Using derived credentials for enrollment with enterprise mobile device management services

US 9,668,136 B2
Filed: 09/25/2015
Issued: 05/30/2017
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a mobile computing device, a command to enroll with an enterprise mobile device management server;

in response to receiving the command to enroll with the enterprise mobile device management server, launching, by the mobile computing device, an enrollment application;

requesting, by the mobile computing device, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service;

after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving, by the mobile computing device, a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service;

sending, by the mobile computing device, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service;

switching, by the mobile computing device, from the enrollment application to a certificate management system application on the mobile computing device;

requesting, by the mobile computing device, using the certificate management system application, one or more derived credentials from a certificate management system server;

storing, by the mobile computing device, using the certificate management system application, the one or more derived credentials in a shared vault on the mobile computing device;

switching, by the mobile computing device, from the certificate management system application to the enrollment application;

retrieving, by the mobile computing device, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault on the mobile computing device; and

providing, by the mobile computing device, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server to enroll the mobile computing device with at least one mobile device management service provided by the enterprise mobile device management server.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer-readable media for using derived credentials to enroll a mobile computing device with an enterprise mobile device management system are described herein. In various embodiments, a mobile computing device, responsive to a command to enroll with an enterprise mobile device management server, may launch an enrollment application; send an enrollment request message to the enterprise mobile device management server; switch to a certificate management system application on the mobile computing device; request one or more derived credentials from a certificate management system server; store the one or more derived credentials in a shared vault on the mobile computing device; switch to the enrollment application; retrieve a derived credential of the one or more derived credentials stored in the shared vault; and, provide the derived credential to the enterprise mobile device management server to enroll the mobile computing device with at least one mobile device management service.

19 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving, by a mobile computing device, a command to enroll with an enterprise mobile device management server;
  
  in response to receiving the command to enroll with the enterprise mobile device management server, launching, by the mobile computing device, an enrollment application;
  
  requesting, by the mobile computing device, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service;
  
  after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving, by the mobile computing device, a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service;
  
  sending, by the mobile computing device, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service;
  
  switching, by the mobile computing device, from the enrollment application to a certificate management system application on the mobile computing device;
  
  requesting, by the mobile computing device, using the certificate management system application, one or more derived credentials from a certificate management system server;
  
  storing, by the mobile computing device, using the certificate management system application, the one or more derived credentials in a shared vault on the mobile computing device;
  
  switching, by the mobile computing device, from the certificate management system application to the enrollment application;
  
  retrieving, by the mobile computing device, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault on the mobile computing device; and
  
  providing, by the mobile computing device, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server to enroll the mobile computing device with at least one mobile device management service provided by the enterprise mobile device management server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - prompting, by the mobile computing device, using the enrollment application, a user of the mobile computing device, for an address of the enterprise mobile device management server.
  - 3. The method of claim 1, further comprising:
    - receiving, by the mobile computing device, using the enrollment application, a password from a user of the mobile computing device;
      
      generating, by the mobile computing device, using the enrollment application, a password validation value based on the password received from the user of the mobile computing device;
      
      storing, by the mobile computing device, using the enrollment application, the password validation value in the shared vault on the mobile computing device;
      
      providing, by the mobile computing device, using the enrollment application, the password received from the user of the mobile computing device to the certificate management system application; and
      
      validating, by the mobile computing device, using the certificate management system application, the provided password to the certificate management system application based on the password validation value stored in the shared vault on the mobile computing device.
  - 4. The method of claim 3, further comprising:
    - receiving, by the mobile computing device, responsive to the enrollment request message, a message from the enterprise mobile device management server comprising password complexity validation rules; and
      
      validating, by the mobile computing device, the password using the password complexity validation rules.
  - 5. The method of claim 3, wherein the generating the password validation value comprises:
    - generating a hash of the password; and
      
      encrypting the hash of the password.
  - 6. The method of claim 3, further comprising:
    - encrypting, by the mobile computing device, using the certificate management system application, the one or more derived credentials based on the password received from the user of the mobile computing device and provided to the certificate management system application, prior to storing the one or more derived credentials in the shared vault on the mobile computing device.
  - 7. The method of claim 3, further comprising:
    - encrypting, by the mobile computing device, using the certificate management system application, the one or more derived credentials using a private/public key pair, prior to storing the one or more derived credentials in the shared vault on the mobile computing device.
  - 8. The method of claim 1, further comprising:
    - prior to switching to the certificate management system application on the mobile computing device, receiving, by the mobile computing device, responsive to the enrollment request message, a message from the enterprise mobile device management server identifying the certificate management system application on the mobile computing device; and
      
      determining, by the mobile computing device, to switch to the certificate management system application on the mobile computing device based on the message received from the enterprise mobile device management server identifying the certificate management system application on the mobile computing device.
  - 9. The method of claim 1, further comprising:
    - storing, by the mobile computing device, using the certificate management system application, at least one derived credential of the one or more derived credentials after an enrollment process is completed.
  - 10. The method of claim 1, wherein the enrollment application and the certificate management system application are digitally signed with an identical development signing certificate.
  - 11. The method of claim 10, further comprising:
    - retrieving, by the mobile computing device, using one or more applications on the mobile computing device that are digitally signed with the same development signing certificate as the enrollment application and the certificate management system application, at least one derived credential of the one or more derived credentials from the shared vault; and
      
      using, by the mobile computing device the at least one derived credential of the one or more derived credentials retrieved from the shared vault to provide functionality in the one or more applications on the mobile computing device or to access enterprise resources with the one or more applications on the mobile computing device.
  - 12. The method of claim 1, further comprising:
    - retrieving, by the mobile computing device, using the enrollment application, a first derived credential and a second derived credential from the shared vault;
      
      providing, by the mobile computing device, using the enrollment application, the first derived credential to the enterprise mobile device management server to complete mobile device management enrollment; and
      
      providing, by the mobile computing device, using the enrollment application, the second derived credential to the enterprise mobile device management server to complete mobile application management enrollment.
  - 13. The method of claim 1, wherein the mobile computing device is provisioned by the enterprise mobile device management server with policies and applications after an enrollment process is completed.
  - 14. The method of claim 1, further comprising:
    - prior to requesting the one or more derived credentials from the certificate management system server;
      
      authenticating, by the mobile computing device, using the certificate management system application, with the certificate management system server using the certificate management system application.
  - 15. The method of claim 14, wherein authenticating with the certificate management system server comprises prompting a user of the mobile computing device to provide data for identification and authentication purposes.
  - 16. The method of claim 1, wherein switching to the certificate management system application on the mobile computing device comprises:
    - launching an application store on the mobile computing device; and
      
      prompting a user of the mobile computing device to install the certificate management system application, if or when the certificate management system application is not installed on the mobile computing device.

17. A system, comprising:
- at least one processor; and
  
  at least one memory storing computer executable instructions that, when executed by the at least one processor, cause the system to;
  
  receive a command to enroll with an enterprise mobile device management server;
  
  in response to receiving the command to enroll with the enterprise mobile device management server, launch an enrollment application;
  
  request, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service;
  
  after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service;
  
  send, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service;
  
  switch from the enrollment application to a certificate management system application;
  
  request, using the certificate management system application, one or more derived credentials from a certificate management system server;
  
  store, using the certificate management system application, the one or more derived credentials in a shared vault;
  
  switch from the certificate management system application to the enrollment application;
  
  retrieve, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault; and
  
  provide, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server to enroll with at least one mobile device management service provided by the enterprise mobile device management server.

18. One or more non-transitory computer-readable medium storing computer-executable instructions that, when executed by a computer system comprising at least one processor, and least one memory, cause the computer system to perform a method comprising:
- receiving a command to enroll with an enterprise mobile device management server;
  
  in response to receiving the command to enroll with the enterprise mobile device management server, launching an enrollment application;
  
  requesting, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service;
  
  after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service;
  
  sending, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service;
  
  switching from the enrollment application to a certificate management system application;
  
  requesting, using the certificate management system application, one or more derived credentials from a certificate management system server;
  
  storing, using the certificate management system application, the one or more derived credentials in a shared vault;
  
  switching from the certificate management system application to the enrollment application;
  
  retrieving, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault; and
  
  providing, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server to enroll with at least one mobile device management service provided by the enterprise mobile device management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Aftab, Younus, Mistry, Shaunak
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/865,376
Publication Number

US 20170094509A1
Time in Patent Office

613 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 67/141   Setup of application sessio...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 4/50   Service provisioning or rec...

H04W 4/60   Subscription-based services...

Using derived credentials for enrollment with enterprise mobile device management services

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Using derived credentials for enrollment with enterprise mobile device management services

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links