Policy-based application management

US 9,111,105 B2
Filed: 10/03/2013
Issued: 08/18/2015
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by an electronic mobile device, a managed personal information management (PIM) application from an application server during a first communication, the managed PIM application being constructed to operate in accordance with a set of one or more policy files, wherein the one or more policy files define access controls that are enforced, by a mobile device management system on the electronic mobile device, against a plurality of different managed applications executing on the electronic mobile device;

receiving, by the electronic mobile device, the set of one or more policy files from the application server during a second communication which is different than the first communication, the set of one or more policy files being stored on the electronic mobile device separately from the managed PIM application;

running, by a processor, the managed PIM application on the electronic mobile device, the managed PIM application operating in accordance with the set of one or more policy files, wherein one of the policy files alters a message processing functionality of the managed PIM application on the electronic mobile device by defining one or more of the plurality of managed applications with which data sharing is permitted by the managed PIM application, and restricting the managed PIM application from sharing data with any application not permitted by the one or more policy files;

communicating, by the managed PIM application and based on the set of one or more policy files, with an enterprise resource via one or more application tunnels, wherein the managed PIM application, based on the set of one or more policy files, selectively employs caching and/or a compression technique within the one or more application tunnels; and

selectively providing a single sign-on (SSO) credential, by the managed PIM application in accordance with the set of one or more policy files, to authenticate a user and access a document stored in a secure document container of the mobile device, wherein the managed PIM application encrypts data stored in the secure document container, wherein the set of one or more policy files permit use of the SSO credential with the managed PIM application and block use of the SSO credential with a different application.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user'"'"'s own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.

618 Citations

20 Claims

1. A method, comprising:
- receiving, by an electronic mobile device, a managed personal information management (PIM) application from an application server during a first communication, the managed PIM application being constructed to operate in accordance with a set of one or more policy files, wherein the one or more policy files define access controls that are enforced, by a mobile device management system on the electronic mobile device, against a plurality of different managed applications executing on the electronic mobile device;
  
  receiving, by the electronic mobile device, the set of one or more policy files from the application server during a second communication which is different than the first communication, the set of one or more policy files being stored on the electronic mobile device separately from the managed PIM application;
  
  running, by a processor, the managed PIM application on the electronic mobile device, the managed PIM application operating in accordance with the set of one or more policy files, wherein one of the policy files alters a message processing functionality of the managed PIM application on the electronic mobile device by defining one or more of the plurality of managed applications with which data sharing is permitted by the managed PIM application, and restricting the managed PIM application from sharing data with any application not permitted by the one or more policy files;
  
  communicating, by the managed PIM application and based on the set of one or more policy files, with an enterprise resource via one or more application tunnels, wherein the managed PIM application, based on the set of one or more policy files, selectively employs caching and/or a compression technique within the one or more application tunnels; and
  
  selectively providing a single sign-on (SSO) credential, by the managed PIM application in accordance with the set of one or more policy files, to authenticate a user and access a document stored in a secure document container of the mobile device, wherein the managed PIM application encrypts data stored in the secure document container, wherein the set of one or more policy files permit use of the SSO credential with the managed PIM application and block use of the SSO credential with a different application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the policy files define URL dispatch access controls, and wherein restricting comprises limiting the applications the managed PIM application can interact with using a preformed mail message identified in a URL dispatch.
  - 3. The method of claim 1, wherein the message processing functionality further comprises an installation process of the managed PIM application, and wherein altering comprises triggering an automatic installation of the managed PIM application using the installation process.
  - 4. The method of claim 1, wherein the policy files define one or more conditions under which a contact in an address book of the managed PIM application is sharable external to the managed PIM application, and wherein restricting comprises limiting sharing of the contact in accordance with the policy files.
  - 5. The method of claim 1, wherein policy files define one or more applications from which the managed PIM application can attach a file to an electronic message, and wherein restricting comprises limiting the applications from which the managed PIM application can attach the file to the electronic message based on the policy files.
  - 6. The method of claim 1, wherein the policy files define one or more applications in which the managed PIM application can open a file attached to a received electronic message, and wherein the restricting comprises limiting the applications in which the managed PIM application can open the file attached to the received electronic message based on the policy files.
  - 7. The method of claim 1, wherein the policy files define a length of time for which electronic communications meeting a predefined condition may be stored on the electronic mobile device before the electronic communications are automatically deleted.

8. One or more non-transitory computer readable media storing computer instructions that, when executed, cause an electronic mobile device to manage a personal information management (PIM) application by:
- receiving, by the electronic mobile device, a managed personal information management (PIM) application from an application server during a first communication, the managed PIM application being constructed to operate in accordance with a set of one or more policy files, wherein the one or more policy files define access controls that are enforced, by a mobile device management system on the electronic mobile device, against a plurality of different managed applications executing on the electronic mobile device;
  
  receiving, by the electronic mobile device, the set of one or more policy files from the application server during a second communication which is different than the first communication, the set of one or more policy files being stored on the electronic mobile device separately from the managed application;
  
  running, by a processor, the managed PIM application on the mobile device, the managed PIM application operating in accordance with the set of one or more policy files, wherein one of the policy files alters a characteristic of the managed PIM application on the electronic mobile device while not altering a similar characteristic of any non-PIM applications on the electronic mobile device;
  
  communicating, by the managed PIM application and based on the set of one or more policy files, with an enterprise resource via one or more application tunnels, wherein the managed PIM application, based on the set of one or more policy files, selectively employs caching and/or a compression technique within the one or more application tunnels; and
  
  selectively providing a single sign-on (SSO) credential, by the managed PIM application in accordance with the set of one or more policy files, to authenticate a user and access a document stored in a secure document container of the electronic mobile device, wherein the managed PIM application encrypts data stored in the secure document container, wherein the set of one or more policy files permit use of the SSO credential for responding to digest challenges and block use of the SSO credential for responding to certificate challenges.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The one or more non-transitory computer readable media of claim 8, wherein the characteristic is a URL dispatch process of the managed PIM application, and wherein altering comprises defining one or more applications to which the managed PIM application can call using the URL dispatch process.
  - 10. The one or more non-transitory computer readable media of claim 8, wherein the characteristic is an installation process of the managed PIM application, and wherein altering comprises triggering an automatic installation of the managed PIM application using the installation process.
  - 11. The one or more non-transitory computer readable media of claim 8, wherein the characteristic is an address book of the PIM application, and wherein altering comprises defining one or more conditions under which a contact in the address book is sharable external to the managed PIM application.
  - 12. The one or more non-transitory computer readable media of claim 8, wherein the characteristic is an attachment handling process of the managed PIM application, and wherein altering comprises defining one or more applications from which the managed PIM application can attach a file to an electronic message.
  - 13. The one or more non-transitory computer readable media of claim 8, wherein the characteristic is an attachment handling process of the managed PIM application, and wherein altering comprises defining one or more applications in which the managed PIM application can open a file attached to a received electronic message.
  - 14. The one or more non-transitory computer readable media of claim 8, wherein the characteristic is message retention process of the managed PIM application, and wherein altering comprises defining a length of time for which electronic communications meeting a predefined condition may be stored on the electronic mobile device before the electronic communications are automatically deleted.

15. An electronic mobile device, comprising:
- a processor; and
  
  memory storing computer readable instructions that, when executed by the processor, cause the electronic mobile device to manage a personal information management (PIM) application by;
  
  receiving, by the electronic mobile device, a managed personal information management (PIM) application from an application server during a first communication, the managed PIM application being constructed to operate in accordance with a set of one or more policy files, wherein the one or more policy files define access controls that are enforced, by a mobile device management system on the electronic mobile device, against a plurality of different managed applications executing on the electronic mobile device;
  
  receiving, by the electronic mobile device, the set of one or more policy files from the application server during a second communication which is different than the first communication, the set of one or more policy files being stored on the electronic mobile device separately from the managed PIM application;
  
  running, by the processor, the managed PIM application on the electronic mobile device, the managed PIM application operating in accordance with the set of one or more policy files, wherein one of the policy files alters a characteristic of the managed PIM application on the electronic mobile device while not altering a similar characteristic of any non-PIM applications on the electronic mobile device;
  
  communicating, by the managed PIM application and based on the set of one or more policy files, with an enterprise resource via one or more application tunnels, wherein the managed PIM application, based on the set of one or more policy files, selectively employs caching and/or a compression technique within the one or more application tunnels; and
  
  selectively providing a single sign-on (SSO) credential, by the managed PIM application and based on the set of one or more policy files, to authenticate a user and access a document stored in a secure document container of the mobile device, wherein the managed PIM application encrypts data stored in the secure document container, wherein the set of one or more policy files permit use of the SSO credential for responding to certificate challenges and block use of the SSO credential for responding to digest challenges.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The electronic mobile device of claim 15, wherein the characteristic is a URL dispatch process of the managed PIM application, and wherein altering comprises defining one or more applications to which the managed PIM application can call using the URL dispatch process.
  - 17. The electronic mobile device of claim 15, wherein the characteristic is an installation process of the managed PIM application, and wherein altering comprises triggering an automatic installation of the managed PIM application using the installation process.
  - 18. The electronic mobile device of claim 15, wherein the characteristic is an address book of the managed PIM application, and wherein altering comprises defining one or more conditions under which a contact in the address book is sharable external to the managed PIM application.
  - 19. The electronic mobile device of claim 15, wherein the characteristic is an attachment handling process of the managed PIM application, and wherein altering comprises defining one or more applications to or from which the managed PIM application can open or attach a file, respectively, associated with an electronic message.
  - 20. The electronic mobile device of claim 15, wherein the characteristic is message retention process of the managed PIM application, and wherein altering comprises defining a length of time for which electronic communications meeting a predefined condition may be stored on the mobile device before the electronic communications are automatically deleted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Walker, James Robert, Desai, Nitin, Lang, Zhongmin
Primary Examiner(s)
DOAN, DUYEN MY

Application Number

US14/044,946
Publication Number

US 20140032691A1
Time in Patent Office

684 Days
Field of Search

709/203, 709/229
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/54   by adding security routines...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/629   to features or functions of...

G06F 21/72   in cryptographic circuits

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 41/00   Arrangements for maintenanc...

H04L 41/28   Restricting access to netwo...

H04L 41/34   Signalling channels for net...

H04L 51/08   Annexed information, e.g. a...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04W 12/06 : Authentication

H04W 12/08 : Access security

H04W 12/30 : Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/63 : Location-dependent; Proximi...

View All

Policy-based application management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

618 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Policy-based application management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

618 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others