System for the distribution and deployment of applications with provisions for security and policy conformance
First Claim
1. A method for deploying applications to endpoint devices, the method comprising:
obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;
launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;
during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether an application is bound to an endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;
determining the authenticity of the user;
determining whether the application is bound to the user, wherein determining whether the application is bound to the user comprises;
obtaining the user-binding token;
comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and
when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and
invoking the application logic on the endpoint device if the application is bound to the user and to the device and the user is authenticated.
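The launch sequence recited in claim 1, modeled in Python as an added example (not code from the patent). The names `App`, `launch` and `binding_token` are hypothetical. Assumptions: a token "matches" an ID when it equals the SHA-256 of that ID, the gateway link is reduced to an ordered event trace, and the authentication result is passed in as a boolean.

```python
import hashlib
import hmac

def binding_token(identifier: str) -> str:
    # Assumption: a token "matches" an ID when it equals SHA-256(ID) in hex.
    return hashlib.sha256(identifier.encode()).hexdigest()

def matches(token: str, identifier: str) -> bool:
    return hmac.compare_digest(token, binding_token(identifier))

class App:  # hypothetical model of a packaged application
    def __init__(self, app_id, device_token, user_token, key: bytes):
        self.app_id, self.device_token, self.user_token = app_id, device_token, user_token
        self.key = bytearray(key)  # mutable, so it can be overwritten in place
        self.events = []           # ordered trace standing in for the gateway link

    def erase_keys(self):
        for i in range(len(self.key)):
            self.key[i] = 0        # best effort: Python may hold other copies
        self.key.clear()
        self.events.append("erase_keys")

def launch(app: App, device_id: str, user_authenticated: bool) -> str:
    app.events.append("connect_gateway")
    if not matches(app.device_token, device_id):
        app.events.append("halt")
        return "halted"            # not bound to this device
    if not user_authenticated:     # assumption: checked before user binding
        return "refused"
    if not matches(app.user_token, app.app_id):
        app.erase_keys()           # claim order: erase first, then disconnect
        app.events.append("disconnect_gateway")
        return "disconnected"
    app.events.append("invoke_logic")
    return "running"

def demo():
    # Constructed sample IDs and key.
    dev, aid, key = "DEV-001", "com.example.notes", b"\x11" * 16
    good = App(aid, binding_token(dev), binding_token(aid), key)
    moved = App(aid, binding_token(dev), binding_token(aid), key)
    rebound = App(aid, binding_token(dev), binding_token("other.app"), key)
    return [(launch(good, dev, True), good.events, len(good.key)),
            (launch(moved, "DEV-999", True), moved.events, len(moved.key)),
            (launch(rebound, dev, True), rebound.events, len(rebound.key))]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third case shows the ordering the claim requires: the key material is gone before the gateway connection is dropped, so data encrypted under it on the device is unreadable from that point on.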
Abstract
A system and method are disclosed for deploying applications to endpoint devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.
26 Claims
25. A method for deploying applications to endpoint devices, the method comprising:
obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;
launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;
during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether the application is bound to the endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;
determining the authenticity of the user;
comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and
when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and
invoking the application logic on the endpoint device if the application is bound to the user and to the device and the user is authenticated.
26. A method for deploying applications to endpoint devices, the method comprising:
obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;
launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;
during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether an application is bound to an endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;
determining whether the application is bound to the user, wherein determining whether the application is bound to the user includes;
obtaining the user-binding token;
comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and
when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and
invoking the application logic on the endpoint device if the application is bound to the user and to the endpoint device.
Specification