SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

US 20190036933A1
Filed: 07/31/2017
Published: 01/31/2019
Est. Priority Date: 07/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method for providing application-specific access to a server, comprising:

receiving a request for access to the server from a user device, the request including a user authentication credential associated with a user, a device identifier associated with the user device, and an application identifier associated with an application being used to request access;

sending an out-of-band message to the user, the message requesting confirmation from the user regarding the request for access from the user device;

receiving confirmation from the user in response to the out-of-band message;

sending an authentication token to the user device, wherein the authentication token is specific to the user device, the user, and the application being used to request access;

updating a database with information regarding the authentication token and the associated user device, user, and application; and

providing access to the server based on receiving the user authentication credential, device identifier, and authentication token from the user device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples described herein include systems and methods for controlling access to a server, such as an email server or a gateway, in situations where the identity of the requesting device is unknown or where the user device accesses the server using an unknown or unmanaged application. In one example, the system can utilize a user authentication credential included in the request to identify other devices belonging to the user that happen to be enrolled with the system. An out-of-band message can be sent to those enrolled devices, requesting confirmation from the user and, in conjunction with an authentication token, allowing the system to trust the previously unknown device. In the example of an unmanaged application attempting to access an email server, the system can confirm compliance of the requesting device and issue an authentication token that, along with an appropriate command sent to the email server, provides access.

Citations

20 Claims

1. A method for providing application-specific access to a server, comprising:
- receiving a request for access to the server from a user device, the request including a user authentication credential associated with a user, a device identifier associated with the user device, and an application identifier associated with an application being used to request access;
  
  sending an out-of-band message to the user, the message requesting confirmation from the user regarding the request for access from the user device;
  
  receiving confirmation from the user in response to the out-of-band message;
  
  sending an authentication token to the user device, wherein the authentication token is specific to the user device, the user, and the application being used to request access;
  
  updating a database with information regarding the authentication token and the associated user device, user, and application; and
  
  providing access to the server based on receiving the user authentication credential, device identifier, and authentication token from the user device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein sending an out-of-band message to the user is performed in response to determining that the device identifier associated with the user device is not present on a list of device identifiers approved for access to the server.
  - 3. The method of claim 1, further comprising sending a request for verification from the server to an identity management server based on information associated with the request for access.
  - 4. The method of claim 1, wherein sending an out-of-band message to the user comprises sending the out-of-band message to a second user device of the user, wherein the second user device is enrolled with a management server.
  - 5. The method of claim 1, wherein providing access to the server includes sending an allow command to the server, instructing the server to allow access based on a device identifier, application identifier, user authentication credential, or some combination thereof.
  - 6. The method of claim 1, wherein the device identifier is at least a portion of a user agent string.
  - 7. The method of claim 1, wherein the server is a gateway having privileged access to an email server, and wherein providing access to the server comprises providing access to the email server through the gateway.

8. A non-transitory, computer-readable medium comprising instructions that, when executed by a processor associated with a computing device, cause the processor to perform stages for providing application-specific access to a server, the stages comprising:
- receiving a request for access to the server from a user device, the request including a user authentication credential associated with a user, a device identifier associated with the user device, and an application identifier associated with an application being used to request access;
  
  sending an out-of-band message to the user, the message requesting confirmation from the user regarding the request for access from the user device;
  
  receiving confirmation from the user in response to the out-of-band message;
  
  sending an authentication token to the user device, wherein the authentication token is specific to the user device, the user, and the application being used to request access;
  
  updating a database with information regarding the authentication token and the associated user device, user, and application; and
  
  providing access to the server based on receiving the user authentication credential, device identifier, and authentication token.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, wherein sending an out-of-band message to the user is performed in response to determining that the device identifier associated with the user device is not present on a list of device identifiers approved for access to the server.
  - 10. The non-transitory, computer-readable medium of claim 8, the stages further comprising sending a request for verification from the server to an identity management server based on information associated with the request for access.
  - 11. The non-transitory, computer-readable medium of claim 8, wherein sending an out-of-band message to the user comprises sending the out-of-band message to a second user device of the user, wherein the second user device is enrolled with a management server.
  - 12. The non-transitory, computer-readable medium of claim 8, wherein providing access to the server includes sending an allow command to the server, instructing the server to allow access based on a device identifier, application identifier, user authentication credential, or some combination thereof.
  - 13. The non-transitory, computer-readable medium of claim 8, wherein the device identifier is at least a portion of a user agent string.
  - 14. The non-transitory, computer-readable medium of claim 8, wherein the server is a gateway having privileged access to an email server, and wherein providing access to the server comprises providing access to the email server through the gateway.

15. A system for providing application-specific access to a gateway, comprising:
- a gateway that controls access to a mail server,wherein the gateway;
  
  receives a request for access to the mail server from a user device, the request including a user authentication credential associated with a user, a device identifier associated with the user device, and an application identifier associated with an application being used to request access;
  
  sends an out-of-band message to the user, the message requesting confirmation from the user regarding the request for access from the user device;
  
  receives confirmation from the user in response to the out-of-band message;
  
  sends an authentication token to the user device, wherein the authentication token is specific to the user device, the user, and the application being used to request access;
  
  updates a database with information regarding the authentication token and the associated user device, user, and application; and
  
  provides access to the mail server based on receiving the user authentication credential, device identifier, and authentication token.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein sending an out-of-band message to the user is performed in response to determining that the device identifier associated with the user device is not present on a list of device identifiers approved for access to the server.
  - 17. The system of claim 15, wherein the gateway sends a request for verification to an identity management server based on information associated with the request for access.
  - 18. The system of claim 15, wherein sending an out-of-band message to the user comprises sending the out-of-band message to a second user device of the user, wherein the second user device is enrolled with a management server.
  - 19. The system of claim 15, wherein providing access to the gateway includes sending an allow command to the gateway, instructing the gateway to allow access based on a device identifier, application identifier, user authentication credential, or some combination thereof.
  - 20. The system of claim 15, wherein the device identifier is at least a portion of a user agent string.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Pitchaimani, Saravanan, Kodaganallur, Vijay Pitchumani, Newell, Craig, Kalsi, Vishal

Granted Patent

US 10,491,595 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/66   Arrangements for connecting...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/18   using different networks or...

H04L 67/10   in which an application is ...

H04L 67/125   involving control of end-de...

H04L 67/146   Markers for unambiguous ide...

H04L 67/53   using third party service p...

H04W 12/06   Authentication

H04W 12/37   Managing security policies ...

H04W 12/71   Hardware identity

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR CONTROLLING EMAIL ACCESS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links