Automatically configuring mobile devices and applying policy based on device state

US 10,104,128 B2
Filed: 09/27/2017
Issued: 10/16/2018
Est. Priority Date: 07/12/2013
Status: Active Grant

First Claim

Patent Images

1. A system for automatically configuring mobile devices and applying policies based on a Host Information Profile (HIP) report, comprising:

a processor configured to;

receive a list of known malware and application characteristics from an external service;

receive the Host Information Profile (HIP) report for a mobile device, wherein the HIP report includes applications installed on the mobile device, device state information, and device configuration information, wherein the device state information and the device configuration information both comprise one or more features;

perform a policy match based on the HIP report for the mobile device, comprising to;

determine whether the HIP report indicates that one or more features are missing or one or more features are disabled causing the mobile device to fail the policy match;

determine whether an application installed on the mobile device is found on the list of known malware and application characteristics;

determine whether the HIP report from the mobile device matches with a first host information profile or a second host information profile;

determine a security policy based on a host information profile that matches the HIP report, the security policy being associated with a first security policy or a second security policy, the first host information profile being different from the second host information profile, the first security policy including granting access to a first enterprise resource, the second security policy including granting access to a second enterprise resource; and

in response to a determination that the security policy does not match the first host information profile or the second host information profile, determine that the security policy includes denying access to enterprise resources; and

perform an action based on the policy match based on the HIP report for the mobile device, comprising to;

in response to a determination that the HIP report matches a first security policy, grant access to a first enterprise resource; and

in response to a determination that the HIP report matches a second security policy;

perform one or more of the following;

automatically install the one or more missing features or enable the one or more features on the mobile device in response to a determination that the policy match has failed when the HIP report indicates that the one or more features are missing or the one or more features are disabled;

or

automatically uninstall the application installed on the mobile device in response to a determination that the policy match has failed when the application is found on the list of known malware and application characteristics; and

grant access to a second enterprise resource, the first security policy being different from the second security policy; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for network-based security for mobile devices based on device state are disclosed. In some embodiments, automatically configuring mobile devices and applying policies based on a Host Information Profile (HIP) report includes receiving a Host Information Profile (HIP) report for a mobile device; performing a policy match based on the HIP report for the mobile device; and performing an action based on the policy match based on the HIP report for the mobile device.

Citations

14 Claims

1. A system for automatically configuring mobile devices and applying policies based on a Host Information Profile (HIP) report, comprising:
- a processor configured to;
  
  receive a list of known malware and application characteristics from an external service;
  
  receive the Host Information Profile (HIP) report for a mobile device, wherein the HIP report includes applications installed on the mobile device, device state information, and device configuration information, wherein the device state information and the device configuration information both comprise one or more features;
  
  perform a policy match based on the HIP report for the mobile device, comprising to;
  
  determine whether the HIP report indicates that one or more features are missing or one or more features are disabled causing the mobile device to fail the policy match;
  
  determine whether an application installed on the mobile device is found on the list of known malware and application characteristics;
  
  determine whether the HIP report from the mobile device matches with a first host information profile or a second host information profile;
  
  determine a security policy based on a host information profile that matches the HIP report, the security policy being associated with a first security policy or a second security policy, the first host information profile being different from the second host information profile, the first security policy including granting access to a first enterprise resource, the second security policy including granting access to a second enterprise resource; and
  
  in response to a determination that the security policy does not match the first host information profile or the second host information profile, determine that the security policy includes denying access to enterprise resources; and
  
  perform an action based on the policy match based on the HIP report for the mobile device, comprising to;
  
  in response to a determination that the HIP report matches a first security policy, grant access to a first enterprise resource; and
  
  in response to a determination that the HIP report matches a second security policy;
  
  perform one or more of the following;
  
  automatically install the one or more missing features or enable the one or more features on the mobile device in response to a determination that the policy match has failed when the HIP report indicates that the one or more features are missing or the one or more features are disabled;
  
  or
  
  automatically uninstall the application installed on the mobile device in response to a determination that the policy match has failed when the application is found on the list of known malware and application characteristics; and
  
  grant access to a second enterprise resource, the first security policy being different from the second security policy; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system recited in claim 1, wherein the policy match is also determined based on a user/group match.
  - 3. The system recited in claim 1, wherein the policy match is also determined based on a device match.
  - 4. The system recited in claim 1, wherein the HIP report for the mobile device is received from an access gateway for implementing HIP-based policies for enforcing the security policy using the HIP report.
  - 5. The system recited in claim 1, wherein the HIP report for the mobile device is received from a mobile device management (MDM) server for implementing HIP-based policies for enforcing the security policy using the HIP report.

6. A method for automatically configuring mobile device settings based on a Host Information Profile (HIP) report, comprising:
- receiving a list of known malware and application characteristics from an external service;
  
  receiving the Host Information Profile (HIP) report for a mobile device, wherein the HIP report includes applications installed on the mobile device, device state information, and device configuration information, wherein the device state information and the device configuration information both comprise one or more features;
  
  performing a policy match based on the HIP report for the mobile device, comprising;
  
  determining whether the HIP report indicates that one or more features are missing or one or more features are disabled causing the mobile device to fail the policy match;
  
  determining whether an application installed on the mobile device is found on the list of known malware and application characteristics;
  
  determining whether the HIP report from the mobile device matches with a first host information profile or a second host information profile;
  
  determining a security policy based on a host information profile that matches the HIP report, the security policy being associated with a first security policy or a second security policy, the first host information profile being different from the second host information profile, the first security policy including granting access to a first enterprise resource, the second security policy including granting access to a second enterprise resource; and
  
  in response to a determination that the security policy does not match the first host information profile or the second host information profile, determining that the security policy includes denying access to enterprise resources; and
  
  performing an action based on the policy match based on the HIP report for the mobile device, comprising;
  
  in response to a determination that the HIP report matches a first security policy, granting access to a first enterprise resource; and
  
  in response to a determination that the HIP report matches a second security policy;
  
  performing one or more of the following;
  
  automatically installing the one or more missing features or enable the one or more features on the mobile device in response to a determination that the policy match has failed when the HIP report indicates that the one or more features are missing or the one or more features are disabled;
  
  orautomatically uninstalling the application installed on the mobile device in response to a determination that the policy match has failed when the application is found on the list of known malware and application characteristics; and
  
  granting access to a second enterprise resource, the first security policy being different from the second security policy.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method recited in claim 6, wherein the policy match is also determined based on a user/group match.
  - 8. The method recited in claim 6, wherein the policy match is also determined based on a device match.
  - 9. The method recited in claim 6, wherein the HIP report for the mobile device is received from an access gateway for implementing HIP-based policies for enforcing the security policy using the HIP report.
  - 10. The method recited in claim 6, wherein the HIP report for the mobile device is received from a mobile device management (MDM) server for implementing HIP-based policies for enforcing the security policy using the HIP report.

11. A computer program product for automatically configuring mobile devices based on a Host Information Profile (HIP) report, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a list of known malware and application characteristics from an external service;
  
  receiving the Host Information Profile (HIP) report for a mobile device, wherein the HIP report includes applications installed on the mobile device, device state information, and device configuration information, wherein the device state information and the device configuration information both comprise one or more features;
  
  performing a policy match based on the HIP report for the mobile device, comprising;
  
  determining whether the HIP report indicates that one or more features are missing or one or more features are disabled causing the mobile device to fail the policy match;
  
  determining whether an application installed on the mobile device is found on the list of known malware and application characteristics;
  
  determining whether the HIP report from the mobile device matches with a first host information profile or a second host information profile;
  
  determining a security policy based on a host information profile that matches the HIP report, the security policy being associated with a first security policy or a second security policy, the first host information profile being different from the second host information profile, the first security policy including granting access to a first enterprise resource, the second security policy including granting access to a second enterprise resource; and
  
  in response to a determination that the security policy does not match the first host information profile or the second host information profile, determining that the security policy includes denying access to enterprise resources; and
  
  performing an action based on the policy match based on the HIP report for the mobile device, comprising;
  
  in response to a determination that the HIP report matches a first security policy, granting access to a first enterprise resource; and
  
  in response to a determination that the HIP report matches a second security policy;
  
  performing one or more of the following;
  
  automatically installing the one or more missing features or enable the one or more features on the mobile device in response to a determination that the policy match has failed when the HIP report indicates that the one or more features are missing or the one or more features are disabled;
  
  orautomatically uninstalling the application installed on the mobile device in response to a determination that the policy match has failed when the application is found on the list of known malware and application characteristics; and
  
  granting access to a second enterprise resource, the first security policy being different from the second security policy.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product recited in claim 11, wherein the policy match is also determined based on a user/group match.
  - 13. The computer program product recited in claim 11, wherein the policy match is also determined based on a device match.
  - 14. The computer program product recited in claim 11, wherein the HIP report for the mobile device is received from an access gateway or from a mobile device management (MDM) server for implementing HIP-based policies for enforcing the security policy using the HIP report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Jacobsen, Michael Soren, Menon, Joby, Wang, Song
Primary Examiner(s)
Giddins, Nelson

Application Number

US15/717,801
Publication Number

US 20180139241A1
Time in Patent Office

384 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04L 67/303   Terminal profiles

H04L 67/306   User profiles

H04L 67/34   involving the movement of s...

H04W 12/08   Access security

H04W 12/128   Anti-malware arrangements, ...

H04W 12/37   Managing security policies ...

H04W 4/50   Service provisioning or rec...

H04W 4/60   Subscription-based services...

Automatically configuring mobile devices and applying policy based on device state

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically configuring mobile devices and applying policy based on device state

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links