Secure execution of enterprise applications on mobile devices
First Claim
1. A method comprising:
receiving, by a mobile device, a managed application from an application server during a first communication, the managed application being constructed to operate in accordance with a set of one or more policy files defined independently of the managed application;
receiving, by the mobile device, the set of one or more policy files from the application server during a second communication different from the first communication, the set of one or more policy files being stored on the mobile device separately from the managed application;
receiving, by the mobile device, a custom secure sockets layer (SSL) library that is different from an SSL library of an operating system of the mobile device;
installing, by the mobile device, the custom SSL library on the mobile device;
determining a geographic location of the system;
running the managed application on the mobile device in accordance with policies defined in the set of one or more policy files that is stored on the mobile device separately from the managed application; and
determining, based on the policies defined in the set of one or more policy files that is stored on the mobile device separately from the managed application, that the geographic location of the system is within an unauthorized geographical zone, wherein the policies defined in the set of one or more policy files, when applied to the managed application while the geographic location of the system is within the unauthorized geographical zone, cause the managed application to restrict a data-sharing feature otherwise made available on the mobile device while the geographic location of the system is not within the unauthorized geographical zone, and wherein the policies defined in the set of one or more policy files cause the managed application to create a secure application tunnel using the custom SSL library on the mobile device in place of the SSL library of the operating system of the mobile device.
Abstract
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
20 Claims
9. Non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause a system to:
receive a managed application from an application server during a first communication, the managed application being constructed to operate in accordance with a set of one or more policy files defined independently of the managed application;
receive the set of one or more policy files from the application server during a second communication different from the first communication, the set of one or more policy files being stored on the system separately from the managed application;
receive a custom secure sockets layer (SSL) library that is different from an SSL library of an operating system of the system;
install the custom SSL library on the system;
determine that a password has been removed from the system; and
run the managed application in accordance with policies defined in the set of one or more policy files that is stored on the system separately from the managed application, wherein the policies defined in the set of one or more policy files, when applied to the managed application, cause deletion of one or more files of the managed application responsive to determining that the password has been removed from the system for longer than a threshold period of time, and wherein the policies defined in the set of one or more policy files cause the managed application to create a secure application tunnel using the custom SSL library on the system in place of the SSL library of the operating system of the system.
15. A system comprising:
at least one processor; and
non-transitory memory storing computer-readable instructions that, when executed by the at least one processor, cause the system to:
receive a managed application from an application server during a first communication, the managed application being constructed to operate in accordance with a set of one or more policy files defined independently of the managed application;
receive the set of one or more policy files from the application server during a second communication different from the first communication, the set of one or more policy files being stored on the system separately from the managed application;
receive a custom secure sockets layer (SSL) library that is different from an SSL library of an operating system of the system;
install the custom SSL library on the system;
determine that a SIM card has been removed from the system; and
run the managed application in accordance with policies defined in the set of one or more policy files that is stored on the system separately from the managed application, wherein the policies defined in the set of one or more policy files, when applied to the managed application, cause deletion of one or more files of the managed application responsive to the SIM card having been removed from the system for longer than a threshold period of time, and wherein the policies defined in the set of one or more policy files cause the managed application to create a secure application tunnel using the custom SSL library on the system in place of the SSL library of the operating system of the system.
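As an added illustration (not code from the patent or its assignee), the following Python sketch shows the policy-driven enforcement that independent claims 1, 9 and 15 describe: a policy file delivered and stored separately from the managed application is evaluated against the device state, and the resulting actions (restrict data sharing inside an unauthorized zone, wipe application files after a password or SIM card has been absent longer than a threshold, build the application tunnel with the custom SSL library) are returned to the managed application. The JSON field names, the circular zone model and the threshold values are assumptions for the example.

```python
import json
import math
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample policy file; in the claimed system it is received in a
# separate communication from the app and stored apart from it.
POLICY_JSON = """{
  "unauthorized_zones": [{"lat": 52.52, "lon": 13.405, "radius_km": 5.0}],
  "password_removed_wipe_after_s": 3600,
  "sim_removed_wipe_after_s": 600,
  "tunnel_ssl_library": "custom"
}"""


@dataclass
class DeviceState:
    lat: float
    lon: float
    password_removed_for_s: Optional[int] = None  # None = password present
    sim_removed_for_s: Optional[int] = None       # None = SIM card present


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def in_unauthorized_zone(policy: dict, state: DeviceState) -> bool:
    return any(haversine_km(state.lat, state.lon, z["lat"], z["lon"]) <= z["radius_km"]
               for z in policy["unauthorized_zones"])


def evaluate(policy_text: str, state: DeviceState) -> Set[str]:
    """Return the enforcement actions the managed application must apply now."""
    policy = json.loads(policy_text)
    actions = set()
    if policy.get("tunnel_ssl_library") == "custom":
        actions.add("use_custom_ssl_tunnel")   # bypass the OS SSL library
    if in_unauthorized_zone(policy, state):
        actions.add("restrict_data_sharing")
    # "longer than a threshold period" is read as strictly greater than.
    pw, sim = state.password_removed_for_s, state.sim_removed_for_s
    if pw is not None and pw > policy["password_removed_wipe_after_s"]:
        actions.add("wipe_app_files")
    if sim is not None and sim > policy["sim_removed_wipe_after_s"]:
        actions.add("wipe_app_files")
    return actions
```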
Specification