Rules based detection and correction of problems on mobile devices of enterprise users

US 9,286,471 B2
Filed: 10/10/2012
Issued: 03/15/2016
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A mobile device comprising:

a processor and memory;

an enterprise agent installed on the mobile device, the enterprise agent being configured to enable enterprise applications installed on the mobile device to securely access resources of an enterprise system of an enterprise, the enterprise agent being further configured to collect state metric data values of a plurality of state metrics associated with the mobile device;

a plurality of rules stored in the memory of the mobile device, each particular rule of the plurality of rules comprising a rule name, a security key, and an encrypted rule body comprising logic of the particular rule, at least some of the plurality of rules mapping states indicated by one or more of the state metric data values to problems indicative of security risks or productivity risks associated with the enterprise, a first problem of the problems comprising detecting downloading of more than a threshold amount of data to the mobile device within a time period, and a second problem of the problems comprising a disablement of password protection for the mobile device; and

remedial action data stored in the memory of the mobile device, the remedial action data specifying remedial actions for addressing the problems, each of the remedial actions corresponding to at least one problem of the problems and being included in at least one rule of the plurality of rules for detecting the at least one problem of the problems, a first remedial action of the remedial actions comprising producing a message on a user interface of the mobile device, the message instructing a user of the mobile device to activate the password protection for the mobile device, and a second remedial action of the remedial actions comprising reducing a download throughput to the mobile device for a portion of the time period;

wherein the enterprise agent installed on the mobile device is configured to;

programmatically detect instances of the problems by using the rules to analyze the state metric data values using a process comprising;

determining a rule of the rules to be analyzed based on the rule name of the rule to be analyzed;

decrypting the encrypted rule body of the rule to be analyzed using the security key;

evaluating the logic of the rule to be analyzed from the decrypted rule body; and

detecting an instance of one of the problems based on the state metric data values;

determine a remedial action of the remedial actions that corresponds to the one of the problems based on the decrypted rule body; and

respond to the detected instance of one of the problems by executing the remedial action of the remedial actions on the mobile device,wherein the enterprise agent installed on the mobile device is further configured to;

detect the disablement of the password protection for the mobile device;

respond to the detected disablement of the password protection for the mobile device by producing the message on the user interface of the mobile device, the message instructing the user of the mobile device to activate the password protection for the mobile device; and

determine whether the user of the mobile device activated the password protection for the mobile device within a threshold time period.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

517 Citations

23 Claims

1. A mobile device comprising:
- a processor and memory;
  
  an enterprise agent installed on the mobile device, the enterprise agent being configured to enable enterprise applications installed on the mobile device to securely access resources of an enterprise system of an enterprise, the enterprise agent being further configured to collect state metric data values of a plurality of state metrics associated with the mobile device;
  
  a plurality of rules stored in the memory of the mobile device, each particular rule of the plurality of rules comprising a rule name, a security key, and an encrypted rule body comprising logic of the particular rule, at least some of the plurality of rules mapping states indicated by one or more of the state metric data values to problems indicative of security risks or productivity risks associated with the enterprise, a first problem of the problems comprising detecting downloading of more than a threshold amount of data to the mobile device within a time period, and a second problem of the problems comprising a disablement of password protection for the mobile device; and
  
  remedial action data stored in the memory of the mobile device, the remedial action data specifying remedial actions for addressing the problems, each of the remedial actions corresponding to at least one problem of the problems and being included in at least one rule of the plurality of rules for detecting the at least one problem of the problems, a first remedial action of the remedial actions comprising producing a message on a user interface of the mobile device, the message instructing a user of the mobile device to activate the password protection for the mobile device, and a second remedial action of the remedial actions comprising reducing a download throughput to the mobile device for a portion of the time period;
  
  wherein the enterprise agent installed on the mobile device is configured to;
  
  programmatically detect instances of the problems by using the rules to analyze the state metric data values using a process comprising;
  
  determining a rule of the rules to be analyzed based on the rule name of the rule to be analyzed;
  
  decrypting the encrypted rule body of the rule to be analyzed using the security key;
  
  evaluating the logic of the rule to be analyzed from the decrypted rule body; and
  
  detecting an instance of one of the problems based on the state metric data values;
  
  determine a remedial action of the remedial actions that corresponds to the one of the problems based on the decrypted rule body; and
  
  respond to the detected instance of one of the problems by executing the remedial action of the remedial actions on the mobile device,wherein the enterprise agent installed on the mobile device is further configured to;
  
  detect the disablement of the password protection for the mobile device;
  
  respond to the detected disablement of the password protection for the mobile device by producing the message on the user interface of the mobile device, the message instructing the user of the mobile device to activate the password protection for the mobile device; and
  
  determine whether the user of the mobile device activated the password protection for the mobile device within a threshold time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The mobile device of claim 1, wherein the message instructing the user of the mobile device to execute the action on the device comprises instructing the user of the mobile device to uninstall an application from the mobile device.
  - 3. The mobile device of claim 1, wherein the message instructing the user of the mobile device to execute the action on the device comprises instructing the user of the mobile device to delete data from the mobile device, the data being related to the enterprise, the enterprise agent installed on the mobile device configured to:
    - produce the message on the user interface of the mobile device, the message instructing the user of the mobile device to delete the data from the mobile device; and
      
      determine whether the user of the mobile device deleted the data from the mobile device within a threshold time period.
  - 4. The mobile device of claim 1, wherein the enterprise agent installed on the mobile device is configured to:
    - receive a script configured to enforce the reducing the download throughput to the mobile device for the portion of the time period.
  - 5. The mobile device of claim 1, wherein a third remedial action of the remedial actions comprises revoking a certificate of the mobile device.
  - 6. The mobile device of claim 1, wherein the enterprise agent installed on the mobile device is configured to:
    - detect the mobile device connecting to an unauthorized network connection; and
      
      respond to the unauthorized network connection by disconnecting from the unauthorized network connection.
  - 7. The mobile device of claim 1, wherein the enterprise agent installed on the mobile device is configured to:
    - activate or deactivate a feature of the mobile device in response to the detected instance of one of the problems.
  - 8. The mobile device of claim 7,wherein the feature of the mobile device comprises a network-connection capability of the mobile device;
    - andwherein a third remedial action of the remedial actions corresponds to a second problem of the problems, the second problem defined as the mobile device using the network-connection capability to connect to an unsecured network, and the third remedial action comprises one of;
      
      terminating the connection to the unsecured network, anddeactivating the network-connection capability.
  - 9. The mobile device of claim 1, wherein the enterprise agent installed on the mobile device is configured to:
    - selectively delete data related to the enterprise from the mobile device in response to the detected instance of one of the problems.
  - 10. The mobile device of claim 1, wherein the state metric data values comprise a battery level of the mobile device.
  - 11. The mobile device of claim 1, wherein the state metric data values comprise a signal strength of a network connection of the mobile device.
  - 12. The mobile device of claim 1, wherein the mobile device comprises:
    - a plurality of separate rule packages stored in the memory of the mobile device, each rule package of the separate rule packages comprising a rule of the plurality of rules and remedial action data defining one or more remedial actions corresponding to the rule of the plurality of rules.
  - 13. The mobile device of claim 12, wherein at least one rule package of the plurality of separate rule packages is customized for a user with a specific user role in the enterprise.
  - 14. The mobile device of claim 12, wherein at least one rule package of the plurality of separate rule packages is customized for a particular device type of the mobile device.
  - 15. The mobile device of claim 1, wherein the enterprise agent installed on the mobile device is configured to:
    - update the plurality of rules stored in the memory of the mobile device based on a rule update package received from the enterprise system, the rule update package comprising new rules to be added to the plurality of rules and modifications to existing rules of the plurality of rules, the rule update package being optimized by excluding rule information already existing on the mobile device.
  - 16. The mobile device of claim 1, wherein the enterprise agent is configured to select the executed remedial action based on a past result of executing the remedial action.
  - 17. The mobile device of claim 1, wherein the enterprise agent is configured to select the executed remedial action based on a computing cost associated with executing the remedial action.
  - 18. The mobile device of claim 1, wherein the enterprise agent is configured to select the executed remedial action based on a user preference of a user of the mobile device.
  - 19. The mobile device of claim 1, wherein the mobile device comprises a camera, and the enterprise agent installed on the mobile device is configured to:
    - detect the mobile device being located within premises of the enterprise with the camera available for use; and
      
      deactivate the camera in response to detecting the mobile device being located with the premises of the enterprise.

20. A non-transitory storage medium having stored thereon executable instructions that direct a mobile device to perform a process that comprises:
- collecting state metric data values of a plurality of state metrics associated with the mobile device;
  
  receiving and storing a plurality of rules on the mobile device, at least some of the rules mapping states indicated by one or more of the state metric data values to problems indicative of security risks or productivity risks associated with an enterprise, at least one of the problems comprising a disablement of password protection for the mobile device;
  
  receiving and storing remedial action data that specifies remedial actions for addressing particular problems, each remedial action corresponding to one or more of the problems, at least one remedial action of the remedial actions comprising producing a message on a user interface of the mobile device, the message instructing a user of the mobile device to activate the password protection for the mobile device;
  
  detecting the disablement of the password protection for the mobile device;
  
  responding to the detected disablement of the password protection for the mobile device by producing the message on the user interface of the mobile device, the message instructing the user of the mobile device to activate the password protection for the mobile device;
  
  determining whether the user of the mobile device activated the password protection for the mobile device within a threshold time period; and
  
  in response to determining that the user has used the mobile device without activating the password protection for the mobile device within a time period, activating or deactivating a feature of the mobile device corresponding to the password protection for the mobile device.
- View Dependent Claims (21)
- - 21. The non-transitory storage medium of claim 20, wherein the executable instructions further direct the mobile device to:
    - update the plurality of rules on the mobile device based on a rule update package received from an enterprise system, the rule update package comprising new rules to be added to the plurality of rules and modifications to existing rules of the plurality of rules, the rule update package being optimized by excluding rule information already existing on the mobile device.

22. A method comprising:
- collecting, by a computing device, state metric data values of a plurality of state metrics associated with the computing device;
  
  receiving and storing a plurality of rules, at least some of the rules mapping states indicated by one or more of the state metric data values to problems indicative of security risks or productivity risks associated with an enterprise, at least one of the problems comprising a disablement of password protection for the computing device;
  
  receiving and storing remedial action data that specifies remedial actions for addressing particular problems, each remedial action corresponding to one or more of the problems, at least one remedial action of the remedial actions comprising producing a message on a user interface of the computing device, the message instructing a user of the computing device to activate the password protection for the computing device;
  
  detecting the disablement of the password protection for the computing device;
  
  responding to the detected disablement of the password protection for the computing device by producing the message on the user interface of the computing device, the message instructing the user of the computing device to activate the password protection for the computing device;
  
  determining whether the user of the computing device activated the password protection for the computing device within a threshold time period; and
  
  in response to determining that the user has used the computing device without activating the password protection for the computing device within a time period, activating or deactivating a feature of the computing device corresponding to the password protection for the computing device.
- View Dependent Claims (23)
- - 23. The method claim 22, comprising:
    - updating the plurality of rules on the computing device based on a rule update package received from an enterprise system, the rule update package comprising new rules to be added to the plurality of rules and modifications to existing rules of the plurality of rules, the rule update package being optimized by excluding rule information already existing on the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, McGinty, John M.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US13/649,071
Publication Number

US 20140007193A1
Time in Patent Office

1,252 Days
Field of Search

726/3
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

Rules based detection and correction of problems on mobile devices of enterprise users

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

517 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Rules based detection and correction of problems on mobile devices of enterprise users

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

517 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others