Mobile device management

US 8,473,743 B2
Filed: 04/07/2010
Issued: 06/25/2013
Est. Priority Date: 04/07/2010
Status: Active Grant

First Claim

Patent Images

1. A machine implemented method for managing a wireless device, the method comprising:

sending, from the wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device,wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, andthe enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;

in response to receiving a push notification associated with the push string from a push server, verifying a trust of the push notification against the management profile stored in the wireless device,wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string,wherein the trust is verified when the first verification string matches the second verification string;

establishing a secure network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and

performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to a control of configurations of the wireless device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses that enroll a wireless device into an enterprise service with a management server addressed in a management profile are described. The enrollment may grant a control of configurations of the wireless device to the management server via the management profile. In response to receiving a notification from the management server, a trust of the notification may be verified against the management profile. If the trust is verified, a network session may be established with the management server. The network session may be secured via a certificate in the management profile. Management operations may be performed for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.

56 Citations

View as Search Results

44 Claims

1. A machine implemented method for managing a wireless device, the method comprising:
- sending, from the wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device,wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, andthe enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  
  in response to receiving a push notification associated with the push string from a push server, verifying a trust of the push notification against the management profile stored in the wireless device,wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string,wherein the trust is verified when the first verification string matches the second verification string;
  
  establishing a secure network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  
  performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to a control of configurations of the wireless device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the verifying further comprises:
    - causing execution of a suspended process or thread to continue, wherein the verifying is performed using the process or thread.
  - 3. The method of claim 2, wherein the enrollment comprises:
    - sending a request for the enterprise service to the management server via the network address, the request including a device certificate cryptographically identifying the wireless device.
  - 4. The method of claim 1, the at least one device identifier including a push token that enables push notifications sent by the push server to reach the wireless device.
  - 5. The method of claim 1, wherein the performing the management operations comprises:
    - requesting the update commands from the management server via the network session.
  - 6. The method of claim 1, wherein the management operations include a query of a status of the configuration of the wireless device, the status indicates whether an application installed in the wireless device is provisioned in a provisioning profile.
  - 7. The method of claim 6, wherein the management operations include removal of the provisioning profile to disable the application in the wireless device.
  - 8. The method of claim 6, wherein the management operations include installing the provisioning profile to enable the application in the wireless device.
  - 9. The method of claim 1, wherein the configuration includes an authorization data already expired for a capability provided by the enterprise service to the wireless device, and wherein the management operations include an update to bring the authorization data up to date.

10. A machine implemented method for managing a wireless device, the method comprising:
- installing a management profile into a configuration of the wireless device to participate in an enterprise service via a management server specified in the management profile, the configuration including one or more profiles to configure the wireless device;
  
  locking the configuration for the enterprise service via the management profile, the lock to restrict changes of the configuration from user instructions;
  
  sending, from the wireless device, an enrollment request to a management server addressed in the management profile,wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, andthe enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  
  in response to receiving a push notification associated with the push string from the push server, verifying a trust of the push notification against the management profile stored in the wireless device,wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string,wherein the trust is verified when the first verification string matches the second verification string;
  
  in response to receiving one or more commands from the management server, transparently applying updates to the configuration of the wireless device, the updates to enable additional capabilities provided by the enterprise service to the wireless device and the updates to disable existing capabilities prohibited by the enterprise service in the wireless device; and
  
  in response to receiving a user instruction, uninstalling the management profile to leave the enterprise service.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, wherein the uninstalling the management profile comprises:
    - restoring the configuration from the updates; and
      
      unlocking the configuration from the management profile.
  - 12. The method of claim 10, wherein the updates include one or more managed profiles installed from the management server, wherein the one or more managed profiles having dependency relationships, and wherein the application of the updates comprises:
    - maintaining the dependency relationships rooted from the management server within the configuration.
  - 13. The method of claim 12, wherein the uninstalling the management profile comprises:
    - uninstalling the managed profiles according to the dependency relationships.
  - 14. The method of claim 10, wherein the one or more profiles include a provisioning profile to authorize an application installed in the wireless device, wherein the application is outside of the enterprise service and wherein the updates include removal of the provisioning profile from the configuration.
  - 15. The method of claim 10, wherein the one or more profiles include a first restriction profile specifying a first constraint on possible value of a setting in the wireless device, wherein the updates include installation of a second restriction profile specifying a second constraint on the possible value of the setting, wherein the setting has a value satisfying both the first constraint and the second constraint during the participation of the enterprise service.
  - 16. The method of claim 15, wherein the setting has a first value prior to the participation of the enterprise service, the first value contradicting the second constraint, and wherein the updates include changing the setting from the first value to the value.
  - 17. The method of claim 16, wherein the second restriction profile is uninstalled if the management profile is uninstalled.
  - 18. The method of claim 10, wherein the application of the updates comprises installing a profile from the management server into the configuration of the wireless device.
  - 19. The method of claim 10, wherein the application of the updates comprises removing a profile from the configuration of the wireless device.
  - 20. The method of claim 10, wherein the application of the updates comprises replacing one of the one or more profiles in the configuration of the wireless device.

21. A machine implemented method for configuring a wireless device, the method comprising:
- sending, from the wireless device, an enrollment request to a management server addressed in a management profile in a configuration stored in the wireless device,wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, andthe enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  
  in response to receiving a push notification associated with the push string from the push server, verifying a trust of the push notification against the management profile stored in the wireless device,wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string,wherein the trust is verified when the first verification string matches the second verification string;
  
  cryptographically establishing a first network connection with a management server if the trust is verified, the first network connection associated with parameters based on the management profile;
  
  in response to receiving a command from the management server via the first network connection, determining if a condition to perform an operation for the command on the configuration is satisfied; and
  
  sending a reply to the management server, the reply indicating whether the operation has been performed according to the determination.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. The method of claim 21, wherein the management profile specifies one or more rights, wherein the command violates at least one of the rights and wherein the reply indicates the condition cannot be satisfied to perform the operation for the command.
  - 23. The method of claim 21, wherein the condition is determined not yet satisfied, the method further comprising:
    - waiting in a sleep state for the condition to be satisfied; and
      
      cryptographically establishing a second network connection with the management server for receiving the command when the condition is satisfied.
  - 24. The method of claim 21, wherein the waiting comprises:
    - terminating the first network connection; and
      
      storing a cookie data indicating the command for the enterprise service.
  - 25. The method of claim 24, further comprising:
    - registering an event associated with the condition; and
      
      waking up in response to receiving a notification of the event.
  - 26. The method of claim 21, wherein the push notification is received via a push network separate from the first network connection.
  - 27. The method of claim 21, wherein the wireless device stores at least one identity, wherein the push notification includes payload data, further comprising:
    - generating the at least one identity, wherein the authenticity of the push notification depends on whether the payload data includes the at least one identity.
  - 28. The method of claim 21, wherein the operation adds restrictions to the configuration and where in the restrictions prohibit enabling of an application installed in the wireless device.
  - 29. The method of claim 21, wherein the management profile includes an identity certificate, and wherein the first network connection is based on HTTPS (Hypertext Transfer Protocol Secure) authenticated via the identity certificate.
  - 30. The method of claim 21, further comprising:
    - sending a polling request to the management server via the first network connection transparently to a user, the polling request indicating the wireless device is ready to receive the command.
  - 31. The method of claim 30, further comprising:
    - sending another polling request separate from the polling request to the management server via the first network connection after the operation is successfully performed.
  - 32. The method of claim 21, wherein the wireless device is locked by a user, wherein the operation includes a change to the configuration, and wherein the condition depends on when the wireless device is unlocked by the user.
  - 33. The method of claim 21, wherein the condition is associated with a current processing load of the wireless device, and wherein the condition is satisfied if the current processing load is below a threshold specified in the configuration.

34. A machine implemented method for mobile device management, the method comprising:
- generating a management profile having an identity certificate, the management profile to restrict user changes on a configuration of a wireless device to be within a scope of an enterprise service;
  
  in response to receiving an enrollment request with the identity certificate from the wireless device, verifying the identity certificate to register the wireless device in the enterprise service, wherein the enrollment request includes at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  
  sending a push notification to the wireless device via a push server for a polling request, the push notification including the first verification string; and
  
  in response to receiving the polling request from the wireless device via a network session separate from the push network, sending commands to manage the configuration of the wireless device for the enterprise service.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42)
- - 35. The method of claim 34, wherein the notification includes a push token to enable the notification to reach the wireless device via the push network, wherein the enrollment request is received via a particular network session, and wherein the push token is received from the wireless device via the particular network session.
  - 36. The method of claim 34, wherein the wireless device is associated with a UDID (unique device identifier) in the enterprise service, wherein the polling request includes a device identifier, and wherein the sending the commands comprises:
    - verifying an identity of the wireless device based on the UDID and the device identifier.
  - 37. The method of claim 34, wherein the polling request includes an identity certificate, the method further comprising:
    - cryptographically verifying a trust of the wireless device based on the identity certificate.
  - 38. The method of claim 34, wherein the push network is a 3G network over the air.
  - 39. The method of claim 34, wherein the commands include a query command for inspecting a status of the wireless device.
  - 40. The method of claim 39, further comprising:
    - determining additional commands for the wireless device based on the status.
  - 41. The method of claim 40, wherein the status indicates a provisioning profile authorizing an application outside the scope of the enterprise service, and wherein the additional commands include a removal command to remove the provisioning profile.
  - 42. The method of claim 34, wherein the commands include an installation command for installing a provisioning profile to the wireless device, the provisioning profile authorizing an application installed in the wireless device.

43. A non-transitory machine-readable storage medium having instructions, when executed by a machine, cause the machine to perform a method for a plurality of messaging services, the method comprising:
- sending, from a wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device,wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, andthe enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  
  in response to receiving a push notification associated with the push string from a push server, verifying a trust of the push notification against the management profile stored in the wireless device,wherein verifying comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string,wherein the trust is verified when the first verification string matches the second verification string;
  
  establishing a secure network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  
  performing management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.

44. An apparatus, comprising:
- a memory storing executable instructions;
  
  a network interface coupled to a push network;
  
  a processor coupled to the network interface and the memory to execute the executable instructions from the memory for the messaging services, the processor being configured to;
  
  send, from a wireless device, an enrollment request to a management server addressed in a management profile stored in the wireless device,wherein the management profile includes a network address of the management server, an identity certificate, and a push string to be used by the wireless device to receive push notifications, andthe enrollment request is a request to grant control of the wireless device to the management server in accordance with the management profile, the enrollment request including at least one device identifier uniquely identifying the wireless device, and a first verification string for verifying trust of the push notification, the first verification string uniquely identifying the wireless device;
  
  in response to receiving a push notification associated with the push string from a push server via the push network, verify a trust of the push notification against the management profile;
  
  wherein verification comprises extracting a second verification string from a payload of the push notification and comparing the first verification string to the second verification string,wherein the trust is verified when the first verification string matches the second verification string;
  
  establish a network session with the management server if the trust is verified, the network session being secured via a certificate in the management profile; and
  
  perform management operations for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Freedman, Gordie, Rahardja, David
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US12/756,146
Publication Number

US 20110252240A1
Time in Patent Office

1,175 Days
Field of Search

713/169, 713/153, 713/168, 726/1, 726/25, 726/26
US Class Current

713/169
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0823   using certificates cryptogr...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

H04W 4/50   Service provisioning or rec...

H04W 8/22   Processing or transfer of t...

Mobile device management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile device management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links