Dynamically generating perimeters

US 9,497,220 B2
Filed: 10/17/2011
Issued: 11/15/2016
Est. Priority Date: 10/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request to add to a mobile device an enterprise application for accessing an enterprise account;

in response to detection of a parameter or a pattern associated with an account setting, retrieving a security policy from a resource server for the enterprise account;

in response to the request to add the enterprise application and the detection of the parameter or the pattern associated with the account setting, generating, by the mobile device, a new logical separation of resources associated with the enterprise application and other enterprise resources on the mobile device, wherein the new logical separation of resources prevents applications on the mobile device external to the new logical separation of resources from accessing resources associated with the new logical separation of resources;

receiving, from the resource server, a client certificate for establishing a secure channel with an enterprise;

assigning the client certificate to the new logical separation of resources;

when the new logical separation of resources is unlocked, granting access between the other enterprise resources and the enterprise application and granting the external resources on the mobile device to access the enterprise application and the other enterprise resources on the mobile device, wherein an unlock state allows applications to access files in a file system domain;

when the new logical separation of resources is soft locked, granting access and operations between the other enterprise resources and the enterprise application while preventing user interactions with the enterprise application the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein the soft locked state allows applications running on the mobile device to access the files in the file system domain and locks an user interface on the mobile device; and

when the new logical separation of resources is hard locked, preventing access between the other enterprise resources and the enterprise application while preventing the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein a hard lock state prohibits applications from accessing the files in the file system domain and locks an underlying encryption domain.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and techniques relating to securely managing electronic resources are described. A described technique includes receiving a request to add to a mobile device an account setting for a server resource account. Detecting a trigger event for a new perimeter based on the account setting. In response to a parameter or a pattern associated with the account setting, retrieving a security policy from a resource server for the server resource account, and generating, by the mobile device, a new perimeter including the server resource account based on the security policy. The new perimeter is configured to prevent transferring data associated with the server resource account being transferred to mobile-device resources external to the new perimeter.

Citations

25 Claims

1. A method, comprising:
- receiving a request to add to a mobile device an enterprise application for accessing an enterprise account;
  
  in response to detection of a parameter or a pattern associated with an account setting, retrieving a security policy from a resource server for the enterprise account;
  
  in response to the request to add the enterprise application and the detection of the parameter or the pattern associated with the account setting, generating, by the mobile device, a new logical separation of resources associated with the enterprise application and other enterprise resources on the mobile device, wherein the new logical separation of resources prevents applications on the mobile device external to the new logical separation of resources from accessing resources associated with the new logical separation of resources;
  
  receiving, from the resource server, a client certificate for establishing a secure channel with an enterprise;
  
  assigning the client certificate to the new logical separation of resources;
  
  when the new logical separation of resources is unlocked, granting access between the other enterprise resources and the enterprise application and granting the external resources on the mobile device to access the enterprise application and the other enterprise resources on the mobile device, wherein an unlock state allows applications to access files in a file system domain;
  
  when the new logical separation of resources is soft locked, granting access and operations between the other enterprise resources and the enterprise application while preventing user interactions with the enterprise application the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein the soft locked state allows applications running on the mobile device to access the files in the file system domain and locks an user interface on the mobile device; and
  
  when the new logical separation of resources is hard locked, preventing access between the other enterprise resources and the enterprise application while preventing the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein a hard lock state prohibits applications from accessing the files in the file system domain and locks an underlying encryption domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the enterprise account comprises at least one of an email account, a calendar account, or a contacts account.
  - 3. The method of claim 1, wherein generating the new logical separation of resources comprises automatically generating the new logical separation of resources independent of an administrator of the resource server setting policies or configuring of the new logical separation of resources.
  - 4. The method of claim 1, wherein the pattern or parameter includes at least one of an account address, a network address, a policy, one or more settings associated with adding access to a new account that provides push synchronization, or one or more settings associated with connecting to a bridge device.
  - 5. The method of claim 1, wherein the security policy includes at least one of password protection or data encryption.
  - 6. The method of claim 1, wherein the account setting includes login information.
  - 7. The method of claim 1, wherein the account setting includes an email address.
  - 8. The method of claim 1, wherein the server resource account includes an enterprise account.
  - 9. The method of claim 8, wherein the enterprise account includes an enterprise email account.
  - 10. The method of claim 1, wherein the new logical separation of resources includes a logical separation of resources for enterprise or a logical separation of resources for corporate.

11. A mobile device, comprising:
- one or more processors operable to;
  
  receive a request to add to a mobile device an enterprise application for accessing an enterprise account;
  
  in response to detection of a parameter or a pattern associated with an account setting, retrieve a security policy from a resource server for the enterprise account;
  
  in response to the request to add the enterprise application and the detection of the parameter or the pattern associated with the account setting, generate, by the mobile device, a new logical separation of resources associated with the enterprise application and other enterprise resources on the mobile device, wherein the new logical separation of resources prevents applications on the mobile device external to the new logical separation of resources from accessing resources associated with the new logical separation of resources including the enterprise application;
  
  receive, from the resource server, a client certificate for establishing a secure channel with an enterprise;
  
  assign the client certificate to the new logical separation of resources;
  
  when the new logical separation of resources is unlocked, grant access between the other enterprise resources and the enterprise application and grant the external resources on the mobile device to access the enterprise application and the other enterprise resources on the mobile device, wherein an unlock state allows applications to access files in a file system domain;
  
  when the new logical separation of resources is soft locked, grant access between the other enterprise resources and the enterprise application and prevent user interactions with the enterprise application, wherein the soft locked state allows applications running on the mobile device to access the files in the file system domain and locks an user interface on the mobile device; and
  
  when the new logical separation of resources is hard locked, prevent access between the other enterprise resources and the enterprise application and prevent the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein a hard lock state prohibits applications from accessing the files in the file system domain and locks an underlying encryption domain.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The mobile device of claim 11, wherein the enterprise account comprises at least one of an email account, a calendar account, or a contacts account.
  - 13. The mobile device of claim 11, wherein the one or more processors operable to generate the new logical separation of resources comprises the one or more processors operable to automatically generate the new logical separation of resources independent of an administrator of the resource server setting policies or configuring the new logical separation of resources.
  - 14. The mobile device of claim 11, wherein the pattern or parameter includes at least one of an account address, a network address, a policy, one or more settings associated with adding access to a new account that provides push synchronization, or one or more settings associated with connecting to a bridge device.
  - 15. The mobile device of claim 11, wherein the security policy includes at least one of password protection or data encryption.

16. A computer program product encoded on a non- transitory storage medium, the product comprising computer readable instructions for causing one or more processors to perform operations comprising:
- receiving a request to add to a mobile device an enterprise application for accessing an enterprise account;
  
  in response to detection of a parameter or a pattern associated with an account setting, retrieving a security policy from a resource server for the enterprise account;
  
  in response to the request to add the enterprise application and the detection of the parameter or the pattern associated with the account setting, generating, by the mobile device, a new logical separation of resources associated with the enterprise application and other enterprise resources on the mobile device, wherein the new logical separation of resources prevents applications on the mobile device external to the new logical separation of resources from accessing resources associated with the new logical separation of resources;
  
  receiving, from the resource server, a client certificate for establishing a secure channel with an enterprise;
  
  assigning the client certificate to the new Ironical separation of resources;
  
  when the new logical separation of resources is unlocked, granting access between the other enterprise resources and the enterprise application and granting the external resources on the mobile device to access the enterprise application and the other enterprise resources on the mobile device, wherein an unlock state allows applications to access files in a file system domain;
  
  when the new logical separation of resources is soft locked, granting access and operations between the other enterprise resources and the enterprise application while preventing user interactions with the enterprise application the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein the soft locked state allows applications running on the mobile device to access the files in the file system domain and locks an user interface on the mobile device; and
  
  when the new logical separation of resources is hard locked, preventing access between the other enterprise resources and the enterprise application while preventing the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein a hard lock state prohibits applications from accessing the files in the file system domain and locks an underlying encryption domain.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, wherein the enterprise account comprises at least one of an email account, a calendar account, or a contacts account.
  - 18. The computer program product of claim 16, wherein the instructions for causing one or more processors to perform operations comprising generating the new logical separation of resources comprises the instructions for causing one or more processors to perform operations comprising automatically generating the new logical separation of resources independent of an administrator of the resource server setting policies or configuring the new logical separation of resources.
  - 19. The computer program product of claim 16, wherein the pattern or parameter includes at least one of an account address, a network address, a policy, one or more settings associated with adding access to a new account that provides push synchronization, or one or more settings associated with connecting to a bridge device.
  - 20. The computer program product of claim 16, wherein the security policy includes at least one of password protection or data encryption.

21. A system, comprising:
- a first mobile device configured to connect a second mobile device to a network through the first mobile device; and
  
  a second mobile device configured to receive a request to add to a mobile device an-enterprise application for accessing an enterprise account, retrieve a security policy from a resource server for the enterprise account in response to detection of a parameter or a pattern associated with an account setting, generate a new logical separation of resources associated with the enterprise application and other enterprise resources on the mobile device in response to the request to add the enterprise application and the detection of the parameter or the pattern associated with the account setting, wherein the new logical separation of resources prevents applications on the mobile device external to the new logical separation of resources from accessing resources associated with the new logical separation of resources including the enterprise application, receive a client certificate from the resource server for establishing a secure channel with an enterprise, assign the client certificate to the new logical separation of resources, when the new logical separation of resources is unlocked, granting access between the other enterprise resources and the enterprise application and granting the external resources on the mobile device to access the enterprise application and the other enterprise resources on the mobile device, wherein an unlock state allows applications to access files in a file system domain, when the new logical separation of resources is soft locked, granting access between the other enterprise resources and the enterprise application while preventing user interactions with the enterprise application, wherein the soft locked state allows applications running on the mobile device to access the files in the file system domain and locks an user interface on the mobile device, when the new logical separation of resources is hard locked, the new logical separation of resources is configured to prevent access between the other enterprise resources and the enterprise application while preventing the external resources on the mobile device from accessing the enterprise application and the other enterprise resources on the mobile device, wherein a hard lock state prohibits applications from accessing the files in the file system domain and locks an underlying encryption domain.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system of claim 21, wherein the enterprise account comprises at least one of an email account, a calendar account, or a contacts account.
  - 23. The system of claim 21, wherein the second mobile device configured to generate the new logical separation of resources comprises the second mobile device configured to automatically generate the new logical separation of resources independent of an administrator of the resource server setting policies or configuring the new logical separation of resources.
  - 24. The system of claim 21, wherein the pattern or parameter includes at least one of an account address, a network address, a policy, one or more settings associated with adding access to a new account that provides push synchronization, or one or more settings associated with connecting to a bridge device.
  - 25. The system of claim 21, wherein the security policy includes at least one of password protection or data encryption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
2236008 Ontario Inc. (Blackberry Limited), Blackberry Limited
Inventors
Cardamore, Daniel, May, Darrell Reginald, Nagarajan, Sivakumar, Cherry, Carl Lloyd
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Gracia, Gary

Application Number

US13/274,913
Publication Number

US 20130097657A1
Time in Patent Office

1,856 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 3/1204   resulting in reduced user o...

G06F 3/1286   via local network

H04L 63/20   for managing network securi...

H04W 12/084   using delegated authorisati...

H04W 12/086   using security domains

H04W 12/088   using filters or firewalls

Dynamically generating perimeters

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically generating perimeters

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links