Delegating authorization to applications on a client device in a networked environment

US 8,997,187 B2
Filed: 03/15/2013
Issued: 03/31/2015
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium encoded with software for execution and, when executed, operable to:

send to a remote server, from an agent application, a request for a first access credential;

receive from the remote server, the first access credential;

determine, by the agent application monitoring a managed application, that the managed application requires a second access credential;

in response to the determination that the managed application requires the second access credential, sending to the managed application, from the agent application, the second access credential;

store, by the agent application, an identification of a plurality of managed applications to be monitored for a need of the second access credential; and

monitor, by the agent application, the plurality of managed applications for the need of the second access credential.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-readable medium encoded with software for execution. When executed, the software may be operable to send to a remote server, from an agent application, a request for a first access credential. The software may also be operable to receive from the remote server, the first access credential. The software may further be operable to determine, by the agent application monitoring a managed application, that the managed application requires a second access credential. The software may additionally be operable to, in response to the determination that the managed application requires the second access credential, sending to the managed application, from the agent application, the second access credential.

214 Citations

18 Claims

1. A non-transitory computer-readable medium encoded with software for execution and, when executed, operable to:
- send to a remote server, from an agent application, a request for a first access credential;
  
  receive from the remote server, the first access credential;
  
  determine, by the agent application monitoring a managed application, that the managed application requires a second access credential;
  
  in response to the determination that the managed application requires the second access credential, sending to the managed application, from the agent application, the second access credential;
  
  store, by the agent application, an identification of a plurality of managed applications to be monitored for a need of the second access credential; and
  
  monitor, by the agent application, the plurality of managed applications for the need of the second access credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the software is further operable to:
    - receive at least one compliance rule; and
      
      determine if a device profile complies with the at least one compliance rule prior to sending the second access credential.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the software is further operable to:
    - determine, by the agent application monitoring the plurality of managed applications, that at least one of the plurality of managed applications requires the second access credential.
  - 4. The non-transitory computer-readable medium of claim 1, wherein:
    - determining that the managed application requires the second access credential comprises receiving, at the agent application, a request for the second access credential from the managed application.
  - 5. The non-transitory computer-readable medium of claim 1, wherein:
    - determining that the managed application requires the second access credential comprises monitoring, with the agent application, whether the managed application communicated with a resource server.
  - 6. The non-transitory computer-readable medium of claim 1, wherein:
    - the request comprises;
      
      a device identifier;
      
      a user credential; and
      
      device profile information.
  - 7. The non-transitory computer-readable medium of claim 1, wherein:
    - the request comprises a designation of at least the managed application as an intended delegate.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the software is further operable to:
    - receive from the remote server a designation of at least the managed application as an allowable delegate.
  - 9. The non-transitory computer-readable medium of claim 1, wherein the software is further operable to:
    - send, to the managed application, from the agent application, a revocation of the second access credential.
  - 10. The non-transitory computer-readable medium of claim 9, wherein the software is further operable to:
    - receive instructions, from the remote server, to revoke a delegation of the second access credential.
  - 11. The non-transitory computer-readable medium of claim 9, wherein the software is further operable to:
    - receive instructions to revoke a delegation of the second access credential from a user.
  - 12. The non-transitory computer-readable medium of claim 1, wherein:
    - the second access credential comprises a token.
  - 13. The non-transitory computer-readable medium of claim 12, wherein:
    - the token is transmittable by the managed application to a resource server so as to provide access to the managed application to resources on the resource server.

14. A method comprising:
- sending to a remote server, from an agent application, a request for;
  
  a first access credential; and
  
  authority to delegate the first access credential by granting at least a second access credential to at least one managed application;
  
  receiving from the remote server, the first access credential and an authority to delegate;
  
  determining that at least one managed application requires the second access credential;
  
  sending to the at least one managed application, from the agent application, the second access credential;
  
  store an identification of a plurality of managed applications to be monitored for a need of the second access credential; and
  
  monitor the plurality of managed applications for the need of the second access credential.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the method further comprises:
    - receiving from the remote server at least one compliance rule associated with the first access credential; and
      
      determining if a device profile complies with the at least one compliance rule prior to sending the second access credential.
  - 16. The method of claim 14, wherein the method further comprises:
    - receiving from the remote server at least one compliance rule associated with the authority to delegate; and
      
      determining if a device profile complies with the at least one compliance rule prior to sending the second access credential.

17. A system comprising:
- a remote server configured to;
  
  receive, from an agent application on a client device, a request for a first authorization to access at least one resource on a resource server;
  
  determine whether the request should be granted; and
  
  send, to the agent application on the client device, in response to a determination that the request should be granted, the first authorization and a second authorization to delegate the first authorization to at least a managed application;
  
  initiate storage in the agent application of an identification of a plurality of managed applications to be monitored for a need of a second authorization; and
  
  initiate monitoring by the agent application of the plurality of managed applications for the need of the second authorization.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein:
    - the remote server is further configured to;
      
      receive, from the agent application on the client device, a designation of at least the managed application; and
      
      determine if the managed application is an approved application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Manton, John Joseph
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/840,595
Publication Number

US 20140282894A1
Time in Patent Office

746 Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

Delegating authorization to applications on a client device in a networked environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

214 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Delegating authorization to applications on a client device in a networked environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

214 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links