CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES

US 20140007183A1
Filed: 10/10/2012
Published: 01/02/2014
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system for controlling mobile device access to enterprise resources of an enterprise system, the system comprising:

an enterprise agent that runs on mobile devices of enterprise users, the enterprise agent configured to cause the mobile devices to collect and report mobile device property information, including information regarding applications installed on the mobile devices; and

a mobile device management system configured to store at least (1) the mobile device property information reported by the mobile devices, (2) user information regarding users of the mobile devices, including information specifying respective roles of the users in an enterprise, and (3) data specifying enterprise access policies of the enterprise, including access policies associated with particular enterprise resources, said mobile device management system comprising one or more computing devices;

said mobile device management system configured to use the stored mobile device property information and user information associated with the mobile devices, in combination with the data specifying the enterprise access policies, to control accesses by the mobile devices to the enterprise resources.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

192 Citations

27 Claims

1. A system for controlling mobile device access to enterprise resources of an enterprise system, the system comprising:
- an enterprise agent that runs on mobile devices of enterprise users, the enterprise agent configured to cause the mobile devices to collect and report mobile device property information, including information regarding applications installed on the mobile devices; and
  
  a mobile device management system configured to store at least (1) the mobile device property information reported by the mobile devices, (2) user information regarding users of the mobile devices, including information specifying respective roles of the users in an enterprise, and (3) data specifying enterprise access policies of the enterprise, including access policies associated with particular enterprise resources, said mobile device management system comprising one or more computing devices;
  
  said mobile device management system configured to use the stored mobile device property information and user information associated with the mobile devices, in combination with the data specifying the enterprise access policies, to control accesses by the mobile devices to the enterprise resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the mobile device management system is configured to determine whether to grant a request by a mobile device to access an enterprise resource based at least in part on whether the mobile device has an unauthorized application installed thereon, as determined from information reported by the mobile device via the enterprise agent.
  - 3. The system of claim 1, wherein the mobile device management system is configured to respond to a request from a mobile device to access an enterprise resource by looking up the mobile device property information and user information associated with the device, and by determining whether the looked-up mobile device property information and user information comply with at least one enterprise access policy associated with the enterprise resource.
  - 4. The system of claim 3, wherein the request from the mobile device to access the enterprise resource is a request to form an application tunnel between the enterprise resource and an application running on the mobile device.
  - 5. The system of claim 3, wherein the mobile device management system is configured to grant or deny the request based at least partly on a role of the user of the mobile device within the enterprise.
  - 6. The system of claim 1, wherein the mobile device management is configured to grant or deny the request based at least partly on a location of the mobile device, as reported by the mobile device via the enterprise agent.
  - 7. The system of claim 1, wherein the mobile device management is configured to generate gateway rules based on the stored data specifying the enterprise access policies in combination with the mobile device property information and/or user information, and to control accesses at least partly by providing the gateway rules to a mobile gateway that regulates mobile device accesses to enterprise resources.
  - 8. The system of claim 7, wherein the mobile device management is configured to generate the gateway rules, at least in part, by translating enterprise access policies into lower-level gateway rules based on at least the stored mobile device property information and user information.
  - 9. The system of claim 7, further comprising a mobile gateway configured to apply the rules to access requests received from the mobile devices, said mobile gateway comprising a mobile gateway filter configured to run on an enterprise firewall server.
  - 10. The system of claim 1, wherein the enterprise agent is capable of performing a remedial action on a mobile device in response to determining that an unauthorized application is installed on the mobile device.
  - 11. The system of claim 1, wherein the remedial action comprises at least one of the following:
    - (1) blocking the unauthorized application from executing, and (2) deleting data from the mobile device.
  - 12. The system of claim 1, wherein the mobile device management system is configured to send rules to the mobile devices, including rules indicating specific conditions that require associated remedial actions, and wherein the enterprise agent is configured to apply the rules on the respective mobile devices on which the enterprise agent is installed.

13. A non-transitory computer-readable medium having stored thereon an agent component that is configured to be installed on a mobile device of an enterprise user, the agent component configured to at least:
- provide a secure path for one or more authorized applications installed on the mobile device to access enterprise resources of an enterprise system;
  
  identify applications installed on the mobile device;
  
  determine whether any of the applications installed on the mobile device are unauthorized applications; and
  
  execute a remedial action on the mobile device in response to determining that an unauthorized application is installed on the mobile device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the remedial action comprises preventing the unauthorized application from running on the mobile device.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the remedial action comprises uninstalling the unauthorized application from the mobile device.
  - 16. The non-transitory computer-readable medium of claim 13, wherein the remedial action comprises blocking the mobile device from accessing the enterprise system.
  - 17. The non-transitory computer-readable medium of claim 13, wherein the remedial action comprises deleting from the mobile device information necessary for decrypting encrypted enterprise data stored on the mobile device.
  - 18. The non-transitory computer-readable medium of claim 13, wherein the agent component creates said secure path by using protocol encapsulation to create application tunnels between particular authorized applications and particular enterprise resources.
  - 19. The non-transitory computer-readable medium of claim 13, wherein the agent component is configured to report, to a mobile device management system associated with the enterprise system, device property information, including information regarding the applications installed on the mobile device.
  - 20. The non-transitory computer-readable medium of claim 19, in combination with the mobile device management system, wherein the mobile device management system is configured to use the information regarding which applications are installed on the mobile device, in combination with other information associated with the mobile device, to determine whether to grant requests by the one or more authorized applications to access enterprise resources.

21. A non-transitory computer-readable medium having stored thereon an enterprise agent that is configured to be installed on mobile devices of members of an enterprise, the enterprise agent comprising executable code that directs a mobile device to at least:
- maintain a repository of mobile device rules, including rules received from a mobile device management system associated with the enterprise, at least some of the mobile device rules specifying conditions and associated remedial actions for protecting enterprise resources;
  
  collect mobile device property information, including information regarding applications installed on the mobile device; and
  
  apply the mobile device rules on the mobile device, wherein applying the mobile device rules comprises using the collected mobile device property information to determine whether said conditions exist, and executing remedial actions associated with detected conditions.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The computer-readable medium of claim 21, wherein the enterprise agent, via application of a mobile device rule, is configured to determine whether an unauthorized application is installed on the mobile device, and to execute a remedial action when an unauthorized application is installed.
  - 23. The computer-readable medium of claim 21, wherein the enterprise agent, via application of a mobile device rule, is configured to determine whether a SIM card has been disengaged from the mobile device, and to execute a remedial action in response to detecting such disengagement.
  - 24. The computer-readable medium of claim 21, wherein the enterprise agent, via application of a mobile device rule, is configured to instruct a user to activate password protection in response to determining that password protection is disabled on the mobile device.
  - 25. The computer-readable medium of claim 21, wherein the enterprise agent, via application of a mobile device rule, is configured to disable a camera of the mobile device in response to determining that the mobile device is located in a region in which usage of the camera is not authorized.
  - 26. The computer-readable medium of claim 21, wherein the enterprise agent is configured to maintain on the mobile device a secure document container that is accessible to authorized applications installed on the mobile device, and is configured to delete data from the secure document container in response to detecting a condition representing an enterprise security risk.
  - 27. The computer-readable medium of claim 21, wherein the enterprise agent is configured to use protocol encapsulation to create, for respective, authorized applications installed on the mobile device, application tunnels for securely communicating over a network with specific enterprise resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Zenprise, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, McGinty, John M., Andre, Olivier, Abdullah, Shafaq

Granted Patent

US 9,529,996 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

192 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

192 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links