
US-12621202-B2 - Edge-based unified endpoint management for management continuity


Abstract

The present disclosure relates to fallback management of managed devices using edge management servers that periodically poll a primary management server. If the primary management server becomes unreachable, the edge management servers can assume management of their assigned population of managed devices, and hand it back once the primary is reachable again.

Inventors

  • Rohit Pradeep Shetty
  • Ramanandan Nambannor Kunnath
  • Madhavan Kara Bhattathiri
  • Erich Stuntebeck

Assignees

  • OMNISSA, LLC

Dates

Publication Date
2026-05-05
Application Date
2024-03-15
Priority Date
2023-09-29

Claims (18)

  1. A computer system comprising: a management computer including a processor and memory; and a plurality of edge management computers each including a processor and memory, wherein the management computer is configured to execute instructions stored in the memory of the management computer to execute a management service, including performing the following steps: identify the edge management computers, which are executing an edge management service; identify a population of managed devices configured to be remotely managed by the management service; and assign each of the managed devices to a respective one of the edge management computers based upon at least one proximity factor, and wherein the edge management computers are configured to execute instructions stored in the memory of the edge management computers to execute the edge management service, including performing the following steps: synchronize data corresponding to respective managed devices with the management service; periodically poll the management service to determine whether the management service is unreachable over a network connection between the edge management computers and the management computer; and in response to determining that the management service is unreachable over the network connection, assume management of the managed devices, including instructing each of the managed devices to communicate with a respective one of the edge management computers.
  2. The computer system of claim 1, wherein the at least one proximity factor comprises locations assigned to users of the managed devices.
  3. The computer system of claim 1, wherein the management service assigns each of the managed devices to a respective one of the edge management computers based upon a geographic proximity to the respective one of the edge management computers.
  4. The computer system of claim 1, wherein the edge management service determines that the management service is unreachable over the network connection for a predetermined period of time, and the edge management service further redirects the managed devices to the management service in response to the management service becoming reachable over the network connection.
  5. The computer system of claim 4, wherein upon assuming management of the managed devices, the edge management computers communicate with the managed devices over hypertext transfer protocol (HTTP) channels or short-range communication channels.
  6. The computer system of claim 4, wherein the edge management service synchronizes device data and user data with the management service during a period of time in which the edge management service assumes management of the managed devices.
  7. A method, comprising: identifying, by a management computer, a plurality of edge management computers executing an edge management service; identifying, by the management computer, a population of managed devices configured to be remotely managed by a management service running on the management computer; assigning each of the managed devices to a respective one of the edge management computers based upon at least one proximity factor; synchronizing, by the edge management computers, data corresponding to respective managed devices with the management service; periodically polling, by the edge management computers, the management service to determine whether the management service is unreachable over a network connection between the edge management computers and the management computer; and in response to determining that the management service is unreachable over the network connection, assuming, by the edge management computers, management of the managed devices, including instructing each of the managed devices to communicate with a respective one of the edge management computers.
  8. The method of claim 7, wherein the at least one proximity factor comprises locations assigned to users of the managed devices.
  9. The method of claim 7, further comprising: assigning, by the management computer, each of the managed devices to a respective one of the edge management computers based upon a geographic proximity to the respective one of the edge management computers.
  10. The method of claim 7, further comprising: determining, by the edge management computers, that the management service is unreachable over the network connection for a predetermined period of time; and redirecting, by the edge management computers, the managed devices to the management service in response to the management service becoming reachable over the network connection.
  11. The method of claim 10, further comprising: upon assuming management of the managed devices, communicating, by the edge management computers with the managed devices, over hypertext transfer protocol (HTTP) channels or short-range communication channels.
  12. The method of claim 10, further comprising: synchronizing, by the edge management computers, device data and user data with the management service during a period of time in which the edge management service assumes management of the managed devices.
  13. One or more non-transitory computer-readable media embodying program instructions that, when executed, cause a management computer and a plurality of edge management computers to at least: identify the edge management computers, which are executing an edge management service; identify a population of managed devices configured to be remotely managed by a management service; assign each of the managed devices to a respective one of the edge management computers based upon at least one proximity factor; synchronize, by the edge management computers, data corresponding to respective managed devices with the management service; periodically poll the management service to determine whether the management service is unreachable over a network connection between the edge management computers and the management computer; and in response to determining that the management service is unreachable over the network connection, assume management of the managed devices by the edge management computers, including instructing each of the managed devices to communicate with a respective one of the edge management computers.
  14. The one or more non-transitory computer-readable media of claim 13, wherein the at least one proximity factor comprises locations assigned to users of the managed devices.
  15. The one or more non-transitory computer-readable media of claim 13, wherein the management service assigns each of the managed devices to a respective one of the edge management computers based upon a geographic proximity to the respective one of the edge management computers.
  16. The one or more non-transitory computer-readable media of claim 13, wherein the edge management service determines that the management service is unreachable over the network connection for a predetermined period of time, and the edge management service further redirects the managed devices to the management service in response to the management service becoming reachable over the network connection.
  17. The one or more non-transitory computer-readable media of claim 16, wherein upon assuming management of the managed devices, the edge management computers communicate with the managed devices over hypertext transfer protocol (HTTP) channels or short-range communication channels.
  18. The one or more non-transitory computer-readable media of claim 16, wherein the edge management service synchronizes device data and user data with the management service during a period of time in which the edge management service assumes management of the managed devices.
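The failover loop that claims 1, 4 and 6 describe (proximity-based assignment, periodic polling of the primary, a predetermined outage period before the edge assumes management, local check-ins queued for later synchronization, and a redirect back once the primary is reachable) is simulated below. This is an added example written for this page, not code from the patent or from Omnissa. Everything in it is an assumption for illustration: the 90-second threshold, the haversine nearest-edge rule, the hostnames, and in particular the HMAC-signed redirect instruction, which the claims do not mention but which a practitioner would insist on, since an unauthenticated "talk to this edge server instead" message sent over the HTTP channel of claim 5 would let anyone who can cut the primary's link steer devices to a server of their choosing. The probe is a stand-in for a real health check so the simulation runs offline.

```python
import hashlib
import hmac
import json
import math
from dataclasses import dataclass, field
from typing import Optional

# Assumed for this example: the primary provisions a per-edge redirect key during sync,
# and devices hold the same key so they can verify redirect instructions.

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assign_by_proximity(devices, edges):
    """Management-service step (claims 1-3): map each device to the edge nearest the
    location assigned to its user. devices/edges: id -> (lat, lon)."""
    return {dev_id: min(edges, key=lambda e: haversine_km(loc, edges[e]))
            for dev_id, loc in devices.items()}

@dataclass
class EdgeServer:
    edge_id: str
    primary_url: str
    edge_url: str
    redirect_key: bytes                  # assumed: provisioned by the primary during sync
    unreachable_after: float = 90.0      # the "predetermined period" in seconds (assumed value)
    devices: dict = field(default_factory=dict)
    first_failure_at: Optional[float] = None
    managing: bool = False
    pending_sync: list = field(default_factory=list)

    def sync_from_primary(self, snapshot):
        """Normal operation: mirror device/user data pushed by the management service."""
        self.devices.update(snapshot)

    def sign_redirect(self, device_id, target):
        """Per-device instruction 'communicate with <target>', bound to the device and MACed."""
        payload = json.dumps({"device": device_id, "target": target, "issued_by": self.edge_id},
                             sort_keys=True).encode()
        return payload, hmac.new(self.redirect_key, payload, hashlib.sha256).hexdigest()

    def poll(self, probe, now):
        """One polling tick. probe(url) -> True if the primary answered. Returns
        (state, redirect instructions issued, queued check-ins to sync back)."""
        if probe(self.primary_url):
            self.first_failure_at = None
            if self.managing:                      # claim 4: primary is back, hand devices back
                self.managing = False
                queued, self.pending_sync = self.pending_sync, []
                return "redirect_to_primary", [self.sign_redirect(d, self.primary_url) for d in self.devices], queued
            return "primary_ok", [], []
        if self.first_failure_at is None:          # start the outage clock on the first miss
            self.first_failure_at = now
        if self.managing:
            return "managing", [], []
        if now - self.first_failure_at >= self.unreachable_after:   # claim 4 threshold reached
            self.managing = True
            return "assume_management", [self.sign_redirect(d, self.edge_url) for d in self.devices], []
        return "waiting", [], []                   # transient miss: do not fail over yet

    def checkin(self, device_id, status):
        """While managing, accept device check-ins locally and queue them (claim 6)."""
        if not self.managing:
            raise RuntimeError("devices check in with the primary while it is reachable")
        self.devices.setdefault(device_id, {}).update(status)
        self.pending_sync.append((device_id, dict(status)))
        return "accepted"

def device_accepts_redirect(key, payload, tag, expected_device):
    """Device side: honour a redirect only if the MAC verifies and it names this device."""
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), tag):
        return None
    msg = json.loads(payload)
    return msg["target"] if msg["device"] == expected_device else None

def simulate(down_from=30.0, down_until=200.0, step=30.0, horizon=240.0):
    """Scripted outage: primary reachable except for down_from <= t < down_until."""
    key = b"example-key-provisioned-during-sync"   # constructed
    edge = EdgeServer("edge-eu", "https://uem.example.internal", "https://edge-eu.example.internal", key)
    edge.sync_from_primary({"laptop-1": {"os": "14.2"}, "tablet-3": {"os": "17.1"}})  # constructed snapshot
    transcript, t = [], 0.0
    while t < horizon:
        probe = lambda url, t=t: not (down_from <= t < down_until)   # stands in for an HTTP health check
        state, redirects, queued = edge.poll(probe, t)
        transcript.append((int(t), state, len(redirects), len(queued)))
        if state == "assume_management":
            # every device verifies its signed instruction before switching, then checks in with the edge
            if not all(device_accepts_redirect(key, p, tag, json.loads(p)["device"]) == edge.edge_url
                       for p, tag in redirects):
                raise RuntimeError("redirect rejected")
            edge.checkin("laptop-1", {"os": "14.3"})
        t += step
    return transcript

if __name__ == "__main__":
    for row in simulate():
        print(row)
```

Three design points carry over to a real deployment. The edge does not fail over on a single missed poll; it waits out the predetermined period so that a brief network blip does not trigger a mass redirect. The redirect is bound to the device identifier and to the issuing edge and is verified with a constant-time comparison, so a captured instruction cannot be replayed to a different device or forged by a third party. Check-ins accepted during the outage are queued rather than discarded, and the queue is returned to the caller on the tick that hands devices back, which is the point at which they should be synchronized to the primary.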

Description

CROSS-REFERENCES

This application claims the benefit of Indian Patent Application No. 202341065760, entitled "EDGE-BASED UNIFIED ENDPOINT MANAGEMENT FOR MANAGEMENT CONTINUITY," filed on Sep. 29, 2023, which is hereby incorporated by reference in its entirety.

BACKGROUND

In an enterprise environment, users often use multiple devices for various purposes. For example, a user might have a laptop, a tablet, a phone, and potentially other devices that are used to access enterprise resources. Information technology administrators can use a management framework that allows user devices to be enrolled with a management service that enforces enterprise security and compliance policies. The management service can also deliver software updates and patches to the enrolled devices in support of information security and compliance priorities. In some cases the management service might be offline for extended periods, during which devices are unable to obtain management commands or other data from it. While offline, the management service cannot deliver updates, management commands, or other data to managed devices, leaving the devices in a potentially compromised state for the duration of the outage.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the embodiments and the advantages thereof, reference is now made to the following description, in conjunction with the accompanying figures briefly described as follows:

FIG. 1 shows an example of a networked environment 100 according to various embodiments of the present disclosure.

FIG. 2 shows sequence diagrams that provide examples of functionality implemented by components of the networked environment, according to various embodiments of the present disclosure.

FIG. 3 shows a flowchart that provides an example of a portion of the operation of the networked environment, according to various embodiments of the present disclosure.

DETAILED DESCRIPTION

The present disclosure relates to providing edge-based unified endpoint management servers to facilitate management of managed devices by a management service. Users in an enterprise environment can have multiple devices that are enrolled as managed devices. For example, a user might have a tablet device, a laptop computer, a smartphone, a wearable device, and potentially other devices that are enrolled with the management service. The devices can be managed by a management service that is tasked with deploying security policies, security keys or certificates, and software updates, and with enforcing other enterprise policies on a client device as specified by administrators of the management service.

To manage devices effectively, the management service often relies upon device "check-ins," whereby managed devices, or a component installed or running on a managed device, periodically report device status information to the management service. These device check-ins can also be referred to as device heartbeat data. A device check-in can take the form of a device identifier along with device status information that the management service monitors, such as operating system version, network address, geolocation data, and other data from which the management service can determine whether any action needs to be taken on the device. In response to receiving a device check-in, the management service can determine whether updates to policies or software on the managed device are needed and respond to the managed device with the updates or policies. Alternatively, the management service can respond with instructions on where and how a management component on the client device can retrieve a software update, or on which modifications the management component should make to the client device's configuration.

The management service, and the server or cluster powering its operation, has become a central point of command for enterprises to remotely manage devices, continuously check device compliance, push down management policies, obtain device state information from managed devices, and perform other management tasks. It is not just end user devices that are susceptible to attacks; previously secure server instances are as well. Thus, if the UEM server or its services go down or become unreachable, the whole of the WS1 ecosystem and its functionality are adversely impacted. This affects not only enterprise security but also business continuity, since access to apps, documents and devices might no longer be available to employees. A server or cluster of servers powering the management service might also become inaccessible due to network or other technical issues, which could impact the ability of managed devices to obtain or report critical data, such as device state information, m