Enforcement of proximity based policies

US 9,584,964 B2
Filed: 12/22/2014
Issued: 02/28/2017
Est. Priority Date: 12/22/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying program code being configured to allow remote application of a policy that controls the type of authentication to be used between devices under a device management system, the program code being executable in a computing device, the program code being configured to cause the computing device to at least:

obtain, remotely at a policy server, a first location indication associated with an anchor device, the first location indication being at least one of a geographic location or a network location of the anchor device;

obtain, remotely at the policy server, a second location indication associated with a companion device, the second location indication being at least one of a geographic location or a network location of the companion device;

identify, on the policy server, a policy stored in a data store that associates the anchor device and the companion device, the policy specifying a security requirement that when the first location and the second location are within a proximity, the companion device can be accessed using a reduced authentication, and when the first location and the second location are not within the proximity, the companion device cannot be accessed using the reduced authentication;

determine whether the policy is violated based at least in part upon the first location indication and the second location indication; and

issue a command to the companion device from the policy server in response to a determination that the policy is violated based at least in part upon the first location indication and the second location indication, the command requiring that the companion device be accessed in accordance with the security requirement, wherein the policy server operates as part of the device management system to vary and control the types of authorization required between a plurality of anchor devices and companion devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the disclosure are related to enforcing a policy on a computing device, or a companion device, based upon its proximity to another computing device, or an anchor device. In one example, the anchor device and companion device can report their location with respect to one another to a policy server. The policy server can determine whether the anchor device and proximity device are in proximity to one another as well as determine whether a policy should be applied to the companion device based upon whether it is in proximity to the anchor device.

357 Citations

21 Claims

1. A non-transitory computer-readable medium embodying program code being configured to allow remote application of a policy that controls the type of authentication to be used between devices under a device management system, the program code being executable in a computing device, the program code being configured to cause the computing device to at least:
- obtain, remotely at a policy server, a first location indication associated with an anchor device, the first location indication being at least one of a geographic location or a network location of the anchor device;
  
  obtain, remotely at the policy server, a second location indication associated with a companion device, the second location indication being at least one of a geographic location or a network location of the companion device;
  
  identify, on the policy server, a policy stored in a data store that associates the anchor device and the companion device, the policy specifying a security requirement that when the first location and the second location are within a proximity, the companion device can be accessed using a reduced authentication, and when the first location and the second location are not within the proximity, the companion device cannot be accessed using the reduced authentication;
  
  determine whether the policy is violated based at least in part upon the first location indication and the second location indication; and
  
  issue a command to the companion device from the policy server in response to a determination that the policy is violated based at least in part upon the first location indication and the second location indication, the command requiring that the companion device be accessed in accordance with the security requirement, wherein the policy server operates as part of the device management system to vary and control the types of authorization required between a plurality of anchor devices and companion devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the policy further specifies a restriction on a capability with respect to launching a particular application by the companion device.
  - 3. The non-transitory computer-readable medium of claim 2, wherein the particular application comprises a browser application.
  - 4. The non-transitory computer-readable medium of claim 1, wherein the first location indication or the second location indication comprises at least one of:
    - location data obtained by a positioning system or a network address.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the policy is determined to be violated based at least in part upon the difference between the first location indication and the second location indication when the second location is determined to be more than a threshold distance from the first location.
  - 6. The non-transitory computer-readable medium of claim 1, wherein the first location or the second location comprise at least one communication between the anchor device and the companion device using a first localized communication interface associated with the anchor device and a second localized communication interface associated with the companion device.
  - 7. The non-transitory computer-readable medium of claim 6, wherein the first localized communication interface and the second localized communication interface comprise at least one of a Bluetooth interface, a near-field communication (NFC) interface or a radio-frequency identification (RFID) interface.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the policy further specifies a restriction on a capability comprising restricting access to content stored on the companion device.
  - 9. The non-transitory computer-readable medium of claim 1, wherein the command comprises a command to lock a display device associated with the companion device.

10. A method for remotely applying a policy that controls the type of authentication to be used between devices under a device management system comprising:
- establishing, at a remote policy server, a proximity policy for selectively enforcing a restriction upon at least one of an anchor device or a companion device;
  
  transmitting a first location indicator to the policy server using a network, the first location indicator indicating a location of the companion device relative to the anchor device; and
  
  obtaining a command from the policy server or in response to the first location indicator, the command being related to a proximity of the companion device to an anchor device, the proximity being determined based upon the first location indicator, the command further specifying the restriction enforced upon at least one of the anchor device or the companion device, whereinthe restriction indicates that when the first location and the second location are within the proximity, the companion device can be accessed using a reduced authentication, and when the first location and the second location are not within the proximity, the companion device cannot be accessed using the reduced authentication, wherein the policy server operates as part of the device management system to vary and control the types of authorization required between a plurality of anchor devices and companion devices.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the command specifies a restriction with respect to executing a particular application installed on the companion device.
  - 12. The method of claim 11, wherein the restriction disables launching of the particular application.
  - 13. The method of claim 10, wherein the command enables a functionality of the companion device in response to the first location indicator.
  - 14. The method of claim 10, wherein the command disables a networking capability of the companion device.
  - 15. The method of claim 10, wherein the command is obtained further in response to a second location indicator associated with the anchor device.

16. A method for remotely applying a policy that controls the type of authentication to be used between devices under a device management system, comprising:
- obtaining, remotely in a policy server, a first location indicator corresponding to a location of a first computing device relative to a second computing device;
  
  determining, in the policy server, whether a policy is associated with the first computing device and the second computing device, the policy specifying a security requirement associated with the first computing device based upon a proximity of the first computing device to the second computing device, the security requirement indicating that when the first location and the second location are within the proximity, the first computing device can be accessed using a reduced authentication, and when the first location and the second location are not within the proximity, the first computing device cannot be accessed using the reduced authentication;
  
  determining, in the policy server, whether the first computing device complies with the policy based upon the proximity; and
  
  issuing, remotely from the policy server, a command specified by the policy, wherein the policy server operates as part of the device management system to vary and control the types of authorization required between a plurality of first computing devices and second computing devices.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the first location indicator comprises an indication that the first computing device is outside of a communication range of a localized communication interface of the first computing device.
  - 18. The method of claim 16, wherein the command disables a communication interface associated with the first computing device.
  - 19. The method of claim 16, wherein the command disables a particular application installed on the first computing device.

20. A system for remotely changing the authentication types required between devices under a device management system based on proximity, comprising:
- a first computing device;
  
  a second computing device; and
  
  a policy server that is remote to the first computing device and remote to the second computing device, wherein;
  
  the policy server stores a profile with a security restriction, the security restriction indicating that when the second computing device is not within the proximity to the first computing device, the first computing device must be accessed using additional authentication;
  
  the policy server issues a command to the first computing device requiring the additional authentication when the first computing device is not within the proximity of the second computing device; and
  
  the policy server varies and controls the types of authorization required between a plurality of first computing devices and second computing devices.

21. A system for changing authentication types based on proximity, comprising:
- a first computing device; and
  
  a second computing device, wherein;
  
  the first computing device receives a profile with a security restriction from a remote policy server, the remote policy server storing a plurality of different profiles for controlling authentication types between devices under a device management system,the first computing device determines a proximity between the first computing device and the second computing device;
  
  the first computing device accesses the profile with the security restriction, the security restriction indicating that when the second computing device is within the proximity to the first computing device, the first computing device can be accessed using a reduced authentication; and
  
  the first computing device detects the proximity with the second computing device and allows access using the reduced authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Pelkey, Joshua Grey
Primary Examiner(s)
Gelin, Jean

Application Number

US14/579,314
Publication Number

US 20160183164A1
Time in Patent Office

799 Days
Field of Search

455/414.1, 455/411, 455/417, 455/420, 455/419, 455/422.1, 455/404.1, 455/404.2, 455/456.1, 455/456.2, 455/456.3
US Class Current

1/1
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04W 12/065   Continuous authentication

H04W 12/084   using delegated authorisati...

H04W 4/02   Services making use of loca...

H04W 4/023   using mutual or relative lo...

H04W 4/80   Services using short range ...

H04W 48/04   based on user or terminal l...

Enforcement of proximity based policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

357 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcement of proximity based policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

357 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links