Policy-based secure containers for multiple enterprise applications

The invention claimed is: 1. A client compute device comprising: trust agent circuitry to send device attribute information to an enterprise policy server, the device attribute information indicative of at least one of a hardware component of the client compute device or a software environment of the client compute device; and security management circuitry to: receive, from the enterprise policy server, an enterprise application, wherein the enterprise application is to access enterprise data; receive a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; construct a secure container on the client compute device; and add the enterprise application to the secure container, wherein the secure container is to enforce the security policy while the enterprise application is executed on the client compute device. 2. The client compute device of claim 1 , wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device. 3. The client compute device of claim 1 , further including a security processor, wherein the security processor is a trusted hardware component. 4. The client compute device of claim 1 , wherein to enforce the security policy, the secure container to disallow cut and paste for the enterprise application. 5. The client compute device of claim 1 , wherein the set of rules for control of behavior of the enterprise application includes a rule indicating whether to allow access to one or more network connections. 6. The client compute device of claim 1 , wherein the device attribute information includes a device-specific unique identifier. 7. A client compute device comprising: one or more processors; one or more storage devices including a plurality of instructions that, when executed by the one or more processors, cause the client compute device to: send device attribute information to an enterprise policy server, the device attribute information indicative of a hardware component of the client compute device or a software environment of the client compute device; access an enterprise application received from the enterprise policy server, wherein the enterprise application is to access enterprise data; receive a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; construct a secure container on the client compute device; add the enterprise application to the secure container; and configure the secure container to enforce the security policy while the enterprise application is executed on the client compute device. 8. The client compute device of claim 7 , wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device. 9. The client compute device of claim 7 , further including a security processor, wherein the security processor is a trusted hardware component. 10. The client compute device of claim 7 , wherein the instructions, when executed, cause the client compute device to disallow cut and paste for the enterprise application in order to enforce the security policy. 11. The client compute device of claim 7 , wherein the set of rules for control of behavior of the enterprise application include a rule indicating whether to allow access to one or more network connections. 12. The client compute device of claim 7 , wherein the device attribute information includes a device-specific unique identifier. 13. One or more data storage devices comprising a plurality of instructions that, when executed by one or more processors of a client compute device, cause the client compute device to: send device attribute information to an enterprise policy server, the device attribute information indicative of a hardware component of the client compute device or a software environment of the client compute device; access an enterprise application received from the enterprise policy server, wherein the enterprise application is to access enterprise data; receive a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; construct a secure container on the client compute device; add the enterprise application to the secure container; and configure the secure container to enforce the security policy while the enterprise application is executed on the client compute device. 14. The one or more data storage devices of claim 13 , wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device. 15. The one or more data storage devices of claim 13 , wherein the enforcing of the security policy includes disallowing cut and paste for the enterprise application. 16. The one or more data storage devices of claim 13 , wherein the set of rules for control of behavior of the enterprise application includes a rule indicating whether to allow access to one or more network connections. 17. The one or more data storage devices of claim 13 , wherein the device attribute information includes a device-specific unique identifier. 18. A client compute device comprising: means for sending device attribute information to an enterprise policy server, the device attribute information indicative of a hardware component of the client compute device or a software environment of the client compute device; means for accessing an enterprise application received from the enterprise policy server, wherein the enterprise application is to access enterprise data; means for receiving a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; means for constructing a secure container on the client compute device; means for adding the enterprise application to the secure container; and means for enforcing the security policy while the enterprise application is executed on the client compute device. 19. The client compute device of claim 18 , wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device. 20. The client compute device of claim 18 , further including a security processor, wherein the security processor is a trusted hardware component. 21. The client compute device of claim 18 , wherein the means for enforcing the security policy includes means for disallowing cut and paste for the enterprise application. 22. The client compute device of claim 18 , wherein the set of rules for control of behavior of the enterprise application includes a rule indicating whether to allow access to one or more network connections. 23. The client compute device of claim 18 , wherein the device attribute information includes a device-specific unique identifier.