Mobile posture-based policy, remediation and access control for enterprise resources

US 8,869,307 B2
Filed: 11/19/2010
Issued: 10/21/2014
Est. Priority Date: 11/19/2010
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, from a control agent installed on a mobile device, a list that includes one or more applications currently installed on the mobile device;

detecting, based at least in part on the list, an installation of at least one new application on the mobile device;

determining, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application;

in the event that the installation of the new application is determined to be not authorized, adjusting a state of one or more mobile device data objects associated with the mobile device; and

denying access by the mobile device to one or more network application services based at least in part on the adjusted state of the one or more mobile device data objects, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.

View all claims

6 Assignments

Timeline View

Assignment View

Litigations

3 Petitions

Accused Products

Abstract

A mobile device management system that monitors the security state of one or more mobile devices and sets indicators related to such security state. Enterprise network applications, such as an email application, can access the security state information when making access control decisions with respect to a given mobile device.

39 Citations

View as Search Results

24 Claims

1. A computer-implemented method, comprising:
- receiving, from a control agent installed on a mobile device, a list that includes one or more applications currently installed on the mobile device;
  
  detecting, based at least in part on the list, an installation of at least one new application on the mobile device;
  
  determining, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application;
  
  in the event that the installation of the new application is determined to be not authorized, adjusting a state of one or more mobile device data objects associated with the mobile device; and
  
  denying access by the mobile device to one or more network application services based at least in part on the adjusted state of the one or more mobile device data objects, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising blocking the new application from launching on the mobile device.
  - 3. The method of claim 1 further comprising receiving an indication from a control client installed on the mobile device that the at least one new application has been installed on the mobile device.
  - 4. The method of claim 1 further comprising transmitting a command to a control client installed on the mobile device, the command operative to cause the control client to delete one or more files on the mobile device.
  - 5. The method of claim 1 further comprising transmitting one or more notifications if the new application is not authorized.
  - 6. The method of claim 1 wherein the mobile device data objects are accessible to one or more remote network application services.
  - 7. The method of claim 1, wherein based at least in part on the adjusted state of the one or more mobile device data objects associated with the mobile device, a web sockets proxy or firewall denies access by the mobile device to one or more network applications.
  - 8. The method of claim 1, wherein the control agent detects installation of the new application and updates the list of applications currently installed on the mobile device based at least in part on the detected installation.

9. An apparatus, comprising:
- a memory;
  
  a network interface;
  
  one or more processors; and
  
  computer program code stored on a non-transitory computer-readable medium comprising instructions operative, when executed, to cause the one or more processors to;
  
  receive, from a control agent installed on a mobile device, a list that includes one or more applications currently installed on the mobile device;
  
  detect, based at least in part on the list, an installation of at least one new application on the mobile device;
  
  determine, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application;
  
  in the event that the installation of the new application is determined to be not authorized, adjust a state of one or more mobile device data objects associated with the mobile device; and
  
  deny access by the mobile device to one or more network application services based at least in part on the adjusted state of the one or more mobile device data objects, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9 wherein the computer program code further comprises instructions operative to cause the one or more processors to receive an indication from a control client installed on the mobile device that the application has been installed on the mobile device.
  - 11. The apparatus of claim 9 wherein the computer program code further comprises instructions operative to cause the one or more processors to:
    - transmit a command to a control client installed on the mobile device, the command operative to cause the control client to delete one or more files on the mobile device.
  - 12. The apparatus of claim 9 wherein the computer program code further comprises instructions operative to cause the one or more processors to:
    - transmit one or more notifications if the application is not authorized.
  - 13. The apparatus of claim 9 wherein the mobile device data objects are accessible to one or more remote network application services.
  - 14. The apparatus of claim 9, wherein based at least in part on the adjusted state of the one or more mobile device data objects associated with the mobile device, a web sockets proxy or firewall denies access by the mobile device to one or more network applications.
  - 15. The apparatus of claim 9, wherein the control agent detects installation of the new application and updates the list of applications currently installed on the mobile device based at least in part on the detected installation.

16. An apparatus, comprising:
- a memory;
  
  a network interface;
  
  one or more processors; and
  
  computer program code stored on a non-transitory computer-readable medium comprising instructions operative, when executed, to cause the one or more processors to;
  
  monitor a security state of one or more managed mobile devices at least in part by receiving, from control clients installed on each of the one or more managed mobile devices, lists that include one or more applications currently installed on each of the one or more managed mobile devices;
  
  detect, based at least in part on a first list, an installation of a new application on a first managed mobile device;
  
  determine, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the first managed mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application;
  
  in the event that the installation of the new application is determined to be not authorized, adjust the monitored security state associated with the first managed mobile device, wherein a mobile device security data structure includes a plurality of posture-based profiles that include the monitored security state associated with each of the one or more managed mobile devices; and
  
  deny access by the first managed mobile device to one or more network application services based at least in part on the adjusted monitored security state associated with the first managed mobile device, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The apparatus of claim 16 wherein the computer program code further comprises instructions operative to cause the one or more processors to block the new application from launching on the first managed mobile device.
  - 18. The apparatus of claim 16 wherein the computer program code further comprises instructions operative to cause the one or more processors to receive an indication from a control client installed on the first managed mobile device that the new application has been installed on the first managed mobile device.
  - 19. The apparatus of claim 16 wherein the computer program code further comprises instructions operative to cause the one or more processors to receive an indication from a control client installed on the first managed mobile device that a security profile configuration of the mobile device does not meet a current security policy.
  - 20. The apparatus of claim 16, wherein the mobile device security data structure is accessible to one or more network application services, and wherein based at least in part on the adjusted monitored security state associated with the first managed mobile device, at least one network application service determines to deny access by the first managed mobile device.
  - 21. The apparatus of claim 16, wherein the mobile device security data structure is accessible to a web sockets proxy or a firewall, and wherein based at least in part on the adjusted monitored security state associated with the first managed mobile device, the web sockets proxy or the firewall determines to deny access by the first managed mobile device to one or more network application services.

22. A system, comprising:
- a mobile device management system comprising a processor and a memory coupled with the processor, wherein the processor is operative to;
  
  monitor a security state of one or more managed mobile devices at least in part by receiving, from control clients installed on each of the one or more managed mobile devices, lists that include or more applications currently installed on each of the one or more managed mobile devices;
  
  detect, based at least in part on a first list, an installation of a new application on a first managed mobile device;
  
  determine, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the first managed mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application; and
  
  in the event that the installation of the new application is determined to be not authorized, adjust the monitored security state associated with the first managed mobile device, wherein a mobile device security data structure includes a plurality of posture-based profiles that include the security state associated with each of the one or more managed mobile devices, and wherein the mobile device security data structure is accessible to one or more network application services;
  
  one or more network application services, each comprising a processor and a memory coupled with the processor, wherein the processor is operative to;
  
  host an enterprise network application;
  
  receive a request from a managed mobile device to access the enterprise network application;
  
  access the mobile device security data structure to determine the security state of the managed mobile device based at least in part on the posture-based profile associated with the managed mobile device; and
  
  in the event that the determined security state indicates installation of one or more unauthorized applications on the managed mobile device, deny the managed mobile device access to the enterprise network application based at least in part on the determined security state, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the enterprise network application.
- View Dependent Claims (23, 24)
- - 23. The system of claim 22 wherein the mobile device management system is operative to interact with control clients installed on the managed mobile devices to monitor the security state of the one or more managed mobile devices.
  - 24. The system of claim 22 further comprising one or more managed mobile devices, each comprising a control client operative to interact with the mobile device management system.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Broch, Josh Glenn, Singamsetty, Ratnarekha, Lindeman, Jesse Wagner, Batchu, Suresh Kumar
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US12/950,947
Publication Number

US 20120131685A1
Time in Patent Office

1,432 Days
Field of Search

726 1- 27, 709/217, 455/410, 455/411
US Class Current

726/30
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/102   Entity profiles

H04L 63/168   above the transport layer

H04M 1/72403   with means for local suppor...

H04M 1/72463   to restrict the functionali...

H04M 1/724631   by limiting the access to t...

H04W 12/08   Access security

H04W 12/082   using revocation of authori...

H04W 12/37   Managing security policies ...

H04W 24/00   Supervisory, monitoring or ...

H04W 48/02   Access restriction performe...

H04W 8/22   Processing or transfer of t...

Mobile posture-based policy, remediation and access control for enterprise resources

First Claim

6 Assignments

Litigations

3 Petitions

Accused Products

Abstract

39 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile posture-based policy, remediation and access control for enterprise resources

First Claim

6 Assignments

Subscription Required

Subscription Required

Litigations

3 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links