticating the request by determining that the access device has authority to access the encrypted file;
providing a decryption key to the authenticator device when the access device has authority;
providing the encrypted file to the access device;
transmitting the decryption key from the authenticator device to the access device; and
decrypting the encrypted file, by the access device, using the decryption key received from the authenticator device.

US Pat. No. 9,391,960

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AirWatch LLC, Palo Alto,...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, comprising program
code that, when executed, causes the at least one computing device to:
access an email resource requested by a client device from at least one email service;
identify a uniform resource locator (URL) within the email resource;
determine whether the URL is required to be accessed by a particular browser application; and
responsive to determining that the URL is required to be accessed by the particular browser application, modify the URL within
the email resource to include a designation of the particular browser application, wherein the URL as modified cannot be accessed
by at least one browser application other than the particular browser application.

US Pat. No. 9,148,416

CONTROLLING PHYSICAL ACCESS TO SECURE AREAS VIA CLIENT DEVICES IN A NETWORKED ENVIRONMENT

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium encoded with software for execution and, when executed, operable to:
receive a request for a physical access credential, wherein the request comprises at least one user access credential associated
with a mobile device and at least one physical access point identifier, the at least one user access credential obtained by
a sensor associated with a physical lock actuator and the at least one physical access point identifier being associated with
the physical lock actuator;

authenticate the request based at least in part on the at least one user access credential;
determine whether the mobile device is in compliance with a plurality of compliance rules, the compliance rules comprising
at least a hardware restriction and a mobile device management restriction, the hardware restriction comprising a requirement
that the mobile device include a particular hardware capability, the particular hardware capability comprising: a Bluetooth
capability, a camera, and a wireless communications capability, and the mobile device management restriction comprising a
requirement that the mobile device be enrolled with a mobile device management system;

in response to authenticating the request and determining whether the mobile device is in compliance with the plurality of
compliance rules, send the physical access credential associated with the physical lock actuator to the mobile device; and

actuate an unlocking function of the physical lock actuator associated with the physical access point identifier.

US Pat. No. 9,112,749

FUNCTIONALITY MANAGEMENT VIA APPLICATION MODIFICATION

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving, in a management server, one or more requests to perform an action;
modifying, in the management server, an application to redirect the one or more requests to perform the action to a second
application;

determining, by the management server, whether the action is associated with a metered resource by determining whether authorizing
the action to be performed would consume at least a portion of the metered resource, wherein determining whether the action
would consume at least a portion of the metered resource comprises identifying one or more functions associated with the action
to be performed and computing an amount of the metered resource consumed by at least one of the one or more functions;

in response to determining that the action is associated with the metered resource, determining, by the management server,
whether the request complies with at least one management policy by determining whether the computed amount of the metered
resource consumed by at least one of the one or more functions exceeds a quota amount of the metered resource; and

in response to determining that the request complies with the at least one management policy, authorizing, by the management
server, the action to be performed.

US Pat. No. 9,413,754

AUTHENTICATOR DEVICE FACILITATING FILE SECURITY

AirWatch LLC, Palo Alto,...

18. A method, comprising:
obtaining, within a server, a request to store a file in association with a storage account associated with at least one of
a user or at least one computing device;

generating, within the server, a security key corresponding to at least one of the file or the storage account;
generating, within the server, a secured file corresponding to the file based at least in part upon the security key;
storing, via the server, the secured file in storage accessible to the server;
identifying, within the server, at least one public key corresponding to the storage account;
generating, within the server, at least one encrypted security key corresponding to the security key, the at least one encrypted
security key being encrypted using the at least one public key corresponding to the storage account; and

storing, via the server, the at least one encrypted security key in storage accessible to the server.

US Pat. No. 10,025,459

GESTURE-BASED WORKFLOW PROGRESSION

AirWatch LLC, Atlanta, G...

1. A computer-implemented method executed using one or more processors, the method comprising:
displaying, by the one or more processors, at least one graphical representation associated with an electronic document on a touchscreen display, the electronic document corresponding to an email message; and
receiving, by the one or more processors, user input to the at least one graphical representation, the user input indicating a touchscreen gesture to the touchscreen display, and in response:
generating a horizontal sliding animation of the at least one graphical representation towards a side of the touchscreen display that corresponds to a direction of the touchscreen gesture;
determining whether a type of the touchscreen gesture is a positive gesture based upon whether the direction of the touchscreen gesture corresponds to the positive gesture;
determining a degree of the touchscreen gesture by:
determining a length of the touchscreen gesture;
comparing the length to a first threshold;
in response to determining that the length is greater than the first threshold:
comparing the length to a second threshold;
in response to determining that the length is less than the second threshold, specifying that the degree of the touchscreen gesture is a first degree; and
in response to determining that the length is greater than the second threshold, specifying that the degree of the touchscreen gesture is a second degree;
identifying one or more actions based on the type and the degree, each action of the one or more actions being executable to take a first action or a second action on the email message;
displaying the first action from the one or more actions corresponding to the first degree on the touchscreen display by generating a first modified at least one graphical representation within and during the horizontal sliding animation in response to the length being less than the second threshold;
displaying the second action from the one or more actions corresponding to the second degree on the touchscreen display by generating a second modified at least one graphical representation within and during the horizontal sliding animation in response to the length being greater than the second threshold; and
upon detecting completion of user input, taking the first action or the second action on the email message.

US Pat. No. 9,426,129

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AirWatch LLC, Palo Alto,...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, comprising code
that:
accesses an email resource in transit to a client device from at least one email service, the email resource comprising an
email attachment;

identifies a compliance rule associated with the email resource, the compliance rule specifying that the email resource may
only be accessed if the email attachment is removed from the email resource and is encrypted with a cryptographic key accessible
to a secure container application, the secure container application being configured to prohibit performing at least one of
a cut function, a copy function, or a screen capture function while the email attachment is accessed;

removes the email attachment from the email resource in accordance with the compliance rule;
generates an encrypted email attachment from the email attachment using the cryptographic key accessible to the secure container
application in accordance with the compliance rule; and

causes a transmission of the email resource and the encrypted email attachment to the client device.

US Pat. No. 9,406,157

CONCEALING SENSITIVE INFORMATION ON A DISPLAY

AirWatch LLC, Atlanta, G...

1. A method for a computing device to conceal sensitive information on a display, wherein the computing device is coupled
to a first display and a second display, the method comprising:
detecting sensitive information in a desktop shown on the first display by detecting a user interface element associated with
sensitive information;

in response to detecting sensitive information in the desktop shown on the first display, generating a replacement image that
conceals the detected sensitive information in the desktop and sending the replacement image to the second display for display,
wherein generating the replacement image that conceals the detected sensitive information comprises capturing a static image
of the desktop before the detected sensitive information appears on desktop and modifying a portion of the desktop in the
static image on which the sensitive information is detected; and

in response to failing to detect sensitive information in the desktop shown on the first display, sending a mirror image of
the desktop shown on the first display to the second display for display.

US Pat. No. 9,292,699

ENCRYPTED FILE STORAGE

AirWatch LLC, Atlanta, G...

1. A method, comprising:
receiving, at a file index server, a request from a client device to store index data for an encrypted version of a file that
the client device causes to be stored in a storage location of a remote cloud data storage provider, the remote cloud data
storage provider being accessible to the client device through a network and being separate from the file index server;

storing, at the file index server, an encryption key used to generate, for or by the client device, the encrypted version
of the file stored in the remote cloud data storage provider; and

storing, at the file index server, a reference to the storage location of the remote cloud data storage provider where the
encrypted version of the file is stored such that the reference can be subsequently retrieved without contacting the remote
cloud data storage provider.

US Pat. No. 9,270,777

SOCIAL MEDIA AND DATA SHARING CONTROLS FOR DATA SECURITY PURPOSES

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving a request to transmit an element of data to a recipient, the request identifying a public server through which the
element of data is requested to be shared;

identifying a service associated with the public server;
determining whether the element of data is allowed to be shared through the service associated with the public server based
upon an analysis of the content of the element of data;

determining whether a contact record associated with the recipient is a work contact or a personal contact of the sender;
determining whether the recipient is appropriate to receive the element of data based upon an identity of the service and
whether the contact record is a work contact or a personal contact;

in response to determining that the recipient is appropriate to receive the element of data, causing the element of data to
be transmitted; and

in response to determining that the recipient is not appropriate to receive the element of data, causing at least one remedial
action to be performed.

US Pat. No. 9,226,155

DATA COMMUNICATIONS MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
identifying an available wireless network;
determining whether the available wireless network comprises a second network that fails to support a minimum security level
that is supported by an authorized wireless network; and

in response to determining that the available wireless network comprises the second network:
determining whether a user associated with a client device is associated with an elevated priority based at least in part
upon an amount of time since a previous connection with a compliance server or whether a location of the client device is
within a specified location;

causing a connection to be established with the available wireless network in response to the user being associated with the
elevated priority; and

causing at least one data communication to be performed through the second network, the at least one data communication comprising
a device check-in with the compliance server.

US Pat. No. 9,813,241

ENCRYPTED FILE STORAGE

AirWatch LLC, Atlanta, G...

1. A method of storing files that are associated with a user account in at least one cloud data storage provider, comprising:
receiving, by an index server, a request to store a first file on behalf of a user associated with access credentials of the
user account, the request being received from a client device executing a file management application that communicates with
the index server;

identifying, by the index server, a first storage location of the first file associated with a cloud data storage provider
that is different from the index server; and

providing, by the index server, the first storage location to the file management application, the first storage location
specifying where to send an encrypted version of the first file, the encryption being based on a first key associated with
the first storage location of the first file, the first key being different than the access credentials for the cloud data
storage provider.

US Pat. No. 9,769,141

SECURELY AUTHORIZING ACCESS TO REMOTE RESOURCES

AirWatch LLC, Palo Alto,...

1. A method for authorizing access to a cloud-based content repository, comprising:
receiving, based on a determination that a mobile device complies with one or more compliance policies provided by a management
service, a management identifier;

transmitting an access request including the management identifier to the content repository;
receiving access to the content repository based on a determination that the management identifier is valid, wherein receiving
access further comprises determining, at the time of the access request, whether the mobile device continues to comply with
the one or more compliance policies; and

determining a subset of content for which access should be granted based on the management identifier and evaluation of compliance
with the one or more compliance policies.

US Pat. No. 9,510,182

USER ONBOARDING FOR NEWLY ENROLLED DEVICES

AirWatch LLC, Palo Alto,...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device comprising at
least one hardware processor, the program, when executed by the at least one computing device, being configured to cause the
at least one computing device to:
transmit a first command to a client device to disable at least one function of the client device;
associate the client device with a user account in a data store based at least in part on an authentication of a user of the
client device, the user account comprising at least one role associated with the user;

search the data store to identify content to be presented by the client device based at least in part on the role of the user;
and

transmit a second command to remotely enable the disabled at least one function of the client device in response to a determination
that the content has been viewed by the user of the client device, wherein the determination is based at least in part on
a confirmation provided by the client device, wherein the determination that the content has been viewed by the user of the
client device is made based at least in part on an amount of time the content has been rendered in a display of the client
device, whether the user has scrolled to an end of the content, a detection of a face by a camera of the client device exceeding
a predefined amount of time, or an acknowledgement made by the user in a user interface provided in association with the content.

US Pat. No. 9,246,918

SECURE APPLICATION LEVERAGING OF WEB FILTER PROXY SERVICES

AIRWATCH LLC, Atlanta, G...

1. A method for controlling access of client devices enrolled in a management system, comprising:
receiving, from a secure application executing on a client device, a first request to access a resource, the secure application
being provisioned as part of the management system separately from a client application;

in response to the first request, transmitting, from the client device, a second request for a compliance server to provide
an indication that an aggregate result of content analysis from a plurality of filter proxy services determines that the resource
complies with an acceptable use policy;

obtaining, in the client device, the indication that the aggregate result determines that the resource complies with the acceptable
use policy; and

in response to the indication that the aggregate result determines that the resource complies with the acceptable use policy,
granting, in the client device, the first request to access the resource.

US Pat. No. 9,247,432

SYSTEMS AND METHODS FOR CONTROLLING NETWORK ACCESS

AIRWATCH LLC, Atlanta, G...

1. An apparatus, comprising:
one or more processors;
one or more memory devices including program code instructions, the program code instructions being configured to cause the
one or more processors to at least:

receive one or more requests to access one or more network beacons from one or more client devices;
access one or more device profiles describing one or more states of the one or more client devices, wherein the one or more
device profiles indicate a date of last maintenance of the one or more client devices, and wherein the one or more states
of the one or more client devices indicate one or more locations of the one or more client devices and one or more signal
strengths of the one or more network beacons;

determine a stringency for one or more authorization rules associated with the one or more network beacons based at least
in part on whether the one or more client devices are located within a transmission range of the one or more network beacons,
wherein the stringency of the one or more authorization rules is adjusted based at least in part on the one or more states
of the one or more client devices;

determine, based at least in part on the one or more states, whether the one or more client devices satisfy the stringency
for the one or more authorization rules associated with the one or more network beacons, the one or more authorization rules
specifying one or more permitted states associated with an operating system software requirement for the one or more client
devices;

responsive to a determination that the one or more client devices satisfy the stringency for the one or more authorization
rules associated with the one or more network beacons, authorize the one or more client devices to access the one or more
network beacons; and

terminate the authorization of the one or more client devices to access the one or more network beacons by at least causing
one or more resources associated with the one or more network beacons to be removed from the one or more client devices in
an instance in which the one or more client devices no longer satisfy the one or more authorization rules associated with
the one or more network beacons.

US Pat. No. 9,231,818

FUNCTIONALITY MANAGEMENT VIA APPLICATION MODIFICATION

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving, in at least one computing device, a request to perform an action associated with an application, wherein the application
is modified to redirect a plurality of requests to perform the action to a second application;

identifying, by the at least one computing device, a plurality of functions associated with the action to be performed;
computing, by the at least one computing device, an amount of the metered resource consumed by each of the plurality of functions;
determining, by the at least one computing device, whether performing the action will utilize a metered resource;
in response to determining that performing the action will utilize the metered resource, determining, by the at least one
computing device, whether the request complies with at least one cost compliance policy by determining whether the computed
amount of the metered resource consumed by each of the plurality of functions exceeds a quota amount of the metered resource;
and

in response to determining that the request complies with the at least one cost compliance policy, authorizing, by the at
least one computing device, the action to be performed.

US Pat. No. 9,730,044

TELECOMMUNICATIONS DATA USAGE MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
identifying a network state associated with a device in communication with a communication network;
determining whether the network state is a specified network state identified by a data usage policy; and
in response to determining that the network state is the specified network state, identifying a type associated with a communication
generated by the device for transmission over the communication network;

determining whether the data usage policy specifies that the type associated with the communication is permitted when the
device is associated with the specified network state; and

permitting access to the communication network when the type associated with the communication is permitted when the device
is associated with the specified network state.

US Pat. No. 9,438,635

CONTROLLING PHYSICAL ACCESS TO SECURE AREAS VIA CLIENT DEVICES IN A NETWORK ENVIRONMENT

AirWatch LLC, Palo Alto,...

1. A non-transitory computer-readable medium encoded with executable instructions that, when executed, cause at least one
computing device to at least:
identify a request to receive a physical access credential, wherein the request comprises at least one user access credential
associated with the mobile device and at least one physical access point identifier, the at least one physical access point
identifier being associated with a physical lock actuator;

authenticate the at least one user access credential;
determine whether the mobile device is in compliance with at least one compliance rule, the at least one compliance rule comprising
a mobile device management restriction and a hardware restriction, the mobile device management restriction comprising a requirement
that the mobile device be enrolled with a mobile device management system and the hardware restriction comprising a requirement
that the mobile device includes particular computer hardware components; and

when the at least one user access credential is authenticated and the mobile device is in compliance with the at least one
compliance rule:

authorize the mobile device to receive the physical access credential through the computer network, and
authorize the mobile device to transmit the physical access credential to the physical lock actuator associated with the at
least one physical access point identifier to cause the physical lock actuator to be in an unlocked state.

US Pat. No. 9,426,162

LOCATION-BASED CONFIGURATION POLICY TOGGLING

AirWatch LLC, Palo Alto,...

1. A system comprising:
at least one memory storage; and
at least one processor coupled to the at least one memory storage, wherein the at least one processor is configured to:
identify at least one configuration profile associated with at least one user device;
determine whether the at least one user device is authorized to enable the at least one configuration profile based at least
in part on whether the current location associated with the at least one user device complies with at least one compliance
rule, the compliance rule specifying that the at least one user device is authorized to enable the at least one configuration
profile when the at least one user device is within a proximity of a second device, the second device being a mobile device;
and,

enable the at least one configuration profile in response to a determination that the at least one user device is within the
proximity of the second device.

US Pat. No. 9,712,477

EMAIL NOTIFICATIONS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program,
when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
monitor at least one inbox associated with an email service, the at least one inbox being associated with at least one client
device;

determine whether a security preference specifies that a notification should include a default string indicating arrival of
a new email message or at least a portion of the new email message;

generate the notification indicating a delivery of a new email message to the at least one inbox, the notification comprising
the default string or the at least a portion of the new email message based upon the security preference; and

communicate the notification to a push notification service corresponding to the at least one client device.

US Pat. No. 9,544,747

TRANSMITTING MANAGEMENT COMMANDS TO A CLIENT DEVICE

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed
by the client device, being configured to cause the client device to at least:
extract a short message service (SMS) message from a SMS inbox of the client device, the SMS message having been originated
from a management service;

authenticate the SMS message based upon a message content of the SMS message;
identify a management command embedded within the SMS message, the management command specifying an action to be executed
on the client device with respect to management of the client device;

execute the management command on the client device;
generate a response to the management command, the response including an indication of an execution status of the management
command;

compose another SMS message including the response; and
transmit the other SMS message to the management service.

US Pat. No. 9,450,921

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AirWatch LLC, Palo Alto,...

1. A non-transitory computer-readable medium embodying a program executable in a computing device comprising code that, when
executed, causes the computing device to at least:
access an email message received by the computing device;
identify a uniform resource locator (URL) within the email message, wherein the URL corresponds to a resource residing in
a protected location that is not accessible by a native browser application of the computing device;

determine whether the computing device is permitted to access the URL; and
request access to the resources through a secure browser application of the computing device, the secure browser application
being different from the native browser application, upon a determination that the computing device is permitted to access
the resource in accordance with at least one resource rule, wherein the secure browser application is capable of accessing
the resource residing in the protected location in compliance with the at least one resource rule.

US Pat. No. 9,703,572

MANAGED APPLICATION DETECTION LOGIC

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device, the program
code being configured to cause the at least one computing device to at least:
determine whether an installation token is present in managed configuration data for an application;
execute the application as unmanaged based at least in part on a determination that the installation token is not present
in the managed configuration data; and

based at least in part on a determination that the installation token is present in the managed configuration data, determine
whether to execute the application as managed or execute the application as unmanaged according to whether a keychain installation
token is present in keychain data for the application, a value of the keychain installation token, and a value of a launched
flag in user default data for the application.

US Pat. No. 9,584,437

RESOURCE WATERMARKING AND MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
enrolling a user device with a management system that manages the user device for an enterprise;
generating, using the user device, a device profile that comprises first descriptive data describing the user device at a
first instance in time;

obtaining, in the user device, a configuration profile that causes the user device to at least obtain at least one watermark
template from the management system, wherein the configuration profile further causes the user device to at least comply with
at least one compliance rule;

identifying, using the user device, a request to access at least one resource;
determining, using the user device, whether the at least one compliance rule specifies that the at least one resource is required
to be associated with at least one watermark template in order for the user device to be authorized to access the at least
one resource;

determining, using the user device, whether the at least one watermark template is associated with the at least one resource;
associating, using the user device, the at least one watermark template with the at least one resource in response to determining
that the at least one watermark template is not associated with the at least one resource; and

adding, using the user device, the first descriptive data from the device profile to the at least one watermark template associated
with the at least one resource;

updating, using the user device, the device profile with second descriptive data describing the user device at a second instance
in time; and

adding, using the user device, the second descriptive data from the device profile to the at least one watermark template
associated with the at least one resource.

US Pat. No. 9,275,245

DATA ACCESS SHARING

AIRWATCH LLC, Atlanta, G...

1. A method comprising:
receiving, in at least one computing device, a request to obtain a plurality of data items contained within a sandbox environment,
wherein data in the sandbox environment is inaccessible to a component that is not authorized to operate within the sandbox
environment, and wherein the plurality of data items comprise at least one of a plurality of calendar events, a plurality
of contacts, a plurality of files, or plurality of messages;

determining, using the at least one computing device, whether access to the plurality of data items is restricted by an access
control policy;

in response to determining that the access to the plurality of data items is restricted by the access control policy, determining,
using the at least one computing device, whether the at least one computing device complies with a plurality of compliance
rules, wherein at least one of the plurality of compliance rules specifies a hardware restriction for the at least one computing
device, and wherein at least one of the plurality of compliance rules specifies a software restriction for the at least one
computing device;

in response to determining that the at least one computing device complies with the plurality of compliance rules, identifying,
using the at least one computing device, at least one data item a portion of the plurality of data items that does not comprise
confidential data; and the access control policy permits the client device to access; and

publishing, using the at least one computing device, the at least one data item that does not comprise the confidential data
to a shared storage space in the at least one computing device.

US Pat. No. 9,940,333

FILE FORMAT BUNDLING

AirWatch LLC, Atlanta, G...

1. A method, comprising:
receiving, at a file service, a request to store a file copy in a content repository, the file copy being associated with a particular file format and file metadata;
generating, at the file service, a plurality of copies in a plurality of file formats based upon the file copy;
generating, at the file service, a manifest file associated with the file copy and the plurality of copies, the manifest file comprising the file metadata and references to the file copy and the plurality of copies;
associating, by the file service, the manifest file, the file copy, and the plurality of copies with a file identifier, wherein the file copy and the plurality of copies are associated with a plurality of client device parameters;
receiving, from a client device, a request for a compatible file copy corresponding to the file identifier;
identifying the compatible file copy based upon a request parameter associated with the request; and
transmitting the compatible file copy corresponding to the file identifier to the client device.

US Pat. No. 9,584,964

ENFORCEMENT OF PROXIMITY BASED POLICIES

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code being configured to allow remote application of a policy
that controls the type of authentication to be used between devices under a device management system, the program code being
executable in a computing device, the program code being configured to cause the computing device to at least:
obtain, remotely at a policy server, a first location indication associated with an anchor device, the first location indication
being at least one of a geographic location or a network location of the anchor device;

obtain, remotely at the policy server, a second location indication associated with a companion device, the second location
indication being at least one of a geographic location or a network location of the companion device;

identify, on the policy server, a policy stored in a data store that associates the anchor device and the companion device,
the policy specifying a security requirement that when the first location and the second location are within a proximity,
the companion device can be accessed using a reduced authentication, and when the first location and the second location are
not within the proximity, the companion device cannot be accessed using the reduced authentication;

determine whether the policy is violated based at least in part upon the first location indication and the second location
indication; and

issue a command to the companion device from the policy server in response to a determination that the policy is violated
based at least in part upon the first location indication and the second location indication, the command requiring that the
companion device be accessed in accordance with the security requirement, wherein the policy server operates as part of the
device management system to vary and control the types of authorization required between a plurality of anchor devices and
companion devices.

US Pat. No. 9,537,842

SECONDARY COMMUNICATIONS CHANNEL FACILITATING DOCUMENT SECURITY

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed
by the computing device, being configured to cause the computing device to at least:
identify a request on behalf of a sending user to transmit a file to a recipient, the request being associated with a primary
communications identifier;

identify a secondary communications identifier associated with the recipient;
identify a security key associated with the file;
transmit the file to the recipient using the primary communications identifier; and
transmit the security key to the recipient using the secondary communications identifier, wherein the secondary communications
identifier associated with the recipient is extracted from a contact entry associated with the recipient from a plurality
of contacts accessible to the computing device.

US Pat. No. 9,535,857

AUTONOMOUS DEVICE INTERACTION

AirWatch LLC, Atlanta, G...

1. A method for providing autonomous device interaction with a peripheral device, comprising:
receiving response configuration information that relates at least one peripheral device with at least one triggering event;
receiving an indication of at least one occurrence of the at least one triggering event associated with the peripheral device;
receiving information regarding the at least one peripheral device;
determining, based at least in part on the information regarding the at least one peripheral device and the response configuration
information, at least one configured responsive action;

performing at least one authorization procedure;
determining, based at least in part on the at least one authorization procedure, whether the at least one configured responsive
action is authorized; and

in an instance in which the at least one configured responsive action is authorized:
causing the at least one configured responsive action to be automatically performed by the peripheral device.

US Pat. No. 9,882,887

SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed
by the client device, being configured to cause the client device to at least:
send an access request to a service provider;
receive a redirection from the service provider to an identity provider;
send an identity assertion request to the identity provider based at least in part on the redirection;
receive a response from the identity provider, the response requesting authentication by a management credential, the management
credential corresponding to a secure certificate or a Kerberos profile;

obtain the management credential from a device management application executed in the client device, wherein the device management
application enforces at least one compliance rule on the client device, a device management service configures the device
management application over a network to enforce the at least one compliance rule, the device management application obtains
the management credential over the network from the device management service, and the device management application is in
an authenticated state with the device management service in order to obtain the management credential;

send data associated with the management credential to the identity provider;
receive an identity assertion from the identity provider based at least in part on the data associated with the management
credential; and

authenticate with the service provider by way of the identity assertion.

US Pat. No. 9,552,463

FUNCTIONALITY WATERMARKING AND MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device that, when
executed, causes the at least one computing device to:
identify a request to establish an association between a watermark template and a function capable of being performed on a
client device, the request being performed by an administrator through a console application, wherein, if associated, the
watermark template is applied to the at least one resource in response to the function being performed on the client device;

determine whether the request to establish the association between the watermark template and the function of the client device
is authorized based at least in part on a role of the administrator complying with at least one compliance rule, the at least
one compliance rule specifying that the administrator has authorization to manage the client device through a mobility management
service; and

responsive to a determination that the request to establish the association between the watermark template with the function
of the client device is authorized, cause an agent application executable on the client device to establish the association
between the watermark template and the function of the client device where the watermark template is applied to the at least
one resource in response to the function being subsequently performed on the client device, wherein applying the watermark
template to the at least one resource comprises causing at least a portion of the watermark template to be overlaid onto at
least one graphical user interface (GUI) associated with the client device.

US Pat. No. 9,446,519

REMOTE TESTING METHOD AND SYSTEM

AirWatch LLC, Atlanta, G...

1. A method for a computing device coupled to a network to facilitate testing of an electronic apparatus with a robot, comprising:
receiving, by the computing device, a Hypertext Transfer Protocol (HTTP) request to control the robot through the network
from an apparatus, which is coupled to the network and physically separate from the computing device;

retrieving, by the computing device, a first command from the HTTP request for the robot;
mapping, by the computing device, the first command to a movement for the robot based on a movement library;
converting, by the computing device, the movement for the robot to a general purpose input/output (GPIO) related signal based
on a GPIO library;

configuring, by the computing device, the robot to physically interface with the electronic apparatus to perform one or more
tests by moving in different axes according to the GPIO related signal; and

in response to a crash to the electronic apparatus caused by the one or more tests, transmitting status of the tests, instead
of one or more images or video clips, indicating the occurrence of the crash and one or more conditions under which the crash
occurred to the apparatus through the network.

US Pat. No. 9,258,301

ADVANCED AUTHENTICATION TECHNIQUES

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving at least one request to access at least one resource;
receiving at least one composite authentication credential, the at least one composite authentication credential comprising
a first credential component and a second credential component, the first credential component comprising a sequential component
indicating an order of input for a plurality of biometric signature elements and the second credential component comprising
the plurality of biometric signature elements;

determining whether the first credential component is valid;
determining whether the second credential component is valid;
permitting, when the first credential component and the second credential component are valid, access to the at least one
resource;

performing, when the first credential component is not valid, a first remedial action; and
performing, when the second credential component is not valid, a second remedial action, the second remedial action preventing
further authentication attempts until at least one alternative authentication credential is validated, wherein the first remedial
action is different from the second remedial action.

US Pat. No. 9,756,141

MEDIA CONTENT CONSUMPTION ANALYTICS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program instructions executable in at least one computing device comprising
at least one hardware processor that, when executed by the at least one computing device, cause the at least one computing
device to:
generate a request for measurement data obtained by a client device during playback of media content;
generate a metric based upon the measurement data received from the client device, the metric indicating a probability that
a user of the client device has watched at least a portion of the media content;

identify a compliance rule associated with the media content, the compliance rule specifying a threshold amount of the media
content required to be consumed for the client device to maintain compliance with a remote management service;

determine that the compliance rule associated with the media content has not been satisfied based at least in part upon the
metric; and

generate an additional request for transmission to the client device in response to the compliance rule not being satisfied,
the additional request causing a client application executable in the client device to perform a remedial action identified
by the additional request.

US Pat. No. 9,544,306

ATTEMPTED SECURITY BREACH REMEDIATION

AirWatch LLC, Atlanta, G...

1. A method for controlling access to a computing device, comprising:
defining, by an enterprise using a remote compliance server, a plurality of geofence boundaries of known suspicious locations;
creating, at the remote compliance server, a plurality of compliance rules that define:
restrictions for authenticating to the computing device within one of the plurality of geofence boundaries; and
restrictions that define a manner in which the computing device must be operated to gain access to resources of the enterprise,
the computing device being a user device;

installing, at the computing device, an agent application configured to monitor operation of the computing device;
receiving, from the compliance server by the agent application executing on the computing device, the plurality of compliance
rules;

receiving information regarding at least one authentication attempt;
determining, using at least one processor, based at least in part on the information regarding the at least one authentication
attempt, whether the at least one authentication attempt comprises a suspected attempted security breach on the computing
device; and

in an instance in which it is determined that the at least one authentication attempt comprises a suspected attempted security
breach:

causing at least one recording to be captured via at least one recording device communicatively coupled to the at least one
processor,

causing at least a portion of the at least one recording to be compared against at least one database, the database comprising
information regarding at least one person,

transmitting a command to the agent application executing on the computing device to turn on a global positioning sensor on
the computing device in response to determining that the at least one authentication attempt comprises a suspected attempted
security breach;

determining whether the computing device is located within one of the defined geofence boundaries identifying a suspicious
location, based on a location of the computing device determined using the global positioning sensor,

transmitting the location of the computing device to the remote compliance server;
locking the computing device and initiating a countdown timer when the comparison indicates a suspected attempted security
breach and when the computing device is within one of the defined geofence boundaries, and

automatically wiping data from the computing device when the countdown timer expires without completing a successful authentication
attempt.

US Pat. No. 9,516,066

RIGHTS MANAGEMENT SERVICES INTEGRATION WITH MOBILE DEVICE MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
generating a restriction on a functionality of a document associated with a sender device, the document being restricted according
to a compliance policy;

transmitting the document to a recipient device;
receiving, in a rights management server, a request to remove the restriction associated with the document, the request being
associated with viewing of the document by the recipient device;

determining, in the rights management server, whether the recipient device complies with the compliance policy based upon
a compliance indication received from a compliance server associated with the recipient device; and

transmitting, from the rights management server, an approval to remove the restriction in response to a determination that
the recipient device complies with the compliance policy.

US Pat. No. 9,917,838

PROVIDING ACCESS TO APPLICATIONS WITH VARYING ENROLLMENT LEVELS

AIRWATCH LLC, Atlanta, G...

1. A method, comprising:
obtaining a request to authenticate a user of a client device based upon user credentials associated with the user;
identifying at least one application for which the user is authorized based upon a user account associated with the user;
identifying an enrollment level associated with the at least one application, the enrollment level requiring an installation
of a management profile on the client device, the installation of the management profile on the client device causing a management
service to be registered as an administrator of the client device, and the registration of the management service as the administrator
of the client device causing the client device to be configured to perform at least one management function upon receiving
a management command received from the management service;

generating a user interface including a notice specifying the user is authorized to access the at least one application in
an instance in which the client device satisfies the enrollment level associated with the at least one application;

generating a user interface including a notice specifying at least one enrollment term associated with the enrollment level
associated with the at least one application;

receiving a request to access an application associated with the enrollment level;
determining that the client device fails to satisfy the enrollment level;
causing the management profile to be transmitted to the client device, wherein the transmission of the management profile
to the client device causes installation of a management component on the client device; and

initiating installation of the application in response to installation of the management component on the client device.

US Pat. No. 9,813,390

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device to ensure security
of email attachments, comprising code that:
accesses an email sent to a client device from at least one email service, the email comprising an email attachment;
identifies a rule associated with the email, the rule specifying that the email attachment must be removed from the email
prior to displaying the email to the recipient;

removes the email attachment from the email in accordance with the rule;
encrypts, without user interaction, the removed email attachment with a cryptographic key accessible to a secure container
application, the secure container application being provided separately from an email application used to access the email;

generates an encrypted email attachment from the email attachment using the cryptographic key accessible to the secure container
application; and

modifies the email to include the encrypted email attachment.

US Pat. No. 9,787,686

ON-DEMAND SECURITY POLICY ACTIVATION

AirWatch LLC, Atlanta, G...

1. A method comprising: receiving, using an email application in at least one mobile computing device, a user selection of
a resource locator displayed in an email message, wherein the resource locator comprises a reference to a resource; determining,
using the at least one mobile computing device, whether the resource locator selected from the email message is associated
with a security policy; and in response to determining that the resource locator is associated with the security policy: activating,
in the at least one mobile computing device, a profile identified by the security policy, wherein the profile specifies that
a secure application is permitted to access the resource referred to by the resource locator; and accessing the resource referred
to by the resource locator using the secure application specified by the profile instead of another application installed
on the mobile computing device.

US Pat. No. 9,705,887

REMOTE PROCESSING OF MOBILE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A method, comprising:
receiving a request to configure a profile associated with a resource;
determining that the request to configure the profile associated with the resource was initiated by an administrative user
of a management service associated with the resource;

receiving an indication of a processing restriction, the processing restriction comprising at least one feature or aspect
of the resource that must be processed remotely from a client device;

receiving an indication of profile criteria, the profile criteria comprising a specification of when the processing restriction
must be enforced, and the specification comprising at least one state of the client device;

causing the profile associated with the resource to be configured based at least in part on the processing restriction and
the profile criteria; and,

causing the profile to be transiently stored in a data store accessible to the management service by causing the profile to
be cleared or overwritten upon the occurrence of a predefined condition, wherein the predefined condition comprises an instance
in which the client device is not enrolled with the management service.

US Pat. No. 9,921,819

PERSISTENT MOBILE DEVICE ENROLLMENT

AirWatch LLC, Atlanta, G...

1. A method for persistently enrolling a client device with a management system, comprising:
determining, by a loader service application installed on a client device, in response to determining that the client device
has been powered on, whether an activator application is installed upon the client device, the activator application being
configured to initiate registration with the management system by obtaining an agent application;

transmitting, from the client device, an indication that the activator application is not installed to a first computing environment
external to the client device and accessible through a network;

obtaining, from the first computing environment, the activator application in response to determining that the activator application
is not installed;

installing, on the client device, the activator application in response to determining that the activator application is not
installed;

determining, by the activator application, whether the agent application is installed on the client device, the agent application
being configured to enroll the client device with the management system; and

obtaining, by the activator application, the agent application from a second computing environment accessible through the
network in response to determining that the agent application is not installed on the client device.

US Pat. No. 9,584,510

IMAGE CAPTURE CHALLENGE ACCESS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device, the program
code being configured to cause the at least one computing device to at least:
issue a request for a user of the at least one computing device to change a physical orientation of the at least one computing
device;

detect a change of the physical orientation of the at least one computing device based at least in part on a physical orientation
of the at least one computing device at a first instance and a physical orientation of the at least one computing device at
a second instance;

capture, during the first instance, with an image sensor, a first reference image including a first plurality of facial fiducial
features and a first field of view, the first reference image being captured based at least in part on a focal point of the
image sensor and an aperture setting associated with the image sensor, and the first reference image comprising a first focus
value associated with each of a plurality of positions within the first field of view;

capture, during the second instance, with the image sensor, a second reference image including a second plurality of facial
fiducial features and a second field of view, the second reference image being captured based at least in part on the focal
point of the image sensor and an adjustment to the aperture setting associated with the image sensor, the second reference
image comprising a second focus value associated with each of a plurality of positions within the second field of view;

determine that the user of the at least one computing device is authorized to access at least one function of the at least
one computing device based at least in part on:

a comparison between the first plurality of facial fiducial features, the second facial fiducial features, and an expected
set of features, the expected set of features being based on at least one of a plurality of facial fiducial features of the
user of the at least one computing device, the physical orientation of the at least one computing device at the first instance,
the physical orientation of the at least one computing device at the second instance, the first field of view, or the second
field of view; and,

a determination that a difference between the first focus value associated with each of the plurality of positions within
the first field of view and the second focus value associated with each of the plurality of positions within the second field
of view is greater than a threshold deviation; and,

enable access to the at least one function of the at least one computing device.

US Pat. No. 9,516,005

INDIVIDUAL-SPECIFIC CONTENT MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving information regarding at least one prerequisite condition relating to at least one individual;
receiving information regarding the at least one individual;
determining, based at least in part on the information regarding the at least one prerequisite condition and the information
regarding the at least one individual, whether the at least one prerequisite condition is satisfied;

causing to be transmitted, individual-specific content associated with the at least one individual, at least a portion of
the individual-specific content comprising protected content that is configured to be unviewable or unmodifiable via at least
one user device;

receiving at least one access credential;
causing, following receiving the at least one access credential and determining that the at least one prerequisite condition
is satisfied, at least a portion of the protected content to be viewable or modifiable via the at least one user device; and

in response to detecting an occurrence of at least one predetermined event occurring after causing the at least a portion
of the protected content to be viewable or modifiable, causing at least a portion of the protected content to again be unviewable
or unmodifiable via the at least one user device.

US Pat. No. 9,825,834

NETWORK SPEED DETECTION

AirWatch LLC, Atlanta, G...

1. A method, comprising:
generating, by a management service, a network testing profile for a client device, the client device enrolled with the management
service as a managed device using a management component installed on the client device and the network testing profile comprising
a network testing schedule;

transmitting, from the management service, the network testing profile to the client device, wherein the testing schedule
specifies a schedule for execution of at least one network test with a particular network testing endpoint;

receiving, in response to transmitting the network testing profile, at least one test result associated with the client device
based upon exchange of at least one test packet with the particular network testing endpoint and the client device;

saving, in a data store in communication with the management service, the at least one test result;
determining, by the management service, that a network speed of a connection between the client device and the particular
network endpoint fails to meet a threshold; and

causing, by the management service, a polling frequency specifying how often the management component is required to check
in with the management service to be modified in response to determining that the network speed of the connection fails to
meet the threshold.

US Pat. No. 9,800,454

FUNCTIONALITY MANAGEMENT VIA APPLICATION MODIFICATION

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving, in a management server, a request to perform an action from an application executed by a client device, the action
comprising a request to communicate with the Internet, wherein the application is configured to redirect the request to the
management server in response to determining that the application is unauthorized to communicate with the Internet;

determining, by the management server, that the action is associated with a metered resource by determining that authorizing
the action would consume at least a portion of the metered resource, wherein the metered resource comprises a data usage quota
associated with communications over the Internet;

in response to determining that the action would consume the metered resource, determining, by the management server, that
the request complies with at least one management policy stored in the management server; and

in response to determining that the request complies with the at least one management policy, authorizing, by the management
server, the request to communicate with the Internet to perform the action.

US Pat. No. 9,559,847

CONTENT ACCESS FOR DURATION OF CALENDAR EVENTS

AirWatch LLC, Atlanta, G...

1. A method for ensuring security of attachments to calendar events transmitted to a plurality of recipients using e-mail,
comprising:
receiving a request to create a calendar event to be distributed by e-mail, the request including a request to attach at least
one document to the calendar event in advance of a time associated with the calendar event;

generating an encryption key pair;
encrypting the at least one document according to the encryption key pair;
establishing an accessible time period associated with the encrypted at least one document, wherein the accessible time period
is associated with the calendar event;

distributing the calendar event, using e-mail and prior to the accessible time period, with an attachment including the encrypted
at least one document to a plurality of users;

prohibiting access to the encrypted at least one document sent using e-mail by the plurality of recipients prior to the accessible
time period;

determining whether a current time falls within the accessible time period; and
in response to determining that the current time falls within the accessible time period, permitting the encrypted at least
one document to be decrypted.

US Pat. No. 9,847,986

APPLICATION PROGRAM AS KEY FOR AUTHORIZING ACCESS TO RESOURCES

AirWatch LLC, Atlanta, G...

1. A method comprising:
determining, in a client device, whether the client device complies with at least one distribution rule associated with at
least one resource;

in response to determining that the client device complies with the at least one distribution rule, transmitting a request
for access to a resource, the request including an indication that the client device complies with the at least one distribution
rule, wherein the distribution rule requires installation of a key application on the client device as a prerequisite to accessing
the resource and the request includes a key application identifier identifying the key application;

authorizing the client device to access the resource; and
in response to receiving the authorization to access the requested resource, accessing the requested resource on the client
device.

US Pat. No. 9,654,463

APPLICATION SPECIFIC CERTIFICATE MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
transmitting a request to generate a security certificate;
determining whether the security certificate has been generated, wherein determining whether the security certificate has
been generated comprises determining whether the security certificate has been stored in a memory cache associated with a
first application, the memory cache comprising an insecure memory cache accessible by a plurality of applications;

in response to determining that the security certificate has been generated:
retrieving the security certificate,
authenticating the security certificate,
deploying the authenticated security certificate,
encrypting a plurality of resources according to the authenticated security certificate, and
transmitting the encrypted plurality of resources to at least one recipient of the deployed authenticated security certificate;
providing a second key certificate to the first application; and
retrieving a private key certificate from the memory cache, wherein the private key certificate is encrypted according to
the second key certificate.

US Pat. No. 10,075,424

APPLICATION AUTHENTICATION WRAPPER

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device comprising a processor, a memory, and a network interface;
an application comprising machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least:
receive a Kerberos authentication request from a Kerberos service executing on the computing device, the Kerberos authentication request specifying an internet protocol (IP) address of the computing device as an address for a Kerberos key distribution center (KDC) service;
encrypt the Kerberos authentication request to generate an encrypted Kerberos authentication request; and
forward the Kerberos encrypted authentication request to a reverse proxy server.

US Pat. No. 10,083,320

DYNAMIC CONTENT REDACTION

Airwatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device, the program code being configured to cause the at least one computing device to at least:
permit access to content in a data file for display on a device;
parse a redaction schema for the data file, the redaction schema identifying at least one range of the content to be concealed for at least one user of the device and at least one other range of content to be concealed according to at least one operating status parameter of the device;
generate a redaction layer for overlay over the content for display based in part on the redaction schema, a user of the device, and an operating status parameter of the device, the redaction layer comprising at least one masking object to conceal one or more ranges of the content from view, the at least one masking object comprising a text indicator that indicates a reason for the at least one masking object;
render the content for display on the device under the redaction layer;
receive a changed operating status parameter of the device;
determine whether to continue to permit access to the data file for display on the device based in part on the changed operating status parameter of the device; and
in response to a determination to continue to permit access, regenerate the redaction layer based in part on the redaction schema and the changed operating status parameter of the device.

US Pat. No. 10,025,612

ENFORCING COMPLIANCE RULES AGAINST HYPERVISOR AND HOST DEVICE USING GUEST MANAGEMENT COMPONENTS

AirWatch LLC, Atlanta, G...

1. A method, comprising:
executing a guest management component in a virtual machine, wherein the virtual machine executes in a host device, the host device executing a host management component;
determining, by the guest management component, whether at least one of a hypervisor or the host device violates the at least one compliance rule based on data regarding a condition of at the least one of the hypervisor or the host device obtained from the host management component;
causing, by the guest management component, the host management component to perform a first action in response to determining that the host device violates the at least one compliance rule, wherein the first action comprises enabling, disabling or uninstalling a non-compliant component or a feature of the non-compliant component of the host device; and
causing, by the guest management component, the guest management component to perform a second action in response to determining that the hypervisor violates the a compliance rule, wherein the second action comprises enabling, disabling or uninstalling a non-compliant component or a feature of the non-compliant component of the hypervisor.

US Pat. No. 9,825,996

RIGHTS MANAGEMENT SERVICES INTEGRATION WITH MOBILE DEVICE MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving an indication that a sender device is only authorized to provide a recipient device with access to a message when
a first compliance rule and a second compliance rule are satisfied, the first compliance rule requiring that at least one
functionality of the document be restricted, and the second compliance rule requiring that the recipient device be configured
to restrict at least one functionality of the recipient device;

identifying a request by the sender device to provide the recipient device with access to the message;
causing a restricted document to be generated by causing the document to be configured to restrict the at least one functionality
of the document;

causing a determination of whether the recipient device is configured to restrict the at least one functionality of the recipient
device; and,

causing the operating system of the recipient device to configure the recipient device to restrict the at least one functionality
of the recipient device when it is determined that the recipient device is not configured to restrict the at least one functionality
of the recipient device.

US Pat. No. 10,021,542

PROVIDING ACCESS TO APPLICATIONS WITH VARYING ENROLLMENT LEVELS

AirWatch LLC, Atlanta, G...

1. A method, comprising:
obtaining a request to access an application on behalf of a user, the request being obtained from a client device associated with the user;
determining that a multi-factor authentication is required in order to access the application;
authenticating the user through the multi-factor authentication;
identifying an enrollment level associated with the application, the enrollment level requiring an installation of a management profile on the client device, the installation of the management profile on the client device causing a management service to be registered as an administrator of the client device, and the registration of the management service as the administrator of the client device causing the client device to be configured to perform at least one management function upon receiving a management command generated by the management service;
determining that a state of the client device does not satisfy the enrollment level associated with the application;
identifying an acceptance by the user of the client device of an installation of the management profile on the client device; and,
causing the management profile to be transmitted to the client device.

US Pat. No. 10,003,670

REMOTE PROVISIONING AND ENROLLMENT OF ENTERPRISE DEVICES WITH ON-PREMISES DOMAIN CONTROLLERS

AIRWATCH LLC, Atlanta, G...

1. A method implemented in a client device for provisioning and enrolling the client device to access enterprise resources within a corporate domain, comprising:
retrieving, by a client device, an enrollment application from a command queue managed by a server, the command queue being associated with the client device;
retrieving certificates and configuration settings for establishing a virtual private network (VPN) connection;
executing the enrollment application to cause the client device to perform the steps of:
modifying a network setting of a network interface card (NIC) of the client device;
establishing the VPN connection with a domain controller located within the corporate domain using the certificate and configuration settings, the domain controller being configured to process login requests to the corporate domain;
transmitting a request over the VPN connection to the domain controller to join the corporate domain, wherein a corporate account in a directory service is established for the client device;
reverting back to the prior network setting of the NIC and terminating the VPN connection; and
rebooting the client device.

US Pat. No. 9,990,222

ENFORCING COMPLIANCE RULES AGAINST HYPERVISOR AND VIRTUAL MACHINE USING HOST MANAGEMENT COMPONENT

AirWatch LLC, Atlanta, G...

1. A method, comprising:
executing a host management component in a host device, the host device in communication with a networked environment, the host device comprising a virtual machine execution environment, wherein the virtual machine execution environment comprises a hypervisor, a virtual machine, and a guest management component in the virtual machine;
obtaining, by the host management component, at least one compliance rule stored on a device in an enterprise computing environment;
determining, by the host management component, whether at least one of the hypervisor or the virtual machine violates the at least one compliance rule based on data regarding a condition of the at least one of the hypervisor or the virtual machine obtained from the guest management component;
causing the host management component to perform a first action in response to determining that at least one of the hypervisor or the virtual machine violates the at least one compliance rule, wherein the first action includes modifying, enabling, disabling or uninstalling a component or a feature of the component of the at least one of the hypervisor or the virtual machine;
determining, by the guest management component, whether the host device violates the at least one compliance rule; and
causing the guest management component to perform a second action on the host device further in response to determining that the host device violates the at least one compliance rule.

US Pat. No. 9,948,632

SHARING DATA BETWEEN SANDBOXED APPLICATIONS WITH CERTIFICATES

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a client device comprising a first application executing in a first sandbox and a second application executing in a second sandbox;
a computing device in data communication with the client device, the computing device comprising a processor and a memory; and
machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least:
receive a request for a certificate from the first application executing in the first sandbox on the client device, the request containing a message generated by the first application to be delivered to the second application executing in the second sandbox on the client device;
generate the certificate;
insert the message into the certificate;
send a response to the client device, wherein the response includes the certificate; and
instruct the client device to store the certificate in a user certificate store or a machine certificate store;
wherein the second client application is configured to cause the client device to parse the certificate to identify the message inserted into the certificate.

US Pat. No. 9,942,242

CONTENT ACCESS FOR DURATION OF CALENDAR EVENTS

AirWatch LLC, Atlanta, G...

1. A system comprising:
a memory store; and
a processor coupled to the memory store, wherein the processor is configured to execute an application comprising:
logic that creates a calendar event associated with a plurality of attendee users,
logic that encrypts a content element associated with the calendar event,
logic that distributes the encrypted content element to each of the plurality of attendee users,
logic that determines whether a current time is within a time period associated with the calendar event, and
in response to determining that the current time is within the time period associated with the calendar event, logic that distributes a decryption key for the encrypted content element to at least one of the plurality of attendee users.

US Pat. No. 9,900,261

SHARED RESOURCE WATERMARKING AND MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
identifying, using a user device, a request to transmit at least one resource;
responsive to the request to transmit the at least one resource, identifying, using the user device, whether at least one
compliance rule specifies that the at least one resource is required to be associated with at least one watermark template
in order for the user device to be authorized to transmit the at least one resource;

responsive to identifying that the at least one compliance rule specifies that the at least one resource is required to be
associated with the at least one watermark template in order for the user device to be authorized to transmit the at least
one resource, identifying, using the user device, whether the at least one watermark template is associated with the at least
one resource; and

responsive to identifying that the at least one watermark template is not associated with the at least one resource:
associating, using the user device, the at least one watermark template with the at least one resource; and
adding, using the user device, data describing the at least one resource to the at least one watermark template.

US Pat. No. 9,571,288

PEER TO PEER ENTERPRISE FILE SHARING

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed
by the client device, being configured to cause the client device to at least:
generate an encrypted file hash based at least in part upon a file hash corresponding to a file, wherein the file and the
file hash corresponding to the file are associated with a file repository;

transmit the encrypted file hash corresponding to the file to a second client device;
receive a second encrypted file hash from the second client device;
verify that the second encrypted file hash was generated based at least in part upon the file hash corresponding to the file;
and

establish a file transfer session with the second client device through which the file may be transferred.

US Pat. No. 10,032,044

MULTI-PARTY AUTHENTICATION AND AUTHORIZATION

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a first client computing device, the program, when executed by the first client computing device, being configured to cause the first client computing device to at least:
receive an access request from a first user to access secured data stored on the first client computing device, wherein the first client computing device has a display, the first user is using the first client computing device by interacting with a user interface rendered on the display, and the first user has access to other data stored on the first client computing device when the access request is received;
determine that an authorization from a second user is required to grant the access request;
send an authorization request to a second client computing device associated with the second user;
receive the authorization by the second user from the second client computing device; and
facilitate access by the first user to the secured data in response to the authorization.

US Pat. No. 9,996,514

DECOUPLING AND RELOCATING BOOKMARKS AND ANNOTATIONS FROM FILES

AIRWATCH LLC, Atlanta, G...

1. A method, comprising:
identifying a data object associated with a file, wherein the data object includes a reference and a characteristic;
determining that a new version of the file is available; and
rendering the new version of the file with the reference based on the characteristic;
identifying a third party reference associated with the file;
determining a text section in the file corresponding to the third party reference;
detecting an edit to the text section; and
generating a warning indicating the text section corresponds to the third party reference.

US Pat. No. 9,917,619

PROVISIONING DEVICES USING NEAR-FIELD COMMUNICATION

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executed by an administrator device configured to facilitate
provisioning of a client device, wherein the program is configured to cause the administrator device to at least:
obtain network configuration parameters for network accessibility of the client device;
obtain an identity of a management component for the client device, wherein the identity of the management component includes
a download location of the management component;

obtain a plurality of enrollment configuration parameters associated with a user; and
initiate a plurality of near field communication (NFC) sessions, wherein the administrator device initiates transmission of
the network configuration parameters, transmission of the download location of the management component, download of the management
component by the client device, and transmission of the enrollment configuration parameters during the plurality of NFC sessions,
wherein a second NFC session is initiated after installation of the management component on the client device in a first NFC
session and the enrollment configuration parameters transmitted in the second NFC session are captured by the management component.

US Pat. No. 9,891,810

COLLABORATION FOR NETWORK-SHARED DOCUMENTS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device comprising
at least one hardware processor, the program code, when executed by the at least one computing device, being configured to
cause the at least one computing device to:
generate a user interface for display on a plurality of client devices, the user interface comprising a user interface component
shown in a region of the user interface corresponding to a file shared among a plurality of client devices on a network, wherein
the user interface component is configured to, when manipulated, cause a display of a communication component in the user
interface that permits a plurality of communications to be generated and shared among the plurality of client devices specific
to the file;

identify an instance of at least one identifier comprising a predefined string of characters used in one of the plurality
of communications made between a first user device and a second user device, the one of the plurality of communications being
specific to the file;

determine, based on the at least one identifier, a task that modifies a permission of a respective one of the plurality of
client devices to access the file, wherein the respective one of the plurality of client devices is identifiable based on
the at least one identifier;

determine that performing the task would comply with at least one compliance rule; and
perform the task in response to the task complying with the at least one compliance rule.

US Pat. No. 9,843,572

DISTRIBUTING AN AUTHENTICATION KEY TO AN APPLICATION INSTALLATION

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed
by the computing device, being configured to cause the computing device to at least:
transmit an identity certificate to a client device, the identity certificate uniquely associated with a user account and
specifying which applications installed on the client device have permission to access the identity certificate, the identity
certificate further being installed as a certificate profile by an operating system executed by the client device;

initiate an installation of an instance of an application on the client device;
receive a request to access content from the instance of the application;
transmit a request for the identity certificate to the client device, wherein the request is intercepted by the operating
system executed by the client device;

receive the identity certificate from the client device;
validate an identity of the user account based upon whether the identity certificate received from the client device matches
the identity certificate transmitted to the client device without first requiring comparison of a username or a password corresponding
to a user;

generate an authentication key in response to validation of the identity of the user account, the authentication key being
associated with the instance of the application; and

transmit the authentication key to the client device to be stored in access-restricted storage such that access by other applications
on the client device is prohibited by the operating system, wherein the instance of the application provides the authentication
key to authenticate the application for access to a network resource without first requiring comparison of the username or
the password corresponding to the user.

US Pat. No. 10,051,045

SEARCHING CONTENT ASSOCIATED WITH MULTIPLE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A system, comprising:
a computing device; and
a search interface component executable by the computing device, wherein the search interface component, when executed by the computing device, is configured to cause the computing device to at least:
obtain a search query from a search component;
validate the search query in response to an authentication of a key associated with the search component;
search a search index for first application content that corresponds to the search query and second application content that corresponds to the search query, wherein the first application content is secured within a first sandbox for a first application and the second application content is secured within a second sandbox for a second application; and
provide at least one search result to the search component based upon the search index, wherein the at least one search result is based at least in part on the first application content that corresponds to the search query or the second application content that corresponds to the search query.

US Pat. No. 10,027,491

CERTIFICATE DISTRIBUTION USING DERIVED CREDENTIALS

AIRWATCH LLC, Atlanta, G...

1. A system for relaying simple certificate enrollment protocol (SCEP) payloads using derived credentials, comprising:
a computing device comprising a processor and a memory; and
an application stored in the memory that, when executed by the processor, causes the computing device to at least:
configure a device profile corresponding to a client device, the device profile comprising a SCEP payload that comprises a first SCEP challenge;
receive an override for the SCEP payload from a broker service, the override comprising a second SCEP challenge that is based at least in part on a user account credential submitted by the client device to the broker service;
create a modified copy of the device profile comprising the override for the SCEP payload; and
send the modified copy of the device profile to the client device.

US Pat. No. 9,917,862

INTEGRATED APPLICATION SCANNING AND MOBILE ENTERPRISE COMPUTING MANAGEMENT SYSTEM

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a server comprising a server processor and a server memory;
a client device in data communication with the server, the client device comprising a client processor and a client memory;
a management service stored in the server memory that, when executed by the server processor, causes the server to at least:
add a first command to a command queue associated with the client device, wherein the first command instructs the client device
to provide a unique device identifier associated with the client device to the management service, wherein the unique device
identifier uniquely identifies the client device with respect to at least one other client device;

receive a first request from the client device for the first command stored in the command queue;
send the first command to the client device;
identify the unique device identifier associated with the client device;
send the unique device identifier to a scanning service;
send a policy linked with the unique device identifier to the scanning service, the policy comprising an identifier of a client
application prohibited on the client device;

receive a notification from the scanning service, the notification comprising the unique device identifier and an indication
that the client application is present on the client device;

add a second command to the command queue, wherein the second command instructs the client device to perform a remedial action
specified by the policy;

receive a second request from the client device for the second command stored in the command queue; and
send the second command to the client device.

US Pat. No. 9,906,510

VIRTUAL CONTENT REPOSITORY

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed
by the computing device, being configured to cause the computing device to at least:
authenticating a request based upon a first authentication credential uniquely associated with a user and an enterprise user
account, the request comprising a storage request to store a file in a virtual content repository associated with the enterprise
user account and being received from a client device;

identify a content repository in which the file should be stored, the identified content repository being independent of the
virtual content repository and associated with a second user account having a second authentication credential uniquely associated
with the user within the identified content repository that is different from the first authentication credential;

generate a programmatic application programming interface (API) call according to an API provided by the identified content
repository to store the file within the identified content repository, the programmatic API call instructing the client device
how to store the file within the identified content repository in a location associated with the second user account corresponding
to the second authentication credential;

transmit the programmatic API call and the second authentication credential to the client device; and
receive an indication that the file has been stored by the client device using the programmatic API call authenticated by
the identified content repository using the transmitted second authentication credential, the indication received from the
client device.

US Pat. No. 9,906,582

CONTENT SNIP CAPTURE AND SHARING

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device, the program
code being configured to cause the at least one computing device to at least:
receive, through a user interface, an identifier of a recipient for a link to a content file;
parse content access metadata of the content file to identify at least one accessible range of the content file for the recipient
and at least one inaccessible range of the content for the recipient based on content access rules for the recipient;

present, in the user interface, an indicator of the at least one accessible range of the content file for the recipient and
an indicator of the at least one inaccessible range of the content file for the recipient;

identify, through the user interface, a selection of a snip of the at least one accessible range of the content file for the
recipient;

generate the link to the content file, the link comprising at least one argument that specifies a start and an end of the
snip of the content file; and

forward the link to the recipient.

US Pat. No. 9,866,569

INDIVIDUAL-SPECIFIC CONTENT MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving information regarding at least one prerequisite condition relating to at least one individual;
receiving information regarding the at least one individual, the information comprising location information specifying a
location associated with the at least one individual;

determining, based at least in part on the information regarding the at least one prerequisite condition and the information
regarding the at least one individual, whether the at least one prerequisite condition is satisfied by at least determining,
based at least in part on the location information, whether the at least one user device is within a predetermined proximity
to the location associated with the at least one individual;

causing to be transmitted, individual-specific content associated with the at least one individual, at least a portion of
the individual-specific content comprising protected content that is configured to be unviewable or unmodifiable using the
at least one user device;

receiving at least one access credential; and
causing, following receiving the at least one access credential and determining that the at least one prerequisite condition
is satisfied, at least a portion of the protected content to be viewable or modifiable using the at least one user device.

US Pat. No. 9,843,563

SECURING RELAYED EMAIL COMMUNICATION

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program,
when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
receive a request to transmit an email message corresponding to a sender associated with a sender mail server to a recipient
associated with a recipient mail server;

determine an identity of the recipient mail server based at least in part upon a domain or an internet protocol (IP) address
of the recipient mail server;

obtain a public encryption key associated with the recipient mail server based at least in part upon the identity of the recipient
mail server;

generate an encrypted payload based at least in part upon the email message using the public encryption key, wherein:
the public encryption key comprises an organizational key associated with a plurality of users having user accounts associated
with the recipient mail server, and

the organizational key is not exclusive to the recipient of the email message.

US Pat. No. 9,819,682

CERTIFICATE BASED PROFILE CONFIRMATION

AirWatch LLC, Atlanta, G...

1. A method for managing a device independent of enrollment with a mobile device management (MDM) service, comprising:
installing a profile in the device, wherein the profile specifies that an application is permitted to execute on the device,
the profile comprises a certificate that uniquely identifies the profile from another profile, the profile is uniquely associated
with the application, and the certificate comprises at least one of a root certificate or an intermediate certificate;

storing the certificate in storage accessible to the device to indicate that the profile is installed in the device and that
the profile is applicable to the device;

receiving, using the device, a request to execute the application on the device;
in response to the request to execute the application, determining, using the device, that the certificate is located in the
storage accessible to the device to verify that the profile that specifies that the application is permitted to execute on
the device is applicable to the device; and

responsive to determining that the certificate is located in the storage accessible to the device, initiating an execution
of the application on the device.

US Pat. No. 9,785,425

MANAGED CLONE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, comprising:
code that receives an application, the application being publicly available via an application distribution environment;
code that generates a managed clone of the application by at least:
generating a different package name for the managed clone of the application, the different package name differing from an
original package name of the application;

adding a management wrapper to the application to enforce a restriction; and
repackaging the application to use the different package name;
code that deploys the managed clone of the application to a mobile client device;
code that instructs the mobile client device executing a single mobile operating system to install the managed clone of the
application on the single mobile operating system, without uninstalling the application from the single mobile operating system;
and

code that instructs the mobile client device on when to switch between executing the application and the managed clone of
the application based on one or more compliance rules established remotely by an administrator and provided to the mobile
client device.

US Pat. No. 10,127,751

CONTROLLING PHYSICAL ACCESS TO SECURE AREAS VIA CLIENT DEVICES IN A NETWORKED ENVIRONMENT

AIRWATCH LLC, Atlanta, G...

1. A method, comprising:
identifying, by a client device, a particular physical access point comprising a physical lock actuator;
identifying, by the client device, at least one authentication credential associated with the client device;
generating, by the client device, a request to cause the physical lock actuator to be in an unlocked state, the request comprising the at least one authentication credential associated with the client device, the request comprising a hardware restriction, the hardware restriction identifying that a hardware feature of the client device is restricted;
transmitting, by the client device, the request to a computing device wherein the computing device returns an access credential to the client device, the access credential comprising a hash of at least one security identifier associated with at least one physical access point comprising the particular physical access point, wherein the computing device returns the access credential based on the authentication credential and the hardware restriction; and
transmitting, by the client device, the access credential to the particular physical access point to actuate the physical lock actuator.

US Pat. No. 9,910,724

FAST AND ACCURATE IDENTIFICATION OF MESSAGE-BASED API CALLS IN APPLICATION BINARIES

AIRWATCH LLC, Atlanta, G...

7. A method, comprising:
obtaining a set of compliance rules from a compliance rule store;
receiving a request to analyze an application;
performing an application analysis by:
obtaining data identifying a plurality of public application programming interface (API) definition,
analyzing binary code of the application and metadata of the application to determine a list of external classes and local
classes used by the application and a list of external methods and local methods called by the application, and

scanning the application to identify at least one public API invoked by the application, wherein the at least one public API
invoked by the application is identified by comparing the list of external classes and local classes used by the application
and the listing of external methods called by the application with the data identifying the plurality of public API definitions;

wrapping the application based at least in part on the application analysis; and
enforcing the set of compliance rules on the application based at least in part on the application analysis.

US Pat. No. 9,875,372

REDACTING RESTRICTED CONTENT IN FILES

AirWatch LLC, Atlanta, G...

1. A method, comprising:
identifying, using a computing device, restricted content of a data file, the data file being stored in a data store associated
with a particular enterprise computing environment;

generating, using the computing device, a redacted version of the data file, the restricted content being omitted from the
redacted version of the data file;

generating, using the computing device, one or more restricted content data files comprising one or more portions of the restricted
content of the data file;

generating, using the computing device, one or more instructions for generating an unredacted version of the data file, the
one or more instructions specifying one or more locations within the redacted version of the data file where the restricted
content should be inserted;

generating, using the computing device, one or more compliance rules specifying when a containerized content application is
authorized to generate the unredacted version of the data file, the one or more compliance rules specifying that a client
device executing the containerized content application must be in communication with a particular local area network that
is managed by the particular enterprise computing environment for the containerized content application to be authorized to
generate the unredacted version of the data file, the containerized content application being configured to restrict a user
of the client device from performing a function of the client device while the unredacted version of the data file is accessed
by the containerized content application, and the function of the client device comprising at least one of: a copy function,
a cut function, or a share function;

storing, using the computing device, the one or more restricted content data files separate from the redacted version of the
data file; and,

providing, using the computing device, the client device with access to at least one of: the one or more restricted content
data files, the redacted version of the data file, the one or more instructions, or the one or more compliance rules.

US Pat. No. 9,721,112

PASSIVE COMPLIANCE VIOLATION NOTIFICATIONS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program
being configured to monitor and restrict usage of a mobile device as part of an enterprise mobility management system, comprising:
code that monitors usage of one or more enterprise applications on the mobile device according to compliance rules established
remotely at the enterprise mobility management system, the compliance rules being defined as one or more policies and sent
to the mobile device from the enterprise mobility management system;

code that determines that a policy violation with respect to use of the mobile device under management by the enterprise mobility
management system has occurred;

code that determines whether the policy violation is a passive violation;
code that causes a user notification of the policy violation to be generated by the mobile device and displayed on a screen
of the mobile device that violated the policy in response to determining that the policy violation is the passive violation;

code that, after causing the user notification to be generated, determines that the policy violation has increased in severity
to an active violation;

code that determines whether an active violation remedial action associated with the active violation can be bypassed;
code that initiates the active violation remedial action in response to determining that the policy violation is the active
violation and cannot be bypassed, the active violation remedial action being defined by the enterprise mobility management
system; and

code that bypasses the active violation remedial action based on a request from the user when the active violation can be
bypassed.

US Pat. No. 9,524,154

METHOD AND SYSTEM FOR IDENTIFYING AND REPLACING SYSTEM CALLS

AirWatch LLC, Atlanta, G...

1. A method for facilitating identifying a system call in an application and replacing the identified system call with a customized
function call, comprising:
upon a launch of the application, loading a hooking and injection manager into a process of the application prior to loading
any modules in the application that make system calls;

executing an executable file of the application, wherein the executable file has been modified to execute the hooking and
injection manager at run time of the application, the hooking and injection manager including an interposition library configured
to replace references to a system call with a respective reference to a customized function; and prior to the application
making the system call:

determining, from a symbol table, symbol table index values corresponding to one or more symbols associated with each system
call in the application;

determining, from an import table, an import table entry storing pointers to each respective system call based on corresponding
symbol table index values;

if the import table is a lazy symbol table, searching through a load command section of an application object file for at
least one load command for a pointer holding an address of an indirect table and the lazy symbol table, wherein the address
of the indirect table is stored in a _lazy_symbol section in the load command section and is associated with an S_RESERVED1
field in the _lazy_symbol_section in the load command section, and waiting until a respective system function call is called
to change the pointers to each respective system call in the lazy symbol table so that the pointers to each respective system
call are updated to indicate an address of the respective customized function call; and

if the import table is a non-lazy symbol table, searching through the load command section of the application object file
for at least one load command for a pointer holding an address of the indirect table and the non-lazy symbol table, wherein
the address of the indirect table is stored in a _non_lazy_symbol section in the load command section and is associated with
an S_RESERVED1 field in the _non_lazy_symbol_section in the load command section, and changing, prior to the application making
the respective system call, the respective pointer to the respective system call in the non-lazy symbol table so that the
respective pointer to the respective system call is updated to indicate the address of the respective customized function
call.

US Pat. No. 10,122,761

DEVICE AUTHENTICATION BASED UPON TUNNEL CLIENT NETWORK REQUESTS

Airwatch LLC, Atlanta, G...

1. A system for authenticating a user and determining a device posture during authentication, comprising:
at least one computing device comprising a processor and a memory; and
an identity provider executable by the at least one computing device, the identity provider causing the at least one computing device to at least:
obtain an authentication request from an authentication proxy, the authentication proxy being received from a tunnel client executed by a client device, the tunnel client terminating a virtual private network (VPN) connection at the authentication proxy, the authentication proxy removing an encryption layer used in the VPN connection, and authentication proxy storing: at least one device identification parameter from the authentication request, and a signature of a certificate used to encrypt the encryption layer;
query the authentication proxy for the at least one device identification parameter associated with the authentication request;
provide the at least one device identification parameter to a management service;
obtain an indication from the management service of whether the client device corresponding to the at least one device identification parameter is compliant with a plurality of compliance rules;
authenticate the authentication request in response to receiving an indication that the client device is compliance with the compliance rules; and
transmit an indication that the authentication request has been authenticated to the client device over the VPN connection.

US Pat. No. 10,116,583

CONTROLLING RESOURCES USED BY COMPUTING DEVICES

AirWatch LLC, Atlanta, G...

1. A method for restricting access to at least one function on client devices while at least one computing device is sharing a resource, comprising:
identifying, by a management application executing on the at least one computing device, a plurality of client devices executing an instance of a client application that are available for management by the management application, the client application being configured to control at least one function of a respective one of the plurality of client devices;
changing, by the management application, a mode of operation of the plurality of client devices that causes at least one common resource shared among the plurality of client devices to be shown in a display of the plurality of client devices;
causing, by the management application, the client application executing on individual ones of the plurality of client devices to restrict access to the at least one function only during a time in which the at least one common resource is shown in the display of the plurality of client devices, wherein the plurality of client devices are configured through communication between the management application and the instance of the client application; and
wherein restricting access to the at least one function comprises at least one of: accessing a device application programming interface (API) of individual ones of the plurality of client device to disable user access to at least one hardware component, accessing the device API to disable user access to at least one software function, and rerouting network traffic through a proxy configured to selectively permit or prevent access to available network resources.

US Pat. No. 10,108,809

APPLYING RIGHTS MANAGEMENT POLICIES TO PROTECTED FILES

AIRWATCH LLC, Atlanta, G...

1. A method, comprising:
receiving, from a client device, a request to obtain a file from a data store on behalf of a user account;
determining that a content policy specifies that the file must be protected at rest on the client device using a first information rights policy;
causing a configuration profile to be installed on the client device, the configuration profile comprising an administrator credential, wherein the administrator credential is accessible by a file management application of the client device, and wherein the administrator credential is inaccessible by a user of the client device;
applying the first information rights policy to the file to generate a protected file, wherein access to the file is permitted based on the administrator credential; and
transmitting the protected file and the content policy to the client device once the first information rights policy is applied to the file, wherein the content policy further specifies a second information rights policy to apply to the file in order to share the file from the client device.

US Pat. No. 9,916,446

ANONYMIZED APPLICATION SCANNING FOR MOBILE DEVICES

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a server comprising a server processor and a server memory;
a client device in data communication with the server, the client device comprising a client processor and a client memory;
a management service stored in the server memory that, when executed by the server processor, causes the server to at least:
add a first command to a command queue associated with the client device, wherein the first command instructs the client device
to provide a list of installed applications to the management service

receive a first request from the client device for the first command stored in the command queue;
send the first command to the client device;
receive the list of installed applications from the client device;
add the list of installed applications to an aggregate listing of applications, wherein the aggregate listing of applications
represents a list of client applications installed on one or more of a plurality of client devices;

send to a scanning service a policy comprising an identifier of a prohibited client application, wherein the presence of the
prohibited client application is prohibited on the client device;

send the aggregate listing of applications to the scanning service;
receive a notification from the scanning service, the notification an indication that the prohibited client application is
present in the aggregate listing of applications;

add a second command to the command queue, wherein the second command instructs the client device to determine whether the
prohibited client application is installed on the client device and to perform a remedial action specified by the policy in
response to determination that the prohibited client application is installed on the client device;

receive a second request from the client device for the second command stored in the command queue; and
send the second command to the client device.

US Pat. No. 9,866,546

SELECTIVELY ENABLING MULTI-FACTOR AUTHENTICATION FOR MANAGED DEVICES

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program,
when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
receive an authentication request for a first client application executed in a managed client device, the authentication request
including a first authentication factor corresponding to a management single sign-on (“SSO”) credential wherein the SSO credential
is downloaded to the managed client device during or after enrollment with a device management service:

determine a version of an operating system of the managed client device;
determine, at an identity provider service separate from the managed client device, whether at least one second authentication
factor should be requested when the version of the operating system corresponds to a particular operating system version;
and in response to determining that the at least one second authentication factor should be requested based on the particular
operating system version:

request the at least one second authentication factor from a second client application;
receive the at least one second authentication factor from the second client application; and
authenticate the first client application in response to verifying the first authentication factor and the at least one second
authentication factor.

US Pat. No. 9,787,655

CONTROLLING ACCESS TO RESOURCES ON A NETWORK

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving, in a proxy server, a request from a client device to access a remote resource, wherein the request comprises a
device identifier and at least one user credential;

determining, by the proxy server, whether the device identifier and the at least one user credential are authentic;
in response to determining that the device identifier and the at least one user credential are authentic, generating, in the
proxy server, a request to authorize the client device;

transmitting, from the proxy server over a network, the request to authorize the client device to a compliance server that
is separate from the proxy server, the compliance server configured to determine whether the client device complies with a
hardware restriction, a software restriction, and a mobile device management restriction, wherein the software restriction
identifies whether the client device is permitted to have screen-capture functionality enabled;

receiving, from the compliance server, an indication of whether the client device is authorized based upon whether the client
device complies with the hardware restriction, the software restriction, and the mobile device management restriction;

in response to determining, based upon the indication, that the client device is authorized to access the remote resource,
associating, by the proxy server, a resource access credential for accessing the remote resource with the client device; and

providing, from the proxy server, the resource access credential to a remote device associated with the remote resource.

US Pat. No. 9,582,672

ENCRYPTED FILE STORAGE

AirWatch LLC, Atlanta, G...

1. A method of storing files that are associated with a user account in at least one cloud data storage provider, comprising:
receiving, at an index server, a request to store a file on behalf of a user associated with the user account in a management
service, the request received from a client device associated with the user account;

identifying, at the index server, a plurality of storage accounts associated with the user account, wherein each of the plurality
of storage accounts are separate from the index server and are associated with a respective cloud data storage provider, the
respective cloud storage provider being accessible to the client device through a network and different from the file index
server;

partitioning, at the index server, the file into a plurality of file partitions;
transmitting, by the index server, each of the plurality of file partitions to at least one of the plurality of storage accounts
for storage in a respective storage location of the cloud data storage provider; and

storing, by the index server, a reference to the respective storage location of each of the plurality of file partitions,
the reference stored in association with the user account, wherein the file is stored such that the reference can be subsequently
retrieved without contacting the cloud data storage provider.

US Pat. No. 9,585,016

DATA COMMUNICATIONS MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
identifying an available wireless network;
determining whether the available wireless network comprises an authorized wireless network that is different from a first
wireless network;

in response to determining that the available wireless network comprises the authorized wireless network:
determining whether a request to communicate with the available wireless network is associated with an elevated priority by
determining that the request comprises a request to check in with a compliance server with which a computing device is enrolled
as a managed device;

initiating a connection with the available wireless network in response to the request being associated with the elevated
priority; and

causing at least one data communication associated with the request to be performed through the authorized wireless network.

US Pat. No. 10,152,383

EXPEDITED DEVICE BACKUP, WIPE, AND ENROLLMENT

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program for performing a criteria-based backup and wipe of enterprise data stored on a client device enrolled with a remote management service, the program, when executed by the client device, being configured to cause the client device to at least:
send a request to a computing device over a network to enroll the client device with the remote management service, wherein the remote management service is executable on the computing device and configured to:
oversee operation of the client device remotely;
maintain a device state of the client device; and
determine that the device state of the client device is not in conformance with at least one compliance rule;
maintain enterprise data and personal data in memory on the client device;
in response to a determination that the device state of the client device is not in conformance with the at least one compliance rule, receive a communication from the remote management service of the computing device that comprises predefined criteria that causes the client device to perform a backup of the enterprise data associated with the predefined criteria and to perform a wipe of the enterprise data associated with the predefined criteria from the client device, wherein the communication is generated by the remote management service in response to:
an enrollment of another client device with the remote management service; or
a number of a plurality of client devices permitted by the remote management service exceeding a predefined threshold, the client device being one of the plurality of client devices;
in response to a determination that the device state of the client device is not in conformance with the at least one compliance rule, place the client device in a locked state during the backup of the enterprise data by disabling at least one hardware function or at least one software function on the client device during the backup;
perform the backup of the enterprise data by communicating the enterprise data maintained in the memory to the remote management service over a network; and
perform the wipe of the enterprise data by removing the enterprise data associated with the predefined criteria specified in the communication from the client device, wherein the personal data not associated with the predefined criteria is retained in the memory of the client device after the wipe.

US Pat. No. 9,923,902

REMOTE PROCESSING OF MOBILE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A method, comprising:
receiving a request by a client device to access a resource;
determining that the client device is authorized to access the resource in an instance in which the client device satisfies
at least one compliance rule associated with the resource;

identifying status information associated with the client device;
determining that the client device satisfies the at least one compliance rule based at least in part on the status information
associated with the client device;

determining that the resource is associated with a profile comprising a processing restriction and profile criteria, the processing
restriction comprising at least one feature or aspect of the resource that must be processed remotely from a client device,
the profile criteria comprising a specification of when the processing restriction must be enforced, and the specification
comprising at least one state of the client device;

causing the resource to be accessible to the client device;
causing the profile associated with the resource to be accessible to the client device;
causing an instance of the resource to be generated;
causing data representative of a user interface of the instance of the resource to be generated; and,
causing the data representative of the user interface of the instance of the resource to be accessible to the client device,
wherein causing the data representative of the user interface of the instance of the resource to be accessible to the client
device comprising storing the data representative of the user interface of the instance of the resource in a command queue
associated with the client device.

US Pat. No. 9,924,026

MANAGING CLASSROOM ATTENDANCE AND STUDENT DEVICE USAGE

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium containing instructions for managing user mobile devices in an environment, the
instructions causing a processor to perform stages including:
receiving, at a teacher device, a session identifier and an associated device identifier, wherein the session identifier specifies
a first session from a plurality of classes assigned to the teacher and the device identifier corresponds to a first user
device of a student enrolled in the first session, wherein a teacher device uses the session identifier and device identifier
to determine which communications to respond to;

receiving, at the teacher device over a peer-to-peer network, a plurality of transmissions including a first transmission
from the first user device, wherein the first transmission includes the session identifier and the device identifier;

determining that the session identifier and device identifier are associated with the first session;
causing a graphical user interface to visually indicate that a user associated with the first user device is present in the
first session and that another user associated with a second user device is absent, wherein the graphical user interface highlights
present and absent users differently;

sending, to a server, a first message to apply a first lock to the first user device; and
sending a second message to remove the first lock from the first user device upon detecting that the first session is dismissed.

US Pat. No. 9,736,171

ANALOG SECURITY FOR DIGITAL DATA

AirWatch LLC, Atlanta, G...

1. A system, comprising:
a computing device comprising a processor and a memory;
an application comprising a set of machine readable instructions stored in the memory that, when executed by the processor,
cause the computing device to at least:

split content into a plurality of framelets, wherein the content comprises an image, and wherein causing the computing device
to split the content into a plurality of framelets comprises causing the computing device to a least:

convert the image into a monochrome image;
divide a black pixel of the monochrome image into a first set of four subpixels;
shade each subpixel in the first set of four subpixels;
assign two of the first set of four subpixels to a corresponding set of subpixels in the first one of the plurality of framelets;
assign two of the first set of four subpixels to a corresponding set of subpixels in the second one of the plurality of framelets;
divide a white pixel of the monochrome image into a second set of four subpixels;
shade two subpixels in the second set of four subpixels to generate a shaded subset of subpixels;
copy the shaded subset of subpixels into the first one of the plurality of framelets; and
copy the shaded subset of subpixels into the second one of the plurality of framelets;
send a first one of the plurality of framelets to a first client device; and
send a second one of the plurality of framelets to a second client device.

US Pat. No. 9,514,078

PERIPHERAL DEVICE MANAGEMENT

AirWatch LLC, Palo Alto,...

1. A method comprising:
receiving, in a compliance server, a request for a user device to access a peripheral device, the request comprising information
regarding the user device, information regarding the peripheral device, and an authentication credential associated with user
data, wherein the request is sent in response to a detection of the user device in proximity to the peripheral device;

determining, in the compliance server, by comparing at least one compliance rule to the information regarding the user device
and the information regarding the peripheral device, whether to grant the request for the user device to access the peripheral
device; and

facilitating, by the compliance server, access to the peripheral device for the user device in response to determining that
the request for the user device to access the peripheral device is granted.

US Pat. No. 10,127,401

REDACTING RESTRICTED CONTENT IN FILES

Airwatch LLC, Atlanta, G...

1. A method, comprising:
identifying, using a computing device, restricted content of a data file, the data file being stored in a data store associated with a particular enterprise computing environment;
generating, using the computing device, a redacted version of the data file, the restricted content being omitted from the redacted version of the data file;
generating, using the computing device, one or more restricted content data files comprising one or more portions of the restricted content of the data file;
generating, using the computing device, one or more instructions for generating an unredacted version of the data file, the one or more instructions specifying one or more locations within the redacted version of the data file where the restricted content should be inserted;
generating, using the computing device, one or more compliance rules specifying when a containerized content application is authorized to generate the unredacted version of the data file, the one or more compliance rules specifying that a client device executing the containerized content application must be in communication with a particular local area network that is managed by the particular enterprise computing environment for the containerized content application to be authorized to generate the unredacted version of the data file, the containerized content application being configured to restrict a user of the client device from performing a function of the client device while the unredacted version of the data file is accessed by the containerized content application, and the function of the client device comprising at least one of:
a copy function, a cut function, or a share function;
storing, using the computing device, the one or more restricted content data files separate from the redacted version of the data file; and
providing, using the computing device, the client device with access to at least one of: the one or more restricted content data files, the redacted version of the data file, the one or more instructions, or the one or more compliance rules.

US Pat. No. 10,129,240

DISTRIBUTING SECURITY CODES THROUGH A RESTRICTED COMMUNICATIONS CHANNEL

Airwatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed by the computing device, being configured to cause the computing device to at least:
initiate enrollment of a client device associated with a user as a managed device with a management service through at least one mobile device management (MDM) application programming interface (API) provided by an operating system of the client device, wherein enrollment comprises authenticating at least one user credential of the user;
cause a management component to be installed on the client device;
establish a restricted communications channel between the computing device and the management component, wherein the restricted communications channel is encrypted using a certificate, the restricted communications channel further comprising an MDM channel established using the MDM API provided by the operating system of the client device;
transmit, through the restricted communications channel, a command causing the client device to install a token application;
cause the client device to install the token application on the client device;
generate a security code on behalf of a user account in response to a request to authenticate the user account, wherein the security code is associated with a one-time password protocol; and
transmit the security code to the token application through the restricted communications channel.

US Pat. No. 10,129,242

MULTI-PERSONA DEVICES AND MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A method comprising:
configuring a first end-user environment in a device, wherein the first end-user environment comprises a first set of compliance policies;
configuring a second end-user environment in the device, wherein the second end-user environment comprises a second set of compliance policies;
causing at least a portion of the first set of compliance policies to be applied to a first data element;
causing at least a portion of the second set of compliance policies to be applied to a second data element;
receiving a request to install an application in the device in the first end-user environment;
in response to receiving the request to install the application, determining that the first set of compliance policies permits the application to be used in the first end-user environment;
in response to determining that the first set of compliance policies permits the application to be used in the first end-user environment:
causing the application to be installed in the device; and
causing the application to be accessible to the first end-user environment;
causing the device to switch from an active use of the first end-user environment to the second end-user environment in response to detecting a trigger event associated with the device;
in response to receiving a request to access a network content repository, facilitating an authentication of the device with the network content repository over a network based at least in part on a credential associated with the second end-user environment in the device; and
determining that communication between the device and the network content repository is permissible based at least in part on the active use of the second end-user environment and the authentication of the credential for the second end-user environment.

US Pat. No. 10,122,577

PRE-POPULATING FIELDS FOR CREATING DYNAMICALLY GENERATED CONFIGURATION PROFILES

AirWatch LLC, Atlanta, G...

1. A system, comprising:
at least one computing device; and
program instructions executable in the at least one computing device that, when executed by the at least one computing device, cause the at least one computing device to:
identify a request to generate a configuration profile, the configuration profile comprising information for configuring at least one client device through interaction with a management service;
identify at least one field for input of a setting used to generate the configuration profile;
query a plurality of existing configuration profiles to identify a plurality of existing settings specified through the at least one field;
determine a score for each of the plurality of existing settings based at least in part on a number of active uses of a corresponding one of the plurality of existing settings in active ones of the plurality of existing configuration profiles;
rank the plurality of existing settings to determine a recommended value for the at least one field based at least in part on the score determined for each of the plurality of existing settings;
generate at least one user interface comprising the at least one field, wherein the at least one field is pre-populated in the at least one user interface to comprise the recommended value as a default value; and
generate the configuration profile for deployment to the at least one client device.

US Pat. No. 10,057,117

SYSTEMS FOR CONFIGURING AND MANAGING CLASSROOM DEVICES

AirWatch LLC, Atlanta, G...

1. A non-transitory, computer-readable medium containing instructions executed by at least one processor to perform stages for configuring user devices in a classroom, the stages comprising:
enrolling first and second pluralities of user devices at a management server, including installing a management agent on the first and second pluralities of user devices;
receiving a first selection on a graphical user interface (“GUI”) of the management server to assign the first plurality of user devices to a first cart and the second plurality of users to a second cart;
receiving a second selection on the GUI to assign the first cart to a first class;
receiving a third selection on the GUI to assign a first application to the first class;
assigning, at the management server, the first application to the first plurality of user devices based on the first cart being assigned to the first class; and
installing the first application on the first plurality of user devices based on communications between the management server and management agent.

US Pat. No. 9,967,287

DETECTION OF OFFLINE ATTEMPTS TO CIRCUMVENT SECURITY POLICIES

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device comprising a processor and a memory;
a first application comprising machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least:
monitor a second application to detect a deletion of a user account initiated locally on the computing device, wherein the user account is associated with an enrollment of the computing device with a management service;
identify data subject to a policy received from the management service;
delete the data from the memory of the computing device; and
report the deletion of the user account to the management service.

US Pat. No. 9,854,030

SEARCHING CONTENT ASSOCIATED WITH MULTIPLE APPLICATIONS

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device; and
a search interface component executable by the computing device, wherein the search interface component, when executed by
the computing device, is configured to cause the computing device to at least:

determine that a communication key has been obtained in the search interface component;
determine that the communication key is authentic;
in response to determining that the communication key has been obtained and the communication key is authentic:
obtain a search query from a search component;
search for first application content that corresponds to the search query, wherein the first application content is secured
by a first sandbox for a first application;

search for second application content that corresponds to the search query, wherein the second application content is secured
by a second sandbox for a second application; and

provide at least one search result to the search component, wherein the at least one search result is based on at least one
of the first application content that corresponds to the search query or the second application content that corresponds to
the search query.

US Pat. No. 10,069,629

CONTROLLED ACCESS TO DATA IN A SANDBOXED ENVIRONMENT

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device comprising an operating system;
a first application executable on the computing device in a first sandbox, wherein the first sandbox is provided by the operating system of the computing device, and the first application, when executed by the computing device, is configured to cause the computing device to at least:
receive a request for access to data using an application programming interface (API) of a sandbox communications framework provided by the operating system, wherein the request is received from a second application executing on the computing device in a second sandbox provided by the operating system, and the data is stored in the first sandbox;
retrieve a key-value pair from an access-restricted data store provided by the operating system, the key-value pair comprising a timestamp and an application identifier, wherein access to the access-restricted data store is restricted to a group of applications that comprises the first application and the second application; and
provide the second application with access to the data using the API of the sandbox communications framework based at least in part on the key-value pair retrieved from the access-restricted data store, wherein the second application is authorized to access the data based at least in part on a determination that the application identifier identifies the second application, and the timestamp specifies a point in time within a predetermined period of time.

US Pat. No. 9,882,850

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AIRWATCH LLC, Atlanta, G...

1. A method for managing access to content by an access control server that determines whether a client can access e-mail
provided by an email server, comprising:
obtaining content for transmission to a client, the content comprising an e-mail message and an attachment to the e-mail message;
determining that access to the content should be restricted to an authorized email client installed on the client;
encrypting the attachment to the e-mail message;
transmitting the attachment to the client; and
transmitting at least one instruction to the authorized email client installed on the client, the at least one instruction
including a key for decrypting the attachment, wherein the key for decrypting the attachment is inaccessible to a native email
client installed on the client.

US Pat. No. 9,853,928

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

AirWatch LLC, Atlanta, G...

1. A method, comprising:
identifying a plurality of email resources associated with a client device;
identifying at least one resource rule that specifies that the client device is only authorized to access the email resources
when a portion of individual ones of the email resources is configured for exclusive access by a secure container application
executable by the client device, wherein the secure container application is configured to prevent performance of at least
one of: a cut function, a copy function, and a screen capture function on the client device;

determining that the email resources do not satisfy the at least one resource rule;
in response to the email resources not satisfying the at least one resource rule:
causing the portion of the individual ones of the email resources to be configured for exclusive access by the secure container
application by encrypting the portion of the individual ones of the email resources using a cryptographic key;

identifying a request by the secure container application executable by the client device to access an encrypted portion of
at least one of the email resources;

providing the cryptographic key to the secure container application on the client device; and
providing the encrypted portion of the at least one of the email resources to the client device for access by the secure container
application.

US Pat. No. 9,819,670

DISTRIBUTING SECURITY CODES THROUGH A RESTRICTED COMMUNICATIONS CHANNEL

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed
by the computing device, being configured to cause the computing device to at least:
initiate enrollment of a client device associated with a user as a managed device with a management service through at least
one mobile device management (MDM) application programming interface (API) provided by an operating system of the client device,
wherein enrollment comprises authenticating at least one user credential of the user;

cause a management component to be installed on the client device, the management component configured to enforce at least
one compliance rule obtained from the management service on the client device;

establish a restricted communications channel between the computing device and the management component, wherein the restricted
communications channel is encrypted using a unique certificate associated with an enterprise, the restricted communications
channel further comprising an MDM channel established using the MDM API provided by the operating system of the client device;

transmit, through the restricted communications channel, a command instructing the client device to download a token application
to the management component;

cause the management component to initiate installation of the token application on the client device;
generate a security code on behalf of a user account in response to a request to authenticate the user account, wherein the
security code is associated with a one-time password protocol; and

transmit the security code to the token application through the restricted communications channel.

US Pat. No. 10,120,988

MANAGING GROUPED STUDENT DEVICES WITH TIMED LOCKS

AIRWATCH LLC, Atlanta, G...

1. A system for teacher-controlled launching of resources on student devices, including:
a teacher device comprising one or more processors and memory;
a management server that enforces management services on a plurality of student devices and the teacher device, wherein a management component is installed on the teacher device and a student device of the plurality of student devices by the management server; and
wherein the teacher device executes the one or more processors and memory to execute a teacher application that performs stages including:
generating a graphical user interface (“GUI”) that lists students in a class associated with the teacher device, wherein the GUI of the teacher device includes a selectable lock profile to apply to student devices, wherein the lock profile automatically updates to new configurations based on upcoming lesson plans;
receiving selections, on the GUI, including:
a first selection of a student associated with the student device by selecting a student icon on the GUI;
a second selection of a managed application for use at the student device by selecting from multiple available applications; and
a third selection of a resource for use with the managed application at the student device, wherein the resource is a file or webpage; and
sending a message to the management component of the student device, wherein the message includes a whitelist of resources that can be accessed by the student device and causes the management component of the student device to:
launch the managed application;
apply a lock that prevents the student device from exiting the managed application, wherein the lock allows use of all the resources in the whitelist while the lock is in place;
allow access to the resource from within the managed application while the lock is in place; and
while the lock is in place, restrict the managed application from accessing other resources presented for selection but unselected at the teacher device as for use with the managed application.

US Pat. No. 9,980,165

VISUAL PRIVACY SYSTEMS FOR ENTERPRISE MOBILITY MANAGEMENT

AirWatch LLC, Atlanta, G...

1. A system for displaying information that a management server can collect from a mobile device, comprising:
a non-transitory, computer-readable medium that contains instructions;
a processor that executes the instructions to perform stages including:
receiving, at the management server, an enrollment request from the mobile device, the enrollment request identifying a user;
determining an ownership status indicating whether the mobile device is a personal device or a corporate device;
based on the user and ownership status, creating a plurality of privacy settings that control the information that the management server can collect from the mobile device;
as part of enrollment at the management server, transmitting, to the mobile device, a privacy component that visually summarizes the information that the management server can collect;
receiving acceptance from the mobile device acknowledging the information that the management server can collect;
after enrollment is complete, applying a privacy modification at the management server to the plurality of privacy settings; and
sending a notice to the privacy component that causes the mobile device to visually display an indication that the privacy modification occurred.

US Pat. No. 9,954,833

MANAGEMENT OF ACCESS SESSIONS

Airwatch LLC, Atlanta, G...

1. A method, comprising:
obtaining a first key and timeout data stored in secured storage of a client device using an application that is signed with a developer certificate, wherein access to the secured storage is restricted based at least in part on the developer certificate;
determining that an access session has expired based on the timeout data;
responsive to determining that the access session has expired, erasing the first key from the secured storage;
generating a second key based at least in part on a user code obtained through a user interface of the application; and
encrypting the second key based at least in part on boot time data that identifies a latest time the client device was booted.

US Pat. No. 9,584,508

PEER TO PEER ENTERPRISE FILE SHARING

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed
by the client device, being configured to cause the client device to at least:
generate a request to obtain an authentication token from an authentication server, the request comprising a file identifier
corresponding to a file associated with a file repository;

obtain an authentication token from the authentication server;
transmit the authentication token to a second client device;
obtain a second authentication token from the second client device;
transmit a request to verify the second authentication token to the authentication server; and
establish a file transfer session with the second client device in response to the authentication server verifying the second
authentication token.

US Pat. No. 10,108,808

DATA ACCESS SHARING

AIRWATCH LLC, Atlanta, G...

1. A computer-implemented method for controlling data security when sharing content between personal and electronic corporate calendars, comprising:
obtaining, using a synchronization service executing on a server, a first calendar event originating from a personal electronic calendar of a first user, the first calendar event including first event details;
displaying the first calendar event and the first event details in a first electronic corporate calendar of the first user, the first electronic corporate calendar executing within a sandboxed environment that restricts export of data to applications executing outside the sandboxed environment;
obtaining, using the synchronization service executing on the server, a second calendar event originating from the first electronic corporate calendar of the first user, the second calendar event including second event details;
displaying the first calendar event on a second electronic corporate calendar for a second user without displaying the first event details;
displaying the second calendar event on the second electronic corporate calendar for the second user;
obtaining, using the synchronization service executing on the server, a third calendar event from the first electronic corporate calendar of the first user, the third calendar event comprising third event details;
providing the third calendar event to the personal electronic calendar of the first user without the third event details, wherein the third event details are omitted automatically by the server based on the third calendar event being provided from a corporate calendar to a personal electronic calendar, without requiring an initial input or selection from the first user and without the first user having to manually remove the third event details;
displaying the third calendar event on the personal electronic calendar of the first user without the third event details; and
restricting transmission of the first calendar event displayed on the second electronic corporate calendar for a second user from the second electronic corporate calendar to a second personal electronic calendar of the second user.

US Pat. No. 10,089,388

OBTAINING SEARCH RESULTS

AIRWATCH LLC, Atlanta, G...

1. A method for obtaining search results in a search client, comprising:
displaying, by a computing device associated with a user and enrolled in a management service that is operated by an enterprise, a plurality of user interface elements on a gesture-enabled input device;
obtaining, in the computing device, a search term from the user in response to the user interacting with at least one of the user interface elements;
transmitting, from the computing device and in response to the gesture-enabled input device detecting a first gesture, the search term to a search engine;
obtaining, in the computing device, a plurality of search results from the search engine, each one of the plurality of search results comprising a representation of a portion of a document file that is within a specified contextual boundary, the search results being based on a role of the user within the enterprise, the role determined by at least one of a job title or calendar data; and
generating, by the computing device, a rendering of the search results that comprises contextual content for the search term.

US Pat. No. 10,068,071

SCREEN SHOT MARKING AND IDENTIFICATION FOR DEVICE SECURITY

AirWatch LLC, Atlanta, G...

15. A system, comprising:
a client device comprising a data store and at least one hardware processor;
program instructions stored in the data store that, when executed by the client device, cause the client device to:
display, by a first client application executing on the client device, a watermark pattern in a portion of a user interface shown in a display of the client device, wherein the watermark pattern is displayed such that the watermark pattern is imperceptible to a user of the client device;
after the watermark pattern is displayed, detect, by the first client application, that a screen capture event has been performed on the client device where a digital image file of a screenshot is generated;
in response to the screen capture event being performed on the client device, send, by the first client application, the digital image file to a remote computing device, wherein the remote computing device is configured to:
determine that the digital image file of the screenshot comprises the watermark pattern; and
analyze the digital image file to determine that a user interface of a second client application is shown in the digital image file;
receive, by the first client application, a response from the remote computing device that indicates that the digital image comprises the watermark pattern and the user interface of the second client application is shown in the digital image file; and
in response to the digital image comprising the watermark pattern and the user interface of the second client application being shown in the digital image file, cause, by the first client application, performance of a remedial action in association with the digital image file.

US Pat. No. 9,979,553

SECURE CERTIFICATE DISTRIBUTION

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device comprising a processor and a memory; and
an application stored in the memory of the computing device that, when executed by the processor of the computing device, causes the computing device to at least:
send a uniform resource locator (URL) and a one-time password to a client device, wherein the URL represents an address from which the client device can request a user certificate with the one-time password and the URL comprises a unique identifier for the client device;
send a certificate for a registration authority to the client device, wherein the certificate comprises a first public key and a first private key;
decrypt a certificate signing request (CSR) received from the client device at the URL, wherein the CSR is encrypted with the first public key;
validate the CSR based at least in part on the URL and the one-time password sent to the client device;
encrypt the user certificate with a second public key provided by the client device;
sign the user certificate with the first private key;
send the user certificate to the client device; and
delete the unique identifier from the memory of the computing device.

US Pat. No. 9,954,930

GENERATING CONTENT FRAGMENTS FOR CONTENT DISTRIBUTION

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed by the computing device, being configured to cause the computing device to at least:
identify a plurality of segments of a content file for storage on a client device;
generate a plurality of content fragments corresponding to the segments of the content file, the plurality of content fragments comprising less than an entirety of the content file;
designate a set of the plurality of content fragments for local storage on the client device and a remainder of the plurality of content fragments for remote storage external to the client device;
generate a manifest file that identifies the segments of the content file, the manifest file further associating the content fragments with a respective one of the segments of the content file and identifying the set of the plurality of content fragments for local storage on the client device and the remainder of the plurality of content fragments for remote storage;
package the content fragments into a content file package; and
transmit the content file package to the client device.

US Pat. No. 9,936,046

SAMPLING FOR CONTENT SELECTION

AIRWATCH LLC, Atlanta, G...

1. A method comprising:
collecting data from a plurality of devices upon respective ones of the plurality of devices individually entering a geographic area, wherein the data comprises content preference data and device data, the content preference data comprising at least one user preference associated with at least one user of at least one of the plurality of devices, and the device data comprising a content viewing history associated with the at least one user;
identifying at least one data trend according to the content preference data and the device data;
selecting at least one content item according to the at least one data trend;
locating an appropriate output device from among a plurality of output devices in the geographic area based upon a location of the appropriate output device relative to locations of at least two of the plurality of devices; and
causing the at least one content item to be provided for output to the appropriate output device.

US Pat. No. 10,142,494

ENFORCEMENT OF COMPLIANCE RULES

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying instructions executable in a client device, the instructions, when executed by the client device, causing the client device to at least:
execute an agent application that instructs the client device to communicate with a server for accessing resources of an enterprise, wherein the server manages functionality of multiple client devices assigned to users of the enterprise;
render a dialer user interface on a display controlled by the client device;
identify, by the agent application, a location of the client device and a network to which the client device is connected;
obtain a request to initiate a call to a contact identifier via the dialer user interface;
determine, by the agent application, whether a compliance rule requires a redirect prompt to be presented on the dialer user interface based on the location of the client device and the network to which the client device is connected, wherein the compliance rule is obtained by the agent application from the server based on a first profile assigned to the client device;
identify a computing device separate from the client device; and
display the redirect prompt on the client device, the redirect prompt requesting an indication from a user of the client device to redirect the call from the client device to the identified computing device.

US Pat. No. 10,129,024

ENCRYPTED FILE STORAGE

AIRWATCH LLC, Atlanta, G...

1. A method of storing files comprising:
sending, to an index server from a file management application on a client device, a request to store a first file on behalf of a user of the client device associated with access credentials of a user account in a cloud data storage provider;
receiving, by the file management application from the index server, a first storage location identified by the index server for the first file at the cloud data storage provider that is different from the index server;
encrypting, by the file management application, the first file based on a first key associated with the first storage location, the first key being different than the access credentials for the cloud data storage provider; and
sending by the file management application an encrypted version of the first file to the identified first storage location at the cloud data storage provider.

US Pat. No. 9,866,589

MANAGEMENT OF ACTIONS INITIATED BY APPLICATIONS IN CLIENT DEVICES

AirWatch LLC, Atlanta, G...

1. A method, comprising:
identifying, using a client device, an action being performed using a first application in the client device, the first application
comprising a first email client and the action comprising text entry into the first application;

determining, using the client device, whether the first application is authorized to be used to perform the action by determining
whether text within the text entry appears within a list of words or phrases that are indicative of enterprise content; and

in response to determining that the first application is not authorized to be used to perform the action, intercepting the
action to cause an email to be sent using the first application that includes the text, initiating, using the client device,
a remedial action, the remedial action comprising at least:

identifying, using the client device, a second application that is authorized to be used to send the email, wherein the second
application comprises a second email client; and

in response to identifying the second application, copying the text into a text entry field within the second application.

US Pat. No. 9,686,287

DELEGATING AUTHORIZATION TO APPLICATIONS ON A CLIENT DEVICE IN A NETWORKED ENVIRONMENT

AirWatch, LLC, Atlanta, ...

1. A non-transitory computer-readable medium for delegating security authorization to an agent application executable on a
computing device embodying program instructions executable in the computing device that, when executed by the computing device,
cause the computing device to:
send, by the agent application executable on the computing device, a request over a network to a remote server requesting
that the agent application be permitted to control access to at least one network resource on behalf of the remote server
for a plurality of managed applications, the request comprising a device profile describing at least one characteristic of
the computing device, the remote server being configured to permit the agent application to control access to the at least
one resource for the plurality of managed applications based at least in part on an analysis of the at least one characteristic
and a compliance rule;

in response to the remote server permitting the agent application to control access to the at least one resource for the plurality
of managed applications, store, by the agent application, an indication that the agent application is authorized to communicate
access credentials to the plurality of managed applications on behalf of the remote server;

determine, by the agent application, that a first one of the plurality of managed applications requires a first access credential;
send, by the agent application, a request for the first access credential to the remote server;
receive, by the agent application, the first access credential from the remote server;
make, by the agent application being in communication with the plurality of managed applications, a determination that a second
one of the plurality of managed applications requires a second access credential; and

in response to the determination that the second one of the managed applications requires the second access credential, receive
the second access credential from the remote server and provide the second access credential to the second one of the plurality
of managed applications.

US Pat. No. 10,021,050

SECURE CONVERSATION AND DOCUMENT BINDER

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
receive a plurality of files for storage in a data store from a plurality of client devices;
make the plurality of files accessible through a network-based file repository as a collection to the plurality of client devices having a client application executing thereon;
identify at least one user-defined message made in a communication window of the client application that pertains to one of the plurality of files;
store the user-defined message in the data store according to a message storage policy;
associate at least a portion of the user-defined message with the one of the plurality of files in the collection;
generate a manifest file that provides access to the portion of the user-defined message and the one of the plurality of files, wherein the manifest file is an extensible markup language (XML) document having data stored in a hierarchical arrangement, the manifest file comprising at least:
a location reference for individual ones of a plurality of files in the collection and the user-defined message stored inline in the XML document; and
an indication that the portion of the user-defined message is associated with the one of the plurality of files in the collection;
receive a request to access the one of the plurality of files in the collection from one of the plurality of client devices; and
in response to the request to access the one of the plurality of files being received:
identify the one of the plurality of files and the user-defined message pertaining to the one of the plurality of files in the collection from the manifest file; and
provide the one of the plurality of files and the user-defined message for display in the client application.

US Pat. No. 9,703,949

TIME-BASED CONFIGURATION PROFILE TOGGLING

AirWatch, LLC, Atlanta, ...

1. A non-transitory computer-readable medium having program instructions stored thereon that, when executed by at least one
computing device, cause the at least one computing device to:
maintain a personal configuration profile and an enterprise configuration profile in memory for a client device in remote
communication with the at least one computing device over a network, wherein the personal configuration profile or the enterprise
configuration profile specifies at least one authorized function that can be performed on the client device in compliance
with a compliance rule in place of an unauthorized function on the client device;

identify that the personal configuration profile is enabled on the client device;
cause the client device to toggle between the personal configuration profile to the enterprise configuration profile by:
determining a current time for the client device;
identifying that the client device is authorized to enable the enterprise configuration profile on the client device based
at least in part on the current time determined for the client device complying with the compliance rule, wherein the compliance
rules specifies at least one time period during which the client device is authorized to enable the enterprise configuration
profile;

in response to the current time associated with the client device complying with the compliance rule, enabling the enterprise
configuration profile on the client device; and

in response to the enterprise configuration profile being enabled on the client device, disabling the personal configuration
profile on the client device.

US Pat. No. 9,311,464

AUTHENTICATION VIA ACCELEROMETER

AirWatch, LLC, Palo Alto...

1. A method for authenticating a user, comprising:
capturing, using at least one sensor of a device:
an authentication movement comprising a plurality of characteristics describing a movement of the device, and
at least one image comprising the user and a field of view of the device;
determining whether the authentication movement comprises an approved movement and whether the at least one image comprises
a facial recognition of the user;

determining whether the authentication movement is correlated with the at least one image, wherein determining whether the
authentication movement is correlated with the at least one image comprises determining whether a position of the user within
the field of view of the device is expected based at least in part on the plurality of characteristics describing the movement
of the device; and,

if the authentication movement comprises an approved movement, the at least one image comprises a verified facial recognition,
and the approved movement is correlated with the at least one image, authenticating the user.

US Pat. No. 10,116,662

ON-DEMAND SECURITY POLICY ACTIVATION

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving, using a first application at a mobile computing device, a user selection of a resource locator, wherein the resource locator comprises a reference to a resource;
determining, using the mobile computing device, whether the selected resource locator is associated with a security policy; and
in response to determining that the resource locator is associated with the security policy:
activating, in the mobile computing device, a profile identified by the security policy, wherein the profile allows access to the resource, referred to by the resource locator and selected using the first application, if the mobile computing device is connected to a Virtual Private Network (VPN) connection;
launching, at the mobile computing device, the VPN connection; and
accessing the resource referred to by the resource locator using the VPN connection.

US Pat. No. 10,104,051

SEARCHING CONTENT ASSOCIATED WITH MULTIPLE APPLICATIONS

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device;
a storage device storing a first application executed on the computing device, wherein the first application causes the computing device to at least:
obtain a search query;
obtain a first search result based upon the search query from a first search component of the first application;
provide a request to a second application executed on the computing device to search for content associated with the second application that corresponds to the search query, wherein the request comprises a key to notify the second application that the first application is authorized to request the second application to search for the content, wherein the second application verifies an authenticity of the key based upon a stored value accessible to the second application;
obtain a second search result from the second application based on the request, the second search result from the second application generated by a second search component of the second application;
present the first search result and the second search result in a user interface for the first application;
search for additional content associated with the first application that corresponds to the search query;
generate an additional search result based on the search query; and
present the additional search result in the user interface for the first application.

US Pat. No. 10,073,720

RESTRICTED APPLICATION VISIBILITY

AIRWATCH, LLC, Atlanta, ...

1. A system, comprising:
a computing device comprising a processor and a memory;
an application hiding service stored in the memory of the computing device that, when executed by the processor of the computing device, causes the computing device to at least:
remove a default launch activity alias for a user application from a manifest file corresponding to the user application, the default launch activity alias comprising a first reference to an application programming interface (API) to initiate execution of the user application; and
a container application stored in the memory of the computing device that, when executed by the processor of the computing device, causes the computing device to at least:
send a message to the application hiding service to remove the default launch activity alias for the user application from the manifest file, wherein the message is sent based on a determination that an identity of a cryptographic key corresponding to a cryptographic signature of the user application matches an identity of an authorized key;
identify, in the manifest file, a container activity alias specified for the user application, wherein the container activity alias comprises a second reference to the API to initiate execution of the user application;
display an application icon representing the user application based at least in part on the container activity alias; and
call the container activity alias for the user application based at least in part on a manipulation of the application icon.

US Pat. No. 9,672,383

FUNCTIONALITY WATERMARKING AND MANAGEMENT

AirWatch, LLC, Atlanta, ...

1. A non-transitory computer-readable medium embodying program code executable in a computing device that, when executed by
the computing device, causes the computing device to:
identify a request to perform a function of the computing device where at least one resource is generated or modified;
query a data store to identify at least one watermark template from a plurality of available watermark templates and a compliance
rule based at least in part on the function of the computing device requested to be performed, the at least one watermark
template comprising a state of a security setting of the computing device;

communicate a device profile describing a current configuration of a plurality of software components executable on the computing
device to a compliance server over a network;

obtain an authorization received from the compliance server authorizing the function to be performed on the computing device,
where the authorization is made by the compliance server in response to a determination that the computing device complies
with the compliance rule indicating that no vulnerability exists on the computing device, wherein the determination is based
at least in part on an analysis of the configuration of the plurality of software components executable on the computing device
and the state of the security setting of the computing device; and

in response to the authorization being obtained from the compliance server, cause the function to be performed on the computing
device, where at least a portion of the at least one watermark template is applied to the at least one resource.

US Pat. No. 10,257,207

MANAGED CLONE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A method comprising:
receiving an application that is publicly available via an application distribution environment, the application being associated with a first icon;
generating a managed clone of the application by:
adding a management wrapper to the application;
generating a badge; and
applying the badge to a second icon associated with the managed clone of the application;
deploying the managed clone of the application to the mobile client device, wherein the managed clone of the application and the application are both installed by the mobile client device, and wherein the mobile client device displays the first icon for the application and the second icon with the badge for the managed clone of the application; and
instructing the mobile client device to automatically launch the application, rather than the managed clone of the application, in response to:
receiving a user selection of the managed clone of the application; and
determining that a compliance rule established remotely by an administrator and provided to the mobile client device prevents launch of the managed clone.

US Pat. No. 10,187,374

MULTI-FACTOR AUTHENTICATION FOR MANAGED APPLICATIONS USING SINGLE SIGN-ON TECHNOLOGY

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
receive an authentication request for a first client application executed in a client device;
receive data generated by a single sign-on credential from the client device as part of a single sign-on process, the single sign-on credential being configured to be used by a plurality of client applications of the client device;
verify the data generated by the single sign-on credential;
determine whether at least one supplementary authentication factor is required from a second client application by:
determining a version of an operating system of the client device; and
determining that the at least one second authentication factor should be requested when the version of the operating system corresponds to a particular operating system version;
when the at least one supplementary authentication factor is required, and prior to sending an authentication token to the first client application:
request the at least one supplementary authentication factor from the second client application;
receive the at least one supplementary authentication factor from the second client application; and
verify the at least one supplementary authentication factor prior to allowing the first client application to be authenticated in the single sign-on process;
in response to verifying the data generated by the single sign-on credential and verifying the at least one supplementary authentication factor from the second client application, generate the authentication token; and
send the authentication token to the first client application.

US Pat. No. 10,187,386

NATIVE ENROLLMENT OF MOBILE DEVICES

AIRWATCH LLC, Atlanta, G...

1. A system for native enrollment of mobile devices, comprising:
a computing device comprising a processor and a memory;
a management service comprising machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least:
receive a first message from a management agent executing on a client device, wherein the first message comprises an enrollment request for the client device;
send a protection agent to the client device in response to receipt of the enrollment request, wherein the protection agent is to be installed on the client device and the protection agent monitors for and prevents attempts to remove or modify the management agent;
receive a second message from the protection agent executing on the client device, wherein the second message comprises an authentication request;
provide authentication credentials to the protection agent executing on the client device in response to the second message;
receive a third message from the protection agent executing on the client device, wherein the third message comprises an enrollment confirmation for the client device;
change an enrollment status of the client device; and
send to the protection agent executing on the client device a policy assigned to the client device, the policy specifying a configuration option of the client device to be enforced during operation of the client device.

US Pat. No. 10,187,425

ISSUING SECURITY COMMANDS TO A CLIENT DEVICE

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in a client device, the program, when executed by the client device, enforces at least one compliance rule to regulate access to e-mail by causing the client device to at least:
configure a mail client executed by the client device to identify a locally addressable network address as a mail server, the locally addressable network address corresponding to a mail proxy executed by the client device;
receive, in the mail proxy, a request to communicate with a remote mail server from the mail client;
determine whether the client device complies with the at least one compliance rule stored on the client device;
in response to determining that the client device complies with the at least one compliance rule, forward the request from the mail client to the remote mail server through a network; and
in response to determining that the client device fails to comply with the at least one compliance rule, cause the mail proxy executed by the client device to perform a security action specified by the at least one compliance rule, wherein the security action comprises issuing a command to the mail client to erase data stored on the client device.

US Pat. No. 10,146,950

SYSTEMS FOR MODULAR DOCUMENT EDITING

AIRWATCH LLC, Atlanta, G...

1. A system for modular document management, the system comprising:
a content server, having a processor and a memory device, that receives a document from a content manager device, the document created by a native application and including a first permission selection associated with a first portion of the document and a second permission selection associated with a second portion of the document, the first and second permission selections being different;
a management server, having a processor and a memory device, for: storing permission controls for a plurality of user devices;
determining that a first user device within the plurality of user devices can access the first portion by associating a permission control for the first user device to the first permission selection;
based on the determination, allowing the first user device access to the first portion; and
instructing a content rendering engine to:
obtain the first portion from the content server;
create a first information bundle that includes:
at least one page identifier corresponding to at least one page of the document;
object information comprising the type and location of at least one object present in the first portion, and
formatting information for the first portion to instruct the first user device to format the first portion for display by a non-native application, based, at least in part, on the at least one page identifier, object information, and formatting information;
send the first information bundle to the first user device in response to the first user device requesting access to the first portion;
obtain a first token from the management server based on the first user device requesting access to the first portion;
create a second token based on the first token received from the management server;
send the second token to the first user device
after sending the first information bundle, receive a resource request from the first user device for a resource identified in the first information bundle, the resource request including the second token; and
send the resource to the first user device.

US Pat. No. 10,135,684

DIFFERENTIAL STAGING OF DEVICES IN BULK ENROLLMENT

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program instructions executable in at least one computing device comprising at least one hardware processor that, when executed by the at least one computing device, cause the at least one computing device to:
detect a network connection event in which a client device establishes a connection with a network device, wherein the at least one computing device is communicatively coupled to the network device;
in response to the client device establishing the connection with the network device, create a thread for a configuration of the client device, wherein the thread is processed by the at least one computing device in parallel with a plurality of other threads created for configuration for a plurality of other devices;
generate, in the thread, a configuration file for the client device that comprises a library of touch events, the library being determined based at least in part on an operating system of the client device, wherein the configuration file comprises executable code operable to call the library to simulate at least one user interface touch event in a user interface shown on the client device to configure the client device in accordance with at least one predefined configuration setting specified in the configuration file;
copy, in the thread, the configuration file from a data store of the at least one computing device to local memory of the client device;
initiate, in the thread, a configuration of the client device by executing the executable code of the configuration file on the client device; and
in response to the configuration of the client device being successfully completed, terminate execution of the thread on the at least one computing device.

US Pat. No. 10,133,682

MANAGING GROUPED STUDENT DEVICES WITH TIMED LOCKS

AIRWATCH LLC, Atlanta, G...

1. A system comprising:
at least one processor; and
at least one non-transitory computer-readable medium including instructions, which when executed by the at least one processor, cause the at least one processor to perform stages including:
executing a calendar application for scheduling future events;
receiving, at the calendar application, a lock request to schedule a lock to be applied to at least one user device, the lock request including at least one user identifier identifying the at least one user device, an asset identifier, and timing information, the lock request identifying a function of the at least one user device to disable while the at least one user device is locked into an asset associated with the asset identifier; and
transmitting the lock request to a management server causing the at least one user device to be locked into the asset associated with the asset identifier for a duration, the duration being based, at least in part, on the timing information.

US Pat. No. 9,665,723

WATERMARKING DETECTION AND MANAGEMENT

AirWatch, LLC, Atlanta, ...

1. A computer-implemented method, comprising:
causing, by a computing device that manages a user device enrolled with a remote service operated through the computing device
through a network, a scan of memory of the user device or a remote storage device to identify at least one resource that has
been made accessible to the user device;

determining, by the computing device, that a watermark template has been applied to the at least one resource, the watermark
template comprising a plurality of data elements, at least a portion of the plurality of data elements added when the at least
one resource was generated or modified, a first one of the plurality of data elements comprising a function performed on the
user device that generated or modified the at least one resource and a second one of the plurality of data elements comprising
a sensitivity level associated with the at least one resource;

in response to a determination that the watermark template has been applied to the at least one resource accessible to the
user device:

identifying, by the computing device, at least one compliance rule according to the watermark template applied to the at least
one resource, wherein the at least one compliance rule requires that the function performed on the user device comply with
the sensitivity level associated with the at least one resource;

determining, by the computing device, that the user device does not comply with the at least one compliance rule in response
to the function identified from the first one of the plurality of data elements not complying with the sensitivity level;
and

in response to the user device not complying with the at least one compliance rule, performing, by the computing device, at
least one remedial action in association with the at least one resource specified by the at least one compliance rule, the
at least one remedial action comprising at least one of:

a denial of access to the at least one resource by the user device,
a removal of the at least one resource from the memory of the user device, or
a removal of the at least one resource from memory of the remote storage device.

US Pat. No. 9,219,741

TIME-BASED CONFIGURATION POLICY TOGGLING

AirWatch, LLC, Atlanta, ...

1. A method comprising:
identifying, by at least one computing device, a personal configuration profile associated with a user device from a memory;
determining, by the at least one computing device, whether the user device is authorized to enable the personal configuration
profile on the user device based at least in part on:

whether a current time associated with the user device complies with a first compliance rule that specifies at least one time
period when the user device is authorized to enable the personal configuration profile on the user device; or

whether a current location associated with the user device complies with a second compliance rule that specifies at least
one location where the user device is authorized to enable the personal configuration profile on the user device; and

in response to a determination that the user device is not authorized to enable the personal configuration profile on the
user device:

disabling, by the at least one computing device, the personal configuration profile on the user device;
identifying, by the at least one computing device, a business configuration profile associated with the user device from the
memory;

determining, by the at least one computing device, whether the user device is authorized to enable the business configuration
profile on the user device based at least in part on:

whether the current time associated with the user device complies with a third compliance rule that specifies at least one
time period when the user device is authorized to enable the business configuration profile on the user device; or

whether the current location associated with the user device complies with a fourth compliance rule that specifies at least
one location where the user device is authorized to enable the business configuration profile on the user device; and

enabling, by the at least one computing device, the business configuration profile on the user device in response to a determination
that the user device is authorized to enable the business configuration profile on the user device based at least in part
on the current time or the current location.

US Pat. No. 10,257,180

SECURELY AUTHORIZING ACCESS TO REMOTE RESOURCES

AirWatch LLC, Atlanta, G...

1. A method for authorizing access to a cloud-based content repository, comprising:
receiving, based on a determination that a mobile device complies with one or more compliance policies provided by a management service, a management identifier;
transmitting an access request including the management identifier to the content repository; and
receiving access to the content repository based on a determination that the management identifier is valid, wherein the step of receiving access to the content repository is preconditioned on bringing the mobile device into compliance with an encryption policy, wherein bringing the mobile device into compliance can include enabling encryption based on a configuration profile from the management service, and wherein the compliance is checked at the time of receiving the access request.

US Pat. No. 10,171,434

MANAGED DEVICE SCATTERNET ADMINISTRATION

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device, the program code being configured to cause the at least one computing device to at least:
receive a network entry request from a client device;
examine a structure of a network to identify an opening for the client device in a network sublayer of the network in response to the network entry request;
transmit network access data to the client device, the network access data comprising a network address of a sublayer propagator device for the network sublayer having the opening;
transmit client admission data to the sublayer propagator device, the client admission data comprising a unique identifier for the client device and a session key for communications with the client device; and
dispatch configuration data for the client device to the sublayer propagator device.

US Pat. No. 9,998,463

PEER TO PEER ENTERPRISE FILE SHARING

AirWatch, LLC, Atlanta, ...

17. A method, comprising:
broadcasting, from a client device, a request to obtain a file, the request broadcasted to at least one second client device accessible through a network;
obtaining, in the client device, a plurality of interrogator responses to the request to obtain the file from the at least one second client device, the plurality of interrogator responses comprising a plurality of status parameters associated with the at least one second client device;
selecting, in the client device, a plurality of sender client devices based upon the plurality of interrogator responses to the request to obtain the file;
authenticating, in the client device, the plurality of sender client devices based at least upon a one-time password generated from a file hash associated with the file, wherein the one-time password is generated by generating the file hash from metadata associated with the file; and
establishing, in the client device, a respective file transfer session with the plurality of sender client devices in response to the authentication of the plurality of sender client devices, wherein each of the plurality of sender client devices transmits a respective portion of the file to the client device.

US Pat. No. 9,705,813

CONTROLLING DISTRIBUTION OF RESOURCES ON A NETWORK

AirWatch, LLC, Atlanta, ...

1. A non-transitory computer-readable medium embodying a program executable in a computing device, the program comprising
code that, when executed by the computing device, causes the computing device to perform a method comprising:
storing a plurality of resources in a data store associated with a distribution service in response to a request from a user
interface to transfer the plurality of resources;

receiving a selection of access rights and a plurality of distribution rules associated with the plurality of resources;
receiving, from a client device, a request to access the plurality of resources hosted by the distribution service;
determining whether a pairing of a user of the client device and the client device is authorized to access the distribution
service based at least in part on the access rights associated with the plurality of resources;

identifying which of a plurality of resource grouping identifiers are associated with the pairing, in response to determining
that the pairing is authorized to access the distribution service;

identifying which of the plurality of resources are associated with the resource grouping identifiers;
identifying which of the plurality of distribution rules are associated with the identified resources, the distribution rules
comprising at least one of a plurality of location rules or a plurality of time rules; and

transmitting the identified resources and the identified distribution rules to the client device, the resources being encrypted
and configured to be exclusively accessible by a containerized client side application using a decryption key while the client
device satisfies the identified distribution rules associated with the resources based on a device profile, wherein the containerized
client side application is configured to prevent access to the identified resources by another application executed by the
client device.

US Pat. No. 9,699,193

ENTERPRISE-SPECIFIC FUNCTIONALITY WATERMARKING AND MANAGEMENT

AirWatch, LLC, Atlanta, ...

1. A non-transitory computer-readable medium embodying program code executable in the at least one computing device that,
when executed by the at least one computing device, causes the at least one computing device to:
receive a request from a client device originated in response to an attempt to perform an enterprise function on the client
device, the request being received from the client device over a network, the enterprise function being associated with a
compliance rule stored remotely from the client device;

identify at least one watermark template from a plurality of available watermark templates based at least in part on the enterprise
function; and

generate a communication that, when received by the client device, causes the client device to:
configure the client device such that, when the enterprise function is performed, the at least one watermark template is added
to the at least one resource generated or modified as a result of the enterprise function being performed;

in response to the enterprise function being performed, identify that a wrapper is acting as a security layer encapsulating
the at least one resource, the wrapper protecting the at least one resource from certain actions being taken on the at least
one resource; and

apply the at least one watermark template to the wrapper encapsulating the at least one resource such that performing the
enterprise function complies with the compliance rule.

US Pat. No. 10,257,067

NETWORK SPEED DETECTION

Airwatch LLC, Atlanta, G...

1. A method, comprising:
generating, by a management service, a network testing profile for a client device, the network testing profile comprising a network testing schedule;
transmitting, from the device management server, the network testing profile to the client device, the network testing profile identifying a testing schedule associated with the client device, the testing schedule specifying a schedule for execution of at least one network test with a particular network testing endpoint;
receiving, in response to transmitting the network testing profile, at least one test result associated with the client device based upon exchange of at least one test packet with the particular network testing endpoint and the client device;
determining, by the management service, that a network speed of a connection between the client device and the particular network endpoint fails to meet a threshold; and
causing, by the management service, an amount of data reported by the management component to the management service to be reduced in response to determining that the network speed of the connection fails to meet the threshold.

US Pat. No. 10,255,092

MANAGED VIRTUAL MACHINE DEPLOYMENT

AirWatch LLC, Atlanta, G...

1. A method, comprising:
obtaining a request to access an application on behalf of a user, the request being obtained from a client device associated with the user;
determining that the client device is required to execute a virtual machine for the application based at least in part on a compliance rule or a comparison of a plurality of compatible operating systems for the application with a host operating system being executed on the client device;
identifying that the virtual machine is not installed in the client device;
determining that a hypervisor associated with the client device is authorized to install the virtual machine;
causing the virtual machine to be installed in the client device by instructing the hypervisor to retrieve a virtual machine package associated with the virtual machine;
generating a virtual machine profile for the virtual machine, the virtual machine profile comprising at least one hardware restriction for the virtual machine according to a compliance rule assigned to the client device, the at least one hardware restriction prohibiting the virtual machine from accessing a storage device attached to the client device; and
installing the virtual machine profile in the client device, wherein installing the virtual machine profile enforces the at least one hardware restriction on the client device.

US Pat. No. 10,229,209

PROVIDING SEARCH RESULTS BASED ON ENTERPRISE DATA

Airwatch LLC, Atlanta, G...

1. A method, comprising:
obtaining, in a server computer, a search term from a client device, wherein the client device is enrolled in a management service managed by an enterprise that operates the server computer, the client device comprising a containerized content application;
identifying, using the server computer, a user associated with the containerized content application;
determining, using the server computer, an authorization for the user;
obtaining, in the server computer, user data that is associated with the user;
obtaining, in the server computer, search index data based on the search term, wherein the search index data specifies a document that contains a particular term associated with the search term, a location for the particular term within content of the document, and a contextual boundary for the particular term within the content, the contextual boundary for the particular term being defined by at least a beginning portion and an ending portion of contextual content within the document proximate to the location for the particular term within the document, wherein the contextual content comprises a sentence, paragraph, or other structural segment of content in which the particular term appears, and the contextual content included in the contextual boundary provides context for the user of the particular term as used in the document;
generating, using the server computer, a search result that is based on the search index data, the user data, and the authorization for the user, the search result including an encoded representation of the content of the document that is within the contextual boundary; and
transmitting, using the server computer, the search result to the client device.

US Pat. No. 10,218,691

SINGLE SIGN-ON FRAMEWORK FOR BROWSER-BASED APPLICATIONS AND NATIVE APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A system for providing a single sign-on capability to at least one application installed on a client device, comprising:
the client device; and
an identity provider application executable by the client device, the identity provider application causing the client device to at least:
register the identity provider application as a local identity provider on the client device using an application programming interface (API) associated with an operating system of the client device, wherein the identity provider application specifies a particular identity provider server address for an identity provider service for which the identity provider application is the local identity provider;
obtain a user credential associated with a user account;
authenticate the user credential for the user account with the identity provider service;
obtain a request to validate an installation of an application installed on the client device based upon the user account;
validate the installation of the application based upon at least one parameter embedded within the request, the installation of the application being validated by extracting a package family name from the request to authenticate the installation of the application, generating a session identifier associated with the request to authenticate the installation of the application and providing the session identifier and an encryption key to the installation of the application;
request an authentication key from the identity provider service; and
provide the authentication key to the application, wherein the application authenticates the user account with the identity provider service using the authentication key.

US Pat. No. 10,200,452

CONTENT SNIP CAPTURE AND SHARING

AIRWATCH LLC, Atlanta, G...

1. A method for content snip capture and sharing, comprising:
presenting an indicator of at least one accessible range of a content file for a recipient and at least one inaccessible range of the content file for the recipient based on content access rules for the recipient;
identifying a selection of a snip within the at least one accessible range of the content file for the recipient;
generating, with the at least one computing device, a copy of the snip of the content file; and
forwarding, with the at least one computing device, the copy of the snip of the content file to the recipient.

US Pat. No. 10,200,489

SECURE DEMAND-DRIVEN FILE DISTRIBUTION

AIRWATCH LLC, Atlanta, G...

1. A system for file distribution, comprising:
a messaging computing device configured to transmit a notification based on a change in content in a distribution network;
a client device configured to receive the notification and transmit a check in request in response to the notification; and
a device services computing device configured to:
receive the check in request from the client device;
transmit a call to a global cache computing device for a path list of one or more of a plurality of cache computing devices in the distribution network for distribution of a file to the client device;
build a markup file including the path list for the file; and
transmit the markup file to the client device in response to the check in request.

US Pat. No. 10,200,529

RESTRICTIONS ON MOBILE DEVICE USAGE WHEN DRIVING A VEHICLE

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device, wherein when executed the program causes the at least one computing device to at least:
determine that a mobile device is in use in a moving vehicle based at least in part on a plurality of global positioning system (GPS) readings of the mobile device that indicate that the mobile device is in motion beyond a first predefined speed;
determine that the mobile device is in use by a driver of the moving vehicle based at least in part on a lack of a fixed gaze by the driver upon the mobile device, the lack of the fixed gaze being detected via a camera of the mobile device;
restrict a functionality of the mobile device based at least in part on determining that the mobile device is in use by the driver of the moving vehicle; and
restore at least a portion of the restricted functionality of the mobile device based at least in part on determining that the moving vehicle is maintaining at least a second predefined speed, the second predefined speed being greater than the first predefined speed.

US Pat. No. 10,198,253

BUNDLE ADMINISTRATION AND MANAGEMENT

AIRWATCH LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying program code executable in at least one computing device, the program code being configured to cause the at least one computing device to at least:
receive a bundle over a computer network;
open the bundle in response to an instruction, the bundle comprising a content file and a manifest to manage access to the content file, the manifest comprising an administration timeframe for the bundle, a pointer to obtain an application to open the content file that is not contained in the bundle, a qualification for installation of the application, and a profile dependency for access to the content file using the application;
evaluate a status of the qualification for installation of the application pursuant to the manifest;
based on the status of the qualification for installation of the application, obtain and install the application for the content file on the at least one computing device with reference to the pointer;
evaluate a status of the profile dependency to determine that at least one user profile is updated after the application is installed on the at least one computing device; and
based on the at least one user profile being updated, open the content file on the at least one computing device using the application.

US Pat. No. 10,194,266

ENFORCEMENT OF PROXIMITY BASED POLICIES

Airwatch LLC, Atlanta, G...

1. A non-transitory, computer-readable medium including instructions that, when executed by a processor of an anchor device, cause the processor to perform stages for providing a user with access to an anchor device using a companion device, the stages comprising:
receiving a request from the companion device to an application installed on the anchor device;
identifying a policy stored in a data store that associates the anchor device and the companion device, wherein the policy is configured at a user interface generated by a management console;
determining, by the application of the anchor device, whether to grant access to the anchor device based at least in part upon the request from the companion device; and
in response to a determination that the policy is not violated, issuing a command from the application, the command providing a user of the companion device with access to the anchor device.

US Pat. No. 10,180,834

PROVISIONING OF APPLICATIONS DEPLOYED ON CLIENT DEVICES

Airwatch LLC, Atlanta, G...

1. A computer-implemented method comprising:
obtaining, by a management service, an application from an application distribution system, the application associated with at least one key-value pair identifying at least one application setting of the application, the at least one application setting comprising a reference to a security certificate and a server address;
defining, by the management service, an application profile associated with the application based upon the at least one key-value pair;
associating, by the management service, the application profile with the application;
obtaining, by the management service, a request to deploy the application to a client device associated with a user;
initiating, by the management service, deployment of the security certificate on the client device, wherein the security certificate uniquely identifies a particular user associated with the application; and
initiating, by the management service, deployment of the application to a particular workspace of the client device, wherein the application is deployed with a parameter identifying the security certificate and a parameter identifying the server address populated within an application setting from the application profile.

US Pat. No. 10,171,502

MANAGED APPLICATIONS

AIRWATCH LLC, Atlanta, G...

1. A method, comprising:
receiving, by a computing device, a managed application package generated by an enterprise computing environment, the managed application package comprising a managed application, a target application, and target application resources for the target application;
executing, by the computing device, the managed application according to the managed application package, the managed application comprising a target application loader;
initiating, by the target application loader of the managed application, an execution of the target application in the computing device according to the managed application package;
intercepting, by the target application loader, a request from the target application for access to the target application resources and returning a path to a storage location on the computing device for the target application resources in response to the request; and
determining, by the managed application, whether the execution of the target application complies with a compliance rule specified remotely by the enterprise computing environment.

US Pat. No. 10,171,448

SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES

AIRWATCH LLC, Atlanta, G...

8. A system, comprising:
at least one computing device comprising a processor and a memory; and
a service provider executable by the at least one computing device, the service provider configured to cause the at least one computing device to at least:
receive an access request from a first client application executed in a client device;
cause a mapping between a predefined scheme name and a second client application to be registered with the client device;
cause the first client application, using a redirection response that redirects the access request to an identity provider, to request an authentication token from the second client application executed in the client device, the authentication token being requested by the first client application using a local uniform resource locator (URL) beginning with the predefined scheme name that is registered with the client device to correspond to the second client application;
receive the authentication token from the first client application; and
authenticate the first client application in response to verifying the authentication token.

US Pat. No. 9,979,728

PEER TO PEER ENTERPRISE FILE SHARING

AirWatch, LLC, Atlanta, ...

17. A method, comprising:
broadcasting, from a client device, a request to obtain a file, the request broadcasted to at least one second client device accessible through a network;
obtaining, in the client device, a plurality of interrogator responses to the request to obtain the file from the at least one second client device, the plurality of interrogator responses comprising a plurality of status parameters associated with the at least one second client device;
selecting, in the client device, a plurality of sender client devices based upon the plurality of interrogator responses to the request to obtain the file;
authenticating, in the client device, the plurality of sender client devices based at least upon a one-time password generated from a file hash associated with the file, wherein the one-time password is generated by generating the file hash from metadata associated with the file; and
establishing, in the client device, a respective file transfer session with the plurality of sender client devices in response to the authentication of the plurality of sender client devices, wherein each of the plurality of sender client devices transmits a respective portion of the file to the client device.

US Pat. No. 9,979,814

DETECTING DRIVING AND MODIFYING ACCESS TO A USER DEVICE

AirWatch, LLC, Atlanta, ...

1. A method for restricting access to an application of a user device while a user is driving, comprising:
enrolling a user device with a management server;
establishing a driving policy to be carried out by a management agent installed on the user device; and
sending a management agent from the management server to the user device, wherein the management agent carries out stages comprising:
detecting, based on information generated by the user device without manual input by the user, that the user is in a vehicle;
in response to detecting that the user is in a vehicle, determining, based on the generated information, whether the user is driving the vehicle; and
in response to determining that the user is driving the vehicle, enforcing the driving policy for the user device,
wherein enforcing the driving policy comprises limiting access to at least one application installed on the user device, and
wherein enforcing the driving policy comprises delaying or modifying notifications generated by the at least one application installed on the user device.

US Pat. No. 10,255,819

SYSTEMS FOR CLASSROOM MEDIA SHARING

AIRWATCH LLC, Atlanta, G...

1. A non-transitory, computer-readable medium containing instructions executed by at least one processor to perform stages for sharing media, the stages comprising:
receiving a message granting a sharing request, the sharing request originating from a sender device and being approved by a moderator device;
receiving a sharing location indicating where the media can be streamed from the sender device;
identifying a plurality of receiver devices associated with an environment common to the sender device and the moderator device;
sending validation criteria and the sharing location to each of the plurality of receiver devices, wherein the validation criteria allows each of the plurality of receiver devices to stream the media from the sender device at the sharing location; and
locking the plurality of receiver devices into the sharing location.

US Pat. No. 10,257,194

DISTRIBUTION OF VARIABLY SECURE RESOURCES IN A NETWORKED ENVIRONMENT

AIRWATCH LLC, Atlanta, G...

1. A method comprising:
receiving a request from an application executing on a client device to access a first set of resources and a second set of resources;
determining that the first set of resources is associated with a first distribution rule that permits the first set of resources being rendered while the client device is not in communication with a distribution service;
determining that the second set of resources is associated with a second distribution rule that prohibits the second set of resources being rendered while the client device is not in communication with the distribution service;
detecting whether the client device is in communication with the distribution service; and
in response to receiving the request and detecting that the client device is not in communication with the distribution service:
denying the application access to the second set of resources according to the second distribution rule; and
permitting the application access to the first set of resources according to the first distribution rule.

US Pat. No. 10,248,305

MANIPULATING DOCUMENTS IN TOUCH SCREEN FILE MANAGEMENT APPLICATIONS

AirWatch LLC, Atlanta, G...

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device comprising at least one hardware processor, the program, when executed by the at least one computing device, being configured to cause the at least one computing device to:
cause active ones of a plurality of files to be shown on a touch screen display of a client device, wherein the active ones of the files are shown in a first region of a user interface of a client application in association with a toggle component;
in an instance in which the toggle component is manipulated, cause a listing of the files to be shown in a second region of the user interface concurrently with the active one of the files shown in the first region;
receive a communication from the client device indicating that a touch input designating a selected one of the files was made on the client device from the second region, wherein the touch input is made by a gesture performed on the touch screen display;
identify a type of the gesture performed on the touch screen display, the type of the gesture being a long press gesture or a short press gesture, the long press gesture or the short press gesture being identified based at least in part on an amount of time the gesture was performed;
in response to the type of the gesture being a long press gesture:
identify the active ones of the files in the first region of the user interface;
generate a spatial arrangement for a subset of the files that comprises the active ones of the files and the selected one of the files, wherein the spatial arrangement comprises a size and a position for individual ones of the files in the subset, wherein the size is determined as a function of a priority determined for the files in the subset using at least one of: a file age, a frequency of access, a favorite file designation, or a required file designation; and
cause the user interface to show the files in the subset simultaneously in the first region of the user interface in accordance with the spatial arrangement; and
in response to the type of the gesture being the short press gesture:
identify the selected one of the files; and
cause the user interface to show only the selected one of the files in the first region of the user interface.

US Pat. No. 10,250,615

ANALOG SECURITY FOR DIGITAL DATA

AIRWATCH LLC, Atlanta, G...

1. A system, comprising:
a computing device comprising a processor and a memory; and
an application comprising a set of machine readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least:
receive encrypted framelet data from a network service in response to a request to view content, the content comprising a plurality of pixels, wherein a respective pixel is divided into a plurality of subpixels;
decrypt the framelet data to generate a first framelet, the first framelet comprising a first subset of the subpixels, wherein the first framelet requires visual alignment with a second framelet to reproduce the content, and a particular shade of the respective pixel is reproduced by the first subset of the subpixels being overlaid with a second subset of the subpixels, the second framelet comprising the second set of the subpixels; and
display the first framelet on the computing device, wherein the second framelet is displayed by a second computing device.