Delegating authorization to applications on a client device in a networked environment

US 9,686,287 B2
Filed: 03/19/2015
Issued: 06/20/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium for delegating security authorization to an agent application executable on a computing device embodying program instructions executable in the computing device that, when executed by the computing device, cause the computing device to:

send, by the agent application executable on the computing device, a request over a network to a remote server requesting that the agent application be permitted to control access to at least one network resource on behalf of the remote server for a plurality of managed applications, the request comprising a device profile describing at least one characteristic of the computing device, the remote server being configured to permit the agent application to control access to the at least one resource for the plurality of managed applications based at least in part on an analysis of the at least one characteristic and a compliance rule;

in response to the remote server permitting the agent application to control access to the at least one resource for the plurality of managed applications, store, by the agent application, an indication that the agent application is authorized to communicate access credentials to the plurality of managed applications on behalf of the remote server;

determine, by the agent application, that a first one of the plurality of managed applications requires a first access credential;

send, by the agent application, a request for the first access credential to the remote server;

receive, by the agent application, the first access credential from the remote server;

make, by the agent application being in communication with the plurality of managed applications, a determination that a second one of the plurality of managed applications requires a second access credential; and

in response to the determination that the second one of the managed applications requires the second access credential, receive the second access credential from the remote server and provide the second access credential to the second one of the plurality of managed applications.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for delegating security authorization to at least one application executed on a client device. A computing device is employed to send to a remote server, from an agent application, a request for a first access credential. The first access credential is received from the remote server and a determination is made by the agent application in communication with a managed application, that the managed application requires a second access credential. In response to the determination being made that the managed application requires the second access credential, the second access credential is sent to the managed application, from the agent application. An indication that the agent is authorized to be in communication with managed applications regarding a need for access credentials is stored and the agent application determines where at least one of the managed applications requires an access credential.

218 Citations

20 Claims

1. A non-transitory computer-readable medium for delegating security authorization to an agent application executable on a computing device embodying program instructions executable in the computing device that, when executed by the computing device, cause the computing device to:
- send, by the agent application executable on the computing device, a request over a network to a remote server requesting that the agent application be permitted to control access to at least one network resource on behalf of the remote server for a plurality of managed applications, the request comprising a device profile describing at least one characteristic of the computing device, the remote server being configured to permit the agent application to control access to the at least one resource for the plurality of managed applications based at least in part on an analysis of the at least one characteristic and a compliance rule;
  
  in response to the remote server permitting the agent application to control access to the at least one resource for the plurality of managed applications, store, by the agent application, an indication that the agent application is authorized to communicate access credentials to the plurality of managed applications on behalf of the remote server;
  
  determine, by the agent application, that a first one of the plurality of managed applications requires a first access credential;
  
  send, by the agent application, a request for the first access credential to the remote server;
  
  receive, by the agent application, the first access credential from the remote server;
  
  make, by the agent application being in communication with the plurality of managed applications, a determination that a second one of the plurality of managed applications requires a second access credential; and
  
  in response to the determination that the second one of the managed applications requires the second access credential, receive the second access credential from the remote server and provide the second access credential to the second one of the plurality of managed applications.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The non-transitory computer-readable medium of claim 1, further comprising program instructions that, when executed by the computing device, cause the computing device to:
    - send, by the agent application, a request for the second access credential to the remote server; and
      
      receive, by the agent application, the second access credential from the remote server.
  - 3. The non-transitory computer-readable medium of claim 1, wherein determining that the second one of the plurality of managed applications requires the second access credential further comprises receiving, by the agent application, a request for the second access credential from the second one of the plurality of managed applications.
  - 4. The non-transitory computer-readable medium of claim 1, further comprising program instructions that, when executed by the computing device, cause the computing device to:
    - access, by the agent application, at least one compliance rule received from the remote server; and
      
      determine, by the agent application, that the device profile for the computing device complies with the at least one compliance rule prior to sending the second access credential to the second one of the plurality of managed applications.
  - 5. The non-transitory computer-readable medium of claim 1, wherein determining that the second one of the plurality of managed applications requires the second access credential further comprises determining, by the agent application, that the second one of the plurality of managed applications communicated with a resource server.
  - 6. The non-transitory computer-readable medium of claim 1, further comprising program instructions that, when executed by the computing device, causes the computing device to cause a revocation of the second access credential to be sent to the second one of the plurality of managed applications from the agent application.

7. A system for delegating security authorization to an agent application executable on a computing device, comprising:
- a computing device comprising at least one hardware processor; and
  
  program instructions executable in the computing device that, when executed, cause the computing device to;
  
  send, by the agent application executable on the computing device, a request over a network to a remote server requesting that the agent application be permitted to control access to at least one network resource on behalf of the remote server for a plurality of managed applications, the request comprising a device profile describing at least one characteristic of the computing device, the remote server being configured to permit the agent application to control access to the at least one resource for the plurality of managed applications based at least in part on an analysis of the at least one characteristic and a compliance rule;
  
  in response to the remote server permitting the agent application to control access to the at least one resource for the plurality of managed applications, store, by the agent application, an indication that the agent application is authorized to communicate access credentials to the plurality of managed applications on behalf of the remote server;
  
  determine, by the agent application, that a first one of the plurality of managed applications requires a first access credential;
  
  send, by the agent application, a request for the first access credential to the remote server;
  
  receive, by the agent application, the first access credential from the remote server;
  
  make, by the agent application being in communication with the plurality of managed applications, a determination that a second one of the plurality of managed applications requires a second access credential; and
  
  in response to the determination that the second one of the plurality of managed applications requires the second access credential, receive the second access credential from the remote server and provide the second access credential to the second one of the plurality of managed applications.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, further comprising program instructions that, when executed, cause the computing device to:
    - send, by the agent application, a request for the second access credential to the remote server; and
      
      receive, by the agent application, the second access credential from the remote server.
  - 9. The system of claim 7, wherein determining that the second one of the plurality of managed applications requires the second access credential further comprises receiving, by the agent application, a request for the second access credential from the second one of the plurality of managed applications.
  - 10. The system of claim 7, further comprising program instructions that, when executed, cause the computing device to:
    - access, by the agent application, at least one compliance rule received from the remote server; and
      
      determine, by the agent application, that the device profile for the computing device complies with the at least one compliance rule prior to sending the second access credential to the second one of the plurality of managed applications.
  - 11. The system of claim 7, wherein determining that the second one of the plurality of managed applications requires the second access credential further comprises determining that the second one of the plurality of managed applications communicated with a resource server.
  - 12. The system of claim 7, further comprising program instructions that, when executed, cause the computing device to cause a revocation of the second access credential to be sent to the second one of the plurality of managed applications from the agent application.
  - 13. The system of claim 7, wherein the request for the first access credential comprises at least one of:
    - a device identifier, a user credential, or device profile information.

14. A computer-implemented method for delegating security authorization to an agent application executable on a computing device, comprising:
- sending, by the agent application, a request over a network to a remote server requesting that the agent application be permitted to control access to at least one network resource on behalf of the remote server for a plurality of managed applications, the request comprising a device profile describing at least one characteristic of the computing device, the remote server being configured to permit the agent application to control access to the at least one resource for the plurality of managed applications based at least in part on an analysis of the at least one characteristic and a compliance rule;
  
  in response to the remote server permitting the agent application to control access to the at least one resource for the plurality of managed applications, storing, by the agent application, an indication that the agent application is authorized to communicate access credentials to the plurality of managed applications on behalf of the remote server;
  
  determining, by the agent application, that a first one of the plurality of managed applications requires a first access credential;
  
  sending, by the agent application, a request for the first access credential to the remote server;
  
  receiving, by the agent application, the first access credential from the remote server;
  
  making, by the agent application being in communication with the plurality of managed applications, a determination that a second one of the plurality of managed applications requires a second access credential; and
  
  in response to the determination that the second one of the plurality of managed applications requires the second access credential, receiving the second access credential from the remote server and providing the second access credential to the second one of the plurality of managed applications.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-implemented method of claim 14, further comprising:
    - sending, by the agent application, a request for the second access credential to the remote server; and
      
      receiving, by the agent application, the second access credential from the remote server.
  - 16. The computer-implemented method of claim 14, wherein determining that the second one of the plurality of managed applications requires the second access credential further comprises receiving, by the agent application, a request for the second access credential from the second one of the plurality of managed applications.
  - 17. The computer-implemented method of claim 14, further comprising:
    - accessing, by the agent application, at least one compliance rule received from the remote server; and
      
      determining, by the agent application, that a device profile for the computing device complies with the at least one compliance rule prior to sending the second access credential to the second one of the plurality of managed applications.
  - 18. The computer-implemented method of claim 14, wherein determining that the second one of the plurality of managed applications requires the second access credential further comprises determining that the second one of the plurality of managed applications communicated with a resource server.
  - 19. The computer-implemented method of claim 14, further comprising causing, by the agent application, a revocation of the second access credential to be sent to the second one of the plurality of managed applications from the agent application.
  - 20. The computer-implemented method of claim 14, wherein the request for the first access credential comprises at least one of:
    - a device identifier, a user credential, or device profile information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirWatch LLC (Broadcom, Inc.)
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Kommireddy, Sridhara Babu, Rykowski, Adam Stephen, Manton, John Joseph
Primary Examiner(s)
DOAN, TRANG T

Application Number

US14/662,373
Publication Number

US 20150195284A1
Time in Patent Office

824 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

Delegating authorization to applications on a client device in a networked environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

218 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Delegating authorization to applications on a client device in a networked environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

218 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others