Provisioning a mobile device with a security application on the fly

US 9,455,972 B1
Filed: 09/30/2013
Issued: 09/27/2016
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method of provisioning a mobile device with a security application on the fly, the method comprising:

providing, by processing circuitry of the mobile device, an initial access request to an enterprise gateway which is operated by an enterprise, the initial access request requesting access to a set of enterprise resources of the enterprise;

receiving, by the processing circuitry, an enterprise response message from the enterprise gateway in response to the initial access request, the enterprise response message denying access to the set of enterprise resources of the enterprise; and

automatically prompting, by the processing circuitry, the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise;

wherein the enterprise response message includes an address identifying the application server;

wherein prompting the mobile device to install the mobile security application from the application server includes;

prompting a user of the mobile device for an accept command to (i) download the mobile security application from the application server and (ii) automatically install the mobile security application on the mobile device;

wherein the initial access request is sent to the enterprise gateway via a browser running on the mobile device;

wherein the address identifying the application server is a universal resource locator (URL) which identifies a security application distribution website as the application server;

wherein the method further comprises;

receiving the accept command from the user of the mobile device,in response to the accept command, providing an application request to the security application distribution website based on the URL,receiving a website response to the application request from the security application distribution website, the website response including downloading and installation of the mobile security application on the mobile device,after the mobile security application is downloaded and installed on the mobile device, invoking the mobile security application to establish an activation session between the mobile device and a security server,while the activation session between the mobile device and the security server is established, sending a set of authentication factors to the security server to enable the security server to create a user profile based on the set of authentication factors and bind the user profile to the enterprise,after the user profile is bound to the enterprise, providing an authentication request to the security server using the mobile security application, the authentication request including a new set of authentication factors, andreceiving an authentication response from the security server in response to the authentication request;

wherein the authentication response includes an access token from the security server; and

wherein the method further comprises;

providing another access request to the enterprise gateway which is operated by the enterprise, the other access request including the access token from the security server, andreceiving another enterprise response message from the enterprise gateway in response to the other access request, the other enterprise response message granting access to the set of enterprise resources of the enterprise.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique provisions a mobile device (e.g., a smart phone, a tablet, a personal digital assistant, etc.) with a security application on the fly. The technique involves providing, by processing circuitry of the mobile device, an initial access request to an enterprise gateway which is operated by an enterprise. The technique further involves receiving, by the processing circuitry, an enterprise response message from the enterprise gateway in response to the initial access request. The enterprise response message denies access to a set of enterprise resources of the enterprise. The technique further involves automatically prompting, by the processing circuitry, the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise.

31 Citations

View as Search Results

16 Claims

1. A method of provisioning a mobile device with a security application on the fly, the method comprising:
- providing, by processing circuitry of the mobile device, an initial access request to an enterprise gateway which is operated by an enterprise, the initial access request requesting access to a set of enterprise resources of the enterprise;
  
  receiving, by the processing circuitry, an enterprise response message from the enterprise gateway in response to the initial access request, the enterprise response message denying access to the set of enterprise resources of the enterprise; and
  
  automatically prompting, by the processing circuitry, the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise;
  
  wherein the enterprise response message includes an address identifying the application server;
  
  wherein prompting the mobile device to install the mobile security application from the application server includes;
  
  prompting a user of the mobile device for an accept command to (i) download the mobile security application from the application server and (ii) automatically install the mobile security application on the mobile device;
  
  wherein the initial access request is sent to the enterprise gateway via a browser running on the mobile device;
  
  wherein the address identifying the application server is a universal resource locator (URL) which identifies a security application distribution website as the application server;
  
  wherein the method further comprises;
  
  receiving the accept command from the user of the mobile device,in response to the accept command, providing an application request to the security application distribution website based on the URL,receiving a website response to the application request from the security application distribution website, the website response including downloading and installation of the mobile security application on the mobile device,after the mobile security application is downloaded and installed on the mobile device, invoking the mobile security application to establish an activation session between the mobile device and a security server,while the activation session between the mobile device and the security server is established, sending a set of authentication factors to the security server to enable the security server to create a user profile based on the set of authentication factors and bind the user profile to the enterprise,after the user profile is bound to the enterprise, providing an authentication request to the security server using the mobile security application, the authentication request including a new set of authentication factors, andreceiving an authentication response from the security server in response to the authentication request;
  
  wherein the authentication response includes an access token from the security server; and
  
  wherein the method further comprises;
  
  providing another access request to the enterprise gateway which is operated by the enterprise, the other access request including the access token from the security server, andreceiving another enterprise response message from the enterprise gateway in response to the other access request, the other enterprise response message granting access to the set of enterprise resources of the enterprise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as in claim 1 wherein the enterprise response message further includes a signed enterprise identifier which identifies the enterprise;
    - and wherein providing the application request to the security application distribution website includes;
      
      sending the signed enterprise identifier to the security application distribution website, the mobile security application being provided to the mobile device from the security application distribution website as part of the website response only if the security application distribution website successfully verifies the signed enterprise identifier.
  - 3. A method as in claim 1 wherein the enterprise response message further includes an enterprise identifier which identifies the enterprise;
    - and wherein providing the application request to the security application distribution website includes;
      
      sending the enterprise identifier to the security application distribution website, the mobile security application being selected, by the security application distribution website, from a set of different security applications based on the enterprise identifier.
  - 4. A method as in claim 1 wherein providing the application request to the security application distribution website includes:
    - sending a location identifier to the security application distribution website, the location identifier identifying a current location of the mobile device, the mobile security application being provided to the mobile device from the security application distribution website as part of the website response only if the security application distribution website determines that the current location is an authorized installation location.
  - 5. A method as in claim 1 wherein the enterprise response message further includes a one-time request token;
    - and wherein invoking the mobile security application includes;
      
      establishing the activation session with the security server using the one-time request token, at least one of the mobile security application and the security server being prevented from establishing another activation session using a copy of the one-time request token.
  - 6. A method as in claim 1 wherein the security server is constructed and arranged to:
    - provide receiving, as part of the authentication responses, access tokens when the security server successfully authenticates users; and
      
      provide, as part of the authentication responses, indications that authentication is considered unsuccessful when the security server does not successfully authenticate the users.
  - 7. A method as in claim 1 wherein the application server is an online app store.
  - 8. A method as in claim 7 wherein the enterprise response message further includes a one-time use token.

9. A mobile device, comprising:
- a wireless interface;
  
  memory; and
  
  control circuitry coupled to the wireless interface and the memory, the memory storing instructions which, when carried out by the control circuitry, cause the control circuitry to;
  
  provide, through the wireless interface, an initial access request to an enterprise gateway which is operated by an enterprise,receive, through the wireless interface, an enterprise response message from the enterprise gateway in response to the initial access request, the enterprise response message denying access to a set of enterprise resources of the enterprise, andautomatically prompt the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise;
  
  wherein the enterprise response message includes an address identifying the application server;
  
  wherein the control circuitry, when prompting the mobile device to install the mobile security application from the application server, is constructed and arranged to;
  
  prompt a user of the mobile device for an accept command to (i) download the mobile security application from the application server and (ii) automatically install the mobile security application on the mobile device;
  
  wherein the initial access request is sent to the enterprise gateway via a browser running on the mobile device;
  
  wherein the address identifying the application server is a universal resource locator (URL) which identifies a security application distribution website as the application server;
  
  wherein the control circuitry is further constructed and arranged to;
  
  receive the accept command from the user of the mobile device,in response to the accept command, provide an application request to the security application distribution website based on the URL,receive a website response to the application request from the security application distribution website, the website response including downloading and installation of the mobile security application on the mobile device,after the mobile security application is downloaded and installed on the mobile device, invoke the mobile security application to establish an activation session between the mobile device and a security server,while the activation session between the mobile device and the security server is established, send a set of authentication factors to the security server to enable the security server to create a user profile based on the set of authentication factors and bind the user profile to the enterprise,after the user profile is bound to the enterprise, provide an authentication request to the security server using the mobile security application, the authentication request including a new set of authentication factors, andreceive an authentication response from the security server in response to the authentication request;
  
  wherein the authentication response includes an access token from the security server; and
  
  wherein the control circuitry is further constructed and arranged to;
  
  provide another access request to the enterprise gateway which is operated by the enterprise, the other access request including the access token from the security server, andreceive another enterprise response message from the enterprise gateway in response to the other access request, the other enterprise response message granting access to the set of enterprise resources of the enterprise.
- View Dependent Claims (10, 11, 12)
- - 10. A mobile device as in claim 9 wherein the enterprise response message further includes a signed enterprise identifier which identifies the enterprise;
    - and wherein the control circuitry, when providing the application request to the security application distribution website, is constructed and arranged to;
      
      send the signed enterprise identifier to the security application distribution website, the mobile security application being provided to the mobile device from the security application distribution website as part of the website response only if the security application distribution website successfully verifies the signed enterprise identifier.
  - 11. A mobile device as in claim 9 wherein the enterprise response message further includes an enterprise identifier which identifies the enterprise;
    - and wherein the control circuitry, when providing the application request to the security application distribution website, is constructed and arranged to;
      
      send the enterprise identifier to the security application distribution website, the mobile security application being selected, by the security application distribution website, from a set of different security applications based on the enterprise identifier.
  - 12. A mobile device as in claim 9 wherein the control circuitry, when providing the application request to the security application distribution website, is constructed and arranged to:
    - send a location identifier to the security application distribution website, the location identifier identifying a current location of the mobile device, the mobile security application being provided to the mobile device from the security application distribution website as part of the website response only if the security application distribution website determines that the current location is an authorized installation location.

13. A computer program product having a non-transitory computer readable medium which stores a set of instructions to provision a mobile device with a security application on the fly, the set of instructions, when carried out by computerized circuitry of the mobile device, causing the computerized circuitry to perform a method of:
- providing an initial access request to an enterprise gateway which is operated by an enterprise;
  
  receiving an enterprise response message from the enterprise gateway in response to the initial access request, the enterprise response message denying access to a set of enterprise resources of the enterprise; and
  
  automatically prompting the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise;
  
  wherein the enterprise response message includes an address identifying the application server;
  
  wherein prompting the mobile device to install the mobile security application from the application server includes;
  
  prompting a user of the mobile device for an accept command to (i) download the mobile security application from the application server and (ii) automatically install the mobile security application on the mobile device;
  
  wherein the initial access request is sent to the enterprise gateway via a browser running on the mobile device;
  
  wherein the address identifying the application server is a universal resource locator (URL) which identifies a security application distribution website as the application server;
  
  wherein the method further comprises;
  
  receiving the accept command from the user of the mobile device,in response to the accept command, providing an application request to the security application distribution website based on the URL,receiving a website response to the application request from the security application distribution website, the website response including downloading and installation of the mobile security application on the mobile device,after the mobile security application is downloaded and installed on the mobile device, invoking the mobile security application to establish an activation session between the mobile device and a security server,while the activation session between the mobile device and the security server is established, sending a set of authentication factors to the security server to enable the security server to create a user profile based on the set of authentication factors and bind the user profile to the enterprise,after the user profile is bound to the enterprise, providing an authentication request to the security server using the mobile security application, the authentication request including a new set of authentication factors, andreceiving an authentication response from the security server in response to the authentication request;
  
  wherein the authentication response includes an access token from the security server; and
  
  wherein the method further comprises;
  
  providing another access request to the enterprise gateway which is operated by the enterprise, the other access request including the access token from the security server; and
  
  receiving another enterprise response message from the enterprise gateway in response to the other access request, the other enterprise response message granting access to the set of enterprise resources of the enterprise.
- View Dependent Claims (14, 15, 16)
- - 14. A computer program product as in claim 13 wherein the enterprise response message further includes a signed enterprise identifier which identifies the enterprise;
    - and wherein providing the application request to the security application distribution website includes;
      
      sending the signed enterprise identifier to the security application distribution website, the mobile security application being provided to the mobile device from the security application distribution website as part of the website response only if the security application distribution website successfully verifies the signed enterprise identifier.
  - 15. A computer program product as in claim 13 wherein the enterprise response message further includes an enterprise identifier which identifies the enterprise;
    - and wherein providing the application request to the security application distribution website includes;
      
      sending the enterprise identifier to the security application distribution website, the mobile security application being selected, by the security application distribution website, from a set of different security applications based on the enterprise identifier.
  - 16. A computer program product as in claim 13 wherein providing the application request to the security application distribution website includes:
    - sending a location identifier to the security application distribution website, the location identifier identifying a current location of the mobile device, the mobile security application being provided to the mobile device from the security application distribution website as part of the website response only if the security application distribution website determines that the current location is an authorized installation location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dotan, Yedidya, Friedman, Lawrence N., Richards, Gareth
Primary Examiner(s)
Kim, Tae

Application Number

US14/041,108
Time in Patent Office

1,093 Days
Field of Search

713/191, 709/217, 709/218, 709220-222, 709/225
US Class Current

1/1
CPC Class Codes

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3213   using tickets or tokens, e....

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/35   Protecting application or s...

Provisioning a mobile device with a security application on the fly

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning a mobile device with a security application on the fly

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links