Mobile device management
Abstract
Methods and apparatuses that enroll a wireless device into an enterprise service with a management server addressed in a management profile are described. The enrollment may grant a control of configurations of the wireless device to the management server via the management profile. In response to receiving a notification from the management server, a trust of the notification may be verified against the management profile. If the trust is verified, a network session may be established with the management server. The network session may be secured via a certificate in the management profile. Management operations may be performed for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.
44 Claims
1. A machine implemented method for managing a wireless device, the method comprising:
- sending, from the wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device, wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, and the enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
- in response to receiving a push notification associated with the push string from a push server, verifying a trust of the push notification against the management profile stored in the wireless device, wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string, wherein the trust is verified when the first verification string matches the second verification string;
- establishing a secure network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
- performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to a control of configurations of the wireless device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A machine implemented method for managing a wireless device, the method comprising:
- installing a management profile into a configuration of the wireless device to participate in an enterprise service via a management server specified in the management profile, the configuration including one or more profiles to configure the wireless device;
- locking the configuration for the enterprise service via the management profile, the lock to restrict changes of the configuration from user instructions;
- sending, from the wireless device, an enrollment request to a management server addressed in the management profile, wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, and the enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
- in response to receiving a push notification associated with the push string from the push server, verifying a trust of the push notification against the management profile stored in the wireless device, wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string, wherein the trust is verified when the first verification string matches the second verification string;
- in response to receiving one or more commands from the management server, transparently applying updates to the configuration of the wireless device, the updates to enable additional capabilities provided by the enterprise service to the wireless device and the updates to disable existing capabilities prohibited by the enterprise service in the wireless device; and
- in response to receiving a user instruction, uninstalling the management profile to leave the enterprise service.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. A machine implemented method for configuring a wireless device, the method comprising:
- sending, from the wireless device, an enrollment request to a management server addressed in a management profile in a configuration stored in the wireless device, wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, and the enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
- in response to receiving a push notification associated with the push string from the push server, verifying a trust of the push notification against the management profile stored in the wireless device, wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string, wherein the trust is verified when the first verification string matches the second verification string;
- cryptographically establishing a first network connection with a management server if the trust is verified, the first network connection associated with parameters based on the management profile;
- in response to receiving a command from the management server via the first network connection, determining if a condition to perform an operation for the command on the configuration is satisfied; and
- sending a reply to the management server, the reply indicating whether the operation has been performed according to the determination.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33.

34. A machine implemented method for mobile device management, the method comprising:
- generating a management profile having an identity certificate, the management profile to restrict user changes on a configuration of a wireless device to be within a scope of an enterprise service;
- in response to receiving an enrollment request with the identity certificate from the wireless device, verifying the identity certificate to register the wireless device in the enterprise service, wherein the enrollment request includes at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
- sending a push notification to the wireless device via a push server for a polling request, the push notification including the first verification string; and
- in response to receiving the polling request from the wireless device via a network session separate from the push network, sending commands to manage the configuration of the wireless device for the enterprise service.

Dependent claims: 35, 36, 37, 38, 39, 40, 41, 42.

43. A non-transitory machine-readable storage medium having instructions which, when executed by a machine, cause the machine to perform a method for a plurality of messaging services, the method comprising:
- sending, from a wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device, wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, and the enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
- in response to receiving a push notification associated with the push string from a push server, verifying a trust of the push notification against the management profile stored in the wireless device, wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string, wherein the trust is verified when the first verification string matches the second verification string;
- establishing a secure network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
- performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.

44. An apparatus, comprising:
- a memory storing executable instructions;
- a network interface coupled to a push network;
- a processor coupled to the network interface and the memory to execute the executable instructions from the memory for the messaging services, the processor being configured to:
  - send, from a wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device, wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, and the enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  - in response to receiving a push notification associated with the push string from a push server via the push network, verify a trust of the push notification against the management profile, wherein verification comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string, wherein the trust is verified when the first verification string matches the second verification string;
  - establish a network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  - perform management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.

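The enrollment, push-verification and polling sequence that the claims describe, as an added worked example in Python; this is not code from the patent or from any MDM vendor, only an in-memory simulation of the claimed message flow. Every class and field name (ManagementProfile, MdmServer, Device, the `mdm` payload key, the `Settings` command shape, the `Acknowledged`/`Error` statuses) is an assumption; the identity certificate is a placeholder string rather than a real X.509 certificate and the authenticated session is simulated by checking that string; the UDID, topic, verification string and commands are constructed sample values. Beyond claim 1 the run also exercises claim 10's configuration lock and user-initiated profile removal, claim 21's condition check with a status reply, and claim 34's certificate check at enrollment.

```python
import secrets
from dataclasses import dataclass

@dataclass
class ManagementProfile:
    server_url: str     # network address of the management server
    identity_cert: str  # placeholder for the identity certificate installed with the profile
    push_topic: str     # the "push string" the device listens for

class MdmServer:
    def __init__(self, profile_cert, push_topic):
        self.profile_cert, self.push_topic = profile_cert, push_topic
        self.enrolled = {}  # udid -> first verification string ("push magic")
        self.queues = {}    # udid -> pending commands; these never travel over the push network
        self.replies = []   # status reports received over the management session

    def enroll(self, request):
        # Claim 34: verify the identity certificate before registering the device
        if request["identity_cert"] != self.profile_cert:
            raise PermissionError("unknown identity certificate")
        self.enrolled[request["udid"]] = request["push_magic"]
        self.queues[request["udid"]] = []

    def notify(self, udid):
        # The push server is modelled as a plain relay: this returns the (topic, payload)
        # it would forward. The payload carries only the device's verification string.
        return self.push_topic, {"mdm": self.enrolled[udid]}

    def poll(self, udid, session_cert, reply=None):
        # Separate session, authenticated with the certificate from the management profile
        if udid not in self.enrolled or session_cert != self.profile_cert:
            raise PermissionError("unauthenticated session")
        if reply is not None:
            self.replies.append(reply)
        return self.queues[udid].pop(0) if self.queues[udid] else None

class Device:
    def __init__(self, udid, profile):
        self.udid, self.profile, self.locked = udid, profile, False
        self.push_magic = secrets.token_hex(16)  # first verification string, unique per device
        self.config = {"vpn": None, "camera": True}

    def enroll(self, server):
        self.locked = True  # claim 10: configuration locked against user changes
        server.enroll({"udid": self.udid, "identity_cert": self.profile.identity_cert,
                       "push_magic": self.push_magic})

    def verify_push(self, topic, payload):
        # Trust the push only if its topic matches the profile and the second verification
        # string extracted from the payload equals the first one sent at enrollment
        if self.profile is None or topic != self.profile.push_topic:
            return False
        return secrets.compare_digest(str(payload.get("mdm", "")), self.push_magic)

    def apply(self, cmd):
        # Claim 21: check the condition for the operation, then report whether it was done
        if self.locked and cmd.get("RequestType") == "Settings" and cmd["Key"] in self.config:
            self.config[cmd["Key"]] = cmd["Value"]  # applied without user interaction
            return "Acknowledged"
        return "Error"

    def on_push(self, topic, payload, server):
        if not self.verify_push(topic, payload):
            return []  # untrusted notification: no session is opened
        outcomes, reply = [], None
        while (cmd := server.poll(self.udid, self.profile.identity_cert, reply)) is not None:
            reply = {"CommandUUID": cmd["CommandUUID"], "Status": self.apply(cmd)}
            outcomes.append((cmd["CommandUUID"], reply["Status"]))
        return outcomes

    def user_set(self, key, value):
        if self.locked:
            return False  # user change refused while the enterprise profile is installed
        self.config[key] = value
        return True

    def uninstall_profile(self):
        self.locked, self.profile = False, None  # user leaves the enterprise service

def run_demo():
    # End-to-end run on constructed sample values; returns what a caller can check
    cert = "CERT-PLACEHOLDER"  # stands in for the real identity certificate
    profile = ManagementProfile("https://mdm.example.test/checkin", cert, "com.example.mdm")
    server = MdmServer(cert, profile.push_topic)
    device = Device("UDID-SAMPLE-0001", profile)
    device.enroll(server)
    for uuid, key, value in [("c1", "vpn", "corp-vpn"), ("c2", "camera", False), ("c3", "nosuch", 1)]:
        server.queues[device.udid].append({"CommandUUID": uuid, "RequestType": "Settings",
                                           "Key": key, "Value": value})
    # A push whose payload does not carry the device's own verification string is ignored
    forged = device.on_push(profile.push_topic, {"mdm": "guessed-string"}, server)
    genuine = device.on_push(*server.notify(device.udid), server)
    user_change = device.user_set("camera", True)
    device.uninstall_profile()
    return {"forged": forged, "genuine": genuine, "config": dict(device.config),
            "user_change_allowed": user_change, "locked_after_uninstall": device.locked,
            "server_replies": [r["Status"] for r in server.replies]}
```

The point the simulation makes is the division of trust the claims rely on: the push relay is not trusted to carry commands, only to carry the per-device verification string, so a notification that fails the comparison never causes the device to open a session, and even a matching notification only triggers a poll over the separately authenticated session, where every command is answered with a status the server records.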
Specification