Response generation after distributed monitoring and evaluation of multiple devices
US-2017339178-A1 · Nov 23, 2017 · US
US10122747B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10122747-B2 |
| Application number | US-201715660864-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 26, 2017 |
| Priority date | Dec 6, 2013 |
| Publication date | Nov 6, 2018 |
| Grant date | Nov 6, 2018 |
Official abstract text for this publication.
Data is collected from a set of devices according to a data collection policy. The data is associated with device configuration, device state, or device behavior. A norm is established using the collected data. A different data collection policy is established based on the norm. Data is collected from a particular device according to the different data collection policy. The norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.
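The abstract's loop (collect, establish a norm, derive a different policy, re-collect, compare, respond), as an added example that is not code from the patent. The mean/standard-deviation norm, the coefficient-of-variation rule for deriving the second policy, the z-score threshold, the metric names and the `notify_admin` action label are assumptions chosen for illustration, and the device samples are constructed.

```python
from statistics import mean, pstdev

# Constructed fleet observations gathered under the first policy (all metrics, hourly).
FIRST_POLICY = {"metrics": ["sms_per_hour", "conns_per_hour", "battery_pct_per_hour"],
                "interval_s": 3600}
FLEET = {
    "dev-a": {"sms_per_hour": 2, "conns_per_hour": 40, "battery_pct_per_hour": 4},
    "dev-b": {"sms_per_hour": 3, "conns_per_hour": 44, "battery_pct_per_hour": 9},
    "dev-c": {"sms_per_hour": 2, "conns_per_hour": 38, "battery_pct_per_hour": 1},
    "dev-d": {"sms_per_hour": 3, "conns_per_hour": 42, "battery_pct_per_hour": 12},
}

def establish_norm(fleet, policy):
    """Norm (assumed form): per-metric (mean, population std dev) across the fleet."""
    norm = {}
    for m in policy["metrics"]:
        values = [obs[m] for obs in fleet.values() if m in obs]
        norm[m] = (mean(values), pstdev(values))
    return norm

def derive_policy(norm, max_cv=0.5, interval_s=300):
    """Second policy (assumed rule): keep only metrics whose fleet spread is tight
    (coefficient of variation <= max_cv) and sample them more often."""
    keep = [m for m, (mu, sd) in norm.items() if mu and sd / abs(mu) <= max_cv]
    return {"metrics": sorted(keep), "interval_s": interval_s}

def collect(sample, policy):
    """Apply a collection policy to one device's raw sample."""
    return {m: sample[m] for m in policy["metrics"] if m in sample}

def evaluate(device_id, data, norm, threshold=3.0):
    """Compare device data to the norm; respond when any |z| exceeds the threshold."""
    deviations = {}
    for m, value in data.items():
        mu, sd = norm[m]
        z = (value - mu) / sd if sd else (0.0 if value == mu else float("inf"))
        if abs(z) > threshold:
            deviations[m] = round(z, 2)
    if not deviations:
        return None  # within the threshold deviation: no response
    # Hypothetical response record; the action label is illustrative only.
    return {"device": device_id, "deviations": deviations, "action": "notify_admin"}
```

With this fleet the noisy battery metric is dropped from the second policy, so a device is judged only on the metrics where the fleet norm is tight enough for a deviation to be meaningful.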
Opening claim text (preview).
What is claimed is:
1. A method comprising: at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior; at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices; at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy; at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices; at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data; at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and upon the determination, generating alert information by the server, wherein the alert information when processed causes performance of a first action on the first device.
2. The method of claim 1, wherein the action on the first device comprises: blocking the first device from accessing a service.
3. The method of claim 1, wherein the action on the first device comprises: transmitting to the first device instructions to uninstall an application program on the first device.
4. The method of claim 1, wherein the step of generating an alert further comprises: transmitting a message to an administrator.
5. The method of claim 1, wherein the observation data collected comprises: a first set of observation data associated with an organization and collected from a first subset of the plurality of devices associated with the organization, and a second set of observation data collected from a second subset of the plurality of device not associated with the organization.
6. A method comprising: at a server, based on a first data collection policy, collecting observation data from a plurality of devices, the collected observation data including information associated with at least one of device configuration, device state, and device behavior; at the server, determining a normal pattern of activity occurring on the plurality of devices by processing the collected observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices; at the server, deriving a second data collection policy from the determined normal pattern of activity occurring on the plurality of devices, the second data collection policy being different from the first data collection policy; at the server, based on the derived second data collection policy, collecting first device data from a first device of the plurality of devices; at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined using the first device data; at the server, determining that a deviation between the normal pattern of activity and the first pattern of activity associated with the first device is outside of a threshold deviation; and upon the determination, generating alert information by the server, wherein the alert information when processed causes at least one of: the transmitting by the server of a message to an administrator; the blocking of the first device from accessing a service; and transmitting to the first device instructions to uninstall an application program on the first device.
7. The method of claim 6, wherein the observation data collected comprises: a first set of observation data associated with an organization and collected from a first subset of the plurality of devices associated with the organization, and a second set of observation data collected from a second subset of the plurality of device not associated with the organization.
8. The method of claim 7, wherein: the first device is associated with the organization; and the determining the normal pattern of activity occurring on the plurality of devices by processing the collected observation data comprises processing the collected observation data from the first subset of the plurality of devices and not processing the collected observation data from the second subset of the plurality of devices to determine the normal pattern of activity.
9. A method comprising: at a server, monitoring a plurality of devices for observation data based on a first data monitoring policy, the monitored observation data including information associated with at least one of device configuration, device state, and device behavior; at the server, establishing a normal pattern of activity occurring on the plurality of devices based on the monitored observation data, the normal pattern of activity being associated with at least one of the device configuration, the device state, and the device behavior of the plurality of devices; at the server, deriving a second data monitoring policy from the determined normal pattern of activity occurring on the plurality of devices, the second data monitoring policy being different from the first data monitoring policy; at the server, based on the derived second data monitoring policy, monitoring a first device of the plurality of devices for first device data; at the server, comparing the normal pattern of activity occurring on the plurality of devices with a first pattern of activity occurring on the first device, the first pattern of activity being determined by the monitored first device data; at the server, determining that the first pattern of activity associated with the first device of the plurality of devices is outside of a threshold deviation from the normal pattern of activity; and upon the determination, modifying the second data monitoring policy for monitoring of the first device by the server.
10. The method of claim 9, wherein the step of modifying the second data monitoring policy comprises: increasing the monitoring of the first device.
11. The method of claim 9, wherein the step of modifying the second data monitoring policy comprises: decreasing the monitoring of the first device.
12. The method of claim 9, wherein the normal pattern of activity indicates that a first event occurs during a first context, and the step of determining that activity on the first device is outside the normal pattern of activity comprises: determining that the first event occurred on the first device during a second context, different from the first context.
13. The method of claim 9, wherein the step of determining that the first pattern of activity on the first device is outside the normal pattern of activity comprises: receiving from the first device an indication that a shared library has been loaded on the first device from a memory card.
14. The method of claim 9 comprising: generating a model of characteristics for a specific application program on the plurality of device; and wherein the step of determining that the first patte
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Threshold · CPC title
Error or fault reporting or storing · CPC title
Active monitoring, e.g. heartbeat, ping or trace-route · CPC title
using machine learning or artificial intelligence · CPC title