Selectively wiping a remote device

US 8,056,143 B2
Filed: 01/18/2008
Issued: 11/08/2011
Est. Priority Date: 01/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method, the method comprising:

determining an authorization level selected from a plurality of authorization levels for a command issuer at a server, the command issuer being associated with one of said plurality of authorization levels, each one of the plurality of authorization levels permitting issuance of a securing command;

issuing the command comprising an indicator of said authorization level from the server;

receiving said command at a client device;

determining, using a corresponding predefined rule stored at the client device and associated with said authorization level indicated by said indicator, which of a plurality of data types at the client device is to be secured, said corresponding predefined rule comprising a value indicating each of the plurality of data types to be secured in response to a received command; and

securing, at the client device, the data corresponding to each of the plurality of data types thus determined by;

setting a flag at the client device, the flag comprising a subset value for said each of the plurality of data types, the subset value indicating whether the data of that data type is to be secured,checking each of the subset values of the flag, andcarrying out a securing operation if the subset value indicates that the data of that data type is to be secured, andafter each of the subset values has been checked, resetting the subset values to indicate that no further securing operation is to be carried out.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for selectively securing data from unauthorized access on a client device storing a plurality of data types with reference to an authorization level indicated in a command. A command is received at a client device comprising an authorization level indicator. Based on at least one predefined rule, which may be implemented in an IT policy stored at the client device, each of the plurality of data types to be secured is determined, and then the data corresponding to those types is secured. The data may be secured by encrypting and/or deleting the data at the client device. The predefined rules associated with each authorization level may be configured by a user or administrator having an authorization level that exceeds the associated authorization level. The system and method thus provide a method for securing only selected data types, depending on the authorization level of the issuer of the command.

82 Citations

View as Search Results

15 Claims

1. A method, the method comprising:
- determining an authorization level selected from a plurality of authorization levels for a command issuer at a server, the command issuer being associated with one of said plurality of authorization levels, each one of the plurality of authorization levels permitting issuance of a securing command;
  
  issuing the command comprising an indicator of said authorization level from the server;
  
  receiving said command at a client device;
  
  determining, using a corresponding predefined rule stored at the client device and associated with said authorization level indicated by said indicator, which of a plurality of data types at the client device is to be secured, said corresponding predefined rule comprising a value indicating each of the plurality of data types to be secured in response to a received command; and
  
  securing, at the client device, the data corresponding to each of the plurality of data types thus determined by;
  
  setting a flag at the client device, the flag comprising a subset value for said each of the plurality of data types, the subset value indicating whether the data of that data type is to be secured,checking each of the subset values of the flag, andcarrying out a securing operation if the subset value indicates that the data of that data type is to be secured, andafter each of the subset values has been checked, resetting the subset values to indicate that no further securing operation is to be carried out.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the at least one predefined rule is stored at the client device in association with an IT policy.
  - 3. The method of claim 1, wherein the act of securing the data comprises one of deleting the data;
    - encrypting the data;
      
      or encrypting, then deleting, the data.
  - 4. The method of claim 3, wherein the securing operation comprises one of deleting the data of that data type;
    - encrypting the data of that data type;
      
      or encrypting, then deleting, the data of that data type.
  - 5. The method of claim 1, wherein the command is received in an encrypted message, and prior to securing the data the command is authenticated by decrypting the message and extracting the command, such that the command is authenticated if the command is extracted successfully.
  - 6. The method of claim 1 wherein the client device comprises a mobile communications device.
  - 7. The method of claim 6 wherein the command is received over the air.
  - 8. The method of claim 1, further comprising, prior to receiving the command at the client device:
    - defining, at a location remote from the client device, a plurality of predefined rules associated with an authorization level; and
      
      transmitting to the client device the plurality of predefined rules thus defined.
  - 9. The method of claim 8, wherein defining the plurality of predefined rules comprises:
    - for a given authorization level, presenting a set of configuration options for configuring securing operations for each of the plurality of data types for authorization levels lower than the given authorization level; and
      
      constructing a plurality of rules comprising selected configuration options.
  - 10. The method of claim 1, wherein the plurality of data types comprise at least one of an operating system, encryption and decryption keys, personal information management applications, messaging applications, e-mail data, short message service data, instant messaging data, multimedia message data, voicemail data, calendar data, address book data, or IT policies.

11. A non-transitory computer readable memory having recorded thereon statements and instructions for execution by one or more computing devices to:
- determine an authorization level selected from a plurality of authorization levels for a command issuer at a server, the command issuer being associated with one of said plurality of authorization levels, each one of the plurality of authorization levels permitting issuance of a securing command;
  
  issue the command comprising an indicator of said authorization level from the server;
  
  receive said command at a client device;
  
  determine, using a corresponding predefined rule stored at the client device and associated with said authorization level indicated by said indicator, which of a plurality of data types at the client device is to be secured, said corresponding predefined rule comprising a value indicating each of the plurality of data types to be secured in response to a received command; and
  
  secure, at the client device, the data corresponding to each of the plurality of data types thus determined by;
  
  setting a flag at the client device, the flag comprising a subset value for said each of the plurality of data types, the subset value indicating whether the data of that data type is to be secured,checking each of the subset values of the flag, andcarrying out a securing operation if the subset value indicates that the data of that data type is to be secured, andafter each of the subset values has been checked, resetting the subset values to indicate that no further securing operation is to be carried out.

12. A method comprising:
- determining an authorization level selected from a plurality of authorization levels for a command issuer at a server, the command issuer being associated with one of said plurality of authorization levels, each one of the plurality of authorization levels permitting issuance of a securing command;
  
  issuing the command comprising an indicator of said authorization level from the server;
  
  receiving said command at a client device;
  
  determining which of the plurality of data types at the client device is to be secured by identifying each of a plurality of predefined rules corresponding to an authorization level equal to or less than the authorization level indicated in the received command, each of the plurality of predefined rules being associated with one of the plurality of data types, said each of the plurality of predefined rules comprising a value indicating each of the plurality of data types to be secured in response to a received command; and
  
  securing only the data corresponding to each of the plurality of data types thus identified by;
  
  setting a flag at the client device, the flag comprising a subset value for said each of the plurality of data types, the subset value indicating whether the data of that data type is to be secured,checking each of the subset values of the flag, andcarrying out a securing operation if the subset value indicates that the data of that data type is to be secured, andafter each of the subset values has been checked, resetting the subset values to indicate that no further securing operation is to be carried out.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein the act of securing the data comprises one of deleting the data;
    - encrypting the data;
      
      or encrypting, then deleting, the data.
  - 14. The method of claim 12 wherein the client device comprises a mobile communications device.

15. A non-transitory computer readable memory having recorded thereon statements and instructions for execution by one or more computing devices to:
- determine an authorization level selected from a plurality of authorization levels for a command issuer at a server, the command issuer being associated with one of said plurality of authorization levels, each one of the plurality of authorization levels permitting issuance of a securing command;
  
  issue the command comprising an indicator of said authorization level from the server;
  
  receive said command at a client device;
  
  determine which of the plurality of data types at the client device is to be secured by identifying each of a plurality of predefined rules corresponding to an authorization level equal to or less than the authorization level indicated in the received command, each of the plurality of predefined rules being associated with one of the plurality of data types, said each of the plurality of predefined rules comprising a value indicating each of the plurality of data types to be secured in response to a received command; and
  
  secure only the data corresponding to each of the plurality of data types thus identified by;
  
  setting a flag at the client device, the flag comprising a subset value for said each of the plurality of data types, the subset value indicating whether the data of that data type is to be secured,checking each of the subset values of the flag, andcarrying out a securing operation if the subset value indicates that the data of that data type is to be secured, andafter each of the subset values has been checked, resetting the subset values to indicate that no further securing operation is to be carried out.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blackberry Limited
Original Assignee
Blackberry Limited
Inventors
Brown, Michael S., Brown, Michael K., Little, Herbert A., Totzke, Scott W.
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/016,723
Publication Number

US 20080178300A1
Time in Patent Office

1,390 Days
Field of Search

726/29
US Class Current

726/29
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 21/88   Detecting or preventing the...

G06F 2221/2107   File encryption

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 12/08   Access security

Selectively wiping a remote device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively wiping a remote device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links