Mobile Device Management

US 20110252240A1
Filed: 04/07/2010
Published: 10/13/2011
Est. Priority Date: 04/07/2010
Status: Active Grant

First Claim

Patent Images

1. A machine implemented method for managing a wireless device, the method comprising:

in response to receiving a notification from a management server managing the wireless device for an enterprise service, verifying a trust of the notification against a management profile stored in the wireless device;

establishing a network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and

performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to a control of configurations of the wireless device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses that enroll a wireless device into an enterprise service with a management server addressed in a management profile are described. The enrollment may grant a control of configurations of the wireless device to the management server via the management profile. In response to receiving a notification from the management server, a trust of the notification may be verified against the management profile. If the trust is verified, a network session may be established with the management server. The network session may be secured via a certificate in the management profile. Management operations may be performed for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.

171 Citations

47 Claims

1. A machine implemented method for managing a wireless device, the method comprising:
- in response to receiving a notification from a management server managing the wireless device for an enterprise service, verifying a trust of the notification against a management profile stored in the wireless device;
  
  establishing a network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  
  performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to a control of configurations of the wireless device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - enrolling the wireless device into the enterprise service with the management server addressed in the management profile, the enrollment to grant the control to the management server via the management profile.
  - 3. The method of claim 2, wherein the enrollment comprises:
    - installing the management profile in the wireless device, the management profile including a network address of the management server; and
      
      sending a request for the enterprise service to the management server via the network address, the request including a device certificate cryptographically identifying the wireless device.
  - 4. The method of claim 3, further comprising:
    - sending a magic string uniquely identifying the wireless device to the management server; and
      
      sending a network token to enable the wireless device to receive the notification via a push network.
  - 5. The method of claim 4, wherein the notification is associated with the network token and wherein the push network verifies the network token for the wireless device.
  - 6. The method of claim 4, wherein the notification includes a device string, and wherein the trust is not verified if the magic string does not match the device string.
  - 7. The method of claim 1, wherein the performing the management operations comprises:
    - requesting the update commands from the management server via the network session.
  - 8. The method of claim 1, wherein the management operations include a query of a status of the configuration of the wireless device, the status indicates whether an application installed in the wireless device is provisioned in a provisioning profile.
  - 9. The method of claim 8, wherein the management operations include removal of the provisioning profile to disable the application in the wireless device.
  - 10. The method of claim 8, wherein the management operations include installing the provisioning profile to enable the application in the wireless device.
  - 11. The method of claim 1, wherein the configuration includes an authorization data already expired for a capability provided by the enterprise service to the wireless device, and wherein the management operations include an update to bring the authorization data up to date.

12. A machine implemented method for managing a wireless device, the method comprising:
- installing a management profile into a configuration of the wireless device to participate in an enterprise service via a management server specified in the management profile, the configuration including one or more profiles to configure the wireless device;
  
  locking the configuration for the enterprise service via the management profile, the lock restrict changes of the configuration from user instructions;
  
  in response to receiving one or more commands from the management server, transparently applying updates to the configuration of the wireless device, the updates to enable additional capabilities provided by the enterprise service to the wireless device and the updates to disable existing capabilities prohibited by the enterprise service in the wireless device; and
  
  in response to receiving a user instruction, uninstalling the management profile to leave the enterprise service.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the uninstalling the management profile comprises:
    - restoring the configuration from the updates; and
      
      unlocking the configuration from the management profile.
  - 14. The method of claim 12, wherein the updates include one or more managed profiles installed from the management server, wherein the one or more managed profiles having dependency relationships, and wherein the application of the updates comprises:
    - maintaining the dependency relationships rooted from the management server within the configuration.
  - 15. The method of claim 14, wherein the uninstalling the management profile comprises:
    - uninstalling the managed profiles according to the dependency relationships.
  - 16. The method of claim 12, wherein the one or more profiles include a provisioning profile to authorize an application installed in the wireless device, wherein the application is outside of the enterprise service and wherein the updates include removal of the provisioning profile from the configuration.
  - 17. The method of claim 12, wherein the one or more profiles include a first restriction profile specifying a first constraint on possible value of a setting in the wireless device, wherein the updates include installation of a second restriction profile specifying a second constraint on the possible value of the setting, wherein the setting has a value satisfying both the first constraint and the second constraint during the participation of the enterprise service.
  - 18. The method of claim 17, wherein the setting has a first value prior to the participation of the enterprise service, the first value contradicting the second constraint, and wherein the updates include changing the setting from the first value to the value.
  - 19. The method of claim 18, wherein the second restriction profile is uninstalled if the management profile is uninstalled.
  - 20. The method of claim 12, wherein the application of the updates comprisesinstalling a profile from the management server into the configuration of the wireless device.
  - 21. The method of claim 12, wherein the application of the updates comprisesremoving a profile from the configuration of the wireless device.
  - 22. The method of claim 12, wherein the application of the updates comprisesreplacing one of the one or more profiles in the configuration of the wireless device.

23. A machine implemented method for configuring a wireless device, the method comprising:
- in response to receiving a push notification, verifying if the push notification is authentic in an enterprise service, the wireless device having a configuration to participate in the enterprise service;
  
  cryptographically establishing a first network connection with a management server if the push notification is authentic, the first network connection associated with parameters based on a management profile in the configuration;
  
  in response to receiving a command from the management server via the first network connection, determining if a condition to perform an operation for the command on the configuration is satisfied; and
  
  sending a reply to the management server, the reply indicating whether the operation has been performed according to the determination.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 24. The method of claim 23, wherein the management profile specifies one or more rights, wherein the command violates at least one of the rights and wherein the reply indicates the condition cannot be satisfied to perform the operation for the command.
  - 25. The method of claim 23, wherein the condition is determined not yet satisfied, the method further comprisingwaiting in a sleep state for the condition to be satisfied;
    - andcryptographically establishing a second network connection with the management server for receiving the command when the condition is satisfied.
  - 26. The method of claim 25, wherein the waiting comprises:
    - terminating the first network connection; and
      
      storing a cookie data indicating the command for the enterprise service.
  - 27. The method of claim 26, further comprising:
    - registering an event associated with the condition; and
      
      waking up in response to receiving a notification of the event.
  - 28. The method of claim 25, wherein the push notification is received via a push network separate from the first network connection.
  - 29. The method of claim 23, wherein the wireless device stores at least one identity, wherein the push notification includes payload data, further comprising:
    - generating the at least one identity, wherein the authenticity of the push notification depends on whether the payload data includes the at least one identity.
  - 30. The method of claim 23, wherein the operation adds restrictions to the configuration and where in the restrictions prohibit enabling of an application installed in the wireless device.
  - 31. The method of claim 23, wherein the management profile includes an identity certificate, and wherein the first network connection is based on HTTPS (Hypertext Transfer Protocol Secure) authenticated via the identity certificate.
  - 32. The method of claim 23, further comprising:
    - sending a polling request to the management server via the first network connection transparently to a user, the polling request indicating the wireless device is ready to receive the command.
  - 33. The method of claim 32, further comprising:
    - sending another polling request separate from the polling request to the management server via the first network connection after the operation is successfully performed.
  - 34. The method of claim 23, wherein the wireless device is locked by a user, wherein the operation includes a change to the configuration, and wherein the condition depends on when the wireless device is unlocked by the user.
  - 35. The method of claim 23, wherein the condition is associated with a current processing load of the wireless device, and wherein the condition is satisfied if the current processing load is below a threshold specified in the configuration.

36. A machine implemented method for mobile device management, the method comprising:
- generating a management profile having an identity certificate, the management profile to restrict user changes on a configuration of a wireless device to be within a scope of an enterprise service;
  
  in response to receiving an enrollment request with the identity certificate from the wireless device, verifying the identity certificate to register the wireless device in the enterprise service;
  
  sending a notification to the wireless device via a push network for a polling request; and
  
  in response to receiving the polling request from the wireless device via a network session separate from the push network, sending commands to manage the configuration of the wireless device for the enterprise service.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 37. The method of claim 36, wherein the notification includes a push token to enable the notification to reach the wireless device via the push network, wherein the enrollment request is received via a particular network session, and wherein the push token is received from the wireless device via the particular network session.
  - 38. The method of claim 37, wherein the notification includes a magic string for a trust to the wireless device, and wherein the magic string is received from the wireless device via the particular network session.
  - 39. The method of claim 36, wherein the wireless device is associated with a UDID (unique device identifier) in the enterprise service, wherein the polling request includes a device identifier, and wherein the sending the commands comprises:
    - verifying an identity of the wireless device based on the UDID and the device identifier.
  - 40. The method of claim 36, wherein the polling request includes an identity certificate, the method further comprising:
    - cryptographically verifying a trust of the wireless device based on the identity certificate.
  - 41. The method of claim 36, wherein the push network is a 3G network over the air.
  - 42. The method of claim 36, wherein the commands include a query command for inspecting a status of the wireless device.
  - 43. The method of claim 42, further comprising:
    - determining additional commands for the wireless device based on the status.
  - 44. The method of claim 43, wherein the status indicates a provisioning profile authorizing an application outside the scope of the enterprise service, and wherein the additional commands include a removal command to remove the provisioning profile.
  - 45. The method of claim 36, wherein the commands include an installation command for installing a provisioning profile to the wireless device, the provisioning profile authorizing an application installed in the wireless device.

46. A machine-readable storage medium having instructions, when executed by a machine, cause the machine to perform a method for a plurality of messaging services, the method comprising:
- enrolling the wireless device into an enterprise service with a management server addressed in a management profile, the enrollment to grant a control of configurations of the wireless device to the management server via the management profile;
  
  in response to receiving a notification from the management server, verifying a trust of the notification against the management profile;
  
  establishing a network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  
  performing management operations for management commands received over the secure network session to managing the configurations transparently to a user of the wireless device according to the control.

47. An apparatus, comprising:
- a memory storing executable instructions;
  
  a network interface coupled to a push network;
  
  a processor coupled to the network interface and the memory to execute the executable instructions from the memory for the messaging services, the processor being configured to;
  
  enroll in an enterprise service with a management server addressed in a management profile, the enrollment to grant a control of configurations of the wireless device to the management server via the management profile;
  
  in response to receiving a notification from the management server via the push network, verify a trust of the notification against the management profile;
  
  establish a network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  
  perform management operations for management commands received over the secure network session to managing the configurations transparently to a user of the wireless device according to the control.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Freedman, Gordie, Rahardja, David

Granted Patent

US 8,473,743 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0823   using certificates cryptogr...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

H04W 4/50   Service provisioning or rec...

H04W 8/22   Processing or transfer of t...

Mobile Device Management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

171 Citations

47 Claims

Specification

Use Cases

Quick Links

Others

Mobile Device Management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

47 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others