Mobile posture-based policy, remediation and access control for enterprise resources
First Claim

1. A computer-implemented method, comprising:
- receiving, from a control agent installed on a mobile device, a list that includes one or more applications currently installed on the mobile device;
- detecting, based at least in part on the list, an installation of at least one new application on the mobile device;
- determining, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application;
- in the event that the installation of the new application is determined to be not authorized, adjusting a state of one or more mobile device data objects associated with the mobile device; and
- denying access by the mobile device to one or more network application services based at least in part on the adjusted state of the one or more mobile device data objects, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.
Abstract
A mobile device management system that monitors the security state of one or more mobile devices and sets indicators related to such security state. Enterprise network applications, such as an email application, can access the security state information when making access control decisions with respect to a given mobile device.
24 Claims

1. A computer-implemented method, comprising: (independent claim 1, quoted in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An apparatus, comprising:
- a memory;
- a network interface;
- one or more processors; and
- computer program code stored on a non-transitory computer-readable medium comprising instructions operative, when executed, to cause the one or more processors to: receive, from a control agent installed on a mobile device, a list that includes one or more applications currently installed on the mobile device; detect, based at least in part on the list, an installation of at least one new application on the mobile device; determine, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application; in the event that the installation of the new application is determined to be not authorized, adjust a state of one or more mobile device data objects associated with the mobile device; and deny access by the mobile device to one or more network application services based at least in part on the adjusted state of the one or more mobile device data objects, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. An apparatus, comprising:
- a memory;
- a network interface;
- one or more processors; and
- computer program code stored on a non-transitory computer-readable medium comprising instructions operative, when executed, to cause the one or more processors to: monitor a security state of one or more managed mobile devices at least in part by receiving, from control clients installed on each of the one or more managed mobile devices, lists that include one or more applications currently installed on each of the one or more managed mobile devices; detect, based at least in part on a first list, an installation of a new application on a first managed mobile device; determine, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the first managed mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application; in the event that the installation of the new application is determined to be not authorized, adjust the monitored security state associated with the first managed mobile device, wherein a mobile device security data structure includes a plurality of posture-based profiles that include the monitored security state associated with each of the one or more managed mobile devices; and deny access by the first managed mobile device to one or more network application services based at least in part on the adjusted monitored security state associated with the first managed mobile device, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the one or more network application services.
Dependent claims: 17, 18, 19, 20, 21.
22. A system, comprising:
- a mobile device management system comprising a processor and a memory coupled with the processor, wherein the processor is operative to: monitor a security state of one or more managed mobile devices at least in part by receiving, from control clients installed on each of the one or more managed mobile devices, lists that include one or more applications currently installed on each of the one or more managed mobile devices; detect, based at least in part on a first list, an installation of a new application on a first managed mobile device; determine, in response to the detection of the installation of the new application, whether the new application is authorized to be installed on the first managed mobile device based at least in part on one or more policies that indicate whether the new application is a recognized application; and in the event that the installation of the new application is determined to be not authorized, adjust the monitored security state associated with the first managed mobile device, wherein a mobile device security data structure includes a plurality of posture-based profiles that include the security state associated with each of the one or more managed mobile devices, and wherein the mobile device security data structure is accessible to one or more network application services;
- one or more network application services, each comprising a processor and a memory coupled with the processor, wherein the processor is operative to: host an enterprise network application; receive a request from a managed mobile device to access the enterprise network application; access the mobile device security data structure to determine the security state of the managed mobile device based at least in part on the posture-based profile associated with the managed mobile device; and in the event that the determined security state indicates installation of one or more unauthorized applications on the managed mobile device, deny the managed mobile device access to the enterprise network application based at least in part on the determined security state, wherein access is denied by blocking, at an intermediate node, traffic from the mobile device to the enterprise network application.
Dependent claims: 23, 24.
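A minimal working model of the flow the independent claims describe, added here as an illustration and not code from the patent or from any product it covers: a control agent's installed-app inventory is received, new installations are checked against a recognized-application policy, the device's posture object is adjusted, and an intermediate node allows or blocks traffic to a protected service based on that state. The application identifiers, the service name and the class names are assumptions; the "fail closed" handling of a device with no posture record is an added caveat, not something the claims specify.

```python
from dataclasses import dataclass, field

# Constructed policy: application identifiers the enterprise recognizes (assumed names).
RECOGNIZED_APPS = {"com.example.mail", "com.example.calendar", "com.example.vpn"}

@dataclass
class DevicePosture:  # the per-device "mobile device data object" / posture-based profile
    device_id: str
    installed: set = field(default_factory=set)
    unauthorized: set = field(default_factory=set)
    compliant: bool = True

class MdmServer:  # receives inventories from control agents; holds the security data structure
    def __init__(self, recognized):
        self.recognized = set(recognized)
        self.profiles = {}  # device_id -> DevicePosture

    def receive_inventory(self, device_id, app_list):
        profile = self.profiles.setdefault(device_id, DevicePosture(device_id))
        new_apps = set(app_list) - profile.installed  # detect new installation(s)
        profile.installed = set(app_list)
        for app in new_apps:  # authorize each new app against the recognized-app policy
            if app not in self.recognized:
                profile.unauthorized.add(app)
        profile.unauthorized &= profile.installed  # remediation: uninstalling clears the finding
        profile.compliant = not profile.unauthorized  # adjust the state of the data object
        return sorted(new_apps)

class IntermediateNode:  # gateway in front of the network application services
    def __init__(self, mdm, protected_services):
        self.mdm = mdm
        self.protected = set(protected_services)

    def allow(self, device_id, service):
        if service not in self.protected:
            return True
        profile = self.mdm.profiles.get(device_id)
        return profile is not None and profile.compliant  # unknown device: fail closed (assumption)

def demo():
    mdm = MdmServer(RECOGNIZED_APPS)
    gateway = IntermediateNode(mdm, {"mail"})
    mdm.receive_inventory("dev-1", ["com.example.mail", "com.unknown.game"])
    blocked = gateway.allow("dev-1", "mail")  # unrecognized install: traffic blocked at the node
    mdm.receive_inventory("dev-1", ["com.example.mail"])  # agent reports the app was removed
    return blocked, gateway.allow("dev-1", "mail")  # posture restored: access allowed again

if __name__ == "__main__":
    print(demo())  # (False, True)
```

Because compliance is recomputed from each full inventory, a later report that no longer lists the unrecognized application restores access without any manual reset, which is the remediation path the posture-based profile is meant to support.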
Specification