Controlling mobile device access to enterprise resources
8 Assignments
0 Petitions
Abstract
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
560 Citations
29 Claims
1. A system comprising:
one or more processors; and
non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors, cause the system to:
receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;
store the mobile device property information that includes the information regarding the application installed on the mobile device;
store user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;
store at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the information specifying the role of the user in the enterprise;
receive a request from the application installed on the mobile device to access the particular enterprise resource;
inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and
determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the mobile device property information that includes the information regarding the application installed on the mobile device, the user information including the information specifying the role of the user in the enterprise, and the at least one enterprise access policy.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a mobile device to:
install, on the mobile device, an agent component configured to:
provide a secure path for one or more authorized applications installed on the mobile device to access enterprise resources of an enterprise system;
identify an application installed on the mobile device;
send mobile device property information that includes information regarding the application installed on the mobile device;
send a request from the application installed on the mobile device to access a particular enterprise resource of the enterprise resources; and
receive or be denied access to the particular enterprise resource based on the mobile device property information that includes the information regarding the application installed on the mobile device, a role of a user of the mobile device in an enterprise, and at least one enterprise access policy.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
21. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a mobile device to:
install, on the mobile device, an enterprise agent configured to:
maintain a repository of a plurality of mobile-device rules specifying conditions and associated remedial actions for protecting enterprise resources of an enterprise;
collect mobile device property information comprising information regarding applications installed on the mobile device;
determine a role of a member of the enterprise within the enterprise;
determine a location of the mobile device;
send a request to access a particular enterprise resource of the enterprise resources; and
receive or be denied access to the particular enterprise resource based on the mobile device property information, the role of the member of the enterprise within the enterprise, and the location of the mobile device.
Dependent claims: 22, 23, 24, 25, 26, 27.
28. A system comprising:
a first device comprising:
one or more processors; and
non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors, cause the first device to:
receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;
store the mobile device property information that includes the information regarding the application installed on the mobile device;
store user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;
generate at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the role of the user in the enterprise; and
transmit the at least one enterprise access policy to a second device;
the second device, configured to:
receive the at least one enterprise access policy from the first device;
receive a request from the application installed on the mobile device to access the particular enterprise resource;
inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and
determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the at least one enterprise access policy.
29. A method comprising:
receiving, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;
storing the mobile device property information that includes the information regarding the application installed on the mobile device;
storing user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;
storing at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the information specifying the role of the user in the enterprise;
receiving a request from the application installed on the mobile device to access the particular enterprise resource;
inspecting a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and
determining whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the mobile device property information that includes the information regarding the application installed on the mobile device, the user information including the information specifying the role of the user in the enterprise, and the at least one enterprise access policy.
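The abstract and the independent claims above describe one decision flow: an agent on the device reports which applications are installed, the enterprise side stores that report together with the user's role and a per-resource policy, the payload of each access request is inspected, and access is granted or denied; claim 21 adds the device's location and a repository of rules pairing conditions with remedial actions. The Python sketch below of such a policy decision point is an added example and is not code from the patent, its assignee or any product. The report schema, the rule vocabulary, the "quarantine_device" action name, and the sample devices, users, policies and payloads are all constructed assumptions chosen to exercise each check.

```python
"""Policy decision point for app-, role- and location-aware access control.
Added illustration, not code from the patent, its assignee or any product;
every schema, field name, action name and sample value is an assumption."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceReport:                  # what the enterprise agent reports (assumed schema)
    device_id: str
    installed_apps: dict[str, str]   # app identifier -> version
    location: str                    # coarse location, e.g. a country code


@dataclass
class Policy:                        # policy for one resource (assumed rule vocabulary)
    resource: str
    allowed_roles: set[str]
    required_apps: set[str] = field(default_factory=set)    # must be installed
    forbidden_apps: set[str] = field(default_factory=set)   # presence blocks access
    allowed_locations: Optional[set[str]] = None            # None: no location constraint
    max_payload_bytes: int = 4096
    allowed_payload_keys: set[str] = field(default_factory=set)


@dataclass
class Decision:
    allow: bool
    reason: str
    remedial_action: Optional[str] = None   # assumed action name, e.g. "quarantine_device"


@dataclass
class PolicyDecisionPoint:
    devices: dict[str, DeviceReport]   # device id -> latest agent report
    roles: dict[str, str]              # user id -> role in the enterprise
    policies: dict[str, Policy]        # resource -> access policy

    def evaluate(self, device_id: str, user_id: str, app_id: str,
                 resource: str, payload: bytes) -> Decision:
        # Fail closed: a missing policy, device report or user record is a denial.
        policy, device, role = (self.policies.get(resource), self.devices.get(device_id),
                                self.roles.get(user_id))
        if policy is None or device is None or role is None:
            return Decision(False, "no policy, device report or user record")
        installed = set(device.installed_apps)
        # The requesting app must be in the agent's inventory for this device.
        if app_id not in installed:
            return Decision(False, f"requesting app {app_id} not in device inventory")
        if role not in policy.allowed_roles:
            return Decision(False, f"role {role} not permitted for {resource}")
        if missing := policy.required_apps - installed:
            return Decision(False, f"required app(s) missing: {sorted(missing)}")
        if present := policy.forbidden_apps & installed:
            # A rule condition paired with a remedial action for the agent to carry out.
            return Decision(False, f"forbidden app(s) present: {sorted(present)}",
                            remedial_action="quarantine_device")
        if policy.allowed_locations is not None and device.location not in policy.allowed_locations:
            return Decision(False, f"location {device.location} not permitted")
        # Payload inspection: bound the size, require a JSON object, and reject
        # fields the resource does not accept from this app.
        if len(payload) > policy.max_payload_bytes:
            return Decision(False, "payload exceeds size limit")
        try:
            body = json.loads(payload)
            if not isinstance(body, dict):
                raise ValueError("not a JSON object")
        except ValueError:
            return Decision(False, "payload is not a JSON object")
        if unexpected := set(body) - policy.allowed_payload_keys:
            return Decision(False, f"unexpected payload field(s): {sorted(unexpected)}")
        return Decision(True, "all checks passed")


def demo() -> list[Decision]:
    """Runs constructed sample requests through the PDP and returns the decisions."""
    clean = {"com.example.agent": "1.0", "com.example.ledger": "2.1"}
    pdp = PolicyDecisionPoint(
        devices={"dev-1": DeviceReport("dev-1", clean, "US"),
                 "dev-2": DeviceReport("dev-2", {**clean, "com.example.screenrec": "0.9"}, "US"),
                 "dev-3": DeviceReport("dev-3", clean, "DE")},
        roles={"alice": "finance", "bob": "engineering"},
        policies={"ledger-api": Policy("ledger-api", {"finance"}, required_apps={"com.example.agent"},
                                       forbidden_apps={"com.example.screenrec"},
                                       allowed_locations={"US", "CA"},
                                       allowed_payload_keys={"account", "quarter"})})
    ok, ledger = b'{"account": "ops", "quarter": "Q3"}', "com.example.ledger"
    return [
        pdp.evaluate("dev-1", "alice", ledger, "ledger-api", ok),    # allowed
        pdp.evaluate("dev-1", "bob", ledger, "ledger-api", ok),      # wrong role
        pdp.evaluate("dev-2", "alice", ledger, "ledger-api", ok),    # forbidden app present
        pdp.evaluate("dev-3", "alice", ledger, "ledger-api", ok),    # disallowed location
        pdp.evaluate("dev-1", "alice", ledger, "ledger-api",
                     b'{"account": "ops", "export_all": true}'),     # unexpected payload field
        pdp.evaluate("dev-1", "alice", "com.example.unknown", "ledger-api", ok),  # not in inventory
    ]
```

Calling demo() returns the six decisions in order, the first allowed and the rest denied for the reason recorded in each. Three design choices matter more than the rule vocabulary: every lookup fails closed, the requesting app must appear in the agent's own inventory before any role or policy check runs, and payload inspection is an allowlist of accepted fields with a size bound rather than a search for known-bad content.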
Specification