Controlling mobile device access to enterprise resources

US 9,529,996 B2
Filed: 10/10/2012
Issued: 12/27/2016
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors, cause the system to;

receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;

store the mobile device property information that includes the information regarding the application installed on the mobile device;

store user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;

store at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the information specifying the role of the user in the enterprise;

receive a request from the application installed on the mobile device to access the particular enterprise resource;

inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and

determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the mobile device property information that includes the information regarding the application installed on the mobile device, the user information including the information specifying the role of the user in the enterprise, and the at least one enterprise access policy.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

560 Citations

29 Claims

1. A system comprising:
- one or more processors; and
  
  non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors, cause the system to;
  
  receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;
  
  store the mobile device property information that includes the information regarding the application installed on the mobile device;
  
  store user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;
  
  store at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the information specifying the role of the user in the enterprise;
  
  receive a request from the application installed on the mobile device to access the particular enterprise resource;
  
  inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and
  
  determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the mobile device property information that includes the information regarding the application installed on the mobile device, the user information including the information specifying the role of the user in the enterprise, and the at least one enterprise access policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - determine whether to grant or deny the access to the particular enterprise resource based on whether the application installed on the mobile device is an unauthorized application, as determined from information reported by the enterprise agent installed on the mobile device.
  - 3. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - responsive to the request from the application installed on the mobile device to access the particular enterprise resource;
      
      look up the mobile device property information,look up the user information regarding the user of the mobile device,determine whether the looked-up mobile device property information and the looked-up user information comply with the at least one enterprise access policy associated with the particular enterprise resource.
  - 4. The system of claim 3, wherein the request from the application installed on the mobile device to access the particular enterprise resource comprises a request to form an application tunnel between the particular enterprise resource and the application installed on the mobile device.
  - 5. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - generate a plurality of gateway rules based on the at least one enterprise access policy and one or more of the mobile device property information and the user information including the information specifying the role of the user in the enterprise; and
      
      provide the plurality of gateway rules to a mobile gateway that controls the access to the particular enterprise resource.
  - 6. The system of claim 5, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - translate a plurality of enterprise access policies into a plurality of lower-level gateway rules based on at least the mobile device property information, the user information including the information specifying the role of the user in the enterprise, and a location of the mobile device; and
      
      provide the plurality of lower-level gateway rules to the mobile gateway.
  - 7. The system of claim 5, wherein the mobile gateway is configured to apply the plurality of gateway rules to determine whether to grant or deny an access request for the particular enterprise resource received from the mobile device, wherein the mobile gateway comprises a mobile gateway filter configured to run on an enterprise firewall server.
  - 8. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - send, to the mobile device, at least one rule indicating a specific condition that requires an associated remedial action, wherein the enterprise agent is configured to enforce the rule and apply the associated remedial action on the mobile device.
  - 9. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - determine that the mobile device has multiple applications of a particular application type installed;
      
      deny, to a first application of the particular application type, the access to the particular enterprise resource; and
      
      permit, to a second application of the particular application type, the access to the particular enterprise resource.
  - 10. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - determine that the mobile device has multiple applications of a particular application type installed;
      
      encrypt data transmitted to a first application of the particular application type from the particular enterprise resource; and
      
      not encrypt data transmitted to a second application of the particular application type from the particular enterprise resource.
  - 11. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - determine that the request from the application installed on the mobile device to access the particular enterprise resource uses a particular protocol,wherein determining whether to grant or deny the access is based on the request using the particular protocol.
  - 12. The system of claim 11, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to:
    - encrypt attachment data before sending the attachment data to the mobile device, based on the request using the particular protocol.

13. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a mobile device to:
- install, on the mobile device, an agent component configured to;
  
  provide a secure path for one or more authorized applications installed on the mobile device to access enterprise resources of an enterprise system;
  
  identify an application installed on the mobile device;
  
  send mobile device property information that includes information regarding the application installed on the mobile device;
  
  send a request from the application installed on the mobile device to access a particular enterprise resource of the enterprise resources; and
  
  receive or be denied access to the particular enterprise resource based on the mobile device property information that includes the information regarding the application installed on the mobile device, a role of a user of the mobile device in an enterprise, and at least one enterprise access policy.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable media of claim 13, wherein the agent component is configured to prevent the application from running on the mobile device.
  - 15. The non-transitory computer-readable media of claim 13, wherein the agent component is configured to uninstall an unauthorized application from the mobile device.
  - 16. The non-transitory computer-readable media of claim 13, wherein the agent component is configured to block the mobile device from accessing the enterprise system.
  - 17. The non-transitory computer-readable media of claim 13, wherein the agent component is configured to delete, from the mobile device, information necessary for decrypting encrypted enterprise data stored on the mobile device.
  - 18. The non-transitory computer-readable media of claim 13, wherein the agent component creates the secure path by using protocol encapsulation to create an application tunnel between a particular authorized application and particular enterprise resources of the enterprise resources.
  - 19. The non-transitory computer-readable media of claim 13, wherein the agent component is configured to report, to a mobile device management system associated with the enterprise system, device property information comprising information regarding the application installed on the mobile device.
  - 20. The non-transitory computer-readable media of claim 19, wherein the mobile device management system is configured to determine, based on the information regarding the application installed on the mobile device, the role of the user of the mobile device in the enterprise, and a location of the mobile device, whether to grant a request by the application to access the enterprise resources via the secure path.

21. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a mobile device to:
- install, on the mobile device, an enterprise agent configured to;
  
  maintain a repository of a plurality of mobile-device rules specifying conditions and associated remedial actions for protecting enterprise resources of an enterprise;
  
  collect mobile device property information comprising information regarding applications installed on the mobile device;
  
  determine a role of a member of the enterprise within the enterprise;
  
  determine a location of the mobile device;
  
  send a request to access a particular enterprise resource of the enterprise resources; and
  
  receive or be denied access to the particular enterprise resource based on the mobile device property information, the role of the member of the enterprise within the enterprise, and the location of the mobile device.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The non-transitory computer-readable media of claim 21, wherein the enterprise agent is configured to:
    - use at least one of the plurality of mobile-device rules to determine whether an unauthorized application is installed on the mobile device; and
      
      execute a remedial action in response to determining that the unauthorized application is installed on the mobile device.
  - 23. The non-transitory computer-readable media of claim 21, wherein the enterprise agent is configured to:
    - use at least one of the plurality of mobile-device rules to determine whether a SIM card has been disengaged from the mobile device; and
      
      execute a remedial action in response to determining that the SIM card has been disengaged from the mobile device.
  - 24. The non-transitory computer-readable media of claim 21, wherein the enterprise agent is configured to:
    - determine whether password protection is disabled on the mobile device;
      
      instruct the member of the enterprise, in response to determining that the password protection is disabled on the mobile device, to activate the password protection on the mobile device; and
      
      in response to determining that a period of time has elapsed and the password protection on the mobile device has not been activated, disable functionality of the mobile device.
  - 25. The non-transitory computer-readable media of claim 21, wherein the enterprise agent is configured to:
    - disable a camera of the mobile device in response to determining that the location of the mobile device is a location where usage of the camera is not authorized.
  - 26. The non-transitory computer-readable media of claim 21, wherein the enterprise agent is configured to:
    - maintain, on the mobile device, a secure document container accessible only to authorized applications installed on the mobile device; and
      
      delete data from the secure document container in response to detecting a condition representing an enterprise security risk.
  - 27. The non-transitory computer-readable media of claim 21, wherein the enterprise agent is configured to:
    - use protocol encapsulation to create a plurality of application tunnels for a respective plurality of authorized applications installed on the mobile device to securely communicate with specific enterprise resources of the enterprise over a network.

28. A system comprising:
- a first device comprising;
  
  one or more processors; and
  
  non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors, cause the first device to;
  
  receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;
  
  store the mobile device property information that includes the information regarding the application installed on the mobile device;
  
  store user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;
  
  generate at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the role of the user in the enterprise; and
  
  transmit the at least one enterprise access policy to a second device;
  
  the second device, configured to;
  
  receive the at least one enterprise access policy from the first device;
  
  receive a request from the application installed on the mobile device to access the particular enterprise resource;
  
  inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and
  
  determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the at least one enterprise access policy.

29. A method comprising:
- receiving, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device;
  
  storing the mobile device property information that includes the information regarding the application installed on the mobile device;
  
  storing user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise;
  
  storing at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the information specifying the role of the user in the enterprise;
  
  receiving a request from the application installed on the mobile device to access the particular enterprise resource;
  
  inspecting a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and
  
  determining whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the mobile device property information that includes the information regarding the application installed on the mobile device, the user information including the information specifying the role of the user in the enterprise, and the at least one enterprise access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, McGinty, John M., Andre, Olivier, Abdullah, Shafaq
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US13/649,073
Publication Number

US 20140007183A1
Time in Patent Office

1,539 Days
Field of Search

726/1, 726/4, 713/165, 713/166, 713/168
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

Controlling mobile device access to enterprise resources

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

560 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling mobile device access to enterprise resources

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

560 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links