Secure container for protecting enterprise data on a mobile device
First Claim
1. A mobile device comprising computer-readable storage and at least one processor configured to execute computer-executable code stored on the computer-readable storage, the mobile device comprising:
- a secure container component installed on the computer-readable storage of the mobile device, the installed secure container component implemented by computer executable code stored on the computer-readable storage of the mobile device to create a secure document container on the computer-readable storage, the secure document container comprising a file system for a first portion of the computer-readable storage, the secure document container being encrypted, the secure document container storing first enterprise data of an enterprise, the first enterprise data including at least one enterprise document;
a second portion of the computer-readable storage of the mobile device, the second portion of the computer-readable storage storing private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in the enterprise, the second portion of the computer-readable storage being unencrypted, the first portion of the computer-readable storage being logically separate from the second portion of the computer-readable storage, wherein the first enterprise data in the secure document container is logically separate from the private data in the second portion of the computer-readable storage;
an access manager implemented by computer-executable code stored on the computer-readable storage of the mobile device that limits access to the file system for the first portion of the computer-readable storage based on one or more document-access policies that restrict availability of the first enterprise data stored in the secure document container, wherein a non-enterprise application not associated with the enterprise is prevented from accessing the first enterprise data stored in the secure document container; and
a secure virtual machine implemented by computer-executable code stored on the computer-readable storage of the mobile device, wherein an enterprise application associated with the enterprise and running in the secure virtual machine is configured to access the first enterprise data stored in the secure document container,wherein the first enterprise data is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials from the user, andwherein the document-access policies prevent a second enterprise document from being saved in the secure document container, wherein the second enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise.
9 Assignments
0 Petitions
Accused Products
Abstract
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
-
Citations
28 Claims
-
1. A mobile device comprising computer-readable storage and at least one processor configured to execute computer-executable code stored on the computer-readable storage, the mobile device comprising:
-
a secure container component installed on the computer-readable storage of the mobile device, the installed secure container component implemented by computer executable code stored on the computer-readable storage of the mobile device to create a secure document container on the computer-readable storage, the secure document container comprising a file system for a first portion of the computer-readable storage, the secure document container being encrypted, the secure document container storing first enterprise data of an enterprise, the first enterprise data including at least one enterprise document; a second portion of the computer-readable storage of the mobile device, the second portion of the computer-readable storage storing private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in the enterprise, the second portion of the computer-readable storage being unencrypted, the first portion of the computer-readable storage being logically separate from the second portion of the computer-readable storage, wherein the first enterprise data in the secure document container is logically separate from the private data in the second portion of the computer-readable storage; an access manager implemented by computer-executable code stored on the computer-readable storage of the mobile device that limits access to the file system for the first portion of the computer-readable storage based on one or more document-access policies that restrict availability of the first enterprise data stored in the secure document container, wherein a non-enterprise application not associated with the enterprise is prevented from accessing the first enterprise data stored in the secure document container; and a secure virtual machine implemented by computer-executable code stored on the computer-readable storage of the mobile device, wherein an enterprise application associated with the enterprise and running in the secure virtual machine is configured to access the first enterprise data stored in the secure document container, wherein the first enterprise data is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials from the user, and wherein the document-access policies prevent a second enterprise document from being saved in the secure document container, wherein the second enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method comprising:
-
creating, by a secure container component installed on a mobile device, a secure document container on computer-readable storage of the mobile device, the secure document container being encrypted and comprising a file system for a first portion of the computer-readable storage, wherein the first portion is separate from a second portion of the computer-readable storage of the mobile device, wherein the second portion of the computer-readable storage stores private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in an enterprise, the second portion of the computer-readable storage being unencrypted; receiving, by the mobile device, first enterprise data from an enterprise resource of the enterprise; storing, by the mobile device, the first enterprise data in the secure document container, the storing occurring automatically under control of an enterprise agent running on the mobile device; selectively controlling, by the mobile device, access to the first enterprise data in the secure document container in accordance with one or more document-access policies, the one or more document-access policies defining conditions for accessing the first enterprise data in the secure document container, wherein access to the second portion of the computer-readable storage of the mobile device is provided independent of the one or more document-access policies, wherein a non-enterprise application installed on the mobile device and not associated with the enterprise is prevented from accessing the first enterprise data in the secure document container, wherein an enterprise application associated with the enterprise and running in a secure virtual machine on the mobile device is configured to access the first enterprise data in the secure document container, wherein the first enterprise data in the secure document container is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials from the user of the mobile device, and wherein the one or more document-access policies prevent an enterprise document from being saved in the secure document container, wherein the enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A non-transitory storage medium comprising instructions stored thereon executable by a processor of a mobile device to perform a process comprising:
-
creating, within a first portion of a memory of the mobile device, a secure document container, the secure document container comprising a file system and being encrypted, wherein the first portion is separate from a second portion of the memory of the mobile device, wherein the second portion of the memory stores private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in an enterprise, and the second portion of the memory being unencrypted; storing first enterprise data in the secure document container, the storing occurring automatically under control of an enterprise agent running on the mobile device; storing non-enterprise data in the second portion of the memory of the mobile device; and restricting access to the first enterprise data in the secure document container based on one or more rules defining conditions for allowing access to the first enterprise data in the secure document container, wherein access to the second portion of the memory of the mobile device is provided independent of the one or more rules, wherein a non-enterprise application installed on the mobile device and not associated with the enterprise is prevented from accessing the first enterprise data in the secure document container, wherein an enterprise application associated with the enterprise and running in a secure virtual machine on the mobile device is configured to access the first enterprise data in the secure document container, wherein the first enterprise data in the secure document container is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials for the user of the mobile device, and wherein the one or more rules prevent an enterprise document from being saved in the secure document container, wherein the enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
-
Specification