Real-time mobile security posture

US 10,178,132 B2
Filed: 02/06/2017
Issued: 01/08/2019
Est. Priority Date: 12/27/2014
Status: Active Grant

First Claim

Patent Images

1. A server apparatus, comprising:

a hardware platform comprising a processor and a network connection; and

a mobile device manager (MDM), policy decision point (PDP), and policy enforcement point (PEP) to operate on the hardware platform, wherein;

the MDM is to query an end-user device, determine that the device is a non-enterprise end-user device not owned by an enterprise, and grant the non-enterprise end-user device conditional access to an enterprise resource, a condition of the conditional access comprising compliance with a security posture;

the MDM is to instruct an MDM agent of the non-enterprise end-user device to register a mobile security posture event with an operating system of the non-enterprise user device, enter a sleep mode, and wake on detecting an instance of the mobile security posture event;

the MDM is to receive from the MDM agent an instance of the mobile security posture event, wherein the mobile security posture event is selected from the group consisting of a change in biometric authentication status, a change in location, a change in installation status of the MDM agent, installation of a blacklisted program, installation of an unknown program, or a change in physical location;

the PDP is to evaluate an impact of the mobile security posture event on the end-user device'"'"'s compliance with the mobile security posture and construct a policy decision in real-time or near-real-time; and

the PEP is to enforce the policy decision.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, there is described a server apparatus, comprising: a network connection; and one or more logic elements, including at least a processor and a memory, comprising a mobile device management (MDM) engine to: instruct an MDM agent to register a mobile security posture event; receive from the MDM agent an instance of the mobile security posture event; construct a policy decision responsive at least in part to the mobile security posture event; and enforce the policy decision.

Citations

25 Claims

1. A server apparatus, comprising:
- a hardware platform comprising a processor and a network connection; and
  
  a mobile device manager (MDM), policy decision point (PDP), and policy enforcement point (PEP) to operate on the hardware platform, wherein;
  
  the MDM is to query an end-user device, determine that the device is a non-enterprise end-user device not owned by an enterprise, and grant the non-enterprise end-user device conditional access to an enterprise resource, a condition of the conditional access comprising compliance with a security posture;
  
  the MDM is to instruct an MDM agent of the non-enterprise end-user device to register a mobile security posture event with an operating system of the non-enterprise user device, enter a sleep mode, and wake on detecting an instance of the mobile security posture event;
  
  the MDM is to receive from the MDM agent an instance of the mobile security posture event, wherein the mobile security posture event is selected from the group consisting of a change in biometric authentication status, a change in location, a change in installation status of the MDM agent, installation of a blacklisted program, installation of an unknown program, or a change in physical location;
  
  the PDP is to evaluate an impact of the mobile security posture event on the end-user device'"'"'s compliance with the mobile security posture and construct a policy decision in real-time or near-real-time; and
  
  the PEP is to enforce the policy decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The server apparatus of claim 1, wherein the MDM is further to:
    - receive a joint user/device authentication request from the MDM agent;
      
      redirect the joint user/device authentication request to an identity provider;
      
      receive from the identity provider a joint user/device authentication response; and
      
      act on the joint user/device authentication response.
  - 3. The server apparatus of claim 1, wherein the mobile security posture event is a registered operating system event.
  - 4. The server apparatus of claim 1, wherein instructing the MDM agent comprises providing an operating system event watch list.
  - 5. The server apparatus of claim 4, wherein the instance of the mobile security posture event comprises an occurrence of an event on the watch list.
  - 6. The server apparatus of claim 1, wherein the MDM is further to issue a certificate to the MDM agent.
  - 7. The server apparatus of claim 6, wherein the MDM is further to determine that a device hosting the MDM agent does not meet enterprise security requirements, and to revoke the certificate.
  - 8. The server apparatus of claim 1, wherein the mobile security posture event comprises determining that an owner of the end-user device has terminated employment with the enterprise.
  - 9. The server apparatus of claim 1, wherein the mobile security posture event comprises determining that a blacklisted application has been installed on the end-user device.
  - 10. The server apparatus of claim 1, wherein the mobile security posture event comprises determining that the MDM agent has been uninstalled or disabled from the end-user device.
  - 11. The server apparatus of claim 1, wherein the mobile security posture event comprises determining that a non-enterprise user has authenticated on the end-user device.

12. One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions to instruct a processor to:
- communicatively couple to a network connection; and
  
  provide a mobile device manager (MDM), policy decision point (PDP), and policy enforcement point (PEP) to operate on a hardware platform, wherein;
  
  the MDM is to query an end-user device, determine that the device is a non-enterprise end-user device not owned by an enterprise, and grant the non-enterprise end-user device conditional access to an enterprise resource, a condition of the conditional access comprising compliance with a security posture;
  
  the MDM is to instruct an MDM agent of the non-enterprise end-user device to register a mobile security posture event with an operating system of the non-enterprise user device, enter a sleep mode, and wake on detecting an instance of the mobile security posture event;
  
  the MDM is to receive from the MDM agent an instance of the mobile security posture event, wherein the mobile security posture event is selected from the group consisting of a change in biometric authentication status, a change in location, a change in installation status of the MDM agent, installation of a blacklisted program, installation of an unknown program, or a change in physical location;
  
  the PDP is to evaluate an impact of the mobile security posture event on the end-user device'"'"'s compliance with the mobile security posture and construct a policy decision in real-time or near-real-time; and
  
  the PEP is to enforce the policy decision.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the MDM is further to:
    - receive a joint user/device authentication request from the MDM agent;
      
      redirect the joint user/device authentication request to an identity provider;
      
      receive from the identity provider a joint user/device authentication response; and
      
      act on the joint user/device authentication response.
  - 14. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the mobile security posture event is a registered operating system event.
  - 15. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein instructing the MDM agent comprises providing an operating system event watch list.
  - 16. The one or more tangible, non-transitory computer-readable storage mediums of claim 15, wherein the instance of mobile security posture event comprises an occurrence of an event on the watch list.
  - 17. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the MDM is further to issue a certificate to the MDM agent.
  - 18. The one or more tangible, non-transitory computer-readable storage mediums of claim 17, wherein the MDM is further to determine that a device hosting the MDM agent does not meet enterprise security requirements, and to revoke the certificate.
  - 19. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the mobile security posture event comprises determining that an owner of the end-user device has terminated employment with the enterprise.
  - 20. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the mobile security posture event comprises determining that a blacklisted application has been installed on the end-user device.
  - 21. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the mobile security posture event comprises determining that the MDM agent has been uninstalled or disabled from the end-user device.
  - 22. The one or more tangible, non-transitory computer-readable storage mediums of claim 12, wherein the mobile security posture event comprises determining that a non-enterprise user has authenticated on the end-user device.

23. A computer-implemented method, comprising:
- communicatively coupling to a network connection; and
  
  providing a mobile device manager (MDM), policy decision point (PDP), and policy enforcement point (PEP) to operate on a hardware platform, wherein;
  
  the MDM is to query an end-user device, determine that the device is a non-enterprise end-user device not owned by an enterprise, and grant a non-enterprise end-user device conditional access to an enterprise resource, a condition of the conditional access comprising compliance with a security posture;
  
  the MDM is to instruct an MDM agent of the non-enterprise end-user device to register a mobile security posture event with an operating system of the non-enterprise user device, enter a sleep mode, and wake on detecting an instance of the mobile security posture event;
  
  the MDM is to receive from the MDM agent an instance of the mobile security posture event, wherein the mobile security posture event is selected from the group consisting of a change in biometric authentication status, a change in location, a change in installation status of the MDM agent, installation of a blacklisted program, installation of an unknown program, or a change in physical location;
  
  the PDP is to evaluate an impact of the mobile security posture event on the end-user device'"'"'s compliance with the mobile security posture and construct a policy decision in real-time or near-real-time; and
  
  the PEP is to enforce the policy decision.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein the MDM is further to:
    - receive a joint user/device authentication request from the MDM agent;
      
      redirect the joint user/device authentication request to an identity provider;
      
      receive from the identity provider a joint user/device authentication response; and
      
      act on the joint user/device authentication response.
  - 25. The method of claim 24, wherein the mobile security posture event is a registered operating system event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, LLC
Inventors
Chahal, Sudip, Tatourian, Igor
Primary Examiner(s)
Gee, Jason K

Application Number

US15/425,208
Publication Number

US 20170149839A1
Time in Patent Office

701 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04W 12/00   Security arrangements; Auth...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/128   Anti-malware arrangements, ...

H04W 12/37   Managing security policies ...

Real-time mobile security posture

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time mobile security posture

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links