Policy-Based Application Management

US 20140040638A1
Filed: 10/03/2013
Published: 02/06/2014
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by processing circuitry of an electronic mobile device, a copy command;

encrypting, by the processing circuitry and in response to the copy command, original data from a first secure application to form encrypted data; and

writing, by the processing circuitry and in response to the copy command, the encrypted data to a secure clipboard residing in memory of the electronic mobile device to enable a second secure application to subsequently read and decrypt the encrypted data from the secure clipboard, the secure clipboard residing at a location of the memory which is different than that of a general clipboard residing in the memory, the general clipboard being accessible by a set of unsecure applications running on the electronic mobile device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user'"'"'s own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.

116 Citations

20 Claims

1. A method comprising:
- receiving, by processing circuitry of an electronic mobile device, a copy command;
  
  encrypting, by the processing circuitry and in response to the copy command, original data from a first secure application to form encrypted data; and
  
  writing, by the processing circuitry and in response to the copy command, the encrypted data to a secure clipboard residing in memory of the electronic mobile device to enable a second secure application to subsequently read and decrypt the encrypted data from the secure clipboard, the secure clipboard residing at a location of the memory which is different than that of a general clipboard residing in the memory, the general clipboard being accessible by a set of unsecure applications running on the electronic mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as in claim 1, further comprising:
    - receiving, by the processing circuitry, a paste command which directs pasting contents of the secure clipboard to the second secure application;
      
      in response to the paste command, reading the encrypted data from the secure clipboard, decrypting the encrypted data to form decrypted data, and providing the decrypted data to the second secure application.
  - 3. A method as in claim 2, further comprising:
    - configuring each secure application to write information only to the secure clipboard in response to copy commands to restrict that secure application from writing information to the general clipboard.
  - 4. A method as in claim 3 wherein configuring each secure application includes:
    - modifying an initial binary version of the first secure application to form a modified binary version of the first secure application, anddeploying the modified binary version of the first secure application on the electronic mobile device, the initial binary version being un-configured, and the modified binary version being configured to write information only to the secure clipboard.
  - 5. A method as in claim 4 wherein configuring each secure application further includes:
    - providing a memory address of the secure clipboard and a set of cryptographic keys to each secure application.
  - 6. A method as in claim 4 wherein configuring each secure application further includes:
    - (i) providing a first memory address of the secure clipboard and a first set of cryptographic keys to a first group of secure applications, and (ii) providing a second memory address to another secure clipboard and a second set of cryptographic keys to a second group of secure applications, to equip multiple groups of secure applications to utilize different secure clipboards.
  - 7. A method as in claim 1, further comprising:
    - detecting a copy event in which unencrypted new data is copied to the general clipboard from an unsecure application; and
      
      in response to the copy event, encrypting the unencrypted new data to form encrypted new data and writing the encrypted new data to the secure clipboard.

8. A method, comprising:
- receiving, by a processor of an electronic mobile device, a managed application from an application server during a first communication, the managed application being constructed to operate in accordance with a set of one or more policy files;
  
  receiving, by the processor, the set of one or more policy files from the application server during a second communication which is different than the first communication, the set of one or more policy files being stored on the electronic mobile device separately from the managed application; and
  
  running, by the processor, the managed application on the mobile device, the managed application operating in accordance with the set of one or more policy files,wherein one of the policy files defines when the managed application may access a secure encrypted clipboard, and further defines when the managed application may access a general clipboard,wherein the secure encrypted clipboard resides at a location of memory of the electronic mobile device which is different than that of the general clipboard, the general clipboard being accessible by a set of unsecure applications running on the electronic mobile device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - enabling a second secure application to subsequently read and decrypt the encrypted data from the secure clipboard;
      
      receiving a paste command which directs pasting contents of the secure encrypted secure clipboard to the second secure application;
      
      in response to the paste command, reading the encrypted data from the secure clipboard, decrypting the encrypted data to form decrypted data, and providing the decrypted data to the second secure application.
  - 10. The method of claim 9, further comprising configuring each secure application to write information only to the secure clipboard in response to copy commands to restrict that secure application from writing information to the general clipboard.
  - 11. The method of claim 10, wherein configuring each secure application includes:
    - modifying an initial binary version of the first secure application to form a modified binary version of the first secure application, anddeploying the modified binary version of the first secure application on the electronic mobile device, the initial binary version being un-configured, and the modified binary version being configured to write information only to the secure clipboard.
  - 12. The method of claim 11 wherein configuring each secure application further includes:
    - providing a memory address of the secure clipboard and a set of cryptographic keys to each secure application.
  - 13. The method of claim 11 wherein configuring each secure application further includes:
    - (i) providing a first memory address of the secure clipboard and a first set of cryptographic keys to a first group of secure applications, and (ii) providing a second memory address to another secure clipboard and a second set of cryptographic keys to a second group of secure applications, to equip multiple groups of secure applications to utilize different secure clipboards, andwherein one of the policy files defines which secure application has access to each secure clipboard.
  - 14. The method of claim 8, further comprising:
    - detecting a copy event in which unencrypted new data is copied to the general clipboard from an unsecure application; and
      
      in response to the copy event, encrypting the unencrypted new data to form encrypted new data and writing the encrypted new data to the secure clipboard.

15. One or more non-transitory computer readable media storing computer readable instructions that, when executed by an electronic mobile device having a memory, cause the device to perform:
- receiving, by the processing circuitry, a copy command;
  
  encrypting, by the processing circuitry and in response to the copy command, original data from a first secure application to form encrypted data; and
  
  writing, by the processing circuitry and in response to the copy command, the encrypted data to a secure clipboard residing in the memory to enable a second secure application to subsequently read and decrypt the encrypted data from the secure clipboard, the secure clipboard residing at a location of the memory which is different than that of a general clipboard residing in the memory, the general clipboard being accessible by a set of unsecure applications running on the electronic mobile device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable media of claim 15, said instructions further comprising:
    - receiving, by the processing circuitry, a paste command which directs pasting contents of the secure clipboard to the second secure application;
      
      in response to the paste command, reading the encrypted data from the secure clipboard, decrypting the encrypted data to form decrypted data, and providing the decrypted data to the second secure application.
  - 17. The computer readable media of claim 16, said instructions further comprising:
    - configuring each secure application to write information only to the secure clipboard in response to copy commands to restrict that secure application from writing information to the general clipboard.
  - 18. A method as in claim 17 wherein configuring each secure application includes:
    - modifying an initial binary version of the first secure application to form a modified binary version of the first secure application, anddeploying the modified binary version of the first secure application on the electronic mobile device, the initial binary version being un-configured, and the modified binary version being configured to write information only to the secure clipboard.
  - 19. A method as in claim 18 wherein configuring each secure application further includes:
    - providing a memory address of the secure clipboard and a set of cryptographic keys to each secure application.
  - 20. A method as in claim 18 wherein configuring each secure application further includes:
    - (i) providing a first memory address of the secure clipboard and a first set of cryptographic keys to a first group of secure applications, and (ii) providing a second memory address to another secure clipboard and a second set of cryptographic keys to a second group of secure applications, to equip multiple groups of secure applications to utilize different secure clipboards.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Walker, James Robert, Desai, Nitin, Lang, Zhongmin

Granted Patent

US 9,213,850 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/54   by adding security routines...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 21/72   in cryptographic circuits

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 41/34   Signalling channels for net...

H04L 51/08   Annexed information, e.g. a...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04W 12/06 : Authentication

H04W 12/08 : Access security

H04W 12/30 : Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/63 : Location-dependent; Proximi...

View All

Policy-Based Application Management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-Based Application Management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links