Providing virtualized private network tunnels
First Claim
1. A method, comprising:
receiving an authentication challenge at a mobile device in connection with an authentication process for a managed application establishing a per-application policy-controlled virtual private network (VPN) tunnel that is inaccessible to other applications of the mobile device;
analyzing policy information to determine that the policy information allows the mobile device to respond to the authentication challenge instead of a user or the managed application, wherein the policy information describes one or more policies for providing the managed application with access to at least one resource accessible through an access gateway;
responding, by the mobile device, to the authentication challenge instead of the user or the managed application;
providing the managed application with access to the at least one resource based at least on the per-application policy-controlled VPN tunnel, a ticket configured to provide authentication in connection with establishing the per-application policy-controlled VPN tunnel, and the policy information, wherein the ticket includes a validity duration;
transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
Abstract
Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when re-establishing a per-application policy-controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
19 Claims
1. A method, comprising: (independent claim, reproduced in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method, comprising:
providing a managed browser executing on a mobile device with access to at least one resource accessible through an access gateway based at least on a per-application policy-controlled virtual private network (VPN) tunnel that is inaccessible to applications of the mobile device different from the managed browser, a ticket configured to provide authentication in connection with creating the per-application policy-controlled VPN tunnel, and policy information that describes one or more policies for providing the managed browser with access to the at least one resource, wherein the ticket includes a validity duration;
receiving a message representing a demand for a certificate at a mobile device in connection with the managed browser;
analyzing policy information to determine that the policy information allows the mobile device to respond to the message instead of a user or the managed browser;
responding, by the mobile device, to the message instead of the user or the managed browser;
transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
Dependent claims: 11, 12, 13, 14, 15
16. A method, comprising:
receiving, at an access gateway through which at least one resource is accessible, a message in connection with an initial authentication process that authenticates a user prior to allowing a managed application executing on a mobile device access to the at least one resource;
determining credential information associated with the user, wherein the credential information includes a ticket configured to provide authentication in connection with creating a per-application policy-controlled virtual private network (VPN) tunnel to access the at least one resource, wherein the ticket includes a validity duration;
transmitting the credential information to at least the mobile device;
opening the per-application policy-controlled VPN tunnel to provide the managed application with access to the at least one resource;
receiving, during the validity duration, the ticket at the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
after closing the per-application policy-controlled VPN tunnel, receiving, during the validity duration, the ticket at the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
Dependent claims: 17, 18, 19
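The three independent claims describe one exchange seen from two ends: the user authenticates once to the access gateway and receives a ticket with a validity duration; the mobile device then presents that ticket to re-open the per-application tunnel, answering the gateway's challenge itself where policy allows, until the ticket expires or is wiped from the secure container. The Python model below is an added example, not code from the patent or from any assignee's product. It assumes an HMAC-signed JSON ticket bound to one application identifier, a policy dictionary with a single `device_may_answer` flag, and a gateway-side revocation set standing in for the selective wipe; the names `AccessGateway`, `MobileDevice` and `run_scenario`, the sample policy and the credentials are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed policy (not from the patent): may the device answer the
# gateway's authentication challenge on behalf of this managed app?
POLICY = {"com.example.mail": {"device_may_answer": True},
          "com.example.notes": {"device_may_answer": False}}
TICKET_VALIDITY = 3600  # validity duration in seconds (assumed value)


class AccessGateway:
    """Gateway side (claim 16): one user authentication yields a signed ticket
    with a validity duration; a valid ticket re-opens the per-app tunnel."""

    def __init__(self, key, policy, users):
        self._key, self.policy, self._users = key, policy, users
        self._revoked = set()      # ticket ids invalidated by a selective wipe
        self.open_tunnels = set()  # ticket ids with a tunnel currently open
        self._seq = 0

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def initial_auth(self, user, password, app_id, now):
        """Credential information (a ticket) after user auth, else None."""
        if self._users.get(user) != password or app_id not in self.policy:
            return None
        self._seq += 1
        body = json.dumps({"id": f"t{self._seq}", "user": user, "app": app_id,
                           "exp": now + TICKET_VALIDITY}, sort_keys=True)
        return {"body": body, "mac": self._mac(body)}

    def open_tunnel(self, ticket, app_id, now):
        """(Re)establish the tunnel if the ticket is authentic, unexpired,
        not wiped, and bound to the application presenting it."""
        if not hmac.compare_digest(self._mac(ticket["body"]), ticket["mac"]):
            return False
        c = json.loads(ticket["body"])
        if c["app"] != app_id or now >= c["exp"] or c["id"] in self._revoked:
            return False
        self.open_tunnels.add(c["id"])
        return True

    def close_tunnel(self, ticket):
        self.open_tunnels.discard(json.loads(ticket["body"])["id"])

    def revoke(self, ticket):
        """Gateway half of a selective wipe: this ticket is never honoured again."""
        self._revoked.add(json.loads(ticket["body"])["id"])


class MobileDevice:
    """Device side (claims 1 and 10): one ticket per managed app in a secure
    container; answers the challenge itself only where policy allows."""

    def __init__(self, gateway):
        self.gw, self.container, self.user_prompts = gateway, {}, 0

    def enroll(self, user, password, app_id, now):
        ticket = self.gw.initial_auth(user, password, app_id, now)
        if ticket is None:
            return False
        self.container[app_id] = ticket          # stored in the secure container
        return self.gw.open_tunnel(ticket, app_id, now)

    def answer_challenge(self, app_id, now):
        """Respond to the challenge instead of the user or the application."""
        ticket = self.container.get(app_id)
        if not self.gw.policy.get(app_id, {}).get("device_may_answer") or ticket is None:
            self.user_prompts += 1  # policy forbids it: the user must be asked
            return False
        return self.gw.open_tunnel(ticket, app_id, now)

    def selective_wipe(self, app_id):
        ticket = self.container.pop(app_id, None)
        if ticket is not None:
            self.gw.revoke(ticket)


def run_scenario():
    """The claimed sequence plus the checks the gateway must enforce."""
    gw = AccessGateway(b"gateway-secret-key", POLICY, {"alice": "correct horse"})
    dev, t0, mail = MobileDevice(gw), 1_700_000_000, "com.example.mail"
    r = {"enrolled": dev.enroll("alice", "correct horse", mail, t0)}
    ticket = dev.container[mail]
    gw.close_tunnel(ticket)
    r["first"] = dev.answer_challenge(mail, t0 + 10)    # re-established, no prompt
    gw.close_tunnel(ticket)
    r["second"] = dev.answer_challenge(mail, t0 + 600)  # re-established again
    r["cross_app"] = gw.open_tunnel(ticket, "com.example.notes", t0 + 600)
    r["expired"] = gw.open_tunnel(ticket, mail, t0 + TICKET_VALIDITY)
    exp = json.loads(ticket["body"])["exp"]
    forged = {"body": ticket["body"].replace(str(exp), str(exp + 86400)), "mac": ticket["mac"]}
    r["forged"] = gw.open_tunnel(forged, mail, t0 + TICKET_VALIDITY)
    r["notes"] = dev.answer_challenge("com.example.notes", t0)  # policy: ask the user
    dev.selective_wipe(mail)
    r["after_wipe"] = gw.open_tunnel(ticket, mail, t0 + 700)
    r["prompts"] = dev.user_prompts
    return r
```

`run_scenario()` walks the claimed sequence (open, close, re-open twice within the validity duration without prompting the user) and then exercises what the gateway must refuse: the ticket presented by a different application, the ticket after its validity duration, a ticket whose body was altered without re-signing, and a ticket that has been wiped. The application binding inside the signed ticket is what keeps the tunnel per-application rather than per-device; without it, any application that obtained the ticket could reuse the same tunnel.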
Specification