Controlling access to resources on a network

US 8,713,646 B2
Filed: 12/09/2011
Issued: 04/29/2014
Est. Priority Date: 12/09/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a proxy server that receives a request from a user of one of a plurality of client devices to access at least one enterprise resource provided by an enterprise device on a network, wherein the request comprises a set of user access credentials associated with the user and a device identifier associated with the one of the plurality of client devices, the proxy server being configured to;

store a copy of a plurality of device profiles respectively associated with the plurality of client devices,receive periodic updates to the plurality of device profiles from the respectively associated plurality of client devices, andauthenticate the user and the client device to determine whether the user is authorized to access to access the requested at least one enterprise resource from the client device, wherein the proxy server authenticates the user based at least in part on the set of user access credentials associated with the user and authenticates the client device based at least in part on the device identifier associated with the client device;

a compliance service that authorizes the client device to communicate with the enterprise device in response to the proxy server authenticating the user and the client device, wherein the compliance service authorizes the client device based at least in part on a determination of whether the periodically updated device profile associated with the client device stored on the proxy server is in compliance with at least one compliance rule; and

wherein the proxy server is further configured to;

modify the request to remove the user access credentials and insert a set of approved enterprise access credentials,transmit the modified request to the enterprise device if the client device is authorized to communicate with the enterprise device and the user has permission to access the at least one enterprise resource from the client device,receive the at least one enterprise resource provided by the enterprise device; and

transmitting the at least one enterprise resource to the client device.

View all claims

5 Assignments

Timeline View

Assignment View

1 Petition

Accused Products

Abstract

Disclosed are various embodiments for controlling access to data on a network. In one embodiment, a proxy service receives a request from a user on a client device to access a quantity of enterprise resources served up by an enterprise device. In response, the proxy service determines whether the user on the client device has been authenticated to access the enterprise resources. The proxy service also determines whether the client device from which the user requested the access is authorized to access the enterprise resources. Responsive to the determination that the user is authentic and that the client device is authorized, the proxy service associates a set of approved enterprise access credentials with the request and facilitates the transmission of the requested enterprise resources to the client device.

Citations

15 Claims

1. A system, comprising:
- a proxy server that receives a request from a user of one of a plurality of client devices to access at least one enterprise resource provided by an enterprise device on a network, wherein the request comprises a set of user access credentials associated with the user and a device identifier associated with the one of the plurality of client devices, the proxy server being configured to;
  
  store a copy of a plurality of device profiles respectively associated with the plurality of client devices,receive periodic updates to the plurality of device profiles from the respectively associated plurality of client devices, andauthenticate the user and the client device to determine whether the user is authorized to access to access the requested at least one enterprise resource from the client device, wherein the proxy server authenticates the user based at least in part on the set of user access credentials associated with the user and authenticates the client device based at least in part on the device identifier associated with the client device;
  
  a compliance service that authorizes the client device to communicate with the enterprise device in response to the proxy server authenticating the user and the client device, wherein the compliance service authorizes the client device based at least in part on a determination of whether the periodically updated device profile associated with the client device stored on the proxy server is in compliance with at least one compliance rule; and
  
  wherein the proxy server is further configured to;
  
  modify the request to remove the user access credentials and insert a set of approved enterprise access credentials,transmit the modified request to the enterprise device if the client device is authorized to communicate with the enterprise device and the user has permission to access the at least one enterprise resource from the client device,receive the at least one enterprise resource provided by the enterprise device; and
  
  transmitting the at least one enterprise resource to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the user access credentials provide the user with access to the proxy server.
  - 3. The system of claim 1, wherein the user access credentials are insufficient alone to provide the user with access to the enterprise device.
  - 4. The system of claim 1, wherein the proxy server authenticates the user and the client device by determining whether the user access credentials match at least one of a plurality of approved user access credentials and determining whether the device identifier matches at least one of a plurality of approved identifiers.
  - 5. The system of claim 4, wherein the approved user access credentials and the approved device identifiers are stored in a data store accessible to the proxy server.
  - 6. The system of claim 1, wherein the at least one compliance rule is specific to the at least one enterprise resource.
  - 7. The system of claim 1, wherein the at least one compliance rule comprises at least one of a plurality of hardware restrictions, a plurality of software restrictions, and a plurality of device management restrictions.
  - 8. The system of claim 1, wherein the user access credentials comprise a user name, a password, and biometric data associated with at least one of facial recognition, retina recognition, and fingerprint recognition.

9. A method comprising:
- receiving a request from a user of a client device to access a quantity of enterprise resources provided by an enterprise device, the request comprising a set of user access credentials associated with the user and a device identifier associated with the client device;
  
  authenticating the user based at least in part on the user access credentials and the client device based at least in part on the device identifier;
  
  in response to authenticating the user and the client device, determining whether the client device is authorized to access the requested quantity of enterprise resources, wherein determining whether the client device is authorized comprises determining whether a periodically updated device profile associated with the client device is in compliance with at least one compliance rule;
  
  modifying the request to remove the user access credentials and insert a set of approved enterprise access credentials;
  
  transmitting the modified request to the enterprise device to receive the requested quantity of enterprise resources;
  
  receiving the requested quantity of enterprise resources from the enterprise device; and
  
  transmitting the requested quantity of enterprise resources to the client device.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein the user access credentials are insufficient alone to provide the user with access to the enterprise device.
  - 11. The method of claim 9, wherein the at least one compliance rule comprises one of a plurality of compliance rules comprising at least one of a plurality of software restrictions, a plurality of hardware restrictions, and a plurality of device management restrictions.

12. A non-transitory computer-readable medium embodying a program executable in a computing device, the program, when executed, performing a method comprising:
- receiving a request from a user of a client device to access a quantity of enterprise resources provided by an enterprise device, the request comprising a set of user access credentials associated with the user and a device identifier associated with the client device;
  
  authenticating the user based at least in part on the user access credentials and the client device based at least in part on the device identifier;
  
  in response to authenticating the user and the client device, determining whether the client device is authorized to access the requested quantity of enterprise resources, wherein determining whether the client device is authorized comprises determining whether a periodically updated device profile associated with the client device is in compliance with at least one compliance rule;
  
  modifying the request to remove the user access credentials and insert a set of approved enterprise access credentials;
  
  transmitting the modified request to the enterprise device to receive the requested quantity of enterprise resources;
  
  receiving the requested quantity of enterprise resources from the enterprise device; and
  
  transmitting the requested quantity of enterprise resources to the client device.
- View Dependent Claims (13, 14, 15)
- - 13. The computer readable medium of claim 12, wherein the user access credentials are insufficient alone to provide the user with access to the requested quantity of enterprise resources.
  - 14. The computer readable medium of claim 12, wherein the at least one compliance rule comprises one of a plurality of compliance rules comprising at least one of a plurality of hardware restrictions, a plurality of software restrictions, and a plurality of device management restrictions.
  - 15. The computer readable medium of claim 12, wherein the user access credentials comprise a user name, a password, and biometric data related to at least one of facial recognition, fingerprint recognition, and retina recognition.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Stuntebeck, Erich
Primary Examiner(s)
Perungavoor, Venkat
Assistant Examiner(s)
DO, KHANG D

Application Number

US13/316,073
Publication Number

US 20130152169A1
Time in Patent Office

872 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/51   Discovery or management the...

H04W 12/37   Managing security policies ...

Controlling access to resources on a network

First Claim

5 Assignments

1 Petition

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to resources on a network

First Claim

5 Assignments

Subscription Required

Subscription Required

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links