Certificate based profile confirmation

US 9,819,682 B2
Filed: 03/15/2013
Issued: 11/14/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing a device independent of enrollment with a mobile device management (MDM) service, comprising:

installing a profile in the device, wherein the profile specifies that an application is permitted to execute on the device, the profile comprises a certificate that uniquely identifies the profile from another profile, the profile is uniquely associated with the application, and the certificate comprises at least one of a root certificate or an intermediate certificate;

storing the certificate in storage accessible to the device to indicate that the profile is installed in the device and that the profile is applicable to the device;

receiving, using the device, a request to execute the application on the device;

in response to the request to execute the application, determining, using the device, that the certificate is located in the storage accessible to the device to verify that the profile that specifies that the application is permitted to execute on the device is applicable to the device; and

responsive to determining that the certificate is located in the storage accessible to the device, initiating an execution of the application on the device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for controlling access to resources in a network environment. Methods may include installing a profile on the device and installing a certificate included in or otherwise associated with the profile on the device. A request to execute an application, and/or access a resource using a particular application, is received and determination is made as to whether the certificate is installed on the device based on an identification of the certificate by the application. If the certificate is installed on the device, then execution of the application and/or access to the resource is allowed. If the certificate is not installed on the device, then the request for execution and/or access is refused.

Citations

18 Claims

1. A method for managing a device independent of enrollment with a mobile device management (MDM) service, comprising:
- installing a profile in the device, wherein the profile specifies that an application is permitted to execute on the device, the profile comprises a certificate that uniquely identifies the profile from another profile, the profile is uniquely associated with the application, and the certificate comprises at least one of a root certificate or an intermediate certificate;
  
  storing the certificate in storage accessible to the device to indicate that the profile is installed in the device and that the profile is applicable to the device;
  
  receiving, using the device, a request to execute the application on the device;
  
  in response to the request to execute the application, determining, using the device, that the certificate is located in the storage accessible to the device to verify that the profile that specifies that the application is permitted to execute on the device is applicable to the device; and
  
  responsive to determining that the certificate is located in the storage accessible to the device, initiating an execution of the application on the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method for managing the device independent of enrollment with the MDM service of claim 1, wherein determining whether the certificate is located in storage accessible to the device includes determining whether the certificate is installed in a memory of the device.
  - 3. The method for managing the device independent of enrollment with the MDM service of claim 1, further comprising, responsive to determining that the certificate is located in storage accessible to the device, sending an access request to access a resource in a remote server.
  - 4. The method for managing the device independent of enrollment with the MDM service of claim 1, wherein the profile specifies a plurality of mandated settings.
  - 5. The method for managing the device independent of enrollment with the MDM service of claim 4, wherein at least one of the plurality of mandated settings controls data transfer between the device and a remote server.
  - 6. The method for managing the device independent of enrollment with the MDM service of claim 4, wherein at least one of the plurality of mandated settings is associated with at least one of:
    - a camera function of the device, a screen capture function of the device, a communication function of the device, or an audio function of the device.
  - 7. The method for managing the device independent of enrollment with the MDM service of claim 1, wherein storing the certificate in storage accessible to the device includes storing the certificate in a trust store of the device, and wherein determining that the certificate is located in the storage accessible to the device includes determining whether the certificate is stored in the device.
  - 8. The method for managing the device independent of enrollment with the MDM service of claim 7, further comprising periodically determining whether the certificate is accessible to the device.

9. A method for managing a device independent of enrollment with a mobile device management (MDM) service, comprising:
- determining, by the device, that a profile has been disabled in the device, wherein the profile specifies that an application is permitted to execute on the device, the profile is uniquely associated with the application, the profile comprises a certificate that uniquely identifies the profile from another profile, and the certificate comprises at least one of a root certificate or an intermediate certificate;
  
  in response to determining that the profile has been disabled in the device, removing the certificate from storage that is accessible to the device to indicate that the profile has been uninstalled from the device;
  
  receiving, in the device, a request to execute the application on the device;
  
  determining, using the device, that the certificate is inaccessible to the device; and
  
  responsive to determining that the certificate is inaccessible to the device, refusing the request to execute the application in the device.
- View Dependent Claims (10)
- - 10. The method for managing the device independent of enrollment with the MDM service of claim 9, wherein the profile further includes a setting that controls data transfer between the device and a remote server.

11. An apparatus for managing a computing device independent of enrollment with a mobile device management (MDM) service, the computing device comprising:
- a display; and
  
  at least one processor configured to execute program instructions that cause the at least one processor to at least;
  
  install a profile that specifies that an application is permitted to execute on the computing device, wherein the profile comprises a certificate that uniquely the profile from another profile, the profile is uniquely associated with the application, and the certificate comprises at least one of a root certificate or an intermediate certificate;
  
  install the certificate associated with the profile to indicate to the computing device that the computing device is in compliance with the profile;
  
  receive a request to execute the application by the at least one processor;
  
  in response to the request to execute the application, determine that the certificate is installed the computing device; and
  
  responsive to a determination that the certificate is installed on the computing device, execute the application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The apparatus for managing the computing device independent of the enrollment with MDM service of claim 11, wherein the program instructions further cause the at least one processor to, responsive to the determination that the certificate is accessible to the computing device, send a notification to a remote server.
  - 13. The apparatus for managing the computing device independent of enrollment with the MDM service of claim 11, wherein the profile further includes a setting that controls data transfer between the computing device and a remote server.
  - 14. The apparatus for managing the computing device independent of enrollment with the MDM service of claim 11, wherein the profile further includes a setting operative to disable at least one of a camera function of the computing device, a screen capture function of the computing device, a communication function of the computing device, or an audio function of the apparatus of the computing device.
  - 15. The apparatus for managing the computing device independent of enrollment with the MDM service of claim 11, wherein the profile comprises a root certificate.
  - 16. The apparatus for managing the computing device independent of enrollment with the MDM service of claim 11, wherein the profile comprises an intermediate certificate.
  - 17. The apparatus of claim 11 for managing the computing device independent of enrollment with the MDM service, wherein the profile further specifies that a particular application is to be installed on the computing device.
  - 18. The apparatus of claim 11 for managing the computing device independent of enrollment with the MDM service, wherein the profile further specifies an email account configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Omnissa, LLC
Original Assignee
AirWatch LLC (Broadcom, Inc.)
Inventors
Dabbiere, Alan, Stuntebeck, Erich
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US13/835,542
Publication Number

US 20140282869A1
Time in Patent Office

1,705 Days
Field of Search

726 3
US Class Current
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

H04L 63/10   for controlling access to d...

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Certificate based profile confirmation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate based profile confirmation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links